- This is by no means a complete or even good list of possible ways to get a
- copy of the shadow file, but these are some that work and are handy to
- know if you do a lot of freelance cracking.
-
- Unix including SunOS, SCO, System V and the like are sometimes vulnerable
- to ypcat when they run NIS: the NIS passwd map carries the password hashes
- even if the local /etc/passwd is shadowed. This is an old and well known
- trick but it works. To use it simply type ypcat passwd (the argument is the
- NIS map name, not a path) with your capture option turned on, or use
-
- ypcat passwd > ~/passwd
-
- and download the passwd file from your home dir.
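- Added check (not part of the original text): the shell snippet below reads
- passwd-format lines, which is what ypcat passwd prints, and reports every
- account whose second field is a real hash rather than a shadow placeholder,
- so you can tell at a glance whether a NIS domain is leaking hashes. The
- sample entries and the set of placeholders treated as "shadowed" (x, *, !,
- NP) are my assumptions, not anything taken from a real host.

```shell
#!/bin/sh
# Added example: scan passwd-format lines (the format `ypcat passwd` prints)
# and report the accounts whose field 2 is a usable password hash.
# The sample below is constructed for this example; it is not from a real host.

SAMPLE_PASSWD='root:Xy1a2B3cD4eF5:0:1:Superuser:/:/bin/sh
daemon:*:1:1:daemon:/:/bin/false
alice:x:1001:100:Alice:/home/alice:/bin/csh
bob:$1$saltsalt$abcdefghijklmnopqrstuv:1002:100:Bob:/home/bob:/bin/sh
carol::1003:100:Carol no passwd:/home/carol:/bin/sh'

# Read passwd lines on stdin; print "user type hash" for every entry whose
# second field is neither empty (no password at all) nor one of the shadow
# placeholders (x, *, !, NP).  The placeholder list is an assumption.
# descrypt hashes are exactly 13 characters; md5crypt hashes start with $1$.
leaked_hashes() {
    awk -F: '
        NF >= 7 && $2 != "" && $2 != "x" && $2 != "*" && $2 != "!" && $2 != "NP" {
            type = "other"
            if ($2 ~ /^\$1\$/)          type = "md5crypt"
            else if (length($2) == 13) type = "descrypt"
            print $1, type, $2
        }'
}

# Number of leaked entries in the passwd text given as $1 (handy for a cron
# check or a test: a non-zero count means the map is exposing hashes).
count_leaked() {
    printf '%s\n' "$1" | leaked_hashes | wc -l | tr -d ' '
}

# Live use would be:  ypcat passwd | leaked_hashes
# Here it runs on the constructed sample.
printf '%s\n' "$SAMPLE_PASSWD" | leaked_hashes
```

- Only root and bob show up: daemon and alice carry placeholders, and carol
- has no password field at all (a different problem, but not a hash leak).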
-
- Unix including SCO, System V 3.2 and possibly others could be vulnerable to
- a hole using the .lastlogin file. If an ls -al in your home directory shows
- .lastlogin owned by auth or root or anyone with better security than you,
- it's good :) To exploit (ln -s takes the target first, then the link):
-
- rm -f ~/.lastlogin
- ln -s /etc/passwd ~/.lastlogin
-
- Now logout and back in so the login program follows your link when it
- handles .lastlogin.
-
- cat .lastlogin > passwd
- rm -f ~/.lastlogin
-
- This hole could have several other uses as well. Keep in mind that the
- link itself grants you nothing: cat follows it with your own permissions,
- so that step only shows you what you could read anyway. Whatever the hole
- leaks has to come from the privileged login program following the link,
- and a privileged program following a link you control is a nice gift.
-
- Linux including Slackware and possibly others: not only can the dip hole be
- used to get root, it can also snag you the shadow file fairly easily. Why
- you wouldn't just use it to get root and then edit/download the file I have
- no clue, but here it is anyway. To exploit:
-
- ln -s /etc/shadow /tmp/dummy.dip
- /sbin/dip -v /tmp/dummy.dip
-
- Assuming dip is vulnerable (setuid root, and echoing each line of the
- script it parses in verbose mode), this should type the shadow file for
- you, and of course it's not limited to reading just the shadow file.
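- Added check (not part of the original text) for the common thread of the
- .lastlogin and dip tricks above: an unprivileged user plants a symlink where
- a privileged program (login handling .lastlogin, setuid dip reading its
- script) will follow it. The snippet lists every symlink directly inside a
- directory whose target lies under /etc, which is what you would run over
- home directories and /tmp to spot a planted link. The demo directory and
- its links are constructed for the example; readlink(1) is assumed to be
- available (it is not POSIX, but Linux and the BSDs have it).

```shell
#!/bin/sh
# Added example: find symlinks a user may have planted for a privileged
# program to follow.  Reports each symlink in DIR whose target is under
# PREFIX (default /etc).  Assumes readlink(1) exists (Linux, BSDs).

# Print "link -> target" for each symlink in $1 pointing into $2 (default /etc).
planted_links() {
    dir=$1
    prefix=${2:-/etc}
    for f in "$dir"/.* "$dir"/*; do
        [ -L "$f" ] || continue            # only symlinks; -L does not follow
        target=$(readlink "$f")
        case $target in
            "$prefix"/*) printf '%s -> %s\n' "$f" "$target" ;;
        esac
    done
}

# Build a throwaway home directory holding one harmless link and the two
# links from the text.  Constructed demo data, not a real user's home.
make_demo_home() {
    d=$(mktemp -d)
    ln -s "$d/.profile.real" "$d/.profile"   # harmless: stays inside home
    ln -s /etc/passwd "$d/.lastlogin"        # the .lastlogin trick
    ln -s /etc/shadow "$d/dummy.dip"         # the dip trick (normally in /tmp)
    printf '%s\n' "$d"
}

# Live use would be, for every home directory and for /tmp:
#   planted_links /home/someuser
#   planted_links /tmp
demo=$(make_demo_home)
planted_links "$demo"
```

- Only the two links into /etc are reported; the .profile link stays inside
- the home directory and is ignored. Note the check uses -L and readlink
- rather than following the link, so it never opens the target itself.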
-
- If you know of other tricks, especially some that defeat Linux shadow, and
- wish to share them, mail Cassidy..
-