UNIX is the most common operating system on the Internet today. This makes it essential for even Mac hackers to know (or at least be able to bluff) their way through UNIX. You do not need to be a UNIX wizard to hack a UNIX system, but a little knowledge is required. This text covers the basics you need to get onto a UNIX system, copy its "passwd" file, and do something useful with the file once you have it.
SECTION 1. UNIX SYSTEMS HACKING
*************************************
1. A common UNIX login screen looks something like this:
UNIX System V Release 4.0 (Genesis)
login:
Other UNIX flavors you will run into include AIX, BSD, System V, SunOS and Ultrix. Always try to figure out what kind of machine you are hacking from the banner; where the passwd file lives and how it is protected depends on it, and you will need to know later on.
2. Hopefully, you already have a nice, juicy account on the server. If so, skip down to step 3. If not, keep reading...
You can first try default accounts that the sysadmin may not have deleted or changed. Some of these were shipped with no password at all, so you may not be prompted for one. If you do get the password prompt, enter the login name as the password as well.
(Look in Appendix B for a list of default UNIX account names to try.)
3. Once you have an account, you can try to grab the passwd file. The file may be protected in several different ways, but hey, you're a hacker and you are ready to try.
The easiest and most common thing to try is simply to type this at the prompt:
(prompt)> cat /etc/passwd
NOTE: (prompt)> represents the account prompt. It will be different on your machine. Remember, don't type the prompt as part of the command.
NOTE 2: "cat" is short for concatenate. It prints files to standard output, which is all you need here.
If you get a listing that looks something like this:
...then you will need to try something else. The machine keeps the real password hashes somewhere other than /etc/passwd (an NIS map, an AIX-style security directory, or a shadow file), so what cat showed you has nothing to crack. Keep on reading.
yp - Yellow Pages/NIS
Some UNIX machines use a newer system called Yellow Pages or yp. NIS is the current name for the old yp and stands for Network Information Service. If the system you are attempting to hack is an NIS client you will have a short passwd file that contains a line something like this:
+::0:0:::
The "+" line tells the system to pull the rest of the accounts from the NIS server. Type the following (remember, your prompt will be different) to dump the real passwd map, which is readable by any client of the server:
(prompt)> ypcat passwd
AIX
If the computer is an AIX system, the password hashes are kept somewhere else. At the prompt type:
cat /etc/security/passwd
Hopefully, this will display the password file. Be warned that on AIX this file is normally readable only by root, so from an ordinary account you will usually get "Permission denied". If it works, save the output and proceed to Section 2.
Other Problems
Sometimes the above hacks just don't work. Most often it is because your account does not have permission to read the file that actually holds the hashes. In these cases you can try exploiting some REALLY dumb user.
1. Log into the server using whatever account you have and (at your prompt) type:
(prompt)> cd ..
(prompt)> ls
(That's LS)
This moves you up one directory, usually into the directory that holds all the home directories (/usr/users in the example below), so the listing shows you the other account names:
auys84 hgree lynn5 opera
benton hnor mitchb phung
diane jimf mouthe uunde
dike jimz narc2 vestis
gyof kims nordic weasel
These are all accounts on the UNIX machine you are on. Print the list out and log off. Then try to log on using each account name as both the login and the password. For example...
Ultrix v4.3
login:auys84 (Let's try the first one on the list: auys84)
Password:auys84 (Same as login name. It WILL NOT be shown as you type it)
Login incorrect (Not a dumb user...Let's try the next one)
login:benton
Password:benton (Again, the password would not be shown)
Last login: Tues Mar 17 5:39:02 from remote server
Sun Microsystems Inc. SunOS 5.4 Generic July 1994
You have new mail.
Fri Mar 21 6:21:45 CST 1997
/usr/users/benton
bob{benton}/usr/users/benton%
This is caused by a REALLY stupid user: the password is the same as the login name. Hopefully, you can now access the password file and go to Section 2. If the new account has no more privileges than the one you already have, try trading it in the IRC channel #hack or #2600.
SECTION 2. CRACKING THE "PASSWD" FILE
*************************************
The whole object of hacking a UNIX system is to get an account with which you can do whatever you want. This requires stealing the "passwd" file. "passwd" is the name of the file in which user account information is stored. Each line of the file describes one account and holds seven colon-separated fields: USERNAME, PASSWORD, USER NUMBER (uid), GROUP NUMBER (gid), GECOS INFO (full name and such), HOME DIRECTORY, and SHELL.
One account in a password file might look like this...
Most of this should be fairly obvious, except maybe the Password. This IS NOT the password! This is VERY important. It is a one-way hash of the password, produced by the crypt(3) routine, not something you can decrypt. When a new user is created on a UNIX system, they supply a password for their account, which is then run through crypt(3) with a random two-character "salt" (the salt ends up as the first two characters of the result) and stored in the passwd file. When the user signs on, they type their password, the host runs it through crypt(3) with the same salt, and compares the result to the stored hash. If they match, the user is allowed to sign on. The file is world-readable because lots of programs need the username/uid mapping in it, so any user can look at the hashes, but nobody can turn a hash back into the password. (BTW, the crypt(3) algorithm, which is built on DES, has been public for years, and that is exactly what makes the next tricks possible: you cannot run it backwards, but you can run guesses forwards through it.)
"It's encrypted so cracking it is impossible, right?" Wrong. You can use a UNIX passwd cracker. Many are out there so find one that works for you. (I prefer MacCrac which is available from my www site. http://www.yatho.com/weasel/ )
First the passwd cracker takes the hash from an account entry in the passwd file and uses it as the reference for that account, reading the salt off the front of it. Whatever account the hash was pulled from is the one the cracker will attempt to crack.
Then the passwd cracker proceeds to "guess" the password. This means a single word is pulled from a Dictionary (see Appendix A), run through crypt(3) with the target account's salt, and compared with the reference hash. Because of the salt, the Dictionary cannot simply be hashed once and reused: the same word hashes differently under each of the 4096 possible salts, so the words are hashed again for every distinct salt. Good crackers also try the obvious things first, such as the login name itself (the Section 1 trick).
If the hashed word matches the reference hash, the password is that word; the cracker logs it and moves on to the next account.
If the two don't match, the cracker takes another word from the Dictionary and goes through the guessing process again. If it goes through the whole Dictionary without finding a match it gives up on that account and moves on to the next.
A fast computer can go through a huge password file overnight and come up with a few logins. These logins are almost always real words found in an English dictionary, names, or the login name itself. This should be a lesson to NEVER USE A REAL WORD AS A PASSWORD!
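Here is the whole thing in code, as an added example (it is not from this guide and is not any particular cracker): a small Python script that parses passwd entries into the seven fields from Section 2, sorts NIS "+" entries, empty passwords and shadowed entries out from real hashes, and then runs the Section 1 trick (login name as password) followed by the Appendix A word list against each hash, using each target's own salt. The passwd lines, salts, plaintexts and word list are constructed for the example. It uses the platform crypt(3) through Python's crypt module when that module exists and DES salts work; otherwise it swaps in a clearly labelled stand-in hash of the same shape, which is NOT the UNIX algorithm but lets the cracking loop run anywhere.

```python
import hashlib
import warnings

# Added example; not code from the original text or its author. The passwd lines,
# salts, plaintexts and word list below are all constructed so this runs offline.

# Password-field values meaning "the hash is not in this file" (shadowed/locked).
SHADOW_MARKERS = {"x", "*", "!", "!!", "NP", "*NP*", "*LK*"}


def parse_passwd(text):
    """Split passwd lines into the seven colon-separated fields from Section 2."""
    keys = ("name", "pw", "uid", "gid", "gecos", "home", "shell")
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue                      # not a passwd entry; skip it
        entries.append(dict(zip(keys, fields)))
    return entries


def classify(entry):
    """Say what the password field holds. Only "hash" entries can be cracked."""
    name, pw = entry["name"], entry["pw"]
    if name.startswith(("+", "-")):
        return "nis"        # compat entry: the real records come from ypcat passwd
    if pw == "":
        return "empty"      # no password at all
    if pw in SHADOW_MARKERS or pw[0] in "*!":
        return "shadowed"   # hash lives elsewhere, or the account is locked
    return "hash"


def pick_hasher():
    """Prefer the platform crypt(3) (Python's crypt module, removed in 3.13) when
    a traditional two-character DES salt works. Otherwise return a stand-in with
    the same shape (salt prefix + digest). The stand-in is NOT the UNIX algorithm;
    the second return value says which one is in use."""
    try:
        with warnings.catch_warnings():
            warnings.simplefilter("ignore", DeprecationWarning)
            import crypt
        probe = crypt.crypt("probe", "ab")
        if isinstance(probe, str) and probe.startswith("ab") and len(probe) == 13:
            return crypt.crypt, "crypt(3)"
    except Exception:
        pass

    def toy_crypt(word, salt):            # stand-in only, labelled as such
        digest = hashlib.sha256((salt[:2] + word).encode()).hexdigest()
        return salt[:2] + digest[:11]
    return toy_crypt, "stand-in"


def salt_of(hashed):
    """Traditional crypt: the first two characters of the hash.
    Modular ($id$salt$hash) forms: everything before the final '$'."""
    return hashed.rsplit("$", 1)[0] if hashed.startswith("$") else hashed[:2]


def crack(entries, wordlist, hasher):
    """Dictionary attack from Section 2 with the Section 1 trick first: guess the
    login name itself, then every word in the list. Each guess is hashed with the
    target's own salt, which is why a pre-hashed dictionary cannot be reused."""
    cracked = {}
    for e in entries:
        if classify(e) != "hash":
            continue
        target = e["pw"]
        salt = salt_of(target)
        for guess in [e["name"], *wordlist]:
            if hasher(guess, salt) == target:
                cracked[e["name"]] = guess
                break
    return cracked


def demo():
    """Build a constructed passwd file (names from the Section 1 ls listing) and
    run the cracker over it. Returns the hasher in use, each entry's kind, and
    the cracked passwords."""
    hasher, kind = pick_hasher()
    lines = [
        "root:*:0:0:Super-User:/:/bin/sh",                              # locked
        "+::0:0:::",                                                     # NIS compat
        "auys84::1001:100:Sample User:/usr/users/auys84:/bin/csh",      # no password
    ]
    # constructed plaintexts: a "dumb user", a dictionary word, and a strong one
    secrets = {"benton": ("benton", "Xy"), "diane": ("aardvark", "k9"),
               "mitchb": ("Zq7!vLp2", "Q3")}
    for uid, (name, (plain, salt)) in enumerate(secrets.items(), start=1002):
        lines.append(f"{name}:{hasher(plain, salt)}:{uid}:100:{name}:"
                     f"/usr/users/{name}:/bin/csh")
    wordlist = ["A", "a", "aa", "aal", "aalii", "aam", "Aani", "aardvark", "aardwolf"]
    entries = parse_passwd("\n".join(lines))
    return {"hasher": kind,
            "kinds": {e["name"]: classify(e) for e in entries},
            "cracked": crack(entries, wordlist, hasher)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Run it with python3 and it prints which hasher was used, the kind of every entry (root shows as shadowed, the "+" line as nis, auys84 as empty) and the two accounts it recovers: benton (login name as password) and diane (a word from the Appendix A list); mitchb survives because its password is in no dictionary. To point it at something real, feed parse_passwd the text of a copied /etc/passwd or the output of ypcat passwd and pass the same hasher to crack.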
Well, that about wraps it up! This is meant as a beginners guide and should NOT be used as an excuse not to learn UNIX. I would recommend first trying out an easy target (libraries are great, just don't mess anything up) before graduating to harder things. I know I didn't cover everything like Password Shadowing, but that gets a bit complicated and I didn't want to confuse anyone. If I missed anything please write me.
The Weasel
weasel@yatho.com
http://www.yatho.com/weasel/welcome.html
Appendix A
DICTIONARY FILES OR WORD LISTS
******************************
A Dictionary or Word List is what a "passwd" cracker draws its guesses from: each word is hashed with the target's salt and compared with the stored hash. A list of words from a fairly standard Dictionary file would look something like this:
A
a
aa
aal
aalii
aam
Aani
aardvark
aardwolf
Dictionaries that have most English words tend to be about 3 MB or more. Now this may seem like a lot, but there are Dictionaries with not only English words, but foreign words, slang words, dog names, people's names, etc. These can be a gigabyte or more! Remember, the larger the dictionary, the longer it takes your cracker to go through all the words, and since every word has to be hashed again for each distinct salt, the time grows with the number of accounts as well.
Appendix B
UNIX DEFAULT PASSWORDS
**********************
(Taken from various sources. These are login names; try each one as both the login and the password, as described in Section 1.)
root
adm
bin
sys
sync
nobody
setup
ingres
guest
user
help
unix
admin
pub
batch
network
sysinfo
sysbin
sysadm
shutdown
makefsys
mountfsys
unmountfsys
checkfsys
lp
dptp
daemon
trouble
nuucp
uucp
student
field
visitor
uuhelp
cron
who
rje
tty
somebody
powerdown
general
gsa
games
public
test
standard
demo
listen
usenet
console
root2
ncrm
startup
new
(Let me know if there are any others I don't know about)
Appendix C
THANKS AND CREDITS
******************
I would like to thank all the people who wrote the 2600 FAQ and first introduced me to UNIX hacking.
I would like to thank Apple Computer for making the world's only "Insanely Great" Computer.
I would like to thank all the people who contributed to this guide (who shall, as always, remain nameless for obvious reasons)
And last, but not least, I want to thank Q101 radio for playing great songs while I wrote this. And thanks to Brook Hunter, my favorite DJ, who always plays the best songs.