The Hack FAQ

27.0 Unix Accounts

The following section deals with Accounts on Unix systems.

27.1 What are common accounts and passwords for Unix?

All Unix systems have an account called root. This account is also commonly known as the superuser. Actually, any account with a user ID (UID) and group ID (GID) of zero could be considered a superuser account. It is possible that a system administrator will rename the root account for obfuscation, but this is rather impractical as many applications not only require that there be an account with UID zero but also require the name of the account be "root" to perform certain functions. As administrators do not wish to create more problems for themself, or have to patch more code than neccessary, this is a rare occurence.

Oh, and unless you've been living under a rock, you should already know that root is the holy name of God in Unix.

Here are a few other accounts and passwords (if known) commonly found on Unix systems:

System	Account	Password	Purpose
Some	guest	(none)	Guest Access
Some	demo	(none)	Demo access
Some	games	(none)	Play games
Some	nuucp	(none)	UUCP access
Some	daemon	(none)	Typically invalid for direct access
Some	bin	(none)	Typically invalid for direct access
Some	man	(none)	Typically invalid for direct access
Some	lpd	(none)	Typically invalid for direct access
Some	sys	(none)	Typically invalid for direct access
Some	nobody	(none)	Typically invalid for direct access
Some	ftp	(none)	Anonymous FTP acccess, requests email address in lieu of password
AIX	guest	guest	Guest access
NeXT	root	NeXT	god (default password on shipped systems)
NeXT	signa	signa	Guest account
NeXT	me	(none)	Not seen on all systems
SGI/IRIX	4DGifts	(none)	Unknown
SGI/IRIX	lp	(none)	Unknown
SGI/IRIX	tour	(none)	Unknown
SGI/IRIX	tutor	(none)	Unknown
SGI/IRIX	demos	(none)	Unknown

27.2 How can I figure out valid account names for Unix?

Remotely, you have a few things you can try. Here are a few suggestions:

finger: By typing in 'finger @targethost', you may get users that are currently logged in. This will give you a few accounts. Also by typing 'finger account@targethost' you may be able to determine if that account is valid, and possibly the last time it has been accessed. Unfortunately, most Unix systems refuse finger requests from remote hosts, so this usually doesn't do you a lot of good. But if finger is allowed, it can return a lot of information. Try running finger with a '-l' for more verbose listings. If you gain local access, use 'finger account' to get info on other accounts on the system. For example, if 'finger root' returns info about an administrator named Fred, then 'finger fred', which may reveil Fred's regular account.
rusers: You can run 'rusers example.com' which may return remote user info if the service is allowed.
whois: Doing a 'whois example.com' will return info about who is responsible for the domain, and usually includes valid account names. You can use this to possibly determine other account names, and odds are very good that the administrative contact and/or the technical contact have the system privileges you desire.
mail: Often by telnetting to the mail server and trying to verify or expand names you can learn account names. By typing 'telnet example.com 25' and typing in 'EXPN account' or 'VRFY account' will tell you if that account is valid. You may have to type in 'HELO' or some other commands before you can do an EXPN or VRFY.

A lot of administrators are aware of the above techniques, and will often treat these probes as attacks themselves. Many sites refuse finger and ruser accesses, and a lot of sites have configured their mailer to either not respond to VRFY and EXPN or simply return nothing of value. Odds are good that sites that refuse these types of probes are usually logging these types of probes, so you may wish to probe from one location and attack from another.

If you can gain access locally, such as through a guest account, there are a number of things you can do to view possible account names. Try using some of the finger techniques from above minus the targethost, try typing 'w' or 'who' or even 'more /etc/passwd' to get account names.

Top | Next: Unix Passwords | Previous: Netware Mathematical/Theoretical Info | Table of Contents