
How To Get A Passwd File

WHAT: It's easy to get a passwd (password) file, but it's harder to get a "Good One". Yes, a good one, there is only one "Good One".

HOW: The oldest method I know is ftp://server.com.
Note: To do this, ftp to the server from your browser, not some ftp progz or anything like that. Then you will ftp to the server anonymously and you will see something like this:

FTP Dir on server.com

04/07/1999 12:00 Directory dev     <=-- Devices
04/12/1999 12:00 Directory etc     <=-- This one you want!
06/10/1998 12:00 Directory hidden  <=-- Not important
03/22/2000 02:23 Directory pub     <=-- Public stuff

As you can see this is a Unix system (Windows does not have /etc/), so we click on etc.

FTP Dir /etc on server.com

04/12/1999 12:00 601 group   <=-- File with group/user names
04/12/1999 12:00 509 passwd  <=-- Bingo!

So we click on the passwd file. We see something like this:

root:x:0:1:Super-User:/:/sbin/bash
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
sys:x:3:3::/:
adm:x:4:4:Admin:/var/adm:
lp:x:71:8:Line Printer Admin:/usr/spool/lp:
smtp:x:0:0:Mail Daemon User:/:

WHAT: This stuff is useless. The x means that the passwd is "shadowed". It's a shadowed passwd file, very hard to crack, but there is a way to do it, using a program called Deshadow.

Deshadow would do the work, they say, but Deshadow can only be run on your own Unix box.

root:x:0:1:Super-User:/:/sbin/bash

  root        = login name
  x           = shadowed passwd
  0           = userid
  1           = group id
  Super-User  = fullname
  /           = home dir
  /sbin/bash  = shell (bash = bourne again shell)


The "x" is called a token; on some systems it is replaced by a "$" or "#" or sometimes even the user name.


So now that the passwd file is useless, we are disappointed, and just for the fun of it all we will take a look at group. We see something like this:

root::0:root
other::1:
bin::2:root,bin,daemon
sys::3:root,bin,sys,adm
adm::4:root,adm,daemon
uucp::5:root,uucp
mail::6:root
tty::7:root,tty,adm
lp::8:root,lp,adm
nuucp::9:root,nuucp
staff::10:
daemon::12:root,daemon
sysadmin::14:
nobody::60001:
noaccess::60002:
nogroup::65534:
sponsor::26:dlamb,marci,trs,wjtifft,sndesign,bswingle,sonny
star::22:nobody,trs,marci,dlamb,wjtifft,sndesign,bswingle,grossman
cron::30:root,rwisner,trs,grossman,bcauthor,starnews,kvoa,bswingle,uurtamo
nettools::29:root,rwisner,trs,grossman,bcauthor,bswingle,uurtamo
su::27:root,rwisner,trs,grossman,bcauthor,uurtamo,bswingle
ftp::60000:

What's to say? A bunch of user names and group IDs (gid). Sometimes you will find a file called pwd.db in the /etc dir.

Okay, our attempt to retrieve a good passwd file failed, so now we are going to get the "Good One". ** Note: On Windows the passwd file is called .pwl **

You can do the old FTP method on many servers, but let's talk about the Good passwd file. We use the same example as above:

root:Npge08pfz4wuk:0:1:Super-User:/:/sbin/bash
daemon:Fs2e08p34Cxw1:1:1::/:
bin:Npge08pfz4wuk:2:2::/usr/bin:

What you see, and what you should notice, is the gibberish (Npge08pfz4wuk): it is an encrypted passwd. Actually it is not encrypted but encoded.

>> PASSWD Encoded info <<

The passwd is encoded with a randomly generated value called the Salt. There are 4096 salt values, so if you want to do a Dictionary Attack you will have to try all the values. So in Npge08pfz4wuk, the Np is the salt and ge08pfz4wuk is the encoded passwd.
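As an added illustration of the field layout and the salt rule above (this is not code from the original article), the Python below parses passwd lines, tells a shadow token apart from an exposed traditional crypt hash, and reports what an administrator auditing the file would want to fix; the sample lines are constructed to mirror the article's examples, and the 4096 figure falls out of the 64-symbol crypt alphabet.

```python
import re
import string

# Traditional crypt(3) output uses a 64-symbol alphabet; a two-character
# salt drawn from it therefore has 64 * 64 = 4096 possible values.
CRYPT_ALPHABET = "./" + string.digits + string.ascii_uppercase + string.ascii_lowercase
DES_HASH_RE = re.compile(r"^[./0-9A-Za-z]{13}$")   # 2-char salt + 11-char hash
SHADOW_TOKENS = {"x", "$", "#"}                     # tokens named in the article

# Constructed sample resembling the article's listings (not real accounts).
SAMPLE = """root:x:0:1:Super-User:/:/sbin/bash
smtp:x:0:0:Mail Daemon User:/:
daemon:Fs2e08p34Cxw1:1:1::/:
guest::500:500:Guest:/home/guest:/bin/sh
"""

def salt_space() -> int:
    """Number of distinct two-character salts."""
    return len(CRYPT_ALPHABET) ** 2

def parse_passwd_line(line: str) -> dict:
    """Split one passwd line into its seven named fields."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 7:
        raise ValueError(f"expected 7 colon-separated fields: {line!r}")
    keys = ("login", "passwd", "uid", "gid", "fullname", "home", "shell")
    rec = dict(zip(keys, fields))
    rec["uid"], rec["gid"] = int(rec["uid"]), int(rec["gid"])
    return rec

def classify_passwd_field(field: str, login: str) -> str:
    """empty / shadowed (token or user name) / des-hash / other."""
    if field == "":
        return "empty"
    if field in SHADOW_TOKENS or field == login:
        return "shadowed"
    if DES_HASH_RE.match(field):
        return "des-hash"
    return "other"

def audit(text: str) -> list:
    """Return human-readable findings for a passwd file's contents."""
    findings = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        rec = parse_passwd_line(line)
        kind = classify_passwd_field(rec["passwd"], rec["login"])
        if kind == "des-hash":   # hash readable by anyone who can read the file
            findings.append(f"{rec['login']}: crypt hash exposed (salt {rec['passwd'][:2]!r})")
        elif kind == "empty":    # no password at all
            findings.append(f"{rec['login']}: empty password field")
        if rec["uid"] == 0 and rec["login"] != "root":   # extra superuser account
            findings.append(f"{rec['login']}: uid 0 but not root")
    return findings
```

Running `audit(SAMPLE)` reports the exposed daemon hash, the empty guest field and the second uid 0 account (smtp), while the shadowed root entry produces nothing.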


Right about now you would want to download Jack the Ripper. Great article on how to use it: http://hellboundhackers.org/readarticle.php?article_id=45 ("Its primary purpose is to detect weak UNIX passwords"). Use the Ripper to crack the passwd file. When it is cracked you will have access to the server.

Of course I only showed one method of getting a passwd file. To get a passwd file the other way, you first need to find a hole in the services running at various ports of the host.

By: Hack4u