Introduction to UNIX Password Security

Because UNIX is one of the most widely used server operating systems on the Internet, its security is of great concern, and that security rests largely on passwords. UNIX does not store passwords in clear text: each password is passed through a one-way function and only the result is kept, traditionally in the world-readable text file /etc/passwd. The one-way function has gone through several revisions; the classic crypt(3) routine is built on a modified DES. It uses the password as the 56-bit DES key, encrypts a constant block 25 times in succession, and perturbs the algorithm with a 12-bit salt (stored as the first two characters of the result) so that the same password produces different stored values for different users and a single precomputed table is of little use. Recovering a password from its stored value directly means searching the 56-bit key space, up to 2^56 trials, so in theory the work of cracking such a password by brute force is enormous.

In practice, however, the weakest link is not the algorithm but the way people choose passwords, and attackers exploit exactly that. Because writing a password down on paper is forbidden, many people pick something easy to remember, and that is what gives an intruder an opening.

Bell Labs researchers R. Morris and K. Thompson described this kind of attack in their 1979 paper on password security: information about a user is used to build a dictionary of the passwords he is likely to have chosen, such as his father's name, his girlfriend's name or birthday, street names, and so on. Each dictionary entry is then run through the same one-way function and the result is compared with the stored value in the password file; a match means the password has been guessed.

Generally speaking, this attack strategy is very effective. Ask yourself: is your password related to something in your own life?

In fact, once someone's personal data has been collected, the whole cracking process can be carried out by a simple C program, because the standard library already provides everything it needs:

There is a set of library routines that make it easy to work with the /etc/passwd file: read it entry by entry, look up a particular entry, and so on.

getpwuid() returns the /etc/passwd entry for a given UID; getpwnam() returns the entry for a given login name.

Both return a pointer to a passwd structure, which is declared in /usr/include/pwd.h. On the System V flavours the text describes it looks like this (modern systems such as Linux drop pw_age and pw_comment and keep only the remaining fields):

struct passwd {
    char   *pw_name;     /* login name */
    char   *pw_passwd;   /* hashed password (or "x" when shadowed) */
    uid_t   pw_uid;      /* UID */
    gid_t   pw_gid;      /* GID */
    char   *pw_age;      /* password ageing information (System V) */
    char   *pw_comment;  /* comment field, historically unused */
    char   *pw_gecos;    /* real name and other personal information */
    char   *pw_dir;      /* home directory */
    char   *pw_shell;    /* login shell */
};

The functions getpwent(), setpwent() and endpwent() step through the password file sequentially.

The first call to getpwent() opens /etc/passwd and returns a pointer to its first entry; the file stays open between calls, and each further call to getpwent() returns the next entry in turn. setpwent() rewinds the file to the beginning, and endpwent() closes it once you are done with it.

So the attacker only has to build a dictionary file, run each entry through the ready-made crypt(3) routine, open the password file with the functions above, and compare the results in a loop. One detail matters: because of the salt, each dictionary word has to be hashed separately for each account under attack, using the two-character salt taken from the start of that account's stored value, rather than hashed once and compared against every account.
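The attack loop described above, as an added example that is not code from the original article. It is written in Python so it runs without the crypt library: parse_passwd stands in for the getpwent() loop, Passwd mirrors the fields of struct passwd, and toy_crypt is a SHA-256 stand-in (an assumption, labelled in the code) for the 25-round DES crypt(3), keeping the same two-character-salt layout so the salt handling is the one crypt(3) requires. It goes slightly beyond the text by generating guesses from the GECOS field in the Morris and Thompson manner and by skipping shadowed or locked entries. The password file and word list are constructed for the example.

```python
"""Dictionary attack against a crypt(3)-style password file.

Added example, not code from the original article.  ASSUMPTIONS: the
one-way function toy_crypt() is a SHA-256 stand-in that keeps the shape
of crypt(3) output (2-character salt followed by the digest) so the
block runs without the crypt library; with libcrypt available the same
loop works with crypt.crypt(word, salt) in Python or crypt(3) in C.  The
password file and the word list below are constructed for the example.
"""
import hashlib
from typing import Dict, Iterable, Iterator, NamedTuple

SALT_LEN = 2  # crypt(3): the salt is the first two characters of the stored value


class Passwd(NamedTuple):
    """Python counterpart of the C struct passwd fields used below."""
    pw_name: str
    pw_passwd: str   # stored hash, or "x"/"*"/"!" when shadowed or locked
    pw_uid: int
    pw_gid: int
    pw_gecos: str    # real name and other personal data, a goldmine for guesses
    pw_dir: str
    pw_shell: str


def toy_crypt(password: str, salt: str) -> str:
    """Stand-in for crypt(3) (assumption: SHA-256 instead of 25-round DES)."""
    salt = salt[:SALT_LEN]
    digest = hashlib.sha256((salt + password).encode()).hexdigest()
    return salt + digest[:11]  # 13 characters, like a traditional DES hash


def parse_passwd(text: str) -> Iterator[Passwd]:
    """Equivalent of looping over getpwent(): one Passwd per line of the file."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        name, pw, uid, gid, gecos, home, shell = fields
        yield Passwd(name, pw, int(uid), int(gid), gecos, home, shell)


def candidates(entry: Passwd, wordlist: Iterable[str]) -> Iterator[str]:
    """Morris/Thompson style guesses: the user's own data first, then the
    general word list, each with a few common manglings."""
    personal = [entry.pw_name] + entry.pw_gecos.replace(",", " ").split()
    seen = set()
    for base in personal + list(wordlist):
        for guess in (base, base.lower(), base.capitalize(),
                      base + "1", base + "123", base[::-1]):
            if guess and guess not in seen:
                seen.add(guess)
                yield guess


def crack(passwd_text: str, wordlist: Iterable[str], hashfn=toy_crypt) -> Dict[str, str]:
    """Return {login: password} for every entry a guess matched."""
    wordlist = list(wordlist)
    found: Dict[str, str] = {}
    for entry in parse_passwd(passwd_text):
        stored = entry.pw_passwd
        # "x", "*" or "!" means the hash lives in /etc/shadow or the account
        # is locked: there is nothing here to attack.
        if len(stored) <= SALT_LEN:
            continue
        salt = stored[:SALT_LEN]  # every guess must be hashed with THIS user's salt
        for guess in candidates(entry, wordlist):
            if hashfn(guess, salt) == stored:
                found[entry.pw_name] = guess
                break
    return found


# Constructed sample data (not a real password file).
SAMPLE_PASSWD = "\n".join([
    f"alice:{toy_crypt('Rover', 'aB')}:1001:100:Alice Liddell,dog Rover:/home/alice:/bin/sh",
    f"bob:{toy_crypt('qwerty123', 'Zq')}:1002:100:Bob Builder:/home/bob:/bin/csh",
    f"carol:{toy_crypt('N0tInList!', '7.')}:1003:100:Carol Danvers:/home/carol:/bin/ksh",
    "daemon:x:1:1:System daemon:/:/bin/false",  # shadowed: hash is not in this file
])
SAMPLE_WORDLIST = ["password", "qwerty", "letmein"]

if __name__ == "__main__":
    for user, pw in crack(SAMPLE_PASSWD, SAMPLE_WORDLIST).items():
        print(f"{user}: {pw}")
```

With a real crypt library, replace toy_crypt with crypt.crypt (or crypt(3) in C), which takes the same (password, salt) arguments; nothing else changes. Note that carol is not recovered: a password that is neither in the word list nor derived from personal data defeats this attack, which is exactly the point of the advice above.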

The Internet worm of November 2, 1988, still fresh in people's memory, broke into accounts using exactly this method.

Of course, many contemporary UNIX systems have taken countermeasures against this attack, such as storing the password hashes separately from the other user information in a file only root can read (the shadow password file), limiting the number of login attempts, and so on.

There are also other ways of stealing passwords, one of which is the Trojan horse. For example, you may find the following on your terminal:

Please enter your user name to logon:
Your password:

You dutifully enter your password. What you do not know is that this is most likely a Trojan horse program imitating the login prompt: it records your password and passes it on to the intruder.