Security Basics mailing list archives
Re: Security issues in publishing content of /etc ?
From: Fabio Miranda Hamburger <fabmirha () ns isi ulatina ac cr>
Date: Mon, 9 Aug 2004 12:30:49 -0600 (CST)
You could use a brute force attack to get weak passwords. You may find software installed in the machine or other hosts' information.
Brute force means trying every possibility? Using a dictionary most possibly, what if the password has a strict policy, like no more than 3 of the same kind of characters in a row and must contain lowercase, uppercase, numbers and punctuation. This would definitely slow down the brute force I guess.
It is a matter of probability. You can try thousands of passwords in a week. A strict policy helps a lot though.
Too few chances you get a readable shadow password file nowadays. You can't do password cracking with /etc/passwd. The host IP or 'dns ip' is publicly available and it is not a risk by itself.
There was a program called `crack` which I think would just encrypt words in a dictionary using the same hashing algorithm as the one seen in /etc/passwd and compare its results with the ones in that file. Isn't that how it works?
Shadow passwords are stored in /etc/shadow or /etc/master.passwd
You can chroot a filesystem to prevent users from viewing system files. A server can do the sharing and others just authenticate users.
For a Linux system, but here I'm thinking of developing a software that will mimic the inner workings of Linux (in a very light way), and all files will be stored on every computer that uses the software (containing the big /etc/passwd of all users). Therefore, all files are on the system, with the user's privileges when he installed it. A malicious user will be able to read that sort of /etc/passwd.
The software you pretend to do should implement a level of security, thus a user with your mimic software installed on his machine won't be able to access system information. I don't understand what kind of software you have in mind, but a good idea would be to have a server and store all information in one point. It is risky to have account information stored on the client side. If you will implement virtual machines, the user can boot his OS and mount your mimic software. A user can find out the way you implement your virtual disk and code a data structure that reads info. If you don't monitor log information on each client, a user can code a brute force attack which could be very successful. If your mimic software shares network resources with the client machine, a user may be able to install a fake server or a sniffer from the host machine.
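As an added example (not part of the original message): a check over passwd(5)-format lines that reports which entries still carry a password hash in the second field instead of the `x` shadow placeholder, which is the case where the dictionary comparison discussed above applies. The sample entries and hash strings are constructed placeholders, and the function names are hypothetical.

```python
# Added example: audit passwd(5)-format text before it is published or replicated.
# SAMPLE is constructed input; the hash strings are placeholders, not real hashes.
SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:$1$SALTSALT$CONSTRUCTEDPLACEHOLDER:1000:1000::/home/alice:/bin/sh
bob:XXCONSTRUCTED:1001:1001::/home/bob:/bin/sh
guest::1002:1002::/home/guest:/bin/sh
carol:!:1003:1003::/home/carol:/bin/sh
broken-line-without-fields
"""

# crypt(3) scheme prefixes that may appear in the password field
PREFIXES = {"$1$": "md5-crypt", "$2": "bcrypt",
            "$5$": "sha256-crypt", "$6$": "sha512-crypt"}

def classify(field):
    """Return (status, detail) for the second field of a passwd entry."""
    if field == "x":
        return ("shadowed", "hash kept in the shadow file")
    if field == "":
        return ("empty", "account has no password")
    body = field.lstrip("!")          # a leading '!' marks a locked account
    if body in ("", "*"):
        return ("locked", "no usable hash in this field")
    for prefix, name in PREFIXES.items():
        if body.startswith(prefix):
            return ("exposed", name)
    if len(body) == 13:               # 2-character salt + 11-character hash
        return ("exposed", "traditional DES crypt")
    return ("exposed", "unrecognised format")

def audit(text):
    """Map login name (or 'line N' for malformed input) to (status, detail)."""
    findings = {}
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 7:
            findings[f"line {n}"] = ("malformed", "expected 7 fields")
            continue
        findings[parts[0]] = classify(parts[1])
    return findings

def no_hashes_exposed(text):
    """True only if every entry is shadowed or locked."""
    return all(s in ("shadowed", "locked") for s, _ in audit(text).values())

if __name__ == "__main__":
    for name, (status, detail) in audit(SAMPLE).items():
        print(f"{name:10} {status:10} {detail}")
```

A clean result only says that no hash or empty password sits in the file; the account names, home directories and shells it lists are still disclosed.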