Obtain a passwd file

Obtain a passwd file

By ghost | 9562 Reads |

0     0

• FTP Dir on server.com
• FTP Dir /ect on server.com

WHAT: It's easy to get a passwd (password) file, but it’s harder to get a “Good One” Yes, a good one, there is only one “Good One”. HOW: The oldest method I know is the FTP://server.com. Note: To do this ftp the server from your browser, not sum ftp progz or anything like that. Then you will ftp the server anonymously and you will see something like this:

¶FTP Dir on server.com

04/07/1999 12:00 Directory dev | <=— Devices 04/12/1999 12:00 Directory etc | <=— This one you want! 06/10/1998 12:00 Directory hidden | <=— Not important 03/22/2000 02:23 Directory pub | <=— Public stuff

As u can see this is a Unix system (windows does not have /ect/) So we click on –=>etc

¶FTP Dir /ect on server.com

04/12/1999 12:00 601 group |<=— File with group/user names 04/12/1999 12:00 509 passwd |<=— Bingo!

So we click on the passwd file. We see something like this: root:x:0:1:Super-User:/:/sbin/bash daemon:x:1:1::/: bin:x:2:2::/usr/bin: sys:x:3:3::/: adm:x:4:4:Admin:/var/adm: lp:x:71:8:Line Printer Admin:/usr/spool/lp: smtp:x:0:0:Mail Daemon User:/: WHAT: This stuff is useless. The X that means that the passwd is“shadowed” It's a shadowed passwd file, very hard to crack but there is way to do it, using a program called Deshadow -Deshadow would do the work they say, but deshadow is only to be run on your own unix box. root:x:0:1:Super-User:/:/sbin/bash | | | | | | | Login| | | | | | name | |group | | shell (bash= bourne again shell) | | id fullname| shadowed | passwd| home | dir userid

The "x" is called a token on some systems it is replaced by a "$" or "*" or sometimes even the user name.

-So now that the passwd file is useless, we are disapointed and just for the fun of it all we will take a look at the —=>group. we see something like this: root::0:root other::1: bin::2:root,bin,daemon sys::3:root,bin,sys,adm adm::4:root,adm,daemon uucp::5:root,uucp mail::6:root tty::7:root,tty,adm lp::8:root,lp,adm nuucp::9:root,nuucp staff::10: daemon::12:root,daemon sysadmin::14: nobody::60001: noaccess::60002: nogroup::65534: sponsor::26:dlamb,marci,trs,wjtifft,sndesign,bswingle,sonny star::22:nobody,trs,marci,dlamb,wjtifft,sndesign,bswingle,grossman cron::30:root,rwisner,trs,grossman,bcauthor,starnews,kvoa,bswingle,uurtamo nettools::29:root,rwisner,trs,grossman,bcauthor,bswingle,uurtamo su::27:root,rwisner,trs,grossman,bcauthor,uurtamo,bswingle ftp::60000: What's to say? A bunch a user names and group id's (gid). Sometimes you will find a file called pwd.db in the /etc dir. –Okay our attempt failed to retrieve a good passwd file, so now we are going to get the “Good One”.

• Note: On windows the passwd file is called .pwl *

You can do the old FTP method on many servers, but lets talk about the Good passwd file. We use the same example as above:

root:Npge08pfz4wuk:0:1:Super-User:/:/sbin/bash daemon:Fs2e08p34Cxw1:1:1::/: bin:Npge08pfz4wuk:2:2::/usr/bin:

What you see and what you should notice is the jibberish (Npge08pfz4wuk) it is an encrypted passwd. Actually it is not encrypted but encoded.

—––>>PASSWD Encoded info<<———

The passwd is to be encoded with randomly generated value called Salt. There are 4096 salt values. So if you want to do a Dictionary Attack u will have to try all the values. So the Npge08pfz4wuk, the Np is the salt and the ge08pfz4wuk is the encoded passwd.

Right about now u would want to download Jack the Ripper Great article on how to use it…. http://hellboundhackers.org/readarticle.php?article_id=45

Hack4u