yo-yo-yo-jbo/dictiopwn

Dictiopwn

Unix-based dictionary attack utility, based on the unix_chkpwd utility.

How does it work

On many distributions, a SUID binary called unix_chkpwd exists and is used by PAM.
That utility reads a candidate password from its standard input (which it verifies is not a terminal), hashes it, and compares the result with the hash stored for the user in the /etc/shadow file.
Generally that utility should only be used by PAM itself, but any local process can invoke it as a child process.
In the past I have found that the hash comparison was a naive memcmp, which would expose the check to a timing side-channel attack, but it seems to have been fixed since then.
Nevertheless, since there is no lockout policy, an attacker could easily run a local dictionary attack to uncover the password.
Note: the utility does create security audit logs.

Usage

Installing dependencies:

python3 -m pip install -r ./requirements.txt

Running:

./dictiopwn.py -d DICT [-c]
  • The -d flag is mandatory and specifies the dictionary to be used. The dictionary should separate attempts by line breaks. I've included a naive dictionary file in the repository.
  • The -c flag is optional and makes the utility try every casing variant of each dictionary entry, which covers more candidates but makes the dictionary attack run longer.

Disclaimer

I release this tool for educational purposes only and provide it without warranty.
Use this tool at your own risk.

Detection

Besides examining the security audit logs, defenders are encouraged to look for anomalous parent processes of the unix_chkpwd utility.
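As an added example (not part of the dictiopwn project), the two signals named above can be checked with a short script: unix_chkpwd processes whose parent is not a PAM-using service, and bursts of failed password checks for one user in the audit log. The process snapshot and log lines below are constructed; the allow-list of expected parents and the exact wording of the failure message (taken here as the "password check failed for user (...)" line that pam_unix's helper logs via syslog) are assumptions to verify against your own distribution.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Parent process names that normally invoke unix_chkpwd through PAM on a typical
# Linux host. This allow-list is an assumption for the example; tune it per site.
EXPECTED_PARENTS = {"sshd", "login", "su", "sudo", "passwd", "gdm-session-worker",
                    "lightdm", "sddm-helper", "cron", "xscreensaver"}


def unexpected_chkpwd_parents(procs):
    """procs: iterable of (pid, ppid, comm), the shape of `ps -eo pid,ppid,comm`.
    Returns [(chkpwd_pid, parent_pid, parent_comm)] for every unix_chkpwd whose
    parent is not on the allow-list."""
    by_pid = {pid: (ppid, comm) for pid, ppid, comm in procs}
    hits = []
    for pid, (ppid, comm) in by_pid.items():
        if comm != "unix_chkpwd":
            continue
        parent_comm = by_pid.get(ppid, (None, "<unknown>"))[1]
        if parent_comm not in EXPECTED_PARENTS:
            hits.append((pid, ppid, parent_comm))
    return hits


# Syslog-style failure line. Message text assumed to match pam_unix's helper;
# hostname, pids and timestamps in the sample data are constructed.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ unix_chkpwd\[(?P<pid>\d+)\]: "
    r"password check failed for user \((?P<user>[^)]+)\)"
)


def failure_bursts(lines, window=timedelta(seconds=30), threshold=5, year=2024):
    """Sliding-window count of failed checks per user. Returns {user: peak_count}
    for users whose failures inside any `window` reach `threshold`. With no
    lockout policy on the helper, such a burst is the main log-side sign of a
    local dictionary attack. Syslog lines carry no year, so one is supplied."""
    windows = defaultdict(deque)
    peaks = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unrelated line (other daemons, successful logins, ...)
        ts = datetime.strptime(f"{m['ts']} {year}", "%b %d %H:%M:%S %Y")
        q = windows[m["user"]]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            peaks[m["user"]] = max(peaks.get(m["user"], 0), len(q))
    return peaks


# Constructed process snapshot: one legitimate helper under sshd, one spawned
# from an interactive shell's Python process.
SAMPLE_PROCS = [
    (1, 0, "systemd"),
    (800, 1, "sshd"),
    (801, 800, "unix_chkpwd"),
    (1500, 1, "bash"),
    (1501, 1500, "python3"),
    (1502, 1501, "unix_chkpwd"),
]

# Constructed log: six failures for alice within ten seconds, one stray typo for bob.
SAMPLE_LOG = [
    "Mar 14 10:00:00 host unix_chkpwd[1502]: password check failed for user (alice)",
    "Mar 14 10:00:02 host unix_chkpwd[1503]: password check failed for user (alice)",
    "Mar 14 10:00:04 host unix_chkpwd[1504]: password check failed for user (alice)",
    "Mar 14 10:00:06 host unix_chkpwd[1505]: password check failed for user (alice)",
    "Mar 14 10:00:08 host unix_chkpwd[1506]: password check failed for user (alice)",
    "Mar 14 10:00:10 host unix_chkpwd[1507]: password check failed for user (alice)",
    "Mar 14 10:05:00 host unix_chkpwd[801]: password check failed for user (bob)",
    "Mar 14 10:05:01 host sshd[800]: Accepted password for bob from 10.0.0.5 port 22 ssh2",
]

if __name__ == "__main__":
    for pid, ppid, parent in unexpected_chkpwd_parents(SAMPLE_PROCS):
        print(f"unix_chkpwd pid {pid} has unexpected parent {parent} (pid {ppid})")
    for user, peak in failure_bursts(SAMPLE_LOG).items():
        print(f"{user}: {peak} failed checks inside one 30s window")
```

On a live host the snapshot comes from `ps -eo pid,ppid,comm` (or a process-start event stream, since unix_chkpwd exits quickly) and the log lines from the auth facility's file or journal. The parent check alone is noisy on desktops, so the two signals work best correlated: a helper with an odd parent plus a burst of failures for the same user.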

Stay tuned!

Jonathan Bar Or
