Now if you happen to find a passwd fiel that looks something like this: "joetest:*:102 :100::/home/joetest:/usr/bin/re stsh"
which has a user name, not a programs, you have a shadowed passwd. The shadow file has the encrypted passwords on it. Depending on the Operating System, the passwd file may be in different places. To find out what Operating system your target is running from telnet (connected to that server of course) type uname -a and it should say, if you cannot get to telnet there is other methods of finding out. Here is a guide to systems passwd file locations (taken from a text on passwd files by Kryto.) A token is the * (or other symbol) beside a shadowed passwds user name
UNIX Paths (Courtesy of 2600)
UNIX Path Token
----------------------------AIX 3 /etc/security/passwd !
or /tcb/auth/files/first letter #
A/UX 3.0 s /tcb/files/auth/?/ * BSD4.3 -Reno /etc/master.passwd * ConvexOS 10 /etc/shadpw * ConvexOS 11 /etc/shadow * DG/UX /etc/tcb/aa/user/ * EP/IX /etc/shadow x HP-UX /.secure/etc/passwd * IRIX 5 /etc/shadow x Linux 1.1 /etc/shadow * OSF/1 /etc/passwd [.dir|.pag] * SCO Unix #.2 .x /tcb/auth/files/
System V Release 4.0 /etc/shadow x System V Release 4.2 /etc/security/* database
Ultrix 4 /etc/auth[.dir|.pag] *
UNICOS /etc/udb * Anyway once you have the passwd file (with user names) and shadow file you can find a unshadowing program which combines the passwd file and the shadow passwd and combines them into what a regualr passwd file would be. A unshadowing program can be found at http://www.hackersclub.com/k m/downloads/password_crack er/ucfjohn2.zip Now some servers have the shadow file on retrictions so no one without a special account on the server can get to it.
________________________6. Crackers
Now that you have gotten a passwd file, what the hell do you do it it to get passwords from it? Thats where crackers come in.
A cracker takes the passwd file and a wordlist and compares the wordlist to the passwd files encrypted passwd. I have used many different crackers. Everyone has their favorite. My personal favorite is one called PaceCrack95 Ver. 1.1
http://tms.netrom.com/~cassi dy/utils/pacec.zip
Many people swear that John the Ripper is the greatest but i have problems with it, but it can be gotten off any decent hacking page. Same for Cracker Jack. A Cracker will load a wordlist and a passwd file and compare the two. When it cracks a password it will tell you the user name and the unencrypted password. You don't need to write it down because the program auto saves it. Cracker Jack saves the file as jack.pot and i think John the Ripper does too. PaceCrack95 Ver. 1.1 saves it to the files name (ex., passwd.txt.db) with the exact name and makes it a.DB file. I like to keep a passwd file once i have cracked it and later try out a new passwd cracker on it with the same wordlist and see if it works or if it is fake. It helps
________________________7. Wordlists
Wordlists are a nessicity to cracking passwd files. They are just huge lists of words. The biggest wordlist is avaliable from here: ftp://ftp.ox.ac.uk/pub/wordlists/
If you get a passwd file from another contry get a wordlist with the same launguage as the worlist came from, as the users would probably use words they are familier with There are some programs which can make random numbers to what you specify but that might not be really great, since there is such a huge amount of number combinations they could use. I am not completly saying they are useless since i have cracked a password with one before, I had fashoned my own list of 4 digit numbers since people might use their phone number and well it worked
________________________8. What to do with a Cracked Passwd file
What you can do with a passwd is up to you. The nice thing to do is inform the administator of the server that, accounts on his (or her) server are insucure and possibly open to anyone hacking an account and bringing havok upon their server. Some other things you can do is fire up good ole telnet and connect to one of theirrts and see what you could do with that account. The possiblities are endless. You could hack a webpage (i wouldn't do that on account of how lame it is to destruct someones piece of work.)
You could use an exploit in sendmail and get root or install a sniffer on the system and get all the passwords you could ever want from it. You could use the account to do work on OTHER servers that you sure as hell wouldn't want to do from your own. If your account is canceled you can use a hacked accounts dial up till you purchase a new one. Like I said the list goes on and on. I am sure noone wants you doing anything destuctive (its lame anyhow.) And the best thing to do is report the problem to the system admin so, if he finds out he won't freak and call your admin and tell him you have been doing naughty things or even call the cops. I hope this text was informative enough to fufill your needs
No comments:
Post a Comment