

TP-LINK新固件SSH密码几乎无解


洛手头上有一台R473G V3,想折腾一下
查了下N3发现SSH密码通过MAC就可以算(旧脚本是把MAC去掉分隔符后做MD5,取前16位十六进制作为密码)
然后算半天密码不对
然后就想着去解更新包看看
一看不知道,TP-LINK更新了SSH密码计算方式



固件来源:TP-LINK
解包工具:https://zhiwanyuzhou.com/
文件位置:/etc/init.d/dropbear



这是原来的:
#!/bin/sh /etc/rc.common
# Copyright (C) 2006-2010 OpenWrt.org
# Copyright (C) 2006 Carlos Sobrinho

# rc.common start/stop ordering for this service.
START=50
STOP=50

# Presumably tells rc.common's service_start/service_stop to track the
# daemon through a pid file (see SERVICE_PID_FILE in dropbear_start/stop).
SERVICE_USE_PID=1

NAME=dropbear
PROG=/usr/sbin/dropbear
# Incremented per started instance so each gets its own pid file.
PIDCOUNT=0
EXTRA_COMMANDS="killclients"
EXTRA_HELP="        killclients Kill ${NAME} processes except servers and yourself"

getNewPasswd()
{
        # Derive the login password from the device MAC address: read the MAC
        # from the tddpServer ubus object (dashes stripped), md5sum it and keep
        # the first 16 hex digits. Prints the password on stdout.
        # NOTE(review): the MAC is visible to every host on the LAN and is
        # printed on the label, so anyone nearby can recompute this password.
        . /lib/functions.sh
        local mac
        mac=$(ubus call tddpServer getInfo '{"infoMask":1,"sep":"-"}' | sed 's/-//g' | jsonfilter -e '@.mac')
        echo "macAddr from tddp config is $mac" > /dev/console

        # md5sum prints "<32 hex>  -"; the password is the leading 16 hex digits.
        local digest
        digest=$(echo -n "$mac" | md5sum)
        digest=$(echo ${digest:0:16})
        #echo "key is $digest" > /dev/console

        echo ${digest}
}

setNewPasswd()
{
        # Set the password of the user running this script (root when run
        # from init) to the value produced by getNewPasswd. The value is fed
        # to passwd twice (new password + confirmation) with a short pause
        # between them so passwd has time to prompt.
        local pw
        pw=$(getNewPasswd)
        #echo "newPasswd is $pw" > /dev/console
        {
                echo "$pw"
                sleep 1
                echo "$pw"
        } | passwd > /dev/null
}

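setDefaultPasswd()
{
        # Restore the factory password database from the read-only image so the
        # hash baked into /rom/etc/passwd is in effect again.
        # The file runs under "#!/bin/sh"; "&> /dev/null" is a bash/ash
        # extension that a strict POSIX sh parses as "cp ... &" followed by
        # "> /dev/null", which would background the copy and race whatever
        # reads /etc/passwd next. Use the portable redirection instead.
        cp /rom/etc/passwd /etc/passwd > /dev/null 2>&1
}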

dropbear_start()
{
        # Start one dropbear instance for the UCI "dropbear" section named in $1.
        # Builds the argument list from the section's options and hands it to
        # service_start with a per-instance pid file.

        # Append "-p <port>" (interface absent from /proc/net/dev) or one
        # "-p <addr>:<port>" per address of the interface to the caller's
        # "args" variable.
        append_ports()
        {
                local ifname="$1"
                local port="$2"

                grep -qs "^ *$ifname:" /proc/net/dev || {
                        append args "-p $port"
                        return
                }

                # Pull the "addr:" values out of ifconfig, skipping fe80::/10
                # link-local IPv6 addresses.
                for addr in $(
                        ifconfig "$ifname" | sed -ne '
                                /addr: *fe[89ab][0-9a-f]:/d
                                s/.* addr: *\([0-9a-f:\.]*\).*/\1/p
                        '
                ); do
                        append args "-p $addr:$port"
                done
        }


        local section="$1"

        # Customized kill switch
        # Vendor addition: unless ssh_port_switch=1 in the section, restore the
        # factory /etc/passwd and skip starting dropbear (returns 0, so the
        # service still reports success).
        config_get_bool ssh_port_switch "${section}" ssh_port_switch 0
        echo "ssh_port_switch is $ssh_port_switch" > /dev/console
        if [ "$ssh_port_switch" != "1" ]; then
                echo "set default passwd" > /dev/console
                setDefaultPasswd
                return 0
        fi

        # check if section is enabled (default)
        local enabled
        config_get_bool enabled "${section}" enable 1
        [ "${enabled}" -eq 0 ] && return 1

        # Vendor addition: the MAC-derived password is re-applied on every
        # start, so a password changed by hand does not survive a restart.
        setNewPasswd

        # verbose parameter
        local verbosed
        config_get_bool verbosed "${section}" verbose 0

        # increase pid file count to handle multiple instances correctly
        PIDCOUNT="$(( ${PIDCOUNT} + 1))"

        # prepare parameters (initialise with pid file)
        local pid_file="/var/run/${NAME}.${PIDCOUNT}.pid"
        local args="-P $pid_file"
        local val
        # A) password authentication (default on; -s only when PasswordAuth=0)
        config_get_bool val "${section}" PasswordAuth 1
        [ "${val}" -eq 0 ] && append args "-s"
        # B) listen interface and port
        local port
        local interface
        config_get interface "${section}" Interface
        config_get interface "${interface}" ifname "$interface"
        config_get port "${section}" Port 22
        append_ports "$interface" "$port"
        # C) banner file
        config_get val "${section}" BannerFile
        [ -f "${val}" ] && append args "-b ${val}"
        # D) gatewayports (default off)
        config_get_bool val "${section}" GatewayPorts 0
        [ "${val}" -eq 1 ] && append args "-a"
        # E) root password authentication (default on; -g only when set to 0)
        config_get_bool val "${section}" RootPasswordAuth 1
        [ "${val}" -eq 0 ] && append args "-g"
        # F) root login (default on; -w only when RootLogin=0)
        config_get_bool val "${section}" RootLogin 1
        [ "${val}" -eq 0 ] && append args "-w"
        # G) host keys (only passed if the configured files exist)
        config_get val "${section}" rsakeyfile
        [ -f "${val}" ] && append args "-r ${val}"
        config_get val "${section}" dsskeyfile
        [ -f "${val}" ] && append args "-d ${val}"

        # execute program and return its exit code
        [ "${verbosed}" -ne 0 ] && echo "${initscript}: section ${section} starting ${PROG} ${args}"
        SERVICE_PID_FILE="$pid_file" service_start ${PROG} ${args}
}

keygen()
{
        # Ensure RSA and DSS host keys exist. A missing key is generated in the
        # background under /tmp; this invocation then exits and the background
        # job re-execs "start" once the key is written. When both keys exist
        # in /tmp they are moved into /etc/dropbear.
        for keytype in rsa dss; do
                # check for keys
                key=dropbear/dropbear_${keytype}_host_key
                [ -f /tmp/$key -o -s /etc/$key ] || {
                        # generate missing keys
                        mkdir -p /tmp/dropbear
                        [ -x /usr/bin/dropbearkey ] && {
                                /usr/bin/dropbearkey -t $keytype -f /tmp/$key 2>&- >&- && exec /etc/rc.common "$initscript" start
                        } &
                # Leave the current run; the background job restarts the service.
                exit 0
                }
        done

        # Move the generated keys into place under the switch2jffs lock and
        # restrict the directory to root.
        # NOTE(review): DSS (DSA) host keys are obsolete for current SSH
        # clients; keeping them only helps very old clients.
        lock /tmp/.switch2jffs
        mkdir -p /etc/dropbear
        mv /tmp/dropbear/dropbear_* /etc/dropbear/
        lock -u /tmp/.switch2jffs
        chown root /etc/dropbear
        chmod 0700 /etc/dropbear
}

start()
{
        # Run keygen unless both host key files already exist and are non-empty.
        if ! [ -s /etc/dropbear/dropbear_rsa_host_key ] || \
           ! [ -s /etc/dropbear/dropbear_dss_host_key ]; then
                keygen
        fi

        # One dropbear instance per "dropbear" section of the UCI config.
        config_load "${NAME}"
        config_foreach dropbear_start dropbear
}

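stop()
{
        # Stop every instance started by this script (one pid file each) and
        # remove the pid file of each one that stopped cleanly.
        # Returns 1 when no pid file exists, otherwise the status of the last
        # service_stop attempt.
        # Iterates the glob directly instead of parsing `ls` output, which
        # breaks on unusual filenames and hides errors.
        local pid_file found=0 rv=0

        for pid_file in /var/run/${NAME}.*.pid; do
                [ -e "$pid_file" ] || continue   # unmatched glob stays literal
                found=1
                SERVICE_PID_FILE="$pid_file" service_stop ${PROG} && rm -f "${pid_file}"
                rv=$?
        done

        [ "$found" -eq 1 ] || return 1
        return "$rv"
}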

killclients()
{
        # Kill every running ${PROG} process that is neither one of our own
        # server instances (pid files in /var/run) nor the session this
        # script is being run from.
        local ignore=''
        local server
        local pid

        # if this script is run from inside a client session, then ignore that session
        # Walk up the parent chain via /proc/<pid>/stat field 4 (ppid) until a
        # process whose cmdline contains ${PROG} is found, or pid 0 is reached.
        pid="$$"
        while [ "${pid}" -ne 0 ]
         do
                # get parent process id
                pid=`cut -d ' ' -f 4 "/proc/${pid}/stat"`
                [ "${pid}" -eq 0 ] && break

                # check if client connection
                grep -F -q -e "${PROG}" "/proc/${pid}/cmdline" && {
                        append ignore "${pid}"
                        break
                }
        done

        # get all server pids that should be ignored
        for server in `cat /var/run/${NAME}.*.pid`
         do
                append ignore "${server}"
        done

        # get all running pids and kill client connections
        local skip
        for pid in `pidof "${NAME}"`
         do
                # check if correct program, otherwise process next pid
                # (fixed-string match on the NUL-separated cmdline)
                grep -F -q -e "${PROG}" "/proc/${pid}/cmdline" || {
                        continue
                }

                # check if pid should be ignored (servers, ourself)
                skip=0
                for server in ${ignore}
                 do
                        # "==" inside [ ] is a busybox/bash extension, not POSIX.
                        if [ "${pid}" == "${server}" ]
                         then
                                skip=1
                                break
                        fi
                done
                [ "${skip}" -ne 0 ] && continue

                # kill process
                # SIGKILL: the session gets no chance to clean up.
                echo "${initscript}: Killing ${pid}..."
                kill -KILL ${pid}
        done
}

这是现在的(2.2.1 Build 240514 Rel.58724n):
#!/bin/sh /etc/rc.common
# Copyright (C) 2006-2010 OpenWrt.org
# Copyright (C) 2006 Carlos Sobrinho

# rc.common start/stop ordering for this service.
START=50
STOP=50

# Presumably tells rc.common's service_start/service_stop to track the
# daemon through a pid file (see SERVICE_PID_FILE in dropbear_start/stop).
SERVICE_USE_PID=1

NAME=dropbear
PROG=/usr/sbin/dropbear
# Incremented per started instance so each gets its own pid file.
PIDCOUNT=0
EXTRA_COMMANDS="killclients"
EXTRA_HELP="        killclients Kill ${NAME} processes except servers and yourself"

getNewPasswd()
{
        # Obtain the password from the external helper /usr/sbin/dbg_passwd_gen:
        # the first 6 characters of its output are the password, the following
        # (up to 38) characters an "authorized code". Writes two lines to
        # stdout: the password, then the code.
        # NOTE(review): the helper is not in the unpacked image, so the
        # strength of the value cannot be judged from this script alone.
        local raw pw code
        raw=$(/usr/sbin/dbg_passwd_gen)
        pw=$(echo ${raw:0:6})
        code=$(echo ${raw:6:38})
        #echo "Password: $pw" > /dev/console
        echo "Authorized code: $code" > /dev/console
        echo ${pw}
        echo ${code}
}

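setNewPasswd()
{
        # Set the password of the user running this script (root when run from
        # init) to the value produced by getNewPasswd, and store the
        # accompanying "authorized code" in UCI.
        #
        # $1 - name of the dropbear config section that receives AuthCode.
        #      The original used "$1" directly, i.e. this function's own first
        #      argument; a caller that passes nothing (the way setNewPasswd is
        #      invoked elsewhere) produced the invalid path "dropbear..AuthCode".
        #      The section is now explicit, and the UCI write is skipped with a
        #      console message when it is missing.
        local section="${1:-}"
        local ret newPasswd newAuthCode
        ret=$(getNewPasswd)
        # getNewPasswd prints the password and the code, one per line.
        set -- $ret
        newPasswd="$1"
        newAuthCode="$2"
        #echo "newPasswd is $newPasswd" > /dev/console
        (echo "$newPasswd";sleep 1;echo "$newPasswd") | passwd > /dev/null
        if [ -n "$section" ]; then
                uci set ${NAME}.${section}.AuthCode="$newAuthCode"
                uci commit ${NAME}
        else
                echo "setNewPasswd: no config section given, AuthCode not stored" > /dev/console
        fi
}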

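setDefaultPasswd()
{
        # Restore the factory password database from the read-only image so the
        # hash baked into /rom/etc/passwd is in effect again.
        # The file runs under "#!/bin/sh"; "&> /dev/null" is a bash/ash
        # extension that a strict POSIX sh parses as "cp ... &" followed by
        # "> /dev/null", which would background the copy and race whatever
        # reads /etc/passwd next. Use the portable redirection instead.
        cp /rom/etc/passwd /etc/passwd > /dev/null 2>&1
}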

dropbear_start()
{
        # Start one dropbear instance for the UCI "dropbear" section named in $1.
        # Builds the argument list from the section's options and hands it to
        # service_start with a per-instance pid file.

        # Append "-p <port>" (interface absent from /proc/net/dev) or one
        # "-p <addr>:<port>" per address of the interface to the caller's
        # "args" variable.
        append_ports()
        {
                local ifname="$1"
                local port="$2"

                grep -qs "^ *$ifname:" /proc/net/dev || {
                        append args "-p $port"
                        return
                }

                # Pull the "addr:" values out of ifconfig, skipping fe80::/10
                # link-local IPv6 addresses.
                for addr in $(
                        ifconfig "$ifname" | sed -ne '
                                /addr: *fe[89ab][0-9a-f]:/d
                                s/.* addr: *\([0-9a-f:\.]*\).*/\1/p
                        '
                ); do
                        append args "-p $addr:$port"
                done
        }


        local section="$1"

        # Customized kill switch
        # Vendor addition: unless ssh_port_switch=1 in the section, restore the
        # factory /etc/passwd and skip starting dropbear (returns 0, so the
        # service still reports success).
        config_get_bool ssh_port_switch "${section}" ssh_port_switch 0
        echo "ssh_port_switch is $ssh_port_switch" > /dev/console
        if [ "$ssh_port_switch" != "1" ]; then
                echo "set default passwd" > /dev/console
                setDefaultPasswd
                return 0
        fi

        # check if section is enabled (default)
        local enabled
        config_get_bool enabled "${section}" enable 1
        [ "${enabled}" -eq 0 ] && return 1

        # debug firmware use default password
        # NOTE(review): in this build setNewPasswd (and thus dbg_passwd_gen) is
        # never called from this script; the password database is copied from
        # /rom/etc/passwd on every start, so the login password is whatever
        # hash the image ships, regardless of the helper's output.
        setDefaultPasswd

        # verbose parameter
        local verbosed
        config_get_bool verbosed "${section}" verbose 0

        # increase pid file count to handle multiple instances correctly
        PIDCOUNT="$(( ${PIDCOUNT} + 1))"

        # prepare parameters (initialise with pid file)
        local pid_file="/var/run/${NAME}.${PIDCOUNT}.pid"
        local args="-P $pid_file"
        local val
        # A) password authentication (default on; -s only when PasswordAuth=0)
        config_get_bool val "${section}" PasswordAuth 1
        [ "${val}" -eq 0 ] && append args "-s"
        # B) listen interface and port
        local port
        local interface
        config_get interface "${section}" Interface
        config_get interface "${interface}" ifname "$interface"
        config_get port "${section}" Port 22
        append_ports "$interface" "$port"
        # C) banner file
        config_get val "${section}" BannerFile
        [ -f "${val}" ] && append args "-b ${val}"
        # D) gatewayports (default off)
        config_get_bool val "${section}" GatewayPorts 0
        [ "${val}" -eq 1 ] && append args "-a"
        # E) root password authentication (default on; -g only when set to 0)
        config_get_bool val "${section}" RootPasswordAuth 1
        [ "${val}" -eq 0 ] && append args "-g"
        # F) root login (default on; -w only when RootLogin=0)
        config_get_bool val "${section}" RootLogin 1
        [ "${val}" -eq 0 ] && append args "-w"
        # G) host keys (only passed if the configured files exist)
        config_get val "${section}" rsakeyfile
        [ -f "${val}" ] && append args "-r ${val}"
        config_get val "${section}" dsskeyfile
        [ -f "${val}" ] && append args "-d ${val}"

        # execute program and return its exit code
        [ "${verbosed}" -ne 0 ] && echo "${initscript}: section ${section} starting ${PROG} ${args}"
        SERVICE_PID_FILE="$pid_file" service_start ${PROG} ${args}
}

keygen()
{
        # Ensure RSA and DSS host keys exist. A missing key is generated in the
        # background under /tmp; this invocation then exits and the background
        # job re-execs "start" once the key is written. When both keys exist
        # in /tmp they are moved into /etc/dropbear.
        for keytype in rsa dss; do
                # check for keys
                key=dropbear/dropbear_${keytype}_host_key
                [ -f /tmp/$key -o -s /etc/$key ] || {
                        # generate missing keys
                        mkdir -p /tmp/dropbear
                        [ -x /usr/bin/dropbearkey ] && {
                                /usr/bin/dropbearkey -t $keytype -f /tmp/$key 2>&- >&- && exec /etc/rc.common "$initscript" start
                        } &
                # Leave the current run; the background job restarts the service.
                exit 0
                }
        done

        # Move the generated keys into place under the switch2jffs lock and
        # restrict the directory to root.
        # NOTE(review): DSS (DSA) host keys are obsolete for current SSH
        # clients; keeping them only helps very old clients.
        lock /tmp/.switch2jffs
        mkdir -p /etc/dropbear
        mv /tmp/dropbear/dropbear_* /etc/dropbear/
        lock -u /tmp/.switch2jffs
        chown root /etc/dropbear
        chmod 0700 /etc/dropbear
}

start()
{
        # Run keygen unless both host key files already exist and are non-empty.
        if ! [ -s /etc/dropbear/dropbear_rsa_host_key ] || \
           ! [ -s /etc/dropbear/dropbear_dss_host_key ]; then
                keygen
        fi

        # One dropbear instance per "dropbear" section of the UCI config.
        config_load "${NAME}"
        config_foreach dropbear_start dropbear
}

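stop()
{
        # Stop every instance started by this script (one pid file each) and
        # remove the pid file of each one that stopped cleanly.
        # Returns 1 when no pid file exists, otherwise the status of the last
        # service_stop attempt.
        # Iterates the glob directly instead of parsing `ls` output, which
        # breaks on unusual filenames and hides errors.
        local pid_file found=0 rv=0

        for pid_file in /var/run/${NAME}.*.pid; do
                [ -e "$pid_file" ] || continue   # unmatched glob stays literal
                found=1
                SERVICE_PID_FILE="$pid_file" service_stop ${PROG} && rm -f "${pid_file}"
                rv=$?
        done

        [ "$found" -eq 1 ] || return 1
        return "$rv"
}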

killclients()
{
        # Kill every running ${PROG} process that is neither one of our own
        # server instances (pid files in /var/run) nor the session this
        # script is being run from.
        local ignore=''
        local server
        local pid

        # if this script is run from inside a client session, then ignore that session
        # Walk up the parent chain via /proc/<pid>/stat field 4 (ppid) until a
        # process whose cmdline contains ${PROG} is found, or pid 0 is reached.
        pid="$$"
        while [ "${pid}" -ne 0 ]
         do
                # get parent process id
                pid=`cut -d ' ' -f 4 "/proc/${pid}/stat"`
                [ "${pid}" -eq 0 ] && break

                # check if client connection
                grep -F -q -e "${PROG}" "/proc/${pid}/cmdline" && {
                        append ignore "${pid}"
                        break
                }
        done

        # get all server pids that should be ignored
        for server in `cat /var/run/${NAME}.*.pid`
         do
                append ignore "${server}"
        done

        # get all running pids and kill client connections
        local skip
        for pid in `pidof "${NAME}"`
         do
                # check if correct program, otherwise process next pid
                # (fixed-string match on the NUL-separated cmdline)
                grep -F -q -e "${PROG}" "/proc/${pid}/cmdline" || {
                        continue
                }

                # check if pid should be ignored (servers, ourself)
                skip=0
                for server in ${ignore}
                 do
                        # "==" inside [ ] is a busybox/bash extension, not POSIX.
                        if [ "${pid}" == "${server}" ]
                         then
                                skip=1
                                break
                        fi
                done
                [ "${skip}" -ne 0 ] && continue

                # kill process
                # SIGKILL: the session gets no chance to clean up.
                echo "${initscript}: Killing ${pid}..."
                kill -KILL ${pid}
        done
}




以下是关键片段(两个版本 getNewPasswd 的对比):
# New derivation (current firmware)
getNewPasswd()
{
        # Ask the external helper /usr/sbin/dbg_passwd_gen for a value; its
        # first 6 characters are the password, the next (up to 38) characters
        # the "authorized code". Emits password then code, one per line.
        local output password authcode
        output=$(/usr/sbin/dbg_passwd_gen)
        password=$(echo ${output:0:6})
        authcode=$(echo ${output:6:38})
        #echo "Password: $password" > /dev/console
        echo "Authorized code: $authcode" > /dev/console
        echo ${password}
        echo ${authcode}
}


# Old derivation (previous firmware)
getNewPasswd()
{
        # Password = first 16 hex digits of md5(MAC without separators), the
        # MAC being read from the tddpServer ubus object.
        # NOTE(review): the MAC is observable on the LAN and printed on the
        # device label, so this password is recoverable by any local host.
        . /lib/functions.sh
        local mac
        mac=$(ubus call tddpServer getInfo '{"infoMask":1,"sep":"-"}' | sed 's/-//g' | jsonfilter -e '@.mac')
        echo "macAddr from tddp config is $mac" > /dev/console

        local hash
        hash=$(echo -n "$mac" | md5sum)
        hash=$(echo ${hash:0:16})
        #echo "key is $hash" > /dev/console

        echo ${hash}
}




根据这个脚本分析,TP-LINK在新版固件(指使用改版OpenWRT固件的路由器)修改了root密码的计算方式:
新版的getNewPasswd不再用MAC算,而是调用/usr/sbin/dbg_passwd_gen这个二进制,取其输出前6位作为密码、后面最多38位作为"Authorized code"写进uci。
但要注意一点:新版dropbear_start里实际调用的是setDefaultPasswd(注释写着"debug firmware use default password"),setNewPasswd在整个脚本里根本没被调用。也就是说按这份脚本,开机时root密码是直接从/rom/etc/passwd复制过来的固件内置哈希,dbg_passwd_gen并没有被执行。
解包也没看到dbg_passwd_gen这个文件的踪影,所以它的算法暂时无从分析。
有点怀疑TP-LINK是在更新后才释放这个文件,但是固件里找不到也就提不出来。
希望有大佬能折腾一下这玩意
既然能解包再封包,理论上替换密码哈希就可以啦。不过注意这份脚本里的setDefaultPasswd每次启动都会把/rom/etc/passwd覆盖到/etc/passwd,如果哈希是放在passwd里的,改了也会在重启时被还原;要改就改镜像里的/rom/etc/passwd,或者把init脚本里这一步去掉。
只要telnet能成功登录后,想怎么操作就怎么操作。都是敲命令
例如:
cd
ls
ls -l
cat
passwd
binwalk解压原始固件,
squashfs-root文件系统
/etc目录
重新mksquashfs压缩回去。

楼主拿到passwd/shadow文件就可以替换了。用别的知道密码的OpenWrt的哈希替换密码部分就可以了
比如用$1$/upNzzBq$n6dSjhrukZDsXFFm33doL1替换$1$tHiYRbC2$zCy8uUkCeF8Rwa8p2yPKX1。保存文件打包回去再上传,重启。
我给的$1$/upNzzBq$n6dSjhrukZDsXFFm33doL1就是admin。替换后root密码就是admin
我的TL-ER3210G提取出来的默认密码哈希是$1$tHiYRbC2$zCy8uUkCeF8Rwa8p2yPKX1。这是$1$开头的MD5-crypt哈希,没法"反推"出明文,只能用字典/暴力破解去撞。另外盐值(tHiYRbC2)是固定在镜像里的,所以同一个固件的设备哈希相同;其他型号/版本是不是同一个哈希得各自提取出来比对,不能直接假设都一样。
另外拿到root ttl进系统了后能改什么呢?改插件?