| Cracking Servers v1.0 |
| ~~~~~~~~~~~~~~~~~~~~~ |
|A System Administrators ehsan |
By far this is no new trick or exploit for all the newbies reading
this. In fact there are multiple other texts out there that cover this same
topic. Also, the chances of finding a server with this particular exploit or
flaw are slim to none. Common sense should tell you that if you are reading
this guide, System Administrators know about this flaw. So why read this
tutorial? First off, no system is totally secure, and no matter how many of
these guides are posted there are always going to be Administrators out there
who overlook this particular form of system exploitation. Another question
you might be asking yourself is, "Why should I read this guide if there are
so many others covering this topic?" Well, a simple answer to that is that
this guide is the newest tutorial covering this topic, and thus all links,
information, etc. will be more up to date compared to other guides.
Note: (please pay attention to these note boxes throughout this tutorial;
they contain important tips, hints, and reminders for you.)
Disclaimer & Notice
Attempting to gain, or gaining, unauthorized access to any computer system,
network, Internet or Internet server is illegal and of course punishable
by law. We will not, under any circumstances, accept any responsibility
for any actions that you attempt or take with this information. Now, with
that out of the way, are you sure you wish to continue?
First off, as with all projects, this one requires tools for the job.
Provided below is a list of the needed tools and the places where you may
obtain them, free of charge of course. As you continue on you may find that
you don't need all of the tools. This is true, for some complete the same
task as each other. As you get more experienced, personal style and taste may
determine which particular tools you use. Your personal system requirements
may also play a role. But for now, if you can, we suggest that you obtain all
of these files until you are better equipped with knowledge.
1. Netscape Navigator Web Browser
Suggested Use - to explore possible targets and log in anonymously by FTP.
Obtainable At - http://www.netscape.com/download/
2. FTP Client
Suggested Use - to anonymously log into servers to obtain the password file
Obtainable At - http://www.thefreesite.com/freeftpprograms.htm
3. Telnet Client
Suggested Use - to log into a target once password / login combination has
Obtainable At - http://www.thefreesite.com/telnetfreeware.htm
4. Password Cracker
Suggested Use - to decrypt Unix password files
Obtainable At - http://www.geocities.com/saimo_br/pwdcrackers.html
5. Dictionary Word List
Suggested Use - used by the password cracker to compare word, letter, and
number combinations in order to find passwords and logins.
Obtainable At - http://www.geocities.com/saimo_br/lists.html
Note: (these sites and software are not system specific. Please make sure you
read and know your particular system requirements before downloading, so that
the software you obtain will be compatible with your system.)
Identifying A Password File
The first step is being able to positively identify what it is you're
searching for. In a sense, what is the point of going to buy a hard drive
for your computer if you don't even know what one looks like, right? So below
are some examples of password files. Study and learn what they look like so
that when you come across one you will at least be able to identify it.
UN-Shadowed Password File
This is the type of password file you will be searching for. It is in
encrypted format but is not shadowed, thus allowing you to run a
password cracker to decrypt the file.
(Note that some password files will be much larger than this. This is just a
portion of one copied for explanation purposes. Being able to
distinguish the different parts of a password file is helpful but in all
reality not completely necessary. All you need to be able to do is recognize:
A) that it is a password file;
B) whether the file is shadowed or UN-shadowed. However, since you are a
"cracker" you should want to learn all that is possible, so we will explain
the pieces of the password file.)
Let's examine a line from the password file:
1. y2bentle - this is the login name of the user.
2. A725bDhP/gCNE - this is the encrypted password of the user (don't get
excited, you must decrypt it before use).
3. 554 - this is the user's number (the UID).
4. 300 - the group number (the GID).
5. Scott Bentley - this is the "Real Name" of the user. But as you can
imagine it isn't always the real name, so a better way to think of this is
the name provided by the user.
6. Home/y2bentle - this is the home directory of the user.
7. /bin/bash - this is the type of shell the user has.
So, just to refresh and to make it easier to remember, the contents of a line
of a password file are as follows:
username:encrypted password:user number:group number:real name:home directory
:type of shell
Shadowed Password Files
The other type of password file you may run into is called a
"shadowed" password file. The reason it is called this is because instead
of the encrypted password after the username, the file will contain an x or *.
These are the type of files you will most commonly run across. Unfortunately
there is no way to "UN-shadow" a password file. But to keep a little hope
alive in this situation, System Administrators sometimes keep a backup copy of
the password file. Most times this backup copy is in UN-shadowed format.
First, below is an example of a shadowed password file.
daemon:*:1:31:Owner of many system processes:/root:
bin:*:3:7:Binaries Commands and Source,,,:/:/nonexistent
man:*:9:9:Mister Man Pages:/usr/share/man:
ftp:*:14:5:Anonymous FTP Admin:/var/ftp:/bin/date
This is a normal example of a shadowed password file. To you as a
"cracker", this file is not worth the space it takes up. As I mentioned above,
though, some System Administrators keep backup copies of the password file
that are usually UN-shadowed. Below is a list, according to Operating System,
of where you might find some of these backups.
UNIX                  Path                              Token
AIX 3                 /etc/security/passwd              !
    or                /tcb/auth/files/
A/UX 3.0s             /tcb/files/auth/?/                *
BSD4.3-Reno           /etc/master.passwd                *
ConvexOS 11           /etc/shadow                       *
DG/UX                 /etc/tcb/aa/user/                 *
EP/IX                 /etc/shadow                       x
HP-UX                 /.secure/etc/passwd               *
IRIX 5                /etc/shadow                       x
Linux 1.1             /etc/shadow                       *
OSF/1                 /etc/passwd[.dir|.pag]            *
SCO Unix #.2.x        /tcb/auth/files/                  /
SunOS4.1+c2           /etc/security/passwd.adjunct      ##username
SunOS 5.0             /etc/shadow                       maps/tables/whatever
System V Release 4.0  /etc/shadow                       x
System V Release 4.2  /etc/security/* database
Ultrix 4              /etc/auth[.dir|.pag]              *
UNICOS                /etc/udb                          *
If you don't have any luck finding an UN-shadowed copy of the
password file in these directories, you are probably out of luck. But make
sure you search through the system if you are determined to find a password
for that system. You never know what you might uncover.
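To tie the two file types together, here is an added audit script (not part of the original tutorial) that parses lines in the seven-field format described above and reports which accounts still carry an encrypted password in the second field instead of a shadow token such as x or *. The sample lines are constructed for the example; the y2bentle line reuses the fields walked through earlier, and the hypothetical guest line shows the empty-password case an administrator also needs to catch.

```python
import re

# Seven colon-separated fields, in the order the tutorial lists them.
FIELDS = ("user", "passwd", "uid", "gid", "gecos", "home", "shell")

# Second-field values that mean "real hash lives elsewhere" or "account locked":
# the x and * tokens from the tutorial plus the ! / !! forms used by other Unixes.
SHADOW_TOKENS = {"x", "*", "!", "!!", "*NP*", "*LK*"}

# Classic 13-character crypt(3) DES hash: 2-char salt + 11 hash chars.
DES_HASH = re.compile(r"^[./0-9A-Za-z]{13}$")

def classify(passwd_field: str) -> str:
    """Classify one password field the way an auditor would."""
    if passwd_field == "":
        return "empty"          # no password at all
    if passwd_field in SHADOW_TOKENS or passwd_field.startswith("!"):
        return "shadowed"
    if DES_HASH.match(passwd_field) or passwd_field.startswith("$"):
        return "exposed"        # a crackable hash sits in the readable file
    return "unknown"

def parse_passwd(text: str) -> list[dict]:
    """Parse passwd-format text into dicts; malformed lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != len(FIELDS) or not (parts[2].isdigit() and parts[3].isdigit()):
            continue
        entry = dict(zip(FIELDS, parts))
        entry["status"] = classify(entry["passwd"])
        entries.append(entry)
    return entries

def exposed_users(text: str) -> list[str]:
    """Accounts whose hash (or lack of password) is readable in this file."""
    return [e["user"] for e in parse_passwd(text) if e["status"] in ("exposed", "empty")]

# Constructed sample: two shadowed system accounts, the unshadowed line the
# tutorial dissects (y2bentle), and one hypothetical account with an empty password.
SAMPLE = """\
daemon:*:1:31:Owner of many system processes:/root:
ftp:*:14:5:Anonymous FTP Admin:/var/ftp:/bin/date
y2bentle:A725bDhP/gCNE:554:300:Scott Bentley:/home/y2bentle:/bin/bash
guest::600:300:Guest account:/home/guest:/bin/sh
"""

if __name__ == "__main__":
    for e in parse_passwd(SAMPLE):
        print(f"{e['user']:10} {e['status']}")
    print("needs attention:", exposed_users(SAMPLE))
```

Running it against a real /etc/passwd (or a backup copy found in the paths above) tells an administrator at a glance whether anything other than shadow tokens is sitting in the world-readable file.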
Obtaining the Password File
Now that you have your tools, can identify a password file, and know its
pieces, you are ready to move on to obtaining a file. There are actually
two styles in which you can obtain a file anonymously that will be covered in
this section: the PHF Exploit and Anonymous FTP.
The PHF Exploit is exactly that: an exploit that takes advantage of a
hole in a CGI program that prints the password file nice and pretty onto your
screen. Although most servers have fixed this hole, it still can't hurt to try.
To attempt this exploit you simply open your web browser and enter the
following into the address bar.
Hit enter and you're off. For example, if your target was Microsoft,
you would enter
If it works, you sit back and copy the password file off your
screen. Put it into your favorite word processor and you're set. Now, most
servers as I said have fixed this exploit, and you will usually get a
404 ERROR NOT FOUND. However, some System Administrators take it a little
further and set up loggers. They log your attempts. When this happens you will
usually get something like
At date and time
Hostname and IP
You might even get a fancy message, such as "GOTCHA!" Now, if you get
logged, don't up and start packing your bags and heading for the border. The
first thing to remember is that you didn't break any laws. There is no law
against typing what you want into the address bar of your browser. There is no
law against copying whatever it displays on your screen. There is no law
against saving that information. There is not even any law against decrypting
it. There is, however, a law against logging in with it. At worst, if you
attempt the PHF technique on a really overly stressed System Administrator they
might notify your Administrator of your attempt. But in 99% of cases they
will just let it go. You didn't get any information and they know that, so why
go through the trouble?
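On the administrator's side of that exchange, here is an added example (not from the original tutorial) of what the "loggers" mentioned above boil down to: a scan over Apache common-log-format lines that reports the date, time and client address of every request for the phf CGI, whether it was answered with the usual 404 or not. The log lines are constructed for the example; /cgi-bin/phf is the program's standard location, and the `name=test` query string is an arbitrary placeholder, not a payload.

```python
import re
from datetime import datetime
from typing import Optional

# Apache common log format: host ident user [time] "request" status bytes
LOG_LINE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# The phf CGI normally lives under /cgi-bin/; any request for it is a probe
# worth recording, whether or not the program is still installed.
PHF_PATH = re.compile(r"/cgi-bin/phf(?:[?/]|$)", re.IGNORECASE)

def parse_line(line: str) -> Optional[dict]:
    """Split one access-log line into its parts; returns None if it doesn't match."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    method, _, rest = m.group("request").partition(" ")
    path = rest.split(" ")[0] if rest else ""
    when = datetime.strptime(m.group("time"), "%d/%b/%Y:%H:%M:%S %z")
    return {"host": m.group("host"), "time": when, "method": method,
            "path": path, "status": int(m.group("status"))}

def phf_probes(log_text: str) -> list:
    """Return the parsed entries that asked for the phf CGI, in log order."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and PHF_PATH.search(entry["path"]):
            hits.append(entry)
    return hits

def report(log_text: str) -> list:
    """One 'At date and time / Hostname and IP' style line per probe."""
    return [f"{e['time']:%Y-%m-%d %H:%M:%S} phf probe from {e['host']} "
            f"(HTTP {e['status']})" for e in phf_probes(log_text)]

# Constructed sample log: two ordinary requests, two phf probes (one answered
# with the 404 the tutorial says is usual) and one line that is not a log entry.
SAMPLE_LOG = """\
192.0.2.10 - - [22/Jun/1998:17:01:00 +0000] "GET /index.html HTTP/1.0" 200 1043
198.51.100.7 - - [22/Jun/1998:17:02:14 +0000] "GET /cgi-bin/phf?name=test HTTP/1.0" 404 209
192.0.2.10 - - [22/Jun/1998:17:02:30 +0000] "GET /pub/ HTTP/1.0" 200 512
203.0.113.5 - - [22/Jun/1998:17:05:41 +0000] "GET /cgi-bin/phf HTTP/1.0" 200 1877
this line is not in common log format
"""

if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```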
Obtaining the password file through anonymous FTP is probably the
most common way you will be able to access one. There are a couple of
different methods in which you can do this that will be covered, but first you
need to know something about FTP (file transfer protocol), where you are
looking, etc. First of all, you should know that all servers have the password
file in the /etc directory. So this is where you want to look. Also make sure
you are looking off of the highest directory of the tree when you check the
/etc directory. The next thing you will need to know is the name of the
password file you are looking for. Now I have seen password files come named
many things. But 9 out of 10 times it will be one of two names: either
(passwd) or (passwd.db). So now that you know where to look and what the
names of the files are, let's move on to how to log in and obtain them.
Anonymous FTP w/ Netscape
This is probably one of the easiest ways to anonymously log into an
FTP server. All you need to do is open your Netscape browser. Then in the
address bar type in
With that you should be able to connect to the server. However, you may
receive a screen with a message like
Anonymous Users Not Allowed
This means that the server either doesn't have an anonymous FTP server, or
the System Administrator has blocked access to anonymous FTP.
However, assuming that your selected target does allow anonymous FTP, then you
should see a screen somewhat like this.
Current directory is /
bin/ Mon Jun 22 17:01:00 1998 Directory
etc/ Mon Jun 22 17:01:00 1998 Directory
lib/ Mon Jun 22 17:03:00 1998 Directory
pub/ Fri May 08 00:00:00 1998 Directory
Now from there you just click on the link for the /etc directory. Find the
file named either passwd or passwd.db and download it. Or you can click the
link and then copy and paste the file from your screen if you prefer. Pretty
easy, right? That's why 99% of servers have fixed this hole.
Anonymous FTP w/ an FTP Client
Well, a lot of you will be used to using an FTP client to upload and
download files from the World Wide Web. Since there are so many
different kinds, this document will touch on enough of the basics to get you
through. Besides, a little thinking never hurt anyone. So to get you started
you open up your FTP client. Now, if you're using a Windows client, and I
imagine most of you are, then you should find a link or a button somewhere to
bring up a connection screen. Then you will probably see options and spaces to
fill in the following.
Note: (these are only the must-have/most popular options of the FTP clients
used. You may have more or less. It's important for you to get comfortable
using your preferred software.)
FTP SERVER- target goes here
NAME- name of target goes here
LOGIN NAME- login name goes here
PASSWORD- password goes here
On most clients there is also a check box option for anonymous logins. If
your client has this option, just check this box and all you have to enter is
the FTP SERVER and SERVER NAME. However, if you don't have the check box
option you will need to manually fill in your login and password for
anonymous. So if you were connecting to Microsoft you would use the following
FTP SERVER- ftp.microsoft.com
LOGIN NAME- anonymous
PASSWORD- your email or "an" email address here
Once this is all filled in, simply hit the connect button. If the server
doesn't allow anonymous connections then you will get an error message.
However, if you do get connected you will probably (depending on your client
choice) see a screen something like that of Windows Explorer, with a frame on
the right and one on the left that have file folders in them. Usually the one
on the left will be your hard drive contents, and the one on the right will
be the contents of the server you are connected to. Then you simply find the
folder named /etc. Double click on it to enter that directory and find the
(passwd) or (passwd.db) file. Now, once again, most (but not all) clients
support drag and drop. So just click once on the password file, hold down the
mouse button and drag it across to your hard drive frame. Drop it in and the
client will take care of the rest. And that is all there is to using an FTP
client to get a password file.
Note: (these instructions are for a Windows FTP client that supports drag and
drop features. If you are using a different operating system or your client
doesn't support these features, simply follow the same instructions above but
use your client's particular method for downloading a file.)
Decrypting A Password File
To decrypt a password file you will need a password cracker. You can
find John the Ripper at the top of this document. John the Ripper is the
most popular password cracker. There are several other good password crackers,
such as Cracker Jack, which will also be explained in this section. There are
three main things needed to crack a password file.
1) Password Cracker
2) Password File
3) Word List
A Password Cracker takes the password file and compares every word in the
word list against it until it finds a match. When a match is found it beeps
and displays the password and the username on the screen. Before cracking the
password file you first have to make sure that the password file and the word
list are in the same directory as the password cracker. Now you open MS-DOS:
click on the Start button in the task bar
look in the Programs directory
click on MS-DOS Prompt
Now you should see an MS-DOS window open. Change to the
directory the password cracker is in. It could be C:\John the Ripper>. Once
you're in the folder John the Ripper is in, type
john -w:(Dictionary File) (Password File)
john is there because it's the name of the program.
-w stands for word file.
(Dictionary File) replace this with the name of the Dictionary File you're
(Password file) is where you type the name of your password File.
Now you hit enter and John will start cracking the password file. When it
finds a match it will beep and display the password and the username on the
screen. To see the current status of John, just press any key.
The problem with Cracker Jack, and the reason John the Ripper is
considered better, is that Cracker Jack requires clean memory, meaning it
must be run from real MS-DOS:
click on the Start button
click on Shut Down
click on Restart in MS-DOS mode
Once you're in real MS-DOS, go to the directory where Cracker Jack is. It
could be C:\CrackerJack, so your DOS prompt would be C:\CrackerJack>. Here
type in jack and Cracker Jack will ask you for a password file and for a
PWfile(s): (Password File)
Wordfile: (Dictionary File)
Now press enter and Cracker Jack will start cracking the password file. If
there are no matches, try another word file. But sometimes the password file
is shadowed, meaning it cannot be cracked, which you have learned about
earlier in this document already.
Using Your New Found Login and Password
Well, assuming you have now found at least one user and password
combination, what do you do with them? Well, here's a short explanation.
Open up your telnet client. Click on FILE - REMOTE SYSTEM. Then enter the
server you wish to connect to. After a few seconds you will get a prompt
asking for your login. Enter your login, then one for password. You enter the
password you found. Once you're inside you are on your own, because this is
not a guide to Unix. However, depending on the level of user/pass you got you
could have multiple powers. If you got root, that's it: you own the system.
You have superuser power over everything. However, I highly doubt you have
root. Most likely you have a shell access user/pass combo. So once you log in
you have control over that user's shell and their Web Site if they have one on
the server. However, since you are a hacker and not a cracker you should live
by and follow the ethics. So instead of doing the obvious damage you could, you
should simply log out (after looking around perhaps, after all we are
"crackers" and curious). Then send an email to the System Administrator of
the server you cracked. You don't need to go into detail, but just inform them
that their password file is obtainable through anonymous FTP and it is not
shadowed, so decryption is possible. Now you may get any number of responses
back, from "You worthless lousy hacker!" to "Thank you so much for the tip, I
will give you a free service of some kind". Either way you did your part by
not causing damage and reporting the obvious flaw. If the System Admin still
doesn't fix it then they are in the wrong line of work; not your problem.
Look out for the next version of "Cracking Servers" at the Web
Sites listed below. The next version will go more in-depth into cracking
servers with exploits, through shell accounts, gaining root on your newly found
server and much more.
Web Site: http://members.xoom.com/sublivion/
Co-author: Viper NT
Web Site: http://members.xoom.com/vipernt
Web Site: http://thenewbiesare.8m.com
Shout-outs to the rest of the team and HellFire
Copyright © 2003 hack boys & iranhacker security NT, All Rights Reserved
A Notorious Snipers Production