Update research-security.md

2023-03-12 23:47:27 +01:00 · 2023-03-12 23:47:27 +01:00 · 1ca5822c42
parent de03d2c4cc
commit 1ca5822c42
1 changed files with 112 additions and 0 deletions
--- a/en/research-security.md
+++ b/en/research-security.md
@ -1,3 +1,115 @@
+# OpenIPC Wiki
+[Table of Content](../index.md)
+
+Access to SSH, telnet, FTP and other services
+---------------------------------------------
+
+Very often stock firmware provides access to its operating system but the
+access is closed with an undisclosed password. We can recover a cryptographic
+hash of that password while extracting a copy of the firmware image.
+
+### Password hash
+
+```
+$1$bh2njiGH$4duacOMcXDh6myANzbZTf.
+```
+The hashed salt password string consists of three parts: hashing algorithm
+identifier, salt and password hash, each of which is preceded by a dollar sign.
+The first part, `$1`, is the hashing algorithm encoded with one (rarely two)
+characters. It denotes the cryptographic method used to generate the hash:
+
+- `$1` - MD5 algorithm.
+- `$2` - Blowfish algorithm.
+- `$2a` - eksblowfish algorithm
+- `$5` - SHA-256 algorithm
+- `$6` - SHA-512 algorithm
+
+The second part, `$bh2njiGH`, is a salt - a character string added to the
+plaintext password before hashing it in order to randomize the resulting hashes
+for the same password and prevent [rainbow table][1] attacks.
+
+The last part, `$4duacOMcXDh6myANzbZTf.`, is the hash. When you enter a
+password, it is concatinated with the provided salt then hashed using the
+provided hashing algorithm and the result is compared to the hash.
+Same password, salt and hashing method will always produce the same result.
+
+Hashing algorithms are one-way encryption methods meaning the hash cannot be
+decrypted back to a plaintext password, but it is possible to perform hashing
+of available variants of plaintext passwords until the match is found.
+This method is called the [brute-force attack][2].
+
+IP cameras tend to utilize a relatively simple and fast MD5 hashing algorithm
+so using a password-breaking software and powerful computing resources the
+original plaintext password can be picked in a matter of weeks or days, if not
+hours, especially using high-quality dictionaries.
+
+In the example above we used password "openipc". You can check the validity of
+the password using either `mkpasswd` or `openssl`:
+```
+$ mkpasswd -m md5crypt -S bh2njiGH openipc
+$1$bh2njiGH$4duacOMcXDh6myANzbZTf.
+$ openssl passwd -1 -salt bh2njiGH openipc
+$1$bh2njiGH$4duacOMcXDh6myANzbZTf.
+```
+
+When the password is found, it is wise to share it publicly, so that other
+researchers in the field could dedicate their cryptographic resources to
+discover even more yet unknown passwords. Sharing is caring, boys!
+
+### Some passwords that we found in different firmware
+```
+| Hash                                  | Plain text |
+|---------------------------------------|------------|
+| $1$MoCJ1nRA$NfsI1wlYcWoF5MbU4t3Og0    | ivdev      |
+| $1$ZebZnWdY$QZ1Aa.7hwBshCS5k40MUE1    | xc12345    |
+| $1$d3VPdE0x$Ztn09cyReJy5Pyn           | runtop10   |
+| $1$qFa2kfke$vJob19l64Q6n8FvP8/kvJ0    | wabjtam    |
+| $1$rHWQwR5V$i4FVDvwhuzau8msvAfHEt.    | 2601hx     |
+| $1$tiaLlxGM$byeTUfQgqyET5asfwwNjg0    | hichiphx   |
+| $1$0Me7S3z5$.uQ4Pr/QjJQ/0JUZI0w4m.    |            |
+| $1$4dAkkeWK$HCy0K1z8E.wAuwgLV8bWd/    |            |
+| $1$7bfnUEjV$3ogadpYTDXtJPV4ubVaGq1    |            |
+| $1$7BqzlCqK$nQXIfc53c1ACEwzNg7G3D.    |            |
+| $1$cNGGWwI/$5/mZTMlcVfJlpE5DGrdsl/    |            |
+| $1$FMNq4QIj$lJg6WzZxy1HWl3sL.YwIq1    |            |
+| $1$IZfqary9$IrG6loat5pDTBLr6ksKTD0    |            |
+| $1$ocmTTAhE$v.q2/jwr4BS.20KYshYQZ1    |            |
+| $1$OIKWDzOV$WjZNcNtHSKVscbi9WQcpu/    |            |
+| $1$rnjbbPTD$tR9oAIWgUp/jRrhjDuUwp0    |            |
+| $1$RYIwEiRA$d5iRRVQ5ZeRTrJwGjRy.B0    |            |
+| $1$uF5XC.Im$8k0Gkw4wYaZkNzuOuySIx/    |            |
+| $1$vN9F.lHa$E09mbCRo70834AUfkytpX     |            |
+| $1$wbAnPk8f$yz0PI9vnyLRmWbENUnce3/    |            |
+| $1$ybdHbPDn$ii9aEIFNiolBbM9QxW9mr0    |            |
+| $1$yq01TaSp$lkN/azu3IxE97owy27pve.    |            |
+| $1$yFuJ6yns$33Bk0I91Ji0QMujkR/DPi1    |            |
+| $1$yi$FS7W5j1RJmbRHDe0El/zX/          |            |
+| $1$yi$MiivC6pLdwS0zp0pa0cUq1          | qw1234qw   |
+| $Dg.cUjtWGTIVkuFS0ZYbN1               | fx1805     |
+| $enWsv2cbxPCrd0WeXUXtX0               | nobody     |
+| $qZV4X6DTqMHUDIyZG.8PH.               |            |
+| $z2VkRbfNoE/xHLBj8i2cv.               | ftp        |
+| 7wtxBdUGBnuoY                         | runtop10   |
+| 9B60FC59706134759DBCAEA58CAF9068      | Fireitup   |
+| LHjQopX4yjf1Q                         | ls123      |
+| ab8nBoH3mb8.g                         | helpme     |
+| absxcfbgXtb3o                         | xc3511     |
+| xt5USRjG7rEDE                         | j1/_7sxw   |
+| $1$EmcmB/9a$UrsXTlmYL/6eZ9A2ST2Yl/    |            |
+
+```
+
+### Software
+
+- [Hashcat](https://hashcat.net/)
+- [John The Ripper](https://www.openwall.com/john/)
+- [Hydra](https://github.com/vanhauser-thc/thc-hydra)
+
+
+[1]: https://en.wikipedia.org/wiki/Rainbow_table
+[2]: https://en.wikipedia.org/wiki/Brute-force_attack
+
+

 Alternative way to get access to full working system.
 ---------------------------------------------------