Thursday, February 21, 2008

Generating Encrypted Strings For Password Restoration


This is a little bit of a twist on an old post (one of many, actually) that we did on password cracking in Linux and Unix using Perl.

In the previous entry in our ongoing series of loosely connected password hacking posts, and pretty much every other one of them, we've looked at how to guess passwords using brute force methods, or otherwise "figure out" a user's password. For those of you who missed it, check out this post on generating all possible 8 character passwords with Perl.

Today, we're going to look at something similar, but different enough that it warrants its own post: How to generate the encrypted string (given a user name and password) that you can use to manually edit your Linux or Unix system's shadow file and change someone's password. Of course, you'd need elevated privileges (or a means to get them) in order to do this. But, for the purposes of this post, we'll just assume you do.

Looking at this ethically, it's a good way to get yourself out of a sticky situation if you garble the root password and have to boot off of CD into single user mode and "have to" manually edit the shadow file so you can log back in!

Basically, the script below takes two inputs (a user name and a password), which we've elected to read from STDIN. This can be easily modified to take command line arguments, although we chose this method so that the password you were trying to recreate the encrypted field for wouldn't show up in anyone else's "ps" output.

Because the script derives a fresh two-character salt from the current time and the user name, virtually every invocation, given the exact same username and password, will produce an entirely different encrypted string. That's expected: crypt is one-way, so nothing ever gets "decrypted". When you log in, your OS takes the first two characters of the stored string as the salt, runs the password you typed through the "crypt" function with that salt, and compares the result, so each of those different strings will resolve to the same password you entered each and every time.
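As an added example that is not part of the original post or its script, here's the check that login effectively performs: re-run crypt with the two-character salt taken from the stored field and compare. It also shows that fields made with different salts all verify against the same password, and that traditional DES crypt only looks at the first eight characters of the password. The function name, the sample password and the fixed salts are my own made-up values.

```perl
#!/usr/bin/perl
# Added example (not the original post's script): check a candidate password
# against a traditional DES crypt(3) field the way login does.
use strict;
use warnings;

# Returns 1 if $candidate hashes to $field, else 0.  Nothing is decrypted:
# the first two characters of the field ARE the salt, so we re-run crypt()
# with them and compare.  Modern $1$/$5$/$6$ fields are not 13 chars and
# are rejected here on purpose.
sub verify_crypt_field {
    my ($candidate, $field) = @_;
    return 0 unless defined $field && length($field) == 13;
    my $rehash = crypt($candidate, substr($field, 0, 2));
    return 0 unless defined $rehash && length($rehash) == 13;
    # compare every byte so the timing doesn't depend on where they differ
    my $diff = 0;
    $diff |= ord(substr($rehash, $_, 1)) ^ ord(substr($field, $_, 1)) for 0 .. 12;
    return $diff == 0 ? 1 : 0;
}

# Constructed demo values (hypothetical password, fixed salts instead of the
# post's time-derived ones).
my $password = 'Sup3rSecr';
my @fields   = map { crypt($password, $_) } qw(ab Zz ./);
die "traditional DES crypt() is not available on this system\n"
    unless defined $fields[0] && length($fields[0]) == 13;

for my $f (@fields) {
    printf "%s  salt=%s  verifies=%d\n", $f, substr($f, 0, 2),
        verify_crypt_field($password, $f);
}
printf "wrong password verifies=%d\n", verify_crypt_field('nope', $fields[0]);
# DES crypt only uses the first 8 characters, so this longer password that
# shares them with 'Sup3rSecr' also verifies (a reason to move off DES fields).
printf "same first 8 chars verifies=%d\n",
    verify_crypt_field('Sup3rSecret!', $fields[0]);
```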

Of course, we don't officially endorse cutting and pasting into your shadow file (and strongly recommend you run "pwconv" afterward if you have to), but hopefully this little reverse-password-cracking Perl script will help save your bacon at least once :)

Best wishes and enjoy,

This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 United States License.


# encrypted password field generator
# 2008 - Mike Golvach -
# Creative Commons Attribution-Noncommercial-Share Alike 3.0 United States License

use strict;
use warnings;

print "Enter a user name: ";
my $name = <STDIN>;
system("stty -echo");       # turn off terminal echo so the password isn't shown
print "Password: ";
my $pass = <STDIN>;
system("stty echo");
print "\n";
# strip the trailing newlines; otherwise "\n" becomes part of the password
# that gets hashed and the resulting field will never match a real login
chomp($name, $pass);

print cryptPwd($name, $pass);
print "\n";

sub cryptPwd {
    my ($cp_name, $cp_passwd) = @_;
    # the 64 characters allowed in a traditional crypt(3) salt
    my @cp_saltine = ('a' .. 'z', 'A' .. 'Z', '0' .. '9', '.', '/');

    # derive a two-character salt from the current time and the first two
    # bytes of the user name, which is why each run gives a different field
    my $now = time();
    my ($cp_name_pt1, $cp_name_pt2) = unpack("C2", $cp_name);
    $cp_name_pt1 ||= 0;     # empty or one-character user names
    $cp_name_pt2 ||= 0;
    my $week = $now / (60*60*24*7) + $cp_name_pt1 + $cp_name_pt2;
    my $cp_numsalt = $cp_saltine[$week % 64] . $cp_saltine[$now % 64];
    my $cp_cryptpass = crypt($cp_passwd, $cp_numsalt);
    return $cp_cryptpass;
}

, Mike