Lastly, one might ask "Why would I want to obtain this password?".
JDISKREPORT JAVAW.EXE MISSING PASSWORD
After that, you should be able to log into the telnet console with "admin" and the password you've set. I had to log into the web UI, enable remote console, and (re)set the console password.
My modem's console admin password was not the default "admin", nor the admin password listed on the box. Your situation may be different.Īlso, in case you hadn't figured it out by now, you're going to need telnet console access. Qwest used to be the LEC in my area, and likely the transition hasn't been made to the newer branding in the back-end systems. Linux 2.6.30 ((none)) 05/23/13 _mips_ (2 CPU)ġ4:59:38 PID %usr %system %guest %CPU CPU Commandġ4:59:38 1623 0.00 0.01 0.00 0.01 1 pppd -c ppp0.1 -D 0 -i ptm0.0 -u " -p " AbCDEfgH" -f 0 -k -P " AbCDEfgH" -M 1492Īnd there you have it! In this case, I've altered the password output (shown as AbCDEfgH) to protect my own privacy, but it'll look similarly like jumbled letters and numbers on your command line. And fortunately for us, Actiontec left "pidstat" enabled in busybox, making reading those command line arguments fairly simple with a single command: The "ps" command on these devices has been handicapped to only display 80 columns, leading to output similar to this:ġ623 admin 1144 S pppd -c ppp0.1 -D 0 -i ptm0.0 -u first, when I saw this, I figured it was another dead end, until I realized that "/proc/(pid)/cmdline" displays the command line of any running process. Since the configs contain the encrypted password, we can't directly extract them from there, however fortunately for us, pppd (the service that authenticates and creates the DSL connection) requires the password to either be kept in plain text in a flat config file (not the case here) OR have the password specified on the command line. However, dig a little deeper by trying the undocumented "sh" command, and you'll find that busybox is alive and well on this device, exposing the configs and services that support the router's functions. In addition to this, it would appear to the casual telnet console user that the commonplace busybox shell had been removed or made inaccessible, removing the ability to peer into the embedded linux operating system underneath, and replacing it with a stripped-down properietary shell with limited commands. Nowdays, Actiontec tries to obfuscate/encrypt the password in a config XML, making it just difficult enough for most people to give up on the idea of recovering the password. Back then, Actiontec left the operating system a bit more open, actually placing the PPP credentials in a flat file in /var/tmp/. Some time ago I wrote up a similar procedure to recover a password from an Actiontec M1000 back when Centurylink was known as Qwest (gotta love rebranding).
0 kommentar(er)
