jtr always works, nothing else needed. or if you cannot get the /etc/passwd then try PHF file in the /cgi-bin directory. if phf is there then you are in luck this file allows remote access to files (including the /etc/passwd file) to try this. open your web browser and type http://www.victim.com/cgi-bin/phf?Qa...%20/etc/passwd , ofcurse you have to change the victim.com to what ever you like . And if you want to be little fancier then try l0pht. This is going to cost little money but, damn, never saw anything like that. Some time takes a long time but always comes up with positive results.