Weak passwords of system users on Debian systems are not detected
testwill opened this issue · 35 comments
/opt/veinmind-tools/veinmind-weakpass/artifacts/linux-amd64/veinmind-weakpass_linux_amd64 scan 192.168.1.94:443/library/test_weakpass:0.1
INFO[0002] Start Scan Image SSH Weakpass: 192.168.1.94:443/library/test_weakpass:0.1
============================================================================================
| Scan Total: 1 |
| Spend Time: 2.159982615s |
| Weakpass Image Total: 0 |
| Weakpass Total: 0 |
+----------------------------------------------------------------------------------------------+
============================================================================================
cat /etc/shadow
root::19139:0:99999:7:::
daemon::19139:0:99999:7:::
bin::19139:0:99999:7:::
sys::19139:0:99999:7:::
sync::19139:0:99999:7:::
games::19139:0:99999:7:::
man::19139:0:99999:7:::
lp::19139:0:99999:7:::
mail::19139:0:99999:7:::
news::19139:0:99999:7:::
uucp::19139:0:99999:7:::
proxy::19139:0:99999:7:::
www-data::19139:0:99999:7:::
backup::19139:0:99999:7:::
list::19139:0:99999:7:::
irc::19139:0:99999:7:::
gnats::19139:0:99999:7:::
nobody::19139:0:99999:7:::
_apt:*:19139:0:99999:7:::
nginx:!:19140:0:99999:7:::
test:$y$j9T$c/zxurpmCyM0ACN53Rsnl.$/a3a7ZXTmnZgaIFeUMB21pECYdoU.y.UJQlAULHs9/7:19191:0:99999:7:::
The test user's password is 123456
Please post your OS info, and check whether your test user's password is 123456
cat /etc/issue
Debian GNU/Linux 11 \n \l
cat /etc/os-release
PRETTY_NAME="Debian GNU/Linux 11 (bullseye)"
NAME="Debian GNU/Linux"
VERSION_ID="11"
VERSION="11 (bullseye)"
VERSION_CODENAME=bullseye
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
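How was your user's password written in: was it echoed in directly or generated by a command? The password format doesn't look like the standard format to me.
I used adduser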
history
1 adduser root
2 adduser test
3 exit
4 su root
5 exit
6 history
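passwd test, did you change it?
If you have already changed the password, but the encryption mode is
I must have entered y. Then why does Ubuntu work?
No encryption mode was specified; is it the system default?
Understood, thanks
Which branch is it? I synced on the 20th, and in testing it is still not detected
The branch has not been merged yet. We plan to support several other new encryption modes as well. To try y encryption early, you can find the specific branch in the PR, pull it, and try it
The PR has been merged; the tag is v1.4.1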
./artifacts/linux-amd64/veinmind-weakpass_linux_amd64 scan 192.168.1.94:443/library/test_weakpass:0.1
INFO[0000] start to scan mysql weakpass: 192.168.1.94:443/library/test_weakpass:0.1
INFO[0000] start to scan tomcat weakpass: 192.168.1.94:443/library/test_weakpass:0.1
INFO[0000] start to scan redis weakpass: 192.168.1.94:443/library/test_weakpass:0.1
INFO[0000] start to scan ssh weakpass: 192.168.1.94:443/library/test_weakpass:0.1
============================================================================================
| Scan Total: 4 |
| Spend Time: 154.779788ms |
| Weakpass Image Total: 0 |
| Weakpass Total: 0 |
+----------------------------------------------------------------------------------------------+
============================================================================================
git branch
master
- v1.4.1
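Please make sure that, after adding the weak-password account, you built the image from the container
You can run a container from your test image, then go in and check whether the weak-password line in the shadow file has the same format as in the picture above
It's not quite the same, but my password should be 123456. I'll add another user and see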
docker run -it 192.168.1.94:443/library/test_weakpass:0.1 sh
passwd test
New password:
Retype new password:
passwd: password updated successfully
ca^H^H^H
sh: 2:: not found
bash
root@fe1f645ed185:/# cat /etc/shadow
root::19139:0:99999:7:::
daemon::19139:0:99999:7:::
bin::19139:0:99999:7:::
sys::19139:0:99999:7:::
sync::19139:0:99999:7:::
games::19139:0:99999:7:::
man::19139:0:99999:7:::
lp::19139:0:99999:7:::
mail::19139:0:99999:7:::
news::19139:0:99999:7:::
uucp::19139:0:99999:7:::
proxy::19139:0:99999:7:::
www-data::19139:0:99999:7:::
backup::19139:0:99999:7:::
list::19139:0:99999:7:::
irc::19139:0:99999:7:::
gnats::19139:0:99999:7:::
nobody::19139:0:99999:7:::
_apt:*:19139:0:99999:7:::
nginx:!:19140:0:99999:7:::
test:$y$j9T$DqxAtCWKtO9D/B8bzSuo3.$enEcI5aIds7Q5FSXkIBxkeyOmcnh/aZzBE0hsP7HOKA:19200:0:99999:7:::
root@fe1f645ed185:/# exit
exit
e^H^H^H
sh: 6: not found
exit
root@jack-virtual-machine:/home/jack/test/veinmind-tools/plugins/go/veinmind-weakpass#
root@jack-virtual-machine:/home/jack/test/veinmind-tools/plugins/go/veinmind-weakpass#
root@jack-virtual-machine:/home/jack/test/veinmind-tools/plugins/go/veinmind-weakpass# ./artifacts/linux-amd64/veinmind-weakpass_linux_amd64 scan -s ssh test 192.168.1.94:443/library/test_weakpass:0.3
INFO[0000] start to scan ssh weakpass: 192.168.1.94:443/library/test_weakpass:0.3
============================================================================================
| Scan Total: 1 |
| Spend Time: 141.485744ms |
| Weakpass Image Total: 0 |
| Weakpass Total: 0 |
+----------------------------------------------------------------------------------------------+
============================================================================================
root@jack-virtual-machine:/home/jack/test/veinmind-tools/plugins/go/veinmind-weakpass# docker run -it 192.168.1.94:443/library/test_weakpass:0.3 /bin/bash
root@9fe8491dd003:/# cat /etc/shadow
root::19139:0:99999:7:::
daemon::19139:0:99999:7:::
bin::19139:0:99999:7:::
sys::19139:0:99999:7:::
sync::19139:0:99999:7:::
games::19139:0:99999:7:::
man::19139:0:99999:7:::
lp::19139:0:99999:7:::
mail::19139:0:99999:7:::
news::19139:0:99999:7:::
uucp::19139:0:99999:7:::
proxy::19139:0:99999:7:::
www-data::19139:0:99999:7:::
backup::19139:0:99999:7:::
list::19139:0:99999:7:::
irc::19139:0:99999:7:::
gnats::19139:0:99999:7:::
nobody::19139:0:99999:7:::
_apt:*:19139:0:99999:7:::
nginx:!:19140:0:99999:7:::
test:$y$j9T$DqxAtCWKtO9D/B8bzSuo3.$enEcI5aIds7Q5FSXkIBxkeyOmcnh/aZzBE0hsP7HOKA:19200:0:99999:7:::
I changed it and it still doesn't work
Can other images be detected? Or is it only the Debian one that doesn't work?
./artifacts/linux-amd64/veinmind-weakpass_linux_amd64 scan 192.168.1.94:443/library/ubuntu_weakpass:0.1
INFO[0000] start to scan mysql weakpass: docker.io/library/ubuntu_weakpass:0.1
INFO[0000] start to scan tomcat weakpass: docker.io/library/ubuntu_weakpass:0.1
INFO[0000] start to scan redis weakpass: 192.168.1.94:443/library/ubuntu_weakpass:0.1
INFO[0000] start to scan ssh weakpass: 192.168.1.94:443/library/ubuntu_weakpass:0.1
WARN[0000] {
"id": "sha256:05fb21919da1e02f515953d1ea1f3ad0d5306309c690026b6d72d4580e7c3121",
"time": "2022-07-27T15:09:52.978097211+08:00",
"level": "High",
"detect_type": "Image",
"event_type": "Risk",
"alert_type": "Weakpass",
"alert_details": [
{
"weakpass_detail": {
"username": "root",
"password": "123456",
"service": "SSH"
}
}
]
}
============================================================================================
| Scan Total: 4 |
| Spend Time: 138.928614ms |
| Weakpass Image Total: 1 |
| Weakpass Total: 1 |
+----------------------------------------------------------------------------------------------+
| ImageName: 192.168.1.94:443/library/ubuntu_weakpass:0.1 |
| ServiceName: ssh |
| Status: Unsafe |
| Username: root |
| Password: 123456 |
| Filepath: /etc/shadow |
+----------------------------------------------------------------------------------------------+
============================================================================================
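Yes, they can
After changing the password in the container, did you commit?
Which commit contains your change? I just synced today; it couldn't be a code problem, could it?
Yes, I did.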
docker commit fe1f645ed185 192.168.1.94:443/library/test_weakpass:0.3
sha256:04469849db2d379b6b337841fc595cd135ce93ecc9da72990d0b672dcd13e718
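It is there in the one above. The test entry in the two /etc/shadow files is the same. You should be able to see that
The current master version can already detect it. Check whether your plugins/go/veinmind-weakpass/hash/passwd_linux_dynamic.go contains this code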
// prepare for $y$
func (pw *Password) matchYescrypto(key, hash string) bool {
	ckey := C.CString(key)
	chash := C.CString(hash)
	out := C.crypt(ckey, chash)
	C.free(unsafe.Pointer(ckey))
	C.free(unsafe.Pointer(chash))
	return C.GoString(out) == hash
}
Thanks, the branch that has this code does indeed work.
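The scans in this thread reported "Weakpass Total: 0" for an image whose test account held a `$y$` hash, and only flagged it once the `$y$` matcher was present. The following is an added example, not part of the thread and not veinmind-weakpass code: it classifies each /etc/shadow password field by its crypt(3) prefix and lists the accounts a checker would never evaluate. The function names and the supported-scheme set passed in are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Three entries copied from the /etc/shadow listing in this thread.
const sampleShadow = `root::19139:0:99999:7:::
nginx:!:19140:0:99999:7:::
test:$y$j9T$DqxAtCWKtO9D/B8bzSuo3.$enEcI5aIds7Q5FSXkIBxkeyOmcnh/aZzBE0hsP7HOKA:19200:0:99999:7:::`

// crypt(3) hash prefixes and the scheme each one selects.
var schemes = map[string]string{"1": "md5crypt", "5": "sha256crypt",
	"6": "sha512crypt", "y": "yescrypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt"}

// Classify maps the password field of a shadow line to a scheme name.
func Classify(field string) string {
	switch {
	case field == "":
		return "empty" // no password set
	case field[0] == '!' || field[0] == '*':
		return "locked" // password login disabled
	case field[0] != '$':
		return "unknown" // legacy DES or malformed
	}
	id, _, found := strings.Cut(field[1:], "$")
	if name, ok := schemes[id]; ok && found {
		return name
	}
	return "unknown"
}

// Uncovered lists "user:scheme" for each hash outside the (assumed) supported set.
func Uncovered(shadow string, supported map[string]bool) []string {
	var out []string
	for _, line := range strings.Split(shadow, "\n") {
		user, rest, _ := strings.Cut(strings.TrimSpace(line), ":")
		field, _, _ := strings.Cut(rest, ":")
		if s := Classify(field); s != "empty" && s != "locked" && !supported[s] {
			out = append(out, user+":"+s)
		}
	}
	return out
}

func main() {
	fmt.Println(Uncovered(sampleShadow, map[string]bool{"sha512crypt": true}))
}
```

Reporting these accounts as "not checked" alongside the scan summary keeps a zero-findings result from being read as a clean image.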