Monday, May 22, 2017

12 - Cracking the root password and connecting via SSH to the KANKUN SMART PLUG


- Layout for this exercise:

1 - Cracking the root password with John The Ripper

- This exercise is based on the previous one, where the firmware of the Kankun Smart Plug was extracted:

- Checking the interesting contents of the file system, for instance the account file /etc/passwd:

- The file holding the hashed passwords is /etc/shadow:

- Before running John The Ripper against the hashes, let's unshadow /etc/passwd and /etc/shadow, writing the result to a file named test:

unshadow combines /etc/passwd and /etc/shadow:

- Running John The Ripper against that file, the root password is recovered as p9z34c:
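An added audit helper (not from the original post) that reads the unshadow output format produced above and flags accounts whose stored credential is empty or uses a hash scheme cheap to brute-force offline, which is what a firmware reviewer would want to know before a plug like this ships; the sample lines and every hash value in them are constructed.

```python
import re

# Constructed sample in the format `unshadow passwd shadow` produces: the
# shadow hash is spliced into passwd's second field. Every hash here is made up.
SAMPLE_UNSHADOW = """\
root:$1$saltsalt$ConstructedMd5CryptHashValue0:0:0:root:/root:/bin/ash
daemon:*:1:1:daemon:/var:/bin/false
nobody:*:65534:65534:nobody:/var:/bin/false
admin::1000:1000:admin:/home/admin:/bin/ash
"""

# crypt(3) scheme prefixes -> (name, weak?). Weak means cheap to brute-force
# offline with a tool such as John The Ripper.
SCHEMES = {
    "$1$": ("md5-crypt", True),
    "$5$": ("sha256-crypt", False),
    "$6$": ("sha512-crypt", False),
    "$2a$": ("bcrypt", False), "$2b$": ("bcrypt", False), "$2y$": ("bcrypt", False),
    "$y$": ("yescrypt", False),
}
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")  # classic 13-char DES crypt

def classify(hash_field):
    """Return (scheme name, is_weak) for one crypt(3) password field."""
    if hash_field == "":
        return ("empty", True)          # login with no password at all
    if hash_field == "x" or hash_field.startswith(("!", "*")):
        return ("locked", False)        # no usable hash in this field
    for prefix, info in SCHEMES.items():
        if hash_field.startswith(prefix):
            return info
    if DES_RE.match(hash_field):
        return ("des-crypt", True)
    return ("unknown", True)            # unrecognised: review by hand

def audit_unshadow(text):
    """Return one finding per account whose credential is empty or weakly hashed."""
    findings = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue                    # blank or malformed line
        user, pw, uid, _gid, _gecos, _home, shell = fields
        scheme, weak = classify(pw)
        if weak:
            findings.append({"user": user, "uid": int(uid), "scheme": scheme,
                             "login_shell": not shell.endswith(("/false", "/nologin"))})
    return findings
```

Point it at the real `test` file with `audit_unshadow(open("test").read())`; an entry with `login_shell` True and a weak scheme is exactly the case an attacker with the firmware image can turn into an SSH login.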

2 - Connecting to the network created by Kankun Smart Plug

- When the Smart Plug is plugged in, after 20 seconds of solid blue light the LED starts blinking slowly:

- At that point Kankun acts as a hotspot (Access Point), creating a WiFi network with SSID OK_SP3.

- The device used in this exercise is an Ubuntu virtual machine hosted on a Windows 10 machine, which detects the newly created WiFi network OK_SP3:

- The characteristics of the wireless network OK_SP3:

- The virtual machine's network adapter is set to Bridged Adapter mode, so that it joins OK_SP3 directly:

- Once inside the Ubuntu virtual machine we notice that Kankun (acting as Access Point) has assigned an IP to Ubuntu:

3 - Accessing via SSH

- From Ubuntu, connected to the network of the Kankun hotspot, let's discover any other hosts:

- The host found corresponds to the Kankun Smart Plug, which acts as gateway for all devices connected to OK_SP3. Pinging it from Ubuntu:

- Let's scan Kankun's ports:

- Having found that SSH port 22 is open, let's connect to Kankun via SSH using the root password recovered earlier (p9z34c):

- The session has all the privileges of the root user:

- Checking the IP of Kankun:

- We have access to the whole root file system of the Kankun Smart Plug: