Decrypt ssha1 password

Hi to all, I have an AIX 6.1 machine and I want to decrypt an ssha1 password written in /etc/security/passwd. The reason I want to do that is that I have had some complaints about a few users who cannot log in and receive the invalid login message. I suspect that they are entering the wrong password, because I can see the unsuccessful_login_count attribute of their user grow when they enter the password. The problem is that all of them insist that they enter the correct password, so I cannot prove that they are doing something wrong. I did a little searching and read about hashcat, but I don't think I can install it on my machine because the security department probably will not allow me to do this. If somebody knows a way to decrypt it, then maybe they can send me a private message. Thank you.

What's wrong with initializing the password again?
If you suspect something is wrong, what is stopping you from creating a new user, entering the passwd and reconnecting... If, as you say, it seems general, then all accounts should be affected...
If these people connect from PCs, are you sure they do not have CAPSLOCK or NUMLOCK activated?
I have had that problem a few times, and most times (99%!), because just before going berserk I go see the folks and ask them to show me, people confuse their PC/AD/Novell password with the unix host passwd...

A Forum rules reminder:

Well, the thing is that the users are not in my company. They are users that connect to the server and are located in other offices. Also, I read that with sha1 encryption, even if a user has the same password as someone else, it does not have the same encryption code in /etc/security/passwd. So even if I initialize this password for another user, I will not get the same hash in my /etc/security/passwd file. I know you are probably right about CAPSLOCK etc., but it is so frustrating to argue with somebody on the phone, trying to explain that they are doing something wrong, and yet they insist that they are doing everything correctly.

Well, for those users, you give them the new password, saying it works because you have used it to test the connection. The idea was not to decrypt ssha1 but to see that the password you entered is valid; there is no reason it works for some and not for others. And as I have already said, especially with people not connecting for some time (have you checked when the last time was?): the AD or Novell policy forces the passwd change, the users apply it, then when returning to UNIX they are surprised and swear it's the correct passwd (yes, but it's the PC one, not the UNIX one), and meanwhile they are so stressed that they have forgotten the UNIX passwd anyway...

The idea of password decryption is that I could decrypt the password from the /etc/security/passwd file and use it to connect myself and see if it's working or not. I can do what you suggest, but it will not stop these users from repeating the same behavior. Maybe if I can show them that they are wrong, they will pay more attention to what they are doing.

Have you a strict failed login attempt policy? Because I have seen boxes blocked by "non-intrusive" security scan software, if you have that sort of software...

Yes, if a user has 5 unsuccessful login attempts then the account is locked.
But I check the counter anyway, and the number is still below 5 when the user complains.

A vague idea - can you tcpdump the users' session and find out this way what they enter?

Hmm, are you sure that I can do that through tcpdump?
Because I tried it and I just see the packets between the computer and the server. No user input is displayed.

This depends on the permissions you have on the server, on which you have to run the command. While I did this successfully several years ago, I now reckon that it might be pointless nowadays when e.g. ssh is used...

I can connect as root on the server.
The users are connected via ssh, so even if I get the user's session (by logging session output) I still cannot see what they enter as the password.

The other way to try is
cp -p /etc/security/passwd /etc/security/passwd.orig

Now change the password of the user
passwd <user>

Reset the unsuccessful login count
chuser unsuccessful_login_count=0 <user>

Now open a PuTTY session or any other emulator you use and log in using the new credentials for that user.

And anytime you can replace the old passwd file.

Also, is ssh logging enabled in /etc/syslog.conf file? It can also help you sometimes.
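The suggestion about ssh logging, as an added example that is not part of the original posts: once sshd's authentication messages reach a log file, they show per user how many attempts failed, from which address, and whether the account name itself was mistyped (sshd never logs the password). The sample lines are constructed in generic syslog layout around OpenSSH's standard "Failed password" / "Accepted password" wording; the host name, users and addresses are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in the style OpenSSH's sshd writes to syslog.
SAMPLE_LOG = """\
Mar  3 09:14:02 aixhost sshd[4123]: Failed password for jdoe from 192.0.2.10 port 51234 ssh2
Mar  3 09:14:09 aixhost sshd[4123]: Failed password for jdoe from 192.0.2.10 port 51234 ssh2
Mar  3 09:14:20 aixhost sshd[4123]: Accepted password for jdoe from 192.0.2.10 port 51234 ssh2
Mar  3 10:02:41 aixhost sshd[4377]: Failed password for invalid user jdoe2 from 192.0.2.10 port 51301 ssh2
Mar  3 11:30:05 aixhost sshd[4502]: Failed password for asmith from 198.51.100.7 port 40022 ssh2
Mar  3 11:31:15 aixhost sshd[4502]: Failed password for asmith from 203.0.113.99 port 40100 ssh2
"""

# Timestamp, then anything up to the sshd tag, then the authentication result.
AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s.*?sshd\[\d+\]:\s"
    r"(?P<result>Failed|Accepted) password for "
    r"(?P<invalid>invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

def summarize(log_text):
    """Per-user counts of failed/accepted password logins and their source addresses."""
    stats = defaultdict(lambda: {"failed": 0, "accepted": 0, "sources": set(),
                                 "unknown_account": False, "last_failure": None})
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if not m:
            continue  # not a password authentication message
        entry = stats[m["user"]]
        entry["sources"].add(m["src"])
        if m["result"] == "Accepted":
            entry["accepted"] += 1
        else:
            entry["failed"] += 1
            entry["last_failure"] = m["ts"]
            # "invalid user" means the login name does not exist on the host
            entry["unknown_account"] |= m["invalid"] is not None
    return dict(stats)

if __name__ == "__main__":
    for user, info in sorted(summarize(SAMPLE_LOG).items()):
        print(user, info)
```

Failures from an address the user never works from point at something other than the user's typing, such as the scanning software mentioned earlier in the thread.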

From a software perspective, you are an "attacker". The system is designed to prevent everyone from doing what you are trying to do. Passwords are not generally stored in a reversible way, to prevent people from doing exactly what you want to do -- crack their password. They're hashed instead, which is irreversible. When they enter a password it's also hashed, and the hashes compared to see if they're identical. (More or less. There's salting done -- again, to make it harder to do exactly what you are trying to do.)
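The hash-and-compare login check and the effect of salting described above, as an added example that is not part of the original posts. It uses a generic salted, iterated SHA-1 construction (PBKDF2-HMAC-SHA1) and a made-up record layout, not AIX's on-disk format; the iteration count and passwords are assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for this example

def enroll(password, salt=None):
    """Setting a password: pick a random salt, store only salt and digest."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha1", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex()}

def verify(record, attempt):
    """Login: hash the typed password with the stored salt and compare digests.

    Nothing is decrypted; the stored digest is never turned back into text.
    """
    salt = bytes.fromhex(record["salt"])
    candidate = hashlib.pbkdf2_hmac("sha1", attempt.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate.hex(), record["hash"])

def demo():
    # Two constructed users who happen to choose the same password.
    alice = enroll("Summer2024!")
    bob = enroll("Summer2024!")
    return {
        # Different random salts give different stored hashes.
        "same_password_same_hash": alice["hash"] == bob["hash"],
        "correct_password": verify(alice, "Summer2024!"),
        # The same keystrokes with CAPS LOCK on produce a different string.
        "caps_lock_on": verify(alice, "sUMMER2024!"),
        "bob_correct_password": verify(bob, "Summer2024!"),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```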

In a nutshell, you cannot decrypt a one-way hash function like SHA-1 (unless the hash function has serious security problems in the implementation).

End of story.

Thank you all, guys, for your responses.
ibmtech: when I reset the user's account, the user can connect again with the new password. I tried this, but the problem is that every few days these users need to reset their password, because in their opinion the "correct" password that they enter is not accepted by the system and needs to be reset. No, I don't have ssh logging set. How can this help?
Corona688, Neo: yes, I understand that what I am trying to do is considered an "attack". I was wondering if there is a way to decrypt the password like AIX does when the user enters his credentials.

No. You cannot decrypt a correctly implemented one-way hash function. Period.

That is why it is called "one way".

I'm closing this thread because it is not possible to decrypt properly implemented one-way hash functions and these forums are not hacker boards for discussions on how to break and attack security functions.
