Eikonal Blog

2012.04.27

Logon Banners

Filed under: infosec, security hardening, web security — sandokan65 @ 15:06
  • On Linux systems, put pre-login banner text in the files /etc/banner, /etc/issue (shown by getty on local consoles) and /etc/issue.net (shown to network logins, e.g. by telnetd); put the after-login banner in /etc/motd.
  • For OpenSSH servers (e.g. on Linux systems), activate the banner for SSH/SFTP/SCP logins by including the following (uncommented) line in /etc/ssh/sshd_config:
    Banner /etc/banner
  • TELNET:
    • On Linux, if Kerberized TELNET is used, edit /etc/xinetd.d/krb5-telnet to add the following line:
      banner = /etc/issue
    • Older versions of TELNET may use /etc/default/telnetd containing the line:
        BANNER="\\n\\nThis should be a telnet banner\\n\\n"
  • FTP:
    • If gssftp is used (on Linux), edit /etc/xinetd.d/gssftp to add the following line:
      banner = /etc/issue
    • If wu-ftpd is used (on Linux), edit /etc/ftpaccess to add the following line (ftpaccess takes no "=" between keyword and value):
      banner /etc/issue
    • The FTP banner may also be kept in /etc/ftpd/banner.msg (or any file external to /etc/ftpd/ftpaccess) by adding the following line to /etc/ftpd/ftpaccess:
      banner /etc/ftpd/banner.msg
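As an added example (not from the original post), here is a small Python audit script that reads sshd_config text and reports whether a usable pre-login banner is actually in effect. It mirrors how sshd reads the file: comment lines such as the stock "#Banner none" are ignored, the first value seen for a keyword wins, and anything below a Match line applies only to the matching connections, so a Banner placed there is not a global banner. The two config samples are constructed, and the file-existence checks are injectable so the script runs without touching a real host.

```python
"""Audit an sshd_config for an effective pre-login banner (added example)."""
import os
import re

# keyword, then "=" or whitespace (sshd accepts both), then the argument
_DIRECTIVE = re.compile(r"^([A-Za-z0-9]+)(?:\s*=\s*|\s+|$)(.*?)\s*$")


def global_directives(config_text):
    """Yield (keyword_lower, value) for uncommented directives that apply to
    every connection, i.e. those that appear before the first Match block."""
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _DIRECTIVE.match(line)
        if not m:
            continue
        keyword, value = m.group(1).lower(), m.group(2)
        if keyword == "match":
            break  # everything below is conditional on the Match criteria
        yield keyword, value.strip('"')


def effective_banner(config_text):
    """Path of the banner file sshd will show, or None. sshd keeps the first
    value it sees for a keyword, so later duplicates are ignored."""
    for keyword, value in global_directives(config_text):
        if keyword == "banner":
            return None if value.lower() == "none" else value
    return None


def audit_banner(config_text, isfile=os.path.isfile, getsize=os.path.getsize):
    """Return a list of findings; an empty list means a non-empty banner file
    is configured globally. File checks are injectable for offline testing."""
    banner = effective_banner(config_text)
    if banner is None:
        return ["no global Banner directive (or Banner none): pre-login banner is off"]
    if not isfile(banner):
        return ["Banner points at a missing file: " + banner]
    if getsize(banner) == 0:
        return ["Banner file is empty: " + banner]
    return []


# Constructed samples, not real host configurations.
WEAK_CONFIG = """\
# stock config: the directive is still commented out
#Banner none
Match User backup
    Banner /etc/banner
"""

HARDENED_CONFIG = """\
Banner /etc/banner
Banner=/etc/issue.net
Match User backup
    Banner none
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, effective_banner(cfg), audit_banner(cfg))
```

To audit a live host, read /etc/ssh/sshd_config and pass its contents to audit_banner with the default file checks; remember that sshd only re-reads the file on restart or reload, so the on-disk setting and the running one can differ.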

2011.07.08

Auditing Unix Security

Misc

2011.05.12

Passwords related postings

Generating password hashes

  • Generating a Unix-style MD5-crypt hash: openssl passwd -1 -salt QIGCa pippo
    • produces: $1$QIGCa$/ruJs8AvmrknzKTzM2TYE.
  • Generating a password hash using the system’s native crypt() function: perl -e 'print crypt("pippo", "\$1\$QIGCa"),"\n"'
    • produces: $1Su6NR9CFU/6 (a 13-character result of this shape means the local crypt() did not support MD5-crypt and fell back to traditional DES crypt, using only the first two characters of "$1$QIGCa" as the salt)
  • Using Python’s Passlib library (http://packages.python.org/passlib/):
    • Install Python (e.g. in Cygwin)
    • Install Passlib library following instructions at http://packages.python.org/passlib/install.html
    • start Python: python
    • Calculate the SHA-256-Crypt hash of the word “password”:

      >>> from passlib.hash import sha256_crypt
      >>> hash = sha256_crypt.encrypt("password")
      >>> hash
      '$5$rounds=80000$9GPMLb8EE.1QFrUk$Y0XQiZRKMhOrB2GcfCeWREG.x3jCfa5pbmxSO/hjCE3'
      >>> sha256_crypt.encrypt("password")
      '$5$rounds=80000$9fjOxTQNeyPhsCvp$XmyKju3TfWUEPXGPXMZ6sIPcv26Uok7NLPyZhx5g7R9'
      >>> sha256_crypt.encrypt("password", rounds=12345)
      '$5$rounds=12345$Kk9DTJPMRyxGFB3q$7tdzdJXq4YRu7ms6PGo7zTlOHVwYOQO1aUeUsZ3Mrl5'
      >>> sha256_crypt.verify("password", hash)
      True
      >>> sha256_crypt.verify("letmeinplz", hash)
      False
        

    • Generating BouncyCastle SHA1-512 hashes for use in Atlassian JIRA:

      >>> from passlib.hash import atlassian_pbkdf2_sha1
      >>> atlassian_pbkdf2_sha1.encrypt("password")
      '{PKCS5S2}fU8ppRTCuJeS8n7PGYOQMhVqZ4hUidTIiWI4K8R8IBOXm/lYywaouSLtvlTeTr3V'
      >>> atlassian_pbkdf2_sha1.encrypt("password")
      '{PKCS5S2}+X+PMcYYAwBAKIWwFsJY639EipU1NXJfc1jKC5VYHZV7zoDI4zTEpKO4xZQoegg1'
      >>> atlassian_pbkdf2_sha1.encrypt("password")
      '{PKCS5S2}1Nq7N2YM4ZyTstZaSynlnGGh2rgAG+b7SB+9xreszUhrE39BnfwNg2RGm6tqvDg2'
      >>> atlassian_pbkdf2_sha1.encrypt("password")
      '{PKCS5S2}bu1dK0WotXYuBaB0bo2RslxMAp4JawLofUFw4S5fZdAtfsm3Ats6kO6j5NaHZCdt'
      >>> atlassian_pbkdf2_sha1.encrypt("password")
      '{PKCS5S2}z/mfc47xvjcm5Ny7dw7BeExB68Oc4XiTJvUS5HRAadKr4/Aomn1WOMMrMWtikUPK'
        

    • Supported hashing algorithms:
      • Archaic Unix Schemes:
        • passlib.hash.des_crypt – DES Crypt
        • passlib.hash.bsdi_crypt – BSDi Crypt
        • passlib.hash.bigcrypt – BigCrypt
        • passlib.hash.crypt16 – Crypt16
      • Standard Unix Schemes:
        • passlib.hash.md5_crypt – MD5 Crypt
        • passlib.hash.bcrypt – BCrypt
        • passlib.hash.sha1_crypt – SHA-1 Crypt
        • passlib.hash.sun_md5_crypt – Sun MD5 Crypt
        • passlib.hash.sha256_crypt – SHA-256 Crypt
        • passlib.hash.sha512_crypt – SHA-512 Crypt
      • Other Modular Crypt Schemes:
        • passlib.hash.apr_md5_crypt – Apache’s MD5-Crypt variant
        • passlib.hash.phpass – PHPass’ Portable Hash
        • passlib.hash.pbkdf2_digest – Generic PBKDF2 Hashes
        • passlib.hash.cta_pbkdf2_sha1 – Cryptacular’s PBKDF2 hash
        • passlib.hash.dlitz_pbkdf2_sha1 – Dwayne Litzenberger’s PBKDF2 hash
        • passlib.hash.scram – SCRAM Hash
        • passlib.hash.bsd_nthash – FreeBSD’s MCF-compatible nthash encoding
        • passlib.hash.unix_disabled – Unix Disabled Account Helper
      • Standard LDAP (RFC2307) Schemes:
        • passlib.hash.ldap_md5 – MD5 digest
        • passlib.hash.ldap_sha1 – SHA1 digest
        • passlib.hash.ldap_salted_md5 – salted MD5 digest
        • passlib.hash.ldap_salted_sha1 – salted SHA1 digest
        • passlib.hash.ldap_crypt – LDAP crypt() Wrappers
        • passlib.hash.ldap_plaintext – LDAP-Aware Plaintext Handler
      • Non-Standard LDAP Schemes:
        • passlib.hash.ldap_hex_md5 – Hex-encoded MD5 Digest
        • passlib.hash.ldap_hex_sha1 – Hex-encoded SHA1 Digest
        • passlib.hash.ldap_pbkdf2_digest – Generic PBKDF2 Hashes
        • passlib.hash.atlassian_pbkdf2_sha1 – Atlassian’s PBKDF2-based Hash
        • passlib.hash.fshp – Fairly Secure Hashed Password
        • passlib.hash.roundup_plaintext – Roundup-specific LDAP Plaintext Handler
      • SQL Database Hashes:
        • passlib.hash.mssql2000 – MS SQL 2000 password hash
        • passlib.hash.mssql2005 – MS SQL 2005 password hash
        • passlib.hash.mysql323 – MySQL 3.2.3 password hash
        • passlib.hash.mysql41 – MySQL 4.1 password hash
        • passlib.hash.postgres_md5 – PostgreSQL MD5 password hash
        • passlib.hash.oracle10 – Oracle 10g password hash
        • passlib.hash.oracle11 – Oracle 11g password hash
      • MS Windows Hashes:
        • passlib.hash.lmhash – LanManager Hash
        • passlib.hash.nthash – Windows’ NT-HASH
        • passlib.hash.msdcc – Windows’ Domain Cached Credentials
        • passlib.hash.msdcc2 – Windows’ Domain Cached Credentials v2
      • Other Hashes:
        • passlib.hash.cisco_pix – Cisco PIX hash
        • passlib.hash.cisco_type7 – Cisco “Type 7” hash
        • passlib.hash.django_digest – Django-specific Hashes
        • passlib.hash.grub_pbkdf2_sha512 – Grub’s PBKDF2 Hash
        • passlib.hash.hex_digest – Generic Hexdecimal Digests
        • passlib.hash.plaintext – Plaintext
      • Cisco “Type 5” hashes
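As an added example, not code from the post, from passlib or from OpenSSL, the following pure-standard-library Python reproduces the MD5-crypt ($1$) scheme that the "openssl passwd -1" command above uses, and verifies a candidate password against a stored hash with a constant-time comparison. Recomputing the vector from the post (salt QIGCa, password pippo) is a cheap way to confirm that a hashing tool really implements the scheme before trusting its output. MD5-crypt is a legacy scheme with a fixed 1000 rounds; new deployments should prefer sha512_crypt or bcrypt from the passlib list above.

```python
"""Unix MD5-crypt ($1$) implemented from the original FreeBSD algorithm (added example)."""
import hashlib
import hmac

# Modular-crypt-format base64 alphabet used by the crypt(3) family
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MD5_MAGIC = b"$1$"


def _to64(value, count):
    """Encode the low 6*count bits of value, least-significant group first."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def md5_crypt(password, salt):
    """Return the $1$<salt>$<hash> string for password. The salt is cut at
    the first '$' and at 8 characters, as crypt(3) does."""
    pw = password.encode()
    salt_b = salt.encode().split(b"$")[0][:8]
    ctx = hashlib.md5(pw + MD5_MAGIC + salt_b)
    alt = hashlib.md5(pw + salt_b + pw).digest()
    # mix in len(pw) bytes of the alternate digest, 16 at a time
    remaining = len(pw)
    while remaining > 0:
        ctx.update(alt[:min(16, remaining)])
        remaining -= 16
    # for each bit of len(pw): a NUL byte for a 1 bit, the first password byte for a 0 bit
    bit = len(pw)
    while bit:
        ctx.update(b"\0" if bit & 1 else pw[:1])
        bit >>= 1
    final = ctx.digest()
    # 1000 stretching rounds whose input order depends on the round number
    for i in range(1000):
        rnd = hashlib.md5()
        rnd.update(pw if i & 1 else final)
        if i % 3:
            rnd.update(salt_b)
        if i % 7:
            rnd.update(pw)
        rnd.update(final if i & 1 else pw)
        final = rnd.digest()
    f = final
    # the 16 digest bytes are emitted in the scheme's fixed transposed order
    encoded = (
        _to64((f[0] << 16) | (f[6] << 8) | f[12], 4)
        + _to64((f[1] << 16) | (f[7] << 8) | f[13], 4)
        + _to64((f[2] << 16) | (f[8] << 8) | f[14], 4)
        + _to64((f[3] << 16) | (f[9] << 8) | f[15], 4)
        + _to64((f[4] << 16) | (f[10] << 8) | f[5], 4)
        + _to64(f[11], 2)
    )
    return "$1$" + salt_b.decode() + "$" + encoded


def verify_md5_crypt(password, stored):
    """Constant-time check of password against a $1$ hash; False on malformed input."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "" or parts[1] != "1":
        return False
    candidate = md5_crypt(password, parts[2])
    return hmac.compare_digest(candidate.encode(), stored.encode())


if __name__ == "__main__":
    # vector from the post: salt QIGCa, password pippo
    h = md5_crypt("pippo", "QIGCa")
    print(h)
    print(verify_md5_crypt("pippo", h), verify_md5_crypt("pluto", h))
```

verify_md5_crypt rebuilds the hash from the salt stored in the string, so it works for any $1$ entry, including one copied from /etc/shadow; the constant-time comparison avoids leaking how many leading characters matched.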

Passphrase Hashes

Articles


Passwords related postings at this blog:

2011.04.04

lastlog

2011.02.28

Code analysis, Debugging and reverse engineering / Code security

Tools

More

Personal computer security

Anti-malware (=Antivirus)

Misc:

Anti-spyware

Misc:

Anti-Rootkit / Rootkit detection

  • Trend Micro’s RootkitBuster – http://free.antivirus.com/rootkit-buster/
      A rootkit scanner that can scan for hidden files, registry entries, processes, drivers, hooked system services and the MBR. It also includes cleaning capability for hidden files and registry entries. Master Boot Record (MBR) rootkit detection gives RootkitBuster the ability to detect hidden MBR content, and it can spot all variants of MBR rootkit in the wild. MBR rootkits first began appearing in the wild in late 2007, and new variants continue to appear.
  • Trend Micro’s RUBotted – http://free.antivirus.com/rubotted/:
      Malicious software called bots can secretly take control of computers and make them participate in networks called “botnets.” These networks can harness massive computing power and Internet bandwidth to relay spam, attack web servers, infect more computers, and perform other illicit activities. RUBotted monitors your computer for suspicious activities and regularly checks with an online service to identify behavior associated with bots. Upon discovering a potential infection, RUBotted prompts you to scan and clean your computer.
  • Sophos Anti-Rootkit – http://www.sophos.com/products/free-tools/sophos-anti-rootkit.html
  • chkrootkit – http://www.chkrootkit.org/ (Mac and many Linux/Unix versions)
  • GMER – http://www.gmer.net/ – (Windows)

Email security

File and container/volume encryption

“Secure” file erasure

Privacy cleaners

Steganography

Passwords management

Host-based (aka “Personal”) firewalls

More on this blog: IpTables – https://eikonal.wordpress.com/2011/01/24/iptables/ | Port Knocking – https://eikonal.wordpress.com/2010/10/05/port-knocking/ | Firewalls – https://eikonal.wordpress.com/2012/05/04/firewalls/

Web proxies

Related:

Process scanners

2011.02.24

Database security

Database auditing

Misc info

2011.02.10

SUDO

Filed under: infosec, security hardening, unix — sandokan65 @ 11:38

2011.01.24

iptables

Filed under: firewalls, infosec, security hardening — sandokan65 @ 15:46

More on this blog: Personal Computer Security > Personal Firewalls – https://eikonal.wordpress.com/2011/02/28/personal-computer-security/ | Port Knocking – https://eikonal.wordpress.com/2010/10/05/port-knocking/ | Firewalls – https://eikonal.wordpress.com/2012/05/04/firewalls/

2011.01.13

Declawing Cookies


Disabling Flash cookies (LSOs)

2010.12.16

SSH, OpenSSH

SSHFS (SSH FileSystem)

Related:

Authentication via public keys

SFTP

FTPS vs SFTP

Using SCP

  • Example syntax for Secure Copy (scp) – http://www.hypexr.org/linux_scp_help.php
    • Copy the file “foobar.txt” from a remote host to the local host: $ scp your_username@remotehost.edu:foobar.txt /some/local/directory
    • Copy the file “foobar.txt” from the local host to a remote host: $ scp foobar.txt your_username@remotehost.edu:/some/remote/directory
    • Copy the directory “foo” from the local host to a remote host’s directory “bar”: $ scp -r foo your_username@remotehost.edu:/some/remote/directory/bar
    • Copy the file “foobar.txt” from remote host “rh1.edu” to remote host “rh2.edu”: $ scp your_username@rh1.edu:/some/remote/directory/foobar.txt \
      your_username@rh2.edu:/some/remote/directory/
    • Copying the files “foo.txt” and “bar.txt” from the local host to your home directory on the remote host: $ scp foo.txt bar.txt your_username@remotehost.edu:~
    • Copy multiple files from the remote host to your current directory on the local host: $ scp your_username@remotehost.edu:/some/remote/directory/\{a,b,c\} . Also: $ scp your_username@remotehost.edu:~/\{foo.txt,bar.txt\} .

Use of Expect with SSH suite applications

Password-less SFTP

Establish an SFTP connection to system AAAA, where user account BBBB has password CCCC, and change to directory DDDD, all without being prompted for the password:

    sftpToAAAA.expect
    #!/bin/expect
    # sftpToAAAA.expect
    # Log in to AAAA as BBBB with the hard-wired password CCCC, change to DDDD,
    # then hand the session over to the user.
    # Assumes AAAA's host key is already in known_hosts; otherwise sftp asks
    # a yes/no question first and the script hangs waiting for "password".
    
    spawn sftp BBBB@AAAA
    expect "password" {
       sleep 1
       send "CCCC\n"
    }
    # wait for the sftp prompt before issuing the first command
    expect "sftp>"
    send "cd DDDD\n"
    interact
    

All the usual warnings about the danger of hard-wiring passwords into scripts apply here.

Password-less SCP

Use scp to connect to system AAAA with user account BBBB (which has password CCCC) and upload the file EEEE to the directory DDDD, all without being prompted for the password:

    UploadEEEEtoAAAA.expect
    #!/bin/expect
    # UploadEEEEtoAAAA.expect
    # Upload EEEE to DDDD/EEEE on AAAA as BBBB with the hard-wired password CCCC.
    # Assumes AAAA's host key is already in known_hosts.
    spawn scp EEEE BBBB@AAAA:DDDD/EEEE
    expect "password" {
      send "CCCC\n"
    }
    # keep running until scp finishes; exiting earlier cuts the transfer short
    expect eof
    

More

2010.11.06

Security assessments for network infrastructure devices

2010.10.05

Port knocking

Filed under: firewalls, infosec, security hardening — sandokan65 @ 14:20

More on this blog: IpTables – https://eikonal.wordpress.com/2011/01/24/iptables/ | Personal Computer Security > Personal Firewalls – https://eikonal.wordpress.com/2011/02/28/personal-computer-security/ | Firewalls – https://eikonal.wordpress.com/2012/05/04/firewalls/

2010.07.13

Enforcing password virtues in Linux

Filed under: security hardening — sandokan65 @ 11:16

2010.04.20

Unix hardening

General

Passwords

Logging and auditing


Related:

Blog at WordPress.com.