KAON CG3000 Telnet SU #68

Open
thegatodt opened this issue Aug 31, 2024 · 8 comments

Comments

@thegatodt

I have a kaonmedia CG3000 modem with Telnet access, but I need the SU password.
I was able to upload a firmware image here.
Could someone please help me?

@thegatodt
Author

I managed to decompress the firmware and found the hash password.

root:$1$53kXe8YH$8EY.pBJPCxLokumE/Z7gY0:0:0:root:/root:/bin/sh

Any recommended tools for brute force?

@Anonymous941

Hashcat or John the Ripper should work; try wordlist mode and then incremental mode. You can also check if they have a Samba hash (i.e. if they ever used Samba to transfer things); those are way easier to crack.

@thegatodt
Author

I managed to crack the password with hashcat 'Broadcom.' However, when I try to access via telnet and use the SU command, it tells me it's incorrect. Any idea where to go from here? I have physical access to the modem.

@jclehner
Owner

Which console are you logging into? CM or RG?

@thegatodt
Author

The modem has the default Factory Key "password" so I can enable Telnet through SNMP.
I connect via Telnet to 192.168.100.1.

@arrobazo

> I managed to crack the password with hashcat 'Broadcom.' However, when I try to access via telnet and use the SU command, it tells me it's incorrect. Any idea where to go from here? I have physical access to the modem.

That hash is the default for the RG side; the SU password you refer to is for the CM "eCoS" side. Anyway, you can find the SU password via the RG side by connecting via UART, or if you are in a CM-litte shell you can move to RG's switchCpuConsole (password: Broadcom). Also, the SU password is probably brcm, and that way you can have a FAT shell.

@thegatodt
Author

> That hash is the default for the RG side; the SU password you refer to is for the CM "eCoS" side. Anyway, you can find the SU password via the RG side by connecting via UART, or if you are in a CM-litte shell you can move to RG's switchCpuConsole (password: Broadcom). Also, the SU password is probably brcm, and that way you can have a FAT shell.

I logged into the RG console with the credentials, but I don’t know where to look for the CM console SU password. The only password I find in cat /etc/passwd is the one I already had before.
brcm didn't work for me.

@arrobazo

If you are already on the RG side, you might be able to read the /dev/ ram. Look for this string: "Proceed with caution!". A few bytes before, your SU password should appear.
