Chapter 2: Passwords

Cracking Unix passwords:

Contrary to popular belief, UNIX passwords cannot be decrypted. UNIX passwords are encrypted with a one way function. The login program encrypts the text you enter at the "Password:" prompt and compares that encrypted string against the encrypted form of your password.

Password cracking software uses wordlists. Each word in the wordlist is encrypted and the results are compared to the encrypted form of the target password.

The best cracking program for UNIX passwords is currently Crack by Alec Muffett. For PC-DOS, the best package to use is currently CrackerJack.

Password Shadowing:

Password shadowing is a security system where the encrypted password field of /etc/passwd is replaced with a special token and the encrypted password is stored in a separate file which is not readable by normal system users.

To defeat password shadowing on many (but not all) systems, write a program that uses successive calls to getpwent() to obtain the password file.

Finding the shadowed password:

UNIX                  Path                            Token
-----------------------------------------------------------------
AIX 3                 /etc/security/passwd            !
                      /tcb/auth/files/[first letter   #
                            of username]/[username]
A/UX 3.0s             /tcb/files/auth/?/*
BSD4.3-Reno           /etc/master.passwd              *
ConvexOS 10           /etc/shadpw                     *
ConvexOS 11           /etc/shadow                     *
DG/UX                 /etc/tcb/aa/user/               *
EP/IX                 /etc/shadow                     x
HP-UX                 /.secure/etc/passwd             *
IRIX 5                /etc/shadow                     x
Linux 1.1             /etc/shadow                     *
OSF/1                 /etc/passwd[.dir|.pag]          *
SCO UNIX #.2.x        /tcb/auth/files/[first letter   *
                            of username]/[username]
SunOS4.1+c2           /etc/security/passwd.adjunct    ##username
SunOS 5.0             /etc/shadow
                      [optional NIS+ private secure maps/tables/whatever]
System V Release 4.0  /etc/shadow                     x
System V Release 4.2  /etc/security/* database
Ultrix 4              /etc/auth[.dir|.pag]            *
UNICOS                /etc/udb                        *
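
An audit check built on the token column above, as an added example that is not part of the original text: it classifies the password field of passwd-format lines as shadowed, exposed or empty, and tests whether a file is world-readable. The function names and sample lines are constructed, and recognising a hash by its 13-character crypt(3) form or a leading "$" is an assumption the page does not state.

```python
import os
import re
import stat

# Tokens the table above lists as standing in for a shadowed password.
SHADOW_TOKENS = {"*", "x", "!", "#"}
# Assumption: traditional crypt(3) output is 13 characters from [./0-9A-Za-z].
DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")


def classify(line):
    """Return (username, status) for one passwd-format line."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 7:
        return fields[0], "malformed"
    user, pw = fields[0], fields[1]
    if pw == "":
        return user, "empty"        # account has no password at all
    if pw in SHADOW_TOKENS or pw == "##" + user:
        return user, "shadowed"     # real hash lives in the protected file
    if DES_CRYPT.match(pw) or pw.startswith("$"):
        return user, "exposed"      # hash readable by every local user
    return user, "other"            # anything else, e.g. a site lock marker


def audit(lines):
    """Return the (username, status) pairs that need attention."""
    results = (classify(l) for l in lines if l.strip())
    return [r for r in results if r[1] in ("empty", "exposed", "malformed")]


def world_readable(path):
    """True if the file's mode grants read access to all users."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


# Constructed sample, not taken from any real system.
SAMPLE = """\
root:x:0:0:root:/root:/bin/sh
alice:abJnggxhB/yJ2:1001:100:Alice:/home/alice:/bin/sh
bob::1002:100:Bob:/home/bob:/bin/sh
carol:##carol:1003:100:Carol:/home/carol:/bin/sh
dave:*:1004:100:Dave:/home/dave:/bin/sh
""".splitlines()

if __name__ == "__main__":
    for user, status in audit(SAMPLE):
        print(f"{user}: password field is {status}")
```

Run audit() over the lines of the system's own passwd file and world_readable() on the shadow path the table gives for that system; any "exposed" entry or a world-readable shadow file means shadowing is not protecting those hashes.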