TUCoPS :: Password Security :: hackpwd.txt

How to crack a Unix password file


             -=How to crack a unix password file=-
                       -=Lord Devious=-

1.) Obtaining a password file.

     There are a few diffrent ways to get a password file. You can:

a.) Telnet to port 21 on the provider.

b.) Use an FTP program that does all the commands for you. I happen to
use WINFTP wich can be downloaded from: 
http://www.geocities.com/siliconvalley/vista/9203/winftp.zip


2.) Logon to the server.

A.) When using TELNET type:
User anonymous
login

B.) When using WINFTP:
Just leave everything blank with the exception of HOST which is filed with
the HOST you are connecting to.
Then hit Anonymous Login and ti will automaticly fill the UserId with Anonymous

    Now you should be in the system (probably in TMP) if not then this system
wont allow anonymous logins. If this is true try getting an account on the system.
Call up the ISP and tell them you want an account but ask for a seven day tril to
the system. In most cases the will give it to you.

3.) Find the password file.

     You will normaly find some sort of password file in the ETC directory. 
It will normaly be called PWD.DB or PASSWD, dowlaod this file. 

4.) Determining the password file type.

	You may allready know that a shadowed password file is not as eisly
cracked as a unshadowed file. But you may not know wether it is shadowed or
not. So heare are some examples.

<<Example of an unshadowed password file>>
root:RqX6dqOZsf4BI:0:1:System PRIVILEGED Account,,,:/:/bin/csh
field:PASSWORD HERE:0:1:Field Service PRIVILEGED Account:/usr/field:/bin/csh
operator:PASSWORD HERE:0:28:Operator PRIVILEGED Account:/opr:/opr/opser
ris:Nologin:11:11:Remote Installation Services Account:/usr/adm/ris:/bin/sh
daemon:*:1:1:Mr Background:/:
sys:PASSWORD HERE:2:3:Mr Kernel:/usr/sys:
bin:PASSWORD HERE:3:4:Mr Binary:/bin:
uucp:Nologin:4:1:UNIX-to-UNIX Copy:/usr/spool/uucppublic:/usr/lib/uucp/uucico
uucpa:Nologin:4:1:uucp adminstrative account:/usr/lib/uucp:
sso:Nologin:6:7:System Security Officer:/etc/security:
news:Nologin:8:8:USENET News System:/usr/spool/netnews:
sccs:PASSWORD HERE:9:10:Source Code Control:/:
ingres:PASSWORD HERE:267:74:ULTRIX/SQL Administrator:/usr/kits/sql:/bin/csh
rlembke:n25SO.YgDxqhs:273:15:Roger Lembke,,,:/usr/email/users/rlembke:/bin/csh
rhuston:ju.FWWOh0cUSM:274:15:Robert Huston,st 304c,386,:/usr/email/users/rhuston:/bin/csh
jgordon:w4735loqb8F5I:275:15:James."Tiger" Gordon:/usr/email/users/jgordon:/bin/csh
lpeery:YIJkAzKSxkz4M:276:15:Larry Peery:/usr/email/users/lpeery:/bin/csh
nsymes:lSzkVgKhuOWRM:277:15:Nancy Symes:/usr/email/users/nsymes:/bin/csh
<<END>>
  
     Now the actual file is much longer than this but you can get a basic 
idea. If you want to dowload this file for further observation you can get it
at http://www.chez.com/davidcb/unshd.zip

<<Example of a shadowed password file>>
root:RqX6dqOZsf4BI:0:1:System PRIVILEGED Account,,,:/:/bin/csh
field:*:0:1:Field Service PRIVILEGED Account:/usr/field:/bin/csh
operator:*:0:28:Operator PRIVILEGED Account:/opr:/opr/opser
ris:*:11:11:Remote Installation Services Account:/usr/adm/ris:/bin/sh
daemon:*:1:1:Mr Background:/:
sys:*:2:3:Mr Kernel:/usr/sys:
bin:*:3:4:Mr Binary:/bin:
uucp:*:4:1:UNIX-to-UNIX Copy:/usr/spool/uucppublic:/usr/lib/uucp/uucico
uucpa:*:4:1:uucp adminstrative account:/usr/lib/uucp:
sso:*:6:7:System Security Officer:/etc/security:
news:*:8:8:USENET News System:/usr/spool/netnews:
sccs:*:9:10:Source Code Control:/:
ingres:*:267:74:ULTRIX/SQL Administrator:/usr/kits/sql:/bin/csh
rlembke:*:273:15:Roger Lembke,,,:/usr/email/users/rlembke:/bin/csh
rhuston:*:274:15:Robert Huston,st 304c,386,:/usr/email/users/rhuston:/bin/csh
jgordon:*:15:James."Tiger" Gordon:/usr/email/users/jgordon:/bin/csh
lpeery:*:276:15:Larry Peery:/usr/email/users/lpeery:/bin/csh
nsymes:*:277:15:Nancy Symes:/usr/email/users/nsymes:/bin/csh
<<END>>

	The actual file is much larger than this. The lines were cut to fit
in this document, and its much longer. If you want to download this file for
further observation you can get it at http://www.chez.com/davidcb/shdod.zip


5.) What to do to crack the file if it is unshadowed.


	If you are shure that the file is unshadowed you can attempt to crack
it. To crack it you need to get a cracker program. I suggest either John the
ripper or Cracker Jack. I personaly use john the ripper. It can be downloaded
from http://www.chez.com/davidcb/ucfjohn1.zip

A.) Create a wordlist of random passwords, but if you want a good one 
premade you can download the whole passcrack lesson 1 zip from Hackers Club
at http://www.hackersclub.com/km/newbies/lesson1/lesson1.zip  this zip file
contains: PUFFS.DIC wich is a word dictonary for Jhon the ripper or Cracker
Jack. CJACK.FAQ is a Cracker Jack FAQ by kM. HACKME.TXT is an example password
file. INFO.TXT is a lesson on cracking by kM.

B.) Start your cracking program.

     BA.) When using John the ripper
              john -w:puffs.dic <Password File>
     
     BB.) When using Cracker Jack
              jack (Enter)
              When prompted for password file:  (Password File)
              When prompted for wordlist file: PUFFS.DIC  (Or custoume file)     
           Writes whats it cracks to JACK.POT

c.) The tuffest step of all WAIT!

       With any luck you will get a password. If you are cracking a huge 
provider with an unshadowed PW file chances are you get a few. 

 <A problem with PUFFS.DIC>
       Alot of people use all numbers for a password. PUFFS.DIC does not have
    many numbers so i made a program to generate all six diget numbers to a file.
    Get it at http://www.chez.com/davidcb/ldmake.zip

6.) Where to find the actual password files if a PW file is shadowed.

     Like i said most of the time the password files are in the ETC directory.
 But you can find shadowed passwords in these directories according to the 
system.

Version               Path                            Token
-----------------------------------------------------------------
AIX 3                 /etc/security/passwd            !
          or             /tcb/auth/files//
A/UX 3.0s             /tcb/files/auth/?/*
BSD4.3-Reno           /etc/master.passwd              *
ConvexOS 10           /etc/shadpw                     *
ConvexOS 11           /etc/shadow                     *
DG/UX                 /etc/tcb/aa/user/               *
EP/IX                 /etc/shadow                     x
HP-UX                 /.secure/etc/passwd             *
IRIX 5                /etc/shadow                     x
Linux 1.1             /etc/shadow                     *
OSF/1                 /etc/passwd[.dir|.pag]          *
SCO Unix #.2.x        /tcb/auth/files//
SunOS4.1+c2           /etc/security/passwd.adjunct    ##username
SunOS 5.0             /etc/shadow

System V Release 4.0  /etc/shadow                     x
System V Release 4.2  /etc/security/* database
Ultrix 4              /etc/auth[.dir|.pag]            *
UNICOS                /etc/udb                        *

7.) You have the password, so what do you do now?

     When i crack passwords this way i dont take advantage of the administrators
misteak. In all cases i tell the administrator he has problems in his security
and that i was able to crack some there passwords. The administrator will be 
extatic that a hacker is helping him out. Infact an account i hacked localy 
actualy gave me a whole year of free service for notifying him of his problems.
 
     So remeber dont do anything illegal, unless you want a 300 pound boyfriend
named Bubba. People will like you more if you help them, not destroy them.

                                       Have fun!
                                        Lord Devious  --====================987654321_0==_
Content-Type: text/plain; charset="us-ascii"

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH