WHAT:
It's easy to get a passwd (password) file, but it's harder to get a Good One.
Yes, a good one, there is only one Good One.
HOW:
The oldest method I know is the FTP://server.com. 
*Note: To do this ftp the server from your browser, not sum ftp progz or anything like that.*
Then you will ftp the server anonymously and you will see something like this:

FTP Dir on server.com
---------------------
04/07/1999 12:00 Directory dev | <=--- Devices
04/12/1999 12:00 Directory etc | <=--- This one you want!
06/10/1998 12:00 Directory hidden | <=--- Not important
03/22/2000 02:23 Directory pub | <=--- Public stuff

As u can see this is a Unix system *(windows does not have /etc/)*
So we click on --=>etc

FTP Dir /etc on server.com
--------------------------
04/12/1999 12:00 601 group |<=--- File with group/user names
04/12/1999 12:00 509 passwd |<=--- Bingo!

So we click on the passwd file.
We see something like this:
	root:x:0:1:Super-User:/:/sbin/bash
	daemon:x:1:1::/:
	bin:x:2:2::/usr/bin:
	sys:x:3:3::/:
	adm:x:4:4:Admin:/var/adm:
	lp:x:71:8:Line Printer Admin:/usr/spool/lp:
	smtp:x:0:0:Mail Daemon User:/:
WHAT: This stuff is useless. The x means that the passwd is shadowed: the real value is kept in a separate file that ordinary users cannot read.
It's a shadowed passwd file, very hard to crack, but there is a way to do it, using a program called Deshadow.
-Deshadow would do the work they say, but deshadow is only to be run on your own unix box.
	root:x:0:1:Super-User:/:/sbin/bash
	 |   | | |     |      |     |
	 |   | | |     |      |     shell (bash = bourne again shell)
	 |   | | |     |      home dir
	 |   | | |     fullname
	 |   | | group id
	 |   | userid
	 |   shadowed passwd
	 Login name

****
The "x" is called a token; on some systems it is replaced by a "$" or "#" or sometimes even the user name.
****
-So now that the passwd file is useless, we are disappointed, and just for the fun of it all
we will take a look at the ---=>group.
We see something like this:
	root::0:root
	other::1:
	bin::2:root,bin,daemon
	sys::3:root,bin,sys,adm
	adm::4:root,adm,daemon
	uucp::5:root,uucp
	mail::6:root
	tty::7:root,tty,adm
	lp::8:root,lp,adm
	nuucp::9:root,nuucp
	staff::10:
	daemon::12:root,daemon
	sysadmin::14:
	nobody::60001:
	noaccess::60002:
	nogroup::65534:
	sponsor::26:dlamb,marci,trs,wjtifft,sndesign,bswingle,sonny
	star::22:nobody,trs,marci,dlamb,wjtifft,sndesign,bswingle,grossman
	cron::30:root,rwisner,trs,grossman,bcauthor,starnews,kvoa,bswingle,uurtamo
	nettools::29:root,rwisner,trs,grossman,bcauthor,bswingle,uurtamo
	su::27:root,rwisner,trs,grossman,bcauthor,uurtamo,bswingle
	ftp::60000:
What's to say? A bunch of user names and group IDs (gid).
Sometimes you will find a file called pwd.db in the /etc dir.
--Okay our attempt failed to retrieve a good passwd file, so now we are going to get the Good One.
* Note: On windows the passwd file is called .pwl *

You can do the old FTP method on many servers, but let's talk about the Good passwd file.
We use the same example as above:

root:Npge08pfz4wuk:0:1:Super-User:/:/sbin/bash
daemon:Fs2e08p34Cxw1:1:1::/:
bin:Npge08pfz4wuk:2:2::/usr/bin:

What you should notice is the gibberish (Npge08pfz4wuk); it is an encrypted passwd.
Actually it is not encrypted but encoded.

------->>PASSWD Encoded info<<---------

The passwd is encoded with a randomly generated value called the salt.
There are 4096 salt values. So if you want to do a Dictionary Attack u will have to try all the values.
So in Npge08pfz4wuk, the Np is the salt and the ge08pfz4wuk is the encoded passwd.
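
For an administrator checking their own box, the field layout and the salt format described above can be turned into an audit. The Python below is an added example, not part of the original text; the function names are hypothetical and the sample is constructed from the entries quoted above. It flags values left in the world-readable passwd file (what this page calls the encoded passwd), accounts that share one value, and non-root accounts with UID 0 such as the smtp entry in the first listing.

```python
import re
from collections import defaultdict

# Traditional DES crypt(3) output: 2 salt characters followed by 11 hash
# characters, all drawn from the 64-character set [./0-9A-Za-z].
DES_CRYPT = re.compile(r"[./0-9A-Za-z]{13}")
FIELDS = ("name", "passwd", "uid", "gid", "gecos", "home", "shell")

def parse_passwd(text):
    """Return one dict per well-formed 7-field passwd line."""
    entries = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) != len(FIELDS) or not parts[2].isdigit():
            continue  # skip blanks, comments and malformed lines
        entries.append(dict(zip(FIELDS, parts)))
    return entries

def audit_passwd(text):
    """Return sorted (account, finding) pairs for risky entries."""
    findings = []
    by_hash = defaultdict(list)
    for e in parse_passwd(text):
        pw = e["passwd"]
        if pw == "":
            findings.append((e["name"], "empty password field"))
        elif DES_CRYPT.fullmatch(pw):
            findings.append((e["name"], "unshadowed DES crypt hash, salt " + pw[:2]))
            by_hash[pw].append(e["name"])
        if int(e["uid"]) == 0 and e["name"] != "root":
            findings.append((e["name"], "UID 0 on a non-root account"))
    for names in by_hash.values():
        if len(names) > 1:  # same salt and same hash means the same password
            findings.append((",".join(names), "identical hash shared"))
    return sorted(findings)

# Constructed sample built from the entries quoted on this page.
SAMPLE = """\
root:Npge08pfz4wuk:0:1:Super-User:/:/sbin/bash
daemon:Fs2e08p34Cxw1:1:1::/:
bin:Npge08pfz4wuk:2:2::/usr/bin:
sys:x:3:3::/:
smtp:x:0:0:Mail Daemon User:/:
"""

if __name__ == "__main__":
    for account, finding in audit_passwd(SAMPLE):
        print(f"{account}: {finding}")
```

Any finding of the first kind means the system should be converted to shadowed passwords, and the anonymous FTP area should never expose the real /etc directory.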
**********************************************************************
Right about now u would want to download Jack the Ripper. Great article on how to use it: http://hellboundhackers.org/readarticle.php?article_id=45

Hack4u