Nov 11 2012

Since I didn’t find it anywhere else… Avocent, who makes a heck of a lot of BMCs, at times (as with Dell’s iDRAC, at least version 6) keeps encrypted passwords in “/flash/data0/etc/avctpasswd” (the path is quite possibly/probably OEM-dependent; don’t be fooled by the /etc/passwd file), stored as SHA1-hashed passwords converted into Base64.

I surmise this file is used to protect the real passwords that are stored in clear text elsewhere (among other places, in RAM).

[WPCM450 ~]$ cat /flash/data0/etc/avctpasswd

The seemingly missing accounts are simply unused slots in the BMC, which allows 16 user-defined accounts. A little Python program to illustrate (the hashes below, from known passwords, match the hashes above):

$ cat
import base64
import hashlib

# for these known passwords, print out the hash
for passwd in "hprulez", "ecclectic", "calvin", "lagosi", "frued", "zen":
   # SHA-1 the password bytes, then Base64-encode the raw 20-byte digest
   hash = base64.b64encode(hashlib.sha1(passwd.encode()).digest()).decode()
   print(passwd + " = " + hash)

$ python
hprulez = JEomstocR9Eyj4xqvFcTiQNDD3k=
ecclectic = x0hrTCpCdlkj8phYyQcbcmG8yfU=
calvin = y2VKyPNvhAAW8EOqPk4GeWUpcE0=
lagosi = kA0wp2JHtjhBTDU6uo7DlKQThV4=
frued = MgaZ38Cxsq9wVSMsmwNIZTDMgk8=
zen = P7BaFjs7ClrA9v3pSUGbYjYszwA=

(edit later) And for good measure, a stupid little password cracker that I used later when looking for a password that matched a specific hash ;) Use John the Ripper or something unless the situation is dire!

import base64
import hashlib
import sys

# we're looking for this
prehash = 'XtdLbGTpY0nSIpw/uchvPXPOHpo='

# read the word file, one candidate per line; latin-1 maps every byte to a
# character, so words that are not valid UTF-8 still hash byte for byte
try:
   passwords = open(sys.argv[1], encoding="latin-1").read().split('\n')
except (IndexError, IOError):
   print("Usage: %s word-file" % sys.argv[0])
   sys.exit(1)

# print # for every... xth word
x = 1000000
n = 0

print("looking for password that when hashed matches " + prehash)
for p in passwords:
   n += 1
   # skip empty lines
   if p == "":
      continue
   hashy = base64.b64encode(hashlib.sha1(p.encode("latin-1")).digest()).decode()
   # print("pass:" + p + ":\t", hashy)
   if hashy == prehash:
      print("match: %s cracked (word # %s in file) ==> %s" % (hashy, n, p))

   if (n % x) == 0:
      print(n)
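
Because the hashes are unsalted, the same password always produces the same stored value, so an administrator can audit BMC accounts for known-bad or shared passwords just by comparing hashes. The following is an added example, not code from the original post: the account names, the sample entries and the `audit`, `salted_hash` and `salted_verify` helpers are assumptions made for illustration, and the salted PBKDF2 functions show a contrasting storage scheme, not something the BMC implements.

```python
import base64
import hashlib
import hmac
import os

def avct_hash(password):
    """Unsalted SHA-1 digest in Base64, the scheme the post describes."""
    return base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()

def audit(entries, known_defaults):
    """Return ({user: default password}, [groups of users sharing one hash])."""
    lookup = {avct_hash(p): p for p in known_defaults}
    defaults = {user: lookup[h] for user, h in entries if h in lookup}
    by_hash = {}
    for user, h in entries:
        by_hash.setdefault(h, []).append(user)
    shared = sorted(sorted(u) for u in by_hash.values() if len(u) > 1)
    return defaults, shared

def salted_hash(password, salt=None, rounds=100_000):
    """Contrast: random per-account salt plus PBKDF2-HMAC-SHA256."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)

def salted_verify(password, salt, expected, rounds=100_000):
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(salted_hash(password, salt, rounds)[1], expected)

# Constructed sample of (account, stored hash) pairs. The on-disk layout of
# avctpasswd is not shown in the post, so file parsing is left out here.
SAMPLE = [
    ("root", avct_hash("calvin")),
    ("operator", avct_hash("zen")),
    ("backup", avct_hash("calvin")),   # reuses root's password
]

if __name__ == "__main__":
    defaults, shared = audit(SAMPLE, ["calvin"])
    print("accounts on a known default:", defaults)
    print("accounts sharing a password:", shared)
    (s1, h1), (s2, h2) = salted_hash("calvin"), salted_hash("calvin")
    print("salted hashes differ:", h1 != h2)
    print("salted verify:", salted_verify("calvin", s1, h1))
```

With a per-account salt the two "calvin" entries no longer share a stored value, so neither the default-password lookup nor the shared-hash grouping works without testing each account separately.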

