
KAON CG3000 Telnet SU

Open thegatodt opened this issue 1 year ago • 8 comments

I have a kaonmedia CG3000 modem with Telnet access, but I need the SU password. I was able to upload a firmware image here. Could someone please help me?

thegatodt avatar Aug 31 '24 02:08 thegatodt

I managed to decompress the firmware and found the hash password.

root:$1$53kXe8YH$8EY.pBJPCxLokumE/Z7gY0:0:0:root:/root:/bin/sh

Any recommended tools for brute force?

thegatodt avatar Sep 02 '24 15:09 thegatodt

Hashcat or John the Ripper should work; try wordlist mode and then incremental mode. You can also check if they have a Samba hash (i.e. if they ever used Samba to transfer things); those are way easier to crack.

Anonymous941 avatar Sep 02 '24 18:09 Anonymous941
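The entry quoted above uses the `$1$` (md5crypt) scheme, which is why a wordlist attack finishes quickly. The following is an added example, not code from this thread or from the bcm2-utils project: a small audit script a firmware reviewer can run over `/etc/passwd` lines extracted from an image to flag legacy hash algorithms, empty password fields, and UID 0 accounts with an interactive shell. The first sample line is the entry from the thread; the remaining sample lines, the `admin` and `service` accounts and their field values, are constructed for illustration.

```python
"""Audit /etc/passwd-style entries extracted from a firmware image.

Added example (not from the bcm2-utils project). Flags:
  * password hashes using fast legacy schemes (DES, md5crypt "$1$")
  * empty password fields (login without a password)
  * UID 0 accounts that keep an interactive shell
"""
import re
from dataclasses import dataclass, field

# crypt(3) prefix -> (scheme name, considered weak). md5crypt and
# traditional DES are cheap to brute-force; the others are slower KDFs.
SCHEMES = {
    "$1$": ("md5crypt", True),
    "$2a$": ("bcrypt", False),
    "$2b$": ("bcrypt", False),
    "$2y$": ("bcrypt", False),
    "$5$": ("sha256crypt", False),
    "$6$": ("sha512crypt", False),
    "$7$": ("scrypt", False),
    "$y$": ("yescrypt", False),
}
LOCKED_FIELDS = {"*", "!", "!!"}
NOLOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin", "/bin/nologin"}


@dataclass
class Finding:
    user: str
    scheme: str
    issues: list = field(default_factory=list)


def classify_hash(pw_field):
    """Return (scheme name, weak) for the password field of one entry."""
    if pw_field == "":
        return "empty", True              # no password at all
    if pw_field == "x":
        return "shadowed", False          # real hash lives in /etc/shadow
    if pw_field in LOCKED_FIELDS:
        return "locked", False
    for prefix, (name, weak) in SCHEMES.items():
        if pw_field.startswith(prefix):
            return name, weak
    if re.fullmatch(r"[./0-9A-Za-z]{13}", pw_field):
        return "des", True                # 13-char traditional DES crypt
    return "unknown", True                # unrecognised: needs manual review


def audit_passwd(text):
    """Parse passwd lines and return a Finding per account with issues."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append(Finding(f"<line {lineno}>", "malformed",
                                    ["expected 7 colon-separated fields"]))
            continue
        user, pw, uid, _gid, _gecos, _home, shell = fields
        scheme, weak = classify_hash(pw)
        issues = []
        if scheme == "empty":
            issues.append("empty password field: account can log in without a password")
        elif weak:
            issues.append(f"password hashed with {scheme}, which is fast to brute-force")
        if uid == "0" and shell not in NOLOGIN_SHELLS:
            issues.append(f"UID 0 account with interactive shell {shell}")
        if issues:
            findings.append(Finding(user, scheme, issues))
    return findings


# Sample input: line 1 is the entry quoted in the thread; the rest are constructed.
SAMPLE_PASSWD = """\
root:$1$53kXe8YH$8EY.pBJPCxLokumE/Z7gY0:0:0:root:/root:/bin/sh
admin:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASHVALUE:0:0:admin:/root:/bin/sh
service::1000:1000:service:/var:/bin/sh
daemon:*:1:1:daemon:/usr/sbin:/bin/false
nobody:x:65534:65534:nobody:/nonexistent:/sbin/nologin
"""

if __name__ == "__main__":
    for f in audit_passwd(SAMPLE_PASSWD):
        print(f"{f.user} ({f.scheme}):")
        for issue in f.issues:
            print(f"  - {issue}")
```

Run against a real image, the script would be pointed at the `etc/passwd` (and, if present, `etc/shadow`) extracted from the firmware; anything reported as `md5crypt`, `des`, `empty` or a second UID 0 account is what a hardening review would ask the vendor to change.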

I managed to crack the password with hashcat 'Broadcom.' However, when I try to access via telnet and use the SU command, it tells me it's incorrect. Any idea where to go from here? I have physical access to the modem.

thegatodt avatar Sep 05 '24 22:09 thegatodt

Which console are you logging into? CM or RG?

jclehner avatar Sep 10 '24 08:09 jclehner

The modem has the default Factory Key "password" so I can enable Telnet through SNMP. I connect via Telnet to 192.168.100.1

thegatodt avatar Sep 10 '24 13:09 thegatodt

> I managed to crack the password with hashcat 'Broadcom.' However, when I try to access via telnet and use the SU command, it tells me it's incorrect. Any idea where to go from here? I have physical access to the modem.

That hash is the default for the RG side; the SU password you refer to is for the CM "eCoS" side. Anyway, you can find the SU password via the RG side by connecting via UART, or if you are in a CM-lite shell you can move to the RG's switchCpuConsole (password: Broadcom). Also, the SU password is probably brcm, and that way you can have a FAT shell.

arrobazo avatar Sep 10 '24 20:09 arrobazo

> That hash is the default for the RG side; the SU password you refer to is for the CM "eCoS" side. Anyway, you can find the SU password via the RG side by connecting via UART, or if you are in a CM-lite shell you can move to the RG's switchCpuConsole (password: Broadcom). Also, the SU password is probably brcm, and that way you can have a FAT shell.

I logged into the RG console with the credentials, but I don't know where to look for the CM console SU password. The only password I find in cat /etc/passwd is the one I already had before. brcm didn't work for me.

thegatodt avatar Sep 11 '24 21:09 thegatodt

If you are already on the RG side, you might be able to read the /dev/ ram. Look for this string: "Proceed with caution!" A few bytes before it, your SU password should appear.

arrobazo avatar Sep 11 '24 21:09 arrobazo