/etc/passwd Cheat Sheet

For many years /etc/passwd was used to hold the password hashes of all users on a Unix system. However, offline password cracking has become more and more fruitful, and since /etc/passwd needs to be world readable, most Unixes have moved hashed passwords to /etc/shadow.
Even without password hashes, /etc/passwd still has value for the opportunistic attacker.

OS fingerprinting

UIDs

You can think of the accounts on a Unix system as belonging to one of three categories: system accounts, application service accounts, and user accounts. Migrating accounts from one system to another can turn into an information disclosure nightmare unless the numeric user identifiers (UIDs) and the textual usernames match up in lock-step. Helpfully, Unix distributors allocate ranges of UIDs to correspond with each category.
Root almost always has UID zero.
System accounts almost always stay under UID 99.
What is the UID of the first regular user account? If it is 1001, you're probably looking at a reasonably new Linux system such as RHEL 6 or Fedora 16. If it starts at 501, you are looking at something more staid, RHEL 4 or older.

Shells

On Linux, almost everyone uses bash, except possibly root. Even then, some distributions install bash in /bin and some in /usr/bin.
On Solaris, you'll likely see references to /usr/dt/bin/ksh and /usr/ucb.
See /opt/gnu/bin/bash? That's going to be an old Solaris system.
See /usr/xpg4/bin/sh? Solaris.
See sam or smh? It's an HPUX box.

Home Directories

Look at root's home directory. Solaris systems ship with a default root home directory of /.
What about everyone else's home directories? Linux systems prefer to put people in /home. A lot of Solaris systems ship with /export/home instead, but if you know it's a Solaris system and you see everyone living in /home, there's a good chance that the home directories are network accessible and served off of another server as an NFS share. Check /etc/vfstab to get the NFS server, and use nfsmount to read every file.
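The UID, shell and home-directory heuristics from the three sections above can be applied mechanically. The script below is an added example (not code from the original post): an inventory pass that classifies each entry of a passwd-format file as root, system, service or regular user, guesses where the regular-user UID range begins, and collects the platform hints the post lists. The two sample files are constructed, the UID boundaries (system accounts up to 99, regular users from 500 or 1000) are assumptions taken from the post, and the `NON_LOGIN_SHELLS` set is a simplification.

```python
"""Added example, not code from the original post: inventory a passwd-format
file using the post's UID, shell and home-directory heuristics.
Sample data is constructed; UID boundaries are assumptions from the post."""

import os

SYSTEM_UID_MAX = 99          # assumption from the post: system accounts stay under UID 99
NON_LOGIN_SHELLS = {"nologin", "false", "sync", "halt", "shutdown"}  # simplification

# Constructed sample, Solaris flavoured (not a real host's file)
SAMPLE_SOLARIS = """\
root:x:0:0:Super-User:/:/sbin/sh
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
lp:x:71:8:Line Printer Admin:/usr/spool/lp:
mysql:x:102:103:MySQL server:/var/lib/mysql:/bin/false
alice:x:1001:10:Alice Example:/export/home/alice:/usr/dt/bin/ksh
bob:x:1002:10:Bob Example:/export/home/bob:/usr/xpg4/bin/sh
"""

# Constructed sample, older Linux flavoured (first regular user at UID 500)
SAMPLE_LINUX_OLD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
carol:x:500:500:Carol Example:/home/carol:/bin/bash
"""


def parse_passwd(text):
    """Split passwd lines into dicts; malformed lines are reported, not parsed."""
    entries, malformed = [], []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            malformed.append(line)
            continue
        name, pw, uid, gid, gecos, home, shell = fields
        entries.append({"name": name, "pw": pw, "uid": int(uid), "gid": gid,
                        "gecos": gecos, "home": home, "shell": shell})
    return entries, malformed


def is_login_shell(shell):
    # An empty shell field means the platform default shell, which is interactive.
    return os.path.basename(shell) not in NON_LOGIN_SHELLS


def guess_user_uid_start(entries):
    """Post's heuristic: regular users begin at 500 (older RHEL) or 1000 (newer)."""
    login_uids = [e["uid"] for e in entries
                  if e["uid"] >= 500 and is_login_shell(e["shell"])]
    if not login_uids:
        return None
    return 500 if min(login_uids) < 1000 else 1000


def classify(entry, user_start):
    """Bucket an entry into the post's three categories plus root."""
    uid = entry["uid"]
    if uid == 0:
        return "root"
    if uid <= SYSTEM_UID_MAX:
        return "system"
    if user_start is None or uid < user_start:
        return "service"
    return "user"


def os_hints(entries):
    """Platform hints from shells and home directories, as listed in the post."""
    hints = set()
    for e in entries:
        if e["shell"].startswith(("/usr/dt/bin/", "/usr/xpg4/bin/", "/usr/ucb")):
            hints.add("Solaris shell path")
        if e["shell"] == "/opt/gnu/bin/bash":
            hints.add("old Solaris (/opt/gnu)")
        if e["home"].startswith("/export/home/"):
            hints.add("/export/home layout (Solaris)")
        if e["uid"] == 0 and e["home"] == "/":
            hints.add("root home is / (Solaris default)")
    return sorted(hints)


def inventory(text):
    """Return the classification, UID-range guess, hints and malformed lines."""
    entries, malformed = parse_passwd(text)
    user_start = guess_user_uid_start(entries)
    groups = {"root": [], "system": [], "service": [], "user": []}
    for e in entries:
        groups[classify(e, user_start)].append(e["name"])
    return {"user_uid_start": user_start, "groups": groups,
            "hints": os_hints(entries), "malformed": malformed}


if __name__ == "__main__":
    for label, sample in (("solaris", SAMPLE_SOLARIS), ("linux-old", SAMPLE_LINUX_OLD)):
        print(label, inventory(sample))
```

Run against a real file with `inventory(open("/etc/passwd").read())`. The user-range guess only looks at accounts that have an interactive shell and a UID of 500 or more, so a lone high-UID pseudo-user such as Solaris' `nobody` (UID 60001) will be placed in the user bucket; a production version would carry a list of such reserved accounts.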

Service Enumeration

Many services install their own account. It's easy to infer what services are installed and running by looking for common names. Red Hat maintains a list of their service accounts (with assigned UIDs) here.

Username Enumeration

The first column of the passwd file lists the usernames of every account on the system. Restrict your brute forcing activities to these usernames only.

Blank Passwords

Look down the second column. It should be nothing but 'x's, but if there's an empty field (i.e., if you see '::' instead of ':x:'), you will probably be able to log in as that user without entering a password.

Social Engineering

Column XXX is the comments field. Frequently, this field is used by finger(1) to hold contact information for each user, such as their full name, the office or department they work in, and their phone number.

Publicly Accessible Sensitive Information

Earlier I mentioned that on some systems, root's home directory defaults to the file system root, '/'. This directory is world-readable. Depending on how often the root account is used, whether the default umask has been set, and general administrator hygiene, you can find accessible .history files, backup files, mailboxes, configuration and resource files.

Poorly Chosen Initial Passwords

Accounts toward the bottom of the file have been added more recently than those toward the top. Many systems demand that users change their passwords on first login. Relying on this, many system administrators use a default password such as "Welcome1", or set the initial password to the username itself. Putting these three facts together, the bottom-most accounts are the ones most likely not to have had their initial login yet.

Password Hashes

Yes, in this day and age, some Unix systems will still have password hashes in /etc/passwd. HPUX still ships in this dangerous default configuration, and many HPUX administrators belong to a culture that fears change. They lack confidence in their understanding of their own technology. They think they might break something, and they refuse to harden their systems.
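The conditions described under Blank Passwords, Social Engineering and Password Hashes are all visible in the file itself, so an administrator can check for them before anyone else does. The script below is an added example (not code from the original post): an audit pass over a passwd-format file that flags an empty password field, a hash left in the world-readable file instead of an 'x', more than one UID-0 account, and contact details in the comments field (the fifth field, conventionally called GECOS). The sample lines are constructed, the hash in them is an obvious placeholder rather than a real digest, and the `SHADOWED_OR_LOCKED` set and phone-number pattern are assumptions.

```python
"""Added example, not code from the original post: flag the risky
/etc/passwd conditions the post describes. Sample lines are constructed."""

import re

# Assumed set of field-2 values meaning "no secret here": shadowed ('x') or
# locked markers. Any other non-empty value is treated as a password hash.
SHADOWED_OR_LOCKED = {"x", "*", "!", "!!", "*LK*", "*NP*", "NP"}

# Assumed phone-number shape: 8 or more digits with optional separators.
PHONE_RE = re.compile(r"\d[\d\s\-().]{6,}\d")

# Constructed sample mixing good and bad entries; the hash is a placeholder.
SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
toor::0:0:backup root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
guest::1500:1500:Guest account:/home/guest:/bin/bash
legacy:$1$PLACEHOLDERSALT$PLACEHOLDERHASH:1501:1501:Legacy app:/home/legacy:/bin/sh
alice:x:1001:1001:Alice Example,Room 204,555-0100:/home/alice:/bin/bash
"""


def entries(text):
    """Yield (name, password_field, uid, gecos) for each well-formed line."""
    for line in text.splitlines():
        f = line.split(":")
        if len(f) == 7 and f[2].isdigit():
            yield f[0], f[1], int(f[2]), f[4]


def gecos_has_contact_info(gecos):
    """True when the comments field carries more than a bare name."""
    parts = [p for p in gecos.split(",") if p.strip()]
    return len(parts) > 1 or PHONE_RE.search(gecos) is not None


def audit_passwd(text):
    """Return a list of (finding, account) tuples, file-level findings first."""
    rows = list(entries(text))
    findings = []

    uid0 = [name for name, _, uid, _ in rows if uid == 0]
    if len(uid0) > 1:
        findings.append(("multiple-uid-0", ", ".join(uid0)))

    for name, pw, _, gecos in rows:
        if pw == "":
            # '::' in the second column: login may succeed with no password.
            findings.append(("empty-password", name))
        elif pw not in SHADOWED_OR_LOCKED:
            # A hash in the world-readable file can be cracked offline.
            findings.append(("hash-in-passwd", name))
        if gecos_has_contact_info(gecos):
            findings.append(("gecos-contact-info", name))
    return findings


if __name__ == "__main__":
    for finding, account in audit_passwd(SAMPLE):
        print(f"{finding:20} {account}")
```

On a live host, `audit_passwd(open("/etc/passwd").read())` gives the same list. The 'hash-in-passwd' check deliberately treats every unrecognised non-empty value as a hash, so a platform with a locked-account marker not in `SHADOWED_OR_LOCKED` produces a false positive rather than a silent miss.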
