Re: Did any of you ever see a machine compromised by remote root? (Was Re: Allowing remote root login seems to be bad.)

Ron Arts wrote:
> Even though the root password was strong?

In the wild? Yep. Although indirectly.

What happened was someone got a hold of a backup and restored the /
partition to a system for which they owned root, then did a password
crack against the /etc/shadow file. They apparently got the backup
through compromising a user account, then finding a file that had a
backup stored in an insecure directory.

Doing pen testing, I have found directories on systems where the average
user could find files of cracked passwords (including root) that
internal security people had created while testing password strength,
and I have found previous pen test reports that disclosed cracked root
passwords that were still the same password a year or more later. Worse,
I have found NIS, NIS+, and LDAP directory services that contain a root
password common to all systems.

If you can crack ANY account on a system, you can probably get to root
sooner rather than later.

When doing pen testing or ethical hacking, it is rare that I cannot
recover the root password hashes; then it is just a matter of time until
I own root. Worse, it is all too often that I am able to grab root
passwords sent over the network in clear text using telnet, ftp, ad
nauseam. (See the DSniff toolkit, for example.)

Jon Kibler
--
Jon R. Kibler
Chief Technical Officer
Advanced Systems Engineering Technology, Inc.
Charleston, SC USA
o: 843-849-8214
c: 843-224-2494
s: 843-564-4224

My PGP Fingerprint is:
BAA2 1F2C 5543 5D25 4636 A392 515C 5045 CF39 4253

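A defender's check for the exposure described in this post, added here as an example that is not part of the original message: a small audit script (assumed paths and constructed, non-functional hashes) that walks a directory tree and reports world-readable files containing /etc/shadow-style hash lines, i.e. backup copies that any ordinary account could read and crack offline.

```python
import os
import re
import stat
import tempfile

# A /etc/shadow line in crypt(3) modular format: user:$id$salt$hash:... ($1$, $5$, $6$, $y$, ...).
SHADOW_LINE = re.compile(r"^([a-z_][a-z0-9_-]*):\$[0-9a-z]+\$[^:\s]+:", re.I | re.M)

def find_exposed_shadow_copies(top, max_bytes=65536):
    """Walk `top` and return {path: [usernames]} for every world-readable file
    whose first max_bytes contain shadow-style password hash lines."""
    findings = {}
    for dirpath, _dirs, files in os.walk(top):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if not os.stat(path).st_mode & stat.S_IROTH:
                    continue  # no 'other' read bit (0600, 0640, ...): not exposed to ordinary users
                with open(path, "rb") as f:
                    head = f.read(max_bytes).decode("utf-8", "replace")
            except OSError:
                continue  # vanished or unreadable by us: nothing to report
            users = SHADOW_LINE.findall(head)
            if users:
                findings[path] = users
    return findings

def demo():
    """Constructed sample tree (hypothetical paths, fake hashes): one exposed backup copy,
    one correctly protected copy, one benign file. Returns findings keyed by relative path."""
    # Constructed placeholder hashes; these are not real password hashes.
    shadow = ("root:$6$constructedsalt$NOTAREALHASHxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:19000:0:99999:7:::\n"
              "alice:$y$j9T$constructedsalt$NOTAREALHASHyyyyyyyyyyyyyyyyyyyyyyyy:19000:0:99999:7:::\n")
    with tempfile.TemporaryDirectory(prefix="shadow-audit-") as top:
        exposed = os.path.join(top, "backup", "etc", "shadow.bak")
        os.makedirs(os.path.dirname(exposed))
        for path, mode in ((exposed, 0o644), (os.path.join(top, "shadow.safe"), 0o600)):
            with open(path, "w") as f:
                f.write(shadow)
            os.chmod(path, mode)  # 0644 is the insecure-directory case from the post
        notes = os.path.join(top, "notes.txt")
        with open(notes, "w") as f:
            f.write("root: remember to rotate the password\n")  # mentions root but holds no hash
        os.chmod(notes, 0o644)
        found = find_exposed_shadow_copies(top)
        return {os.path.relpath(p, top): users for p, users in found.items()}
```

Run `find_exposed_shadow_copies("/")` (or over a backup mount) as an unprivileged audit user to list what that user could actually read; only the 0644 copy in the constructed tree is reported.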