Is it possible to extract the root password from the file system?

Ben Trussell azlobo73 at gmail.com
Sun Jul 17 10:39:09 MST 2011


[possible_device_bricking_advice]

You might try just extracting the tarball, editing the shadow file, removing
the root password altogether (::), then re-tarring the extracted archive, then
re-flashing with the updated tarball.  Then hit 'enter' for the root
password, and then set it to whatever you want after login as root.  This is
of course untested and possibly bad advice.  And of course depends on the
last bullet item you listed below.

http://tldp.org/LDP/lame/LAME/linux-admin-made-easy/shadow-file-formats.html

[/possible_device_bricking_advice]

On Sun, Jul 17, 2011 at 9:44 AM, Mark Phillips <mark at phillipsmarketing.biz> wrote:

> Bryan,
>
> I think what you are missing is the "...and you know your password...". I
> don't know the root password for the NAS box. That is what I am trying to
> figure out so I can ssh into the box as root. What I have:
>
> * Buffalo NAS LS-WXL with firmware rev 1.43
>
> * I can ssh as root and get a password prompt.
>
> * I can ftp into the box as a user that I created, but cannot get to the
> filesystem that way.
>
> * I have downloaded the firmware and unzipped it. One thought is to add a
> key to ssh for root and login. Reflashing the unit with firmware that does
> not come from the Buffalo site is not well documented, so I have put this
> possible solution on hold for the time being.
>
> * I just found the info about using some type of php exploit, hence my
> previous email. I am not a php guy, so I am a little lost on how to make it
> work.
>
> Does this elicit any thoughts on how to crack the root password for this
> box?
>
> Thanks!
>
> Mark
>
>
> On Sun, Jul 17, 2011 at 4:31 PM, Bryan O'Neal <
> Bryan.ONeal at theonealandassociates.com> wrote:
>
>> If you can get a copy of the password hash file. And you know your
>> password. Then you should be able to figure out the hash function and
>> JTR should give you every password on the box. So... I seem to be
>> missing something in this conversation thread?
>>
>> On 7/17/11, Mark Phillips <mark at phillipsmarketing.biz> wrote:
>> > On Sun, Jul 17, 2011 at 3:54 AM, Lisa Kachold <lisakachold at obnosis.com> wrote:
>> >
>> >> There are a lot of password files and dictionary lists on various sites.
>> >> Backtrack5 contains a good number.
>> >>
>> >> But I imagine that it's either not allowing root via ssh or you have the
>> >> wrong username.
>> >>
>> >
>> > It turns out the box is smarter than a fifth grader.....after a few hydra
>> > attacks, it started rejecting all the hydra attempts to ssh in via root.
>> > Once I stopped hydra (after running all night), it took a couple of hours
>> > before it would respond to ssh attempts from root. It now will ask for the
>> > root password, but I still have no idea what it is.
>> >
>> >>
>> >> Or it's a truly random string.
>> >>
>> > It could be....the password for the zip file to unzip the file system is
>> >
>> >  YvSInIQopeipx66t_DCdfEvfP47qeVPhNhAuSYmA4
>> >
>> > . Someone retrieved it using a disassembler on the file system.
>> >
>> > I did some more reading, and one person was able to use php to allow ssh
>> > login. The box allows one to create a web space, and it comes with php
>> > installed. One can edit the php.ini file, and I can upload via ftp a php
>> > script. The script they suggested is:
>> > <?php
>> > $file = '../../../../etc/pam.d/sshd';
>> > $fh=fopen($file, 'w') or die("can't open file");
>> > $stringData = "account  required   pam_unix.so\n";
>> > fwrite($fh, $stringData);
>> > $stringData = "session  required   pam_unix.so\n";
>> > fwrite($fh, $stringData);
>> > $stringData = "auth required pam_permit.so\n";
>> > fwrite($fh, $stringData);
>> > fclose($fh);
>> > ?>
>> >
>> > I uploaded the script, but I get a 404 File not Found when I access the
>> > page. I thought it might be a file permission error since the file is only
>> > rw. I tried chmod 777 at the ftp prompt, and got the error message File not
>> > Found, but ls shows it is there.
>> >
>> > ftp> ls
>> > 200 PORT command successful
>> > 150 Opening ASCII mode data connection for file list
>> > drwxrwxrwx   2 apache   apache          6 Jul 17 08:23 cgi-bin
>> > drwxrwxrwx   2 apache   apache         22 Jul 17 08:23 htdocs
>> > drwxrwxrwx   2 apache   apache         39 Jul 17 08:23 log
>> > -rw-rw-rw-   1 hammerhead hdusers       335 Jul 17 08:49 script.php
>> > 226 Transfer complete
>> > ftp> chmod 777 script.php
>> > 550 CHMOD 777 script.php: No such file or directory
>> > ftp>
>> >
>> > Is there anything I can change in the php.ini file to make this script
>> > execute? Or, am I missing something else?
>> >
>> > BTW, I cannot ftp as root, but I can ftp as a user I created, hammerhead.
>> >
>> > Thanks,
>> >
>> > Mark
>> >
>> >>
>> >> On Fri, Jul 15, 2011 at 10:33 PM, Mark Phillips <
>> >> mark at phillipsmarketing.biz> wrote:
>> >>
>> >>> Since this is a drive buffalo, I might try ettercap ssh downgrade attack:
>> >>>>
>> >>>> http://openmaniak.com/ettercap_filter.php
>> >>>> http://sites.google.com/site/clickdeathsquad/Home/cds-ssh-mitmdowngrade
>> >>>>
>> >>>> Not sure how a man in the middle attack will work, since I don't know
>> >>>> the password to begin with...
>> >>>
>> >>> Or Hydra:
>> >>>>
>> >>>> Hydra Instructions:
>> >>>>
>> >>>> http://www.youtube.com/watch?v=7CP-JB4QARo
>> >>>>
>> >>>>>
>> >>>>>> Hydra is promising. I tried it with the common passwords list from openwall. No luck. Do you have any better password lists?
>> >>>
>> >>> Thanks,
>> >>>
>> >>> Mark
>> >>>
>> >>> ---------------------------------------------------
>> >>> PLUG-discuss mailing list - PLUG-discuss at lists.plug.phoenix.az.us
>> >>> To subscribe, unsubscribe, or to change your mail settings:
>> >>> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>> >>>
>> >>
>> >>
>> >
>>
>> --
>> Sent from my mobile device
>>
>
>
>
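
A defender-side check for the two changes discussed in this thread, an empty root password field (`::`) in the shadow file and an `auth required pam_permit.so` line in `/etc/pam.d/sshd`, as an added example that is not part of the original messages. The function names and sample inputs are constructed for illustration, and the PAM check is a heuristic that does not follow `include` lines.

```python
def audit_shadow(text):
    """Return [(user, issue)] for shadow entries that need no password."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        # "user::" means the password field is empty: login needs no password.
        if len(fields) >= 2 and fields[1] == "":
            findings.append((fields[0], "empty password field"))
    return findings

def audit_pam_auth(text):
    """Return auth-stack lines where pam_permit.so is reached with no
    pam_deny.so before it (heuristic; 'include' lines are not followed)."""
    issues, seen_deny = [], False
    for raw in text.replace("\\\n", " ").splitlines():  # join continuations
        tokens = raw.split("#", 1)[0].split()
        if len(tokens) < 3 or tokens[0].lstrip("-") != "auth":
            continue
        idx = 1  # control field; may be bracketed: [success=1 default=ignore]
        if tokens[1].startswith("["):
            while idx < len(tokens) - 1 and not tokens[idx].endswith("]"):
                idx += 1
        if idx + 1 >= len(tokens):
            continue
        module = tokens[idx + 1].rsplit("/", 1)[-1]
        if module == "pam_deny.so":
            seen_deny = True
        elif module == "pam_permit.so" and not seen_deny:
            issues.append(" ".join(tokens))
    return issues

# Constructed sample inputs (not taken from any real device).
SHADOW_SAMPLE = """root::15172:0:99999:7:::
admin:$1$constructed$notarealhash:15172:0:99999:7:::
nobody:*:15172:0:99999:7:::
"""
# The three lines the PHP script quoted in the thread writes to pam.d/sshd.
PAM_TAMPERED = """account  required   pam_unix.so
session  required   pam_unix.so
auth required pam_permit.so
"""
# Constructed stack where pam_permit.so is only reached after pam_unix.so succeeds.
PAM_STOCK = """auth [success=1 default=ignore] pam_unix.so
auth requisite pam_deny.so
auth required pam_permit.so
"""
```

Run both functions over the `etc/shadow` and `etc/pam.d/*` files of an unpacked firmware image or a mounted disk; any non-empty result means the account or service accepts logins without verifying a credential.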