the Stage for Your First Python Program: The Cuckoo’s Egg
A system administrator at Lawrence Berkeley National Labs, Clifford Stoll, documented his personal hunt for a hacker (and KGB informant) who broke into various United States national research laboratories, army bases, defense contractors, and academic institutions in The Cuckoo’s Egg: Tracking a Spy Through the Maze of Computer Espionage (Stoll, 1989). He also published a May 1988 article in Communications of the ACM describing the in-depth technical details of the attack and hunt (Stoll, 1988).
Fascinated by the attacker’s methodology and actions, Stoll connected a printer to a compromised server and logged every keystroke the attacker made. During one recording, Stoll noticed something interesting (at least in 1988). Almost immediately after compromising a victim, the attacker downloaded the encrypted password file. What use was this to the attacker? After all, the victim systems encrypted the user passwords using the UNIX crypt algorithm. However, within a week of stealing the encrypted password files, Stoll saw the attacker log on with the stolen accounts. Confronting some of the victim users, he learned they had used common words from the dictionary as passwords (Stoll, 1989).
Upon learning this, Stoll realized that the hacker had used a dictionary attack to decrypt the encrypted passwords. The hacker enumerated all the words in a dictionary and encrypted each one using the UNIX crypt() function. After encrypting each candidate password, the hacker compared the result with the stolen encrypted password. A match meant the password had been cracked.
Consider the following encrypted password file. The victim used the plaintext password egg and a salt equal to the first two bytes of the hash, or HX. The UNIX crypt function calculates the encrypted password as crypt('egg','HX') = HX9LLTdc/jiDE.
attacker$ cat /etc/passwd
victim:HX9LLTdc/jiDE:503:100:Iama Victim:/home/victim:/bin/sh
root:DFNFxgW7C05fo:504:100:Markus Hess:/root:/bin/bash
Let’s use this encrypted password file as an opportunity to write our first Python script, a UNIX password cracker.
Your First Program, a UNIX Password Cracker
The real strength of the Python programming language lies in the wide array of standard and third-party libraries. To write our UNIX password cracker, we will need to use the crypt() algorithm that hashes UNIX passwords. Firing up the Python interpreter, we see that the crypt library already exists in the Python standard library. To calculate an encrypted UNIX password hash, we simply call the function crypt.crypt() and pass it the password and salt as parameters. This function returns the hashed password as a string.
Programmer$ python
>>> help('crypt')
Help on module crypt:
NAME
crypt
FILE
/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/lib-dynload/crypt.so
MODULE DOCS
http://docs.python.org/library/crypt
FUNCTIONS
crypt(...)
crypt(word, salt) -> string
word will usually be a user's password. salt is a 2-character string
which will be used to select one of 4096 variations of DES. The
characters in salt must be either ".", "/", or an alphanumeric
character. Returns the hashed password as a string, which will be
composed of characters from the same alphabet as the salt.
Let’s quickly try hashing a password using the crypt() function. After importing the library, we pass the password “egg” and the salt “HX” to the function. The function returns the hashed password value “HX9LLTdc/jiDE” as a string. Success! Now we can write a program to iterate through an entire dictionary, trying each word with the custom salt for the hashed password.
programmer$ python
>>> import crypt
>>> crypt.crypt("egg","HX")
'HX9LLTdc/jiDE'
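The dictionary check described above, written out as an added example (not the book's own script): it reads the two passwd lines quoted in the text, recovers the salt from the first two characters of each hash, and tries each word of a constructed word list through crypt.crypt(), reporting which accounts use a dictionary word. The crypt module is deprecated in Python 3.11 and removed in 3.13, so the example falls back to an injectable hash function when it is missing.

```python
# Dictionary check of DES crypt(3) hashes, modelled on the attack described
# above. Added example; passwd lines are from the text, word list is constructed.
try:
    import crypt  # standard library through Python 3.12, removed in 3.13
except ImportError:
    crypt = None

# passwd file as quoted in the text (victim's password is 'egg')
PASSWD_TEXT = """\
victim:HX9LLTdc/jiDE:503:100:Iama Victim:/home/victim:/bin/sh
root:DFNFxgW7C05fo:504:100:Markus Hess:/root:/bin/bash
"""
WORDLIST = ["password", "chicken", "egg", "secret", "nest"]  # constructed

def parse_passwd(text):
    """Yield (user, hash) pairs; the hash is the second colon-separated field."""
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[0]:
            yield fields[0], fields[1]

def find_word(hashed, words, hash_fn=None):
    """Return the word in `words` that hashes to `hashed`, or None.
    A traditional crypt hash begins with its 2-char salt, so the salt is
    read from the hash itself; hash_fn(word, salt) defaults to crypt.crypt."""
    if hash_fn is None:
        if crypt is None:
            raise RuntimeError("crypt module unavailable; pass hash_fn")
        hash_fn = crypt.crypt
    salt = hashed[:2]
    for word in words:
        if hash_fn(word, salt) == hashed:
            return word
    return None

def weak_accounts(passwd_text, words, hash_fn=None):
    """Map each account whose hash matches a dictionary word to that word."""
    return {u: w for u, h in parse_passwd(passwd_text)
            if (w := find_word(h, words, hash_fn)) is not None}

def des_crypt_available():
    """True if this interpreter reproduces the crypt('egg','HX') value shown."""
    try:
        return crypt is not None and crypt.crypt("egg", "HX") == "HX9LLTdc/jiDE"
    except OSError:  # libcrypt built without DES support
        return False

if __name__ == "__main__":
    for user, word in weak_accounts(PASSWD_TEXT, WORDLIST).items():
        print(f"[+] {user}: password is the dictionary word {word!r}")
```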
To write our program, we will create two functions, main and testpass. It proves a good