
 __________________________________ 
|                                  |
|      Cracking Servers v1.0       |
|A System Administrator's Nightmare|
|__________________________________|


Introduction 
____________ 

This is by no means a new trick or exploit, for all the newbies reading 
this. In fact, there are multiple other texts out there that cover this same 
topic. Also, the chances of finding a server with this particular exploit or 
flaw are slim to none. Common sense should tell you that if you are reading 
this guide, System Administrators know about this flaw. So why read this 
tutorial? First off, no system is totally secure, and no matter how many of 
these guides are posted there will always be an Administrator out there 
who overlooks this particular form of system exploitation. Another question 
you might be asking yourself is, "Why should I read this guide if there are 
so many others covering this topic?" Well, a simple answer to that is that 
this guide is the newest tutorial covering this topic, and thus all links, 
information, etc. will be more up to date compared to other guides. 

Note: (please pay attention to these note boxes throughout this tutorial; 
they contain important tips, hints, and reminders for you) 



Disclaimer & Notice 
____________________ 

Attempting to gain, or gaining, unauthorized access to any computer system, 
network, Internet or Internet server is illegal and, of course, punishable 
by law. We will not, under any circumstances, accept any responsibility 
for any actions that you attempt or take with this information. Now, with 
that out of the way, are you sure you wish to continue? 



Section 1 
Tools 
_______________ 

First off, as with all projects, this one requires tools for the job. 
Provided below is a list of the needed tools and the places where you may 
obtain them, free of charge of course. As you continue on you may find that 
you don't need all of the tools. This is true, since some of them perform the 
same task as each other. As you get more experienced, personal style and 
taste may determine which particular tools you use. Your personal system 
requirements may also play a role. But for now, if you can, we suggest that 
you obtain all of these files until you are more equipped with knowledge. 


1. Netscape Navigator Web Browser 
Suggested Use - to explore possible targets and login anonymously by FTP. 
Obtainable At - http://www.netscape.com/download/ 

2. FTP Client 
Suggested Use - to anonymously log into servers to obtain the password file 
Obtainable At - http://www.thefreesite.com/freeftpprograms.htm 

3. Telnet Client 
Suggested Use - to log into a target once password / login combination has 
been obtained. 
Obtainable At - http://www.thefreesite.com/telnetfreeware.htm 

4. Password Cracker 
Suggested Use - to decrypt Unix password files 
Obtainable At - http://www.false.com/security/john/ 

5. Dictionary Word List 
Suggested Use - used by the password cracker, which tries word, letter, and 
number combinations from the list to find passwords and logins. 
Obtainable At - ftp://ftp.cso.uiuc.edu/pub/security/wordlists/ 


Note: (these sites and software are not system specific. Please make sure you 
read and know your particular system requirements before downloading so that 
the software you obtain will be compatible with your system. ) 
_____________________________________________________________________________ 


Section 2 
Identifying A Password File 
___________________________ 

The first step is being able to positively identify what it is you're 
searching for. In a sense, what is the point of going to buy a hard drive 
for your computer if you don't even know what one looks like, right? So below 
are some examples of password files. Study and learn what they look like so 
that when you come across one you will at least be able to identify it. 


UN-Shadowed Password File 
__________________________ 

This is the type of password file you will be searching for. The passwords 
in it are in encrypted (hashed) form, but the file is not shadowed, so a 
password cracker can be run against it to recover the passwords. 


fldl0001:oS6quCRbDkmuM:537:300:Diane Laing:/home/fldl0001:/bin/bash 
alastair:UZ9MFB7pOLvH6:540:100:Alastair Sommerville:/home/alastair:/bin/bash 
y2aberne:SjfSyVTnZ3ZT6:541:300:Kate Abernethy:/home/y2aberne:/bin/bash 
y2ronxin:Ter0LeetG7uH6:542:300:Maggie Ronxin:/home/y2ronxin:/bin/bash 
y2fair:.HocpfcuhgBbU:543:300:Jane Fair:/home/y2fair:/bin/bash 
y2mcbrid:faARb1ftg.xfg:544:300:Emma McBride:/home/y2mcbrid:/bin/bash 
y2hunter:HdXaBQoGpdR1Q:545:300:Gavin Hunter:/home/y2hunter:/bin/bash 
y2marsha:3dtDG9VDCAXAw:546:300:Ruth Marshall:/home/y2marsha:/bin/bash 
y2halket:AcuYHIXytcDac:547:300:Steven Halkett:/home/y2halket:/bin/bash 
y2macfar:g1k5tnbE3mn4w:548:300:Cassidy MacFarlane:/home/y2macfar:/bin/bash 
d2wilson:u7TfMN0MeKPjY:550:300:Robert Wilson:/home/d2wilson:/bin/bash 
d2hunter:b7wdUmJobrfuc:551:300:Douglas Hunter:/home/d2hunter:/bin/bash 
d2bell:k9SnbgYAdblnI:552:100:David Bell:/home/d2bell:/bin/bash 
d2lane:eArmBPOBOn3J.:553:300:David Lane:/home/d2lane:/bin/bash 
y2bentle:A725bDhP/gCNE:554:300:Scott Bentley:/home/y2bentle:/bin/bash 

(Note that some password files will be much larger than this. This is just a 
portion of one, copied for explanation purposes. Being able to 
distinguish the different parts of a password file is helpful but in all 
reality not completely necessary. All you need to be able to do is recognize: 

A) It is a password file. 

and 

B) Whether the file is shadowed or UN-shadowed. However, since you are a 
"cracker" you should want to learn all that is possible, so we will explain 
the pieces of the password file.) 


Let's examine a line from the password file: 

y2bentle:A725bDhP/gCNE:554:300:Scott Bentley:/home/y2bentle:/bin/bash 

1. y2bentle - this is the login name of the user. 
2. A725bDhP/gCNE - this is the encrypted password of the user (don't get 
excited, you must decrypt it before use). 
3. 554 - this is the user's ID number (UID). 
4. 300 - the group ID number (GID). 
5. Scott Bentley - this is the "Real Name" of the user. But as you can 
imagine, it isn't always the real name, so a better way to think of this is 
the name provided by the user. 
6. /home/y2bentle - this is the home directory of the user. 
7. /bin/bash - this is the type of shell the user has. 

So, just to refresh and to make it easier to remember, the contents of a line 
of a password file are as follows: 

username:encrypted password:user number:group number:real name:home directory:type of shell 


Shadowed Password Files 
_______________________ 

The other type of password file you may run into is called a 
"shadowed" password file. The reason it is called this is that instead 
of the encrypted password after the username, the file will contain an x or *. 
These are the type of files you will most commonly run across. Unfortunately, 
there is no way to "UN-shadow" a password file. But to keep a little hope 
alive in this situation, System Administrators sometimes keep a backup copy of 
the password file, and most times this backup copy is in UN-shadowed format. 
First, below is an example of a shadowed password file. 

root:*:0:0:Charlie &:/root:/bin/csh 
toor:*:0:0:Bourne-again Superuser:/root: 
daemon:*:1:31:Owner of many system processes:/root: 
operator:*:2:20:System &:/usr/guest/operator:/bin/csh 
bin:*:3:7:Binaries Commands and Source,,,:/:/nonexistent 
games:*:7:13:Games pseudo-user:/usr/games: 
news:*:8:8:News Subsystem:/:/nonexistent 
man:*:9:9:Mister Man Pages:/usr/share/man: 
uucp:*:66:66:UUCP pseudo-user:/var/spool/uucppublic:/usr/libexec/uucp/uucico 
xten:*:67:67:X-10 daemon:/usr/local/xten:/nonexistent 
nobody:*:65534:65534:Unprivileged user:/nonexistent:/nonexistent 
ftp:*:14:5:Anonymous FTP Admin:/var/ftp:/bin/date 
y2bentle:*:554:300:Scott Bentley:/home/y2bentle:/bin/bash 

Here is a normal example of a shadowed password file. To you as a 
"cracker", this file is not worth the space it takes up. As I mentioned above, 
though, some System Administrators keep backup copies of the password file 
that are usually UN-shadowed. Below is a list, according to Operating System, 
of where you might find some of these backups. 
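The administrator's side of the two cases described above is a quick audit: split each line of a passwd file into its seven fields and flag any account whose second field still holds a hash (or nothing at all) instead of a shadow token. This is an added example, not code from the original tutorial; the set of shadow tokens and the "nopass" entry are my assumptions, the other sample lines are copied from the listings above.

```python
from dataclasses import dataclass

# Sample input: three lines copied from the listings above plus one
# constructed entry ("nopass") with an empty password field.
SAMPLE_PASSWD = """\
y2bentle:A725bDhP/gCNE:554:300:Scott Bentley:/home/y2bentle:/bin/bash
root:*:0:0:Charlie &:/root:/bin/csh
daemon:x:1:31:Owner of many system processes:/root:/nonexistent
nopass::600:300:Empty Password Field:/home/nopass:/bin/bash
"""

# Assumed set of placeholder values meaning "the hash lives in the shadow
# file" or "account locked", rather than a hash a cracker could work on.
SHADOW_TOKENS = {"x", "*", "!", "!!", "*LK*", "NP"}

@dataclass
class PasswdEntry:
    login: str
    pw_field: str   # second field: hash, shadow token, or empty
    uid: int
    gid: int
    gecos: str      # the "real name" field
    home: str
    shell: str

    def status(self) -> str:
        """Classify the second field as the text above describes."""
        if self.pw_field == "":
            return "empty"        # no password at all
        if self.pw_field in SHADOW_TOKENS:
            return "shadowed"     # nothing here to run a cracker against
        return "unshadowed"       # the hash itself is exposed in passwd

def parse_passwd(text: str) -> list[PasswdEntry]:
    """Split passwd-style lines on ':' into the seven fields listed above."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        login, pw, uid, gid, gecos, home, shell = fields
        entries.append(PasswdEntry(login, pw, int(uid), int(gid), gecos, home, shell))
    return entries

def exposed_accounts(text: str) -> list[str]:
    """Logins an administrator should fix: exposed hash or empty password."""
    return [e.login for e in parse_passwd(text)
            if e.status() in ("unshadowed", "empty")]
```

Run against a real /etc/passwd (and any backup copies lying in the FTP tree), an empty result is what a shadowed system should produce.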

UNIX            Path                             Token 
---------------------------------------------------------------- 
AIX 3           /etc/security/passwd             ! 
          or    /tcb/auth/files/ / 
SunOS4.1+c2     /etc/security/passwd.adjunct     ##username 
SunOS 5.0       /etc/shadow 

Once you're in the folder John the Ripper is in, type 

john -w:(Dictionary File) (Password File) 
john is there because it's the name of the program. 

-w stands for word file. 

(Dictionary File) - replace this with the name of the Dictionary File you're 
using. 

(Password File) - replace this with the name of your password file. 

Now hit enter and John will start cracking the password file. When it 
finds a match it will beep and display the password and the username on the 
screen. To see the current status of John, just press any key. 

The problem with Cracker Jack, and the reason John the Ripper is 
considered better, is that Cracker Jack requires clean memory, meaning it 
must be run from real MS-DOS: 

click on the start button 
click on shut down 
click on the restart in MS-DOS 

Once you're in real MS-DOS, go to the directory where Cracker Jack is. It 
could be C:\CrackerJack, so your DOS prompt would be C:\CrackerJack>. Here 
type in jack and Cracker Jack will ask you for a password file and for a 
dictionary file: 

PWfile(s): (Password File) 
Wordfile: (Dictionary File) 

Now press enter and Cracker Jack will start cracking the password file. If 
there are no matches, try another word file. But sometimes the password file 
is shadowed, meaning it cannot be cracked, which you learned about 
earlier in this document. 
_____________________________________________________________________________ 



Section 5 
Using Your New Found Login and Password 
________________________________________ 

Well, assuming you have now found at least one user and password 
combination, what do you do with them? Here's a short explanation. 
Open up your telnet client. Click on FILE - REMOTE SYSTEM. Then enter the 
server you wish to connect to. After a few seconds you will get a prompt 
asking for your login. Enter your login, then, at the password prompt, the 
password you found. Once you're inside you are on your own, because this is 
not a guide to Unix. However, depending on the level of the user/pass you got, 
you could have multiple powers. If you got root, that's it: you own the 
system. You have superuser power over everything. However, I highly doubt you 
have root. Most likely you have a shell access user/pass combo, so once you 
log in you have control over that user's shell and their Web Site, if they 
have one on the server. However, since you are a hacker and not a cracker, you 
should live by and follow the ethics. So instead of doing the obvious damage 
you could, you should simply log out (after looking around perhaps; after all, 
we are "crackers" and curious). Then send an email to the System Administrator 
of the server you cracked. You don't need to go into detail, but just inform 
them that their password file is obtainable through anonymous ftp and is not 
shadowed, so decryption is possible. Now you may get any number of responses 
back, from "You worthless lousy hacker!" to "Thank you so much for the tip, I 
will give you a free service of some kind". Either way you did your part by 
not causing damage and reporting the obvious flaw. If the System Admin still 
doesn't fix it, then they are in the wrong line of work; not your problem. 


Look out for the next version of "Cracking Servers" at these Web 
Sites listed below. The next version will go more in-depth with cracking 
servers with exploits, through shell accounts, gaining root on your new found 
server and much more.