Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!

TUCoPS :: Password Security :: unixpw.txt

Cracking that passwd file!

    Author(s):  Krypto                                                     
      Subject:  Cracking that "Passwd" File                                
       R  E  A  L  I  T  Y     C  H  E  C  K     N  E  T  W  O  R  K!       
      I'm not an amazing "3l33t3" hacker, but I have picked up some things  
  over the course of my scene life.                                         
      At times, many of us are without Internet shell account, therefore    
  inhibiting our ablility to spread the warez.  Many of us seek to remedy   
  this by cracking Internet shell accounts and doing as we please with      
  them, mainly spreading.  Here, I'll show you the basic process in         
  cracking UNIX accounts so that you can better your efforts in spreading   
  them warez.                                                               
      Most Internet shells are UNIX based and therefore store the password  
  to all the users in a file called the "passwd" file.  This is usually     
  located at /etc/passwd.  The basic structure of the passwd file contains  
  lines looking like this:                                                  
      bgates:VKa0XuF8KB4sc:5604:12:William Gates:/home/bgates:/bin/bash     
      Essentially, the line is broken down into these parts:                
  Username: bgates                                                          
  Encrypted Password: VKa0XuF8KB4sc                                         
  User number: 5604                                                         
  Group Number: 12                                                          
  Real Name (usually): William Gates                                        
  Home Directory: /home/bgates                                              
  Type of Shell: /bin/bash                                                  
      Your main concern is to crack each encrypted password for every       
  user.  Because the encryption function is only unidirectional, you        
  cannot decrypt the encrypted password.  You must run a cracking program   
  which encrypts words then compares the encrypted word with the password.  
  If they match you now have cracked the password.                          
      Because cracking relies on words that are encrypted, you MUST have a  
  wordlist.  For beginners, a basic wordlist can be found as a dictionary   
  file supplied as a part of UNIX.  The more the comprehensive the          
  wordlist is, the better your chances of successfully cracking passwords.  
  Next, you'll need a passwd cracker, which comes under numerous versions   
  depending on your operating system.  Currently the best are:              
  Software            Operating System                                      
  CrackerJack v1.4    DOS                                                   
  Crack               UNIX                                                  
      Run the "cracking" program and feed your wordlist and passwd file     
  into the program.  And watch as it "cracks" the passwords.                
      Sometimes you'll discover that the passwd file is incomplete or       
  looks something like this:                                                
      bgates:*:5604:12:William Gates:/home/bgates:/bin/bash                 
      The * is called the token and means that the passwd file has been     
  shadowed.  Password shadowing is a security system where the encrypted    
  password field of /etc/passwd is replaced with a special token and the    
  encrypted password is stored in a separate file which is not readable by  
  normal system users.                                                      
      In order to defeat this, you'll need to write a C program and         
  compile it similar to this:                                               
      Cut out the program at the bottom and save as "shadow.c"              
      Run "gcc shadow.c -o shadow" or "cc shadow.c -o shadow"               
      Run "./shadowpw >> password"                                          
      "password" should be your deshadowed password list.                   
      If you have any problems, or need any help whatsoever... DO NOT       
  CONTACT ME!                                                               
  Sample Unshadow Program                                                   
   struct  SHADOWPW {     /* see getpwent(3) */                             
     char *pw_name;                                                         
     char *pw_passwd;                                                       
     int  pw_uid;                                                           
     int  pw_gid;                                                           
     int  pw_quota;                                                         
     char *pw_comment;                                                      
     char *pw_gecos;                                                        
     char *pw_dir;                                                          
     char *pw_shell;                                                        
   struct passwd *getpwent(), *getpwuid(), *getpwnam();                     
   #ifdef   elxsis?                                                         
   /* Name of the shadow password file. Contains password and aging info *  
   #define  SHADOWPW "/etc/shadowpw"                                        
   #define  SHADOWPW_PAG "/etc/shadowpw.pag"                                
   #define  SHADOWPW_DIR "/etc/shadowpw.dir"                                
    *  Shadow password file pwd->pw_gecos field contains:                   
    *  <type>,<period>,<last_time>,<old_time>,<old_password>                
    *  <type>  = Type of password criteria to enforce (type int).           
    *  BSD_CRIT (0), normal BSD.                                            
    *  STR_CRIT (1), strong passwords.                                      
    *  <period>  = Password aging period (type long).                       
    *  0, no aging.                                                         
    *  else, number of seconds in aging period.                             
    *  <last_time>	 = Time (seconds from epoch) of the last password        
    *  change (type long).                                                  
    *  0, never changed.n                                                   
    *  <old_time>  = Time (seconds from epoch) that the current password    
    *  was made the <old_password> (type long).                             
    *  0, never changed.ewromsinm                                           
    *  <old_password> = Password (encrypted) saved for an aging <period> t  
    *  prevent reuse during that period (type char [20]).                   
    *  "*******", no <old_password>.                                        
   /* number of tries to change an aged password */                         
   #define  CHANGE_TRIES 3                                                  
   /* program to execute to change passwords */                             
   #define  PASSWD_PROG "/bin/passwd"                                       
   /* Name of the password aging exempt user names and max number of entir  
   #define  EXEMPTPW "/etc/exemptpw"                                        
   #define MAX_EXEMPT 100                                                   
   /* Password criteria to enforce */                                       
   #define BSD_CRIT 0 /* Normal BSD password criteria */                    
   #define STR_CRIT 1  /* Strong password criteria */                       
   #define MAX_CRIT 1                                                       
   #endif   elxsi                                                           
   #define NULL 0                                                           
   struct passwd *p;                                                        
   int i;                                                                   
   for (;1;) {;                                                             
     if (p==NULL) return;                                                   
   struct SHADOWPW *a;                                                      
   /* SunOS 5.0  /etc/shadow */                                             
   /* SunOS4.1+c2     /etc/security/passwd.adjunct */                       
      The passwd file is located in the following pathes for each system.   
  To determine your UNIX system type, enter the following during the UNIX   
      uname -a                                                              
  UNIX Paths (Courtesy of 2600)                                             
  UNIX                  Path                            Token               
  AIX 3                 /etc/security/passwd            !                   
         or             /tcb/auth/files/<first letter   #                   
                              of username>/<username>                       
  A/UX 3.0s             /tcb/files/auth/?/*                                 
  BSD4.3-Reno           /etc/master.passwd              *                   
  ConvexOS 10           /etc/shadpw                     *                   
  ConvexOS 11           /etc/shadow                     *                   
  DG/UX                 /etc/tcb/aa/user/               *                   
  EP/IX                 /etc/shadow                     x                   
  HP-UX                 /.secure/etc/passwd             *                   
  IRIX 5                /etc/shadow                     x                   
  Linux 1.1             /etc/shadow                     *                   
  OSF/1                 /etc/passwd[.dir|.pag]          *                   
  SCO Unix #.2.x        /tcb/auth/files/<first letter   *                   
                               of username>/<username>                      
  SunOS4.1+c2           /etc/security/passwd.adjunct    ##username          
  SunOS 5.0             /etc/shadow                                         
                        <optional NIS+ private secure maps/tables/whatever  
  System V Release 4.0  /etc/shadow                     x                   
  System V Release 4.2  /etc/security/* database                            
  Ultrix 4              /etc/auth[.dir|.pag]            *                   
  UNICOS                /etc/udb                        *                   
      Well secure systems with shadowed passwords will cause a              
  segmentation fault once you've run that sample program.  Remember, don't  
  come bugging me on IRC if your little hacking escapade doesn't turn out   
  like you wanted it to.  Well, that's all for now, enjoy your newly        
  hacked UNIX accounts and spread them warez.                               

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2015 AOH