Shell access to your ix2/ix4 exposed! “Get yer red hot ssh here!”
So, I promised you guys in Iomega ix4-200d data reconstruction, ssh and more! that I would expose the password to login to the ix2 and ix4 as soon as I could. Well, your wait is finally over!
Let’s start as you normally would, by logging into the support console!
http://192.168.1.1/support.html
Whoa, what’s that I highlighted there and even tossed in an arrow?! Can I MAKE it any more straight forward? Psst.. Click on Support Files :)
Ooh, what’s that little guy down there? Dump? Yea, I didn’t even notice this before (because I had shell access myself ;)) but this is for your benefit!
The system will go through "Gathering system state…"
Why yes, I did go mad with clicking colors and arrows in the win7 version of MSPaint.. Okay, but I digress. :)
Click that bad boy, which will include dump data about your system! Download it, and open it!
Drill down into the dump –> config –> etc –> and open up the file named “shadow” (dump-20100107225620.tar.gz\dump-20100107225620\config\etc)
Find your shadow File in there, and lo and behold, you will have your Iomega root users hash! Now it’s just a matter of cracking it!
It is beyond the scope of this article to tell you how to actually crack the pwd.. (giggle) go here, download john the ripper and you’ll do just fine :)
Taking my seed from my system and running it through a simple alphanumeric search, I come up with username root, password soho! That was easy! That works if you have NO Password set!
Through a collaborative effort with @randyjcress @Kiwi_Si @VirtualisedReal and @gabvirtualworld we were able to determine that by using soho and whatever password you use on the system, that should do it! And really, the credit does primarily go to @randyjcress for leading us in that specific direction so props randy! :)
ie: admin pwd is apples, so login using sohoapples – This is still undergoing verification, but I thought I’d share it out there, while we sort it out!
Disclaimer: The means to perform all of these tasks has been replicated and verified in the wild without requiring any intimate knowledge of the inner workings of the system.
Matt Cowger
I tried all possible combinations (using john) up to 8 chars, so I can guarantee its > 8 chars.