Obsolete Linux Password Hash Threats
Obsolete password hashes on Linux are a threat to user credentials and an enabler of lateral movement. An old or weak password hash generally means one of the following:
The user's password is easily brute forced on modern CPU and GPU hardware if the hash is stolen.
The system is old and may have other problems lurking beneath, because it is not being maintained.
The user's account may have been moved onto a modern system, but the password has not been changed in years and so never got re-hashed with the newer, more secure algorithms.
In this video we discuss this threat and how Sandfly can agentlessly and rapidly identify user accounts vulnerable to this attack.
Linux has used a variety of password hashes over the years, all designed to protect users' passwords from being easily stolen and reused. When you type your password in, it is passed through an algorithm that scrambles it in a cryptographically sound way and writes the result out as a hash into a file, so that if that file is stolen, the attacker can't simply read the user's password. They have to do a large amount of work, guessing candidate passwords and running each through the algorithm, to find one that produces the same hash. This is all well and good, but over the years CPUs have gotten faster and modern GPUs are phenomenally fast. They are now very well suited to brute force attacks against user passwords, and in particular against obsolete cryptographic hashes.
When a hash is stolen, a modern password cracker can make millions or even billions of attempts per second against it. Most users are very bad at picking passwords, so it is easy for these systems to run through the likely candidates and recover them quickly. Even a random password, if it is below a certain length, has a high chance of being cracked, especially under a legacy algorithm.
The other problem with legacy algorithms on Linux is that they frequently are indicating smoke, and where there's smoke, there's fire. These old algorithms are typically only found on legacy systems. So if you see an old password algorithm, that typically means it's a very old system. If it's a very old system, that means it might not be patched, it might not be upgraded, it might have server configuration issues or things that are going to cause it to get compromised. That's going to allow an attacker onto there and allow those attackers to steal those passwords, crack those passwords and then use them for lateral movement across your network. The whole thing is very bad news.
The other thing it may indicate is an old password or an old user account that has been moved onto a modern system. In itself that's fine, because most of the password hashing algorithms are backwards compatible. What is not fine is that if the account is still using an old hashing algorithm, that user has not changed their password in a very, very long time. If that password was ever compromised on a legacy system, an attacker is going to have immediate access to your modern system.
In any event, the user needs to update that password and use a modern hashing algorithm. Let me show you how all this looks. I'm going to go over to the Sandfly dashboard here. Sandfly is an agentless endpoint detection and response system on Linux but it also does a lot of other cool things, such as being able to look for policy and security mismanagement, SSH keys for lateral movement attacks and passwords, which I'm going to show you here in a moment.
We scanned one of our systems here, and on that system we got a couple of alerts. The first alert is a policy alert indicating that a user called Jack Slack has a problem: Jack Slack is using an obsolete MD5 hash for their password. I can see who they are and their group, and I can see that yes, they do in fact have a weak password hash type. So I know that this user, Jack Slack, is either a very old account or that this system is very old.
The next problem we found on the system, which frequently goes hand in hand with legacy passwords, is that there was simply a bad password. We looked at this box and again found our user, Jack Slack, whose password is the same as their username. It's something we tend to see over time: legacy password hashes are frequently tied to accounts that are mismanaged or just very, very old, that nobody is paying attention to anymore, or that were carelessly credentialed when they were first created. In this case, we found that this account has a password that's the same as its username. We can run through a custom password list to find this kind of thing, no problem. But again, these types of problems tend to go hand in hand.
How does this look from the terminal side? If I go to my terminal and cat out /etc/shadow, we're going to see a couple of things:
I have two users with passwords, each shown as a long convoluted string. The first user is called pi, because this is a Raspberry Pi.
The prefix of that user's password field is $y$. That means yescrypt, which is a modern algorithm.
Yescrypt is designed specifically to be slow to execute, even on specialized hardware, so it is hardened against these kinds of attacks; even GPUs do not perform well when brute forcing that algorithm. But further down we have Jack Slack, whose password field starts with the prefix $1$. That means this is an older MD5 hash (md5crypt). MD5 hashes are very easily optimized for password cracking on modern systems, so you don't want to see that anywhere.
Here you have two problems. We have MD5 down here, but also yescrypt up top, which tells us this is a legacy account that was moved onto a modern box. Either way it needs to be investigated.
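As an added example (not Sandfly's code and not from the original post), here is a small Python audit that does the terminal check above programmatically: it parses shadow-format lines, maps the crypt(3) prefix in the password field to an algorithm, flags md5crypt and traditional DES as obsolete, and uses the third field (days since 1970-01-01 of the last password change) to catch the "not changed in years" case described earlier. The sample lines are constructed, the hash bodies are placeholders rather than real digests, and the 365-day threshold and the 2024-01-01 reference date are assumptions.

```python
"""Audit shadow-format entries for obsolete hash algorithms and stale passwords.

Added example, not part of the original post. The sample lines are
constructed and the hash bodies are placeholders, not real digests.
"""
from datetime import date

# crypt(3) prefixes as implemented by libxcrypt. True marks algorithms that
# modern GPU crackers handle cheaply and that should be migrated away from.
HASH_FAMILIES = {
    "$gy$": ("gost-yescrypt", False),
    "$y$":  ("yescrypt", False),
    "$7$":  ("scrypt", False),
    "$2b$": ("bcrypt", False),
    "$2y$": ("bcrypt", False),
    "$2a$": ("bcrypt", False),
    "$6$":  ("sha512crypt", False),
    "$5$":  ("sha256crypt", False),
    "$1$":  ("md5crypt", True),
}
EPOCH = date(1970, 1, 1)

# Constructed sample in /etc/shadow layout (user:hash:lastchg:min:max:warn:inactive:expire:).
SAMPLE_SHADOW = """\
pi:$y$j9T$SALTSALTSALTSALTSALTSA$HASHHASHHASHHASHHASHHASHHASHHASHHASHHASHHASH:19700:0:99999:7:::
jackslack:$1$SALTSALT$HASHHASHHASHHASHHASHHA:15000:0:99999:7:::
root:*:19700:0:99999:7:::
olduser:!$6$SALTSALT$HASHHASHHASHHASHHASHHASH:18000:0:99999:7:::
legacydes:DESDESDESDESD:12000:0:99999:7:::
"""


def classify_hash(field):
    """Return (algorithm, obsolete) for one shadow password field.

    A leading '!' marks a locked account but may still carry a hash;
    '*', '!' or an empty field means there is no usable hash at all.
    """
    body = field.lstrip("!")
    if body in ("", "*"):
        return ("none", False)
    for prefix, (name, obsolete) in HASH_FAMILIES.items():
        if body.startswith(prefix):
            return (name, obsolete)
    if "$" not in body and len(body) == 13:
        return ("descrypt", True)   # traditional DES crypt: 8-char password limit
    return ("unknown", True)        # unrecognised: treat as needing review


def audit_shadow(text, today, max_age_days=365):
    """Parse shadow-format text and return one finding dict per user."""
    today_days = (today - EPOCH).days
    findings = []
    for raw in text.splitlines():
        fields = raw.split(":")
        if len(fields) < 3:
            continue
        user, pw_field, lastchg = fields[0], fields[1], fields[2]
        algorithm, obsolete = classify_hash(pw_field)
        finding = {"user": user, "algorithm": algorithm,
                   "locked": pw_field.startswith("!") or algorithm == "none",
                   "issues": []}
        if algorithm != "none":
            if obsolete:
                finding["issues"].append(f"obsolete hash algorithm ({algorithm})")
            if not lastchg.isdigit():
                finding["issues"].append("no last-change date recorded")
            elif int(lastchg) != 0:  # 0 means "must change at next login"
                age = today_days - int(lastchg)
                if age > max_age_days:
                    finding["issues"].append(f"password unchanged for {age} days")
        findings.append(finding)
    return findings


def run_sample():
    """Audit the constructed sample against an assumed reference date."""
    return audit_shadow(SAMPLE_SHADOW, today=date(2024, 1, 1))


if __name__ == "__main__":
    for f in run_sample():
        state = "LOCKED" if f["locked"] else ("REVIEW" if f["issues"] else "OK")
        print(f"{f['user']:<12}{f['algorithm']:<14}{state:<8}{'; '.join(f['issues'])}")
```

On a real host the same function can be fed the contents of /etc/shadow (root access is required to read it); locked accounts are reported but not flagged, since a hash behind a `!` cannot be used to log in directly, though it still deserves cleanup if the algorithm is obsolete.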
So pay attention if you see legacy password hashes lying about. Sandfly can give visibility into them and, importantly, will indicate when those accounts put you at high risk of an attacker gaining lateral movement if the hashes are stolen. The chances of an attacker pulling off a brute force attack against them are very, very high. If you're still using them, you should work hard to get them out of your enterprise.
Sandfly is able to find this and many other types of Linux attacks without deploying any endpoint agents. Get your free license today or contact us for more information.