
First off, I'm well aware that this is a controversial topic. I can give my word as a sysadmin that I have the best of intentions (depending on how you view the next paragraph) but I understand that some people will take issue with this. It's your choice whether to answer privately (see profile for website/contact info) or not at all.

We have an older Linux-based appliance that's developed some issues, and unfortunately is still relatively critical to one of our services. It's an older x86 Linux "white box" appliance, and the vendor, apparently, closed up shop a few years ago, so no support at all. We've exhausted every option other than trying to root the box and fix it ourselves, and unfortunately, instead of a normal IDE disk, it has some weird soldered-on-board flash drive.

I managed to use a (long-known, never patched) URL argument vulnerability in their web UI (Perl CGI script) to dump /etc/passwd (not shadowed - go figure), and have the crypted (salted MD5) hashes for root and a user named "support". Any suggestions on where to go from here? I don't really know much about the "other side" of security. The most exposure I've had to password cracking is running John the Ripper on /etc/passwd to check for dictionary words - but I installed it on a 16-core box, and I assume it'll take weeks (if it ever succeeds) to get us a result, especially since it's only using one core.

Any suggestions for how to do this? Short of asking some crypto guys to take a few weeks to write something... does anyone know of (reputable) software for this task? Or can anyone recommend a reputable company that will... "recover" the password?

Jason Antman
  • Aside: Take a Clonezilla image of this machine as soon as you can! John The Ripper also has recent patches that you should apply. They're not in the mainline distribution. Even 16 Westmere cores will not be as fast as a slow Radeon 5xxx series GPU though. – Jodie C Jul 12 '11 at 03:10
  • Rent an Amazon GPU instance, and use the raw GPU power to break the hashes. – Tom O'Connor Jul 12 '11 at 12:21
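An added check from the defender's side (my example, not code from the question or the answers): a small audit that flags exactly the condition Jason describes, password hashes sitting in a world-readable /etc/passwd instead of /etc/shadow, and identifies the crypt(3) scheme so md5crypt or DES entries can be migrated. The sample lines and hash values are constructed placeholders, not taken from any real appliance.

```python
import re
# Constructed sample /etc/passwd content. The hash fields are placeholders
# shaped like crypt(3) output; they are not taken from any real system.
SAMPLE_PASSWD = (
    "root:$1$saltsalt$PLACEHOLDERxxxxxxxxxxxxxx:0:0:root:/root:/bin/sh\n"
    "support:$1$abcdefgh$PLACEHOLDERyyyyyyyyyy:500:500:Support:/home/support:/bin/sh\n"
    "daemon:x:1:1:daemon:/usr/sbin:/bin/false\n"
    "nobody:*:65534:65534:nobody:/nonexistent:/bin/false\n"
    "legacy:AbCdEfGhIjKlM:501:501:Old DES account:/home/legacy:/bin/sh\n"
)

# crypt(3) identifier prefixes -> (scheme name, treat as weak today)
ALGORITHMS = {
    "$1$": ("md5crypt", True),
    "$2a$": ("bcrypt", False), "$2b$": ("bcrypt", False), "$2y$": ("bcrypt", False),
    "$5$": ("sha256crypt", False), "$6$": ("sha512crypt", False),
    "$7$": ("scrypt", False), "$y$": ("yescrypt", False),
}

def classify_hash(field):
    """Return (scheme name, is_weak) for one crypt(3) password field."""
    if field in ("x", "*", "!", "!!", ""):
        return ("shadowed-or-locked", False)
    for prefix, (name, weak) in ALGORITHMS.items():
        if field.startswith(prefix):
            return (name, weak)
    if re.fullmatch(r"[./0-9A-Za-z]{13}", field):
        return ("descrypt", True)  # traditional DES crypt: 8-char limit, 12-bit salt
    return ("unknown", True)

def audit_passwd(text):
    """List accounts whose hash sits in world-readable /etc/passwd, noting weak schemes."""
    findings = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        user, pw_field = line.split(":", 2)[:2]
        scheme, weak = classify_hash(pw_field)
        if scheme == "shadowed-or-locked":
            continue  # hash lives in /etc/shadow (or account is locked): nothing exposed
        note = "hash exposed in /etc/passwd"
        if weak:
            note += "; weak scheme, migrate to sha512crypt or yescrypt"
        findings.append({"user": user, "scheme": scheme, "weak": weak, "note": note})
    return findings

if __name__ == "__main__":
    for f in audit_passwd(SAMPLE_PASSWD):
        print(f"{f['user']}: {f['scheme']} ({'WEAK' if f['weak'] else 'ok'}) - {f['note']}")
```

Run against a real passwd file (for example `audit_passwd(open("/etc/passwd").read())`), any finding at all means the hashes are readable by every local user, which is the exposure the CGI bug on the appliance turned into a remote one.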

2 Answers

3

Assuming the box in question isn't CD, network or USB bootable (in which case this task is trivial using any bootable Linux media), give the following a try:

oclHashcat

That is GPU based, not CPU though, so if your 16 core system is a server without decent GPUs, it won't help much unfortunately.

  • A GPU based brute force is def. the way to go forwards with this. Take the file home and run it on your gaming rig if you have one. – Mark Henderson Jul 12 '11 at 02:36

2

Attacking the hash seems like the wrong approach here - MD5 has its issues, but brute force against a strong, salted password will still take forever; your physical access to the device should give you all you need.

My recommendation: Try everything you can to get to a root prompt.

If there's a password on the BIOS (I'll assume there is), try to break it by resetting the BIOS memory - find a jumper for it, or pull the battery and wait for a while. If there's no prompt for getting into the BIOS at all, it's hidden; try every key that it might possibly be.

If a grub prompt comes up at all, edit the boot command with the word single.

And, as @LowKeyLieSmith mentioned, try every boot method imaginable.

Shane Madden