jclehner / bcm2-utils

Utilities for Broadcom-based cable modems
GNU General Public License v3.0
140 stars, 23 forks

KAON CG3000 Telnet SU #68

Open thegatodt opened 2 weeks ago

thegatodt commented 2 weeks ago

I have a kaonmedia CG3000 modem with Telnet access, but I need the SU password. I was able to upload a firmware image here. Could someone please help me?

thegatodt commented 1 week ago

I managed to decompress the firmware and found the password hash.

root:$1$53kXe8YH$8EY.pBJPCxLokumE/Z7gY0:0:0:root:/root:/bin/sh

Any recommended tools for brute force?

Anonymous941 commented 1 week ago

Hashcat or John the Ripper should work; try wordlist mode and then incremental mode. You can also check if they have a Samba hash (i.e., if they ever used Samba to transfer things); those are way easier to crack.

thegatodt commented 1 week ago

I managed to crack the password with hashcat: 'Broadcom'. However, when I try to access via telnet and use the SU command, it tells me it's incorrect. Any idea where to go from here? I have physical access to the modem.

jclehner commented 5 days ago

Which console are you logging into? CM or RG?

thegatodt commented 5 days ago

The modem has the default Factory Key "password" so I can enable Telnet through SNMP. I connect via Telnet to 192.168.100.1

arrobazo commented 5 days ago

> I managed to crack the password with hashcat: 'Broadcom'. However, when I try to access via telnet and use the SU command, it tells me it's incorrect. Any idea where to go from here? I have physical access to the modem.

That hash is the default for the RG side; the SU password you refer to is for the CM "eCoS" side. Anyway, you can find the SU password via the RG side by connecting via UART, or, if you are in a CM-lite shell, you can move to the RG's switchCpuConsole (password: Broadcom). Also, the SU password is probably brcm, and that way you can have a FAT shell.

thegatodt commented 4 days ago

> That hash is the default for the RG side; the SU password you refer to is for the CM "eCoS" side. Anyway, you can find the SU password via the RG side by connecting via UART, or, if you are in a CM-lite shell, you can move to the RG's switchCpuConsole (password: Broadcom). Also, the SU password is probably brcm, and that way you can have a FAT shell.

I logged into the RG console with the credentials, but I don’t know where to look for the CM console SU password. The only password I find in cat /etc/passwd is the one I already had before. brcm didn't work for me.

arrobazo commented 4 days ago

If you are already on the RG side, you might be able to read the /dev/ RAM; look for the string "Proceed with caution!", a few bytes before your SU password should appear.
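The search arrobazo describes, as an added example that is not part of this thread or of bcm2-utils: scan a memory image for the marker string and list the printable runs on either side of each hit, so whatever sits a few bytes away from it is easy to spot. Whether /dev/ram is readable on this device, and where exactly the SU password sits relative to the marker, are assumptions; the script reports context on both sides rather than guessing. The sample image is constructed so the script runs offline; on the modem you would point it at the device or at a dump copied off the box.

```python
"""Scan a memory image (e.g. /dev/ram read from the RG side, or a saved dump)
for a marker string and show the printable runs just before and after it.
Added example; not thread/project code."""
import re
import sys

MARKER = b"Proceed with caution!"   # string named in the thread
CHUNK_SIZE = 1 << 20                 # read size when streaming a device or file

# Constructed sample image, not a real dump: a fake token a few bytes before the marker.
SAMPLE_IMAGE = (b"\x00" * 40 + b"su: hunter2\x00\x00" + MARKER
                + b"\x00" * 20 + b"cm_console\x00")


def printable_runs(data: bytes, min_len: int = 4) -> list:
    """Runs of printable ASCII of at least min_len bytes, like strings(1)."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def scan_buffer(data: bytes, marker: bytes = MARKER, window: int = 64) -> list:
    """Every hit in an in-memory buffer, with the printable runs found within
    `window` bytes before and after the marker."""
    hits = []
    pos = data.find(marker)
    while pos != -1:
        end = pos + len(marker)
        hits.append({
            "offset": pos,
            "before": printable_runs(data[max(0, pos - window):pos]),
            "after": printable_runs(data[end:end + window]),
        })
        pos = data.find(marker, pos + 1)
    return hits


def scan_chunks(chunks, marker: bytes = MARKER, window: int = 64) -> list:
    """Streaming scan over an iterable of byte chunks. A chunk boundary may
    split the marker or its context, so the last 2*window + len(marker) bytes
    are carried over; a hit is reported exactly once, from the first buffer
    that holds its full after-context (or the final buffer), and offsets are
    absolute. Result equals scan_buffer() over the concatenated data."""
    keep = 2 * window + len(marker)
    tail, base, hits = b"", 0, []
    chunks = iter(chunks)
    chunk = next(chunks, None)
    while chunk is not None:
        nxt = next(chunks, None)
        buf = tail + chunk
        for h in scan_buffer(buf, marker, window):
            span_end = h["offset"] + len(marker) + window
            if span_end <= len(tail):                  # reported from the previous buffer
                continue
            if span_end > len(buf) and nxt is not None:  # after-context incomplete, defer
                continue
            h["offset"] += base
            hits.append(h)
        tail = buf[-keep:]
        base += len(buf) - len(tail)
        chunk = nxt
    return hits


def scan_file(path: str, marker: bytes = MARKER, window: int = 64) -> list:
    """Scan a device node or dump file without loading it whole into memory."""
    with open(path, "rb") as f:
        return scan_chunks(iter(lambda: f.read(CHUNK_SIZE), b""), marker, window)


if __name__ == "__main__":
    # Usage: python scan_marker.py /dev/ram   (or a saved dump); no argument scans the sample.
    hits = scan_file(sys.argv[1]) if len(sys.argv) > 1 else scan_buffer(SAMPLE_IMAGE)
    for h in hits:
        print(f"{h['offset']:#010x}  before={h['before']}  after={h['after']}")
```

Widen `window` if the runs you see are cut off at the edge of the context, and lower `min_len` if the value you are looking for may be shorter than four characters.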