HackFest Tomorrow@ Gangplankhq.com in Chandler Noon-3PM
Hackfest in Chandler, Noon-3PM at Gangplankhq.com, 250 Arizona Avenue.

We have a lab tomorrow with flags (a la VMware) including Exploitable and Debian Lenny (and a few others) for your exploitation glee. I also will go through a quick Metasploit demonstration using WebDAV.

We also will be going over DefCon 19 (August 4-Aug 7 2011) presentations and discussions: https://www.defcon.org/html/defcon-19/dc-19-index.html Almost all of their presentations are made available somewhere, so if you can't go, be assured you will actually get more out of the videos and other materials that come out of the events.

http://hackfest.obnosis.com
http://plug.phoenix.az.us

--
(602) 791-8002 Android
(623) 239-3392 Skype
(623) 688-3392 Google Voice **
http://www.homesmartinternational.com
---
PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
Re: Is it possible to extract the root password from the file system?
Mark,

On Thu, Jul 14, 2011 at 6:56 PM, Mark Phillips <m...@phillipsmarketing.biz> wrote:

> Lisa,
>
> John the Ripper has been running for almost 2 days trying to crack the password...still no success. I think it's hung.

What options did you pass it?

Did you feed it a dictionary file?

It probably has a different encryption format than the linux john is on.

What ports are open on the thing? SSH?

You can try ettercap with arp spoof MITM? :)

> Mark
>
> On Jul 14, 2011 4:28 PM, Lisa Kachold <lisakach...@obnosis.com> wrote:
>
>> If you don't have the ability to boot something like a DVD/CD or USB key, try john the ripper?
>>
>> Save the encrypted string to a test file and run it through john the ripper running on your system:
>>
>> Ubuntu:
>> # apt-get install john
>>
>> Centos/RH/Fedora:
>> # yum install john
>>
>> Example use:
>> # john -single crackme.txt
>>
>> References:
>> http://www.openwall.com/john/doc/
>> http://www.google.com/url?sa=tsource=videocd=1ved=0CDIQtwIwAAurl=http%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3D3YyscD_tADkrct=jq=john%20the%20rippertbm=videi=t3ofTsXRNqTv0gHB2bmYAwusg=AFQjCNE8vdlkxhwQ15zCuBePI9Y9qk3mAQcad=rja
>> http://www.osix.net/modules/article/?id=455
>>
>> On Thu, Jul 14, 2011 at 11:19 AM, Sam Kreimeyer <skrei...@gmail.com> wrote:
>>
>>> Hello Mark,
>>>
>>> Have you tried using Kon-Boot? It's a bootable image that edits the kernel to bypass the password prompt.
Re: Is it possible to extract the root password from the file system?
On Fri, Jul 15, 2011 at 7:27 PM, Lisa Kachold <lisakach...@obnosis.com> wrote:

> Mark,
>
> On Thu, Jul 14, 2011 at 6:56 PM, Mark Phillips <m...@phillipsmarketing.biz> wrote:
>
>> Lisa,
>>
>> John the Ripper has been running for almost 2 days trying to crack the password...still no success. I think it's hung.

Nope. The log file keeps spitting out what it is testing. I stopped it today and moved the process to another machine. You can see the results as reported in the log file at http://pastebin.com/pBZHfAS2 when I stopped the program. The other machine is slower (about 1.85 times slower, so it will take until Monday for it to catch up...the original machine was a x64, and the new machine is an i386, so I couldn't resume on the new machine). I will let you know if it finds the password after a week or two ;-)

> What options did you pass it?

None. Except that I used another program that came with john to join the passwd and shadow files into one file. John needed that. I can send you the passwd file if you are interested.

> Did you feed it a dictionary file?

Just the one that came with john...

> It probably has a different encryption format than the linux john is on.
>
> What ports are open on the thing? SSH?
>
> You can try ettercap with arp spoof MITM?

SSH seems to be open since it asks for a password. rsync and telnet are all that I know. There is a java hack program acp_commander.jar that will connect with telnet, but I do not get any response from the device, although it says it is connected. acp-commander.jar used to be the way in, but since firmware version 1.41, it has not worked.

http://downloads.buffalo.nas-central.org/TOOLS/ALL_LS_KB_ARM9/ACP_COMMANDER/
http://buffalo.nas-central.org/index.php/Open_Stock_Firmware and my particular box.

I have downloaded the firmware for the box and modified it to accept ssh login without a password (using ssh keys). I just have not been able to reflash the unit. The web interface only flashes what it downloads from buffalo.com. The windows program the box came with does not have a way to flash the unit. Embedded in the firmware download is a windows exe which is supposed to be a program to flash the unit...just haven't had the intestinal fortitude to try it out...I need to find the way back in case I brick the device, and I haven't had time to research that.

Thanks for your interest!

P.S. You have no idea how hard it is to not type "dear john" every time I refer to the program john the ripper. ;-) Anyway, back to TGIF time ;-)

Mark
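Worked example, added here and not part of the thread, covering two things the messages above touch on: Lisa's advice to save the hash and feed it to john (and her question about the hash format), and Mark's step of joining passwd and shadow with the helper that ships with john (unshadow). The script merges a constructed passwd/shadow pair the way unshadow does, names the crypt(3) scheme from the hash prefix (the first thing to check when john "hangs" on an embedded box), and runs a small wordlist against a $1$ md5crypt hash with a pure-Python md5crypt. The sample accounts, salt, password and wordlist are all constructed; the real LinkStation's hash format is not known from the thread, and md5crypt is used only because it was the common scheme on embedded Linux of that period.

```python
import hashlib
import re

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
SCHEMES = {"1": "md5crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
           "5": "sha256crypt", "6": "sha512crypt", "y": "yescrypt"}


def unshadow(passwd_text, shadow_text):
    """Merge passwd and shadow the way john's unshadow does: the 'x' in the
    passwd password field is replaced by the hash from the matching shadow line."""
    hashes = {}
    for line in shadow_text.splitlines():
        if line and not line.startswith("#"):
            fields = line.split(":")
            hashes[fields[0]] = fields[1]
    merged = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        fields[1] = hashes.get(fields[0], fields[1])
        merged.append(":".join(fields))
    return "\n".join(merged)


def hash_format(h):
    """Name the crypt(3) scheme from the hash prefix, or say why there is no hash."""
    if h == "x":
        return "shadowed"          # real hash lives in /etc/shadow; unshadow first
    if h == "":
        return "empty"
    if h.startswith(("*", "!")):
        return "locked"
    m = re.match(r"^\$([^$]+)\$", h)
    if m:
        return SCHEMES.get(m.group(1), "unknown-$" + m.group(1))
    if re.fullmatch(r"[./0-9A-Za-z]{13}", h):
        return "descrypt"          # traditional DES crypt: 2-char salt + 11 chars
    return "unknown"


def md5crypt(password, salt):
    """$1$ md5crypt (Poul-Henning Kamp's algorithm, as in glibc and FreeBSD)."""
    pw, salt = password.encode(), salt.encode()[:8]
    alt = hashlib.md5(pw + salt + pw).digest()
    ctx = hashlib.md5(pw + b"$1$" + salt)
    n = len(pw)
    while n > 0:                   # mix in alt, one byte per password byte
        ctx.update(alt[:min(n, 16)])
        n -= 16
    n = len(pw)
    while n:                       # the "something really weird" step
        ctx.update(b"\0" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):          # fixed 1000-round stretching loop
        h = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            h.update(salt)
        if i % 7:
            h.update(pw)
        h.update(final if i & 1 else pw)
        final = h.digest()
    out = ""                       # md5crypt's own byte order and base64 alphabet
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        v = (final[a] << 16) | (final[b] << 8) | final[c]
        for _ in range(4):
            out += ITOA64[v & 0x3F]
            v >>= 6
    v = final[11]
    for _ in range(2):
        out += ITOA64[v & 0x3F]
        v >>= 6
    return "$1$" + salt.decode() + "$" + out


def crack(shadow_hash, wordlist):
    """Run the wordlist against one hash. Only md5crypt is implemented here;
    any other scheme is reported by hash_format() and left alone."""
    if hash_format(shadow_hash) != "md5crypt":
        return None
    salt = shadow_hash.split("$")[2]
    for candidate in wordlist:
        if md5crypt(candidate, salt) == shadow_hash:
            return candidate
    return None


# Constructed sample files (not from any real NAS): root has an md5crypt hash
# of a weak password, the second account is locked.
ROOT_HASH = md5crypt("buffalo1", "n4sS4lt1")
SAMPLE_PASSWD = "root:x:0:0:root:/root:/bin/sh\nmark:x:1000:1000::/home/mark:/bin/sh\n"
SAMPLE_SHADOW = "root:%s:15000:0:99999:7:::\nmark:!:15000:0:99999:7:::\n" % ROOT_HASH
WORDLIST = ["password", "123456", "admin", "buffalo1", "linkstation"]


def demo():
    """Return {user: (scheme, cracked password or None)} for the sample files."""
    results = {}
    for line in unshadow(SAMPLE_PASSWD, SAMPLE_SHADOW).splitlines():
        user, h = line.split(":")[:2]
        results[user] = (hash_format(h), crack(h, WORDLIST))
    return results


if __name__ == "__main__":
    for user, (scheme, pw) in demo().items():
        print("%s: format=%s cracked=%r" % (user, scheme, pw))
```

If hash_format() reports something other than a scheme john's default build knows, a default wordlist run will never finish usefully, which is the "hung" symptom; check the prefix before letting it run for days, and give john an explicit wordlist rather than relying on the one shipped with the package.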
Re: Is it possible to extract the root password from the file system?
On Fri, Jul 15, 2011 at 8:03 PM, Mark Phillips <m...@phillipsmarketing.biz> wrote:

> On Fri, Jul 15, 2011 at 7:27 PM, Lisa Kachold <lisakach...@obnosis.com> wrote:
>
>> Mark,
>>
>> On Thu, Jul 14, 2011 at 6:56 PM, Mark Phillips <m...@phillipsmarketing.biz> wrote:
>>
>>> Lisa,
>>>
>>> John the Ripper has been running for almost 2 days trying to crack the password...still no success. I think it's hung.
>
> Nope. The log file keeps spitting out what it is testing. I stopped it today and moved the process to another machine. You can see the results as reported in the log file at http://pastebin.com/pBZHfAS2 when I stopped the program. The other machine is slower (about 1.85 times slower, so it will take until Monday for it to catch up...the original machine was a x64, and the new machine is an i386, so I couldn't resume on the new machine). I will let you know if it finds the password after a week or two ;-)
>
>> What options did you pass it?
>
> None. Except that I used another program that came with john to join the passwd and shadow files into one file. John needed that. I can send you the passwd file if you are interested.
>
>> Did you feed it a dictionary file?
>
> Just the one that came with john...
>
>> It probably has a different encryption format than the linux john is on.
>>
>> What ports are open on the thing? SSH?
>>
>> You can try ettercap with arp spoof MITM?
>
> SSH seems to be open since it asks for a password. rsync and telnet are all that I know. There is a java hack program acp_commander.jar that will connect with telnet, but I do not get any response from the device, although it says it is connected. acp-commander.jar used to be the way in, but since firmware version 1.41, it has not worked.
>
> http://downloads.buffalo.nas-central.org/TOOLS/ALL_LS_KB_ARM9/ACP_COMMANDER/
> http://buffalo.nas-central.org/index.php/Open_Stock_Firmware and my particular box.
>
> I have downloaded the firmware for the box and modified it to accept ssh login without a password (using ssh keys). I just have not been able to reflash the unit. The web interface only flashes what it downloads from buffalo.com. The windows program the box came with does not have a way to flash the unit. Embedded in the firmware download is a windows exe which is supposed to be a program to flash the unit...just haven't had the intestinal fortitude to try it out...I need to find the way back in case I brick the device, and I haven't had time to research that.
>
> Thanks for your interest!
>
> P.S. You have no idea how hard it is to not type "dear john" every time I refer to the program john the ripper. ;-) Anyway, back to TGIF time ;-)
>
> Mark

Since this is a Buffalo drive, I might try ettercap ssh downgrade attack:
http://openmaniak.com/ettercap_filter.php
http://sites.google.com/site/clickdeathsquad/Home/cds-ssh-mitmdowngrade

Or Hydra:
Hydra Instructions: http://www.youtube.com/watch?v=7CP-JB4QARo
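Added example, not from the thread, of the SSH identification-string exchange (RFC 4253 section 4.2) that the ettercap SSH-downgrade filter linked above tampers with, so the mechanism is visible without running ettercap. A server that speaks both SSH-1 and SSH-2 announces itself as "SSH-1.99-..."; the classic filter rewrites that to "SSH-1.51-" (a v1-only announcement) on the way to the client, so a client that still accepts protocol 1 falls back to it, and the man in the middle can recover the password from the weak v1 session. The attack therefore needs someone who knows the password to log in while you are in the middle; it does not guess anything itself. The server banner, the filter rule and the two client policies (a permissive one and one that behaves like OpenSSH of that era with "Protocol 2") are constructed for this example.

```python
import re

# RFC 4253 4.2: "SSH-protoversion-softwareversion SP comments CR LF"
BANNER_RE = re.compile(r"^SSH-(\d+\.\d+)-(\S+)(?: (.*))?$")

# Constructed server banner: "1.99" is what a server that speaks both SSH-1
# and SSH-2 announces, which is exactly what the downgrade filter looks for.
SERVER_BANNER = b"SSH-1.99-OpenSSH_4.7p1 Debian-8ubuntu1\r\n"


def parse_banner(data):
    """Return (protoversion, softwareversion, comments) from the first line
    starting with 'SSH-'; a server may send other text lines before it."""
    for raw in data.splitlines():
        m = BANNER_RE.match(raw.decode("ascii", "replace"))
        if m:
            return m.group(1), m.group(2), m.group(3)
    raise ValueError("no SSH identification string in server data")


def downgrade_filter(server_to_client):
    """What the classic ettercap SSH-downgrade filter does to server traffic:
    rewrite the dual-protocol announcement to a v1-only one (1.99 -> 1.51).
    Everything else passes through untouched."""
    return server_to_client.replace(b"SSH-1.99-", b"SSH-1.51-")


def client_negotiate(server_banner, allow_v1):
    """The client side of the version exchange. allow_v1=False models a client
    configured with 'Protocol 2'; it never falls back to SSH-1."""
    proto, _, _ = parse_banner(server_banner)
    if proto in ("2.0", "1.99"):
        return "v2"
    if allow_v1 and proto.startswith("1."):
        return "v1"            # weak protocol: the MITM can recover the password
    raise ConnectionError("server offers SSH-%s, refusing to connect" % proto)


def run_exchange(allow_v1, mitm):
    """One connection: the server's banner crosses the wire (through the filter
    if a MITM is in place) and the client decides.
    Returns (banner the client saw, 'v2' | 'v1' | 'refused')."""
    on_wire = downgrade_filter(SERVER_BANNER) if mitm else SERVER_BANNER
    try:
        outcome = client_negotiate(on_wire, allow_v1)
    except ConnectionError:
        outcome = "refused"
    return on_wire.decode().strip(), outcome


if __name__ == "__main__":
    for allow_v1 in (True, False):
        for mitm in (False, True):
            print("allow_v1=%-5s mitm=%-5s -> %s"
                  % (allow_v1, mitm, run_exchange(allow_v1, mitm)))
```

The four runs show the whole story: without the filter both clients speak v2; with it the permissive client silently drops to v1, and the strict client refuses rather than downgrade. On the defending side that is the check to make, and on the attacking side it is why the filter only helps when the victim's client still allows protocol 1.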
Re: Is it possible to extract the root password from the file system?
> Since this is a Buffalo drive, I might try ettercap ssh downgrade attack:
> http://openmaniak.com/ettercap_filter.php
> http://sites.google.com/site/clickdeathsquad/Home/cds-ssh-mitmdowngrade

Not sure how a man in the middle attack will work, since I don't know the password to begin with...

> Or Hydra:
> Hydra Instructions: http://www.youtube.com/watch?v=7CP-JB4QARo

Hydra is promising. I tried it with the common passwords list from openwall. No luck. Do you have any better password lists?

Thanks,

Mark