IWS - The Information Warfare Site
News Watch Make a  donation to IWS - The Information Warfare Site Use it for navigation in case java scripts are disabled


Obtaining and Cracking a UNIX Password File (Part 1)

By Ice Dragon

Introductory Information

If you want to be a REAL hacker, you must understand how the system you are hacking works. Any idiot can follow a few instructions, but it takes a smart person to know what exactly he/she is doing, and you will have to know what you are doing in harder systems. First you must understand how a login process works.

1) Username and password are entered
2) Password file is opened and proper login is found

3) Entered password is encrypted and checked against the (already encrypted) password in the file.

Let's take a look at a fake example. Here's the system's password file at 'stupid.org':

 -------------------------------------------
root:N03xwkfmdY/tX:0:0:Superuser:/root

web:bXnSqjfIUfhds:1:0:WebMaster:/web

ftp:pZa7t920jfoNX:2:0:ftp:/usr/ftp

-------------------------------------------

 This is a very basic password file. Every password file has the 'root' account. Root basically controls the system. Since this is a website, it needs a webmaster account, and then there is the ftp account which is used for, you guessed it, public ftp. Now let's examine what all that stuff means. All pieces of information are separated by colons (:).

 1) The username/login
2) The encrypted form of the password

3) The group number the user is in*

4) The member number of the group the user has*

5) The description of the account

6) The home directory of the user

*I may be wrong about the ordering of 3 + 4. It might be vice-versa.
Now say 'Mr.Hacker' connects to stupid.org and logs in as root. He then enters the password 'toor' (root backwards). The password file is opened and the account 'root' is found. Then the password Mr.Hacker entered is encrypted and compared to the encrypted password in the password file. Since the admin of this system can't remember a complex password, he thought he could fool a hacker by choosing his password by reversing his login name. Well, now Mr.Hacker has control of the system. This time the hacker got root as a lucky guess, but no sysop would really make a password that easy to guess. It's almost always a combination of lowercase and uppercase letters (UNIX is case-sensitive), numbers, and sometimes even unusual ASCII characters.
Note: Linux, FreeBSD, RedHat, Slackware, etc. - these are all variations of UNIX.

Obtaining the Password File

We'll come back to the login process later, but now you need to know how to get the coveted password file. You have two very easy methods that will work on very low-security systems - usually .org (non-profit organization) or .jp (Japanese) sites.
FTP Method
The first method requires a little carelessness on the sysop's part. Run 'ftp.exe' (if you're using Win95). Type 'open' and then the address of the site you want to hack. Login as 'anonymous'. If this is allowed then either it's a public FTP or the sysop is very careless. Now type 'get /etc/passwd'. If that works, don't get too excited yet. Ctrl+Break out of FTP then type 'type passwd' in your Windows folder. If you see little *'s where the encrypted password should be, that's called shadowing the password file. Now, nothing can interpret the *'s, so that means there is another, real, password file hidden somewhere. First try 'get /etc/shadow' and 'get /etc/shadowed'.

PHF Exploit
If that doesn't work, it's time to move on to the PHF exploit. PHF is a program that usually comes pre-installed on every UNIX machine. It allows you to download ANY file from the server, including the password file. Unfortunately, this flaw is already fixed on at least 95% of all Internet servers. But, if you are trying to hack a .org site (the ones without donations through credit card via the Web, that is) (or a .jp site, or so I'm told) you have a pretty good chance of the PHF exploit working. All you have to do is open your web browser and enter the following address, replacing webpage_goes_here with the site you're trying to hack.

http://webpage_goes_here/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd

WARNING: IF YOU TRY THIS ON SOME SERVERS, YOU CAN GO TO JAIL

Portscan Method
Neither of these methods worked? The third method requires a good deal of creativity. First download a decent util called Haktek. It contains an excellent port scanner as well as a bunch of lamer tools. Install and run Haktek. Change the target to the desired address. Now run a port scan. Haktek will appear to lock up but just wait, it will finish eventually. If you're really serious about hacking this particular site, do a scan on 0-9999 instead of 0-1000. Telnet to every single one of these ports. Windows Telnet will do the job. This is where your creativity comes in. I can't help you now. A very good thing to do is obtain an account with the site you're trying to hack (this is why hacking your college is so popular). Search for exploits at Rootshell. You're pretty much on your own now since I have no experience using C-code exploits. These exploits will only work if you have Linux installed on your computer or you have a shell account with compiler access. That's all on obtaining the file for now.

Cracking the Password File

Cracking a password is the longest, most boring part of hacking. Believe me, wordlists/dictionary files are totally useless, unless you can find a program that generates a 2 gig+ dictionary file. No one makes their password a word in any language anymore. For cracking the password, you'll need the best UNIX password cracker around: John the Ripper. Get the DOS version (unless of course you have Linux). I have experienced some crashes with the Win32 one. Here's what a password cracker does: it simulates a normal UNIX login by taking passwords from a word list (don't use them) or by incrementally trying combinations of ASCII characters, encrypting them, and comparing it to the encrypted password in the password file. There is NO WAY to unencrypt a UNIX password, since unencryption is never used during the login process. For a more detailed explanation, ÅçìÐMêì§TéR has a great doc on it at his site. Enough about how everything works, you need to know how to use John the Ripper. Copy the password file you have into the directory you installed John the Ripper in. Now type 'john -incremental:all passwd', where passwd is the filename of your password file. At any time you can hit Ctrl+Break: this will stop the attempts and save it's exact status in a file named 'restore'. To start where you left off, type 'john -restore'. This can take 24hrs on a Pentium for ONE 8-character password. It's a good idea to take one password line from your file and copy it into another file and crack only that account. Leave your computer on 'john -restore' any time you can. At night, while you're at work - whenever. Eventually, the password will be cracked and the results written to a file called 'john.pot'. That's about it for this issue. I intend to work on an C article as well as the second part of this article for the next magazine. Good luck, and be careful!
Bibliography: Text files that can be found at Active Matrix's Hideaway and Neworder

Thanks: Carolyn Meinel for the GTMHH.

The Mentor for inspiration, ethics, and text files.

SectorX (aka Ido Lion) for teaching me so much.

 
 
Back To Index