So, I'm a bit bored tonight... I scanned my network just for fun and found out something about the unifi router.
So I tried to log in as root and guessed the password.
login as: root
root@192.168.0.1's password:
BusyBox v1.6.1 (2013-12-23 17:22:03 HKT) built-in shell (ash)
Enter 'help' for a list of built-in commands.
Well, that is easy.
# cat /etc/shadow
#root:$1$BOYmzSKq$ePjEPSpkQGeBcZjlEeLqI.:13796:0:99999:7:::
root:$1$BOYmzSKq$ePjEPSpkQGeBcZjlEeLqI.:13796:0:99999:7:::
#tw:$1$zxEm2v6Q$qEbPfojsrrE/YkzqRm7qV/:13796:0:99999:7:::
#tw:$1$zxEm2v6Q$qEbPfojsrrE/YkzqRm7qV/:13796:0:99999:7:::
Looks like these password hashes have been recycled a few times in router firmware.
Check it out. Not a surprise, I guess. More interesting bits below:
# ps
PID USER VSZ STAT COMMAND
1 root 1584 S init
2 root 0 SW< [kthreadd]
3 root 0 SW< [ksoftirqd/0]
4 root 0 SW< [watchdog/0]
5 root 0 SW< [events/0]
6 root 0 SW< [khelper]
9 root 0 SW< [async/mgr]
74 root 0 SW< [kblockd/0]
84 root 0 SW< [khubd]
101 root 0 SW [khungtaskd]
102 root 0 SW [pdflush]
103 root 0 SW [pdflush]
104 root 0 SW< [kswapd0]
106 root 0 SW< [crypto/0]
663 root 0 SW< [mtdblockd]
726 root 4428 S /usr/sbin/mini_httpd -d /usr/www -c /cgi-bin/* -u ro
730 root 2632 S /usr/bin/pc
732 root 1588 S -/bin/sh
733 root 4964 S /usr/bin/logic
734 root 2560 S /usr/bin/ip6mon
735 root 2564 S /usr/bin/ramon
736 root 2576 S /usr/bin/ip6aac
742 root 1592 S /usr/sbin/inetd
744 root 2224 S /usr/sbin/dropbear
1412 root 2612 S /usr/sbin/pppd plugin rp-pppoe.so eth5 user
1420 root 1204 S /sbin/udhcpc -i eth8 -m 1500 -f
1534 root 1984 S /usr/sbin/dhcp6c -c /var/dhcpv6/dhcp6c_301203713 -f
1698 root 1204 S /sbin/miniupnpd -f /etc/upnpd.conf -d
1921 root 1208 S /usr/sbin/radvd -C /var/radvd.conf -d 1
1967 root 2040 S /usr/sbin/dhcp6s -c /var/dhcpv6/br0.conf -f br0
2007 root 1320 S /sbin/dproxy -c /etc/dproxy.conf -d
2124 root 1244 S /sbin/udhcpd /var/udhcpd.confge
6840 root 2280 R /usr/sbin/dropbear
6841 root 1592 S -sh
6872 root 1584 R ps
# pwd
/var/log
# cat device_info
Manufacturer: innacomm
ProductClass: RG4332
SerialNumber: RGWINNIN15********
IP: 192.168.0.1
HWVer: RTL8196C
SWVer: RG4332_V2.7.0
There is a Samba config file in /etc, but when I try to connect it doesn't work. Not sure what the purpose of it is.
# cat smb.conf
[global]
workgroup = home
netbios name = dsl_route
server string = Samba Server
security = user
local master = Yes
preferred master = Yes
encrypt passwords = yes
smb passwd file = /var/smbpasswd
#private dir = /tmp/smbvar
socket options = TCP_NODELAY
wins proxy = no
log level = 10
load printers = no
guest account = root
log file = /var/log/smblog
max log size = 0
interfaces = 192.168.1.1/255.255.255.0
dns proxy = no
browseable = yes
guest ok = yes
writeable = no
display charset = utf8
unix charset = utf8
dos charset = utf8
public = yes
[usb1_1]
path = /mnt/usb1_1
writeable = yes
browseable = yes
directory mask = 0777
create mask = 0777
I'm getting sleepy, so I'll continue this next time I hope... Bai for now.
I have been looking for this. Thanks, mate. Great stuff.
Dear Sir/Madam,
It is illegal to access or make changes to your router, or any data stored on any secured device, when you do not have permission to do so. If you access and change the contents of the router without Innacomm & TM immediate permission, you are breaking the law.
Please consider removing this posting, else we will serve you with legal proceedings.
Thanks.
Thanks for sharing