Exercise 8: Exploiting Empty User Passwords

Objective: Understand how to identify and exploit accounts with empty passwords for privilege escalation, and learn strategies to prevent such vulnerabilities through proper password policies and account auditing.

Scenario: During a security assessment of a Linux system, you suspect that some user accounts might have empty passwords. These misconfigurations can be exploited to gain unauthorized access to the system. Your task is to identify such accounts, exploit them to assess their impact, and recommend mitigation strategies to secure the system.

Lab Setup

1. Environment:
   • A Linux system with at least one user account configured with an empty password.
2. Tools Required:
   • Terminal access to the Linux system.
   • Basic understanding of user authentication and Linux account management.

Lab Steps

Step 1: Identify Users with Empty Passwords

Check the /etc/shadow file for accounts with empty passwords:

sudo cat /etc/shadow | grep '::'

Accounts with :: in their entry indicate no password is set.

Example output:

testuser::18446:0:99999:7:::

Verify the identified users by listing all system accounts:

cat /etc/passwd

Cross-reference usernames from /etc/shadow to confirm their validity.

Step 2: Test Login for Empty-Password Accounts

Attempt to log in as the identified user:

su testuser

If no password is prompted, the login will succeed.

Explore the user’s permissions and accessible files:

whoami 

ls -la

Note any valuable information or accessible files.

Step 3: Escalate Privileges

Check if the account has sudo privileges:

sudo -l

If sudo access is available, escalate privileges:

sudo su

Verify by running:

whoami

Expected output: root.

Step 4: Gather Additional Information

Use the compromised account to gather sensitive information:

Check for SSH keys:

cat ~/.ssh/authorized_keys

Look for configuration files or logs:

ls -la /home/testuser

Search for credentials in system files:

grep -i 'password' /etc/* 2>/dev/null

Solution

Explanation:

• Accounts with empty passwords allow unauthorized users to log in without authentication, leading to potential privilege escalation or data theft.
• In this exercise, an empty-password account was exploited to gain access and potentially escalate privileges to root.

Prevention:

Enforce Password Policies:

Use tools like pam_pwquality to enforce strong passwords:

sudo apt install libpam-pwquality

Configure /etc/security/pwquality.conf with rules for password strength.

Audit User Accounts:

Regularly check for empty passwords:

sudo cat /etc/shadow | grep '::'

Disable or remove accounts with empty passwords:

sudo passwd -l testuser

Implement System Hardening:

Restrict root access and ensure all accounts have secure passwords.

Use tools like fail2ban to prevent unauthorized login attempts.

Monitor Account Activity:

Enable logging of authentication events using tools like auditd.

Testing and Verification

After securing accounts, verify that no user accounts have empty passwords:

sudo cat /etc/shadow | grep '::'

Attempt to log in with previously identified accounts to confirm they are no longer accessible without authentication.

Document all changes and outcomes for reporting.

Reflection

This exercise demonstrates the risks of misconfigured user accounts with empty passwords and highlights the importance of enforcing password policies and regular account audits. By completing this lab, you’ve gained practical experience in identifying, exploiting, and mitigating vulnerabilities associated with empty-password accounts.