I was not saying you knew the root password just that you knew a
password and a corresponding hash to said password and the root hash
JTR should be able to get you the correct root password.
On 7/17/11, Mark Phillips <
mark@phillipsmarketing.biz> wrote:
> Bryan,
>
> I think what you are missing is the "...and you know your password...". I
> don't know the root password for the NAS box. That is what I am trying to
> figure out so I can ssh into the box as root. What I have:
>
> * Buffalo NAS LS-WXL with firmware rev 1.43
>
> * I can ssh as root and get a password prompt.
>
> * I can ftp into the box as a user that I created, but cannot get to the
> filesystem that way.
>
> * I have downloaded the firmware and unzipped it. One thought is to add a
> key to ssh for root and login. Reflashing the unit with firmware that does
> not come from the Buffalo site is not well documented, so I have put this
> possible solution on hold for the time being.
>
> * I just found the info about using some type of php exploit, hence my
> previous email. I am not a php guy, so I am a little lost on how to make it
> work.
>
> Does this elicit any thoughts on how to crack the root password for this
> box?
>
> Thanks!
>
> Mark
>
> On Sun, Jul 17, 2011 at 4:31 PM, Bryan O'Neal <
> Bryan.ONeal@theonealandassociates.com> wrote:
>
>> if you can get a copy of the password hash file. And you know your
>> password. Then you should be able to figure out the hash function and
>> JTR should give you every password on the box. So... I seem to be
>> missing something in this conversation thread. ?
>>
>> On 7/17/11, Mark Phillips <mark@phillipsmarketing.biz> wrote:
>> > On Sun, Jul 17, 2011 at 3:54 AM, Lisa Kachold
>> > <lisakachold@obnosis.com>wrote:
>> >
>> >> There are alot of password files and dictionary lists on various sites.
>> >> Backtrack5 contains a good number.
>> >>
>> >> But I imagine that it's either not allowing root via ssh or you have
>> >> the
>> >> wrong username.
>> >>
>> >
>> > It turns out the box is smarter than a fifth grader.....after a few
>> > hydra
>> > attacks, it started rejecting all the hydra attempts to ssh in via root.
>> > Once I stopped hydra (after running all night), it took a couple of
>> > hours
>> > before it would respond to ssh attempts from root. It now will ask for
>> the
>> > root password, but I still have no idea what it is.
>> >
>> >>
>> >> Or it's a truely random string.
>> >>
>> > It could be....the password for the zip file to unzip the file system is
>> >
>> > YvSInIQopeipx66t_DCdfEvfP47qeVPhNhAuSYmA4
>> >
>> > . Someone retrieved it using a disassembler on the file system.
>> >
>> > I did some more reading, and one person was able to use php to allow ssh
>> > login. The box allows one to create a web space, and it comes with php
>> > installed. One can edit the php.ini file, and I can upload via ftp a php
>> > script. The script they suggested is:
>> > <?php
>> > $file = '../../../../etc/pam.d/sshd';
>> > $fh=fopen($file, 'w') or die("can't open file");
>> > $stringData = "account required pam_unix.so\n";
>> > fwrite($fh, $stringData);
>> > $stringData = "session required pam_unix.so\n";
>> > fwrite($fh, $stringData);
>> > $stringData = "auth required pam_permit.so\n";
>> > fwrite($fh, $stringData);
>> > fclose($fh);
>> > ?>
>> >
>> > I uploaded the script, but I get a 404 File not Found when I access the
>> > page. I thought it might be a file permission error since the file is
>> only
>> > rw. I tried chmod 777 at the ftp prompt, and got the error message File
>> not
>> > Found, but ls shows it is there.
>> >
>> > ftp> ls
>> > 200 PORT command successful
>> > 150 Opening ASCII mode data connection for file list
>> > drwxrwxrwx 2 apache apache 6 Jul 17 08:23 cgi-bin
>> > drwxrwxrwx 2 apache apache 22 Jul 17 08:23 htdocs
>> > drwxrwxrwx 2 apache apache 39 Jul 17 08:23 log
>> > -rw-rw-rw- 1 hammerhead hdusers 335 Jul 17 08:49 script.php
>> > 226 Transfer complete
>> > ftp> chmod 777 script.php
>> > 550 CHMOD 777 script.php: No such file or directory
>> > ftp>
>> >
>> > Is there anything I can change in the php.ini file to make this script
>> > execute? Or, am I missing something else?
>> >
>> > BTW, I cannot ftp as root, but I can ftp as a user I created,
>> > hammerhead.
>> >
>> > Thanks,
>> >
>> > Mark
>> >
>> >>
>> >> On Fri, Jul 15, 2011 at 10:33 PM, Mark Phillips <
>> >> mark@phillipsmarketing.biz> wrote:
>> >>
>> >>> Since this is a drive buffalo, I might try ettercap ssh downgrade
>> attack:
>> >>>>
>> >>>> http://openmaniak.com/ettercap_filter.php
>> >>>> ttp://
>> sites.google.com/site/clickdeathsquad/Home/cds-ssh-mitmdowngrade
>> >>>>
>> >>>> Not sure how a man in the middle attack will work, since I don't know
>> >>>> the
>> >>> password to begin with...
>> >>>
>> >>> Or Hydra:
>> >>>>
>> >>>> Hydra Instructions:
>> >>>>
>> >>>> http://www.youtube.com/watch?v=7CP-JB4QARo
>> >>>>
>> >>>>>
>> >>>>>> Hydra is promising. I tried it with the common passwords list from
>> >>> openwall. No luck. Do you have any better password lists?
>> >>>
>> >>> Thanks,
>> >>>
>> >>> Mark
>> >>>
>> >>> ---------------------------------------------------
>> >>> PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
>> >>> To subscribe, unsubscribe, or to change your mail settings:
>> >>> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>> >>>
>> >>
>> >>
>> >>
>> >> --
>> >> (602) 791-8002 Android
>> >> (623) 239-3392 Skype
>> >> (623) 688-3392 Google Voice
>> >> **
>> >> HomeSmartInternational.com <http://www.homesmartinternational.com>
>> >>
>> >>
>> >>
>> >>
>> >>
>> >>
>> >>
>> >>
>> >>
>> >>
>> >>
>> >>
>> >>
>> >>
>> >>
>> >> ---------------------------------------------------
>> >> PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
>> >> To subscribe, unsubscribe, or to change your mail settings:
>> >> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>> >>
>> >
>>
>> --
>> Sent from my mobile device
>> ---------------------------------------------------
>> PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
>> To subscribe, unsubscribe, or to change your mail settings:
>> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>>
>
--
Sent from my mobile device
---------------------------------------------------
PLUG-discuss mailing list -
PLUG-discuss@lists.plug.phoenix.az.us
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss