Reverse engineering IP camera firmware to find admin password

I'm trying to reverse engineer an IP camera firmware and found the complete ROM OS, but I would like to find out the system password, so I have looked at /etc/passwd.



The file is not there, it is instead in /etc/default/passwd and here is its content:



# cat passwd
admin:hgZXuon0A2DxN:0:0:Administrator:/etc/config:/bin/sh
viewer::1:1:Viewer:/:/dev/null


So now I am searching for the shadow file and there is such file in the complete ROM?



So I'm a bit confused here: what is the encryption type used on this system?
Btw I want to learn how to do it, not just look up a password table (btw it would work on the web UI but not on telnet), and every tutorial seems to use this type of hash:



root:$6$jcs.3tzd$aIZHimcDCgr6rhXaaHKYtogVYgrTak8I/EwpUSKrf8cbSczJ3E7TBqqPJN2Xb.8UgKbKyuaqb78bJ8lTWVEP7/:0:0:root:/root:/bin/bash


Not the one I have









edited Jul 13 at 7:32

asked Jul 12 at 22:19

TurtleForGaming Apps

  • Is the password literally hgZXuon0A2DxN?
    – Nick ODell
    Jul 12 at 22:40










  • What's the make/model of this IP camera?
    – slm♦
    Jul 12 at 22:48










  • What's the base OS for stardot?
    – slm♦
    Jul 13 at 11:12
















4 Answers

accepted

In that form (that is before /etc/shadow and without any $...$ prefix) it is probably (3)DES based hashing, see https://en.wikipedia.org/wiki/Crypt_%28C%29#Traditional_DES-based_scheme and the table above that paragraph:

The original password encryption scheme was found to be too fast and thus subject to brute force enumeration of the most likely passwords.[10] In Seventh Edition Unix,[12] the scheme was changed to a modified form of the DES algorithm

If you use this tool https://github.com/psypanda/hashID it says on your value:

Analyzing 'hgZXuon0A2DxN'
[+] DES(Unix)
[+] Traditional DES
[+] DEScrypt

A brute forcing tool like hashcat should be able to find the original password based on that. It also tells you for your specific hash that the hash value is wrong (for this reason: https://hashcat.net/forum/thread-3809.html) in which case, if this is really a hash it is probably instead hgZXuon0A2DxM.

Note an interesting "feature" of this kind of password storage (if it is truly ancient DES-based Unix storage): only the first 8 bytes (hence characters because then UTF-8 was unheard of) are taken into account, so that limits the space of possible values.






edited Jul 20 at 18:02

answered Jul 13 at 21:01

Patrick Mevzek

  • So the hash type is DES?
    – TurtleForGaming Apps
    Jul 14 at 9:54

  • @TurtleForGamingApps See my update, the tool hashID seems to think the same. It looks like that it can be it (as 13 characters long), more precisely "descrypt" or "DES as used in Unix crypt". It is not 100% certain, in part because its value is wrong (hashcat reports it as wrong, it works with M instead of N at the end). You should maybe try to investigate more to see what kind of Unix system it is, if you find some "version" file in /etc, etc.
    – Patrick Mevzek
    Jul 20 at 18:04
















Rather than trying to crack this I'd look up the make/model and find out what the default password is for it. This type of information is ubiquitous on the internet.

Websites like this one titled: I do not know what user name and password to enter when setting up my network camera, have this info which is a lot easier than having to actually crack it:

Manufacturer   Default user name   Default password
ACTi           Admin               123456
Axis           root                pass
D-Link         admin               [none]
IQinVision     root                system
LinkSys        admin               admin
Panasonic      [none]              [none]
Sony           admin               admin
TRENDnet       admin               admin

Sites like this are a dime a dozen and unless you changed the password, it's going to be one of the default ones for your make/model.

Your device

The company stardot is on this list: IP Cameras Default Passwords Directory.

Stardot: admin/admin








edited Jul 13 at 11:11

answered Jul 12 at 23:00

slm♦

  • And here is the brand: stardot and I don't know the model
    – TurtleForGaming Apps
    Jul 13 at 7:25
















Nobody can tell you what this system exactly does unless someone has exactly the same IP camera (and you forgot to mention the exact brand and model).

But we can guess: /etc/default/passwd is probably a template that's copied from the flash rom to /etc/passwd, which probably resides in an overlay file system in another partition of the flash rom. Any changes made to the actual password will be in this partition; so having the ROM image is not enough.

But you can try the default password. There are tools that can crack unix passwords given enough time and memory.

BTW, there's also a reverse engineering stackexchange.







answered Jul 13 at 5:56

dirkt

Regarding your question about the format of that password being strange to you: nowadays you can actually have a lot of encrypted password formats in Unix/Linux.

In a distant past, the default and most common format was passwords encrypted using the crypt algorithm, which is the case you are presenting us with.

The shadow file was also a later addition, and in archaic Linuxes (or embedded actually), you can find the encrypted password in /etc/passwd. So I would not be so surprised at not finding the shadow file.

Nowadays you have several formats that are easily identified by their first characters.

So you have:

crypt - no standard starting identifier, fixed length of 13 ASCII characters.

$1$ - md5
$2a$ - Blowfish
$2y$ - Blowfish, with correct handling of 8 bit characters
$5$ - sha256
$6$ - sha512

See Understanding and generating the hash stored in /etc/shadow







edited Jul 13 at 12:27

answered Jul 13 at 12:22

Rui F Ribeiro
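
Added example (not part of any answer above, and not code from hashID or hashcat): a small Python audit of passwd-style records that applies the prefix list from the last answer and the 13-character rule from the accepted answer. It also shows why the string ending in N is rejected while the one ending in M is well formed: the 11 hash characters carry 66 bits for a 64-bit DES output, so the two lowest bits of the final character must be zero. The function names are invented for this example; the sample records are the ones quoted in the question.

```python
"""Classify the password field of passwd(5)-style records found in a firmware image."""

# crypt(3) 6-bit alphabet, in value order (0..63)
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# Modular-crypt prefixes listed in the answer above
PREFIXES = {
    "$1$": "md5crypt",
    "$2a$": "bcrypt",
    "$2y$": "bcrypt",
    "$5$": "sha256crypt",
    "$6$": "sha512crypt",
}

# Records quoted in the question (the last one is the tutorial-style example)
SAMPLE_PASSWD = """\
# cat passwd
admin:hgZXuon0A2DxN:0:0:Administrator:/etc/config:/bin/sh
viewer::1:1:Viewer:/:/dev/null
root:$6$jcs.3tzd$aIZHimcDCgr6rhXaaHKYtogVYgrTak8I/EwpUSKrf8cbSczJ3E7TBqqPJN2Xb.8UgKbKyuaqb78bJ8lTWVEP7/:0:0:root:/root:/bin/bash
"""


def check_descrypt(field):
    """Return (looks_like_descrypt, is_canonical, canonical_form)."""
    if len(field) != 13 or any(c not in ITOA64 for c in field):
        return False, False, None
    # 2 salt chars + 11 chars = 66 bits for a 64-bit block: the low two
    # bits of the last character are padding and must be zero.
    last = ITOA64.index(field[12])
    canonical = field[:12] + ITOA64[last & ~3]
    return True, (last & 3) == 0, canonical


def classify_field(field):
    """Map one password field to (scheme, notes)."""
    if field == "":
        return "empty", ["no password set for this account"]
    if field == "x":
        return "shadowed", ["hash is kept in a separate shadow file"]
    if field[0] in "*!":
        return "locked", []
    for prefix, name in PREFIXES.items():
        if field.startswith(prefix):
            return name, []
    shaped, canonical, fixed = check_descrypt(field)
    if shaped:
        notes = ["legacy DES crypt: only the first 8 password bytes are used"]
        if not canonical:
            notes.append(
                "final character %r has padding bits set; clearing them gives %s"
                % (field[12], fixed)
            )
        return "descrypt", notes
    return "unknown", ["not a recognised crypt(3) format"]


def audit_passwd(text):
    """Parse passwd-style text and return one finding dict per account."""
    report = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank line, comment, or a pasted shell prompt
        parts = line.split(":")
        if len(parts) < 7:
            continue  # not a passwd(5) record
        user, field, uid, shell = parts[0], parts[1], parts[2], parts[6]
        scheme, notes = classify_field(field)
        if uid == "0" and scheme in ("empty", "descrypt"):
            notes.append("UID 0 account protected by weak or no hashing")
        report.append(
            {"user": user, "uid": uid, "shell": shell, "scheme": scheme, "notes": notes}
        )
    return report


if __name__ == "__main__":
    for entry in audit_passwd(SAMPLE_PASSWD):
        print("%-8s uid=%s shell=%-10s %s" % (
            entry["user"], entry["uid"], entry["shell"], entry["scheme"]))
        for note in entry["notes"]:
            print("         - " + note)
```

Classification here is by prefix and shape only, so a 13-character string that happens to use the crypt alphabet is reported as descrypt even if the device stores something else in that field.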
