Message-ID: <20070113082744.GA6112@openwall.com>
Date: Sat, 13 Jan 2007 11:27:44 +0300
From: Danett song <danett18@...oo.com.br>
To: john-users@...ts.openwall.com
Subject: Re: OpenUnix 8 hash format is not the normal DES?
Hi Solar Designer,
How are u?
Since I started this thread I have analyzed OpenUnix 8 and learned that there is no strace; however, there is the truss command (similar to strace on Linux).
I changed my password and "trussed" it; below is the output, with comments...
execve("/usr/bin/passwd", 0x08047D50, 0x08047D58) argc = 1
*** SGID: rgid/egid/sgid = 102 / 3 / 3 ***
open("/usr/lib/libcrypt.so.1", O_RDONLY, 01001075434) = 3
fxstat(2, 3, 0x080475CC) = 0
mmap(0x00000000, 4096, PROT_READ, MAP_SHARED, 3, 0) = 0x080D4000
mmap(0x00000000, 19921, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x080D6000
mmap(0x080DA000, 408, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3,
12288) = 0x080DA000
close(3) = 0
munmap(0x080D4000, 4096) = 0
open("/usr/lib/libia.so", O_RDONLY, 01001075434) = 3
fxstat(2, 3, 0x080475CC) = 0
mmap(0x00000000, 4096, PROT_READ, MAP_SHARED, 3, 0) = 0x080D4000
mmap(0x00000000, 34064, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x080DC000
mmap(0x080E1000, 11324, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3
, 16384) = 0x080E1000
mmap(0x080E4000, 1296, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS
, -1, 0) = 0x080E4000
close(3) = 0
munmap(0x080D4000, 4096) = 0
open("/usr/lib/libiaf.so", O_RDONLY, 01001075434) = 3
fxstat(2, 3, 0x080475CC) = 0
mmap(0x00000000, 4096, PROT_READ, MAP_SHARED, 3, 0) = 0x080D4000
mmap(0x00000000, 36224, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x080E6000
mmap(0x080EE000, 3432, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3,
28672) = 0x080EE000
close(3) = 0
munmap(0x080D4000, 4096) = 0
mprotect(0x080E6000, 30177, PROT_READ|PROT_WRITE|PROT_EXEC) = 0
open("/usr/lib/libnsl.so.1", O_RDONLY, 01001075434) = 3
fxstat(2, 3, 0x080475CC) = 0
mmap(0x00000000, 4096, PROT_READ, MAP_SHARED, 3, 0) = 0x080D4000
mmap(0x00000000, 328424, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x080F0000
mmap(0x08139000, 8344, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3,
294912) = 0x08139000
mmap(0x0813C000, 17128, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOU
S, -1, 0) = 0x0813C000
close(3) = 0
munmap(0x080D4000, 4096) = 0
open("/usr/lib/libsocket.so.2", O_RDONLY, 01001075434) = 3
fxstat(2, 3, 0x080475CC) = 0
mmap(0x00000000, 4096, PROT_READ, MAP_SHARED, 3, 0) = 0x080D4000
mmap(0x00000000, 66908, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x08142000
mmap(0x0814F000, 7940, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3,
49152) = 0x0814F000
mmap(0x08151000, 5468, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x08151000
close(3) = 0
munmap(0x080D4000, 4096) = 0
mprotect(0x080E6000, 30177, PROT_READ|PROT_EXEC) = 0
access("/usr/lib/locale/C/.", 13) = 0
brk(0x0830A50C) = 0
ioctl(0, I_FIND, "iaf") = 0
getuid() = 0 [ 0 ]
open("/etc/default/passwd", O_RDONLY, 0666) = 3
lseek64(3, 0, 0) = 0
ioctl(3, TCGETS, 0x08047BC0) Err#25 ENOTTY
fxstat(2, 3, 0x08047C00) = 0
brk(0x0830E508) = 0
read(3, " # i d e n t\t " @ ( # )".., 8192) = 246
read(3, 0x08308698, 8192) = 0
lseek64(3, 0, 0) = 0
read(3, " # i d e n t\t " @ ( # )".., 8192) = 246
lseek64(3, 0, 0) = 0
read(3, " # i d e n t\t " @ ( # )".., 8192) = 246
lseek64(3, 0, 0) = 0
read(3, " # i d e n t\t " @ ( # )".., 8192) = 246
read(3, 0x08308698, 8192) = 0
lseek64(3, 0, 0) = 0
read(3, " # i d e n t\t " @ ( # )".., 8192) = 246
lseek64(3, -36, 1) = 210
close(3) = 0
getuid() = 0 [ 0 ]
seteuid(0) = 0
systeminfo(SI_HOSTNAME, "I0C801", 257) = 7
systeminfo(SI_SET_HOSTNAME, "I0C801", 7) = 7
seteuid(0) = 0
access("/etc/shadow", 10) = 0
open("/usr/lib/ns.so.1", O_RDONLY, 01001076040) Err#2 ENOENT
open("/etc/passwd", O_RDONLY, 0666) = 3
ioctl(3, TCGETS, 0x08047B74) Err#25 ENOTTY
fxstat(2, 3, 0x08047BB4) = 0
read(3, " r o o t : x : 0 : 3 : 0".., 8192) = 4829
lseek64(3, -3776, 1) = 1053
close(3) = 0
open("/etc/passwd", O_RDONLY, 0666) = 3
ioctl(3, TCGETS, 0x08047B80) Err#25 ENOTTY
fxstat(2, 3, 0x08047BC0) = 0
read(3, " r o o t : x : 0 : 3 : 0".., 8192) = 4829
read(3, 0x08308760, 8192) = 0
close(3) = 0
open("/usr/lib/locale/C/LC_MESSAGES/uxlibc", O_RDONLY, 01003117445) Err#2 ENOENT
UX:passwd: write(2, " U X : p a s s w d : ", 11) = 11
INFOwrite(2, " I N F O", 4) = 4
: write(2, " : ", 2) = 2
open("/usr/lib/locale/C/LC_MESSAGES/uxcore.abi", O_RDONLY, 01001076110) Err#2 E
NOENT
Changing password for root
write(2, " C h a n g i n g p a s".., 27) = 27
xstat(2, "/etc/security/ia/index", 0x08047C6C) = 0
open("/etc/security/ia/index", O_RDONLY, 01014077444) = 3
mmap(0x00000000, 2640, PROT_READ, MAP_SHARED, 3, 0) = 0x080D4000
munmap(0x080D4000, 2640) = 0
close(3) = 0
open("/etc/security/ia/master", O_RDONLY, 01014102450) = 3
lseek(3, 0, 0) = 0
read(3, " r o o t\0\0\0\0\0\0\0\0".., 315) = 315
close(3) = 0
open("/dev/tty", O_RDONLY, 01014102410) = 3
sigfillset(0x080D2BD0) = 0
sigaction(SIGINT, 0x08047A0C, 0x08047A54) = 0
sigaction(SIGINT, 0x08047A10, 0x00000000) = 0
ioctl(3, TCGETS, 0x08047A94) = 0
ioctl(3, TCSETSF, 0x08047A94) = 0
read(3, 0x08047AC3, 1) (sleeping...)
read(3, " t", 1) = 1
read(3, " e", 1) = 1
read(3, " s", 1) = 1
read(3, " t", 1) = 1
read(3, "\n", 1) = 1
ioctl(3, TCSETSW, 0x08047A94) = 0
write(2, "\n", 1) = 1
close(3) = 0
sigaction(SIGINT, 0x080479F8, 0x00000000) = 0
open("/dev/tty", O_RDONLY, 01014102410) = 3
sigaction(SIGINT, 0x08047A0C, 0x08047A54) = 0
sigaction(SIGINT, 0x08047A10, 0x00000000) = 0
ioctl(3, TCGETS, 0x08047A94) = 0
ioctl(3, TCSETSF, 0x08047A94) = 0
Re-enter new password:write(2, " R e - e n t e r n e w".., 22) = 22
read(3, 0x08047AC3, 1) (sleeping...)
read(3, " t", 1) = 1
read(3, " e", 1) = 1
read(3, " s", 1) = 1
read(3, " t", 1) = 1
read(3, "\n", 1) = 1
ioctl(3, TCSETSW, 0x08047A94) = 0
write(2, "\n", 1) = 1
close(3) = 0
sigaction(SIGINT, 0x080479F8, 0x00000000) = 0
getksym("hrestime", 0x08047BBC, 0x08047BB8) = 0
open("/dev/sysdat", O_RDONLY, 01003216040) = 3
mmap(0x00000000, 4096, PROT_READ, MAP_SHARED, 3, -36864) = 0x080D4000
close(3) = 0
getpid() = 9495 [ 9494 ]
open("/etc/security/mac/ltf.alias", O_RDONLY, 0) Err#2 ENOENT
xstat(2, "/etc/security/ia/.pwd.lock", 0x08047C50) = 0
creat("/etc/security/ia/.pwd.lock", 0400) = 3
sigset(SIGALRM, 0x08096660) = SIG_DFL
alarm(15) = 0
fcntl(3, F_SETLKW, 0x08047CD8) = 0
alarm(0) = 15
sigset(SIGALRM, SIG_DFL) = 0x08096660
sigset(SIGHUP, SIG_IGN) = SIG_DFL
sigset(SIGINT, SIG_IGN) = SIG_DFL
sigset(SIGQUIT, SIG_IGN) = SIG_DFL
sigset(SIGILL, SIG_IGN) = SIG_DFL
sigset(SIGTRAP, SIG_IGN) = SIG_DFL
sigset(SIGABRT, SIG_IGN) = SIG_DFL
sigset(SIGEMT, SIG_IGN) = SIG_DFL
sigset(SIGFPE, SIG_IGN) = SIG_DFL
sigset(SIGKILL, SIG_IGN) Err#22 EINVAL
sigset(SIGBUS, SIG_IGN) = SIG_DFL
sigset(SIGSEGV, SIG_IGN) = SIG_DFL
sigset(SIGSYS, SIG_IGN) = SIG_DFL
sigset(SIGPIPE, SIG_IGN) = SIG_DFL
sigset(SIGALRM, SIG_IGN) = SIG_DFL
sigset(SIGTERM, SIG_IGN) = SIG_DFL
sigset(SIGUSR1, SIG_IGN) = SIG_DFL
sigset(SIGUSR2, SIG_IGN) = SIG_DFL
sigset(SIGPWR, SIG_IGN) = SIG_DFL
sigset(SIGWINCH, SIG_IGN) = SIG_DFL
sigset(SIGURG, SIG_IGN) = SIG_DFL
sigset(SIGPOLL, SIG_IGN) = SIG_DFL
sigset(SIGSTOP, SIG_IGN) Err#22 EINVAL
sigset(SIGTSTP, SIG_IGN) = SIG_DFL
sigset(SIGCONT, SIG_IGN) = SIG_DFL
sigset(SIGTTIN, SIG_IGN) = SIG_DFL
sigset(SIGTTOU, SIG_IGN) = SIG_DFL
sigset(SIGVTALRM, SIG_IGN) = SIG_DFL
sigset(SIGPROF, SIG_IGN) = SIG_DFL
sigset(SIGXCPU, SIG_IGN) = SIG_DFL
sigset(SIGXFSZ, SIG_IGN) = SIG_DFL
sigset(SIGWAITING, SIG_IGN) = SIG_DFL
sigset(SIGLWP, SIG_IGN) = SIG_DFL
sigset(SIGAIO, SIG_IGN) = SIG_DFL
sigset(SIGMIGRATE, SIG_IGN) = SIG_DFL
sigset(SIGCLUSTER, SIG_IGN) = SIG_DFL
sigset(SIG#37, SIG_IGN) = SIG_DFL
sigset(SIG#38, SIG_IGN) = SIG_DFL
sigset(SIG#39, SIG_IGN) = SIG_DFL
sigset(SIG#40, SIG_IGN) = SIG_DFL
sigset(SIG#41, SIG_IGN) = SIG_DFL
sigset(SIG#42, SIG_IGN) = SIG_DFL
sigset(SIG#43, SIG_IGN) = SIG_DFL
sigset(SIG#44, SIG_IGN) = SIG_DFL
sigset(SIG#45, SIG_IGN) = SIG_DFL
sigset(SIG#46, SIG_IGN) = SIG_DFL
sigset(SIG#47, SIG_IGN) = SIG_DFL
sigset(SIG#48, SIG_IGN) = SIG_DFL
sigset(SIG#49, SIG_IGN) = SIG_DFL
sigset(SIG#50, SIG_IGN) = SIG_DFL
sigset(SIG#51, SIG_IGN) = SIG_DFL
sigset(SIG#52, SIG_IGN) = SIG_DFL
sigset(SIG#53, SIG_IGN) = SIG_DFL
sigset(SIG#54, SIG_IGN) = SIG_DFL
sigset(SIG#55, SIG_IGN) = SIG_DFL
sigset(SIG#56, SIG_IGN) = SIG_DFL
sigset(SIG#57, SIG_IGN) = SIG_DFL
sigset(SIG#58, SIG_IGN) = SIG_DFL
sigset(SIG#59, SIG_IGN) = SIG_DFL
sigset(SIG#60, SIG_IGN) = SIG_DFL
sigset(SIG#61, SIG_IGN) = SIG_DFL
sigset(SIG#62, SIG_IGN) = SIG_DFL
sigset(SIG#63, SIG_IGN) = SIG_DFL
sigset(SIG#64, SIG_IGN) = SIG_DFL
lvlfile("/etc/shadow", 1, 0x08047CF4) = 0
xstat(2, "/etc/shadow", 0x08047C5C) = 0
unlink("/etc/stmp") Err#2 ENOENT
creat("/etc/stmp", 0600) = 4
close(4) = 0
open("/etc/stmp", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 4
open("/etc/shadow", O_RDONLY, 0666) = 5
ioctl(5, TCGETS, 0x08047AE8) Err#25 ENOTTY
fxstat(2, 5, 0x08047B28) = 0
read(5, " r o o t : x V 4 w 1 p p".., 8192) = 1459
ioctl(4, TCGETS, 0x08047A8C) Err#25 ENOTTY
fxstat(2, 4, 0x08047ACC) = 0
write(4, " r o o t : 8 t f K n V x".., 31) = 31
write(4, " d a e m o n : N P : 6 4".., 21) = 21
write(4, " b i n : N P : 6 4 4 5 :".., 18) = 18
write(4, " s y s : N P : 6 4 4 5 :".., 18) = 18
write(4, " a d m : N P : 6 4 4 5 :".., 18) = 18
write(4, " u u c p : N P : 6 4 4 5".., 19) = 19
write(4, " m a i l : N P : 6 4 4 5".., 19) = 19
write(4, " n u u c p : N P : 6 4 4".., 20) = 20
write(4, " n o b o d y : N P : 6 4".., 21) = 21
write(4, " n o a c c e s s : N P :".., 23) = 23
/* Many entries with the contents of my users/passwords */
read(5, 0x08308DE8, 8192) = 0
close(5) = 0
close(4) = 0
chmod("/etc/stmp", 0100400) = 0
chown("/etc/stmp", 0, 3) = 0
fork() = 9412
Received signal #18, SIGCLD, in wait() [default]
siginfo: SIGCLD CLD_EXITED pid=9412 uid=0 status=0x0000
wait() = 9412 [ 0x0000 ]
fcntl(3, F_SETLK, 0x08047CDC) = 0
close(3) = 0
auditctl(2, 0x08047CD0, 20) Err#65 ENOPKG
_exit(0)
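As we can see, the most relevant parts, in my opinion, are:
- The strings output of the library /usr/lib/libcrypt.so.1; it doesn't contain relevant information. [Editor's note: the short runs below such as `:2*"` and `<4,$` are the byte values 58, 50, 42, 34 and 60, 52, 44, 36 printed as ASCII, which is consistent with the start of the DES initial-permutation table, i.e. with a DES-based crypt implementation in this library.]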
# strings /usr/lib/libcrypt.so.1
:2*"
<4,$
>6.&
@80(
91)!
;3+#
=5-%
?7/'
91)!
:2*"
;3+#
<4,$?7/'
>6.&
=5-%
(3-!0,1'8"5.*2$
exec /usr/bin/crypt -p 2>/dev/null
/sbin/sh
- The library /usr/lib/libia.so; it references some suspicious-looking files like /etc/security/ia/master....
# strings /usr/lib/libia.so
uxcore:710:unable to allocate space
/etc/security/audit/classes
uxcore:711:unable to obtain event class information
alias
uxcore:712:syntax error in <%s>, line <%d>
uxcore:713:event type or class "%s" exceeds <%d> characters
uxcore:714:event type or class "%s" contains non-printable characters
/etc/security/audit/classes
uxcore:711:unable to obtain event class information
none
uxcore:721:keyword "%s" may not be used in conjunction with event types or classes
uxcore:719:event type "%s" is a fixed event and may not be manipulated
uxcore:720:event type "%s" is not valid for object-level auditing
uxcore:715:event type "%s" is not currently audited
uxcore:716:invalid event type or class "%s" specified
/etc/security/ia/audit
/etc/security/ia/index
/etc/security/ia/master
/etc/security/ia/mastmp
/etc/security/ia/omaster
/etc/security/ia/indextmp
/etc/security/ia/oindex
/etc/security/ia/level/
/etc/security/audit/classes
/etc/security/audit/classes
NULL
access
acct_off
acct_on
acct_sw
add_grp
add_usr
add_usr_grp
assign_lid
assign_nm
audit_buf
audit_ctl
audit_dmp
audit_evt
audit_log
audit_map
bad_auth
bad_lvl
cancel_job
chg_dir
chg_nm
chg_root
chg_times
cov_chan_1
cov_chan_2
cov_chan_3
cov_chan_4
cov_chan_5
cov_chan_6
cov_chan_7
cov_chan_8
create
cron
dac_mode
dac_own_grp
date
deactivate_lid
def_lvl
del_nm
disp_attr
exec
exit
fcntl
file_acl
file_lvl
file_priv
fork
init
iocntl
ipc_acl
kill
link
login
lp_admin
lp_misc
misc
mk_dir
mk_mld
mk_node
mod_grp
mod_usr
mount
msg_ctl
msg_get
msg_op
open_rd
open_wr
page_lvl
passwd
pipe
pm_denied
proc_lvl
prt_job
prt_lvl
recvfd
rm_dir
sched_lk
sched_fp
sched_ts
sem_ctl
sem_get
sem_op
set_attr
set_gid
set_grps
set_lvl_rng
set_pgrps
set_sid
set_uid
setrlimit
shm_ctl
shm_get
shm_op
status
sym_create
sym_status
tfadmin
trunc_lvl
ulimit
umount
unlink
modpath
modadm
modload
moduload
lwp_create
lwp_bind
lwp_unbind
p_online
logoff
sched_fc
lwp_exit
lwp_kill
keyctl
fd_acl
/etc/security/ia/master
/etc/security/ia/index
/etc/security/ia/mastmp
/etc/security/ia/mastmp
/etc/security/ia/mastmp
/etc/security/ia/mastmp
/etc/security/ia/mastmp
/etc/security/ia/mastmp
/etc/security/ia/omaster
/etc/security/ia/omaster
/etc/security/ia/mastmp
/etc/security/ia/mastmp
/etc/security/ia/mastmp
/etc/security/ia/mastmp
/etc/security/ia/indextmp
/etc/security/ia/indextmp
/etc/security/ia/indextmp
/etc/security/ia/indextmp
/etc/security/ia/indextmp
/etc/security/ia/indextmp
/etc/security/ia/indextmp
/etc/security/ia/indextmp
/etc/security/ia/oindex
/etc/security/ia/oindex
/etc/security/ia/indextmp
/etc/security/ia/indextmp
/etc/security/ia/indextmp
/etc/security/ia/indextmp
/etc/security/ia/mastmp
/etc/security/ia/mastmp
/etc/security/ia/mastmp
/etc/security/ia/mastmp
/etc/security/ia/mastmp
/etc/security/ia/mastmp
/etc/security/ia/mastmp
/etc/security/ia/indextmp
/etc/security/ia/mastmp
/etc/security/ia/indextmp
/etc/security/ia/mastmp
/etc/security/ia/indextmp
/etc/security/ia/mastmp
/etc/security/ia/indextmp
/etc/security/ia/mastmp
/etc/security/ia/indextmp
/etc/security/ia/mastmp
/etc/security/ia/indextmp
/etc/security/ia/mastmp
/etc/security/ia/indextmp
/etc/security/ia/mastmp
/etc/security/ia/indextmp
/etc/security/ia/mastmp
/etc/security/ia/omaster
/etc/security/ia/omaster
/etc/security/ia/mastmp
/etc/security/ia/indextmp
/etc/security/ia/mastmp
/etc/security/ia/indextmp
/etc/security/ia/mastmp
/etc/security/ia/mastmp
/etc/security/ia/indextmp
/etc/security/ia/oindex
/etc/security/ia/oindex
/etc/security/ia/mastmp
/etc/security/ia/indextmp
/etc/security/ia/mastmp
/etc/security/ia/indextmp
/etc/security/ia/indextmp
/etc/security/ia/mastmp
/etc/security/ia/indextmp
:tmp
- The libraries /usr/lib/libnsl.so.1 and /usr/lib/libsocket.so.2 don't contain relevant information.
- The file /etc/security/ia/master is not a text file, as we can see:
# file /etc/security/ia/master
/etc/security/ia/master: data
The interesting thing is that via strings I can see parts of my hashes, which also exist in my /etc/shadow...
root
8tfKnVxS5re - The same seen in "write(4, " r o o t : 8 t f K n V x".., 31) = 31"
/sbin/sh
daemon*5v21dw01yuPiGDVreR5kDDvT
*5v21dw01yuPiGDVreR5kDDvT
/usr/bin
*5v21dw01yuPiGDVreR5kDDvT
*5v21dw01yuPiGDVreR5kDDvT
/var/adm
uucp
*5v21dw01yuPiGDVreR5kDDvT
/usr/lib/uucp
mail
*5v21dw01yuPiGDVreR5kDDvT
/etc/mail
nuucp
*5v21dw01yuPiGDVreR5kDDvT
/var/spool/uucppublic
/usr/lib/uucp/uucico
nobody
*5v21dw01yuPiGDVreR5kDDvT
noaccess
If we check it against the entries in the /etc/shadow file...
# cat /etc/shadow |grep 8tfKnV (if we look in the shadow file for part of the first string that appears to be a hash, it doesn't exist)
#
# cat /etc/shadow |grep uPiG (if we look in the shadow file for part of the second string that appears to be a hash, it exists).
root:*LK*5v21dw01yuPiG:11576::::::
It looks interesting that part of the second string (*5v21dw01yuPiG) matches the shadow entry...
Solar, does the entire string (*5v21dw01yuPiGDVreR5kDDvT) look like some algorithm to you? Also, we still have the first string, which doesn't match. Maybe it is also combined into the full hash?
Any idea how to convert this file to a text file like /etc/shadow (in a form we can read)?
- The file /etc/default/passwd only has password policies...
# cat /etc/default/passwd
#ident "@(#)unixsrc:usr/src/common/cmd/passwd/passwd.dfl /main/uw7_uk/1"
#ident "$Header: /sms/sinixV5.4es/rcs/s19-full/usr/src/cmd/passwd/passwd.dfl,v 1.1 91/02/28 19:24:04 ccs Exp $"
PASSLENGTH=3
MAXWEEKS=-1
PASSLENGTH=3
MINWEEKS=0
MAXWEEKS=-1
- These entries are the new password I typed...
read(3, " t", 1) = 1
read(3, " e", 1) = 1
read(3, " s", 1) = 1
read(3, " t", 1) = 1
read(3, "\n", 1) = 1
- the file /etc/security/ia/.pwd.lock is just used to lock the password file...
- /etc/stmp is a kind of temporary file created while the passwd process runs; it has some hashes inside it, but when the passwd program finishes it is deleted (maybe copied to the new password file?)...
Well, that's the most I could get... Solar Designer, do you also believe that /etc/security/ia/master can be the real password file? Any idea how to parse it for use in John the Ripper?
Thank you
Cheers
Solar Designer <solar@...nwall.com> escreveu: On trying to locate the "real" password hashes (for passwords of more
than 8 characters long):
On Sat, Dec 09, 2006 at 01:02:01AM -0300, Danett song wrote:
> Files having the string root I looked without sucess. Any other trick for what look?
Well, I would either trace the syscalls that the "passwd" program is
making (when run by root as "passwd username") or reverse-engineer parts
of it (or, more likely, of a library that it uses). Alternatively, the
same approaches may be applied to any daemon that does password
authentication or to the "login" program. Running "strings" on some
program binaries or library files might be enough.
I haven't touched a SCO'ish system for many years, so I simply don't
know what changes they have made to password hash storage since then.
--
Alexander Peslyak
GPG key ID: 5B341F15 fp: B3FB 63F4 D7A3 BCCC 6F6E FC55 A2FC 027C 5B34 1F15
http://www.openwall.com - bringing security into open computing environments
Was I helpful? Please give your feedback here: http://rate.affero.net/solar
--
To unsubscribe, e-mail john-users-unsubscribe@...ts.openwall.com and reply
to the automated confirmation request that will be sent to you.