Linux – Canoga-Perkins Password recovery (Brute-forcing via COM port)

Tags: brute force, console, linux, password-recovery, windows

I was recently given a (Canoga-Perkins 9145E-104) Media converter/NID.

The friend that gave it to me works for a local CLEC and gives me all kinds of working free gear from upgrades etc.

I had assumed that the reset button on the unit would reset the administrative password, but it does not. When I called Canoga-Perkins support, they essentially said the unit is like a padlock. It would have to be sent in to them to have the password reset. Of course I didn't listen and popped the top of the unit to see if there was a CMOS battery or a jumper to clear NV-RAM. My efforts were in vain.

I do however have console access via COM-port (username/password locked) and it doesn't seem like there is any restriction for password attempts.

I talked to the friend that gave it to me to ask if he knew what the password might be. He said it was from before they moved to AAA servers and most likely had a simple 4-6 digit alphanumeric password.

So my thought was this:

Use crunch, or another dictionary-creating script to make a dictionary to try. However, I'm not sure how to pipe this to the COM-port in Windows or Linux.
I am open to any solution with any Distro.

Does anyone have any ideas on a way I could accomplish this task?

Edit:

I found a very similar post, for sending commands over serial connections.

Echo/Pipe command output to Serial line

The user AFH gave some suggestions in the comments there. I'll have to do some reading, as I have no idea how to work out what he is describing.

Edit-2: I had some time to mess with this last night. You can pipe right to ttyUSB0 using minicom. I tested it on Ubuntu and Kali Linux, using "crunch 4 4 abcd | sudo minicom".
Because the device prompts for a username & password, I will have to write the dictionary to a file and parse the file, adding an "admin" in between every password attempt. I will also most likely have to figure out how to slow the output down a little bit.
I have a friend who's a professional programmer; he said he can write me a program to parse the file, adding the admin lines. The only thing left after that is to figure out how to read from the modified file and send it over minicom to the NID.

Best Answer

If you are trying this on Ubuntu,

"sudo apt-get install minicom". Use your favorite search engine and follow an online guide to get crunch on your specific version of Ubuntu.

I installed Kali rolling on an old netbook to dedicate it to this task. Its specs are 2x 1.8 GHz hyper-threading cores & 2 GB RAM; you won't require much. If you're not into manually installing packages, I'd recommend you go the Kali Linux path. Kali has everything pre-installed that you need for this. It took me about 20 mins after creating the bootable USB to complete a fresh install.

Find out the com port name - ttyUSBx

You need to connect the USB to Serial adapter and find out which serial port it is logically attached to.

Type in "dmesg | grep USB" at the terminal.

You should see something similar to this:


You may need to "chmod 777 /dev/ttyUSB0" depending on permissions, distro etc. In Kali I didn't have to do this. You will know if you need to do it if you can't save the settings in minicom.

Setup minicom with "minicom -s"

This depends on the serial device, mine was the classic

  • 9600 bps
  • 8 data bits
  • No parity
  • 1 stop bit.

Check your device's manual for its serial settings to connect via console. Make sure to save your config in minicom as default after you exit and confirm it's working.

If your device only prompts for a password, you are in luck. You just need to:

"crunch 5 5 abcdefghijklmnopqrstuvwxyz0123456789 | minicom" Use whatever parameters suit your password needs. If your device needs a username and password, or you find that the output needs to be slowed down some, read on...

Create password list:

Depending on what crunch is installed on, and how you set up your Linux distro initially, you may need to execute it with "sudo ./crunch", "./crunch" or in Kali just "crunch" from the terminal. Create a password list and write it to a file. Example: "crunch 5 5 abcdefghijklmnopqrstuvwxyz0123456789 -o input.txt". Type "man crunch" on the Kali terminal for extended instructions.

If you remember any portion of the password, you can significantly reduce the time it would take to unlock your device. There are specific options for this in crunch. Search online for tutorials on the advanced functions of crunch if you are interested.

So, after you run crunch with whatever options suited your needs, you should now have a dictionary file named input.txt in your root directory.

Adding a username:

add-user.py: Copy the Python script into a new file. For simplicity, name it "add-user.py" and put it in the root directory. Open up a terminal window and "chmod 777 add-user.py". This will give it read/write access and allow you to execute the script. Do a "ls -la"; the script should be green in the list (in Kali and Ubuntu).

You can now execute the script with, "sudo ./add-user.py" or "./add-user.py". Just make sure the input.txt file is in the same directory and you should be good. Running the script on my poor old netbook took about 35 mins with all lowercase alpha-numeric with 5 digits total.

Pipe from new dictionary to minicom using ttyUSB0

This part is pretty easy, "cat w-user-output.txt | minicom"

That's basically it. But a couple of things should be noted. If you are doing a large dictionary, you may want to tinker with how the script prints its output. Starting a count in the "for" loop and printing a line update every 50 loops would speed the script up a bit. Also note that in my case, a blank line was interpreted by minicom as a user hitting enter. This allowed me to modify the script to make three blank lines after each attempt. This slowed the output down a little and ensured that it was synchronized with admin first, password attempt second.

EDIT: The three blank lines didn't work. In between writing this and coming back to check on cracking progress, I found the Canoga-Perkins box user/passwords were being sent out of sync. This is the proper way to slow it down if you need to:

Create a new file in the root directory, name it "slowdown". Edit your file and enter the following.

Do a "chmod +x slowdown" from the terminal.

You can now run "cat w-user-output.txt | ./slowdown | minicom". Adjust the sleep command in the bash script to the fastest you think your device will handle.

I would like to thank Steve, for putting up with my programming related questions while he was many beers into the night, and also for continuing to program it in python even while grumbling about how easy it would be in C#. And also a special thank you to the users "Pimp Juice IT" & "AFH" who both gave me decent suggestions when I was at a roadblock.
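
Added example (not part of the original answer): the question notes that the console has no restriction on password attempts, and this Python model shows how much that matters by computing the minimum time to walk the whole keyspace at the answer's 9600 8N1 settings, with and without a failed-login lockout. The "admin" username, 36-character set and line settings come from the post; the lockout policy (5 failures, 60 seconds) is a hypothetical value chosen for comparison.

```python
# Added example: lower bound on the time needed to walk a console password
# keyspace over a serial line, with and without a failed-login lockout.
# Line settings and the "admin" username come from the post; the lockout
# policy values are hypothetical.

DAY = 86400
YEAR = 365 * DAY

def keyspace(charset_size, min_len, max_len):
    """Number of candidate passwords of length min_len..max_len."""
    return sum(charset_size ** n for n in range(min_len, max_len + 1))

def chars_per_second(baud, data_bits=8, parity=False, stop_bits=1):
    """Async serial sends 1 start bit + data + optional parity + stop bits."""
    frame_bits = 1 + data_bits + (1 if parity else 0) + stop_bits
    return baud / frame_bits

def exhaust_seconds(charset_size, min_len, max_len, username, baud,
                    lockout_after=0, lockout_seconds=0.0):
    """Wire time only: ignores prompt latency and any pacing delay."""
    cps = chars_per_second(baud)
    total, attempts = 0.0, 0
    for n in range(min_len, max_len + 1):
        count = charset_size ** n
        # Each attempt is: username + Enter, then password + Enter.
        total += count * (len(username) + 1 + n + 1) / cps
        attempts += count
    if lockout_after:
        # Every lockout_after failures costs one lockout period.
        total += (attempts // lockout_after) * lockout_seconds
    return total

if __name__ == "__main__":
    unlimited = exhaust_seconds(36, 5, 5, "admin", 9600)
    limited = exhaust_seconds(36, 5, 5, "admin", 9600,
                              lockout_after=5, lockout_seconds=60)
    print(f"candidates (5 chars, a-z0-9): {keyspace(36, 5, 5):,}")
    print(f"no attempt limit:  {unlimited / DAY:.1f} days")
    print(f"5 tries then 60 s: {limited / YEAR:.1f} years")
```

The first figure is a floor set by the line rate alone; any delay added to keep the prompts in sync only lengthens it.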
