Is it possible to extract the root password from the file system?

Matt Graham danceswithcrows at usa.net
Tue Jul 12 13:50:30 MST 2011


From: Mark Phillips <mark at phillipsmarketing.biz>
> I was able to unzip the firmware to my laptop and it appears that
> ssh root login is now enabled in the stock firmware. I confirmed
> this by trying ssh to the machine.....but, I need the root password
> to login. How can I extract the root password from the file system
> for the device?

> I assume Linux/Linus has made it impossible to get at the root
> password this way (e.g. from a copy of the file system)

Not impossible.  Just annoyingly difficult.  And there's got to be a better
way than that.  But to get the password via brute-force, read on:

/etc/shadow should contain a line like:

root:$1$02PZeP4V$oh.for.hecks.sake:0:99999:7:::

...Take a look at the second field.  The part between the first and last $ is
the salt, and the rest is the crypted password.  If the second field is empty,
then root's password is the empty string.  If the second field contains *, !,
or x, then the crypt() function can't generate that string, and root can't
log in with a password.  But then you could do something like

/* testcrypt.c
 * gcc -o testcrypt testcrypt.c -lcrypt */
#define _XOPEN_SOURCE 700   /* exposes crypt() via <unistd.h> on older glibc */
#include <stdio.h>
#include <unistd.h>
#include <crypt.h>          /* current glibc/libxcrypt declare crypt() here */

int main(int argc, char **argv)
{
    /* "$1$" selects MD5-crypt; 02PZeP4V is the salt from the shadow line above */
    char *salt = "$1$02PZeP4V$";
    char *hash;

    if (argc < 2) {
        fprintf(stderr, "usage: %s password\n", argv[0]);
        return 1;
    }
    hash = crypt(argv[1], salt);   /* NULL if the scheme/salt is unsupported */
    if (hash == NULL) {
        perror("crypt");
        return 1;
    }
    printf("%s crypted with %s is: %s\n", argv[1], salt, hash);
    return 0;
}
/* end C */

strncmp() the result of crypt() with the oh.for.hecks.sake portion of the
string from /etc/shadow, and if you get 0, you've got a password match.
You'd probably have to go through a very long list of strings before finding
the right one.  There's no telling what they picked.  I'd guess the password
would be somewhere in the manual or the docs, but ICBW.

You might be able to take the firmware's shadow file, replace the crypted
string for root with your own crypted string from your own Linux box's shadow
file, then pack up that firmware and install it on the device.  Then you'd
know root's password.

-- 
Matt G / Dances With Crows
The Crow202 Blog:  http://crow202.org/wordpress/
There is no Darkness in Eternity/But only Light too dim for us to see
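
A worked version of the brute-force check described above, added here as an
example and not part of the post or the list thread.  It pulls the root line
out of a constructed /etc/shadow sample, classifies the second field (empty,
locked, or "$1$" MD5-crypt), and tries a small constructed wordlist.  Instead
of linking against libcrypt it reimplements the $1$ algorithm on top of
hashlib, so it runs anywhere Python does.  Note that crypt() output begins
with the same "$1$salt$" prefix as the shadow field, so the comparison is
against the whole field rather than the part after the last $.  The sample
hash is the published md5crypt example "$1$28772684$iEwNOgGugqO9.bIz5sk8k/"
(plaintext "hashcat"); the other user names, the wordlist and the function
names are made up for this example.

```python
"""Offline check of a root entry from /etc/shadow (added example, not from the post).

Assumes the hash field is MD5-crypt ("$1$..."), reimplemented here on hashlib
so nothing needs to link against libcrypt. Shadow lines and wordlist are
constructed sample data; only the root hash is a published test vector.
"""
import hashlib
import hmac
from typing import Iterable, Optional

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, count: int) -> str:
    """crypt(3)-style base64: 6 bits per character, least significant first."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def md5crypt(password: str, salt: str) -> str:
    """MD5-crypt ($1$) as in the original FreeBSD/glibc implementation."""
    magic = b"$1$"
    pw = password.encode()
    # The salt is at most 8 characters and stops at the first '$'.
    salt_b = salt.split("$", 1)[0][:8].encode()

    ctx = hashlib.md5(pw + magic + salt_b)
    alt = hashlib.md5(pw + salt_b + pw).digest()
    # Feed one byte of MD5(pw,salt,pw) for every byte of the password.
    remaining = len(pw)
    while remaining > 0:
        ctx.update(alt[: min(16, remaining)])
        remaining -= 16
    # Walk the bits of len(pw): a zero byte for 1-bits, pw[0] for 0-bits.
    i = len(pw)
    while i:
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()

    # 1000 rounds mixing password, salt and the previous digest in a fixed pattern.
    for i in range(1000):
        ctx1 = hashlib.md5()
        ctx1.update(pw if i & 1 else final)
        if i % 3:
            ctx1.update(salt_b)
        if i % 7:
            ctx1.update(pw)
        ctx1.update(final if i & 1 else pw)
        final = ctx1.digest()

    # Output bytes are interleaved in the order the reference code uses.
    groups = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    encoded = "".join(
        _to64((final[a] << 16) | (final[b] << 8) | final[c], 4) for a, b, c in groups
    )
    encoded += _to64(final[11], 2)
    return magic.decode() + salt_b.decode() + "$" + encoded


def shadow_hash_field(shadow: str, user: str = "root") -> str:
    """Return the second field of the named user's /etc/shadow line."""
    for entry in shadow.splitlines():
        fields = entry.split(":")
        if len(fields) >= 2 and fields[0] == user:
            return fields[1]
    raise KeyError(user)


def classify(field: str) -> str:
    """What the second field means for password login."""
    if field == "":
        return "empty password"
    if field.startswith(("*", "!")) or field == "x":
        return "locked (no password login)"
    if field.startswith("$1$"):
        return "md5crypt"
    return "unsupported scheme"


def crack_md5crypt(field: str, candidates: Iterable[str]) -> Optional[str]:
    """Try each candidate against the whole field (crypt output includes $1$salt$)."""
    if classify(field) != "md5crypt":
        return None
    salt = field.split("$")[2]
    for cand in candidates:
        if hmac.compare_digest(md5crypt(cand, salt), field):
            return cand
    return None


# Constructed sample shadow file; the root hash is the public md5crypt
# example "$1$28772684$iEwNOgGugqO9.bIz5sk8k/" whose plaintext is "hashcat".
SAMPLE_SHADOW = (
    "root:$1$28772684$iEwNOgGugqO9.bIz5sk8k/:0:99999:7:::\n"
    "daemon:*:19000:0:99999:7:::\n"
    "admin:!:19000:0:99999:7:::\n"
)
SAMPLE_WORDLIST = ["admin", "password", "toor", "hashcat", "changeme"]

if __name__ == "__main__":
    field = shadow_hash_field(SAMPLE_SHADOW)
    print("root field:", classify(field))
    print("match:", crack_md5crypt(field, SAMPLE_WORDLIST))
```

To use it on a real firmware image, replace SAMPLE_SHADOW with the contents
of the extracted /etc/shadow and feed a real wordlist to crack_md5crypt();
a "$5$" or "$6$" prefix means SHA-crypt, which this md5crypt() does not
handle.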