Introduction
To gain access to a Unix system you need a username and a password, and what better place to find them than /etc/passwd :-) This is the file that holds the list of usernames and, on systems without shadow passwords, their passwords, together with other information about each user. The problem is that the passwords are not stored in the clear: what the file holds is the output of crypt(3), a one-way function, so they cannot be read back and have to be guessed (this text calls them "encrypted" passwords throughout). Let's look at what one of these files looks like:
root:XY53yyh3gMvvE:0:3::/root:/bin/sh
daemon:*:1:5::/:/bin/sh
bin:*:2:2::/bin:/bin/sh
adm:*:4:4::/usr/adm:/bin/sh
uucp:*:5:3::/usr/spool/ucppublic:/usr/lib/uucp/uucico
lp:*:9:7::/usr/spool/lp:/bin/sh
hpdb:*:27:1:ALLBASE:/:/bin/sh
user1:g.um3CCF4uVIk:247:25:DArcy Martín:/disc/users/pepito:/bin/csh
user2:RckFa8/idTCFg:248:24:Billy Corgan:/disc/users/fulanito:/bin/csh
user3:axX/MxQZr37tA:0:3:James Iha:/disc/users/menganito:/bin/csh
As you can see, each line corresponds to one user and contains, in order: the username, the encrypted password, the user id (uid), the group id (gid), the real name (the GECOS field), the home directory and the shell started at login. The format may vary slightly between systems, but basically this is it. Each field is separated from the next by a colon ":".

In some lines the password field is "*". That is not a valid encrypted password: no password encrypts to it, so you cannot log into those accounts with a password at all (they are locked, or used only by system services).

Another detail to take into account is every user whose uid is "0", like root. Those users are root in every respect and have the same rights as the real root: in the example, "user3" has uid 0, so it is a root account. Users whose uid is not 0 but whose gid is root's group (here 3; on many systems 0 or "wheel") are not root, but they get group access to everything owned by that group, which is often enough to read or modify sensitive files.
OK, now we have to "decrypt" the passwords. The problem is that Unix uses a one-way function, so they cannot be decrypted. Then how does login check whether the password is correct? The system encrypts the password we type (using the first two characters of the stored value as the salt) and compares the result with the string stored in the passwd file. If they are identical the password is correct and the system lets you in. Attacking a Unix passwd file works exactly the way login does: the cracker encrypts many, many words and checks whether any of the results matches an encrypted password in the file. If one matches, we have the password! If not, we try the next word. To do this we need three things:
1- A word list to encrypt and check.
2- A list of encrypted passwords (the passwd file).
3- A program that does all the work.
STEP ONE: Obtaining the Word List
Be creative. You can write your own word list with names, surnames, famous people, numbers, months, bad words, companies, server names and the ever-popular sex, love and god. Anything goes as long as you think it might be used as a password on the system you want to hack. Luckily, there are word lists on the internet waiting to be tried. One of the most interesting places for word lists is ftp://sable.ox.ac.uk/pub/wordlists/. It has many word lists but is slightly slow. Fortunately there is a mirror of this server in Spain, at ftp://sun.rediris.es/mirror/sable/wordlists/, which is much faster, especially if your connection is inside the Spanish network. In any case you can always search Yahoo or Lycos for "dictionar" or "wordlis" and you will find many sites with word lists. A good tip is to try the names and surnames of the users of the system you are cracking: a great many people use their own name or their girlfriend's name as a password, so a word list built from the users' names and surnames has a good chance of turning up passwords. Another common password is the username itself, and many people use "password". It is a good idea to extract every word in the passwd file (usernames and the real-name field) and try them all as passwords. There are many utilities for this, some of them distributed with the crackers themselves, and you will not find it hard to locate a program that pulls the names, surnames and usernames out of an /etc/passwd file. There are even utilities whose only purpose is to build word lists.
STEP 2: Obtaining the password list
This is slightly more difficult. If you have an account on the system you want to hack, you can always do "cat /etc/passwd". If the system does not use shadow passwords or NIS, a list like the one at the beginning will appear. Otherwise you will see something like this:
root:*:0:3::/root:/bin/sh
where the password field is "*", "x", or something containing an asterisk such as "*NOPASSWORD*". In that case /etc/passwd is of no use, because shadow passwords or NIS are in use. With NIS you can try "ypcat passwd" (ypcat takes the name of the NIS map, not the path of a file): it prints the map the NIS server hands out, and on many systems that map still carries the real encrypted passwords. If you do not have the rights to run ypcat, if it is not installed, or if its output still shows junk in the password field, you will have to use other programs to obtain the passwords. I recommend PWGET. It is very easy to find: just look for PWGET.TAR.GZ or PWGET.TGZ in any archie, or in Lycos or Yahoo, and you are sure to find it. Once you have it, upload it to the server you want to hack, unzip it ("gzip -d -f PWGET.TGZ"), untar it ("tar -x -f PWGET.TAR"), compile it ("cc -o pwget pwget.c") and run it ("./pwget"), and the password list will appear on screen. If you want the list in a file, just redirect the output to a file:
$ ./pwget > file
or else
$ ypcat passwd > file
or else
$ cat /etc/passwd > file
The same way you would redirect output under DOS. Now, to download the file you can use FTP, Kermit or ZModem/YModem/XModem. To download via Kermit or ZModem your telnet program must support those protocols (as NetTerm does), and so must the Unix machine (that is, it must have the necessary program installed). Kermit is usually installed on all systems:
$ kermit
kermit> set file type ascii (or "text", depending on the system)
kermit> set send pack 1000
kermit> set rec pack 1000
kermit> set file type 2 (or 3, as you prefer)
kermit> send file ... then choose Download->Kermit in your terminal program
CTRL+C
kermit> quit
$
You may also use ZModem, if it is installed:
$ sz file ... then choose Download->ZModem in your terminal program
$
Step 3: Cracking the password list
Now that you have the password list and several word lists, you need a program that encrypts the words and then compares them with the encrypted passwords in the password list. There are many programs you can use. Below I briefly describe the characteristics of the programs (and their names, so that you can look for them on the net), but first some tips for obtaining the passwords in less time:
1- Delete from the password file all lines whose password is invalid ("*", "*NOPASSWORD*", etc.). No word encrypts to those values, so every encryption tried against them is wasted.
2- Sort the lines of the password file by the first two characters of the encrypted password (the salt). A word only has to be encrypted once per distinct salt, so when users sharing a salt sit together a cracker can test one encryption against all of them. Some of the programs described below do this automatically, but some do not. With these two steps you can save a lot of time, depending on the cracker you use.
3- Users whose password field is empty (user1::101:1:Manolito:/usr/user1:/bin/sh) have no password at all, so you can delete those lines from the file too. When you log in, simply typing the username gets you in; if it asks for a password, press ENTER without typing one. :-)
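The whole procedure in one place: the field layout from the introduction, the way login checks a password, harvesting words from the passwd file itself (step one), and the three tips above (dropping locked and empty lines, grouping by salt). This is a worked example added here by the editor; it is not code from the original page nor from any of the crackers described below, and everything in it is an assumption made for the demonstration: the sample file is constructed in the page's format with made-up names and passwords, and `demo_hash` only imitates the shape of a crypt(3) result (two-character salt plus eleven characters from the crypt alphabet), since real DES crypt is not available in Python's hashlib. On Python 3.12 or older you can pass `crypt.crypt` as `hashfn` to `crack()` and feed it a real file.

```python
import hashlib
import re
from collections import defaultdict

# Stand-in for crypt(3). ASSUMPTION: DES crypt is not in hashlib, so this keeps
# only the shape of a crypt hash (2-char salt + 11 chars of the crypt alphabet)
# and derives the body from SHA-256 of salt+word. On Python <= 3.12 you can
# pass crypt.crypt as hashfn to crack() and run it against a real file.
ALPHABET = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
CRYPT_RE = re.compile(r"^[./0-9A-Za-z]{13}$")

def demo_hash(word, salt):
    salt = salt[:2]  # crypt(3) likewise uses only the first two characters
    body = hashlib.sha256((salt + word).encode()).digest()[:11]
    return salt + "".join(ALPHABET[b % 64] for b in body)

def parse_passwd(text):
    """Split each line into the seven colon-separated passwd fields."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError("malformed passwd line: %r" % line)
        user, pw, uid, gid, gecos, home, shell = fields
        entries.append({"user": user, "hash": pw, "uid": int(uid), "gid": int(gid),
                        "gecos": gecos, "home": home, "shell": shell})
    return entries

def superusers(entries):
    """Every uid-0 account is root, whatever its name."""
    return [e["user"] for e in entries if e["uid"] == 0]

def triage(entries):
    """Empty field: no password, log in directly. '*', 'x', '*NOPASSWORD*' and
    the like: locked, nothing hashes to them. Only well-formed hashes are worth cracking."""
    crackable, no_password, locked = [], [], []
    for e in entries:
        bucket = (no_password if e["hash"] == "" else
                  crackable if CRYPT_RE.match(e["hash"]) else locked)
        bucket.append(e)
    return crackable, no_password, locked

def words_from_passwd(entries):
    """Candidates harvested from the file itself: usernames and every word of
    the real-name field, as written and lowercased, plus 'password'."""
    words = {"password"}
    for e in entries:
        for w in [e["user"]] + re.split(r"[\s,]+", e["gecos"]):
            if w:
                words.update({w, w.lower()})
    return sorted(words)

def crack(entries, wordlist, hashfn=demo_hash):
    """Dictionary attack done the way login checks a password: hash the guess
    with the stored salt and compare. Entries are grouped by salt, so each word
    is hashed once per distinct salt rather than once per user; that is the gain
    from sorting the file by the first two characters of the hash."""
    by_salt = defaultdict(dict)
    for e in entries:
        by_salt[e["hash"][:2]].setdefault(e["hash"], []).append(e["user"])
    found = {}
    for word in wordlist:
        for salt, hashes in by_salt.items():
            for user in hashes.get(hashfn(word, salt), ()):
                found[user] = word
    return found

# Constructed sample in the page's format; names and passwords are made up.
# Plaintext None -> locked account ('*'); '' -> empty password field.
ACCOUNTS = [
    ("root",   "toor",    0,   3,  "",             "/root",                 "/bin/sh"),
    ("daemon", None,      1,   5,  "",             "/",                     "/bin/sh"),
    ("user1",  "martin",  247, 25, "DArcy Martin", "/disc/users/pepito",    "/bin/csh"),
    ("user2",  "Corgan",  248, 24, "Billy Corgan", "/disc/users/fulanito",  "/bin/csh"),
    ("user3",  "Zx9!qv#", 0,   3,  "James Iha",    "/disc/users/menganito", "/bin/csh"),
    ("guest",  "",        300, 30, "Guest",        "/tmp",                  "/bin/sh"),
]

def build_sample():
    lines = []
    for user, plain, uid, gid, gecos, home, shell in ACCOUNTS:
        # salt taken from the first two letters of the name, so user1..user3 share one
        pw = "*" if plain is None else "" if plain == "" else demo_hash(plain, user)
        lines.append(":".join([user, pw, str(uid), str(gid), gecos, home, shell]))
    return "\n".join(lines)

def run_demo():
    entries = parse_passwd(build_sample())
    crackable, no_password, locked = triage(entries)
    wordlist = words_from_passwd(entries) + ["sex", "love", "god", "toor"]  # constructed
    return {"superusers": superusers(entries),
            "no_password": [e["user"] for e in no_password],
            "locked": [e["user"] for e in locked],
            "found": crack(crackable, wordlist)}

if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

Running it reports root and user3 as uid-0 accounts, guest as passwordless, daemon as locked, and recovers root, user1 and user2 from the harvested words alone; user3, whose password is not in the list, stays uncracked. Because user1, user2 and user3 share the salt "us", every word costs one hash for all three of them, which is exactly what sorting the password file by the salt buys you with a cracker that does not group entries itself.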
Here is a comparison of all the different crackers, run on the same machine with the same word and password lists. Some of them took too long and I aborted the cracking process; in those cases I estimated the time they would take to finish from the time they ran (1 hour) and the number of words checked in that time.

CRACKERS:

Cracker Jack 1.4 (JACK14*.*, CJACK*.*): The most widely used, at least as far as I know; it is on almost every hacking site on the internet. Works under DOS and OS/2 and is quite fast. The same "distribution" includes many utilities for processing the word list. You can search for it on the web.

Brute 2.00 (BRUTE*.*): Another quite popular cracker, despite being so slow. I think there is a faster version, but it uses an encryption algorithm that is not completely correct (although faster), so it does not crack all the passwords it should. I have not found a copy of that version, so I was not able to test it. Works under DOS.

StarCrack 0.64ß (STARCRAK*.*): A cracker with plenty of options, which lets you manipulate words as they are tested. It is faster than Cracker Jack, works under DOS and is very complete. It is quite new and still a beta, so I expect a much better version soon... :-? It has plenty of options and lets you do all kinds of things. You can find it at the StarCrack homepage: http://www.chez.com/thes/starcrak.html

Hades 1.00a (HADES*.*): Another cracker for DOS. It works differently from the rest: instead of encrypting a word and checking it against the passwords of all users, it encrypts all the words and then checks them against the password of one user, and once it has finished with one user it moves on to the next. Because of this it does far too much disk I/O, which slows the whole process down. Its performance improves slightly if we sort the password file by the encrypted password field, because then the cracker checks several users (those sharing a salt) at once. It can also be improved by keeping all the lists (password and word lists) in memory on a RAM disk.

Guess 2.1 (GUESS*.*): Cracker for DOS, extremely slow. It has memory problems with password files of more than 1000 lines.

PCUPC 2.01 (PCUPC*.*): Another cracker for DOS. This one has memory problems with password files of more than 600/700 lines.

Killer Cracker 9.5 (DJKC95*.*, KC*.*): Like Guess, a very slow cracker for DOS which has problems with password files longer than 1000 lines.

Xit 2.0 (XIT20*.*): Cracker for DOS. It is the slowest I have found. As its name says, it is a SHIT! :-)

HellFire Cracker 1.3 (HC130*.*): Cracker for DOS. Requires a 386 with a co-processor, but for some strange reason it hangs on my Pentium and on my 486, so I cannot tell you how good it is. Maybe if you have a 386 you will be able to use it. The program includes a 387 emulator in case you do not have a co-processor. Anyway, it is a very old program that surely will not be very fast.

John the Ripper 1.4 (UCFJOHN3*.*): Cracker for DOS/Win32/Linux and any other system, since it is distributed with its source code. Works similarly to Cracker Jack but includes more options and is quite fast. It is a new release (as of when this document was written :) courtesy of UCF (United Cracking Force) and may be a bit hard to find, but it is really useful and fast. It does not have as many options as StarCrack, but it is much faster, and it also offers many options for processing the word list you use... This is the homepage of John the Ripper: http://www.false.com/security/john/
These are the results, ordered by speed: