Open thegatodt opened 2 weeks ago
I managed to decompress the firmware and found the password hash.
root:$1$53kXe8YH$8EY.pBJPCxLokumE/Z7gY0:0:0:root:/root:/bin/sh
Any recommended tools for brute force?
Hashcat or John the Ripper should work; try wordlist mode and then incremental mode. You can also check if they have a Samba hash (i.e. if they ever used Samba to transfer things); those are way easier to crack.
I managed to crack the password with hashcat 'Broadcom.' However, when I try to access via telnet and use the SU command, it tells me it's incorrect. Any idea where to go from here? I have physical access to the modem.
Which console are you logging into? CM or RG?
The modem has the default Factory Key "password" so I can enable Telnet through SNMP. I connect via Telnet to 192.168.100.1
That hash is the default for the RG side; the SU password you refer to is for the CM "eCoS" side. Anyway, you can find the SU password via the RG side by connecting via UART, or if you are in a CM-litte shell you can move to RG's switchCpuConsole (password: Broadcom). Also, the SU password is probably brcm, and that way you can have a FAT shell.
I logged into the RG console with the credentials, but I don't know where to look for the CM console SU password. The only password I find in cat /etc/passwd is the one I already had before. brcm didn't work for me.
If you are already on the RG side, you might be able to read the /dev/ ram; look for this string: "Proceed with caution!" A few bytes before it, your SU password should appear.
I have a kaonmedia CG3000 modem with Telnet access, but I need the SU password. I was able to upload a firmware image here. Could someone please help me?