Step 1. Getting Crack
Crack is readily available on the Internet. For this Daily Drill Down, Crack was downloaded from Purdue University. From this site, the following files were downloaded:
•crack5.0.tar.gz
•crack5.0.README
•alec_muffet.asc
•crack5.0.tar.gz.asc
If a hacker is able to modify the source code for security applications and then present the modified package as if it were the original, any system the modified code is installed on becomes wide open to attack. To ensure the integrity of any packages you are planning to install, download PGP Command Line Freeware v6.5.8 for Linux/UNIX from MIT.
Once pgp is installed on your system, your first task is to add Alec Muffett's public key to your pgp keyring. To add the key to your keyring, use the command:
pgp alec_muffet.asc
Now, Alec Muffett's public key may be used to verify the integrity of the Crack package you have downloaded. To verify the integrity of the package you have downloaded, run the command:
pgp crack5.0.tar.gz.asc
If pgp verifies the integrity of the package, copy crack5.0.tar.gz to the /usr/src subdirectory, then untar and uncompress Crack with the command:
tar -zxvf crack5.0.tar.gz
The Crack package will expand into the c50a directory. This directory and its subdirectories contain the source code required to build crack 5.0, and the scripts necessary to run Crack.
Step 2. Selecting the correct C compiler
The correct C compiler is selected by editing the /usr/src/c50a/Crack file. Look for the section heading "Vanilla Unix cc." Change this section from:
# vanilla Unix cc
CC=cc
CFLAGS="-g -O $C5FLAGS"
#LIBS=-lcrypt # uncomment only if necessary to use stdlib crypt(), eg: NetBSD MD5
# gcc 2.7.2
#CC=gcc
#CFLAGS="-g -O2 -Wall $C5FLAGS"
#LIBS=-lcrypt # uncomment only if necessary
to:
# vanilla Unix cc
#CC=cc
#CFLAGS="-g -O $C5FLAGS"
#LIBS=-lcrypt # uncomment only if necessary to use stdlib crypt(), eg: NetBSD MD5
# gcc 2.7.2
CC=gcc
CFLAGS="-g -O2 -Wall $C5FLAGS"
LIBS=-lcrypt # uncomment only if necessary
Step 3. Selecting the correct password hashing method
Linux password hashing
Once step two is completed, you need to prepare Crack for the password hashing method used on your system. Hashing provides password security by taking data, such as passwords for input, and generating a mathematical value for the input by applying a mathematical rule, or algorithm. Hashing algorithms are often referred to as "one-way." This means that a hash value may be created from any input, but the input cannot be recreated from the hash. Once a file has been hashed, a small change in the file will produce a completely different hash. The most important feature of hashing algorithms is that it is extremely hard to find two sets of data with the same hash value. The two hashing algorithms most often used for Linux password hashing are Crypt(3), MD5, and bigcrypt.
Building Crack for crypt(3)
The standard hashing algorithm for Linux is crypt(3). Crypt(3) has the following characteristics:
•This method uses the DES algorithm, which accepts a maximum of eight characters (64 bits) as input and generates a 104-bit hash value.
•This 104-bit value consists of 13 characters; the first two characters are not part of the hash.
•Each user's hashed password is unique, and is stored in either /etc/password or /etc/shadow.
•Whenever a user enters his or her password, the password is hashed by crypt(3), and the resulting hash is compared to the value stored in /etc/passwd or /etc/shadow.
•If the values match, the user gains access. If the values don't match, the user is denied access.
No modifications to the Crack script are required if your system is running crypt(3) hashing, but one change to consider making is to use libdes, a hashing engine included with crack5.0. The libdes engine is required if you plan to use crack7, which is a brute-force password-guessing program. To use the libdes engine, execute the following commands:
cd /usr/src/c50a/src/libdes
make
Building Crack for MD5
MD5, or the MD5 message digest algorithm, from RSA Security’s site, is one of the most common hashing algorithms in use today. Quite often, MD5 password hashing is selected during the Linux installation process. Passwords hashed using MD5 are not easily decrypted. MD5 takes input data and generates a 128-bit fingerprint, or message digest, from this input. It is practically impossible to get the same message digest from two different files.
To build Crack for use with an MD5 hashing scheme, execute the following commands:
cd /usr/src/cd50a/src
mv libdes libdes.orig
cd util
cp elcid.c elcid.c.orig
cp elcid.c,bsd elcid.c
Building Crack for bigcrypt
On Red Hat Linux, version 5.2 or newer, the libc-crypt library is pre-installed. This allows the use of bigcrypt. If the libc-crypt library is required, it may be downloaded from Red Hat’s official site or gnu.org.
Once libc-crypt has been installed, the file /usr/src/c50a/src/util/elcid.c must be edited. Change the following two lines in this file:
#define PLAINTEXTSIZE 8
#undef CRYPT16
to
#define PLAINTEXTSIZE 16
#define CRYPT16
Once you have made the appropriate changes for the encryption method used on your system, you're ready to compile Crack. To compile Crack, use the command:
./Crack -makeonly
If ./Crack -makeonly terminates because of an error, the standard procedure is to correct the error and then compile the code again. When ./Crack -makeonly is executed, the first action taken is to remove all object files created by the previous compilation. The /usr/src/c50a/run subdirectory is not removed, however, and this results in the Crack script looking for object files that don't exist. When this condition occurs, run either of the following commands to ensure the next execution will not look for these object files:
make clobbermake spotless
Once the ./Crack -makeonly script executes with no errors, the next step is to compile the crack dictionaries.
Step 4. Build the Crack dictionaries
A Crack dictionary is simply a file consisting of one string of alphanumeric or nonalphanumeric characters per line. The default dictionaries that come with Crack are located in /usr/src/c50a/dict. There are three subdirectories, and each one contains collections of words based upon a different subject. When Crack is executed, dictionaries are generated based on the list of dictionary groups contained in the /usr/src/c50a/conf/dictgrps.conf file. The default dictgrps.conf file packaged with Crack is shown in Example 1. For this example, several commented lines at the beginning of the file are not shown. The lines shown are the ones that concern the administrator.
Example 1. The default dictgrps.conf file# List what source files will be used to create <which> dictionaries:
#
# <dictionary tag>:<fileglob> <fileglob> ...
#
# Dict '1' is created from /usr/dict/words (etc) and $CRACK_HOME/dict/1/*
# Dict '2' is created from $CRACK_HOME/dict/2/*
# Dict '3' is created from $CRACK_HOME/dict/3/*
1:/usr/dict/*words* dict/1/*
2:dict/2/*
3:dict/3/*
Each dictionary group is a collection of word lists contained in the /c50a/dict/1,2 or 3 subdirectory. The order of the dictionaries is important, because this is how Crack determines which dictionaries will be used to guess passwords first. The last three lines of this file are the ones that matter to administrators. The number to the left of the colon is called the dictionary tag. This tag sets the priority for the dictionary group to the right of the colon. The lower the number, the sooner Crack will use this dictionary group to guess passwords. To make the most out of your Crack runs, arrange the dictionary groups in this file so that Crack attempts to guess the most common passwords first.
Some administrators will want to install additional dictionaries. Two good sources for dictionaries are Purdue University and Oxford.
Any naming convention may be used for dictionaries. Dictionaries in any subdirectories under /usr/src/c50a/dict, however, must use the .DWG extension. The new dictionaries may be placed in existing dictionary groups, or new groups may be created by adding new tags to the conf/dictgrps.conf file. Once additional dictionaries have been added, the Crack dictionaries are built with the command:
./Crack -makedict
Step 5. Merging shadow passwords
If you don't use shadow passwords then you can start running Crack without any more modifications. If you are using shadowed passwords (and you should), then you will have to merge the hashed passwords into a single file. This is accomplished with the command:
[color=red]copy /etc/shadow /root/pw-merged
shadmrg.sv > /root/pw-merged[/color]
In the example above, the hashed passwords in /etc/shadow have been merged into a single file and written to a new file named /root/pw-merged. The root directory was chosen for this file because it has no "other" permissions. Only the root user and users in the root group may read or cd into this directory.
Once this step is completed, you’re ready to start running Crack.
Step 6. Running crack
To execute, simply execute the Crack script with the following command:
./Crack /root/pw-merged
When Crack is run, the cracker program is executed. The cracker program takes a long time to complete its run. This is because of the large number of computations Crack has to perform to guess passwords. Although there are several password-guessing programs available, a typical attempt at guessing passwords would involve the following steps:
1.The program will try easy passwords to guess, such as "password" or the user name.
2.The program will then run through all words in its dictionaries, which usually include common passwords.
3.The program will use foreign language dictionaries and any special dictionaries. For example, an administrator in a hospital may create a dictionary of medical terms that could be used as passwords by medical staff.
4.The program will then try all combinations of letters up to a specified limit, e.g., six letters.
5.Lastly, the program will try all combinations of upper and lowercase letters, numbers, and punctuation marks, up to a specified limit, e.g., four characters.
These procedures ensure that all combinations of letters, numbers, and characters will be used to guess passwords. The problem is that these procedures create a huge amount of work for your processor. Let's assume you have established a password rule where users may use letters only in their passwords, and must use eight letters. Each value in the hashed password represents one letter. Therefore, each value represents one out of a possible 26 letters. When eight letters are used in the password, the password can be one of 268 combinations, or 208,000,000,000 possible combinations. That's for an eight-character password using letters only. Once other characters are added to passwords, such as numbers or nonalphanumeric characters (*,/,\.%,$,#, etc.), the password is even more difficult to guess. Guessing passwords is one of the most intense loads an administrator can place on his or her resources. Run Crack when network usage is light (weekends), and on the most capable CPU at your disposal.
While Crack is attempting to guess passwords, the administrator is able to check on the progress of the run by using the Reporter script. To execute the Reporter script, run the command:
./Reporter -quiet
There are only two options to select from when executing Reporter: Quiet mode is used to suppress warning and error messages; HTML mode is used to generate Reporter in HTML format.
To generate Reporter output in HTML format, use the command:
./Reporter –html
Suspending Crack Runs
The pauser script, located in the c50a/scripts subdirectory, is used to suspend Crack runs. The pauser script performs the following actions:
•While Crack is running, the pauser script is executed approximately every minute.
•The pauser script looks for a file named GOTO-SLEEP in the CRACK_HOME directory. If the file exists, the pauser script sleeps for one minute, and then looks for the GOTO-SLEEP file again.
•If the file is found again, pauser goes back to sleep.
•If the GOTO-SLEEP file is not found, the pauser script returns control to the cracker process that invoked pauser.
•To suspend a Crack run, the administrator needs to create the GOTO-SLEEP in the /usr/src/c50a directory.
•To create the GOTO-SLEEP file, use the command:
touch /usr/src/c50a/GOTO-SLEEP
The pauser script also provides the administrator with the ability to run Crack only at night and on weekends. If this is required, remove the comments (#), from lines 3 to 9 in the following section of the pauser script.
1. # Go to sleep between 0800 and 1759 inclusive, except weekends
2. ###
3. # set `date '+%H %w'` # $1=hour(00..23) $2=day(0..6)
4. #
5. # if [ "$1" -ge 8 -a "$1" -le 17 -a "$2" -ge 1 -a "$2" -le 5 ]
6. # then
7. # sleep $POLL
8. # continue
9. # fi
break # like, y'know, totally gross, man...
done
exit 0
Terminating Crack runs
The plaster script, also located in c50a/scripts, is used to terminate Crack runs correctly. To shut down a Crack run correctly, run the following commands as root:
cd /usr/src/c50a/scripts
./plaster
make tidy
The plaster script will kill processes associated with both the Crack script and the cracker program.
The make tidy command will clean up various files created during the Crack run.
Conclusion
The Crack utility is a security tool that all system administrators should know how to use. Regularly scheduled Crack runs will provide the administrator with the ability to eliminate easily guessed passwords. This Daily Drill Down covered the installation and configuration of Crack on a Linux system. We discussed the installation of Crack and editing Crack configuration files to match the password hashing method being used. We also discussed how to build Crack dictionaries. Finally, we looked at the facilities available to read information generated by Crack, and the commands and procedures used to run, suspend, or terminate Crack runs.
Part two of this series will cover using Crack over networks, the Crack7 brute-force password guessing program, and creating Crack rules to control how Crack uses the dictionaries to guess passwords.
The authors and editors have taken care in preparation of the content contained herein but make no expressed or implied warranty of any kind and assume no responsibility for errors or omissions. No liability is assumed for any damages. Always have a verified backup before making any changes. ......Join the TechRepublic Community and join the conversation! Signing-up is free and quick, Do it now, we want to hear your opinion.

# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth1 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT