    .222.56.70
     6   426 ms   548 ms   437 ms  core3.Memphis.mci.net [204.70.125.1]
     7   399 ms   448 ms   461 ms  core2-hssi-2.Houston.mci.net [204.70.1.169]
     8   400 ms   466 ms   512 ms  border7-fddi-0.Houston.mci.net [204.70.191.51]
     9   495 ms   493 ms   492 ms  american-comm-svc.Houston.mci.net [204.70.194.86]
    10   522 ms   989 ms   490 ms  webdownlink.foobar.net [208.128.37.98]
    11   468 ms   493 ms   491 ms  208.128.xx.33
    12   551 ms   491 ms   492 ms  fubar.com [208.128.xx.61]

If someone were to put a sniffer on any computer on that route, they could get my password! Now do you want to go telneting around from one of your accounts to another?

A solution to this problem is to use Secure Shell. This is a program you can download for free from http://escert.upc.es/others/ssh/. According to the promotional literature, Ssh (Secure Shell) is a program to log into another computer over a network, to execute commands in a remote machine, and to move files from one machine to another. It provides strong authentication and secure communications over insecure channels.

If you want to get a password on a computer that you know is being accessed remotely by people using Windows 3.X, and if it is using Trumpet Winsock, and if you can get physical access to that Windows box, there is a super easy way to uncover the password. You can find the details, which are so easy they will blow your socks off, in the Bugtraq archives. Look for an entry titled "Password problem in Trumpet Winsock." These archives are at http://www.netspace.org/lsv-archive/bugtraq.html

Another way to break into a computer is to get the entire password file. Of course the password file will be encrypted. But if your target computer doesn't run a program to prevent people from picking easy passwords, it is easy to decrypt many passwords.

But how do you get password files? A good systems administrator will hide them well so even users on the machine that holds them can't easily obtain the file.

The simplest way to get a password file is to steal a backup tape from your victim. This is one reason that most computer break-ins are committed by insiders.

But often it is easy to get the entire password file of a LAN remotely from across the Internet. Why should this be so? Think about what happens when you log in. Even before the computer knows who you are, you must be able to command it to compare your user name and password with its password file. What the computer does is perform its encryption operation on the password you enter and then compare it with the encrypted entries in the password file. So the entire world must have access somehow to this encrypted password file. Your job as the would-be cracker is to figure out the name of this file and then get your target computer to deliver this file to you.

A tutorial on how to do this, which was published in the ezine K.R.A.C.K (produced by od^pheak), follows. Comments in brackets have been added to the K.R.A.C.K. text.

*********************************************

Strategy For Getting Root With a Shadowed Passwd

Step #1

Anonymous ftp into the server, get passwd.

[This step will almost never work, but even the simplest attack may be worth a try.]

Step #2

To defeat password shadowing on many (but not all) systems, write a program that uses successive calls to getpwent() to obtain the password file. Example:

    #include <pwd.h>     /* struct passwd, getpwent() */
    #include <stdio.h>   /* printf() */

    int main(void)
    {
        struct passwd *p;

        /* getpwent() walks the password database one entry at a time and
           returns NULL when there are no more entries. */
        while ((p = getpwent()) != NULL)
            printf("%s:%s:%d:%d:%s:%s:%s\n", p->pw_name, p->pw_passwd,
                   p->pw_uid, p->pw_gid, p->pw_gecos, p->pw_dir, p->pw_shell);

        endpwent();
        return 0;
    }

Or you can look for the unshadowed backup.

[The following list of likely places to find the unshadowed backup is available from the Hack FAQ written by Voyager. It may be obtained from http://www-personal.engin.umich.edu/~jgotts/hack-faq]

    Unix                    Path needed                       Token
    ------------------------------------------------------------------
    AIX 3                   /etc/security/passwd              !
        or                  /tcb/auth/files//
    A/UX 3.0s               /tcb/files/auth/?/                *
    BSD4.3-Reno             /etc/master.passwd                *
    ConvexOS 10             /etc/shadpw                       *
    ConvexOS 11             /etc/shadow                       *
    DG/UX                   /etc/tcb/aa/user/                 *
    EP/IX                   /etc/shadow                       x
    HP-UX                   /.secure/etc/passwd               *
    IRIX 5                  /etc/shadow                       x
    Linux 1.1               /etc/shadow                       *
    OSF/1                   /etc/passwd[.dir|.pag]            *
    SCO Unix #.2.x          /tcb/auth/files//
    SunOS4.1+c2             /etc/security/passwd.adjunct      ##username
    SunOS 5.0               /etc/shadow
    System V Release 4.0    /etc/shadow                       x
    System V Release 4.2    /etc/security/* database
    Ultrix 4                /etc/auth[.dir|.pag]              *
    UNICOS                  /etc/udb

Step #3

Crack it.

[See below for instructions on how to crack a password file.]

**************************************************

So let's say you have managed to get an encrypted password file. How do you extract the passwords?

An example of one of the many programs that can crack poorly chosen passwords is Unix Password Cracker by Scooter Corp. It is available at ftp://ftp.info.bishkek.su/UNIX/crack-2a/crack-2a.tgz or http://iukr.bishkek.su/crack/index.html

A good tutorial on some of the issues of cracking Windows NT passwords may be found at http://ntbugtraq.rc.on.ca/samfaq.htm

One password cracker for Windows NT is L0phtcrack v1.5. It is available for FREE from http://www.L0pht.com (that's a ZERO after the 'L', not an 'o'). It comes with source so you can build it on just about any platform. Authors are mudge@l0pht.com and weld@l0pht.com.

Another Windows NT password cracker is Alec Muffett's Crack 5.0 at http://www.sun.rhbnc.ac.uk/~phac107/c50a-nt-0.10.tgz

Even if you crack some passwords, you will still need to correlate passwords with user names. One way to do this is to get a list of users by fingering your target computer. See the GTMHH Vol.1 No.1 for some ways to finger as many users as possible on a system. The verify command in sendmail is another way to get user names. A good systems administrator will turn off both the finger daemon and the sendmail verify command to make it harder for outsiders to break into their computers.

If finger and the verify commands are disabled, there is yet another way to get user names. Oftentimes the part of a person's email that comes before the @ will also be a user name.
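The whole K.R.A.C.K. strategy above depends on the password hashes being readable in /etc/passwd instead of living in one of the shadow files listed in the table. The administrator's counter-check is to audit the world-readable file and confirm that every account's second field is a shadow placeholder (the "x", "*" and "##username" tokens from the table, or a locked-account marker), not a real hash or an empty string. The script below is an added example of that audit, not code from the original guide or from the K.R.A.C.K. text; the function names and the sample passwd lines are constructed for illustration.

```python
# Audit /etc/passwd-format text for accounts that are not shadowed.
# Added example (not part of the original tutorial or the K.R.A.C.K. text):
# the function names and SAMPLE_PASSWD below are constructed for illustration.


def classify_password_field(pw):
    """Return 'empty', 'shadowed_or_locked' or 'hash_exposed' for a passwd field.

    "x", "*" and "##username" follow the Token column of the shadow-file table;
    "!" / "!!" are the common Linux locked-account markers.
    """
    if pw == "":
        return "empty"                      # account has no password at all
    if pw == "x" or pw.startswith(("*", "!", "##")):
        return "shadowed_or_locked"         # nothing usable for offline guessing
    return "hash_exposed"                   # a real hash readable by every local user


def parse_passwd(text):
    """Parse seven-field passwd lines; skip blanks and comments, report malformed lines."""
    entries, malformed = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            malformed.append(lineno)        # do not guess at a broken record
            continue
        name, pw, uid, gid, gecos, home, shell = fields
        entries.append({
            "name": name, "pw": pw,
            "uid": int(uid) if uid.isdigit() else None,
            "gid": gid, "gecos": gecos, "home": home, "shell": shell,
        })
    return entries, malformed


def audit_passwd(text):
    """Return ([(account, verdict), ...], [malformed line numbers]).

    Only accounts that are NOT shadowed or locked appear in the findings.
    """
    entries, malformed = parse_passwd(text)
    findings = []
    for entry in entries:
        verdict = classify_password_field(entry["pw"])
        if verdict != "shadowed_or_locked":
            findings.append((entry["name"], verdict))
    return findings, malformed


# Constructed sample resembling a world-readable /etc/passwd. The hash on the
# "bob" line is made up; it only needs to look like a hash to the classifier.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:$1$abcdefgh$ij.klmnopqrstuvwxyz012:1001:1001:Bob:/home/bob:/bin/sh
guest::1002:1002:Guest:/home/guest:/bin/sh
# comment line, ignored
broken line without enough fields
"""

if __name__ == "__main__":
    # On a real host read open("/etc/passwd").read() instead of the sample.
    findings, malformed = audit_passwd(SAMPLE_PASSWD)
    for name, verdict in findings:
        print(f"{name}: {verdict}")
    if malformed:
        print("malformed lines:", malformed)
    if not findings:
        print("all accounts are shadowed or locked")
```

Run against the sample it reports "bob" (hash exposed in the readable file, exactly what step #2 above would harvest) and "guest" (empty password), and flags line 7 as malformed rather than silently skipping it. Passing a clean file yields no findings, which is the state the shadow-file table describes for a correctly configured system.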