Copy Link
Add to Bookmark
Report
Phruwt Issue 03 004
Getting Passwords Over a Network
by spooty
This article will explain how to get someone's password for their unix
account etc., from the packets transmitted over a localtalk or ethernet
network. I will not bother to explain the difficulties (or
impossibilities) of cracking THE password file, or worse yet, shadowed
passwords. If you want to learn about these, go read alt.2600 and look at
all the lamers asking how to hack the password file in one easy step. What
I will give you is the simplest and most powerful way to acquire passwords.
Sniffing packets may or may not be punishable where you are. It may be
shady behavior, or potentially legitimate. Using someone else's password
is obviously a no-no in the eyes of admins, and the law, but then again, if
you gave a shit, you wouldn't be reading this. Ready?
First of all, you need a packet sniffer. Just about any sniffer will do.
Since this article is aimed primarily at Mac users, I will use Watch 1.7.1,
available at the Phruwt ftp site. This app will do nicely. Now, all you
need is a Mac and a network, both of which you will have to find yourself.
Any computer at a cluster at any company or university will probably be
tied into their network, at least for a local bridge. For older, smaller,
or just plain dumber networks, you will be able to access the entire LAN
from any computer connected to it. Otherwise you are limited to the
particular zone to which your computer is assigned. It shouldn't be too
hard to find a good, accessible zone, however. If there is a main
computing center at a school, for example, it will probably be both the
site of accessible computers AND the same zone that sysadmins use.
Alrighty. Time to get to work. Fire up your sniffer. The default
settings on Watch 1.7.1 are fine. Under the "Filter" menu, only "LAP ctrl
capture" should be checked. Click "start." Now you will see "packets" and
"errors" begin to add up. For the first time, let 50 or more packets pile
up before you hit stop. Now look at the packets. They will all have
names like AFP, ATP, etc, that will confuse the hell out of your newbie ass
if you don't know what they are. Don't worry about them. What you're
looking for are the ones which are labeled by either TCP or Telnet.
Anyone using Telnet to log into an account will have to enter both a userid
and a password. This is where your knowledge of terminals comes in. When
you're telnetting, or using any terminal-based software, every keystroke
you hit is sent to the server, and then the server responds somehow to your
screen in the terminal. For example, say you are typing a letter to
someone using pine or some other unix mailer. If you type "k", a "k" will
be sent to the server, and then a "k" will be sent back to appear on your
screen. On the other hand, if you're hitting space bar to advance a page
or something, a space will be sent, but the server will not return a space,
but rather the next page of text. Got it?
So what you're looking for is the userid/password interaction between the
client and server. By watching the packets (and you'll see this quickly),
you'll soon find some sucker firing up his account. The first sign will be
the server's prompt for the userid, which should be as plain as day. Then
the unwitting fool will start typing in his userid, and the server will be
displaying it on his screen like this (these are only the last few columns
you will see in Watch. For more detail, you can double click on any of the
packets):
(In this example, 25 is the server and 69 is the user's computer)
lap dst 69 lap src 25 Telnet: 'login:'
lap dst 25 lap src 69 Telnet: 'l'
lap dst 69 lap src 25 Telnet: 'l'
lap dst 25 lap src 69 Telnet: 'o'
lap dst 69 lap src 25 Telnet: 'o'
lap dst 25 lap src 69 Telnet: 's'
lap dst 69 lap src 25 Telnet: 's'
lap dst 25 lap src 69 Telnet: 'e'
lap dst 69 lap src 25 Telnet: 'e'
lap dst 25 lap src 69 Telnet: 'r'
lap dst 69 lap src 25 Telnet: 'r'
Of course anyone typing any words will look like this, so you have to be
sure this punk is logging in and not just blabbing about himself to his fat
girlfriend back home. So make sure he has received the login prompt before
this, by paying attention to the source and destinations of each packet
(dst and src). Also, all the packets may not be together like this. A lot
of other shit might be mixed in, so once again, lay off the crack and make
sure the packets you're looking at are all going to and from the same
places (note: the number for the server will just about always be the same
and the varying clients' addresses will differ).
Now when it's time for the password:
lap dst 25 lap src 69 Telnet: 's'
lap dst 69 lap src 25 Telnet: ' '
lap dst 25 lap src 69 Telnet: 'm'
lap dst 69 lap src 25 Telnet: ' '
lap dst 25 lap src 69 Telnet: 'e'
lap dst 69 lap src 25 Telnet: ' '
lap dst 25 lap src 69 Telnet: 'g'
lap dst 69 lap src 25 Telnet: ' '
lap dst 25 lap src 69 Telnet: 'm'
lap dst 69 lap src 25 Telnet: ' '
lap dst 25 lap src 69 Telnet: 'a'
lap dst 69 lap src 25 Telnet: ' '
Where, you ask, are the missing letters? They don't show up, because the
server doesn't reveal them on the user's screen, so the ol' peeking over
the shoulder technique won't work, unless you can follow someone's typing
fingers, which is hella difficult.
Okey dokey. You've got your userid and password. Go have fun now.
Unless, of course you want to hear about the other fun you can have with a
sniffer. Say for example, you're trolling around and see someone is
reading PORNO stories on usenet. One time I found this kid reading stories
about some little boy getting off by being spanked by his mom. What a
fucking weirdo! Anyway, you can pinpoint who is doing what pretty easily.
Use another program, like Trawl or Interpoll, and you'll be able to see
what every locally networked computers' addresses are. Usually you can get
the owner name too. Also, you can set Watch to filter out everything
except the traffic between two addresses. This is particularly useful,
because most of the time there will be so much fucking trash flying back
and forth, that it will be difficult to wade through it all.
This method is sort of a bitch to use, because you may have to just wait
and be lucky to get the password. You can be sneaky though like this:
Call some bastard up whose password you want. Be at a computer, if
necessary in his/her zone.
You: "Hey Jerky, didja get that kewl mail I sentya?
Them: "Uh, let me check..."
(Fire up your sniffer and do it quick!)
Them: "Hold on..."
(click, click, click, as they type away)
Them: "All it says is 'hi.'"
You: "Oh whoops, I'll have to send it again. Bye."
Hang up, stop the packet collection and you've got paydirt.
If someone uses a desktop based mailing program, like Eudora, the
collecting account passwords is even easier. The packets will be marked
"TCP" instead of "Telnet" and in the text of the packet (you'll have to
check the full details of the packet for this) you'll find the whole text
of the userid's and passwords inside.
Sniffers are good for a lot of other shit too, so play around with them and
see what you get. Unfortunately, Apple Fileserver (AFS) passwords are a
bear to get, since they are usually two-way scrambled (sys 7.1 and higher,
I believe). I'm trying to figure out the encryption, but it's not really
my department. In any event, someone's account password will very often be
their server password too.
Although some systems are switching over to Kerberos protected transmission
of all packets across their LANs, most are still wide open. Doing
something butt-stupid, like changing someone's password on them, will only
result in them getting back into their account in a matter of hours, so be
creative. It's pretty fun just to watch (hence the name) the dark sides of
all the people you know. Then go up to them and say shit like, "Spank much
lately?" Have fun with this, and don't get caught.
-spooty
