Archive for February, 2009

Generate a list for password cracking

In this short tutorial I will show you how to generate your very own password list to feed into a password cracker. First make sure you have plenty of disk space: you will need terabytes to store everything my example can generate, so be careful and watch the password file grow to make sure it does not fill up your system. For starters get a Unix system, preferably Linux, with a nice fast processor and, as stated before, plenty of disk space. Then install 'John the Ripper', often referred to simply as john when run from the command line.

Here is an example Ubuntu package search:

user@server:~$ aptitude search john
i   john                                                      - active password cracking tool

I am sure you can use the power of john for good or evil, but please try to use it for good. I have used it for noble reasons. One company that I worked for wanted to make sure that the passwords of the server accounts were secure, so I was asked to run a password cracker on the users. So I broke out john and watched the majority of them get cracked in under a second. It took several rounds of asking the users to make better passwords before it took a reasonable amount of time to crack them. At the time I considered a couple of days good enough.

Recently I was unable to log into one of my systems. I was authorized for the system so I simply asked a friend to reset my password. Before the password was reset I had the friend copy my hash from the shadow file like so.

user@server:~$ grep user /etc/passwd > pass
user:x:1000:1000:user,,,:/home/user:/bin/bash

I used the resulting pass file to feed to john. I did this without a dictionary file. The benefit of using a dictionary is that john does not need to spend processing power generating different passwords. Note that the line shown above came from /etc/passwd, where the password field is just x; the hash john needs is in /etc/shadow, which only root can read.

bab@nixer:~$ john pass
Loaded 1 password (Standard DES [48/64 4K])

I finally was told what my password was after 11 days. It is very neat that you can press return while it is running to see what kind of guesses john is trying. For background, the password was only 8 characters long with one capital and one number; the rest were lower case. The reason it took so long was that john had to generate each password and then try it against the hash that I provided. As you might have guessed, these kinds of attacks are only useful when you have the hash to compare against. One thing to keep in mind about the Standard DES format john reported above: traditional DES crypt only uses the first 8 characters of a password, so for those hashes anything beyond 8 characters adds no strength.

Below is the command to generate all strings of the 95 printable ASCII characters of lengths 1 to 8. I would suggest limiting the list to something smaller, like replacing All with Alpha or Digits. You can also edit /etc/john/john.conf to shorten or lengthen the passwords generated, among a few other options.

john --incremental=All --stdout > john_string_list

Here are the 95 printable ASCII characters (the space character is not visible below):

!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
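To size up what an incremental run over those 95 characters at lengths 1 to 8 actually means (how many candidates, how much disk the list needs, and how long exhausting it takes), here is an added example that is not part of the original post. The charset sizes are assumptions matching the post's description, and the guess rate is an assumed figure.

```python
# Added example, not from the original post: estimate what an incremental
# run over the 95 printable ASCII characters at lengths 1 to 8 has to cover,
# how big the resulting word list would be on disk, and how long exhausting
# it takes at a given guess rate. Charset sizes are assumptions matching the
# post's description (john's real sets live in john.conf).
CHARSETS = {"All": 95, "Alpha": 26, "Digits": 10}


def keyspace(charset_size, min_len=1, max_len=8):
    """Number of distinct candidates of every length in [min_len, max_len]."""
    return sum(charset_size ** n for n in range(min_len, max_len + 1))


def list_bytes(charset_size, min_len=1, max_len=8):
    """Bytes needed to store the list as text, one candidate per line."""
    return sum(charset_size ** n * (n + 1) for n in range(min_len, max_len + 1))


def seconds_to_exhaust(charset_size, rate, min_len=1, max_len=8):
    """Worst-case seconds to try every candidate at `rate` guesses per second."""
    return keyspace(charset_size, min_len, max_len) / rate


def human_bytes(n):
    """Render a byte count with a binary unit suffix."""
    for unit in ("B", "KiB", "MiB", "GiB", "TiB", "PiB"):
        if n < 1024:
            return f"{n:.1f} {unit}"
        n /= 1024
    return f"{n:.1f} EiB"


if __name__ == "__main__":
    rate = 1_000_000  # assumed guess rate; measure your own with `john --test`
    for name, size in CHARSETS.items():
        days = seconds_to_exhaust(size, rate) / 86400
        print(f"{name:6} {keyspace(size):>20,d} candidates  "
              f"{human_bytes(list_bytes(size)):>10}  {days:10.1f} days")
```

For All at lengths 1 to 8 the list comes to roughly 6.7e15 candidates and tens of petabytes of text, which is why the warning about disk space matters.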


IPMP Link-based Only Failure Detection with Solaris 10

I have done a fair bit of research on this topic. Most sites will show you how to set up failover on Solaris 10 with multiple IPs and probe-based failure detection, and both of those can cause problems. First, IP space is usually at a premium and you want to use as few addresses as possible, so using one IP instead of three is highly appreciated. Second, probe-based failure detection (pinging the router or another host on the subnet) can cause problems if you have many hosts in a data center set up in a similar fashion. While in.mpathd can ping a host other than the router, its default behavior is to constantly ping the router to make sure it is still there, and to fail over if it stops answering. This can be as often as once a second. Multiple subnets can also be served by the same router, multiplying the effect. A router's CPU is not very fast; routers are fast at routing only because the forwarding is done in hardware, separate from the CPU that has to answer those pings.

Just to state the obvious, this is designed for uptime of the service, not for aggregate speed, because it is a master/slave setup, not master/master. Make sure that your two interfaces are on different cards if at all possible and connected to two separate network switches.

Lets start with the config file.

# cat /etc/default/mpathd
#
#pragma ident   "@(#)mpathd.dfl 1.2     00/07/17 SMI"
#
# Time taken by mpathd to detect a NIC failure in ms. The minimum time
# that can be specified is 100 ms.
#
#FAILURE_DETECTION_TIME=2500
FAILURE_DETECTION_TIME=10000
#
# Failback is enabled by default. To disable failback turn off this option
#
FAILBACK=yes
#
# By default only interfaces configured as part of multipathing groups
# are tracked. Turn off this option to track all network interfaces
# on the system
#
TRACK_INTERFACES_ONLY_WITH_GROUPS=yes

It is pretty self-explanatory with the comments that are present. It is really nice because the only other changes that have to be made are to the /etc/hostname.ce* files.

bash-3.00# cat /etc/hostname.ce0
10.36.133.113 netmask + broadcast + group mainint up
bash-3.00# cat /etc/hostname.ce4
group mainint up

ifconfig -a will then look like the following:

# ifconfig -a
lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
inet 127.0.0.1 netmask ff000000
ce0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 8
inet 0.0.0.0 netmask ff000000 broadcast 0.255.255.255
groupname mainint
ether 0:14:4f:d6:f7:b8
ce4: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 9
inet 10.36.133.113 netmask ffffff00 broadcast 10.36.133.255
groupname mainint
ether 0:14:4f:4a:d5:a3

You can also fail over the interface by hand by issuing the /usr/sbin/if_mpadm command.

bash-3.00# /usr/sbin/if_mpadm  -d ce0
Feb 13 14:47:31 server in.mpathd[185]: Successfully failed over from NIC ce0 to NIC ce4

bash-3.00# ifconfig -a
lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
inet 127.0.0.1 netmask ff000000
ce0: flags=89000842<BROADCAST,RUNNING,MULTICAST,IPv4,NOFAILOVER,OFFLINE> mtu 0 index 8
inet 0.0.0.0 netmask 0
groupname mainint
ether 0:14:4f:d6:f7:b8
ce4: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 9
inet 10.36.133.113 netmask ffffff00 broadcast 10.36.133.255
groupname mainint
ether 0:14:4f:4a:d5:a3
ce4:1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 9
inet 0.0.0.0 netmask ff000000 broadcast 0.255.255.255
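A quick way to check the state of an IPMP group from that output (which member carries the data address, which are OFFLINE or FAILED) is shown below as an added example, not code from the original post. The sample is the post's own ifconfig -a output captured after if_mpadm -d ce0; the flag and field names it parses are the ones visible in that output.

```python
import re

# Added example, not from the post. The sample below is the post's own
# "ifconfig -a" output captured after "if_mpadm -d ce0", so the group is
# running on its standby interface.
SAMPLE = """\
lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
ce0: flags=89000842<BROADCAST,RUNNING,MULTICAST,IPv4,NOFAILOVER,OFFLINE> mtu 0 index 8
        inet 0.0.0.0 netmask 0
        groupname mainint
        ether 0:14:4f:d6:f7:b8
ce4: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 9
        inet 10.36.133.113 netmask ffffff00 broadcast 10.36.133.255
        groupname mainint
        ether 0:14:4f:4a:d5:a3
ce4:1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 9
        inet 0.0.0.0 netmask ff000000 broadcast 0.255.255.255
"""

HEADER = re.compile(r"^(\S+): flags=[0-9a-f]+<([^>]*)>")

def parse_ifconfig(text):
    """Map each interface name to its flag set, inet address and IPMP group."""
    ifaces, cur = {}, None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            cur = {"flags": set(m.group(2).split(",")), "inet": None, "group": None}
            ifaces[m.group(1)] = cur
        elif cur is not None:
            words = line.split()
            if words[:1] == ["inet"]:
                cur["inet"] = words[1]
            elif words[:1] == ["groupname"]:
                cur["group"] = words[1]
    return ifaces

def ipmp_group_status(ifaces, group):
    """Report which group member carries the data address and which are out."""
    members = {n: i for n, i in ifaces.items() if i["group"] == group}
    active = [n for n, i in members.items()
              if "UP" in i["flags"] and i["inet"] not in (None, "0.0.0.0")]
    out = [n for n, i in members.items() if i["flags"] & {"OFFLINE", "FAILED"}]
    # Degraded means redundancy is gone: a member is out, or nothing is serving.
    return {"active": active, "out": out, "degraded": bool(out) or not active}

if __name__ == "__main__":
    print(ipmp_group_status(parse_ifconfig(SAMPLE), "mainint"))
```

Run it against live output (for example the result of `ifconfig -a` piped into the script) from cron to get an alert while the group is running without its standby.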

If you ever want to make any changes, like switching which interface is primary, it can be helpful to write a quick script to help you out. Don't forget to make it executable by issuing the command chmod u+x script.

#!/usr/bin/bash
ifconfig=/usr/sbin/ifconfig

# Take both members of the IPMP group down; bring them back up afterwards
# (the /etc/hostname.ce* files above define how each one is configured).
$ifconfig ce0 unplumb
$ifconfig ce4 unplumb

Make sure that each interface on the server has a unique MAC address. If they do not, it can confuse the switch.

To check that unique MACs are set you can run "ifconfig -a" and look at the MAC addresses, or:

bash-3.00# eeprom |grep mac
local-mac-address?=true

If it comes back false then you can fix it by issuing the following command:

eeprom "local-mac-address?"=true

Some useful links with further reading.

You might have to be logged into SunSolve for the first link to work.
http://sunsolve.sun.com/search/document.do?assetkey=1-61-228885-1
http://docs.sun.com/app/docs/doc/816-0211/6m6nc66s8?a=view


where are man pages located

Trying to find out where all your man pages are located? Have no fear, this is how you can find them.

user@server:~$ manpath
/usr/local/man:/usr/local/share/man:/usr/share/man

This tells you which directories your computer will look in for man files.
You can also look in

$ grep MANPATH /etc/manpath.config

to see where your system expects the man pages to be located.

If you would like to read some man pages about man, then 'man man' and 'man 5 manpath' have more information. If there are man pages that you have but you can't get them to show up by typing "man widget", then you simply have to add their directory to your man path.
