On Wed, Jun 10, 2015 at 6:49 PM, Moby <moby@mobsternet.com> wrote:
On 06/10/2015 04:25 PM, Greg Freemyer wrote:
All,
The below SR is for a new to OBS password recovery tool (LaZagne).
From what I've seen all it does is look for plain text passwords that the user has visibility to if they knew where to look and present them. I have not done a code review, but I did run it to see what it found.
In the case of running it as root, it is not looking in /home/* for passwords, just /etc and /root
I know hacking tools are not allowed on OBS, but I argue this is more of an auditing tool in that it lets users know what plain text passwords they have on their system.
I can accept it into security:forensics (which is where it was submitted), but I'd appreciate your feedback as to the appropriateness of this package in security:forensics and/or factory before I do that.
Per the website (http://www.kitploit.com/2015/02/the-lazagne-project-recover-most-common.html) LaZagne can recover passwords from:
====
browsers - firefox, opera
chats - pidgin, jitsi
mails - thunderbird
adminsys - filezilla, environment variables
database - sqldeveloper, squirrel, dbvisualizer
wifi - network manager
wallet - gnome keyring
====
Summary: with openSUSE 13.2, LaZagne was able to retrieve some passwords for filezilla and wireless LANs, but those passwords were being stored in plain text.
Thanks Greg
<snip>
Definitely a good auditing tool to have and security:forensics has my vote for putting it in.
-- --Moby
LaZagne is now in security:forensics if anyone wants to try it out.
From what I've seen, if it can retrieve a password you should consider the password easily recovered because it doesn't try very hard.
As noted before I ran it as myself, root, and a brand new user. It alerted me to a couple of plain text passwords I had stored, so it was useful from that perspective.
Greg
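The thread's point is that LaZagne "doesn't try very hard": it finds credentials that are already sitting in plain text in configuration files the user can read. The following is an added example, not LaZagne's code and not from anyone in the thread, showing the defender's side of that check: a small audit that walks a config directory, flags INI/keyfile-style lines whose key looks like a credential, and records whether the file is group- or world-readable. The directory layout and file contents are constructed for the example; the key names scanned are an assumption, not LaZagne's list.

```python
import os
import re
import stat
import tempfile
from pathlib import Path

# Key names assumed to carry a credential in INI/keyfile-style configs
# (assumption for this example; LaZagne uses format-specific parsers instead).
CRED_KEYS = ("password", "passwd", "psk", "secret")
PATTERN = re.compile(
    r"^\s*(?P<key>[A-Za-z0-9_.-]*(?:" + "|".join(CRED_KEYS) + r"))\s*[=:]\s*(?P<value>\S.*)$",
    re.IGNORECASE,
)
SKIP_SUFFIXES = {".so", ".o", ".png", ".jpg", ".gz", ".bz2", ".xz", ".zip"}


def scan_file(path: Path) -> list:
    """Return one finding per line that assigns a non-empty value to a credential-like key."""
    findings = []
    try:
        text = path.read_text(errors="replace")
    except OSError:
        return findings
    mode = path.stat().st_mode
    for lineno, line in enumerate(text.splitlines(), 1):
        m = PATTERN.match(line)
        if not m:
            continue
        value = m.group("value").strip()
        if value.lower() in ("none", "false", "true"):
            continue  # boolean/placeholder values are not stored secrets
        findings.append({
            "path": str(path),
            "line": lineno,
            "key": m.group("key"),
            # Who else on the box can read this file? Plain text plus wide
            # permissions is the combination that matters most.
            "group_readable": bool(mode & stat.S_IRGRP),
            "world_readable": bool(mode & stat.S_IROTH),
        })
    return findings


def scan_tree(root, max_size: int = 1_000_000) -> list:
    """Walk a directory tree (no symlink following) and collect findings from text-like files."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_symlink() or not path.is_file():
            continue
        if path.suffix.lower() in SKIP_SUFFIXES or path.stat().st_size > max_size:
            continue
        findings.extend(scan_file(path))
    return findings


def build_sample_tree() -> str:
    """Constructed sample config directory: one 0644 ini file, one 0600 NetworkManager-style keyfile."""
    root = tempfile.mkdtemp(prefix="cred-audit-")
    app = Path(root) / "app" / "client.ini"
    app.parent.mkdir(parents=True)
    app.write_text(
        "[server]\nhost = example.invalid\nuser = alice\npassword = hunter2\n"
        "# password=old-commented-out\ndebug = false\n"
    )
    os.chmod(app, 0o644)  # readable by everyone on the host
    wifi = Path(root) / "system-connections" / "home-wifi"
    wifi.parent.mkdir(parents=True)
    wifi.write_text("[wifi-security]\nkey-mgmt=wpa-psk\npsk=correct horse battery staple\n")
    os.chmod(wifi, 0o600)  # owner-only, as NetworkManager keyfiles normally are
    empty = Path(root) / "app" / "empty.conf"
    empty.write_text("password=\n")  # empty value: nothing stored, so not reported
    return root


def demo_findings() -> list:
    """Build the constructed tree and audit it; returns findings sorted by key name."""
    root = build_sample_tree()
    return sorted(scan_tree(root), key=lambda f: f["key"])


if __name__ == "__main__":
    for f in demo_findings():
        exposure = "WORLD-READABLE" if f["world_readable"] else "owner/group only"
        print(f'{f["path"]}:{f["line"]}: key "{f["key"]}" in plain text ({exposure})')
```

Running it on the constructed tree reports the `password` line in the world-readable ini file and the `psk` line in the owner-only keyfile, and skips the commented-out and empty lines. Point it at `~/.config` or `/etc` (as the user whose files you want to audit) to get the same kind of "you already have this in plain text" notice the thread describes; a real audit would add per-format parsers rather than relying on one regex.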