Splunking Your Password — Is Splunk Safe for Its Own Passwords?


We often use tools to assess the security of other systems, but what about the tool itself? Who watches that, and how secure is it? One of the most popular tools in Security Operations Centres is Splunk, so let’s have a look at how it stores passwords.

Splunk is a great tool. Under the hood it actually operates like a Linux-type environment (even on a Windows OS). Each user login and password is stored in the passwd file in the /etc folder (within the Splunk home folder). I was having a look, and found that the following is created for a user named “csn01”:

:csn01:$6$Uk8SVGLsBuSmD75R$Lhp5yjwRUAM.LbH5IIthZ1u0bAUdJwBvvccBshAvpFPiRn62EYeiKOaP8xh97aV4UaNfVykRZhUy/3ZOZd1oc.:::user::::18161

So what is the method used for hashing the password? We split the hashed password into three main groups (separated by the “$” symbol):

6
Uk8SVGLsBuSmD75R
Lhp5yjwRUAM.LbH5IIthZ1u0bAUdJwBvvccBshAvpFPiRn62EYeiKOaP8xh97aV4UaNfVykRZhUy/3ZOZd1oc.

Here, “6” is the hashing method (SHA-512), “Uk8SVGLsBuSmD75R” is the salt value, and “Lhp5yjwRUA..d1oc.” is the hashed version. When the user logs into Splunk, their password will be added to the salt value, and the same hashed version should be created. Well, the “$6” part identifies…
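The split described above can be automated when reviewing a passwd file for weak or malformed entries. The following is an added example, not code from the original article or from Splunk; it assumes the user name and hash sit in the second and third colon-separated fields, as in the sample line, and uses the standard crypt(3) identifiers for MD5, SHA-256 and SHA-512.

```python
import re
import string

# crypt(3) id -> (scheme, encoded digest length, max salt length, default rounds)
SCHEMES = {
    "1": ("MD5-crypt", 22, 8, 1000),
    "5": ("SHA-256-crypt", 43, 16, 5000),
    "6": ("SHA-512-crypt", 86, 16, 5000),
}
CRYPT_B64 = set("./" + string.digits + string.ascii_letters)  # crypt's base64 alphabet

# The passwd line shown in the article.
PAGE_LINE = (":csn01:$6$Uk8SVGLsBuSmD75R$Lhp5yjwRUAM.LbH5IIthZ1u0bAUdJwBvvccBshAvp"
             "FPiRn62EYeiKOaP8xh97aV4UaNfVykRZhUy/3ZOZd1oc.:::user::::18161")


def parse_crypt(value):
    """Split '$id$[rounds=N$]salt$digest' and list anything an auditor should flag."""
    parts = value.split("$")
    if len(parts) < 4 or parts[0]:
        raise ValueError("not a modular crypt string")
    ident, rest = parts[1], parts[2:]
    name, dlen, salt_max, rounds = SCHEMES.get(ident, ("unknown", None, 0, None))
    m = re.fullmatch(r"rounds=(\d+)", rest[0])
    if m and ident in ("5", "6"):  # only the SHA schemes accept a rounds= parameter
        rounds, rest = int(m.group(1)), rest[1:]
    if len(rest) != 2:
        raise ValueError("expected exactly a salt and a digest")
    salt, digest = rest
    issues = []
    if ident not in ("5", "6"):
        issues.append("weak or unknown scheme")
    if len(digest) != dlen or not set(salt + digest) <= CRYPT_B64:
        issues.append("malformed digest or salt")
    if not 0 < len(salt) <= salt_max:
        issues.append("bad salt length")
    if ident in ("5", "6") and rounds < 5000:
        issues.append("rounds below default")
    return {"scheme": name, "rounds": rounds, "salt": salt,
            "digest": digest, "issues": issues}


def audit_line(line):
    """Assumes field 1 is the user name and field 2 the hash, as in the sample line."""
    fields = line.split(":")
    return {"user": fields[1], **parse_crypt(fields[2])}


if __name__ == "__main__":
    print(audit_line(PAGE_LINE))
```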

Prof Bill Buchanan OBE FRSE
ASecuritySite: When Bob Met Alice