From de03d2c4ccd8abf0794f9b4360a9996aadf16ef3 Mon Sep 17 00:00:00 2001
From: naksper <61098366+naksper@users.noreply.github.com>
Date: Sun, 12 Mar 2023 23:45:40 +0100
Subject: [PATCH] Update research-security.md

---
 en/research-security.md | 126 +++-------------------------------------
 1 file changed, 7 insertions(+), 119 deletions(-)

diff --git a/en/research-security.md b/en/research-security.md
index 7532b04..51fc0d7 100644
--- a/en/research-security.md
+++ b/en/research-security.md
@@ -1,121 +1,8 @@
-# OpenIPC Wiki
-[Table of Content](../index.md)
 
-Access to SSH, telnet, FTP and other services
----------------------------------------------
-
-Very often stock firmware provides access to its operating system but the
-access is closed with an undisclosed password. We can recover a cryptographic
-hash of that password while extracting a copy of the firmware image.
-
-### Password hash
-
-```
-$1$bh2njiGH$4duacOMcXDh6myANzbZTf.
-```
-The hashed salt password string consists of three parts: hashing algorithm
-identifier, salt and password hash, each of which is preceded by a dollar sign.
-The first part, `$1`, is the hashing algorithm encoded with one (rarely two)
-characters. It denotes the cryptographic method used to generate the hash:
-
-- `$1` - MD5 algorithm.
-- `$2` - Blowfish algorithm.
-- `$2a` - eksblowfish algorithm
-- `$5` - SHA-256 algorithm
-- `$6` - SHA-512 algorithm
-
-The second part, `$bh2njiGH`, is a salt - a character string added to the
-plaintext password before hashing it in order to randomize the resulting hashes
-for the same password and prevent [rainbow table][1] attacks.
-
-The last part, `$4duacOMcXDh6myANzbZTf.`, is the hash. When you enter a
-password, it is concatinated with the provided salt then hashed using the
-provided hashing algorithm and the result is compared to the hash.
-Same password, salt and hashing method will always produce the same result.
-
-Hashing algorithms are one-way encryption methods meaning the hash cannot be
-decrypted back to a plaintext password, but it is possible to perform hashing
-of available variants of plaintext passwords until the match is found.
-This method is called the [brute-force attack][2].
-
-IP cameras tend to utilize a relatively simple and fast MD5 hashing algorithm
-so using a password-breaking software and powerful computing resources the
-original plaintext password can be picked in a matter of weeks or days, if not
-hours, especially using high-quality dictionaries.
-
-In the example above we used password "openipc". You can check the validity of
-the password using either `mkpasswd` or `openssl`:
-```
-$ mkpasswd -m md5crypt -S bh2njiGH openipc
-$1$bh2njiGH$4duacOMcXDh6myANzbZTf.
-$ openssl passwd -1 -salt bh2njiGH openipc
-$1$bh2njiGH$4duacOMcXDh6myANzbZTf.
-```
-
-When the password is found, it is wise to share it publicly, so that other
-researchers in the field could dedicate their cryptographic resources to
-discover even more yet unknown passwords. Sharing is caring, boys!
-
-### Some passwords that we found in different firmware
-```
-| Hash                                  | Plain text |
-|---------------------------------------|------------|
-| $1$MoCJ1nRA$NfsI1wlYcWoF5MbU4t3Og0    | ivdev      |
-| $1$ZebZnWdY$QZ1Aa.7hwBshCS5k40MUE1    | xc12345    |
-| $1$d3VPdE0x$Ztn09cyReJy5Pyn           | runtop10   |
-| $1$qFa2kfke$vJob19l64Q6n8FvP8/kvJ0    | wabjtam    |
-| $1$rHWQwR5V$i4FVDvwhuzau8msvAfHEt.    | 2601hx     |
-| $1$tiaLlxGM$byeTUfQgqyET5asfwwNjg0    | hichiphx   |
-| $1$0Me7S3z5$.uQ4Pr/QjJQ/0JUZI0w4m.    |            |
-| $1$4dAkkeWK$HCy0K1z8E.wAuwgLV8bWd/    |            |
-| $1$7bfnUEjV$3ogadpYTDXtJPV4ubVaGq1    |            |
-| $1$7BqzlCqK$nQXIfc53c1ACEwzNg7G3D.    |            |
-| $1$cNGGWwI/$5/mZTMlcVfJlpE5DGrdsl/    |            |
-| $1$FMNq4QIj$lJg6WzZxy1HWl3sL.YwIq1    |            |
-| $1$IZfqary9$IrG6loat5pDTBLr6ksKTD0    |            |
-| $1$ocmTTAhE$v.q2/jwr4BS.20KYshYQZ1    |            |
-| $1$OIKWDzOV$WjZNcNtHSKVscbi9WQcpu/    |            |
-| $1$rnjbbPTD$tR9oAIWgUp/jRrhjDuUwp0    |            |
-| $1$RYIwEiRA$d5iRRVQ5ZeRTrJwGjRy.B0    |            |
-| $1$uF5XC.Im$8k0Gkw4wYaZkNzuOuySIx/    |            |
-| $1$vN9F.lHa$E09mbCRo70834AUfkytpX     |            |
-| $1$wbAnPk8f$yz0PI9vnyLRmWbENUnce3/    |            |
-| $1$ybdHbPDn$ii9aEIFNiolBbM9QxW9mr0    |            |
-| $1$yq01TaSp$lkN/azu3IxE97owy27pve.    |            |
-| $1$yFuJ6yns$33Bk0I91Ji0QMujkR/DPi1    |            |
-| $1$yi$FS7W5j1RJmbRHDe0El/zX/          |            |
-| $1$yi$MiivC6pLdwS0zp0pa0cUq1          | qw1234qw   |
-| $Dg.cUjtWGTIVkuFS0ZYbN1               | fx1805     |
-| $enWsv2cbxPCrd0WeXUXtX0               | nobody     |
-| $qZV4X6DTqMHUDIyZG.8PH.               |            |
-| $z2VkRbfNoE/xHLBj8i2cv.               | ftp        |
-| 7wtxBdUGBnuoY                         | runtop10   |
-| 9B60FC59706134759DBCAEA58CAF9068      | Fireitup   |
-| LHjQopX4yjf1Q                         | ls123      |
-| ab8nBoH3mb8.g                         | helpme     |
-| absxcfbgXtb3o                         | xc3511     |
-| xt5USRjG7rEDE                         | j1/_7sxw   |
-| $1$EmcmB/9a$UrsXTlmYL/6eZ9A2ST2Yl/    |            |
-
-```
-
-### Software
-
-- [Hashcat](https://hashcat.net/)
-- [John The Ripper](https://www.openwall.com/john/)
-- [Hydra](https://github.com/vanhauser-thc/thc-hydra)
-
-
-[1]: https://en.wikipedia.org/wiki/Rainbow_table
-[2]: https://en.wikipedia.org/wiki/Brute-force_attack
-
-
-
-
-Altenative way to get access to full working system
+Alternative way to get access to full working system.
 ---------------------------------------------------
 
-You will not have origilnal root pass but you will be able get into :)
+You will not have original root pass but you will be able get into :)
 
 ### Limited shell access
 TESTED on GOKE SOC. over the UART interface it is possible to get into a limited shell, but this shell does not load full working system.
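Review bot: the removal of the entire "Access to SSH, telnet, FTP and other services" section (the crypt hash format explanation, the `mkpasswd`/`openssl passwd` verification commands, the hash/plaintext table and the Hashcat, John and Hydra links) together with the page's `# OpenIPC Wiki` heading and `[Table of Content](../index.md)` link is not explained anywhere; the commit message says only "Update research-security.md". If this material moved to another page, link it from here; if it did not, this reads as an accidental deletion and leaves the page with no top-level heading and no navigation link back to the index. Two smaller points in the same hunk: the retained setext heading now ends with a period ("Alternative way to get access to full working system.") while the other headings on this page do not, and the sentence under it still reads "you will be able get into" (missing "to").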
@@ -129,7 +16,7 @@ Once we are in limited shell it is need to mount ROM filesystem:
 mount -t jffs2 /dev/mtdblock3 /rom
 ```
 
-Also wil be great to mount sd card to copy some files:
+Also will be great to mount sd card to copy some files:
 ```
 mount
 mount -a
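Review bot: the typo fix on "Also will be great to mount sd card" still leaves the sentence ungrammatical; suggest "It is also useful to mount the SD card so files can be copied off the device:". The block that follows lists `mount` and `mount -a` without saying what the reader should see, and the line `mount /dev/mmcblk0p1 on /mnt/s0` visible in the next hunk header has the form of `mount` output rather than a command; it should be marked as expected output or replaced with the command that was actually typed.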
@@ -137,7 +24,7 @@ mount /dev/mmcblk0p1 on /mnt/s0
 ```
 
 ### Modifying the file system
-on /rom filesystem you can edit the /room/etc/passwd file but once the device restarts it will be set to default, this happends because there is a guide bin file writing to passwd file on each start, so we need to modify this executable.
+on /rom filesystem you can edit the /room/etc/passwd file but once the device restarts it will be set to default, this happens because there is a guide bin file writing to passwd file on each start, so we need to modify this executable.
 
 copy system.dat to sd card
 ```
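Review bot: the same line still carries two other defects that this typo fix should pick up: `/room/etc/passwd` is presumably `/rom/etc/passwd` (the filesystem mounted at /rom in the previous hunk), and "a guide bin file" does not identify the binary, which matters because the next hunk only says "find guide file". Suggest splitting the run-on and starting it with a capital: "On the /rom filesystem you can edit /rom/etc/passwd, but the change is lost on restart because a binary rewrites /etc/passwd on every boot, so that executable must be modified."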
@@ -152,7 +39,7 @@ cd squashfs-temp
 unsquashfs system.dat
 ```
 
-find guide file and hexedit to modify where "/etc/passwd" is writen and change one leter, for example "/etc/passwT". This file will be created on start instead of passwd replaced.
+find guide file and hexedit to modify where "/etc/passwd" is written and change one letter, for example "/etc/passwT". This file will be created on start instead of passwd replaced.
 
 re squash the file system:
 ```
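Review bot: the corrected sentence should also say why the replacement path must be the same length: overwriting "/etc/passwd" with "/etc/passwT" in a hex editor keeps the string and every offset in the binary unchanged, whereas inserting or deleting bytes would corrupt the executable. The closing sentence "This file will be created on start instead of passwd replaced." is still hard to read; suggest "After this change the binary writes /etc/passwT at boot and leaves /etc/passwd alone." It would also help to state that the binary is edited inside the `squashfs-root` directory produced by `unsquashfs system.dat`, since that is the tree the `mksquashfs ./squashfs-root` command in the next hunk repacks.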
@@ -161,5 +48,6 @@ mksquashfs ./squashfs-root ./file -comp xz -no-xattrs -noappend -no-exports -all
 
 and copy back from sd card to /rom directory on goke soc.
 
-now you can edit /rom/etc/passwd with your own pass, and whe you restart the device you will have full working system with your own pass.
+now you can edit /rom/etc/passwd with your own pass, and when you restart the device you will have full working system with your own pass.
+
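Review bot: with the hash section deleted in the first hunk, this final step no longer tells the reader how to produce the password field to put in /rom/etc/passwd; keep at least the one-liner `openssl passwd -1 -salt <salt> <password>` (or `mkpasswd -m md5crypt`) here, with a note that the result replaces the second field of the root entry. The added trailing blank line at end of file is unrelated whitespace noise and can be dropped from this change.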