Re: Security issues in publishing content of /etc ?

lemieuxs_at_ca.inter.net
Date: 08/09/04

  • Next message: Lukasz Sztachanski: "Re: Security issues in publishing content of /etc ?"
To: Fabio Miranda Hamburger <fabmirha@ns.isi.ulatina.ac.cr>, lemieuxs@ca.inter.net, security-basics@securityfocus.org
Date: Mon, 9 Aug 2004 13:14:10 US/Eastern

> You could use a brute force attack to get weak passwords. You may find
> software installed in the machine or other hosts information.

Brute force means trying every possibility? Using a dictionary most probably, but what if the password has a strict policy, like no more than 3 of the same kind of character in a row and it must contain lower-case, upper-case, numbers and punctuation. This would definitely slow down the brute force, I guess.

> Too few changes you get a readable shadow password file nowadays. You can't
> do password cracking with /etc/passwd. The host IP or 'dns ip' is publicly
> available and it is not a risk by itself.

There was a program called `crack` which I think would just encrypt words in a dictionary using the same hashing algorithm as the one seen in /etc/passwd and compare its results with the ones in that file. Isn't that how it works?

> You can chroot a filesystem to prevent users from viewing system files. A
> server can do the sharing and others just authenticate users.

For a Linux system, but here I'm thinking of developing a piece of software that will mimic the inner workings of Linux (in a very light way), and all files will be stored on every computer that uses the software (containing the big /etc/passwd of all users). Therefore, all files are on the system, with the privileges the user had when he installed it. A malicious user will be able to read that sort of /etc/passwd.

Thanks,

Simon
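Two of the points in this exchange can be checked mechanically: whether a copy of /etc/passwd actually carries hash material (rather than the "x" that points to /etc/shadow), and whether a password satisfies the policy Simon describes. The script below is an added illustration, not code from the thread; the /etc/passwd excerpt and the hash string in it are constructed.

```python
"""Audit helpers for the thread above: (1) does a published /etc/passwd
expose password hashes, and (2) does a password meet the stated policy.
The sample passwd content is constructed for illustration only."""
import string

# Constructed /etc/passwd excerpt: two shadowed entries ("x"), one locked
# account ("*"), and one legacy entry with a (made-up) hash in field 2.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin
legacy:$1$abcdefgh$0123456789ABCDEFGHIJK.:1001:1001:Legacy:/home/legacy:/bin/sh
simon:x:1002:1002:Simon:/home/simon:/bin/bash
"""

def unshadowed_accounts(passwd_text):
    """Return usernames whose password field holds real hash material.
    'x' means the hash lives in /etc/shadow; '*' and '!' mark locked accounts."""
    exposed = []
    for line in passwd_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7:
            continue  # malformed line, skip it
        user, pw = fields[0], fields[1]
        if pw and pw not in ("x", "*", "!", "!!", "*LK*"):
            exposed.append(user)
    return exposed

def meets_policy(password, max_run=3):
    """Policy from the thread: lower, upper, digit and punctuation must all be
    present, and no more than max_run consecutive characters of one class."""
    classes = {"lower": string.ascii_lowercase, "upper": string.ascii_uppercase,
               "digit": string.digits, "punct": string.punctuation}
    def cls(ch):
        for name, chars in classes.items():
            if ch in chars:
                return name
        return "other"
    if not all(name in {cls(ch) for ch in password} for name in classes):
        return False
    run, prev = 0, None
    for ch in password:
        current = cls(ch)
        run = run + 1 if current == prev else 1
        prev = current
        if run > max_run:
            return False
    return True
```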


