Password reset for ~1998 AIX on RS/6000?

Doug Jackson dougatdoughq at gmail.com
Fri Feb 2 15:10:12 CST 2018


Hi...

>From memory there were a number of remote exploits against AIX 4.x.x

The most simple were against ftpd.

A quick search found this..

https://www.exploit-db.com/exploits/14409/.   This extracts the root user
hash.


Of course if you have local access there is the rlogin vulnerability
against some versions that allowed a normal user to have root privileges
with a trivial command line such as rlogin -l.  But my memory is foggy
there.

Should be a fun task.  One of the nice things about old operating systems
is that there security is pretty well non existent as.things that were zero
days in the 90s are well known now.

Doug




On 3 Feb. 2018 7:49 am, "Ian Finder via cctalk" <cctalk at classiccmp.org>
wrote:

> I had this experience with a Tadpole N40, running AIX 3.
>
> I simply DD'ed the drive, took the image...
> $ strings aix-machine.img | grep root:
> ...to get the password line.
>
> Dump that into a passwd file and run john (the password cracker utility) on
> it for a couple days.
>
> I don't think Linux can mount the early AIX filesystems directly.
>
> On Thu, Feb 1, 2018 at 8:24 PM, r.stricklin via cctalk <
> cctalk at classiccmp.org> wrote:
>
> >
> > On Feb 1, 2018, at 7:28 PM, Tapley, Mark via cctech wrote:
> >
> > >> Image the hard drive off to a raw file using a linux host with a SCSI
> > HBA?
> > >>
> > >> Once that is done, it might be possible to run a hex editor against
> the
> > hard drive (one that doesn't copy the contents into RAM) and then search
> > for the password file. From there you can copy the des hash and use
> rainbow
> > tables / wordfiles to crack it or replace it with a known DES hash?
> >
> > You don't need to do any of these things.
> >
> > > Update, I did locate a CD saying “AIX V4.2.1 for 5765-C34” and this
> URL:
> >
> > All you need is this disk. You can boot it, and use it to start a
> > maintenance shell, from which you can mount the root filesystem and edit
> > the password file(s) directly. The procedure you found will get you
> there,
> > easily.
> >
> > ok
> > bear.
> >
> >
> > --
> > until further notice
> >
> >
>
>
> --
>    Ian Finder
>    (206) 395-MIPS
>    ian.finder at gmail.com
>


More information about the cctech mailing list