Is it possible to extract the root password from the file system?

Lisa Kachold lisakachold at obnosis.com
Fri Jul 15 20:45:08 MST 2011


On Fri, Jul 15, 2011 at 8:03 PM, Mark Phillips
<mark at phillipsmarketing.biz>wrote:

>
>
> On Fri, Jul 15, 2011 at 7:27 PM, Lisa Kachold <lisakachold at obnosis.com>wrote:
>
>> Mark,
>>
>> On Thu, Jul 14, 2011 at 6:56 PM, Mark Phillips <
>> mark at phillipsmarketing.biz> wrote:
>>
>>> Lisa,
>>>
>>> John the Ripper has been running for almost 2 days trying to crack the
>>> password....still no success.
>>>
>>
>> I think it's hung.
>>
> Nope. the log file keeps spitting out what it is testing. I stopped it
> today and moved the process to another machine. You can see the results as
> reported in the log file at http://pastebin.com/pBZHfAS2 when I stopped
> the program . The other machine is slower (about 1.85 times slower, so it
> will take until Monday for it to catch up....the original machine was a x64,
> and the new machine is an i386, so I couldn't resume on the new machine). I
> will let you know if it finds the password after a week or two....;-)
>
>
>> What options did you pass it?
>>
> None. Except that I used another program that came with john to join the
> passwd and shadow files into one file. John needed that. I can send you the
> passwd  file if you are interested.
>
>>
>> Did you feed it a dictionary file?
>>
> Just the one that came with john...
>
>>
>> It probably has a different encryption format than the linux john is on.
>>
>> What ports are open on the thing?  SSH?  You can try ettercap with arp
>> spoof MITM?
>>
> SSH seems to be open since it asks for a password. rsync and telnet are all
> that I know. There is a java "hack" program acp_commander.jar that will
> connect with telnet, but I do not get any response from the device, although
> it says it is connected. acp-commander.jar use to be the way in, but since
> firmware version 1.41, it has not worked.
> http://downloads.buffalo.nas-central.org/TOOLS/ALL_LS_KB_ARM9/ACP_COMMANDER/,
> http://buffalo.nas-central.org/index.php/Open_Stock_Firmware and my
> particular box.
>
> I have downloaded the firmware for the box and modified it to accept ssh
> login without a password (using ssh keys). I just have not been able to
> reflash the unit. The web interface only flashes what it downloads from
> buffalo.com. The windows program the box came with does not have a way to
> flash the unit. Embedded in the firmware download is a windows exe which is
> supposed to be a program to flash the unit....just haven't had the
> intestinal fortitude to try it out...I need to find the "way back" in case I
> brick the device, and I haven't had time to research that.
>
> Thanks for your interest!
>
> P.S. You have no idea how hard it is to not type "dear john" every time I
> refer to the program "john the ripper".....;-)  anyway, back to TGIF
> time....;-)
>
> Mark
>
>>  :)
>>>
>>> Mark
>>> On Jul 14, 2011 4:28 PM, "Lisa Kachold" <lisakachold at obnosis.com> wrote:
>>> > If you don't have the ability to boot something like a DVD/CD or USB
>>> key,
>>> > try john the ripper?
>>> >
>>> > Save the encrypted string to a test file and run it through john the
>>> ripper
>>> > running on your system:
>>> >
>>> > Ubuntu:
>>> >
>>> > # apt-get install john
>>> >
>>> > Centos/RH/Fedora:
>>> >
>>> > # yum install john
>>> >
>>> > Example use:
>>> >
>>> > # john -single crackme.txt
>>> >
>>> > References:
>>> >
>>> > http://www.openwall.com/john/doc/
>>> >
>>> >
>>> http://www.google.com/url?sa=t&source=video&cd=1&ved=0CDIQtwIwAA&url=http%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3D3YyscD_tADk&rct=j&q=john%20the%20ripper&tbm=vid&ei=t3ofTsXRNqTv0gHB2bmYAw&usg=AFQjCNE8vdlkxhwQ15zCuBePI9Y9qk3mAQ&cad=rja
>>> >
>>> > http://www.osix.net/modules/article/?id=455
>>> >
>>> >
>>> > On Thu, Jul 14, 2011 at 11:19 AM, Sam Kreimeyer <skreimey at gmail.com>
>>> wrote:
>>> >
>>> >> Hello Mark,
>>> >>
>>> >> Have you tried using Kon-Boot? It's a bootable image that edits the
>>> kernel
>>> >> to bypass the password prompt.
>>> >>
>>> >>
>>> > --
>>> > (602) 791-8002 Android
>>> > (623) 239-3392 Skype
>>> > (623) 688-3392 Google Voice
>>> > **

Since this is a Buffalo drive, I might try the ettercap SSH downgrade attack:

http://openmaniak.com/ettercap_filter.php
http://sites.google.com/site/clickdeathsquad/Home/cds-ssh-mitmdowngrade

Or Hydra:

Hydra Instructions:

http://www.youtube.com/watch?v=7CP-JB4QARo

>
>> --
>> (602) 791-8002  Android
>> (623) 239-3392 Skype
>> (623) 688-3392 Google Voice
>> **
>> HomeSmartInternational.com <http://www.homesmartinternational.com>
>> ---------------------------------------------------
>> PLUG-discuss mailing list - PLUG-discuss at lists.plug.phoenix.az.us
>> To subscribe, unsubscribe, or to change your mail settings:
>> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>>



-- 
(602) 791-8002  Android
(623) 239-3392 Skype
(623) 688-3392 Google Voice
**
HomeSmartInternational.com <http://www.homesmartinternational.com>
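The thread turns on two details: Mark had to unshadow passwd and shadow before john would read them, and Lisa suspected the hash was in a format different from the one john on his Linux box expected. From the defender's side the useful habit is the reverse of cracking: audit your own shadow file for the hash algorithm in use, and flag accounts whose hash is legacy DES or md5crypt, whose password field is empty (login with no password at all), or whose format is unrecognized. The following is an added example for this archive page, not code from either poster or from John the Ripper; the shadow lines it parses are constructed, the hash strings are not real password hashes, and the prefix-to-algorithm table is the conventional crypt(3) identifier set (`$1$` md5crypt, `$5$` sha256crypt, `$6$` sha512crypt, `$2a$`/`$2b$`/`$2y$` bcrypt, `$y$` yescrypt, 13 bare characters for traditional DES).

```python
import re
from dataclasses import dataclass

# Well-known crypt(3) identifier prefixes and the algorithm each selects.
ALGORITHMS = {
    "1": "md5crypt",
    "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
    "5": "sha256crypt",
    "6": "sha512crypt",
    "7": "scrypt",
    "y": "yescrypt",
    "gy": "gost-yescrypt",
}

# Algorithms fast enough on modern hardware that a dictionary run finishes quickly.
WEAK = {"descrypt", "md5crypt"}


@dataclass
class ShadowEntry:
    user: str
    hash_field: str
    algorithm: str   # "locked", "empty", "descrypt", "md5crypt", ..., or "unknown"
    weak: bool


def classify_hash(field: str) -> str:
    """Name the hash scheme of one shadow password field."""
    if field == "":
        return "empty"                 # no password at all: any entry logs in
    if field[0] in ("!", "*"):
        return "locked"                # account cannot log in with a password
    if field.startswith("$"):
        parts = field.split("$")       # "" , id, [params/salt...], hash
        ident = parts[1] if len(parts) > 1 else ""
        return ALGORITHMS.get(ident, "unknown")
    if re.fullmatch(r"[./0-9A-Za-z]{13}", field):
        return "descrypt"              # traditional 13-character DES crypt
    return "unknown"


def parse_shadow(text: str) -> list:
    """Parse shadow(5) lines into ShadowEntry records; skips blanks and comments."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        user, hash_field = fields[0], fields[1]
        algo = classify_hash(hash_field)
        entries.append(ShadowEntry(user, hash_field, algo, algo in WEAK or algo == "empty"))
    return entries


def audit(text: str) -> list:
    """Return (user, finding) pairs for accounts that need attention."""
    findings = []
    for e in parse_shadow(text):
        if e.algorithm == "empty":
            findings.append((e.user, "empty password field: login without a password"))
        elif e.algorithm in WEAK:
            findings.append((e.user, f"weak hash ({e.algorithm}); migrate to sha512crypt or yescrypt"))
        elif e.algorithm == "unknown":
            findings.append((e.user, "unrecognized hash format; check which crypt the firmware uses"))
    return findings


# Constructed sample shadow file. The hash strings are placeholders with the
# right shape for the parser, not real password hashes.
SAMPLE_SHADOW = """\
root:$1$saltsalt$0123456789abcdefghijkl:15170:0:99999:7:::
admin:$6$rounds=5000$saltsalt$abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnop:15170:0:99999:7:::
guest::15170:0:99999:7:::
daemon:*:15170:0:99999:7:::
backup:!:15170:0:99999:7:::
legacy:ab3WzjS4WBYmc:15170:0:99999:7:::
"""

if __name__ == "__main__":
    for user, finding in audit(SAMPLE_SHADOW):
        print(f"{user}: {finding}")
```

Run against the sample it reports root (md5crypt), guest (empty field) and legacy (DES); admin, daemon and backup pass. On a real box, point `audit()` at the contents of `/etc/shadow` (read as root) and treat any "unknown" result as a prompt to check which libc or busybox crypt the firmware was built with, since that is exactly the mismatch Lisa suspected was stalling john.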