{"id":673,"date":"2012-11-11T19:59:01","date_gmt":"2012-11-11T19:59:01","guid":{"rendered":"https:\/\/trouble.org\/?p=673"},"modified":"2013-05-22T19:29:41","modified_gmt":"2013-05-22T19:29:41","slug":"avctpasswd","status":"publish","type":"post","link":"https:\/\/trouble.org\/?p=673","title":{"rendered":"avctpasswd"},"content":{"rendered":"<p>Since I didn&#8217;t find it anywhere else&#8230; Avocent, who makes a heck of a lot of BMCs, at times (like with Dell&#8217;s iDRAC, at least version 6) keeps passwords in (well, quite possibly\/probably OEM dependent) &#8220;\/flash\/data0\/etc\/avctpasswd&#8221; (don&#8217;t be fooled by the \/etc\/passwd file) as SHA1 hashes converted into Base64.<\/p>\n<p>I surmise this file is used to protect the real passwords that are stored in clear text elsewhere (among other places, in RAM.)<\/p>\n<div class=\"codecolorer-container bash blackboard\" style=\"overflow:auto;white-space:nowrap;\"><div class=\"bash codecolorer\"><span class=\"br0\">&#91;<\/span>WPCM450 ~<span class=\"br0\">&#93;<\/span>$ <span class=\"kw2\">cat<\/span> <span class=\"sy0\">\/<\/span>flash<span class=\"sy0\">\/<\/span>data0<span class=\"sy0\">\/<\/span>etc<span class=\"sy0\">\/<\/span>avctpasswd<br \/>\n<span class=\"sy0\">@<\/span>:<span class=\"sy0\">@<\/span>:<span class=\"nu0\">1<\/span>:<span class=\"nu0\">1<\/span>:<span class=\"sy0\">@<\/span>:<span class=\"sy0\">@<\/span>:<span class=\"sy0\">\/<\/span>bin<span class=\"sy0\">\/<\/span>bash:0x0:<span class=\"nu0\">0<\/span><br \/>\nroot:<span class=\"re2\">y2VKyPNvhAAW8EOqPk4GeWUpcE0<\/span>=:<span class=\"nu0\">2<\/span>:<span class=\"nu0\">2<\/span>:Administrator:<span class=\"sy0\">\/<\/span>flash<span class=\"sy0\">\/<\/span>data0<span class=\"sy0\">\/<\/span>home<span class=\"sy0\">\/<\/span>root:<span class=\"sy0\">\/<\/span>bin<span class=\"sy0\">\/<\/span>bash:0x1FF:<span class=\"nu0\">1<\/span><br \/>\ndeadbeef:<span
class=\"re2\">P7BaFjs7ClrA9v3pSUGbYjYszwA<\/span>=:<span class=\"nu0\">3<\/span>:<span class=\"nu0\">0<\/span>:<span class=\"sy0\">@<\/span>:<span class=\"sy0\">\/<\/span>flash<span class=\"sy0\">\/<\/span>data0<span class=\"sy0\">\/<\/span>home<span class=\"sy0\">\/<\/span>deadbeef:<span class=\"sy0\">\/<\/span>bin<span class=\"sy0\">\/<\/span>bash:0x1FF:<span class=\"nu0\">1<\/span><br \/>\nxxxdellxxx:<span class=\"re2\">JEomstocR9Eyj4xqvFcTiQNDD3k<\/span>=:<span class=\"nu0\">4<\/span>:<span class=\"nu0\">0<\/span>:<span class=\"sy0\">@<\/span>:<span class=\"sy0\">\/<\/span>flash<span class=\"sy0\">\/<\/span>data0<span class=\"sy0\">\/<\/span>home<span class=\"sy0\">\/<\/span>xxxdellxxx:<span class=\"sy0\">\/<\/span>bin<span class=\"sy0\">\/<\/span>bash:0x1FF:<span class=\"nu0\">1<\/span><br \/>\nfrankenstein:<span class=\"re2\">kA0wp2JHtjhBTDU6uo7DlKQThV4<\/span>=:<span class=\"nu0\">5<\/span>:<span class=\"nu0\">0<\/span>:<span class=\"sy0\">@<\/span>:<span class=\"sy0\">\/<\/span>flash<span class=\"sy0\">\/<\/span>data0<span class=\"sy0\">\/<\/span>home<span class=\"sy0\">\/<\/span>frankenstein:<span class=\"sy0\">\/<\/span>bin<span class=\"sy0\">\/<\/span>bash:0x1F3:<span class=\"nu0\">0<\/span><br \/>\nkcrw:<span class=\"re2\">x0hrTCpCdlkj8phYyQcbcmG8yfU<\/span>=:<span class=\"nu0\">6<\/span>:<span class=\"nu0\">0<\/span>:<span class=\"sy0\">@<\/span>:<span class=\"sy0\">\/<\/span>flash<span class=\"sy0\">\/<\/span>data0<span class=\"sy0\">\/<\/span>home<span class=\"sy0\">\/<\/span>kcrw:<span class=\"sy0\">\/<\/span>bin<span class=\"sy0\">\/<\/span>bash:0x1FF:<span class=\"nu0\">0<\/span><br \/>\ngeorge_orwell:<span class=\"re2\">MgaZ38Cxsq9wVSMsmwNIZTDMgk8<\/span>=:<span class=\"nu0\">7<\/span>:<span class=\"nu0\">0<\/span>:<span class=\"sy0\">@<\/span>:<span class=\"sy0\">\/<\/span>flash<span class=\"sy0\">\/<\/span>data0<span class=\"sy0\">\/<\/span>home<span class=\"sy0\">\/<\/span>george_orwell:<span class=\"sy0\">\/<\/span>bin<span 
class=\"sy0\">\/<\/span>bash:0x1F3:<span class=\"nu0\">1<\/span><br \/>\n<span class=\"sy0\">@<\/span>:<span class=\"sy0\">@<\/span>:<span class=\"nu0\">8<\/span>:<span class=\"nu0\">8<\/span>:<span class=\"sy0\">@<\/span>:<span class=\"sy0\">@<\/span>:<span class=\"sy0\">\/<\/span>bin<span class=\"sy0\">\/<\/span>bash:0x0:<span class=\"nu0\">0<\/span><br \/>\n<span class=\"sy0\">@<\/span>:<span class=\"sy0\">@<\/span>:<span class=\"nu0\">9<\/span>:<span class=\"nu0\">9<\/span>:<span class=\"sy0\">@<\/span>:<span class=\"sy0\">@<\/span>:<span class=\"sy0\">\/<\/span>bin<span class=\"sy0\">\/<\/span>bash:0x0:<span class=\"nu0\">0<\/span><br \/>\n<span class=\"sy0\">@<\/span>:<span class=\"sy0\">@<\/span>:<span class=\"nu0\">10<\/span>:<span class=\"nu0\">10<\/span>:<span class=\"sy0\">@<\/span>:<span class=\"sy0\">@<\/span>:<span class=\"sy0\">\/<\/span>bin<span class=\"sy0\">\/<\/span>bash:0x0:<span class=\"nu0\">0<\/span><br \/>\n<span class=\"sy0\">@<\/span>:<span class=\"sy0\">@<\/span>:<span class=\"nu0\">11<\/span>:<span class=\"nu0\">11<\/span>:<span class=\"sy0\">@<\/span>:<span class=\"sy0\">@<\/span>:<span class=\"sy0\">\/<\/span>bin<span class=\"sy0\">\/<\/span>bash:0x0:<span class=\"nu0\">0<\/span><br \/>\n<span class=\"sy0\">@<\/span>:<span class=\"sy0\">@<\/span>:<span class=\"nu0\">12<\/span>:<span class=\"nu0\">12<\/span>:<span class=\"sy0\">@<\/span>:<span class=\"sy0\">@<\/span>:<span class=\"sy0\">\/<\/span>bin<span class=\"sy0\">\/<\/span>bash:0x0:<span class=\"nu0\">0<\/span><br \/>\n<span class=\"sy0\">@<\/span>:<span class=\"sy0\">@<\/span>:<span class=\"nu0\">13<\/span>:<span class=\"nu0\">13<\/span>:<span class=\"sy0\">@<\/span>:<span class=\"sy0\">@<\/span>:<span class=\"sy0\">\/<\/span>bin<span class=\"sy0\">\/<\/span>bash:0x0:<span class=\"nu0\">0<\/span><br \/>\n<span class=\"sy0\">@<\/span>:<span class=\"sy0\">@<\/span>:<span class=\"nu0\">14<\/span>:<span class=\"nu0\">14<\/span>:<span class=\"sy0\">@<\/span>:<span 
class=\"sy0\">@<\/span>:<span class=\"sy0\">\/<\/span>bin<span class=\"sy0\">\/<\/span>bash:0x0:<span class=\"nu0\">0<\/span><br \/>\n<span class=\"sy0\">@<\/span>:<span class=\"sy0\">@<\/span>:<span class=\"nu0\">15<\/span>:<span class=\"nu0\">15<\/span>:<span class=\"sy0\">@<\/span>:<span class=\"sy0\">@<\/span>:<span class=\"sy0\">\/<\/span>bin<span class=\"sy0\">\/<\/span>bash:0x0:<span class=\"nu0\">0<\/span><br \/>\n<span class=\"sy0\">@<\/span>:<span class=\"sy0\">@<\/span>:<span class=\"nu0\">16<\/span>:<span class=\"nu0\">16<\/span>:<span class=\"sy0\">@<\/span>:<span class=\"sy0\">@<\/span>:<span class=\"sy0\">\/<\/span>bin<span class=\"sy0\">\/<\/span>bash:0x0:<span class=\"nu0\">0<\/span><\/div><\/div>\n<p>These seemingly missing accounts are simply unused slots in the BMC, which allows 16 user-defined accounts. A little Python program to illustrate (the hashes below, from known passwords, match the hashes above):<\/p>\n<div class=\"codecolorer-container python blackboard\" style=\"overflow:auto;white-space:nowrap;\"><div class=\"python codecolorer\">$ cat p.<span class=\"me1\">py<\/span><br \/>\n<span class=\"kw1\">import<\/span> <span class=\"kw3\">base64<\/span><br \/>\n<span class=\"kw1\">import<\/span> hashlib<br \/>\n<br \/>\n<span class=\"co1\"># for these known passwords, print out the Base64-encoded SHA1 hash<\/span><br \/>\n<span class=\"kw1\">for<\/span> passwd <span class=\"kw1\">in<\/span> <span class=\"st0\">&quot;hprulez&quot;<\/span><span class=\"sy0\">,<\/span> <span class=\"st0\">&quot;ecclectic&quot;<\/span><span class=\"sy0\">,<\/span> <span class=\"st0\">&quot;calvin&quot;<\/span><span class=\"sy0\">,<\/span> <span class=\"st0\">&quot;lagosi&quot;<\/span><span class=\"sy0\">,<\/span> <span class=\"st0\">&quot;frued&quot;<\/span><span class=\"sy0\">,<\/span> <span class=\"st0\">&quot;zen&quot;<\/span>:<br \/>\n&nbsp; &nbsp;<span
class=\"kw2\">hash<\/span> <span class=\"sy0\">=<\/span> <span class=\"kw3\">base64<\/span>.<span class=\"me1\">b64encode<\/span><span class=\"br0\">&#40;<\/span>hashlib.<span class=\"me1\">sha1<\/span><span class=\"br0\">&#40;<\/span>passwd.<span class=\"me1\">encode<\/span><span class=\"br0\">&#40;<\/span><span class=\"br0\">&#41;<\/span><span class=\"br0\">&#41;<\/span>.<span class=\"me1\">digest<\/span><span class=\"br0\">&#40;<\/span><span class=\"br0\">&#41;<\/span><span class=\"br0\">&#41;<\/span>.<span class=\"me1\">decode<\/span><span class=\"br0\">&#40;<\/span><span class=\"br0\">&#41;<\/span><br \/>\n&nbsp; &nbsp;<span class=\"kw1\">print<\/span><span class=\"br0\">&#40;<\/span>passwd + <span class=\"st0\">&quot; = &quot;<\/span> + <span class=\"kw2\">hash<\/span><span class=\"br0\">&#41;<\/span><br \/>\n<br \/>\n$ python p.<span class=\"me1\">py<\/span><br \/>\nhprulez <span class=\"sy0\">=<\/span> JEomstocR9Eyj4xqvFcTiQNDD3k<span class=\"sy0\">=<\/span><br \/>\necclectic <span class=\"sy0\">=<\/span> x0hrTCpCdlkj8phYyQcbcmG8yfU<span class=\"sy0\">=<\/span><br \/>\ncalvin <span class=\"sy0\">=<\/span> y2VKyPNvhAAW8EOqPk4GeWUpcE0<span class=\"sy0\">=<\/span><br \/>\nlagosi <span class=\"sy0\">=<\/span> kA0wp2JHtjhBTDU6uo7DlKQThV4<span class=\"sy0\">=<\/span><br \/>\nfrued <span class=\"sy0\">=<\/span> MgaZ38Cxsq9wVSMsmwNIZTDMgk8<span class=\"sy0\">=<\/span><br \/>\nzen <span class=\"sy0\">=<\/span> P7BaFjs7ClrA9v3pSUGbYjYszwA<span class=\"sy0\">=<\/span><\/div><\/div>\n<p>(edit later) And for good measure, a stupid little password cracker that I used later when looking for a password that matched a specific hash ;) Use John the Ripper or something unless the situation is dire!<\/p>\n<div class=\"codecolorer-container python blackboard\" style=\"overflow:auto;white-space:nowrap;height:800px;\"><div class=\"python codecolorer\"><span class=\"co1\">#!\/usr\/bin\/python<\/span><br \/>\n<span class=\"kw1\">import<\/span> <span class=\"kw3\">base64<\/span><br \/>\n<span class=\"kw1\">import<\/span> hashlib<br \/>\n<span class=\"kw1\">import<\/span> <span class=\"kw3\">sys<\/span><br
\/>\n<br \/>\n<span class=\"co1\"># we're looking for this<\/span><br \/>\nprehash <span class=\"sy0\">=<\/span> <span class=\"st0\">'XtdLbGTpY0nSIpw\/uchvPXPOHpo='<\/span><br \/>\n<br \/>\n<span class=\"kw1\">try<\/span>:<br \/>\n&nbsp; &nbsp;passwords <span class=\"sy0\">=<\/span> <span class=\"kw2\">open<\/span><span class=\"br0\">&#40;<\/span><span class=\"kw3\">sys<\/span>.<span class=\"me1\">argv<\/span><span class=\"br0\">&#91;<\/span><span class=\"nu0\">1<\/span><span class=\"br0\">&#93;<\/span><span class=\"br0\">&#41;<\/span>.<span class=\"me1\">read<\/span><span class=\"br0\">&#40;<\/span><span class=\"br0\">&#41;<\/span>.<span class=\"me1\">split<\/span><span class=\"br0\">&#40;<\/span><span class=\"st0\">'<span class=\"es0\">\\n<\/span>'<\/span><span class=\"br0\">&#41;<\/span><br \/>\n<span class=\"kw1\">except<\/span> <span class=\"br0\">&#40;<\/span>IndexError<span class=\"sy0\">,<\/span> IOError<span class=\"br0\">&#41;<\/span>:<br \/>\n&nbsp; &nbsp;<span class=\"kw1\">print<\/span> <span class=\"st0\">&quot;Usage: %s word-file&quot;<\/span> % <span class=\"kw3\">sys<\/span>.<span class=\"me1\">argv<\/span><span class=\"br0\">&#91;<\/span><span class=\"nu0\">0<\/span><span class=\"br0\">&#93;<\/span><br \/>\n&nbsp; &nbsp;<span class=\"kw3\">sys<\/span>.<span class=\"me1\">exit<\/span><span class=\"br0\">&#40;<\/span><span class=\"nu0\">1<\/span><span class=\"br0\">&#41;<\/span><br \/>\n<br \/>\n<span class=\"co1\"># print # for every...
xth word<\/span><br \/>\nx <span class=\"sy0\">=<\/span> <span class=\"nu0\">1000000<\/span><br \/>\nn <span class=\"sy0\">=<\/span> <span class=\"nu0\">0<\/span><br \/>\n<br \/>\n<span class=\"kw1\">print<\/span> <span class=\"st0\">&quot;looking for password that when hashed matches &quot;<\/span> + prehash<br \/>\n<span class=\"kw1\">for<\/span> p <span class=\"kw1\">in<\/span> passwords:<br \/>\n&nbsp; &nbsp;n +<span class=\"sy0\">=<\/span> <span class=\"nu0\">1<\/span><br \/>\n&nbsp; &nbsp;<span class=\"kw1\">if<\/span> p <span class=\"sy0\">==<\/span> <span class=\"st0\">&quot;&quot;<\/span>:<br \/>\n&nbsp; &nbsp; &nbsp; <span class=\"kw1\">continue<\/span><br \/>\n&nbsp; &nbsp;hashy <span class=\"sy0\">=<\/span> <span class=\"kw3\">base64<\/span>.<span class=\"me1\">b64encode<\/span><span class=\"br0\">&#40;<\/span>hashlib.<span class=\"me1\">sha1<\/span><span class=\"br0\">&#40;<\/span>p<span class=\"br0\">&#41;<\/span>.<span class=\"me1\">digest<\/span><span class=\"br0\">&#40;<\/span><span class=\"br0\">&#41;<\/span><span class=\"br0\">&#41;<\/span><br \/>\n&nbsp; &nbsp;<span class=\"co1\"># print &quot;pass:&quot; + p + &quot;:\\t&quot; , hashy<\/span><br \/>\n&nbsp; &nbsp;<span class=\"kw1\">if<\/span> hashy <span class=\"sy0\">==<\/span> <span class=\"st0\">'XtdLbGTpY0nSIpw\/uchvPXPOHpo='<\/span>:<br \/>\n&nbsp; &nbsp; &nbsp; <span class=\"kw1\">print<\/span> <span class=\"st0\">&quot;match: %s cracked (word # %s in file) ==&gt; %s&quot;<\/span> % <span class=\"br0\">&#40;<\/span>hashy<span class=\"sy0\">,<\/span> n<span class=\"sy0\">,<\/span> p<span class=\"br0\">&#41;<\/span><br \/>\n&nbsp; &nbsp; &nbsp; <span class=\"kw3\">sys<\/span>.<span class=\"me1\">exit<\/span><span class=\"br0\">&#40;<\/span><span class=\"nu0\">0<\/span><span class=\"br0\">&#41;<\/span><br \/>\n<br \/>\n&nbsp; &nbsp;<span class=\"kw1\">if<\/span> <span class=\"br0\">&#40;<\/span>n % x<span class=\"br0\">&#41;<\/span> <span class=\"sy0\">==<\/span> <span 
class=\"nu0\">0<\/span>:<br \/>\n&nbsp; &nbsp; &nbsp; <span class=\"kw1\">print<\/span> n<br \/>\n<br \/>\n<span class=\"kw3\">sys<\/span>.<span class=\"me1\">exit<\/span><span class=\"br0\">&#40;<\/span><span class=\"nu0\">1<\/span><span class=\"br0\">&#41;<\/span><\/div><\/div>\n","protected":false},"excerpt":{"rendered":"<p>Since I didn&#8217;t find it anywhere else&#8230; Avocent, who makes a heck of a lot of BMCs, and at times (like with Dell&#8217;s iDRAC, at least version 6) keeps encrypted passwords in (well, quite possible\/probable OEM dependent) &#8220;\/flash\/data0\/etc\/avctpasswd&#8221; (don&#8217;t be fooled by the \/etc\/passwd file) using SHA1 hashed passwords converted into Base64. I surmise this [&hellip;]<\/p>\n","protected":false},"author":44,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[31,146,154,172,4,6],"tags":[175,174,158,113,173],"class_list":["post-673","post","type-post","status-publish","format-standard","hentry","category-code","category-hack","category-ipmi-2","category-python","category-security","category-tech","tag-all-that-jazz","tag-avocent","tag-bmc","tag-ipmi","tag-under-the-hood"],"_links":{"self":[{"href":"https:\/\/trouble.org\/index.php?rest_route=\/wp\/v2\/posts\/673","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/trouble.org\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/trouble.org\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/trouble.org\/index.php?rest_route=\/wp\/v2\/users\/44"}],"replies":[{"embeddable":true,"href":"https:\/\/trouble.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=673"}],"version-history":[{"count":25,"href":"https:\/\/trouble.org\/index.php?rest_route=\/wp\/v2\/posts\/673\/revisions"}],"predecessor-version":[{"id":706,"href":"https:\/\/trouble.org\/index.php?rest_route=\/wp\/v2\/posts\/673\/revisions\/
706"}],"wp:attachment":[{"href":"https:\/\/trouble.org\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=673"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/trouble.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=673"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/trouble.org\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=673"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}