155 lines
5.5 KiB
Plaintext
155 lines
5.5 KiB
Plaintext
|
|
///////////////////////////////// //
|
|
// /// // //
|
|
///// /// // //
|
|
///// /// // //
|
|
// /// // //
|
|
/////////// /// //////////// //
|
|
|
|
////////// //////// ////////////////// // // ////////
|
|
// // // // // // // / // // //
|
|
////////// // // //////// //////// // /// // // //
|
|
// //////// // // // // // // // //
|
|
// // // // // //// //// // //
|
|
// // // //////// /////// /// /// ////////
|
|
=========================================================================ect/passwd
|
|
|
|
Brought to you by ---=> *KGB* ---=>fh_foxhound@hotmail.com
|
|
|
|
|
|
Intro: This file is 'bout the ect/passwd and everything that comes with it.
|
|
|
|
__disclaimer__
|
|
|
|
This file is for educational purpose only, blah blah, i am not responsable for your actions and
|
|
stuff like that. My main purpose is to contribute my knowledge to you.
|
|
|
|
|
|
|
|
=======================
|
|
Let's Start
|
|
=======================
|
|
*First of all it's easy to get a passwd (password) file, but it is harder to get a good one.
|
|
Good one? yes, a good one, there is only one Good one.
|
|
Okay only one good one, now tell me how 2 get the damn thing!
|
|
|
|
The oldest methode i know is the FTP://server.com.
|
|
Note: To do this ftp the server from your browser, not sum ftp progz or shit like that.
|
|
Then you will ftp the server anonymously and you will see something like this:
|
|
|
|
FTP Dir on server.com
|
|
---------------------
|
|
04/07/1999 12:00 Directory dev <=--- Devices
|
|
04/12/1999 12:00 Directory etc <=--- This one u want!
|
|
06/10/1998 12:00 Directory hidden <=--- Not important
|
|
03/22/2000 02:23 Directory pub <=--- Public stuff
|
|
|
|
As u can see this is a Unix system (duh windows doesnt have /ect/).
|
|
So we click on --=>ect
|
|
|
|
FTP Dir /ect on server.com
|
|
--------------------------
|
|
04/12/1999 12:00 601 group <=--- File with group/user names
|
|
04/12/1999 12:00 509 passwd <=--- Bingo!
|
|
|
|
So we click on the passwd file.
|
|
We see:
|
|
|
|
root:x:0:1:Super-User:/:/sbin/bash
|
|
daemon:x:1:1::/:
|
|
bin:x:2:2::/usr/bin:
|
|
sys:x:3:3::/:
|
|
adm:x:4:4:Admin:/var/adm:
|
|
lp:x:71:8:Line Printer Admin:/usr/spool/lp:
|
|
smtp:x:0:0:Mail Daemon User:/:
|
|
|
|
THIS IS USELESSSSSSS, why? see the X that means that the passwd is shadowed.
|
|
It's a shadowed passwd file, very very hard to crack there is way 2 do it, a program called
|
|
Deshadow would do the work they say, but deshadow is only to be run on your own unix box.
|
|
|
|
root:x:0:1:Super-User:/:/sbin/bash
|
|
| | | | | | |
|
|
Login| | | | | |
|
|
name | |group | | shell (bash= bourne again shell)
|
|
| | id fullname|
|
|
shadowed |
|
|
passwd| home
|
|
| dir
|
|
userid
|
|
|
|
****
|
|
The "x" is called a token on some systems it is replaced by a "$" or "#" or sometimes even the user name.
|
|
****
|
|
|
|
So now that the passwd file is useless, we are disapointed and just for the fun of it all
|
|
we will take a look at the ---=>group.
|
|
we see:
|
|
|
|
root::0:root
|
|
other::1:
|
|
bin::2:root,bin,daemon
|
|
sys::3:root,bin,sys,adm
|
|
adm::4:root,adm,daemon
|
|
uucp::5:root,uucp
|
|
mail::6:root
|
|
tty::7:root,tty,adm
|
|
lp::8:root,lp,adm
|
|
nuucp::9:root,nuucp
|
|
staff::10:
|
|
daemon::12:root,daemon
|
|
sysadmin::14:
|
|
nobody::60001:
|
|
noaccess::60002:
|
|
nogroup::65534:
|
|
sponsor::26:dlamb,marci,trs,wjtifft,sndesign,bswingle,sonny
|
|
star::22:nobody,trs,marci,dlamb,wjtifft,sndesign,bswingle,grossman
|
|
cron::30:root,rwisner,trs,grossman,bcauthor,starnews,kvoa,bswingle,uurtamo
|
|
nettools::29:root,rwisner,trs,grossman,bcauthor,bswingle,uurtamo
|
|
su::27:root,rwisner,trs,grossman,bcauthor,uurtamo,bswingle
|
|
ftp::60000:
|
|
|
|
What's to say? a bunch a user names and group id's (gid).
|
|
Sometimes you will find a file called pwd.db in the /ect dir.
|
|
|
|
=======================
|
|
Let's Move On
|
|
=======================
|
|
*Okay our attempt failed to retrieve a good passwd file, so now we are gonna get a good one.
|
|
Note: On windows the passwd file is called .pwl
|
|
|
|
You can do the old FTP method on many servers, but lets talk about the Good passwd file.
|
|
We use the same example as above:
|
|
|
|
root:Npge08pfz4wuk:0:1:Super-User:/:/sbin/bash
|
|
daemon:Fs2e08p34Cxw1:1:1::/:
|
|
bin:Npge08pfz4wuk:2:2::/usr/bin:
|
|
|
|
What u see and what u should notice is the jibberish (Npge08pfz4wuk) it is a encrypted passwd.
|
|
Actually it is not encrypted but encoded.
|
|
|
|
------->>PASSWD Encoded info<<---------
|
|
|
|
Encoded? that's right, when the passwd is to be encoded with randomly generated value called Salt.
|
|
There are 4096 salt values. So if you want to do a Dictionary Attack u will have 2 try all the values.
|
|
So the Npge08pfz4wuk, the Np are the salt and the ge08pfz4wuk is the encoded passwd.
|
|
|
|
---------------------------------------
|
|
|
|
Right about now u would want 2 download Jack the Ripper "Its primary purpose is to detect weak UNIX passwords"
|
|
And use the Ripper to crack the passwd file.
|
|
When it is cracked u will have access to the server. =)
|
|
|
|
=======================
|
|
Final Notes
|
|
=======================
|
|
*Now u know a little about this shit, don't forget the hardest part is getting the passwd file.
|
|
the rest is easy compared 2 that.
|
|
Ofcourse i only showed one method of getting a passwd file.
|
|
To get a passwd file the other way, you first need to find a hole in the services running
|
|
at various ports of the host.
|
|
|
|
I hope u know enough now.
|
|
|
|
GrtZ,
|
|
|
|
---=>KGB (fh_foxhound@hotmail.com) |