DSM-G600, DNS-3xx and NSA-220 Hack Forum

Unfortunately no one can be told what fun_plug is - you have to see it for yourself.

You are not logged in.

Announcement

#1 2006-08-16 23:36:20

mchinand
Member
Registered: 2006-08-04
Posts: 6

Telnet login

I've been able to login remotely through telnet. I've built a busybox binary that contains telnetd. For some reason it hangs when trying to use /bin/sh as the shell, so I modifed the /etc/passwd file to use ash in my busybox. Here's what my fun_plug file looks like to get this working:

Code:

cp /mnt/HD_a2/passwd /etc/passwd
cd /dev && /mnt/HD_a2/busybox3 makedevs ptyp c 2 0 0 9
cd /dev && /mnt/HD_a2/busybox3 makedevs ttyp c 3 0 0 9
/mnt/HD_a2/busybox3 telnetd

/mnt/HD_a2/passwd contains my modified passwd file to change the shell and home directory, here the line for user admin:

Code:

admin:x:500:500:Linux User,,,:/:/mnt/HD_a2/ash

Maybe copying of the passwd file should only be done once and not included in fun_plug, I'm not sure how changes to /etc/passwd are preserved on reboot. /mnt/HD_a2/ash is a symbolic link to /mnt/HD_a2/busybox3. Sala, do you want to include this busybox binary along with your other files?

--Mike

Offline

 

#2 2006-08-17 01:38:48

sala
Member / Site Admin
From: Estonia
Registered: 2006-07-28
Posts: 731
Website

Re: Telnet login

Sure, you can send it to support (at) sala.pri.ee


DSM-G600 - NetBSD hdd-boot - 80GB Samsung SP0802N
NSA-220 - Gentoo armv5tel 20110121 hdd-boot - 2x 2TB WD WD20EADS

Offline

 

#3 2006-08-18 17:15:46

sala
Member / Site Admin
From: Estonia
Registered: 2006-07-28
Posts: 731
Website

Re: Telnet login

Thanks for busybox binary! But we can't do much with admin login. We need root and here it is tongue

fun_plug file

Code:

#!/bin/sh
if [ ! -e /mnt/HD_a2/ash ]
then
  ln -s /mnt/HD_a2/busybox /mnt/HD_a2/ash
fi
if [ ! `grep root /etc/shadow` ]
then
  echo kontroll.`grep admin /etc/shadow` >> /etc/shadow
  /mnt/HD_a2/sed -i -e 's/kontroll.admin/root/' /etc/shadow
fi
/mnt/HD_a2/sed -i -e 's/root:.*/root:x:0:0:Linux User,,,:\/:\/mnt\/HD_a2\/ash/' /etc/passwd
cd /dev && /mnt/HD_a2/busybox makedevs ptyp c 2 0 0 9
cd /dev && /mnt/HD_a2/busybox makedevs ttyp c 3 0 0 9
/mnt/HD_a2/busybox telnetd &

busybox and sed binary
http://dns323.kood.org/downloads/busybo … .1.tar.bz2

PS: root password is same with admin user

Last edited by sala (2006-10-14 21:45:22)


DSM-G600 - NetBSD hdd-boot - 80GB Samsung SP0802N
NSA-220 - Gentoo armv5tel 20110121 hdd-boot - 2x 2TB WD WD20EADS

Offline

 

#4 2006-10-13 05:28:31

tksm
Member
Registered: 2006-09-27
Posts: 16

Re: Telnet login

works fine, just need to add a non-root login for telnet inorder to run services such as icecast, any suggestions?

Offline

 

#5 2006-10-13 08:02:16

sala
Member / Site Admin
From: Estonia
Registered: 2006-07-28
Posts: 731
Website

Re: Telnet login

Add a usable shell to admin user and you'll good to go.

admin:x:500:500:Linux User,,,:/:/mnt/HD_a2/ash


DSM-G600 - NetBSD hdd-boot - 80GB Samsung SP0802N
NSA-220 - Gentoo armv5tel 20110121 hdd-boot - 2x 2TB WD WD20EADS

Offline

 

#6 2006-10-14 19:16:39

BertrandB
Member
From: Dijon (France)
Registered: 2006-09-16
Posts: 119
Website

Re: Telnet login

sala wrote:

T
fun_plug file
...
echo kontroll.`grep admin /etc/shadow` >> /etc/shadow
/mnt/HD_a2/sed -i -e 's/kontroll.admin/root/' /etc/shadow
/mnt/HD_a2/sed -i -e 's/root:.*/root:x:0:0:Linux User,,,:\/:\/mnt\/HD_a2\/ash/' /etc/passwd

is a bit buggy

look at my /etc/shadow

Code:

# more /etc/shadow
admin:Lnrqv6ozs4FEc:0:0:99999:7:::
nobody:pACwI1fCXYNw6:0:0:99999:7:::
xx:qckv4r4OOsJ0U:13400:0:99999:7:::
root:Lnrqv6ozs4FEc:0:0:99999:7:::
root:Lnrqv6ozs4FEc:0:0:99999:7:::
root:Lnrqv6ozs4FEc:0:0:99999:7:::
root:Lnrqv6ozs4FEc:0:0:99999:7:::
ssssss:YgPrCERZPbIxM:13428:0:99999:7:::
root:Lnrqv6ozs4FEc:0:0:99999:7::

Oh my "code" (sory my god) if you create an user the /etc/shadow grows ...

and

Code:

# more /etc/shadow
admin:Lnrqv6ozs4FEc:0:0:99999:7:::
nobody:pACwI1fCXYNw6:0:0:99999:7:::
xx:qckv4r4OOsJ0U:13400:0:99999:7:::
root:Lnrqv6ozs4FEc:0:0:99999:7:::
root:Lnrqv6ozs4FEc:0:0:99999:7:::
root:Lnrqv6ozs4FEc:0:0:99999:7:::
root:Lnrqv6ozs4FEc:0:0:99999:7:::
sophie:YgPrCERZPbIxM:13428:0:99999:7:::
ssssss:Lnrqv6ozs4FEc:0:0:99999:7::

Oh ok when i create a new user the /etc/shadow is flashed ... it's why

Offline

 

#7 2006-10-14 21:03:14

sala
Member / Site Admin
From: Estonia
Registered: 2006-07-28
Posts: 731
Website

Re: Telnet login

Thanks for your report smile
Now all readme's have fixed fun_plug

/sys/mtd1/shadow at /dev/mtdblock0 is flashed!
/etc/shadow will be flashed only if you change your user setting with D-Link web interface.
So if you haven't changed your user settings after starting to use telnet then your shadow file is OK, but you still need a new fun_plug for telnet!

If your /etc/shadow looks like BertrandB's example then you may want to fix this but it is not crucial!
a) Using vi

Code:

/mnt/HD_a2/busybox vi /etc/shadow

and delete unneeded root entries.
If you are not familiar with vi then do not use it!!!
b) You can also copy shadow file to your hard disk, delete unneeded root entries and then copy it back to /etc
After using one of these fixing steps, go to web interface and change admin password, so your fixed /etc/shadow will get flashed.


DSM-G600 - NetBSD hdd-boot - 80GB Samsung SP0802N
NSA-220 - Gentoo armv5tel 20110121 hdd-boot - 2x 2TB WD WD20EADS

Offline

 

#8 2006-10-14 22:56:20

BertrandB
Member
From: Dijon (France)
Registered: 2006-09-16
Posts: 119
Website

Re: Telnet login

sala wrote:

After using one of these fixing steps, go to web interface and change admin password, so your fixed /etc/shadow will get flashed.

another way to flash the /etc/shadow :

Code:

mount /sys/mtd1
cp /etc/shadow /sys/mtd1
umount /sys/mtd1

Offline

 

#9 2006-10-31 17:55:09

sala
Member / Site Admin
From: Estonia
Registered: 2006-07-28
Posts: 731
Website

Re: Telnet login

Here is another way to enable telnet on DSM-G600. This time there is no need of busybox at all.

Code:

if [ ! `grep root /etc/shadow` ]
then
  echo kontroll.`grep admin /etc/shadow` >> /etc/shadow
  /mnt/HD_a2/sed -i -e 's/kontroll.admin/root/' /etc/shadow
fi
/mnt/HD_a2/sed -i -e 's/root:.*/root:x:0:0:Linux User,,,:\/:\/mnt\/HD_a2\/dash/' /etc/passwd
for i in 0 1 2 3 4 5 6 7
do
  /mnt/HD_a2/mknod /dev/ttyp$i c 3 $i
  /mnt/HD_a2/mknod /dev/ptyp$i c 2 $i
done
/mnt/HD_a2/utelnetd &

Files needed:
sed - http://dns323.kood.org/downloads/sed-4.1.5.tar.bz2
utelnetd, dash and mknod - http://dns323.kood.org/downloads/utelne … od.tar.bz2

This method may needs some tweaks, a better shell than dash or some utelnetd hacks to make it run smoother.


DSM-G600 - NetBSD hdd-boot - 80GB Samsung SP0802N
NSA-220 - Gentoo armv5tel 20110121 hdd-boot - 2x 2TB WD WD20EADS

Offline

 

#10 2006-11-17 11:01:39

mitsus
New member
Registered: 2006-11-17
Posts: 4

Re: Telnet login

Hi all, i've create a fun_plug file how to explain from http://dns323.kood.org/dsmg600/howto:telnet, but when i launch


$ telnet <ip of my dsmg600>
Trying xxx.xxx.x.xxx...
Connected to 192.168.1.147 (192.168.1.147).
Escape character is '^]'.

DSM-G600 login: admin
Password:
warning: cannot change to home directory


BusyBox v1.00-pre1 (2005.10.27-08:04+0000) Built-in shell (ash)
Enter 'help' for a list of built-in commands.


ls
ls
sl


I don't see anythink.
I've changed my shell into ash, installing it from an RPM, but telnet on dsmg600 don't' work.

Help me!

Regards.

Offline

 

#11 2006-11-17 13:44:32

sala
Member / Site Admin
From: Estonia
Registered: 2006-07-28
Posts: 731
Website

Re: Telnet login

..connect to your DSM-G600 with telnet client with root user and with password you have specified for admin in web interface.

Login as root not as admin. You need only admin user password.


DSM-G600 - NetBSD hdd-boot - 80GB Samsung SP0802N
NSA-220 - Gentoo armv5tel 20110121 hdd-boot - 2x 2TB WD WD20EADS

Offline

 

#12 2007-01-06 22:59:12

JohnGalt
New member
Registered: 2007-01-06
Posts: 2

Re: Telnet login

Thanks everyone (especially, sala!) for putting together such an excellent forum.

I've a bunch of files and folders on my DSM G600 hard drive backed up by NERO backitup 2 software but I need to delete them. I was not able to delete them so I am now trying to telnet in to the DSM G600 as root and then delete them. But so far it has not worked.

This is what I did:

1. I first tested the fun_plug script using the

Code:

dmesg > /mnt/HD_a2/dmesg.out

and it worked. In my root folder, I had the dmesg.out file with all the boot messages.

2. I followed instructions at http://dns323.kood.org/dsmg600/howto:telnet for creating a new fun_plug. Put the busybox and sed in my HD_a2 directory. Rebooted.
Ran nmap to see if a telnet port was opened. No luck. Also tried to telnet to the box, got no port available response. I can see that the script is being executed since I did see the new symlink ash created in the root directory.

3. Also tried the method described here by sala using utelnetd, dash, and mknod but again no luck.

I am running the latest firmware with the version B. Has dlink broken something in the new version that none of these methods to telnet are working.

Any ideas as to why this is happening? I'd appreciate a response. Many thanks.

JG

Offline

 

#13 2007-01-07 02:19:27

sala
Member / Site Admin
From: Estonia
Registered: 2006-07-28
Posts: 731
Website

Re: Telnet login

Files should be at the root of your hard drive not in any directory. HD_a2 is just mount point and you are not seeing it anywhere (not in samba and nor ftp by default).


DSM-G600 - NetBSD hdd-boot - 80GB Samsung SP0802N
NSA-220 - Gentoo armv5tel 20110121 hdd-boot - 2x 2TB WD WD20EADS

Offline

 

#14 2007-01-07 23:35:12

JohnGalt
New member
Registered: 2007-01-06
Posts: 2

Re: Telnet login

Sala, thanks for the tip. Actually, I had put the files in the root of the hard drive as well and yet it was not working. And, the issue was that my FTP client (WS_FTP) did not change the execute permission of the files even though it showed that it had changed. I installed cygwin and then was able to fix the problem. Everything works great now. I am wondering if I can install tcsh on it now and have the autocompletion available to me!

sala wrote:

Files should be at the root of your hard drive not in any directory. HD_a2 is just mount point and you are not seeing it anywhere (not in samba and nor ftp by default).

Offline

 

#15 2007-01-08 08:22:43

sala
Member / Site Admin
From: Estonia
Registered: 2006-07-28
Posts: 731
Website

Re: Telnet login

JohnGalt wrote:

I am wondering if I can install tcsh on it now and have the autocompletion available to me!

bash has already auto completion.


DSM-G600 - NetBSD hdd-boot - 80GB Samsung SP0802N
NSA-220 - Gentoo armv5tel 20110121 hdd-boot - 2x 2TB WD WD20EADS

Offline

 

#16 2007-01-10 16:25:16

skit
New member
Registered: 2007-01-10
Posts: 3

Re: Telnet login

Hi,

first I'm a newbee and english is not my native language.

I still have problems to log in via telnet.  fun_plug is setup correctly (imo).
After "telnet dsm-g600" an try to login as root this message appears

Connected to dsm-g600.
Escape character is '^]'.

DSM-G600 login: root
login: no valid shadow password
Connection closed by foreign host.

What could be wrong? Can anyone help?

Thanks
skit

Offline

 

#17 2007-01-10 19:36:07

sala
Member / Site Admin
From: Estonia
Registered: 2006-07-28
Posts: 731
Website

Re: Telnet login

skit wrote:

Hi,

first I'm a newbee and english is not my native language.

I still have problems to log in via telnet.  fun_plug is setup correctly (imo).
After "telnet dsm-g600" an try to login as root this message appears

Connected to dsm-g600.
Escape character is '^]'.

DSM-G600 login: root
login: no valid shadow password
Connection closed by foreign host.

What could be wrong? Can anyone help?

Thanks
skit

Have you setup a password for admin user from web interface?


DSM-G600 - NetBSD hdd-boot - 80GB Samsung SP0802N
NSA-220 - Gentoo armv5tel 20110121 hdd-boot - 2x 2TB WD WD20EADS

Offline

 

#18 2007-01-10 19:42:36

skit
New member
Registered: 2007-01-10
Posts: 3

Re: Telnet login

Have you setup a password for admin user from web interface?

Yes, and tried to change the password from the web interface and rebooting / restarting after that - without any success.

Offline

 

#19 2007-01-15 20:17:36

austinstat
New member
Registered: 2007-01-15
Posts: 2

Re: Telnet login

Another Newbie whith an /etc/shadow question.

I have been able to set up both telnet and dropbear ssh succesfully and can log in, but here is my problem. 

When I first set up telnet my web admin password was blank.  Since then I have changed my web admin to a specific password, but my root password remains blank. 

I can change the root password using a passwd command, but once the DSM-G600 is rebooted it reverts back to root having a blank password. 
I also tried changing the admin password using the passwd command, but still after reboot root is back to a blank password. 

I also deleted the root entry in /etc/shadow thinking that the if statement wasn't being called in fun_plug, but again after reboot /etc/shadow looks just as it did after I first set it up with root and admin having a blank password. 

When I log into the web interface however admin requires the set password I set. 

Any ideas? 

Thank you

Offline

 

#20 2007-01-15 21:22:22

skit
New member
Registered: 2007-01-10
Posts: 3

Re: Telnet login

skit wrote:

Hi,

first I'm a newbee and english is not my native language.

I still have problems to log in via telnet.  fun_plug is setup correctly (imo).
After "telnet dsm-g600" an try to login as root this message appears

Connected to dsm-g600.
Escape character is '^]'.

DSM-G600 login: root
login: no valid shadow password
Connection closed by foreign host.

What could be wrong? Can anyone help?

Thanks
skit

I could solve my problem (resetting the box to defaults, formatting the HD and doing a "fresh" setup).
Nearly everything works fine.

skit

Offline

 

#21 2007-01-16 09:33:39

BertrandB
Member
From: Dijon (France)
Registered: 2006-09-16
Posts: 119
Website

Re: Telnet login

austinstat wrote:

Another Newbie whith an /etc/shadow question.

I have been able to set up both telnet and dropbear ssh succesfully and can log in, but here is my problem. 

When I first set up telnet my web admin password was blank.  Since then I have changed my web admin to a specific password, but my root password remains blank.

Ok it's because /etc/shadow issaved in flash.

first edit /etc/shadow
second delete the line with root
third change again the admin passwd with the web interface or create anther account (this flash /etc/shadow)
fouth reboot

Offline

 

#22 2007-01-17 04:11:27

austinstat
New member
Registered: 2007-01-15
Posts: 2

Re: Telnet login

BertrandB wrote:

austinstat wrote:

Another Newbie whith an /etc/shadow question.

I have been able to set up both telnet and dropbear ssh succesfully and can log in, but here is my problem. 

When I first set up telnet my web admin password was blank.  Since then I have changed my web admin to a specific password, but my root password remains blank.

Ok it's because /etc/shadow issaved in flash.

first edit /etc/shadow
second delete the line with root
third change again the admin passwd with the web interface or create anther account (this flash /etc/shadow)
fouth reboot

BertrandB

Thank you for your help.  That worked like a charm. 

Thanks again.

Offline

 

#23 2007-02-06 23:27:03

foogy
Member
Registered: 2007-02-06
Posts: 9

Re: Telnet login

I have a very strange problem with telnet.

There is no problem to log in (although password i blank).

The problem is that the telnet session disconnects as soon as I hit the backspace key, or when using tab completion.

I have used my dsm-g600 with telnet for a couple of weeks witout any problems. What might be the problem that disconnects my telnet session???
I have tried both putty and winXP cmd line telnet.

Here is my fun_plug:

#!/bin/sh
if [ ! -e /mnt/HD_a2/ash ]
then
    ln -s /mnt/HD_a2/busybox /mnt/HD_a2/ash
fi
if [ ! -e /bin/bash ]
then
    ln -s /mnt/HD_a2/bin/bash /bin/bash
fi
if [ ! -e /bin/bzip2 ]
then
    ln -s /mnt/HD_a2/bin/bzip2 /bin/bzip2
fi
if [ ! -e /bin/ctorrent ]
then
    ln -s /mnt/HD_a2/bin/ctorrent /bin/ctorrent
fi
if [ ! -e /bin/joe ]
then
    ln -s /mnt/HD_a2/bin/joe /bin/joe
fi
if [ ! -e /bin/microperl ]
then
    ln -s /mnt/HD_a2/bin/microperl /bin/microperl
fi
if [ ! -e /bin/nohup ]
then
    ln -s /mnt/HD_a2/bin/nohup /bin/nohup
fi
if [ ! -e /bin/vifm ]
then
    ln -s /mnt/HD_a2/bin/vifm /bin/vifm
fi
if [ ! -e /bin/wput ]
then
    ln -s /mnt/HD_a2/bin/wput /bin/wput
fi
if [ ! `grep root /etc/shadow` ]
then
    echo kontroll.`grep admin /etc/shadow` >> /etc/shadow
    /mnt/HD_a2/sed -i -e 's/kontroll.admin/root/' /etc/shadow
fi
/mnt/HD_a2/sed -i -e 's/root:.*/root:x:0:0:Linux User,,,:\/:\/mnt\/HD_a2\/bin\/bash/' /etc/passwd
cd /dev && /mnt/HD_a2/busybox makedevs ptyp c 2 0 0 9
cd /dev && /mnt/HD_a2/busybox makedevs ttyp c 3 0 0 9
/mnt/HD_a2/busybox telnetd &
/bin/smb stop
sleep 20
/bin/touch /etc/printcap
/mnt/HD_a2/bin/smb/smb start
for N in $(pidof upnp); do kill $N; done

Offline

 

#24 2007-03-15 08:15:09

sala
Member / Site Admin
From: Estonia
Registered: 2006-07-28
Posts: 731
Website

Re: Telnet login

It might be because of bash, try switching back to ash.


DSM-G600 - NetBSD hdd-boot - 80GB Samsung SP0802N
NSA-220 - Gentoo armv5tel 20110121 hdd-boot - 2x 2TB WD WD20EADS

Offline

 

#25 2007-07-16 06:39:21

bkamen
Member
From: Central East Illinois, USA
Registered: 2007-07-16
Posts: 80
Website

Re: Telnet login

Hi,

Newbie here (not to unix/linux) but I just got a G600 this weekend as a toy more than anything...

I've copied busybox, sed, and fun_plug written and according the FTP set for 777 (for all files involved)
to the only place I can write (/HD_a2/).

When I reboot and telnet, I get connection refused.

no dice.

Am I missing something?

(Firmware is 1.02)

Thanks,

  -Ben


--
Ben - Don't Ask me how I fixed it - I have no idea what I'm doing!
============================================
http://www.benjammin.net/

Offline

 

Board footer

Powered by PunBB
© Copyright 2002–2010 PunBB