Nov 11 2012
 

Since I didn’t find it anywhere else… Avocent, who makes a heck of a lot of BMCs, at times (as with Dell’s iDRAC, at least version 6) keeps passwords in “/flash/data0/etc/avctpasswd” (the path is quite possibly, even probably, OEM dependent; don’t be fooled by the /etc/passwd file), stored as SHA1 hashes converted into Base64.

I surmise this file is used to protect the real passwords that are stored in clear text elsewhere (among other places, in RAM).

[WPCM450 ~]$ cat /flash/data0/etc/avctpasswd
@:@:1:1:@:@:/bin/bash:0x0:0
root:y2VKyPNvhAAW8EOqPk4GeWUpcE0=:2:2:Administrator:/flash/data0/home/root:/bin/bash:0x1FF:1
deadbeef:P7BaFjs7ClrA9v3pSUGbYjYszwA=:3:0:@:/flash/data0/home/deadbeef:/bin/bash:0x1FF:1
xxxdellxxx:JEomstocR9Eyj4xqvFcTiQNDD3k=:4:0:@:/flash/data0/home/xxxdellxxx:/bin/bash:0x1FF:1
frankenstein:kA0wp2JHtjhBTDU6uo7DlKQThV4=:5:0:@:/flash/data0/home/frankenstein:/bin/bash:0x1F3:0
kcrw:x0hrTCpCdlkj8phYyQcbcmG8yfU=:6:0:@:/flash/data0/home/kcrw:/bin/bash:0x1FF:0
george_orwell:MgaZ38Cxsq9wVSMsmwNIZTDMgk8=:7:0:@:/flash/data0/home/george_orwell:/bin/bash:0x1F3:1
@:@:8:8:@:@:/bin/bash:0x0:0
@:@:9:9:@:@:/bin/bash:0x0:0
@:@:10:10:@:@:/bin/bash:0x0:0
@:@:11:11:@:@:/bin/bash:0x0:0
@:@:12:12:@:@:/bin/bash:0x0:0
@:@:13:13:@:@:/bin/bash:0x0:0
@:@:14:14:@:@:/bin/bash:0x0:0
@:@:15:15:@:@:/bin/bash:0x0:0
@:@:16:16:@:@:/bin/bash:0x0:0

These seemingly missing accounts are simply unused slots in the BMC, which allows 16 user-defined accounts. A little Python program to illustrate (the hashes below, from known passwords, match the hashes above):

$ cat p.py
import base64
import hashlib

# for these known passwords, print out the hash
for passwd in "hprulez", "ecclectic", "calvin", "lagosi", "frued", "zen":
    # SHA1 the password bytes, then Base64-encode the raw 20-byte digest
    digest = base64.b64encode(hashlib.sha1(passwd.encode()).digest()).decode()
    print(passwd + " = " + digest)

$ python p.py
hprulez = JEomstocR9Eyj4xqvFcTiQNDD3k=
ecclectic = x0hrTCpCdlkj8phYyQcbcmG8yfU=
calvin = y2VKyPNvhAAW8EOqPk4GeWUpcE0=
lagosi = kA0wp2JHtjhBTDU6uo7DlKQThV4=
frued = MgaZ38Cxsq9wVSMsmwNIZTDMgk8=
zen = P7BaFjs7ClrA9v3pSUGbYjYszwA=
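
An audit-side companion to the listing above, as an added example that is not from the original post: it parses the nine colon-separated fields, separates the "@" placeholder rows from real accounts, and reports accounts whose hash matches a list of known default passwords. The sample rows are constructed, and the names "mask" and "flag" for the last two fields are assumptions, since the post does not document them.

```python
import base64
import hashlib

def avct_hash(password):
    """Base64 of the raw SHA1 digest, the encoding the post describes."""
    return base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()

# Constructed sample rows in the layout of the listing above. Account names and
# passwords are made up; hashes are computed here, not copied from the post.
SAMPLE = "\n".join([
    "@:@:1:1:@:@:/bin/bash:0x0:0",
    "auditme:%s:2:2:Administrator:/flash/data0/home/auditme:/bin/bash:0x1FF:1"
    % avct_hash("constructed-default"),
    "svc:%s:3:0:@:/flash/data0/home/svc:/bin/bash:0x1F3:0"
    % avct_hash("constructed-long-unique-phrase"),
    "@:@:4:4:@:@:/bin/bash:0x0:0",
])

def parse_avctpasswd(text):
    """Split a dump into (accounts, unused_slots).

    Assumptions: 9 fields per row; "mask" and "flag" are hypothetical names
    for the last two fields, which the post does not document.
    """
    accounts, unused = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.strip().split(":")
        if len(fields) != 9:
            raise ValueError("line %d: expected 9 fields, got %d" % (lineno, len(fields)))
        name, pw_hash, slot = fields[0], fields[1], int(fields[2])
        if name == "@":  # placeholder row: slot not in use
            unused.append(slot)
            continue
        accounts.append({"slot": slot, "name": name, "hash": pw_hash,
                         "mask": int(fields[7], 16), "flag": fields[8]})
    return accounts, unused

def audit(text, known_weak):
    """Return {account name: weak password} for hashes found in known_weak."""
    lookup = {avct_hash(p): p for p in known_weak}
    accounts, _ = parse_avctpasswd(text)
    return {a["name"]: lookup[a["hash"]] for a in accounts if a["hash"] in lookup}

if __name__ == "__main__":
    accounts, unused = parse_avctpasswd(SAMPLE)
    print("in use:", [a["slot"] for a in accounts], "unused:", unused)
    print("weak:", audit(SAMPLE, ["calvin", "constructed-default"]))
```

Because the hashes are unsalted, one precomputed lookup table covers every account in the file, which is why the check is a single dictionary lookup per row.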

(edit later) And for good measure, a stupid little password cracker that I used later when looking for a password that matched a specific hash ;) Use John the Ripper or something unless the situation is dire!

#!/usr/bin/env python3
import base64
import hashlib
import sys

# we're looking for this
prehash = 'XtdLbGTpY0nSIpw/uchvPXPOHpo='

try:
    # read as bytes so word lists with odd encodings still load
    with open(sys.argv[1], 'rb') as f:
        passwords = f.read().split(b'\n')
except (IndexError, IOError):
    print("Usage: %s word-file" % sys.argv[0])
    sys.exit(1)

# print progress for every... xth word
x = 1000000
n = 0

print("looking for password that when hashed matches " + prehash)
for p in passwords:
    n += 1
    if p == b"":
        continue
    # SHA1 the candidate, Base64 the raw digest, compare to the target
    hashy = base64.b64encode(hashlib.sha1(p).digest()).decode()
    # print("pass:" + p.decode(errors='replace') + ":\t", hashy)
    if hashy == prehash:
        print("match: %s cracked (word # %s in file) ==> %s"
              % (hashy, n, p.decode(errors='replace')))
        sys.exit(0)

    if (n % x) == 0:
        print(n)

# no word in the file matched
sys.exit(1)
