# What sort of encryption is used?/Problem w/ Filanet Interjak

## mvip

Well, not really gentoo oriented, but rather just security oriented (and Linux).

This is the thing, I received an "old" router the other day, a Filanet 200 router, the only problem though, is that I don't have the admin-password for it, and there's no way to reset it.

What's interesting with this router thought, is that it's running Linux, and that it got really cool features.

What I do got though, is a CD with the settings that was uploaded to it. However, the password-row is encrypted and I do not know what sort of encryption that's used.

The string is as follows:

"+13a147aeb396f9ff537743ce52280b7fb7d2a0a8d16be202c0b5f1031"

Is it possible to figure out what sort of encryption that's used from that line? And if so, anyone knows how hard it is to brute-force it (or any other way to break it)?

Regards,

mvipLast edited by mvip on Sat Dec 24, 2005 9:15 am; edited 1 time in total

----------

## cynric

Never used one, but found the following through a google search:

 *Quote:*   

> We know of one product that provides all the functions you want. (Whether you should entrust all these functions to one unit is another matter and depends on how crucial connectivity is for your remote office.) Filanet's InterJak 200 is an Internet service appliance that provides two USB and two FireWire ports for file and print sharing, DHCP server services, Network Address Translation (NAT), and a firewall with as many as 50 filters. The appliance also offers an optional VPN that uses PPTP or 56-bit Data Encryption Standard (DES) or 168-bit Triple DES (3DES) IP Security (IPSec).

 

That seems to be consitent across other sites as well. In terms of cracking it, that would depend on your machine. There are some projects out there for building dedicated DES cracking machines, but that's probably beyond what you want to get into. Most likely running a dictionary attack would work. However, I know that with Cisco routers, you can reset the password by booting it into a different mode. There might be an option comparable on the filanet.

I do wonder if it's just plain linux whether that's an MD5 hash ... anyway, perhaps someone more knowledgable will know. Good luck.

----------

## NeddySeagoon

mvip,

Well,my first guess would be md5 but the key you posted is not 128 bits, its about twice that.

I'm not sure what that is the password hash of - the root password ?

As its a linux box at heart, if you can get it to boot into single user mode, you can set the root password to anything you like.

The FLASH memory probably has two or more real partitions, so you can erase Linux for an update without erasing the boot code.

On many embedded systems you can boot into the bootloader directly and change the kernel startup paramters.

Typing help at the prompt is often useful. Its not too different to a PC linux. Adding single to the kernel boot line, when you find it will have the desired affect. 

You need to work out how to attach a terminal and get into the boot loader.

The manual hints that you can because it mentions a reduced functionality system for doing firmware updates.

I would not bother to attempt to brute force it. Any system admin worthy of the name will have used a strong password. In conjunction with strong encryption, it will take a very long time. Many of these boxes have a 'reset to factory defaults' jumper inside. You switch off, move the jumper and boot. Wait a while, switch off, then put the jumper back to normal and boot. All settings erased.

The device uses uLinux - it may be worth reading the micro linux web site.

----------

## cynric

I agree that you'd be better of trying to reset as opposed to brute force. NeddySeagoon, you mentioned reset jumpers. Is that normal for routers? A little OT, but am curious.

----------

## NeddySeagoon

cynric,

Well, my domestic no-name one has a reset jumper.

I don'r know if its normal.

----------

## Monkeh

 *cynric wrote:*   

> I agree that you'd be better of trying to reset as opposed to brute force. NeddySeagoon, you mentioned reset jumpers. Is that normal for routers? A little OT, but am curious.

 

Most (probably all) home routers have a small button or pinhole to reset to factory defaults. Settings are stored in what's basically the same as a PC's CMOS, and thus can be cleared, though if it doesn't give you a button/jumper/etc for it, you might need to get creative.

----------

## cynric

*nods* I guess I was thinking more "high-end" equipment.

----------

## Monkeh

 *cynric wrote:*   

> *nods* I guess I was thinking more "high-end" equipment.

 

High-end stuff (aka Cisco's) almost certainly can be reset in the same way. Probably via a jumper of some sort (I wouldn't put an external reset on one).

----------

## magic919

You wouldn't need to bridge a jumper to recover a password on a Cisco you have physical access to.  Even Cisco will tell you how to do that.

----------

## cynric

Yeah, on Cisco you just boot into rommon; or something like that. I've never been inside one or even a Linksys, but neither of which would seem to benefit from jumpers of any sort. Was mainly wondering if anyone knew for sure, but I think it's been settled essentially ;) Unfortunately, the actual question about encryption is still up for grabs.

----------

## Monkeh

 *magic919 wrote:*   

> You wouldn't need to bridge a jumper to recover a password on a Cisco you have physical access to.  Even Cisco will tell you how to do that.

 

Fair enough. I know little about 'em, but as a general rule I dislike things you merely need physical access to to compromise  :Razz: 

----------

## cynric

Anything is going to be at a much higher risk if someone has physical access to it.

----------

## Monkeh

 *cynric wrote:*   

> Anything is going to be at a much higher risk if someone has physical access to it.

 

Of course,  but password/whateverless admin and/or settings reset on something I might well be using as a core router worries me, unless it can either be padlocked or is inside the box.

----------

## mvip

Well, much interesting came out of this posting. Even though I asked about the encryption, and answers came about other stuff, it still helped. I actually found a password-reset button after opening up the box. The button was accessable from the outside with a screwdriver, but it was not marked at all on the outside, and was located behind the net on the side, hence not visible.

However, I did not have any luck, even though I reseted the password. It actually seems like the reset didn't work at all. 

My next approach was to open it up and remove the battery that was located on the inside of the unit for a minute, in hope of creating a reset. But this approach failed too. 

Now I don't really know what to do. I've been looking for jumbers on the inside of the box that creates a reset, but I cannot find any that's maked with any reset.

Anyone got any more suggestions?

mvip

----------

## Monkeh

The reset probably did work.. Are you sure you have the right default user/pass?

----------

## mvip

Think so.

Well, according to the manual, the defualt setting is admin/AaBbCcDdEe.

I've tried that without any success. I also tried the username that was given in the config-file (see original post) in combination with the default password, and that didn't give me any luck either.

What I do fear though, is that hte "default password" that it goes back to is the password given in the config-file that was uploaded.

mvip

----------

## Monkeh

That would defeat the point of a default password, now wouldn't it? It should have been restored to factory condition. Tried admin/admin? (quite common..)

----------

## magic919

It says to remove power.  Press button.  Apply power and hold button for 10 secs.

----------

## mvip

Thanks a lot magic919. It worked. My bad though, cause I just found it in one of the manuals that came with the box.

Well, the next problem I ran into was that I cannot log into the device in "reset" mode. I can access it through telnet, and it accepts the default password and everything, but I get some java-problems when I try to login to the web. I've tried using like 3 different browsers and 3 different machines (windows, mac and Linux), and they all give me the same error.

Anyone that can figure out how to reset the password using telnet? 

As I interpreted the manual, I'm sceptic to the fact that it's possible, but not sure though.

Tried using the "config" part using telnet, without succeding very well.

Anyone got any suggestions?

----------

## NeddySeagoon

mvip,

Its a linux box - try 

```
whoami
```

  to find out your user name and 

```
passwd
```

to reset that users password.

You are probably root. Is the prompt # (root)  or $ (ordinary user) ?

You need to power up with the reset switch held down, then again with it relesed to get normal operation with the default settings.

----------

## mvip

NeddySeagoon,

What you say makes sense....if I was given a standard shell on the router. However, I'm only given some sort of modified shell with very restricted possibilties. Cannot really figure out how to change the password from there though.

mvip

----------

## NeddySeagoon

mvip,

Are you allowed to su ?

----------

## mvip

NeddySeagoon,

This is the output of "help" in the shell.

-----------

> help

arp        

config     [-q]

df         

dnscache   [-c] [-l hostname/ipaddr]

enable     [passwd]

exit       

flash      

help       [command]

memory     

netstat    

network    

ping       host [count [size]]

postmortem 

ps         

quit       

route      

smbsess    

status     [E-mail addresses]

sync       

syslog     

timeout    [disable|minutes]

uptime     [-c] [-s interval] [-d]

version

-------------

mvip

----------

## cynric

I'm not of much help, but am following the thread. I just want to make sure here, we are trying to get the 'enable' password?

----------

## mvip

Cynric,

Well, assuming that the "enable" password equals the "normal" administrator password, but probably...yes.

mvip

----------

## cynric

*nods* My router experience is only with Cisco. Chopped up shell. Enable gives root/admin privs. Figured that was the same here, especially given the help output.

----------

