11:46 Are you satisfied with the memory of their linux system? | |
It's no secret that in Unix systems, all information provided in the form of files. In Linux, there is a file / proc / kcore, which is an "alias" to the physical system memory. Manuals say that the total length of this file - the size of physical memory (RAM) plus 4KB, but out of it this file on different systems I've come to the conclusion that the file size is the size of RAM + SWAP. Similarly, you can use the device file / dev / mem or / dev / kmem, but interaction with them in this topic for I will not consider. Having a handy "cast of memory", the first that wanted to test - can we use this "memory" for restoring and retrieving passwords for system users. Unprintable characters to us for this task is not useful just because in the password we use them all the same can not / will not, therefore, using the command strings, we can get rid of them, overtaking / proc / kcore to a text file: # strings / proc / kcore> / tmp / kdump calculate the number of resulting rows # wc-l / tmp / kdump 4438050 (this figure was calculated on a system with 3 gigabytes of RAM) with this version of the startup team, we get a lot of unnecessary and non-unique data, we add sorting: # strings / proc / kcore | sort-u> / tmp / kdump.uniq # wc-l / tmp / kdump.uniq 3330526 You do not care much, let's imagine that the passwords used by more than 6 symbols - add key-n 6: # strings-n 6 / proc / kcore | sort-u> / tmp/kdump.uniq.6 # wc-l / tmp/kdump.uniq.6 674397 So we got a file with some data, let's use it as a dictionary program for john the ripper and get a look Do decrypt passwords from the file / etc / shadow # john - wordlist = / tmp/kdump.uniq.6 / etc / shadow Loaded 5 password hashes with five different salts (FreeBSD MD5 [32/32 ]) .... If your account is active and used to enter passwords, not keys, there is a chance to decrypt / etc / shadow with our straight from the tin slovarem.Iz 5 machines on which I tested this methodology could decipher three unknown to me the password. With kcore can get a lot of interesting information, such as detection of LKM rootkits or hidden execution of commands, I suggest discuss-it in the comments;) PS for the sake of the experiment was written by a parser kcore, which takes as parameters the minimum and maximum length of possible passwords, if anyone is interested, I can lay out. UPD: below the source parser, which was written for testing # include <stdio.h> # include <unistd.h> # include <ctype.h> ; void usage (char * argv0) { printf ("Usage:% s [options] <filename> \ n", argv0); printf ("-m [MIN] minimal length of string (Default: 4) \ n"); printf ("-M [MAX] maximal length of string (Default: 1912) \ n"); printf ("<filename> file that u want to dump \ n"); exit (1); } int main (int argc, char * argv []) { FILE * fp; int arg, i, binvalid; int MIN = 4, ; int MAX = 12; char pass [MAX +1], ch; char * filename; while ((arg = getopt (argc, argv, " m: M: "))! = EOF) { switch (arg) { ; case 'm': MIN = atoi (optarg); break; ; case 'M': MAX = atoi (optarg); break; ; default: usage (argv [0]); break; ;} } if (optind> = argc) { usage (argv [0]); } filename = argv [optind]; fp = fopen (filename, "r"); if (! fp) { printf ("ERROR: Unable open file:% s \ n", filename); return 1; } i = 0; do { ch = (char) fgetc (fp); if (feof (fp)) break; if (ch> 33 & & ch <127) { i + +; pass [i-1] = ch; if (i> = MAX) { pass [i] = '\ 0'; ; printf ("% s \ n", pass); i = 0; } } else { if (i> = MIN) { pass [i] = '\ 0'; ; printf ("% s \ n", pass); } i = 0; } } while (1); fclose (fp); } | |
|
Total comments: 0 | |