Re: Hack possibilities

Thanks for your answers.

Walt : "How hard did you try? It's usually available."
I tried with a personnal "brute force" : it try "ypcat [shadow-name].[by-x]", where shadow-name is the text "shadow" transformed in many ways (case, transforms letters : o->0, etc)
and by-x represents the differents sorting value (byname....)
It was often the same answer : "table doesn't exist".

The table "shadow.byname" exists, but is outdated, and doesn't
correspond to the passwd list I've retrieved before (which is valid).
It's like a Win2k server I've tested : the NTLM hash was the real hash,
but the LM hash was the old one, because the admin changed it's
password after having disabled the LM hash.

So I hope it's the same here : the remote shadow listing is disabled.

Walt: "The current recommendation is to use LDAP, or even better,
Kerberos."
I'll tell my friend about those possibilities, he's the only one to manage and to know he's network configuration.

tom87.21@xxxxxxxxx a écrit :

Hi !

I'm testing a network that a friend had prepared for a contest, and I
would like to know more about NIS accounts security.

I've tried to hack it, with a simple user accound, and I saw that I
could get the account list, in a 'passwd-like' format. I used the
command ypcat to retrieve it.

Fortunalety for my friend, the 'shadow-like' list don't appear with the
same way. But I'm not a guru and I would like to know if the ypcat is
able to retrieve the shadow passwords list, and if so if it's possible
to delete execution access on ypcat (via chmod), without further
problems in user-login etc. Else, does exist tips to force ypcat to be
discret ?

Thanks for answer.

.