
Monday, May 22, 2017

12 - Cracking the root password and connecting via SSH to the KANKUN SMART PLUG




- Layout for this exercise:




1 - Cracking the root password with John The Ripper

- This exercise is based on the previous one, where the firmware of the Kankun Smart Plug was extracted:

https://dgmsp.blogspot.com/2017/05/11-extracting-and-analyzing-firmware-of.html

- Checking the interesting contents of the extracted file system, for instance the account file /etc/passwd:




- The password hashes themselves are stored in /etc/shadow:





- Before running John The Ripper against the hashes, let's combine /etc/passwd and /etc/shadow with unshadow, writing the result to a file named test:







unshadow combines /etc/passwd and /etc/shadow into a single file in the format John expects:







- Running John The Ripper on the combined file cracks the hash and recovers the root password, p9z34c:
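An added example (not from the original post) of the unshadow step done by hand in Python, extended into a small firmware-credential audit: it merges /etc/passwd with /etc/shadow from an extracted root filesystem, classifies each hash by its crypt(3) prefix, and flags the accounts a firmware reviewer would worry about (empty passwords, or DES/md5crypt hashes on accounts that have a login shell). The passwd and shadow contents are constructed sample data and the root hash is a placeholder, not the Kankun's real hash.

```python
# Constructed sample files, not the device's real contents; root's hash is a placeholder.
PASSWD = "root:x:0:0:root:/root:/bin/ash\ndaemon:*:1:1:daemon:/var:/bin/false\n"
SHADOW = "root:$1$abcdefgh$PLACEHOLDERHASH0000000:0:0:99999:7:::\ndaemon:*:0:0:99999:7:::\n"

# crypt(3) identifier prefixes; DES and md5crypt are cheap to brute-force offline
ALGOS = {"$1$": "md5crypt", "$5$": "sha256crypt", "$6$": "sha512crypt",
         "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt", "$y$": "yescrypt"}
WEAK = {"descrypt", "md5crypt"}
NOLOGIN = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}


def unshadow(passwd: str, shadow: str) -> list[dict]:
    """Merge passwd with shadow the way unshadow does: 'x' becomes the real hash."""
    rows = (line.split(":") for line in shadow.splitlines())
    hashes = {f[0]: f[1] for f in rows if len(f) >= 2}
    accounts = []
    for line in passwd.splitlines():
        f = line.split(":")
        if len(f) < 7:
            continue  # malformed line, skip it
        pw = hashes.get(f[0], f[1]) if f[1] == "x" else f[1]
        accounts.append({"name": f[0], "pw": pw, "uid": int(f[2]), "shell": f[6]})
    return accounts


def hash_algo(pw: str) -> str:
    """Classify a crypt(3) password field by its identifier prefix."""
    if pw == "":
        return "empty"
    if pw.startswith(("*", "!")):
        return "locked"
    for prefix, name in ALGOS.items():
        if pw.startswith(prefix):
            return name
    return "descrypt" if len(pw) == 13 and "$" not in pw else "unknown"


def audit(accounts: list[dict]) -> list[str]:
    """Flag accounts whose credentials anyone holding the firmware image could recover."""
    findings = []
    for a in accounts:
        algo = hash_algo(a["pw"])
        if algo == "empty":
            findings.append(f"{a['name']}: empty password")
        elif algo in WEAK and a["shell"] not in NOLOGIN:
            tag = " (uid 0)" if a["uid"] == 0 else ""
            findings.append(f"{a['name']}: {algo} hash with login shell {a['shell']}{tag}")
    return findings
```

Run `audit(unshadow(PASSWD, SHADOW))` to see the findings; on a real extracted rootfs, read the two files from `<rootfs>/etc/` instead of the constructed strings.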




2 - Connecting to the network created by Kankun Smart Plug

- When the Smart Plug is plugged in, its LED shows solid blue for 20 seconds and then starts blinking slowly:




- At that point the Kankun acts as a hotspot (Access Point), creating a WiFi network with SSID OK_SP3.

- The machine used in this exercise is an Ubuntu virtual machine hosted on Windows 10; the Windows host detects the newly created WiFi network OK_SP3:




- The characteristics of the wireless network OK_SP3:










- The virtual machine's network adapter is set to Bridged Adapter mode, so that it connects directly to OK_SP3:





- Once inside the Ubuntu virtual machine we see that the Kankun (acting as Access Point) has assigned the IP address 192.168.10.140 to Ubuntu:






3 - Accessing via SSH


- From Ubuntu, connected to the Kankun hotspot's network (192.168.10.0/24), let's discover the other hosts on it:





- The host 192.168.10.253 is the Kankun Smart Plug, which acts as gateway for every device connected to OK_SP3. Pinging it from Ubuntu:




- Let's port-scan the Kankun:





- Having found that SSH port 22 is open, let's connect to the Kankun via SSH, using the root password recovered from the firmware (p9z34c):






- The session has the full privileges of the root user:




- Checking the IP address of the Kankun:





- We have access to the whole root file system of the Kankun Smart Plug: