Monday, May 22, 2017
12 - Cracking the root password and connecting via SSH to the KANKUN SMART PLUG
- Layout for this exercise:
1 - Cracking the root password with John The Ripper
- This exercise is based on the previous one, where the firmware of Kankun Smart Plug was extracted:
https://dgmsp.blogspot.com/2017/05/11-extracting-and-analyzing-firmware-of.html
- Checking the interesting contents of the file system, for instance the passwords file /etc/passwd:
- The password hashes themselves are stored in /etc/shadow:
- Before using John The Ripper to crack the password hashes, let's unshadow /etc/passwd and /etc/shadow, writing the result to a file named test:
- unshadow combines /etc/passwd and /etc/shadow:
- Using John The Ripper to crack the hash, the root password turns out to be p9z34c:
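- The same merge that unshadow performs can serve as a firmware review check that lists every account in an extracted root file system shipping with a usable password hash. This is an added example, not part of the original post: the passwd/shadow contents and hash values are constructed, and the function names and the set of schemes treated as weak are assumptions.

```python
# Constructed sample files (not the real Kankun firmware contents).
PASSWD = """root:x:0:0:root:/root:/bin/ash
daemon:*:1:1:daemon:/var:/bin/false
ftp:x:55:55:ftp:/home/ftp:/bin/false
"""
SHADOW = """root:$1$CONSTRUC$0000000000000000000000:16000:0:99999:7:::
daemon:*:0:0:99999:7:::
ftp:$1$CONSTRUC$1111111111111111111111:16000:0:99999:7:::
"""
SCHEMES = {"$1$": "md5crypt", "$5$": "sha256crypt", "$6$": "sha512crypt",
           "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt", "$y$": "yescrypt"}
WEAK = {"empty", "descrypt", "md5crypt"}   # assumption: schemes treated as weak
NOLOGIN = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}

def unshadow(passwd_text, shadow_text):
    """Merge like unshadow: copy each shadow hash into passwd field 2."""
    hashes = dict(l.split(":")[:2] for l in shadow_text.splitlines() if ":" in l)
    merged = []
    for line in passwd_text.splitlines():
        parts = line.split(":")
        if len(parts) == 7:                      # skip blank or malformed lines
            parts[1] = hashes.get(parts[0], parts[1])
            merged.append(parts)
    return merged

def scheme_of(field):
    """Name the crypt(3) scheme of a password field, or None if unusable."""
    if field == "":
        return "empty"                           # account needs no password
    if field[0] in "*!" or field == "x":
        return None                              # locked, or hash not available
    for prefix, name in SCHEMES.items():
        if field.startswith(prefix):
            return name
    return "descrypt" if len(field) == 13 else "unknown"

def audit(passwd_text, shadow_text):
    """Return one finding per account that has a usable password hash."""
    findings = []
    for user, pw, uid, _gid, _gecos, _home, shell in unshadow(passwd_text, shadow_text):
        scheme = scheme_of(pw)
        if scheme is not None:
            findings.append({"user": user, "uid": int(uid), "scheme": scheme,
                             "weak": scheme in WEAK, "login_shell": shell not in NOLOGIN})
    return findings

if __name__ == "__main__":
    for f in audit(PASSWD, SHADOW):
        print(f)
```

- A finding with uid 0, a login shell and a weak scheme is the case this exercise depends on: one credential baked into the image and shared by every device that runs it.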
2 - Connecting to the network created by Kankun Smart Plug
- When the Smart Plug is plugged in, and after 20 seconds of solid blue light, it starts blinking slowly:
- At that point Kankun works as a hotspot or Access Point, creating a WiFi network with SSID OK_SP3.
- The device used in this exercise is an Ubuntu virtual machine hosted on Windows 10, which detects the newly created WiFi network OK_SP3:
- The characteristics of the wireless network OK_SP3:
- The virtual machine's network adapter is set to Bridged Adapter mode, so that it is networked directly to OK_SP3:
- Once inside the Ubuntu virtual machine, we notice that Kankun (acting as Access Point) assigns the IP 192.168.10.140 to Ubuntu:
3 - Accessing via SSH
- From Ubuntu, connected to the network (192.168.10.0/24) of the Kankun hotspot, let's discover any other hosts:
- The host 192.168.10.253 corresponds to the Kankun Smart Plug, acting as gateway for all devices connected to OK_SP3. Pinging it from Ubuntu:
- Let's scan ports of Kankun:
- Having found SSH port 22 open, let's try to connect to Kankun via SSH, taking advantage of the fact that we know the root password of the device (p9z34c):
- The connection has all the privileges of the user root:
- Checking the IP of Kankun:
- We have access to the whole root file system of the Kankun Smart Plug: