Jump to content

embedded device password cracking


haicen
 Share

Recommended Posts

I picked up a cctv system from newegg for $50. Partly because I wanted to be able to keep an eye on my apartment when I'm away, and partly to play around with. Specifically, it is a Rosewill RSCM-0704B042. 

 

The first thing I did was fire up nmap to see what ports were open. I see the following ports open: 23 (telnet),80 (web),554 (rtsp),8000 (web alt) ,49152 (unknown). My best guess for port 49152 is that it is for the custom viewing application. I tried to connect to the device via telnet with the usual password combos root/root, root/blank, root/toor, root/password, as well as the default password for the web interface admin/123456. None of these worked, which was surprising.

 

My next step was to take a look at the firmware, so I pulled a copy from http://www.rosewill.com/media/downloadable/drivers/Shieldeye_PC-_CMS.zip to see if there was anything interesting. I unpacked the romfs and found etc/passwd files. There was a standard passwd, and "passwd-". I don't know what significance the "passwd-" has. I have included both hashes below.

"passwd"    root:$1$$64lU4r1qa6icjzK/sBmQo.:0:0::/root:/bin/sh
"passwd-"   root:ab8nBoH3mb8.g:0:0::/root:/bin/sh

The first i immediately sent to jtr, but it has been running for >12 hours. I basically have 2 questions:

  1. Will jtr eventually crack the password? My assumption is that it will eventually be cracked.
  2. Is there a better tool for cracking the password? I am currently generating a rainbow table for 1-7 character lowercase alpha passwords. It has occurred to me that this probably isn't the correct keyspace to be searching.

 

Link to comment
Share on other sites

1. What dictionary/word list /rules are you using? If you've gone for a basic brute force then it probably will be cracked but could take years.

 

2. What type rainbow tables are you generating? Whether you've got the correct keyspace depends on what the password is. If it is 8 characters then you haven't, if it is a 6 character lower case alpha then it is.

 

Generally rainbow tables aren't used much any more, good word lists and rules are considered better.

Link to comment
Share on other sites

I am doing a pure brute force attack. I am assuming since the password wasn't one of the usual defaults that it wouldn't be generated by a human. I don't have any details about what format the password is in.

Link to comment
Share on other sites

Just because you couldn't guess it in a couple of goes you assumed it wasn't created by a human? That is one of the daftest things I've heard in a long time. Did you try things like Shieldeye or letmein?

And if you don't know the format, what rainbow tables are you generating?

The format is crypt md5 https://en.m.wikipedia.org/wiki/Crypt_(C)

If you want to try to crack the password then I'd go with word lists and rules (Google them) or you could try to modify the firmware you've got set a password you know then upload that. You may have to bypass CRC checks but that should be possible as you control things. If it is signed though it's unlikely you'll get anywhere.

 

 

Link to comment
Share on other sites

Nevermind. I decided to do a quick google search for the hash, and as it turns out, it has already been cracked. I don't know why I didn't try that first.

Link to comment
Share on other sites

Just as a followup, I was able to gain access to the device via telnet. Poking around the filesystem, I found a separate passwd file, which is different. This new passwd file contains the information for the web interface and local device login. I.E. the web viewing portal.

 

Here is what I know:

  • The admin combo is admin:123456.
  • The passwords are not tied to a specific username. I created a few different user names with the same password. The hashes were constant.
  • The password cannot be longer than 6 characters, special characters are allowed

At this stage, I am attempting to determine what method is being used to hash these passwords. I have tried a few variations using 612345, 000000, 123455, etc, but do not see a pattern directly. 

format is pw - hash

123456 - nTBCS19C
  5555 - QwZ3AbMB
000000 - qAj0oSP1
111111 - 9kwf1kHJ
222222 - z7a10QFR
612345 - gJJp8X7Q

In the directory above this passwd file, there is a file called encrypt_info, but it only contains the MAC address of the device, a product number, and the following line:

oem 000015

Since the password is limited to 6 characters, this oem value seems of interest. I suspect the values are base64 encoded, but I've tried playing around with a b64 encoder/decoder, and can't find anything that matches.

 

Link to comment
Share on other sites

3 hours ago, haicen said:

Just as a followup, I was able to gain access to the device via telnet. Poking around the filesystem, I found a separate passwd file, which is different. This new passwd file contains the information for the web interface and local device login. I.E. the web viewing portal.

 

Here is what I know:

  • The admin combo is admin:123456.
  • The passwords are not tied to a specific username. I created a few different user names with the same password. The hashes were constant.
  • The password cannot be longer than 6 characters, special characters are allowed

At this stage, I am attempting to determine what method is being used to hash these passwords. I have tried a few variations using 612345, 000000, 123455, etc, but do not see a pattern directly. 

format is pw - hash


123456 - nTBCS19C
  5555 - QwZ3AbMB
000000 - qAj0oSP1
111111 - 9kwf1kHJ
222222 - z7a10QFR
612345 - gJJp8X7Q

In the directory above this passwd file, there is a file called encrypt_info, but it only contains the MAC address of the device, a product number, and the following line:

oem 000015

Since the password is limited to 6 characters, this oem value seems of interest. I suspect the values are base64 encoded, but I've tried playing around with a b64 encoder/decoder, and can't find anything that matches.

 

What OS is the device running? Also, can you try pastng the hashed password into the password input? I've seen some really poorly embedded device actually accept the hash :eyeroll: 

Link to comment
Share on other sites

Its running busybox v1.16.1

 

Using the hashed password won't work. They aren't hashed or encrypted on the client side. In fact, they are sent in the clear every time the user visits a different page of the interface as well as being stored as a cookie.

Link to comment
Share on other sites

4 hours ago, haicen said:

Its running busybox v1.16.1

 

Using the hashed password won't work. They aren't hashed or encrypted on the client side. In fact, they are sent in the clear every time the user visits a different page of the interface as well as being stored as a cookie.

Wow . . I feel like I just traveled back to 2001

Edited by Captain
Link to comment
Share on other sites

  • 1 month later...
  • 1 month later...
  • 3 months later...

There wasn't a huge amount of stuff available. The most concerning thing I found was an undocumented user with a visible password. I wrote a small write up at https://haicen.blogspot.com/2016/08/security-dvr-hacking.html. I have been super busy with life stuff, and haven't really had time to do much. I have a few ideas. I suspect there might be something going on with one of the open ports. I tried looking at it with wireshark and netcat, but didn't see anything happening. I might look at it some more soon.

 

I couldn't get video to work at all in any browsers that aren't IE due to the reliance on ActiveX.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...