💾 Archived View for spam.works › mirrors › textfiles › uploads › ectpasswd.txt captured on 2023-06-16 at 20:53:31.

View Raw

More Information

-=-=-=-=-=-=-

              /////////////////////////////////      //
             //               ///   //              //
            /////            ///   //              //
           /////            ///   //              //
          //               ///   //              //
         ///////////      ///   ////////////    //

     	 //////////   //////// //////////////////  //         // ////////
    	//      //   //    // //        //        //   /     // //     //
       //////////   //    // ////////  ////////  //  ///    // //     //
      //           ////////       //        //  // //  //  // //     //
     //           //    //       //        //  ////     //// //     //
    //		 //    // ////////   ///////  ///	/// ////////   
=========================================================================etc/passwd

Brought to you by ---=> *KGB* ---=>fh_foxhound@hotmail.com ----=>thdreamer.com/kgb

Intro:	This file is 'bout the etc/passwd and everything that comes with it.

Topics: Getting a Passwd file
	Info about the /etc/passwd
	Info about the /etc/passwd fields
 	Info about the encryption
	Info about the /etc/shadow
	How to crack a passwd file using John the Ripper.
	Choosing a good Passwd
	
__disclaimer__

This file is for educational purpose only, blah blah, i am not responsable 
for your actions and
stuff like that. My main purpose is to contribute my knowledge to you.

=======================
First sum Facts about the /etc/passwd file
=======================


	
The /etc/passwd file is the most important user-related configuration file on the system.



	
All Unix systems have this file.



	
/etc/password contains information on all users including root.



	
It is almost perfectly standardized across all systems.



	
Misconfiguring this file can result in all users being unable to log in, including root,

 it also can result in anyone being able to login as anybody, including root.

=======================
Let's Start
=======================

	
First of all it's easy to get a passwd (password) file, but it is harder to 

get a good one.
Good one? yes, a good one, there is only one Good one.
Okay only one good one, now tell me how 2 get the damn thing!

The oldest methode i know is the FTP://server.com.
Note: To do this ftp the server from your browser, not sum ftp progz or shit 
like that.
Then you will ftp the server anonymously and you will see something like 
this:

FTP Dir on server.com
---------------------
04/07/1999 12:00      Directory dev     <=--- Devices
04/12/1999 12:00      Directory etc     <=--- This one u want! 
06/10/1998 12:00      Directory hidden  <=--- Not important
03/22/2000 02:23      Directory pub     <=--- Public stuff

As u can see this is a Unix system (duh windows doesnt have /etc/).
So we click on --=>etc

FTP Dir /etc on server.com
--------------------------
04/12/1999 12:00      601 group    <=--- File with group/user names
04/12/1999 12:00      509 passwd   <=--- Bingo!

So we click on the passwd file.
We see:

root:x:0:1:Super-User:/:/sbin/bash
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
sys:x:3:3::/:
adm:x:4:4:Admin:/var/adm:
lp:x:71:8:Line Printer Admin:/usr/spool/lp:
smtp:x:0:0:Mail Daemon User:/:


	
**

The /etc/passwd contains so much user-related information wich is needed by normal users,
there for it is world-readable but never make the passwd file world-writable!

	
**


THIS IS USELESSSSSSS, why? see the X that means that the passwd is shadowed.
It's a shadowed passwd file, very very hard to crack there is way 2 do it, a 
program called
Deshadow would do the work they say, but deshadow is only to be run on your 
own unix box.


	
**

-When Shadowing your /etc/passwd-

The encrypted passwords are moved out into a shadow password file 
(called /etc/shadow, how it is called depends on what release/disstro your are using) 
that is NOT publicly readable. 
The passwd file has always been readable so that, for example, ls -l 
could figure out who owns what. But having the passwd encryptions 
readable is a security risk.

	
**

                  
                    gecos 
                      |
root:x:0:1:Super-User:/:/sbin/bash
  |   | | |       |      |     |
Login | | |       |      |     |
name  | |group    |      |    shell (bash= bourne again shell)
      | | id   fullname  |
  shadowed	         |
  passwd|                home
        |                dir
     userid

UserName:Password:UserID:PrincipleGroup:Gecos:HomeDirectory:Shell

------->>Info about GECOS<<-------

General Electric Comprehensive Operating System,

"Some early UNIX systems at Bell Labs used GCOS machines for print spooling 
and various other services; the field added to `/etc/passwd' to carry GCOS ID information 
was called the `GECOS field' and survives today as the `pw_gecos' member used for 
the user's full name and other human-ID information" -Jargon file

This field is used to allow some programs like mail and news access to the users's real name.
also this field can contain any ASCII charater except ":".
----------------------------------


	
***

The "x" is called a token on some systems it is replaced by a "$" or "#" or 
sometimes even the user name.

	
***


So now that the passwd file is useless, we are disapointed and just for the 
fun of it all
we will take a look at the ---=>group. (/etc/group)
we see:

root:x:0:root
other::1:
bin::2:root,bin,daemon
sys::3:root,bin,sys,adm
adm::4:root,adm,daemon
uucp::5:root,uucp
mail::6:root
tty::7:root,tty,adm
lp::8:root,lp,adm
nuucp::9:root,nuucp
staff::10:
daemon::12:root,daemon
sysadmin::14:
nobody::60001:
noaccess::60002:
nogroup::65534:
sponsor::26:dlamb,marci,tcl,wjtifft,sndesign,bswingle,sonny
star::22:nobody,tcl,marci,dlamb,wjtifft,sndesign,bswingle,grossman
cron::30:root,zwisner,tcl,grossman,bcauthor,starnews,kvoa,bswingle,uurtamo
nettools::29:root,zwisner,tcl,grossman,bcauthor,bswingle,uurtamo
su::27:root,zwisner,tcl,grossman,bcauthor,uurtamo,bswingle
ftp::60000:

What's to say? a bunch a user names and group id's (gid).

Sometimes you will find a file called pwd.db in the /etc dir. This is a 
database file.
Unfortunatly this file is useless. Because in these file the passwords are 
removed.
The spwd.db is the same kind of file but without the passwords removed.
Remember this about the files:

     /etc/passwd	 ASCII password file, with passwords removed
     /etc/master.passwd  ASCII password file, with passwords intact
     /etc/pwd.db	 format password database, with passwords removed
     /etc/spwd.db	 format password database, with passwords intact

=======================
Let's Move On
=======================

	
Okay our attempt failed to retrieve a good passwd file, so now we are gonna 

get a good one.
Note: On windows the passwd file is called .pwl

You can do the old FTP method on many servers, but lets talk about the Good 
passwd file.
We use the same example as above:

root:Npge08pfz4wuk:0:1:Super-User:/:/sbin/bash
daemon:Fs2e08p34Cxw1:1:1::/:
bin:Npge08pfz4wuk:2:2::/usr/bin:

What u see and what u should notice is the jibberish (Npge08pfz4wuk) it is a 
encrypted passwd.
Actually it is not encrypted but encoded.

------->>PASSWD Encoded info<<---------

Encoded? that's right, when the passwd is to be encoded with randomly 
generated value called Salt.
There are 4096 salt values. So if you want to do a Dictionary Attack u will 
have 2 try all the values.
So the Npge08pfz4wuk, the Np are the salt and the ge08pfz4wuk is the hashed 
passwd.
Sometimes there is nothing no hashed passwd, no shadowed passwd, just an 
empty space. This means that
there is no passwd!! this is a major security risk.
---------------------------------------

Right about now u would want 2 download John the Ripper. 

http://hackersclub.com/km/files/password_cracker/ucfjohn2.zip


"Its primary purpose is to detect weak UNIX passwords"
And use the Ripper to crack the passwd file.

Put the file into the same directory where john.exe is and run a brute force attack on the
file with the following command:

>john -incremental passwd.txt

This may take a while, in some cases it may take up to 3 weeks!!.
You can also attack the file with a wordlist, do this with the following command:

>john -wordlist:<wordlist> passwd.txt

=======================
Choosing the Right Password
=======================
Many people use weak passwords, easy guesable passwords, easy crackable passwords.
What is a weak password? example: protection
What is wrong with the password protection?, well the password doesn't contain any numbers,
it's a guesable word and it's all lower case, the lenght of the password is good though.

I would suggest a password like 0xS2vM87X, it contains Upper and Lower case letters,
its lenght is good (a good passwd has a min. lenght of 8 letters) and it contains letters and numbers.

Good passwords are better than changing passwords all the time. 
Forcing users to change passwords make them pick weak ones, and/or  write them down.

Don't use the Same password for everything!!, i had many cases where the mail passwd was the same
as the Root passwd....

There are Passwd generators who will generate passwords at random, if you would like this
you can download them at www.download.com.

=======================
Final Notes
=======================

	
Now u know a little about this shit, there are many ways of getting a

passwd file,
Ofcourse i only showed one method of getting a passwd file.
To get a passwd file the other way, you first need to find a hole in the 
services running
at various ports of the host.


GrtZ,

---=>KGB (fh_foxhound@hotmail.com)