Mark, Openwall is one of the better free lists out there. BT5 has darkc0de in it (17mb). I can't think of any others that you don't have to pay for. However, you can pass rules to JTR for creating word permutations on the fly to expand your list (use the --rules option [note: default rules will increase the dictionary size about 40x]) or add entries yourself to the text file. If you have a good guess as to words the password probably contains, you could use that with the word rules to make a custom dictionary to run against it. Given how long your first dictionary attack ran, though, I would say that getting a larger dictionary (and you can get some that are several gigs) might be prohibitively time consuming. If you really want to go that route, then I'd try it with something like hashcat or other hash generator that can utilize a GPU. Even economy ATI and Nvidia cards can greatly speed the process. Just a thought, do you know if JTR is running the right hashing algorithm? The first number in the /etc/shadow file should tell you. Not too long ago I wasted a few hours waiting for JTR to crack the wrong hashed password before I realized what happened. The --format option will take care of that. This may be a silly question, but is it possible to boot the NAS in rescue mode? If that's not an option, the only other alternative I can think of would be looking for services vulnerable to privilege escalation. http://www.exploit-db.com/ might have some useful code for that. Just do a search for some of the services on the system. I hope it works out!