Obtaining and Cracking a UNIX Password File (Part 1)
If you want to be a REAL hacker, you must understand
how the system you are hacking works. Any idiot can follow a few instructions,
but it takes a smart person to know what exactly he/she is doing, and you
will have to know what you are doing in harder systems. First you must understand
how a login process works.
1) Username and password are entered
2) Password file is opened and proper login is found
3) Entered password is encrypted and checked against the (already encrypted)
password in the file.
Let's take a look at a fake example. Here's the
system's password file at 'stupid.org':
This is a very basic password file. Every
password file has the 'root' account. Root basically controls the system.
Since this is a website, it needs a webmaster account, and then there
is the ftp account which is used for, you guessed it, public ftp. Now
let's examine what all that stuff means. All pieces of information are
separated by colons (:).
1) The username/login
2) The encrypted form of the password
3) The group number the user is in*
4) The member number of the group the user has*
5) The description of the account
6) The home directory of the user
*I may be wrong about the ordering of 3 + 4.
It might be vice-versa.
Now say 'Mr.Hacker' connects to stupid.org and logs
in as root. He then enters the password 'toor' (root backwards). The password
file is opened and the account 'root' is found. Then the password Mr.Hacker
entered is encrypted and compared to the encrypted password in the password
file. Since the admin of this system can't remember a complex password,
he thought he could fool a hacker by choosing his password by reversing
his login name. Well, now Mr.Hacker has control of the system. This time
the hacker got root as a lucky guess, but no sysop would really make a password
that easy to guess. It's almost always a combination of lowercase and uppercase
letters (UNIX is case-sensitive), numbers, and sometimes even unusual ASCII
Note: Linux, FreeBSD, RedHat, Slackware, etc.
- these are all variations of UNIX.
Obtaining the Password File
We'll come back to the login process later, but now
you need to know how to get the coveted password file. You have two very
easy methods that will work on very low-security systems - usually .org
(non-profit organization) or .jp (Japanese) sites.
The first method requires a little carelessness on the sysop's part. Run
'ftp.exe' (if you're using Win95). Type 'open' and then the address of the
site you want to hack. Login as 'anonymous'. If this is allowed then either
it's a public FTP or the sysop is very careless. Now type 'get /etc/passwd'.
If that works, don't get too excited yet. Ctrl+Break out of FTP then type
'type passwd' in your Windows folder. If you see little *'s where the encrypted
password should be, that's called shadowing the password file. Now, nothing
can interpret the *'s, so that means there is another, real, password file
hidden somewhere. First try 'get /etc/shadow' and 'get /etc/shadowed'.
If that doesn't work, it's time to move on to the PHF exploit. PHF is a
program that usually comes pre-installed on every UNIX machine. It allows
you to download ANY file from the server, including the password file. Unfortunately,
this flaw is already fixed on at least 95% of all Internet servers. But,
if you are trying to hack a .org site (the ones without donations through
credit card via the Web, that is) (or a .jp site, or so I'm told) you have
a pretty good chance of the PHF exploit working. All you have to do is open
your web browser and enter the following address, replacing webpage_goes_here
with the site you're trying to hack.
WARNING: IF YOU TRY THIS ON SOME SERVERS, YOU CAN GO TO JAIL
Neither of these methods worked? The third method requires a good deal of
creativity. First download a decent util called Haktek.
It contains an excellent port scanner as well as a bunch of lamer tools.
Install and run Haktek. Change the target to the desired address. Now run
a port scan. Haktek will appear to lock up but just wait, it will finish
eventually. If you're really serious about hacking this particular site,
do a scan on 0-9999 instead of 0-1000. Telnet to every single one of these
ports. Windows Telnet will do the job. This is where your creativity comes
in. I can't help you now. A very good thing to do is obtain an account with
the site you're trying to hack (this is why hacking your college is so popular).
Search for exploits at Rootshell.
You're pretty much on your own now since I have no experience using C-code
exploits. These exploits will only work if you have Linux installed on your
computer or you have a shell account with compiler access. That's all on
obtaining the file for now.
Cracking the Password File
Cracking a password is the longest, most boring part
of hacking. Believe me, wordlists/dictionary files are totally useless,
unless you can find a program that generates a 2 gig+ dictionary file. No
one makes their password a word in any language anymore. For cracking the
password, you'll need the best UNIX password cracker around: John
the Ripper. Get the DOS version (unless of course you have Linux). I
have experienced some crashes with the Win32 one. Here's what a password
cracker does: it simulates a normal UNIX login by taking passwords from
a word list (don't use them) or by incrementally trying combinations of
ASCII characters, encrypting them, and comparing it to the encrypted password
in the password file. There is NO WAY to unencrypt a UNIX password, since
unencryption is never used during the login process. For a more detailed
has a great doc on it at his site.
Enough about how everything works, you need to know how to use John the
Ripper. Copy the password file you have into the directory you installed
John the Ripper in. Now type 'john -incremental:all passwd', where passwd
is the filename of your password file. At any time you can hit Ctrl+Break:
this will stop the attempts and save it's exact status in a file named 'restore'.
To start where you left off, type 'john -restore'. This can take 24hrs on
a Pentium for ONE 8-character password. It's a good idea to take one password
line from your file and copy it into another file and crack only that account.
Leave your computer on 'john -restore' any time you can. At night, while
you're at work - whenever. Eventually, the password will be cracked and
the results written to a file called 'john.pot'. That's about it for this
issue. I intend to work on an C article as well as the second part of this
article for the next magazine. Good luck, and be careful!
Bibliography: Text files that can be found at Active
Matrix's Hideaway and Neworder
Thanks: Carolyn Meinel for the GTMHH.
The Mentor for inspiration, ethics, and text files.
SectorX (aka Ido Lion) for teaching
me so much.