Bryan,

I think what you are missing is the "...and you know your password...". I don't know the root password for the NAS box. That is what I am trying to figure out so I can ssh into the box as root. What I have:

* Buffalo NAS LS-WXL with firmware rev 1.43

* I can ssh as root and get a password prompt.

* I can ftp into the box as a user that I created, but cannot get to the filesystem that way.

* I have downloaded the firmware and unzipped it. One thought is to add a key to ssh for root and login. Reflashing the unit with firmware that does not come from the Buffalo site is not well documented, so I have put this possible solution on hold for the time being.

* I just found the info about using some type of php exploit, hence my previous email. I am not a php guy, so I am a little lost on how to make it work.

Does this elicit any thoughts on how to crack the root password for this box?

Thanks!

Mark

On Sun, Jul 17, 2011 at 4:31 PM, Bryan O'Neal <Bryan.ONeal@theonealandassociates.com> wrote:
if you can get a copy of the password hash file. And you know your
password. Then you should be able to figure out the hash function and
JTR should give you every password on the box. So... I seem to be
missing something in this conversation thread. ?

On 7/17/11, Mark Phillips <mark@phillipsmarketing.biz> wrote:
> On Sun, Jul 17, 2011 at 3:54 AM, Lisa Kachold
> <lisakachold@obnosis.com>wrote:
>
>> There are alot of password files and dictionary lists on various sites.
>> Backtrack5 contains a good number.
>>
>> But I imagine that it's either not allowing root via ssh or you have the
>> wrong username.
>>
>
> It turns out the box is smarter than a fifth grader.....after a few hydra
> attacks, it started rejecting all the hydra attempts to ssh in via root.
> Once I stopped hydra (after running all night), it took a couple of hours
> before it would respond to ssh attempts from root. It now will ask for the
> root password, but I still have no idea what it is.
>
>>
>> Or it's a truely random string.
>>
> It could be....the password for the zip file to unzip the file system is
>
>  YvSInIQopeipx66t_DCdfEvfP47qeVPhNhAuSYmA4
>
> . Someone retrieved it using a disassembler on the file system.
>
> I did some more reading, and one person was able to use php to allow ssh
> login. The box allows one to create a web space, and it comes with php
> installed. One can edit the php.ini file, and I can upload via ftp a php
> script. The script they suggested is:
> <?php
> $file = '../../../../etc/pam.d/sshd';
> $fh=fopen($file, 'w') or die("can't open file");
> $stringData = "account  required   pam_unix.so\n";
> fwrite($fh, $stringData);
> $stringData = "session  required   pam_unix.so\n";
> fwrite($fh, $stringData);
> $stringData = "auth required pam_permit.so\n";
> fwrite($fh, $stringData);
> fclose($fh);
> ?>
>
> I uploaded the script, but I get a 404 File not Found when I access the
> page. I thought it might be a file permission error since the file is only
> rw. I tried chmod 777 at the ftp prompt, and got the error message File not
> Found, but ls shows it is there.
>
> ftp> ls
> 200 PORT command successful
> 150 Opening ASCII mode data connection for file list
> drwxrwxrwx   2 apache   apache          6 Jul 17 08:23 cgi-bin
> drwxrwxrwx   2 apache   apache         22 Jul 17 08:23 htdocs
> drwxrwxrwx   2 apache   apache         39 Jul 17 08:23 log
> -rw-rw-rw-   1 hammerhead hdusers       335 Jul 17 08:49 script.php
> 226 Transfer complete
> ftp> chmod 777 script.php
> 550 CHMOD 777 script.php: No such file or directory
> ftp>
>
> Is there anything I can change in the php.ini file to make this script
> execute? Or, am I missing something else?
>
> BTW, I cannot ftp as root, but I can ftp as a user I created, hammerhead.
>
> Thanks,
>
> Mark
>
>>
>> On Fri, Jul 15, 2011 at 10:33 PM, Mark Phillips <
>> mark@phillipsmarketing.biz> wrote:
>>
>>> Since this is a drive buffalo, I might try ettercap ssh downgrade attack:
>>>>
>>>> http://openmaniak.com/ettercap_filter.php
>>>> ttp://sites.google.com/site/clickdeathsquad/Home/cds-ssh-mitmdowngrade
>>>>
>>>> Not sure how a man in the middle attack will work, since I don't know
>>>> the
>>> password to begin with...
>>>
>>> Or Hydra:
>>>>
>>>> Hydra Instructions:
>>>>
>>>> http://www.youtube.com/watch?v=7CP-JB4QARo
>>>>
>>>>>
>>>>>> Hydra is promising. I tried it with the common passwords list from
>>> openwall. No luck. Do you have any better password lists?
>>>
>>> Thanks,
>>>
>>> Mark
>>>
>>> ---------------------------------------------------
>>> PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
>>> To subscribe, unsubscribe, or to change your mail settings:
>>> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>>>
>>
>>
>>
>> --
>> (602) 791-8002  Android
>> (623) 239-3392 Skype
>> (623) 688-3392 Google Voice
>> **
>> HomeSmartInternational.com <http://www.homesmartinternational.com>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>> ---------------------------------------------------
>> PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
>> To subscribe, unsubscribe, or to change your mail settings:
>> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>>
>

--
Sent from my mobile device
---------------------------------------------------
PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss