Eikonal Blog

2011.07.08

Auditing Unix Security

Misc

2011.05.12

Passwords related postings

Generating password hashes

  • Generating unix-style MD5 hash: openssl passwd -1 -salt QIGCa pippo
    • produces: $1$QIGCa$/ruJs8AvmrknzKTzM2TYE.
  • generating password hash using system's native crypt() command: perl -e 'print crypt("pippo", "\$1\$QIGCa"),"\n"'
    • produces: $1Su6NR9CFU/6
  • Using Python’s Passlib library (http://packages.python.org/passlib/):
    • Install Python (e.g. in Cygwin)
    • Install Passlib library following instructions at http://packages.python.org/passlib/install.html
    • start Python: python
    • Calculate the SHA256 hash of the word Password:

      >>> from passlib.hash import sha256_crypt
      >>> hash = sha256_crypt.encrypt("password")
      >>> hash
      '$5$rounds=80000$9GPMLb8EE.1QFrUk$Y0XQiZRKMhOrB2GcfCeWREG.x3jCfa5pbmxSO/hjCE3'
      >>> sha256_crypt.encrypt("password")
      '$5$rounds=80000$9fjOxTQNeyPhsCvp$XmyKju3TfWUEPXGPXMZ6sIPcv26Uok7NLPyZhx5g7R9'
      >>> sha256_crypt.encrypt("password", rounds=12345)
      '$5$rounds=12345$Kk9DTJPMRyxGFB3q$7tdzdJXq4YRu7ms6PGo7zTlOHVwYOQO1aUeUsZ3Mrl5'
      >>> sha256_crypt.verify("password", hash)
      True
      >>> sha256_crypt.verify("letmeinplz", hash)
      False
        

    • Generating BouncyCastle SHA1-512 hashes for use in Atlassian JIRA:

      >>> from passlib.hash import atlassian_pbkdf2_sha1
      >>> atlassian_pbkdf2_sha1.encrypt("password")
      '{PKCS5S2}fU8ppRTCuJeS8n7PGYOQMhVqZ4hUidTIiWI4K8R8IBOXm/lYywaouSLtvlTeTr3V'
      >>> atlassian_pbkdf2_sha1.encrypt("password")
      '{PKCS5S2}+X+PMcYYAwBAKIWwFsJY639EipU1NXJfc1jKC5VYHZV7zoDI4zTEpKO4xZQoegg1'
      >>> atlassian_pbkdf2_sha1.encrypt("password")
      '{PKCS5S2}1Nq7N2YM4ZyTstZaSynlnGGh2rgAG+b7SB+9xreszUhrE39BnfwNg2RGm6tqvDg2'
      >>> atlassian_pbkdf2_sha1.encrypt("password")
      '{PKCS5S2}bu1dK0WotXYuBaB0bo2RslxMAp4JawLofUFw4S5fZdAtfsm3Ats6kO6j5NaHZCdt'
      >>> atlassian_pbkdf2_sha1.encrypt("password")
      '{PKCS5S2}z/mfc47xvjcm5Ny7dw7BeExB68Oc4XiTJvUS5HRAadKr4/Aomn1WOMMrMWtikUPK'
        

    • Supported hashing algorithms:
      • Archaic Unix Schemes:
        • passlib.hash.des_crypt – DES Crypt
        • passlib.hash.bsdi_crypt – BSDi Crypt
        • passlib.hash.bigcrypt – BigCrypt
        • passlib.hash.crypt16 – Crypt16
      • Standard Unix Schemes:
        • passlib.hash.md5_crypt – MD5 Crypt
        • passlib.hash.bcrypt – BCrypt
        • passlib.hash.sha1_crypt – SHA-1 Crypt
        • passlib.hash.sun_md5_crypt – Sun MD5 Crypt
        • passlib.hash.sha256_crypt – SHA-256 Crypt
        • passlib.hash.sha512_crypt – SHA-512 Crypt
      • Other Modular Crypt Schemes:
        • passlib.hash.apr_md5_crypt – Apache’s MD5-Crypt variant
        • passlib.hash.phpass – PHPass’ Portable Hash
        • passlib.hash.pbkdf2_digest – Generic PBKDF2 Hashes
        • passlib.hash.cta_pbkdf2_sha1 – Cryptacular’s PBKDF2 hash
        • passlib.hash.dlitz_pbkdf2_sha1 – Dwayne Litzenberger’s PBKDF2 hash
        • passlib.hash.scram – SCRAM Hash
        • passlib.hash.bsd_nthash – FreeBSD’s MCF-compatible nthash encoding
        • passlib.hash.unix_disabled – Unix Disabled Account Helper
      • Standard LDAP (RFC2307) Schemes:
        • passlib.hash.ldap_md5 – MD5 digest
        • passlib.hash.ldap_sha1 – SHA1 digest
        • passlib.hash.ldap_salted_md5 – salted MD5 digest
        • passlib.hash.ldap_salted_sha1 – salted SHA1 digest
        • passlib.hash.ldap_crypt – LDAP crypt() Wrappers
        • passlib.hash.ldap_plaintext – LDAP-Aware Plaintext Handler
      • Non-Standard LDAP Schemes:
        • passlib.hash.ldap_hex_md5 – Hex-encoded MD5 Digest
        • passlib.hash.ldap_hex_sha1 – Hex-encoded SHA1 Digest
        • passlib.hash.ldap_pbkdf2_digest – Generic PBKDF2 Hashes
        • passlib.hash.atlassian_pbkdf2_sha1 – Atlassian’s PBKDF2-based Hash
        • passlib.hash.fshp – Fairly Secure Hashed Password
        • passlib.hash.roundup_plaintext – Roundup-specific LDAP Plaintext Handler
      • SQL Database Hashes:
        • passlib.hash.mssql2000 – MS SQL 2000 password hash
        • passlib.hash.mssql2005 – MS SQL 2005 password hash
        • passlib.hash.mysql323 – MySQL 3.2.3 password hash
        • passlib.hash.mysql41 – MySQL 4.1 password hash
        • passlib.hash.postgres_md5 – PostgreSQL MD5 password hash
        • passlib.hash.oracle10 – Oracle 10g password hash
        • passlib.hash.oracle11 – Oracle 11g password hash
      • MS Windows Hashes:
        • passlib.hash.lmhash – LanManager Hash
        • passlib.hash.nthash – Windows’ NT-HASH
        • passlib.hash.msdcc – Windows’ Domain Cached Credentials
        • passlib.hash.msdcc2 – Windows’ Domain Cached Credentials v2
      • Other Hashes:
        • passlib.hash.cisco_pix – Cisco PIX hash
        • passlib.hash.cisco_type7 – Cisco “Type 7” hash
        • passlib.hash.django_digest – Django-specific Hashes
        • passlib.hash.grub_pbkdf2_sha512 – Grub’s PBKDF2 Hash
        • passlib.hash.hex_digest – Generic Hexadecimal Digests
        • passlib.hash.plaintext – Plaintext
      • Cisco “Type 5” hashes
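The {PKCS5S2} strings in the session above are PBKDF2-HMAC-SHA1 outputs, so they can be produced and checked from the Python standard library alone. The block below is an added example written for this page, not code from the blog or from passlib; it assumes the parameters passlib documents for atlassian_pbkdf2_sha1 (10000 iterations, 16-byte random salt, 32-byte derived key, base64 of salt followed by key). It also adds a crypt_rounds helper that reads the work factor out of the $1$ and $5$ strings shown earlier, which is the figure to audit when a hash was produced with a lowered rounds= value like the rounds=12345 call above.

```python
# Added example (not from the blog post and not passlib's own code): the
# "{PKCS5S2}" scheme the session above produces, built from the standard
# library, plus a work-factor check for modular-crypt strings.
#
# Assumed PKCS5S2 parameters (as passlib documents atlassian_pbkdf2_sha1):
# PBKDF2-HMAC-SHA1, 10000 iterations, 16-byte random salt, 32-byte derived
# key, encoded as "{PKCS5S2}" + base64(salt || derived_key).
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

PREFIX = "{PKCS5S2}"
ITERATIONS = 10000
SALT_LEN = 16
KEY_LEN = 32


def pkcs5s2_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Hash a password; a fresh random salt is drawn unless one is given."""
    if salt is None:
        salt = os.urandom(SALT_LEN)   # new salt per call, so repeated hashes differ
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be %d bytes" % SALT_LEN)
    dk = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt,
                             ITERATIONS, KEY_LEN)
    return PREFIX + base64.b64encode(salt + dk).decode("ascii")


def pkcs5s2_split(stored: str) -> Tuple[bytes, bytes]:
    """Return (salt, derived_key) from a stored {PKCS5S2} string."""
    if not stored.startswith(PREFIX):
        raise ValueError("not a {PKCS5S2} hash")
    raw = base64.b64decode(stored[len(PREFIX):], validate=True)
    if len(raw) != SALT_LEN + KEY_LEN:
        raise ValueError("unexpected payload length %d" % len(raw))
    return raw[:SALT_LEN], raw[SALT_LEN:]


def pkcs5s2_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt, expected = pkcs5s2_split(stored)
    candidate = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt,
                                    ITERATIONS, KEY_LEN)
    return hmac.compare_digest(candidate, expected)


def crypt_rounds(stored: str) -> Optional[int]:
    """Iteration count implied by a modular-crypt string, or None if unknown.

    $5$/$6$ (SHA-crypt) carry an optional rounds=N field and default to 5000;
    $1$ (MD5-crypt) is fixed at 1000 and cannot be raised.
    """
    fields = stored.split("$")
    if len(fields) < 3 or fields[0] != "":
        return None
    ident = fields[1]
    if ident == "1":
        return 1000
    if ident in ("5", "6"):
        if fields[2].startswith("rounds="):
            return int(fields[2][len("rounds="):])
        return 5000
    return None


def weak_work_factor(stored: str, minimum: int = 5000) -> bool:
    """Audit helper: True when the stored hash uses fewer rounds than wanted."""
    rounds = crypt_rounds(stored)
    return rounds is not None and rounds < minimum


if __name__ == "__main__":
    h = pkcs5s2_hash("password")
    print(h)
    print(pkcs5s2_verify("password", h), pkcs5s2_verify("letmeinplz", h))
    # Sample strings copied from the session output earlier on this page.
    for s in ("$1$QIGCa$/ruJs8AvmrknzKTzM2TYE.",
              "$5$rounds=12345$Kk9DTJPMRyxGFB3q$7tdzdJXq4YRu7ms6PGo7zTlOHVwYOQO1aUeUsZ3Mrl5"):
        print(s[:24], crypt_rounds(s), "weak" if weak_work_factor(s) else "ok")
```

Because a fresh salt is drawn on every call, two hashes of the same password differ, exactly as the repeated encrypt() calls above show; verification therefore reuses the salt embedded in the stored string instead of drawing a new one, and the comparison is done with hmac.compare_digest so that a mismatch does not leak how many leading bytes agreed.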

Passphrase Hashes

Articles


Passwords related postings at this blog:

2011.05.03

2011.02.28

Personal computer security

Anti-malware (=Antivirus)

Misc:

Anti-spyware

Misc:

Anti-Rootkit / Rootkit detection

  • Trend Micro’s RootkitBuster – http://free.antivirus.com/rootkit-buster/
      A rootkit scanner that offers the ability to scan for hidden files, registry entries, processes, drivers, hooked system services, and the MBR. It also includes cleaning capability for hidden files and registry entries. Master Boot Record (MBR) rootkit detection gives RootkitBuster the ability to detect hidden MBR content. It can spot all variants of MBR rootkit in the wild. MBR rootkits first began appearing in the wild in late 2007. New variants continue to appear.
  • Trend Micro’s RUBotted – http://free.antivirus.com/rubotted/:
      Malicious software called Bots can secretly take control of computers and make them participate in networks called “Botnets.” These networks can harness massive computing power and Internet bandwidth to relay spam, attack web servers, infect more computers, and perform other illicit activities. RUBotted monitors your computer for suspicious activities and regularly checks with an online service to identify behavior associated with Bots. Upon discovering a potential infection, RUBotted prompts you to scan and clean your computer.
  • Sophos Anti-Rootkit – http://www.sophos.com/products/free-tools/sophos-anti-rootkit.html
  • chkrootkit – http://www.chkrootkit.org/ (Mac and many Linux/Unix versions)
  • GMER – http://www.gmer.net/ – (Windows)

Email security

File and container/volume encryption

“Secure” file erasure

Privacy cleaners

Steganography

Passwords management

Host-based (aka “Personal”) firewalls

More on this blog: IpTables – https://eikonal.wordpress.com/2011/01/24/iptables/ | Port Knocking – https://eikonal.wordpress.com/2010/10/05/port-knocking/ | Firewalls – https://eikonal.wordpress.com/2012/05/04/firewalls/

Web proxies

Related:

Process scanners

2010.07.14

Javascript Password Strength Meter

Filed under: passwords — sandokan65 @ 13:03

http://www.geekwisdom.com/dyn/passwdmeter

Code (http://www.geekwisdom.com/js/passwordmeter.js):

/* ************************************************************
Created: 20060120
Author:  Steve Moitozo  -- geekwisdom.com
Description: This is a quick and dirty password quality meter 
		 written in JavaScript so that the password does 
		 not pass over the network.
License: MIT License (see below)
Modified: 20060620 - added MIT License
Modified: 20061111 - corrected regex for letters and numbers
                     Thanks to Zack Smith -- zacksmithdesign.com
---------------------------------------------------------------
Copyright (c) 2006 Steve Moitozo 

Permission is hereby granted, free of charge, to any person 
obtaining a copy of this software and associated documentation 
files (the "Software"), to deal in the Software without 
restriction, including without limitation the rights to use, 
copy, modify, merge, publish, distribute, sublicense, and/or 
sell copies of the Software, and to permit persons to whom the 
Software is furnished to do so, subject to the following 
conditions:

   The above copyright notice and this permission notice shall 
be included in all copies or substantial portions of the 
Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY 
KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE 
WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE 
AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT 
HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, 
WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING 
FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE 
OR OTHER DEALINGS IN THE SOFTWARE. 
---------------------------------------------------------------


Password Strength Factors and Weightings

password length:
level 0 (3 points): less than 4 characters
level 1 (6 points): between 5 and 7 characters
level 2 (12 points): between 8 and 15 characters
level 3 (18 points): 16 or more characters

letters:
level 0 (0 points): no letters
level 1 (5 points): all letters are lower case
level 2 (7 points): letters are mixed case

numbers:
level 0 (0 points): no numbers exist
level 1 (5 points): one number exists
level 2 (7 points): 3 or more numbers exist

special characters:
level 0 (0 points): no special characters
level 1 (5 points): one special character exists
level 2 (10 points): more than one special character exists

combinations:
level 0 (1 point): letters and numbers exist
level 1 (1 point): mixed case letters
level 2 (2 points): letters, numbers and special characters 
					exist
level 3 (2 points): mixed case letters, numbers and special 
					characters exist


NOTE: Because I suck at regex the code might need work
	  
NOTE: Instead of putting out all the logging information,
	  the score, and the verdict it would be nicer to stretch
	  a graphic as a method of presenting a visual strength
	  gauge.

************************************************************ */
function testPassword(passwd)
{
		var intScore   = 0;
		var strVerdict = "weak";
		var strLog     = "";
		
		// PASSWORD LENGTH
		// (the comparison operators were lost when this page was extracted; they are
		// restored here from the weightings table in the header comment)
		if (passwd.length < 5)                                   // length 4 or less
		{
			intScore = (intScore+3);
			strLog   = strLog + "3 points for length (" + passwd.length + ")\n";
		}
		else if (passwd.length > 4 && passwd.length < 8)         // length between 5 and 7
		{
			intScore = (intScore+6);
			strLog   = strLog + "6 points for length (" + passwd.length + ")\n";
		}
		else if (passwd.length > 7 && passwd.length < 16)        // length between 8 and 15
		{
			intScore = (intScore+12);
			strLog   = strLog + "12 points for length (" + passwd.length + ")\n";
		}
		else if (passwd.length > 15)                             // length 16 or more
		{
			intScore = (intScore+18);
			strLog   = strLog + "18 points for length (" + passwd.length + ")\n";
		}
		
		
		// LETTERS (Not exactly implemented as dictated above because of my limited understanding of Regex)
		if (passwd.match(/[a-z]/))                               // [verified] at least one lower case letter
		{
			intScore = (intScore+1);
			strLog   = strLog + "1 point for at least one lower case char\n";
		}
		
		if (passwd.match(/[A-Z]/))                               // [verified] at least one upper case letter
		{
			intScore = (intScore+5);
			strLog   = strLog + "5 points for at least one upper case char\n";
		}
		
		// NUMBERS
		if (passwd.match(/\d+/))                                  // [verified] at least one number
		{
			intScore = (intScore+5);
			strLog   = strLog + "5 points for at least one number\n";
		}
		
		if (passwd.match(/(.*[0-9].*[0-9].*[0-9])/))              // [verified] at least three numbers
		{
			intScore = (intScore+5);
			strLog   = strLog + "5 points for at least three numbers\n";
		}
		
		
		// SPECIAL CHAR
		// The original class /.[!,@,#,...]/ listed the characters comma-separated, which
		// made "," itself count as special, and its leading "." skipped a special
		// character in position 0; both are corrected below.
		if (passwd.match(/[!@#$%^&*?_~]/))                        // [verified] at least one special character
		{
			intScore = (intScore+5);
			strLog   = strLog + "5 points for at least one special char\n";
		}
		
		                                                          // [verified] at least two special characters
		if (passwd.match(/[!@#$%^&*?_~].*[!@#$%^&*?_~]/))
		{
			intScore = (intScore+5);
			strLog   = strLog + "5 points for at least two special chars\n";
		}
	
		
		// COMBOS
		if (passwd.match(/([a-z].*[A-Z])|([A-Z].*[a-z])/))         // [verified] both upper and lower case
		{
			intScore = (intScore+2);
			strLog   = strLog + "2 combo points for upper and lower letters\n";
		}

		if (passwd.match(/([a-zA-Z])/) && passwd.match(/([0-9])/)) // [verified] both letters and numbers
		{
			intScore = (intScore+2);
			strLog   = strLog + "2 combo points for letters and numbers\n";
		}
 
		                                                          // [verified] letters, numbers, and special characters
		if (passwd.match(/([a-zA-Z0-9].*[!@#$%^&*?_~])|([!@#$%^&*?_~].*[a-zA-Z0-9])/))
		{
			intScore = (intScore+2);
			strLog   = strLog + "2 combo points for letters, numbers and special chars\n";
		}
	
	
		// VERDICT (the band limits 15/24/34/45 are the original's; the labels for
		// the two lowest bands did not survive extraction, so "very weak" and
		// "mediocre" are used here)
		if (intScore < 16)
		{
		   strVerdict = "very weak";
		}
		else if (intScore > 15 && intScore < 25)
		{
		   strVerdict = "weak";
		}
		else if (intScore > 24 && intScore < 35)
		{
		   strVerdict = "mediocre";
		}
		else if (intScore > 34 && intScore < 45)
		{
		   strVerdict = "strong";
		}
		else
		{
		   strVerdict = "stronger";
		}
	
	// Write into the page form when running in a browser; the result is also
	// returned so the function can be exercised outside one.
	if (typeof document !== "undefined" && document.forms.passwordForm)
	{
		document.forms.passwordForm.score.value = (intScore);
		document.forms.passwordForm.verdict.value = (strVerdict);
		document.forms.passwordForm.matchlog.value = (strLog);
	}
	return { score: intScore, verdict: strVerdict, log: strLog };
}
