Contrary to popular belief, UNIX passwords cannot be decrypted. UNIX
passwords are encrypted with a one-way function. The login program encrypts
the text you enter at the “Password:” prompt and compares that encrypted
string against the encrypted form of your password.

Password cracking software uses wordlists. Each word in the wordlist is
encrypted and the results are compared to the encrypted form of the target

The best cracking program for UNIX passwords is currently Crack by Alec
Muffett. For PC-DOS, the best package to use is currently CrackerJack.

Password Shadowing:
Password shadowing is a security system where the encrypted password field
of /etc/passwd is replaced with a special token and the encrypted password
is stored in a separate file which is not readable by normal system users.

To defeat password shadowing on many (but not all) systems, write a program
that uses successive calls to getpwent() to obtain the password file.

Finding the shadowed password:
UNIX                  Path                            Token
AIX 3                 /etc/security/passwd            !
                      /tcb/auth/files/[first letter   #
                        of username]/[username]
A/UX 3.0s             /tcb/files/auth/?/*
BSD4.3-Reno           /etc/master.passwd              *
ConvexOS 10           /etc/shadpw                     *
ConvexOS 11           /etc/shadow                     *
DG/UX                 /etc/tcb/aa/user/               *
EP/IX                 /etc/shadow                     x
HP-UX                 /.secure/etc/passwd             *
IRIX 5                /etc/shadow                     x
Linux 1.1             /etc/shadow                     *
OSF/1                 /etc/passwd[.dir|.pag]          *
SCO UNIX #.2.x        /tcb/auth/files/[first letter   *
                        of username]/[username]
SunOS4.1+c2           /etc/security/passwd.adjunct    ##username
SunOS 5.0             /etc/shadow
                      [optional NIS+ private secure maps/tables/whatever]
System V Release 4.0  /etc/shadow                     x
System V Release 4.2  /etc/security/* database
Ultrix 4              /etc/auth[.dir|.pag]            *
UNICOS                /etc/udb                        *
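
An administrator's check for the shadowing described above, as an added example that is not part of the original FAQ: it classifies the password field of each passwd-format entry as a placeholder token, an exposed hash, or empty. The function names, the hash-shape patterns and the sample entries are assumptions constructed for illustration.

```python
import re

# Placeholder tokens from the table above; "##username" is handled separately.
SHADOW_TOKENS = {"x", "*", "!", "#"}
# Traditional DES crypt(3) output: 13 characters from [./0-9A-Za-z].
DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")
# Modular crypt format used by later schemes, e.g. $1$salt$hash.
MODULAR_CRYPT = re.compile(r"^\$[0-9a-z]+\$.+")

def classify_field(name, field):
    """Classify the password field of one passwd entry."""
    if field == "":
        return "empty"          # account has no password at all
    if field in SHADOW_TOKENS or field == "##" + name:
        return "shadowed"       # real hash lives in the protected file
    if DES_CRYPT.match(field) or MODULAR_CRYPT.match(field):
        return "exposed-hash"   # hash is readable by every local user
    return "other"              # lock marker or vendor-specific value

def audit_passwd(lines):
    """Return {status: [usernames]} for passwd-format lines."""
    report = {}
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 7:      # passwd entries have seven fields
            report.setdefault("malformed", []).append(parts[0])
            continue
        status = classify_field(parts[0], parts[1])
        report.setdefault(status, []).append(parts[0])
    return report

# Constructed sample entries (not taken from a real system).
SAMPLE = [
    "root:x:0:0:root:/root:/bin/sh",
    "alice:##alice:1001:100:Alice:/home/alice:/bin/sh",
    "bob:AbCdEfGhIjKlM:1002:100:Bob:/home/bob:/bin/sh",
    "guest::1003:100:Guest:/home/guest:/bin/sh",
    "daemon:*:1:1:daemon:/:/sbin/nologin",
    "carol:$1$abcdefgh$0123456789abcdefghijkl:1004:100:Carol:/home/carol:/bin/sh",
    "nobody:*LK*:65534:65534:nobody:/:/sbin/nologin",
]

if __name__ == "__main__":
    for status, names in sorted(audit_passwd(SAMPLE).items()):
        print(f"{status:13} {', '.join(names)}")
```

Any account reported as exposed-hash or empty is one where shadowing is not protecting the password. Feeding the function the entries that getpwent() returns to an unprivileged user, rather than the file itself, shows whether the system is one of those on which shadowing can be defeated that way.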