Obtaining and Cracking a UNIX Password File (Part 1)
Introductory Information
If you want to be a REAL hacker, you must understand how the system you are hacking works. Any idiot can follow a few instructions, but it takes a smart person to know exactly what he/she is doing, and on harder systems you will have to know what you are doing. First you must understand how a login process works.
1) Username and password are entered
2) Password file is opened and the proper login is found
3) The entered password is encrypted and checked against the (already encrypted) password in the file.
Let's take a look at a fake example. Here's the system's password file at 'stupid.org':
-------------------------------------------
root:N03xwkfmdY/tX:0:0:Superuser:/root
web:bXnSqjfIUfhds:1:0:WebMaster:/web
ftp:pZa7t920jfoNX:2:0:ftp:/usr/ftp
-------------------------------------------
This is a very basic password file. Every password file has the 'root' account; root basically controls the system. Since this is a website, it needs a webmaster account, and then there is the ftp account which is used for, you guessed it, public ftp. Now let's examine what all that stuff means. The pieces of information are separated by colons (:).
1) The username/login
2) The encrypted form of the password
3) The group number the user is in*
4) The member number of the group the user has*
5) The description of the account
6) The home directory of the user
*I may be wrong about the ordering of 3 + 4. It might be vice-versa.
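Here is a small parser for that colon-separated format, added as an example and not code from the article: it reads the stupid.org lines (plus two constructed accounts) and lists what a sysop reading the file should fix: hashes sitting in the world-readable passwd instead of a shadow file, an empty password field, and any uid 0 account besides root. It assumes the standard passwd(5) order of uid before gid, and accepts both the six-field lines in the article and the seven-field form with a login shell.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the article's three stupid.org lines plus two extra accounts
# (an empty password field and a second uid-0 account) to exercise the checks.
SAMPLE_PASSWD = """\
root:N03xwkfmdY/tX:0:0:Superuser:/root
web:bXnSqjfIUfhds:1:0:WebMaster:/web
ftp:pZa7t920jfoNX:2:0:ftp:/usr/ftp
guest::3:3:Guest account:/home/guest:/bin/sh
backup:x:0:0:Nightly backups:/var/backup:/bin/sh
"""

@dataclass
class PasswdEntry:
    name: str
    hash: str       # encrypted password, or a placeholder if shadowed
    uid: int        # assumed standard order: uid before gid
    gid: int
    gecos: str      # the account description
    home: str
    shell: Optional[str] = None   # only present in seven-field lines

def parse_passwd(text: str) -> List[PasswdEntry]:
    """Split each colon-separated line into fields; accept 6 or 7 of them."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        f = line.split(":")
        if len(f) not in (6, 7):
            raise ValueError(f"line {lineno}: expected 6 or 7 fields, got {len(f)}")
        shell = f[6] if len(f) == 7 else None
        entries.append(PasswdEntry(f[0], f[1], int(f[2]), int(f[3]), f[4], f[5], shell))
    return entries

def is_shadowed(entry: PasswdEntry) -> bool:
    """True when the hash field is only a placeholder ('x', '*', '!'): the real hash lives elsewhere."""
    return entry.hash != "" and all(c in "x*!" for c in entry.hash)

def audit(entries: List[PasswdEntry]) -> List[str]:
    """Findings a sysop should fix; an empty list means nothing was flagged."""
    findings = []
    for e in entries:
        if e.hash == "":
            findings.append(f"{e.name}: empty password field, logs in with no password")
        elif not is_shadowed(e):
            findings.append(f"{e.name}: hash exposed in world-readable passwd (not shadowed)")
        if e.uid == 0 and e.name != "root":
            findings.append(f"{e.name}: uid 0 account besides root")
    return findings
```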
Now say 'Mr.Hacker' connects to stupid.org and logs
in as root. He then enters the password 'toor' (root backwards). The password
file is opened and the account 'root' is found. Then the password Mr.Hacker
entered is encrypted and compared to the encrypted password in the password
file. Since the admin of this system can't remember a complex password,
he thought he could fool a hacker by choosing his password by reversing
his login name. Well, now Mr.Hacker has control of the system. This time
the hacker got root as a lucky guess, but no sysop would really make a
password that easy to guess. It's almost always a combination of lowercase
and uppercase letters (UNIX is case-sensitive), numbers, and sometimes
even unusual ASCII characters.
Note: Linux, FreeBSD, RedHat, Slackware, etc. - these are all variations of UNIX.
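The login steps above and the 'toor' story, as an added example that is not from the article: it swaps in PBKDF2-SHA256 for the crypt(3) DES hash the sample file uses, since the principle is identical (the stored value is never decrypted; the candidate is re-hashed with the stored salt and compared), and it adds a set-time policy check, which goes beyond the article, that would have refused the admin's reversed-login password. The function names, the fixed salt and the iteration count are my own choices.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 100_000  # work factor per guess; chosen for this demo

def make_record(password: str, salt: Optional[bytes] = None) -> str:
    """Build the stored value base64(salt)$base64(hash). The cleartext is only seen here."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return base64.b64encode(salt).decode() + "$" + base64.b64encode(digest).decode()

def verify(record: str, candidate: str) -> bool:
    """Step 3 of the login: re-hash the candidate with the stored salt and compare.
    Nothing is decrypted; the hash is one-way, and UNIX is case-sensitive."""
    salt_b64, digest_b64 = record.split("$", 1)
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    got = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, ITERATIONS)
    return hmac.compare_digest(got, expected)  # constant-time comparison

def password_is_acceptable(login: str, password: str) -> bool:
    """Policy check at password-set time (my addition, not in the article):
    refuse the login name, its reverse ('toor' for 'root') and anything under 8 characters."""
    if len(password) < 8:
        return False
    login_l = login.lower()
    return password.lower() not in (login_l, login_l[::-1])

# Constructed record for the stupid.org admin's choice, with a fixed salt so it is reproducible.
RECORD_TOOR = make_record("toor", salt=b"fixed-demo-salt!")
```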
Obtaining the Password File
We'll come back to the login process later, but now
you need to know how to get the coveted password file. You have two very
easy methods that will work on very low-security systems - usually .org
(non-profit organization) or .jp (Japanese) sites.
FTP Method
The first method requires a little carelessness on the sysop's part. Run 'ftp.exe' (if you're using Win95). Type 'open' and then the address of the site you want to hack. Log in as 'anonymous'. If this is allowed then either it's a public FTP or the sysop is very careless. Now type 'get /etc/passwd'. If that works, don't get too excited yet. Ctrl+Break out of FTP, then type 'type passwd' in your Windows folder. If you see little *'s where the encrypted password should be, that's called shadowing the password file. Nothing can interpret the *'s, so that means there is another, real, password file hidden somewhere. First try 'get /etc/shadow' and 'get /etc/shadowed'.
PHF Exploit
If that doesn't work, it's time to move on to the PHF exploit. PHF is a program that usually comes pre-installed on every UNIX machine. It allows you to download ANY file from the server, including the password file. Unfortunately, this flaw is already fixed on at least 95% of all Internet servers. But, if you are trying to hack a .org site (the ones without donations through credit card via the Web, that is) (or a .jp site, or so I'm told) you have a pretty good chance of the PHF exploit working. All you have to do is open your web browser and enter the following address, replacing webpage_goes_here with the site you're trying to hack.
http://webpage_goes_here/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd
WARNING: IF YOU TRY THIS ON SOME SERVERS, YOU CAN GO TO JAIL
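The sysop's side of that request, as an added example that is not part of the article: a small scanner over constructed Common Log Format lines that flags any hit on the long-retired phf CGI, a percent-encoded newline in the query string, or a password-file path in the request, and records whether the server actually answered with a 2xx. The log lines and the classify/scan_log names are my own.

```python
import re
from urllib.parse import unquote

# Constructed Common Log Format lines; the phf request is the one quoted in the article.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Feb/1998:12:00:01 +0000] "GET /index.html HTTP/1.0" 200 1043
10.0.0.7 - - [01/Feb/1998:12:00:09 +0000] "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 200 812
10.0.0.9 - - [01/Feb/1998:12:01:15 +0000] "GET /cgi-bin/phf?Qname=Smith HTTP/1.0" 404 231
10.0.0.7 - - [01/Feb/1998:12:02:30 +0000] "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/shadow HTTP/1.0" 200 640
"""

# client, ident, user, [timestamp], "METHOD path PROTO", status, size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')

def classify(line: str):
    """Return a finding dict for a suspicious request, or None for a clean or unparsable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    decoded = unquote(path)          # %0a becomes a real newline, %20 a space
    reasons = []
    if path.lower().startswith("/cgi-bin/phf"):
        reasons.append("request to /cgi-bin/phf (retired CGI)")
    if "\n" in decoded or "\r" in decoded:
        reasons.append("newline injected into query string")
    if "/etc/passwd" in decoded or "/etc/shadow" in decoded:
        reasons.append("password file path in request")
    if not reasons:
        return None
    return {"ip": ip, "time": ts, "method": method, "status": int(status),
            "served": status.startswith("2"), "reasons": reasons}

def scan_log(text: str):
    """All findings in the log, in file order."""
    return [hit for hit in (classify(l) for l in text.splitlines()) if hit]
```

A 2xx on a flagged line means the CGI actually ran and the file was handed out; a 404 means the program is gone but someone is still probing for it.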
Portscan Method
Neither of these methods worked? The third method requires a good deal of creativity. First download a decent util called Haktek. It contains an excellent port scanner as well as a bunch of lamer tools. Install and run Haktek. Change the target to the desired address. Now run a port scan. Haktek will appear to lock up, but just wait; it will finish eventually. If you're really serious about hacking this particular site, do a scan on 0-9999 instead of 0-1000. Telnet to every single one of these ports. Windows Telnet will do the job. This is where your creativity comes in. I can't help you now. A very good thing to do is obtain an account with the site you're trying to hack (this is why hacking your college is so popular). Search for exploits at Rootshell. You're pretty much on your own now since I have no experience using C-code exploits. These exploits will only work if you have Linux installed on your computer or you have a shell account with compiler access. That's all on obtaining the file for now.
Cracking the Password File
Cracking a password is the longest, most boring part of hacking. Believe me, wordlists/dictionary files are totally useless, unless you can find a program that generates a 2 gig+ dictionary file. No one makes their password a word in any language anymore. For cracking the password, you'll need the best UNIX password cracker around: John the Ripper. Get the DOS version (unless of course you have Linux). I have experienced some crashes with the Win32 one. Here's what a password cracker does: it simulates a normal UNIX login by taking passwords from a word list (don't use them) or by incrementally trying combinations of ASCII characters, encrypting them, and comparing them to the encrypted password in the password file. There is NO WAY to decrypt a UNIX password, since decryption is never used during the login process. For a more detailed explanation, ÅçìÐMêì§TéR has a great doc on it at his site. Enough about how everything works; you need to know how to use John the Ripper. Copy the password file you have into the directory you installed John the Ripper in. Now type 'john -incremental:all passwd', where passwd is the filename of your password file. At any time you can hit Ctrl+Break: this will stop the attempts and save its exact status in a file named 'restore'. To start where you left off, type 'john -restore'. This can take 24hrs on a Pentium for ONE 8-character password. It's a good idea to take one password line from your file and copy it into another file and crack only that account. Leave your computer on 'john -restore' any time you can. At night, while you're at work - whenever. Eventually, the password will be cracked and the results written to a file called 'john.pot'.
That's about it for this issue. I intend to work on a C article as well as the second part of this article for the next magazine. Good luck, and be careful!
Bibliography: Text files that can be found at Active Matrix's Hideaway and Neworder
Thanks: Carolyn Meinel for the GTMHH. The Mentor for inspiration, ethics, and text files. SectorX (aka Ido Lion) for teaching me so much.