Find Out More Available Services on Your NAS


On a non-expandable NAS, there may be hidden services open that are not shown in the web admin. You can use nmap to explore them.

Scan for Available Services

Below is a report generated by nmap against a Promise SmartStor Zero with nmap -v -A 192.168.0.147 (replace 192.168.0.147 with the IP of your NAS).

-v for verbose output
-A for aggressive detection: OS detection, version detection, script scanning and traceroute

Starting Nmap 6.40 ( http://nmap.org ) at 2014-01-13 23:29 CST
NSE: Loaded 110 scripts for scanning.
NSE: Script Pre-scanning.
Initiating Ping Scan at 23:29
Scanning 192.168.0.147 [2 ports]
Completed Ping Scan at 23:29, 0.00s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 23:29
Completed Parallel DNS resolution of 1 host. at 23:29, 0.00s elapsed
Initiating Connect Scan at 23:29
Scanning NS2500 (192.168.0.147) [1000 ports]
Discovered open port 443/tcp on 192.168.0.147
Discovered open port 445/tcp on 192.168.0.147
Discovered open port 139/tcp on 192.168.0.147
Discovered open port 80/tcp on 192.168.0.147
Discovered open port 111/tcp on 192.168.0.147
Discovered open port 2049/tcp on 192.168.0.147
Discovered open port 3689/tcp on 192.168.0.147
Discovered open port 873/tcp on 192.168.0.147
Discovered open port 548/tcp on 192.168.0.147
Completed Connect Scan at 23:29, 0.17s elapsed (1000 total ports)
Initiating Service scan at 23:29
Scanning 9 services on NS2500 (192.168.0.147)
Completed Service scan at 23:29, 12.14s elapsed (9 services on 1 host)
NSE: Script scanning 192.168.0.147.
Initiating NSE at 23:29
Completed NSE at 23:29, 1.33s elapsed
Nmap scan report for NS2500 (192.168.0.147)
Host is up (0.0098s latency).
Not shown: 991 closed ports
PORT     STATE SERVICE     VERSION
80/tcp   open  http        lighttpd 1.4.23
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
|_http-title: Promise Advanced Storage Manager
111/tcp  open  rpcbind     2 (RPC #100000)
| rpcinfo: 
|   program version   port/proto  service
|   100000  2            111/tcp  rpcbind
|   100000  2            111/udp  rpcbind
|   100003  2,3         2049/tcp  nfs
|   100003  2,3         2049/udp  nfs
|   100005  1,2,3        714/udp  mountd
|   100005  1,2,3        717/tcp  mountd
|   100011  1,2          713/udp  rquotad
|   100021  1,3,4      45575/tcp  nlockmgr
|   100021  1,3,4      58893/udp  nlockmgr
|   100024  1            730/udp  status
|_  100024  1            733/tcp  status
139/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
443/tcp  open  ssl/http    lighttpd 1.4.23
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
|_http-title: Promise Advanced Storage Manager
| ssl-cert: Subject: commonName=www.promise.com.tw/organizationName=Promise/stateOrProvinceName=Taiwan/countryName=TW
| Issuer: commonName=www.promise.com.tw/organizationName=Promise/stateOrProvinceName=Taiwan/countryName=TW
| Public Key type: rsa
| Public Key bits: 1024
| Not valid before: 2007-05-18T09:07:22+00:00
| Not valid after:  2017-05-15T09:07:22+00:00
| MD5:   97af 942d 9a91 968e 5f64 1c80 2c3a beea
|_SHA-1: ea8f c14f 6799 5c5c fd2d c878 1865 73b9 5939 a2ad
|_ssl-date: 2011-11-30T13:04:31+00:00; -2y44d2h25m19s from local time.
| sslv2: 
|   SSLv2 supported
|   ciphers: 
|     SSL2_DES_192_EDE3_CBC_WITH_MD5
|     SSL2_RC2_CBC_128_CBC_WITH_MD5
|     SSL2_RC4_128_WITH_MD5
|     SSL2_RC4_64_WITH_MD5
|     SSL2_DES_64_CBC_WITH_MD5
|     SSL2_RC2_CBC_128_CBC_WITH_MD5
|_    SSL2_RC4_128_EXPORT40_WITH_MD5
445/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
548/tcp  open  afp         Netatalk 2 (name: SMARTSTORE; protocol 3.1)
| afp-serverinfo: 
|   | Server Flags: 0x837d
|   |   Super Client: Yes
|   |   UUIDs: No
|   |   UTF8 Server Name: Yes
|   |   Open Directory: Yes
|   |   Reconnect: No
|   |   Server Notifications: Yes
|   |   TCP/IP: Yes
|   |   Server Signature: Yes
|   |   ServerMessages: Yes
|   |   Password Saving Prohibited: Yes
|   |   Password Changing: No
|   |_  Copy File: Yes
|   Server Name: SMARTSTORE
|   Machine Type: Netatalk
|   AFP Versions: AFPVersion 1.1, AFPVersion 2.0, AFPVersion 2.1, AFP2.2, AFPX03, AFP3.1
|   UAMs: DHCAST128, Cleartxt Passwrd
|   Server Signature: 0093c0a80093c0a80093c0a80093c0a8
|   Network Address 1: 192.168.0.147
|_  UTF8 Server Name: SMARTSTORE
873/tcp  open  rsync       (protocol version 30)
2049/tcp open  nfs         2-3 (RPC #100003)
| rpcinfo: 
|   program version   port/proto  service
|   100000  2            111/tcp  rpcbind
|   100000  2            111/udp  rpcbind
|   100003  2,3         2049/tcp  nfs
|   100003  2,3         2049/udp  nfs
|   100005  1,2,3        714/udp  mountd
|   100005  1,2,3        717/tcp  mountd
|   100011  1,2          713/udp  rquotad
|   100021  1,3,4      45575/tcp  nlockmgr
|   100021  1,3,4      58893/udp  nlockmgr
|   100024  1            730/udp  status
|_  100024  1            733/tcp  status
3689/tcp open  daap        mt-daapd DAAP svn-1586
Service Info: OS: Unix

Host script results:
| nbstat: 
|   NetBIOS name: SMARTSTORE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown>
|   Names
|     SMARTSTORE<00>       Flags: <unique><active>
|     SMARTSTORE<03>       Flags: <unique><active>
|     SMARTSTORE<20>       Flags: <unique><active>
|     WORKGROUP<1e>        Flags: <group><active>
|_    WORKGROUP<00>        Flags: <group><active>
| smb-os-discovery: 
|   OS: Unix (Samba 3.0.31)
|   Computer name: smartstore
|   NetBIOS computer name: 
|   Domain name: workgroup
|   FQDN: smartstore.workgroup
|_  System time: 2011-11-30T13:04:31+00:00
| smb-security-mode: 
|   Account that was used for smb scripts: guest
|   User-level authentication
|   SMB Security: Challenge/response passwords supported
|_  Message signing disabled (dangerous, but default)
|_smbv2-enabled: Server doesn't support SMBv2 protocol

NSE: Script Post-scanning.
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.11 seconds

As you can see from the report, there is a hidden rsync service open on tcp 873 (marked in red).

But there may be more; you need to specify the ports to scan. According to Mike Makuch, there is a telnet service on port 2380 (usually 23) on the Promise SmartStor NS4300N. I scanned the Promise SmartStor Zero for ports 2300 to 2399 with nmap -A -p2300-2399 192.168.0.147 (replace 192.168.0.147 with the IP of your NAS) and got the following result:

Starting Nmap 6.40 ( http://nmap.org ) at 2014-01-14 09:46 CST
Nmap scan report for NS2500 (192.168.0.147)
Host is up (0.0057s latency).
Not shown: 99 closed ports
PORT     STATE SERVICE VERSION
2380/tcp open  telnet  Linux telnetd
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 0.28 seconds
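As an added example (not from the original post), here is a small Python script that reads nmap -A normal output like the two reports above and lists the open ports the web admin does not advertise, plus the weak settings the NSE output reveals. The SAMPLE_NMAP text is constructed from the report above, and the ADVERTISED set is an assumption about what this NAS's admin UI shows.

```python
import re
# Constructed sample in the shape of the nmap -A normal output quoted above
# (Promise SmartStor Zero, abridged to the lines that matter here).
SAMPLE_NMAP = """\
PORT     STATE SERVICE     VERSION
80/tcp   open  http        lighttpd 1.4.23
443/tcp  open  ssl/http    lighttpd 1.4.23
| Public Key bits: 1024
|   SSLv2 supported
548/tcp  open  afp         Netatalk 2 (name: SMARTSTORE; protocol 3.1)
|   UAMs: DHCAST128, Cleartxt Passwrd
873/tcp  open  rsync       (protocol version 30)
2380/tcp open  telnet  Linux telnetd
Host script results:
|_  Message signing disabled (dangerous, but default)
"""
# Ports the NAS web admin shows (assumed for this example; adjust to your unit),
# services with an unencrypted transport, and NSE markers that reveal a weak setting.
ADVERTISED = {80, 111, 139, 443, 445, 548, 2049, 3689}
UNENCRYPTED = {"telnet", "ftp", "rsync"}
WEAK_MARKERS = [("SSLv2 supported", "SSLv2 enabled"),
                ("Public Key bits: 1024", "1024-bit RSA certificate key"),
                ("Cleartxt Passwrd", "AFP accepts cleartext passwords"),
                ("Message signing disabled", "SMB signing disabled")]
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")

def parse_open_ports(report):
    """Return [(port, proto, service, version)] for every open port in the report."""
    hits = (PORT_RE.match(line) for line in report.splitlines())
    return [(int(m.group(1)), m.group(2), m.group(4), m.group(5).strip())
            for m in hits if m and m.group(3) == "open"]

def find_hidden(report, advertised=ADVERTISED):
    """Open ports the admin UI does not advertise: the 'hidden' services."""
    return [p for p in parse_open_ports(report) if p[0] not in advertised]

def find_weak_settings(report):
    """(where, finding) pairs, each attributed to the port block it was printed under."""
    findings, where = [], None
    for line in report.splitlines():
        m = PORT_RE.match(line)
        if m:  # a new port block starts; flag cleartext services right away
            where = f"{m.group(1)}/{m.group(2)}"
            if m.group(4) in UNENCRYPTED:
                findings.append((where, "unencrypted transport"))
        elif line.startswith("Host script results"):
            where = "host"
        findings += [(where, msg) for marker, msg in WEAK_MARKERS if marker in line]
    return findings
```

Feed it the full report with find_hidden(open("scan.txt").read()) and compare the result against what the admin UI lists; anything left over deserves a look.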

See Who is Listening

If you can log in to the NAS, use netstat -tulpn to see which process is listening on which port. Here is a sample result from an Asustor AS-602T running ADM 2.1 Beta.

root@AS602T:/volume1/.@root # netstat -tulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      25335/sshd
tcp        0      0 0.0.0.0:631             0.0.0.0:*               LISTEN      9985/cupsd
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      27031/myhttpd
tcp        0      0 0.0.0.0:3260            0.0.0.0:*               LISTEN      29285/iscsi-scstd
tcp        0      0 0.0.0.0:8000            0.0.0.0:*               LISTEN      25192/lighttpd
tcp        0      0 0.0.0.0:8001            0.0.0.0:*               LISTEN      25192/lighttpd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      9959/mysqld
tcp        0      0 :::21                   :::*                    LISTEN      31699/proftpd: (acc
tcp        0      0 :::22                   :::*                    LISTEN      25335/sshd
tcp        0      0 :::631                  :::*                    LISTEN      9985/cupsd
tcp        0      0 :::3260                 :::*                    LISTEN      29285/iscsi-scstd
tcp        0      0 :::8000                 :::*                    LISTEN      25192/lighttpd
tcp        0      0 :::8001                 :::*                    LISTEN      25192/lighttpd
tcp        0      0 :::80                   :::*                    LISTEN      9955/apache2
udp        0      0 0.0.0.0:8888            0.0.0.0:*                           26526/hostmand
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           10295/avahi-daemon:
udp        0      0 0.0.0.0:53277           0.0.0.0:*                           10295/avahi-daemon:
udp        0      0 0.0.0.0:38966           0.0.0.0:*                           1059/dhclient
udp        0      0 0.0.0.0:68              0.0.0.0:*                           1059/dhclient
udp        0      0 :::29428                :::*                                1059/dhclient
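As an added example (not the post's own code), a Python parser for netstat -tulpn output like the one above that reports only the listeners reachable from the network and merges the IPv4 and IPv6 rows of the same program; the sample text is constructed from the output above.

```python
import re

# Constructed sample in the shape of the netstat -tulpn output quoted above
# (Asustor AS-602T, abridged).
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      25335/sshd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      9959/mysqld
tcp        0      0 :::21                   :::*                    LISTEN      31699/proftpd: (acc
tcp        0      0 :::22                   :::*                    LISTEN      25335/sshd
tcp        0      0 :::80                   :::*                    LISTEN      9955/apache2
udp        0      0 0.0.0.0:8888            0.0.0.0:*                           26526/hostmand
udp        0      0 0.0.0.0:68              0.0.0.0:*                           1059/dhclient
"""

LOOPBACK = {"127.0.0.1", "::1"}
WILDCARD = {"0.0.0.0", "::"}
PROG_RE = re.compile(r"\b(\d+)/(\S+)")  # the PID/Program column, e.g. 25335/sshd

def parse_listeners(output):
    """Return [(proto, bind_addr, port, pid, program)] for each socket line."""
    rows = []
    for line in output.splitlines():
        f = line.split()
        if len(f) < 5 or f[0] not in ("tcp", "tcp6", "udp", "udp6"):
            continue  # skip the two header lines
        addr, port = f[3].rsplit(":", 1)
        m = PROG_RE.search(line)  # UDP rows have no State column, so locate it by pattern
        pid, prog = (int(m.group(1)), m.group(2).rstrip(":")) if m else (None, "?")
        rows.append((f[0], addr, int(port), pid, prog))
    return rows

def exposed_listeners(output):
    """Sockets reachable from the network (not bound to loopback), one entry per
    proto/port/program with the IPv4 and IPv6 bindings merged."""
    merged = {}
    for proto, addr, port, pid, prog in parse_listeners(output):
        if addr in LOOPBACK:
            continue
        key = (proto.rstrip("6"), port, prog)
        merged.setdefault(key, set()).add("any" if addr in WILDCARD else addr)
    return sorted((p, port, prog, sorted(b)) for (p, port, prog), b in merged.items())
```

Note that mysqld drops out because it is bound to 127.0.0.1 only, while hostmand on udp 8888 stays in the list because it listens on every interface.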

Your admin Is Not root

When I tried to use rsync to sync a remote and a local folder, it asked for a password. The default password for admin doesn't work.

rsync -av 192.168.0.147::SMARTNAVI/VOLUME1/PUBLIC/TEST /home/amigo/Test2

192.168.0.147 can be replaced with the IP of your NAS.
SMARTNAVI/VOLUME1/PUBLIC/TEST can be replaced with your source. Use rsync 192.168.0.147:: to list all available modules.
/home/amigo/Test2 can be replaced with your destination.
-e or --rsh selects a remote shell such as SSH; it is not used here, because the double-colon syntax connects directly to the rsync daemon on tcp 873, not over SSH.

Then I tried telnet 192.168.0.147 2380, but it failed: my account is not allowed to log in.

Trying 192.168.0.147...
Connected to 192.168.0.147.
Escape character is '^]'.
NS2500 R2.0 A1 (Version 02.01.0000.17) - Promise Technology, INC.
smartstore login: admin
Password: 

BusyBox v1.00-rc2 (2006.11.07-01:55+0000) Built-in shell (ash)
Enter 'help' for a list of built-in commands.

admin isn't allowed to login!
Connection closed by foreign host.

Brute-force your Password

I googled for password recovery and followed a thread on Security StackExchange to give THC-Hydra a try. You need to download the source and compile it yourself. It's very well documented in the README file.

I tried to brute-force telnet with the user name engmode found by Mike Makuch.

hydra -l engmode -x 7:7:a1 192.168.0.147 telnet -s 2380

-l to specify the user name.
-x 7:7:a1 for a mask of combinations with a minimum and maximum length of 7 characters, using lowercase letters and digits.
-s to specify the port number.

Without a good dictionary, brute-forcing takes a very long time. I didn't finish running all the combinations and gave up.

Final Thoughts

It's interesting to learn some new things about security: a new challenge to break into my own NAS. Exciting and fun! 🙂

Read the Source

In the PCDVD Forum thread Promise SmartStor Zero 的功能並不是只在管理界面,要不要檢查看看您的 NAS?, hchihwei left an interesting comment:

Getting root is very simple, because this is a cut-down version.
Originally it had a way to change root, but since it was cut down, they turned it off.
The place to change the password is in the web interface.

You can see it with View Source, then use the Chrome developer tools to enable it, and you can change it.

In other words, he says you can log in to the web admin of the Promise SmartStor Zero with Chrome, press F12 to open the developer tools, and enable the password-change control in the page source so you can change the root password.

Sometimes you just need to get your hands dirty and read the source code; it may be faster than brute force.

References

  1. nmap
  2. Promise SmartStor Zero
  3. DigitalOcean: How To Use Nmap to Scan for Open Ports on your VPS
  4. Mike Makuch’s home page: telnet/rsync access to Promise ns4300n NAS
  5. Promise SmartStor NS4300N
  6. nixCraft: Linux: Find Out Which Process Is Listening Upon a Port
  7. Asustor: ADM
  8. Asustor: AS-602T
  9. Samba: rsync
  10. Security StackExchange: Password recovery tool over telnet or http basic auth
  11. THC-Hydra
  12. Pro Hack: Basics of cracking FTP and Telnet accounts
  13. PCDVD Forum: Promise SmartStor Zero 的功能並不是只在管理界面,要不要檢查看看您的 NAS?
