
Thread: cracking shadowed password files!

  1. #1

    cracking shadowed password files!

    Hi guys,
    I was just wondering if there is some way to decrypt shadowed password files!!
    Thanks for your help.
    By the way, it's for educational purposes,
    no need to flame.

  2. #2
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  3. #3
    I tried John but it couldn't resolve it,
    so isn't there any other high-tech tool??

  4. #4
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323
    Couldn't resolve it???

    Weird. I was just there. AFAIK, that is the best for shadowed passwords.

  5. #5
    Senior Member
    Join Date
    Apr 2002
    Posts
    1,050
    "I tried John but it couldn't resolve it,
    so isn't there any other high-tech tool??"

    What do you mean it wouldn't 'resolve'? What operating system are you using?

    Wordlists
    More wordlists

    wordlists for the obvious !
    By the sacred **** of the sacred psychedelic tibetan yeti ....We'll smoke the chinese out
    The 20th century pharaohs have the slaves demanding work
    http://muaythaiscotland.com/

  6. #6
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    For Educational purposes only:

    The answer is probably "yes", but you have to decide between what is theoretically possible and what is practical in terms of time and money.

    "Encrypted passwords can not be decrypted. Programs that pretend to
    crack a password file just do brute-force on it : they have a
    dictionary, they encrypt every word in it (plus some common
    spellings, such as a 0 at the end of word), and they compare these
    results with what's in password file. Which means that if all
    passwords are well chosen, they should not be able to get one.

    But do not rely on this. Shadow passwords are good, for they do not
    cost much, and they are a great security improvement."


    I cannot remember where the quote came from, but the guy does have a point.

    Any software that does, or claims to do this, must run two steps:

    1. "Unshadow" the data {it has been replaced with "X" or "*"}
    2. Unencrypt/decipher the data.

    Obviously the strength and type of encryption is a factor here, as well.

    I am sure that there are organisations that have very sophisticated software that does attempt "true" decryption (Mossad perhaps). This, and the supercomputers to run them, are way outside the budgets and attention spans of script kiddies and those who do not belong to government intelligence agencies.

    Other programs will be defeated by well chosen passwords, and may well fail if the dictionary is wrong (eg. a Roman Alphabet dictionary will not crack an Arabic file), if the passwords are all symbols etc. It would just take too long to try all the possibilities, and if an exact match is not found, you don't get a crack.

    The message is, don't use proper words, use letters in upper and lower case, use numbers, use characters. Also that the longer your password is, the harder it is to crack.

    Change your passwords regularly, so that if anyone gets hold of the file it will be useless before they have time to crack it. Enforce a security policy that makes users change their passwords regularly.

    Hope that this helps.

  7. #7
    Senior Member DeadAddict's Avatar
    Join Date
    Jun 2003
    Posts
    2,583
    Seeing how this is going to be used for educational purposes only try this program
    http://www.freewareweb.com/cgi-bin/archive.cgi?ID=496

  8. #8
    Senior Member
    Join Date
    Apr 2002
    Posts
    634
    If you are indeed speaking about *nix shadowed passwords, John is the ultimate program for cracking them. You will not find a better one. The only issue is (like with every cracker) the time needed to do the job if the passwords are not obvious.

    If you are simply speaking about passwords hidden behind asterisks in programs, you can try the DeadAddict link or find a ton of similar programs with Google.
    Life is boring. Play NetHack... --more--

  9. #9
    PHP/PostgreSQL guy
    Join Date
    Dec 2001
    Posts
    1,164
    To use John the Ripper, you have to "unshadow" the /etc/shadow file. For that, you have to have read access to said /etc/shadow since only root can view it (on most shadow routines). Once you unshadow (making sure you direct it to a file, since unshadow puts to STDOUT), then you can run it as './john ./file_name'. Success is purely based on your computer's per-second ciphers. Standard crypt passwords are eaten like popcorn whereas md5 hashes are extremely hard to brute-force and take days if not weeks. A 5-digit md5 password brute-forced on an average 1 GHz machine takes something like 4 days (or something close) because the number of ciphers per second is much, much less than regular crypt/etc.
    We the willing, led by the unknowing, have been doing the impossible for the ungrateful. We have done so much with so little for so long that we are now qualified to do just about anything with almost nothing.
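
    The hash-scheme and password-change points raised in posts #6 and #9, seen from the administrator's side. This is an added example, not part of any poster's message: it reads shadow(5)-format lines, identifies the crypt(3) scheme of each entry, and flags active accounts that use an old scheme or have no maximum password age. The sample entries are constructed placeholders, and which schemes count as weak is this example's own policy assumption.

```python
# Added example: audit shadow(5) entries for old hash schemes and missing expiry.
# SAMPLE_SHADOW is constructed; salts and hashes are placeholders, not real values.

# crypt(3) "$id$" prefixes -> (scheme name, acceptable under this example's policy)
SCHEMES = {
    "1": ("md5crypt", False),
    "2a": ("bcrypt", True), "2b": ("bcrypt", True), "2y": ("bcrypt", True),
    "5": ("sha256crypt", True),
    "6": ("sha512crypt", True),
    "y": ("yescrypt", True),
}
STATUS = {True: "ok", False: "WEAK SCHEME", None: "REVIEW"}

SAMPLE_SHADOW = """\
root:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:19000:0:90:7:::
alice:$1$CONSTRUCTEDSALT$CONSTRUCTEDHASH:12000:0:99999:7:::
bob:ab0123456789A:12000:0::7:::
daemon:*:19000:0:99999:7:::
carol:!$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:19000:0:90:7:::
"""

def classify(field):
    """Return (scheme, status) for the password field of one shadow entry."""
    if field == "":
        return ("none", "EMPTY PASSWORD")
    locked = field.startswith(("!", "*"))   # leading ! or * disables login
    body = field.lstrip("!*")
    if not body:
        return ("none", "no login")
    if body.startswith("$"):
        name, ok = SCHEMES.get(body.split("$")[1], ("unknown", None))
    elif len(body) == 13:
        name, ok = "descrypt", False        # traditional DES crypt is 13 chars
    else:
        name, ok = "unknown", None
    return (name, "locked" if locked else STATUS[ok])

def audit(text):
    """Return (user, scheme, status, no_expiry) for each well-formed line."""
    findings = []
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) < 5:
            continue                        # not a shadow entry
        user, field, max_age = parts[0], parts[1], parts[4]
        scheme, status = classify(field)
        # Field 5 is the maximum password age; empty or 99999 means no forced change.
        active = status in ("ok", "WEAK SCHEME", "REVIEW", "EMPTY PASSWORD")
        findings.append((user, scheme, status, active and max_age in ("", "99999")))
    return findings

if __name__ == "__main__":
    for row in audit(SAMPLE_SHADOW):
        print("%-8s %-12s %-12s no_expiry=%s" % row)
```

    On a live system the input is /etc/shadow itself, which needs root to read; the audit never handles plaintext passwords.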

  10. #10
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    vorlin,

    thanks for the support...........are you saying up to 4 days per password, or per password file?
    If it is the file, are you allowed to suggest how many in it?

    cheers
