checking for password strength in NG/AI and NGx Administrators

[cciesec2006]

Hi All,

I've been tasked to do a security audit for all of our firewall
Administrators. One of the tasks is to audit the password strength
anyone who can log into the Provider-1 and CMAs regardless of
privileges.

Anyway, I have access to the $MDSDIR/conf/mdsdb/cp-admins.C file
and I can see all user accounts in here and the password is encrypted.
I would like to run this password through a some kind of password
cracker and see how strong these passwords are because I can create
a P-1 supper user with a password of "123456", which is NOT good.
This is what I see in the file:

[root@Linux-lab mdsdb]# more cp-admins.C
(
:version (6.08)
: (admin
:AdminInfo (
:chkpf_uid ("{4DD1C39A-D709-11DC-B0AE-0AFA61096565}")
:ClassName (pv1_administrator)
:table (pv1_administrators)
:LastModified (
:Time ("Sat Feb 9 12:19:47 2008")
:By (localhost)
:From (Linux-lab)
)
:icon ("Provider-1/pv1_admin")
)
:GlobalSdbReadOnly (0)
:SdbReadOnly (0)
:administrator (true)
:auth_method ("Old User Password")
:connection_state (uninitialized)
:customer_perms ()
:days (127)
:fromhour ("00:00")
:internal_password (6b846265fd68a762707f8102a2d4711f1e26f479)
:msp_perm (80000000)
:pv1_auth_server ()
:sic_name ()
:tohour ("23:59")
:type (pv1_administrator)
:vsx_provisioning (true)
)
[root@Linux-lab mdsdb]#

Anyone know I can crack the checkpoint internal password string,
in this case, 6b846265fd68a762707f8102a2d4711f1e26f479

Any ideas?

Thanks.

[Thorpuse]

Rather than a brute-force or dictionary attack through the GUI, there's no easy way to get the password in the clear. CP's password system is basic to say the least - the assumption is that if you're serious about authentication security, you'll outsource auth to a 3rd party (preferably two-factor based) authentication technology.

If I were to speculate, you could possibly try and run a dictionary attack using the authentication in dbedit or an equivalient command line tool. The success or otherwise of this would tell whether going down the path of 3rd-party authentication systems is required... :)

Good luck.

[cciesec2006]

My P-1 supper users, myself included, use RSA SecurID for authentication.
Everyone with read-only access use checkpoint internal password for
authentication. However, checkpoint has no internal mechanism to force
complex password creation. Therefore, someone could be creating an
account with a very easy password such as "123456" and checkpoint will
NOT complain about it.

I am interested in a freeware that I can use to crack checkpoint password.
any ideas where I can get one? Thanks.

[Thorpuse]

Not sure this solves your problem - if your issue is that you can create an admin with a cryptographically poor password, then "cracking" the password isn't going to prove anything, because the "problem" as you describe it will still exist even after you crack the existing passwords.

If such a tool exists that could decrypt the entry, and this was in the open, I would think that would be a big problem.... It ain't going to work that way!

[cciesec2006]

corporate security dictates that password scheme must be complexed
and hard to guess. I am trying to enforce corporate security. There
are people who are lazy and create easy to guess password. Yes,
my problem still exists but I can tell those users to change the password
and make it harder to guess.

"If such a tool exists that could decrypt the entry, and this was in the open, I would think that would be a big problem.... It ain't going to work that way!"

I have to disagree with this. There are tools out there to crack Windows
and Unix password. Why is checkpoint password any different?