Default encrypted passwords

Jay Ts jay at toltec.metran.cx
Thu Oct 11 11:16:12 GMT 2001


> 
> On Thu, 27 Sep 2001, Jay Ts wrote:
> 
> > > [John Malmberg]
> > > Removing the plain text passwords from an SMB network only eliminates the
> > > probability that someone could use those same passwords to attack other
> > > protocols.
> > 
> > For a Samba network, this is not true, because Unix usernames and
> > passwords are sent over the net in plaintext.  So a cracker could
> > use them to attack the Samba host.  One popular method of attacking
> > Unix systems is to first obtain a non-root user's password, and then
> > use it to log in and do a brute force crack of the root password.
> 
> The crackers would understand how to get passwords from SMB packets as
> opposed to them picking up the passwords from telnet and other
> sessions?

Passwords can be picked up from both quite easily.  But consider that
Red Hat 7 (at least) now comes "out of the box" with telnet disabled,
and running a sshd daemon. Telnet and the r-commands are nowadays
contraindicated on a secure network.

> > The key phrase there is "assuming that they have enough skill",
> > to which I would add, "and enough CPU time".  All computer security,
> > like any other security, functions by making it inconvenient or
> > difficult enough to break in that few people do it.
> 
> The bandwidth on the network will usually be more of a limit than
> CPU time.  Plus the skill level will come into play.

?

Is your network running at 10 bits per second? :-)

This is an old discussion, but my point, IIRC, was that it's really
easy to grab someone's .pwl file and run a brute-force attack on it.
This requires CPU time.  Network speed is not an issue for this type
of attack, assuming it is running at faster than 0 bits per second.

> > The harder it is to break in, the fewer break-ins there will be.
> > 
> > Or to put it another way, if you leave the front door key for your
> > house under a rock outside next to the front door, aren't you
> > asking for trouble?
> 
> It really depends on how well you get along with the dog. :-)

Unfortunately, computers don't have dogs in them. Someone attacking
from over the network can "own" an insecure computer before anyone who is
managing or using that computer even notices.

> The big problem is that when most people approach computer security, they
> approach it from the perspective that some malicious cracker is going to
> try to break in to their systems, and spend a lot of time and money to
> prevent this.
> 
> The reality is that this is the least likely thing that will happen to
> most companies' computers.

I wonder if you still "own" yours! :-)  I'd recommend for you a quick
reading of a good book on network security.  Even though you're running
OpenVMS there (which I think most hackers don't grok, and therefore
would be less likely to attack), you might benefit from a quick
perusal of O'Reilly's book "Practical Unix & Internet Security".

> Preventing accidental corruption to data is higher priority than dealing
> with malicious people.

That makes sense, but just don't do your first priority, and forget
about everything else!

> Disgruntled Employees with skill are very rare.

The type of attack I was referring to previously (in Workgroup
security) does not require any skill at all!  For example, I have
virtually no cracking skills whatsoever, but if you set me down at
a logged-in Windows workstation on your SMB network, I can grab
ALL of your network passwords within 2 minutes, guaranteed.  All I
would have to do is wait until you step out to refill your coffee
cup, and put a floppy in the drive and run one simple program.
And you would never know it happened. Now do you see what I'm getting at?

- Jay Ts




More information about the samba-technical mailing list