قالب وردپرس درنا توس
Home / Tips and Tricks / Harden Sudo Password to Defend Against Hashcat Attacks «Zero Byte :: WonderHowTo

Harden Sudo Password to Defend Against Hashcat Attacks «Zero Byte :: WonderHowTo



Hackers are always looking for new ways to utilize systems and filter out passwords, even in hashed form. Sophisticated broken power attacks powered by advanced GPUs can perform millions of password attempts per second. But Ubuntu and Debian users are not completely helpless. There are ways to harden the hashed password to better defend against Hashcat attacks.

Why would an attacker steal my Sudo password?

Root privileges are usually required to access the / etc / shadow file in Ubuntu and Debian systems where the hashed passwords are stored. An attacker who extracts this data would suggest that they already have root privileges. Access to root level can be acquired without knowing the target's password with using the operating system or physically utilizing the device.

For example, the Linux kernel's vulnerabilities are revealed several times a year and never need to know the target's password to win a root shell. Similarly, the user function function is often abused to embed captivating cron jobs. It can be configured with just a few minutes of physical access to the target device and does not require a password.

If an attacker has got root access otherwise, why would they still need the sudo password? Well, there may be many reasons for this. The striker can try to do any of the following.

  • Switch to other devices or services on the network, and learn the password scheme used (eg, Hunter321
    ).
  • Dump encrypted passwords saved in Chrome or Firefox browsers. These encrypted passwords are sometimes secured by the user's login password.
  • Check if the username is reused for popular social media and banking sites.
  • Physical access to the device to log in. If the attacker used single-user mode to extract the password hash, they can attempt to crack it to log in when the target device is unattended.

There is really no one saying how far an attacker can turn with a single password that has been reused over accounts, websites, and network services. [19659002] How Debian and Ubuntu store passwords safely

The / etc / shadow file stores information about the target password, salt, hashing algorithm, password expiration date, and so on. You can execute the command below grip using the variable $ USER and the terminal automatically searches for the target user name in the / etc / shadow file.

  sudo seized $ USER /etc/shadow
tokyoneon:$6$oHP9lHDM$DyxrXl6U/t3A91eA4FWpc4n/Tn3tI.Cb1YRZT/p76kdcyTUiWTNMBDp1YrCFpJJtBRxfh71aGOZZHcXfY9qeN0:17762:0:99999:7:::

The sections are separated by colons ( : ) as shown below. We will focus on section 2. The other sections are not relevant to defending Hashcat (brute force) attacks, so I skip them at the moment.

  tokyoneon: $ 6 $ oHP9lHDM $ DyxrXl6U / t3A91eA4FWpc4n / Tn3tI.Cb1YRZT / p76kdcyTUiWTNMBDp1YrCFpJJtBRxfh71aGOZZHcXfY9qeN0: 17762: 0: 99999: 7 :::
---- 1 ----- | --------------------------------------- ----------- --- 2 ----------------------------------- ----------- | --- 3 --- | -4- | --- 5 --- | -6- | -7- | -8- | 

Section 2 is further separated by dollar signs ( $ ) into three sections.

  $ 6 $ oHP9lHDM $ DyxrXl6U / t3A91eA4FWpc4n / Tn3tI.Cb1YRZT / p76kdcyTUiWTNMBDp1YrCFpJJtBRxfh71aGOZZHcXfY9qeN00
| 1 | ---- 2 --- | -------------------------------------- -3 ---------- ------------------------------------ | These sections consist of the hash type ( 1 ), salt ( 2 ) and hashed password ( 3] ). The hash type denotes SHA-512, but type  (SHA-256) is also common. Salts are random values ​​used to create strong unique hashs. According to today's standards, this password is stored in a relatively secure form. But it can still be subject to a targeted attack. 

Latest 2018's EVGA GeForce RTX 2080 Ten GPU (Best for Password Cracking :): Buy from Amazon | Best Buy | Walmart

Step 1: Test Hash Against Hashcat

Of curiosity, I wanted to learn how many passwords a second Hashcat can perform against the above hash created in Ubuntu 18. This was tested with a generic Nvidia GeForce GTX 1060 GPU. The GPU is not advanced, but standard in many consumer desks these days. It would not be unreasonable to think that most hackers with dedicated password cracking machines can perform more calculations per second with a superior GPU.

  hashcat-a 3 -m 1800 /tmp/password_hash.txt? L? L? l? l? l? l 
 hashcat (v5.1.0) starts ...

OpenCL Platform # 1: NVIDIA Corporation
======================================
* Unit # 1: GeForce GTX 1060 3GB, 754/3018 MB Distributable, 9MCU

Session ..........: hashcat
Status ...........: Running
Hash.Type ........: sha512crypt $ 6 $, SHA512 (Unix)
Hash.Target ......: $ 6 $ oHP9lHDM $ DyxrXl6U / t3A91eA4FWpc4n / Tn3tI.Cb1YRZT / p ... Y9qeN0
Time.Started .....: Tue Mar 5 02:25:23 2019 (15 seconds)
Time.Estimated ...: Tue Mar 5 03:36:19 2019 (1 hour, 10 minutes)
Guess.Mask .......:? L? L? L? L? L [6]
Guess.Queue ......: 1/1 (100.00%)
Speed. # 1 .........: 72631 H / s (403.13ms) @ Accel: 1024 Sling: 512 Thr: 32 Vec: 1
Recovered ........: 0/1 (0.00%) Digests, 0/1 (0.00%) Salts
Progress ... 884736/308915776 (0.29%)
Rejected .........: 0/884736 (0.00%)
Restore.Point ....: 0/11881376 (0.00%)
Restore.Sub. # 1 ...: Salt: 0 Amplifier: 3-4 Iteration: 3072-3584
Candidates. # 1 ....: barier -> bjuhgi
Hardware.Mon. # 1 ..: Temp: 62c Fan: 35% Util: 100% Core: 1847MHz Mem: 3802MHz Bus: 16

[s] tatus [p] use [b] ypass [c] heckpoint [q] ut => 

The above Hashcat command performs a mask attack ( -a 3 ) using SHA-512 Unix hash type ( -m 1800 ) with all possible letters lowercase (? 1 ) combination. As we can see, it can perform 72,631 hashs per second (H / s). At this rate, it would only take an hour to try every six letter combination of lowercase letters. And as we have learned before, six-character passwords are extremely common. At 72,600 H / s, cracking of eight and nine characters password hasty is very much in reality with a generic Nvidia GPU.

Step 2: Hard Password Shash

Of course, using a long and complex password would counter most brute-force attacks. But let's take another approach by increasing the hash's "SHA rounds". SHA rounds (better known as iterations) are used as a "fall factor", which essentially forces the CPU and GPU to take much longer in calculating a single password attempt. The higher this value, the longer Hashcat must work to crack the hash.

By default, the Ubuntu and Debian use SHA-512 encryption method with 5000 SHA rounds. As we can see in the above Hashcat output, 5000 SHA rounds correspond to nearly 73,000 password attempts per second. Who is not good news for users in Ubuntu and Debian. Fortunately, the number of SHA rounds can be increased manually to better defend against violence attacks. This can be done with the command chpasswd .

Chpasswd, which passwd is a password management tool. It was designed to change many passwords in bulk, while being able to specify the hash type and number of SHA rounds (among other things).

Warning (Read Before You Go):

If your CPU is older than an Intel i3, do not use more than 750,000 SHA rounds. Intel i7 users must not exceed 30,000,000 SHA rounds. Increasing this value can require a lot of processing power and take minutes (maybe hours) to complete. Canceling the command before it is clear can lead to the system becoming unstable. Use the command below with caution as the setting of the value is too high can make it difficult to log in or break the system. Gradually increase the number of SHA rounds to test the limits of your CPU.

  sudo chpasswd -s 10000000 -c SHA512 <<< username: password; history -c 

The command chpasswd above will use 10,000,000 SHA rounds ( -s ) with the SHA-512 encryption method ( -c -c )). <<< characters indicate a string used as input data. In this case, the input is the user name and the desired password. To prevent the new password from being displayed in the terminal history, add () the command history to clear it ( -c )).

grabbed the / etc / shadow file again to find a new section between the hash type and the salt reading rounds = 10,000 . This is an indication of the chpasswd command was successful

  sudo grep $ USER / etc / shadow 
 tokyoneon :. $ 6 $ rounds = 10,000,000 $ h6JNZ / CRSFfBbu $ 4ZcBt2md4dd3GsrL7jUv / 269dMPP4k9PEQVbMOnThbRC3kFnOKIjHHDK3qg / kh1BNcPNU9EJtfggqPn4 / 8nSN0: 17960: 0: 99999: 7 :: 

Step feed this new Hashcat 10,000,000 SHA rounds and observe the number of password attempts it can perform.

  hashcat -a 3 -m 1800 /tmp/hardened_password_hash.txt? l? l? l? l? l? l 
 hashcat (v5.1.0) starts ...

OpenCL Platform # 1: NVIDIA Corporation
======================================
* Unit # 1: GeForce GTX 1060 3GB, 754/3018 MB Distributable, 9MCU

[s] tatus [p] use [b] ypass [c] heckpoint [q] from => s

Session ..........: hashcat
Status ...........: Running
Hash.Type ........: sha512crypt $ 6 $, SHA512 (Unix)
Hash.Target ......: $ 6 $ rounds = 10000000 $ cHi6OvAYRy $ x8Z0kLn.JYAPOWQkH3RMy ... 2i3G30
Time.Started .....: Tue Mar 5 03:16:28 2019 (7 seconds)
Time.Estimated ...: Tue 30 Jul 05:46:22 2019 (147 days, 1 hour)
Guess.Mask .......:? L? L? L? L? L [6]
Guess.Queue ......: 1/1 (100.00%)
Speed. # 1 .........: 24 H / s (410.36ms) @ Accel: 1024 Sling: 512 Thr: 32 Vec: 1
Recovered ........: 0/1 (0.00%) Digests, 0/1 (0.00%) Salts
Progress ......... 0/308915776 (0.00%)
Rejected .........: 0/0 (0.00%)
Restore.Point ....: 0/11881376 (0.00%)
Restore.Sub. # 1 ...: Salt: 0 Amplifier: 0-1 Iteration: 8704-9216
Candidates. # 1 ....: sarier -> seven
Hardware.Mon. # 1 ..: Temp: 56c Fan: 29% Util: 100% Core: 1873MHz Mem: 3802MHz Bus: 16

[p] tatus [p] use [b] ypass [c] heckpoint [q] ut => 

Only only 24 hashes per second can be guessed against this hardened hash that can make weak passwords as "zxcvbn" resilient

Conclusion: Choose an appropriate SHA round value

Now this is not a recommendation or argument to use weak passwords with 10,000,000 SHA rounds. Reader should increase the number of SHA rounds in addition to using strong passwords. I use an absurd high value in this article to show how far this type of cure can be taken. But someone SHA round value over standard 5000 will help defend against violent violence attacks. Although only a small SHA round value anywhere over 1,000,000 is likely to make brute-force a completely insufficient attack vector. Higher values ​​make it very difficult for an attacker on the system to learn the password. Increasing the SHA rounds significantly reduces the number of passwords per second that Hashcat can perform.

The biggest drawback to increasing the SHA rounds is how much CPU processing is required to execute a single sudo command or sign in to the account. Higher SHA rounds (eg 10,000,000) can take up to 10 seconds to calculate a sudo command on a modern Intel i7 CPU. Older processors can take much longer. The trick is to find a cute place where it only takes about two seconds to calculate the SHA rounds. In this way, broken violence attacks are still weakened, but it does not forever perform a single sudo command.

If you had this article, follow me on Twitter @tokyoneon_ ] and GitHub to agree with my current projects. For questions and concerns, leave a comment below or send me a tweet.

Don't miss: Using Ubuntu as your primary operating system (Application Hardening & Sandboxing)

Cover photo by tokyoneon / Null Byte

]

Source link