|
Next: S.M.A.R.T. hard drive warning
|
| Author |
Message |
Joined: Jun 19, 2005
Posts: 8
|
(Msg. 16) Posted: Mon Jun 20, 2005 6:28 pm
Post subject: Re: hacking Synology DS-101 - PROGRESS!!! [Login to view extended thread Info.]
|
|
|
| rocka wrote: |
Maybe it would be usefull to start an SSH deamon on the box (if possible somehow), so we could avoid fighting with "SynoPassword:" ...
|
There is no SSH installed as far as I can see from exploring the filesystem via php. I haven't got past the SynoPassword thing either. I think I'll need to do more digging about. I did notice while messing about that the root user has /bin/ash set as the shell whereas the admin user has /bin/sh. Perhaps it's worth trying to create a new user on the system and set it up with the same group and shell as the root user and see if the SynoPassword thing still happens.
Cheers,
WF |
|
| Back to top |
|
 | |
Joined: Jun 19, 2005
Posts: 8
|
(Msg. 17) Posted: Wed Jun 22, 2005 11:13 am
Post subject: Re: hacking Synology DS-101 - PROGRESS!!! [Login to view extended thread Info.]
|
|
|
|
| Okay, I think I've got the root password now - at least it's not coming up Login incorrect. Instead I'm getting that SynoPassword prompt that appears when you try to log in using the Admin account or any other user account.
How annoying. I think I'll just get my Linux box built and use that to do my rsync and SSH stuff - probably quicker!
|
>> Stay informed about: hacking Synology DS-101 |
|
| Back to top |
|
| |
Joined: Jul 01, 2005
Posts: 8
|
(Msg. 18) Posted: Fri Jul 01, 2005 4:45 am
Post subject: Re: hacking Synology DS-101 - PROGRESS!!! [Login to view extended thread Info.]
|
|
|
Just got my DS-101 yesterday - thanks to those of you that have already made progress on getting console access to this little puppy...
Can I suggest using PHPTerm? http://phpterm.sourceforge.net/
Download v3.0, copy the phpterm.php, menu.js and phpterm.css filed to the ds-101's web share, rename phpterm.php to phpterm.php3 and browse to http://{ds-101}/phpterm.php3 Do not enter a username or password, just click ok. And there you should have root console access in your browser. 
Unfortunately running vi seems to break something, and the ds-101 needs to be reset before you can regain access. If anyone has another way of editing files, please shout!
Oh, and does anyone have a copy of the default inetd.conf? In my eagerness I managed to overwrite my backup 
frl >> Stay informed about: hacking Synology DS-101 |
|
| Back to top |
|
| |
Joined: Jul 01, 2005
Posts: 11
|
(Msg. 19) Posted: Fri Jul 01, 2005 5:10 am
Post subject: Re: hacking Synology DS-101 - PROGRESS!!! [Login to view extended thread Info.]
|
|
|
Thanks for the PHPTerminal tip!
I checked out /bin/busybox using 'strings' and it seems to contain the magical 'SynoPassword:' string. Thus, it seems to me that Synology has modified busybox to make the extra password check.
Does anyone have any idea on how to get past this one?
One idea would be to create an unmodified busybox binary, upload it to
the system, make symlink /bin/nopass_sh -> /bin/busybox and change the
shell of the user in /etc/passwd to /bin/nopass_sh.
However, I do not know how to compile an unmodified busybox binary
that would run on DS-101. >> Stay informed about: hacking Synology DS-101 |
|
| Back to top |
|
| |
Joined: Jul 01, 2005
Posts: 11
|
(Msg. 20) Posted: Fri Jul 01, 2005 5:12 am
Post subject: Re: hacking Synology DS-101 - PROGRESS!!! [Login to view extended thread Info.]
|
|
|
|
|
| Back to top |
|
| |
Joined: Jul 01, 2005
Posts: 8
|
(Msg. 21) Posted: Fri Jul 01, 2005 5:43 am
Post subject: Re: hacking Synology DS-101 - PROGRESS!!! [Login to view extended thread Info.]
|
|
|
|
|
| Back to top |
|
| |
Joined: Jul 01, 2005
Posts: 11
|
(Msg. 22) Posted: Fri Jul 01, 2005 5:49 am
Post subject: Re: hacking Synology DS-101 - PROGRESS!!! [Login to view extended thread Info.]
|
|
|
Binaries compiled for Linksys NSLU2 seem to run on DS-101.
I downloaded and extracted busybox from:
http://ipkgfind.nslu2-linux.org/details.php?package=busybox-base
This seems to run on DS-101 without problems.
However, changing the shell of a user to point to this new binary did not help to overcome the "SynoPassword" problem. I believe now that the prompt is presented by telnetd (/usr/sbin/telnetd) which is also provided by busybox.
As the busybox compiled for NSLU2 does not seem to contain telnetd functionality, so far I haven't figured out how to replace telnetd with a non-synology one. An alternative could be to install sshd. >> Stay informed about: hacking Synology DS-101 |
|
| Back to top |
|
| |
Joined: May 09, 2005
Posts: 5
|
(Msg. 23) Posted: Fri Jul 01, 2005 6:45 am
Post subject: Re: hacking Synology DS-101 - PROGRESS!!! [Login to view extended thread Info.]
|
|
|
|
|
| Back to top |
|
| |
Joined: Jul 01, 2005
Posts: 8
|
(Msg. 24) Posted: Fri Jul 01, 2005 6:51 am
Post subject: Re: hacking Synology DS-101 - PROGRESS!!! [Login to view extended thread Info.]
|
|
|
Given the DS-101 is (from what I understand) based on very similar hardware to the NSLU2, jaxe's appraoch of looking at the hack's already done to that box seems sensible.
I've got the dropbear ssh files from here:
http://ipkgfind.nslu2-linux.org/details.php?package=dropbear&official=&format=
onto the DS-101, but there seems to be some dependancy issues when running it, involving libutil.
Promising stuff though. >> Stay informed about: hacking Synology DS-101 |
|
| Back to top |
|
| |
Joined: Jul 01, 2005
Posts: 11
|
(Msg. 25) Posted: Fri Jul 01, 2005 9:59 am
Post subject: Re: hacking Synology DS-101 - PROGRESS!!! [Login to view extended thread Info.]
|
|
|
Dropbear would be sweet. I believe that we are getting very close.
One major item that is missing is a way to recover if the box is unable to reboot due to some mistakes made to configuration. Without that, there is slightly too a high risk involved in experimenting with the box...
With, for example, NSLU2, there seems to be several methods. http://www.nslu2-linux.org/wiki/HowTo/HomePage
Any ideas? >> Stay informed about: hacking Synology DS-101 |
|
| Back to top |
|
| |
Joined: Jul 01, 2005
Posts: 11
|
(Msg. 26) Posted: Fri Jul 01, 2005 10:29 am
Post subject: Re: hacking Synology DS-101 - PROGRESS!!! [Login to view extended thread Info.]
|
|
|
Hmm, "hacking" SynoPassword was too easy. The code to calculate it is right there in the source code distributed by Synology, in source\busybox100p2\loginutils\login.c function ErrSYNOICheckPasswd.
The password changes daily. The code for today is 707-0101
The following program creates a new password for each day:
| Code: |
#include <time.h>
#include <sys/time.h>
int main()
{
struct timeval tvTime;
struct tm tmOutput;
char szPasswd[9];
int i;
gettimeofday(&tvTime, 0);
localtime_r(&(tvTime.tv_sec), &tmOutput);
tmOutput.tm_mon += 1;
szPasswd[8] = 0;
if (tmOutput.tm_mon < 10)
szPasswd[0] = '0' + tmOutput.tm_mon;
else
szPasswd[0] = 'a' + tmOutput.tm_mon - 10;
szPasswd[1] = '0' + tmOutput.tm_mon / 10;
szPasswd[2] = '0' + tmOutput.tm_mon % 10;
szPasswd[3] = '-';
szPasswd[4] = '0' + tmOutput.tm_mday / 16;
if (tmOutput.tm_mday % 16 < 10)
szPasswd[5] = '0' + tmOutput.tm_mday % 16;
else
szPasswd[5] = 'a' + tmOutput.tm_mday % 16 - 10;
for (i = 12; i > 0; i--) {
if (!(tmOutput.tm_mon % i) && !(tmOutput.tm_mday % i)) {
break;
}
}
szPasswd[6] = '0' + i / 10;
szPasswd[7] = '0' + i % 10;
printf("%s\n", szPasswd);
return 0;
}
|
>> Stay informed about: hacking Synology DS-101 |
|
| Back to top |
|
| |
Joined: Jun 19, 2005
Posts: 8
|
(Msg. 27) Posted: Fri Jul 01, 2005 12:24 pm
Post subject: Re: hacking Synology DS-101 - PROGRESS!!! [Login to view extended thread Info.]
|
|
|
Excellent work getting around the SynoPassword. I did start ploughing through the code but you beat me to it! I can successfully log in as root now using the original root password
I've cobbled together a PHP script to do the same. Hopefully I've nailed it together okay but the test will come later in the month I think  Save it with a .php3 extension if you're putting it on the DS-101.
| Code: |
<?php
$synopass = array();
$tmOutput = localtime(time(),'1');
$tmOutput['tm_mon']++;
$synopass[0] = dechex($tmOutput['tm_mon']);
$synopass[1] = floor($tmOutput['tm_mon']/10);
$synopass[2] = $tmOutput['tm_mon'] % 10;
$synopass[3] = '-';
$synopass[4] = floor($tmOutput['tm_mday'] / 16);
$synopass[5] = dechex($tmOutput['tm_mday'] % 16);
for ($i = 12; $i > 0; $i--)
{
if (!($tmOutput['tm_mon'] % $i) && !($tmOutput['tm_mday'] % $i))
{
break;
}
}
$synopass[6] = floor($i/10);
$synopass[7] = $i % 10;
$password = implode("",$synopass);
echo "SynoPassword Today is : $password";
?>
|
(By the way, the { and } are curly brackets)
Now all I need is SSH and rsync - It's looking really promising. I've got two of these things and want to get them synchronising themselves overnight.
>> Stay informed about: hacking Synology DS-101 |
|
| Back to top |
|
| |
Joined: Jul 01, 2005
Posts: 11
|
(Msg. 28) Posted: Fri Jul 01, 2005 2:47 pm
Post subject: Re: hacking Synology DS-101 - PROGRESS!!! [Login to view extended thread Info.]
|
|
|
|
|
| Back to top |
|
| |
Joined: Jun 19, 2005
Posts: 8
|
(Msg. 29) Posted: Fri Jul 01, 2005 3:10 pm
Post subject: Re: hacking Synology DS-101 - PROGRESS!!! [Login to view extended thread Info.]
|
|
|
| jaxe wrote: |
| How do you get the original root password exactly? |
It was an inspired lucky guess. I just tried a few obvious ones and nearly fell off my chair when I got to the SynoPassword prompt!!!
Should it be posted here do you think? What's the implications? Probably none unless someone is running a hacked DS-101 with telnet enabled on a public network.
>> Stay informed about: hacking Synology DS-101 |
|
| Back to top |
|
| |
Joined: Jul 01, 2005
Posts: 11
|
(Msg. 30) Posted: Fri Jul 01, 2005 3:30 pm
Post subject: Re: hacking Synology DS-101 - PROGRESS!!! [Login to view extended thread Info.]
|
|
|
Security by obscurity is never of any value - especially if the password is really that easy to guess.
Just post it here, I'd say. If anyone enables telnetd or sshd, they should be aware that their box is wide open. >> Stay informed about: hacking Synology DS-101 |
|
| Back to top |
|
| |
FAQ
Profile
Private Messages
Log in
