When I first got serial port access to my Circle, I grabbed the \/etc\/shadow file and started running “John The Ripper” to attempt to crack the root password (it’s been running for 47 days). \u00a0The hope was that I could crack the password, making it easier for others to get into their Circle devices (without requiring a serial port).<\/p>\n
Well, I just installed the latest firmware from Circle, and found that they have changed to using key-based ssh login instead of password. \u00a0In the process, they’ve removed the root password (so you can’t login as root anymore, unless you have their private ssh key).<\/p>\n
The new \/mnt\/shares\/usr\/bin\/startcircle script has the following line:<\/p>\n
[ -f $DIR\/scripts\/authorized_keys ] && { diff $DIR\/scripts\/authorized_keys \/etc\/dropbear\/authorized_keys > \/dev\/null || { cp -f $DIR\/scripts\/authorized_keys \/etc\/dropbear\/authorized_keys; sed -i -e 's\/root:[^:]*:\/root:*:\/g' \/etc\/shadow<\/strong>; } }<\/pre>\nThe above line copies an ssh ‘authorized_keys’ file from \/mnt\/shares\/usr\/bin\/scripts to \/etc\/dropbear. \u00a0It also removes the password for the user ‘root’ in ‘\/etc\/shadow’.<\/p>\n
The new ‘\/etc\/dropbear\/authorized_keys’ has one entry for Circle’s key:<\/p>\n
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAuIaD23ac41XZp5AcSSOunHXHYN38dF2YX+rmb0QT4zxKFnccl6BpzoxGb604rPc4eQ477glWyM4D\/jTIyaKqmA7P1iVMym8v5nSXH6haSc\/KrzV5EizmalXd4+eoK8ddSgpoci0P9oul3yiWtvccwN5WQ5H\/DZhyYvdM73kKnYh3JUllx8JnGi1Qa0nhNGfrhIqaApTc\/AyIAFR9I8wtp5KR98xRH5u\/hEm1IMB5lo7yS6yJUcupIctnW\/C2qUOD7WtWzZvJtgAmmhh+A1XLU42PruPtTfQ2EAHUmNJ+xVssUl3N2cIhvCt1sm5o8DymttOS4xot6Ni06UZ\/LK\/iKw== tzhang@gateway<\/pre>\nIt’s not possible to brute-force an ssh RSA key, and it’s no longer possible to login as ‘root’ with a password, so there’s no longer any point to continue the password cracking process.<\/p>\n
No worries, though – we can still get in without a serial port or the root password. \u00a0I’ll post details on modifying a firmware update image to add a new user (with root privileges) soon.<\/p>\n
<\/p>\n
<\/p>\n
<\/p>\n
<\/p>\n","protected":false},"excerpt":{"rendered":"
When I first got serial port access to my Circle, I grabbed the \/etc\/shadow file and started running “John The Ripper” to attempt to crack the root password (it’s been running for 47 days). \u00a0The hope was that I could crack the password, making it easier for others to get into their Circle devices (without … Continue reading “There’s no longer any point to cracking the root password”<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[1],"tags":[],"_links":{"self":[{"href":"http:\/\/www.hackspot.net\/CircleBlog\/wp-json\/wp\/v2\/posts\/125"}],"collection":[{"href":"http:\/\/www.hackspot.net\/CircleBlog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.hackspot.net\/CircleBlog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.hackspot.net\/CircleBlog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/www.hackspot.net\/CircleBlog\/wp-json\/wp\/v2\/comments?post=125"}],"version-history":[{"count":4,"href":"http:\/\/www.hackspot.net\/CircleBlog\/wp-json\/wp\/v2\/posts\/125\/revisions"}],"predecessor-version":[{"id":152,"href":"http:\/\/www.hackspot.net\/CircleBlog\/wp-json\/wp\/v2\/posts\/125\/revisions\/152"}],"wp:attachment":[{"href":"http:\/\/www.hackspot.net\/CircleBlog\/wp-json\/wp\/v2\/media?parent=125"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.hackspot.net\/CircleBlog\/wp-json\/wp\/v2\/categories?post=125"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.hackspot.net\/CircleBlog\/wp-json\/wp\/v2\/tags?post=125"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}