On a non-expandable NAS there may be hidden services listening that the web admin interface does not show. You can use nmap to find them.
Scan for Available Service
Below is a report generated by nmap against a Promise SmartStor Zero with nmap -v -A 192.168.0.147 (replace 192.168.0.147 with the IP of your NAS).
-v for verbose output
-A to detect the OS and service versions (it also runs the NSE scripts whose output appears in the report)
Starting Nmap 6.40 ( http://nmap.org ) at 2014-01-13 23:29 CST
NSE: Loaded 110 scripts for scanning.
NSE: Script Pre-scanning.
Initiating Ping Scan at 23:29
Scanning 192.168.0.147 [2 ports]
Completed Ping Scan at 23:29, 0.00s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 23:29
Completed Parallel DNS resolution of 1 host. at 23:29, 0.00s elapsed
Initiating Connect Scan at 23:29
Scanning NS2500 (192.168.0.147) [1000 ports]
Discovered open port 443/tcp on 192.168.0.147
Discovered open port 445/tcp on 192.168.0.147
Discovered open port 139/tcp on 192.168.0.147
Discovered open port 80/tcp on 192.168.0.147
Discovered open port 111/tcp on 192.168.0.147
Discovered open port 2049/tcp on 192.168.0.147
Discovered open port 3689/tcp on 192.168.0.147
Discovered open port 873/tcp on 192.168.0.147
Discovered open port 548/tcp on 192.168.0.147
Completed Connect Scan at 23:29, 0.17s elapsed (1000 total ports)
Initiating Service scan at 23:29
Scanning 9 services on NS2500 (192.168.0.147)
Completed Service scan at 23:29, 12.14s elapsed (9 services on 1 host)
NSE: Script scanning 192.168.0.147.
Initiating NSE at 23:29
Completed NSE at 23:29, 1.33s elapsed
Nmap scan report for NS2500 (192.168.0.147)
Host is up (0.0098s latency).
Not shown: 991 closed ports
PORT STATE SERVICE VERSION
80/tcp open http lighttpd 1.4.23
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
|_http-title: Promise Advanced Storage Manager
111/tcp open rpcbind 2 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2 111/tcp rpcbind
| 100000 2 111/udp rpcbind
| 100003 2,3 2049/tcp nfs
| 100003 2,3 2049/udp nfs
| 100005 1,2,3 714/udp mountd
| 100005 1,2,3 717/tcp mountd
| 100011 1,2 713/udp rquotad
| 100021 1,3,4 45575/tcp nlockmgr
| 100021 1,3,4 58893/udp nlockmgr
| 100024 1 730/udp status
|_ 100024 1 733/tcp status
139/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
443/tcp open ssl/http lighttpd 1.4.23
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
|_http-title: Promise Advanced Storage Manager
| ssl-cert: Subject: commonName=www.promise.com.tw/organizationName=Promise/stateOrProvinceName=Taiwan/countryName=TW
| Issuer: commonName=www.promise.com.tw/organizationName=Promise/stateOrProvinceName=Taiwan/countryName=TW
| Public Key type: rsa
| Public Key bits: 1024
| Not valid before: 2007-05-18T09:07:22+00:00
| Not valid after: 2017-05-15T09:07:22+00:00
| MD5: 97af 942d 9a91 968e 5f64 1c80 2c3a beea
|_SHA-1: ea8f c14f 6799 5c5c fd2d c878 1865 73b9 5939 a2ad
|_ssl-date: 2011-11-30T13:04:31+00:00; -2y44d2h25m19s from local time.
| sslv2:
| SSLv2 supported
| ciphers:
| SSL2_DES_192_EDE3_CBC_WITH_MD5
| SSL2_RC2_CBC_128_CBC_WITH_MD5
| SSL2_RC4_128_WITH_MD5
| SSL2_RC4_64_WITH_MD5
| SSL2_DES_64_CBC_WITH_MD5
| SSL2_RC2_CBC_128_CBC_WITH_MD5
|_ SSL2_RC4_128_EXPORT40_WITH_MD5
445/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
548/tcp open afp Netatalk 2 (name: SMARTSTORE; protocol 3.1)
| afp-serverinfo:
| | Server Flags: 0x837d
| | Super Client: Yes
| | UUIDs: No
| | UTF8 Server Name: Yes
| | Open Directory: Yes
| | Reconnect: No
| | Server Notifications: Yes
| | TCP/IP: Yes
| | Server Signature: Yes
| | ServerMessages: Yes
| | Password Saving Prohibited: Yes
| | Password Changing: No
| |_ Copy File: Yes
| Server Name: SMARTSTORE
| Machine Type: Netatalk
| AFP Versions: AFPVersion 1.1, AFPVersion 2.0, AFPVersion 2.1, AFP2.2, AFPX03, AFP3.1
| UAMs: DHCAST128, Cleartxt Passwrd
| Server Signature: 0093c0a80093c0a80093c0a80093c0a8
| Network Address 1: 192.168.0.147
|_ UTF8 Server Name: SMARTSTORE
873/tcp open rsync (protocol version 30)
2049/tcp open nfs 2-3 (RPC #100003)
| rpcinfo:
| program version port/proto service
| 100000 2 111/tcp rpcbind
| 100000 2 111/udp rpcbind
| 100003 2,3 2049/tcp nfs
| 100003 2,3 2049/udp nfs
| 100005 1,2,3 714/udp mountd
| 100005 1,2,3 717/tcp mountd
| 100011 1,2 713/udp rquotad
| 100021 1,3,4 45575/tcp nlockmgr
| 100021 1,3,4 58893/udp nlockmgr
| 100024 1 730/udp status
|_ 100024 1 733/tcp status
3689/tcp open daap mt-daapd DAAP svn-1586
Service Info: OS: Unix
Host script results:
| nbstat:
| NetBIOS name: SMARTSTORE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown>
| Names
| SMARTSTORE<00> Flags: <unique><active>
| SMARTSTORE<03> Flags: <unique><active>
| SMARTSTORE<20> Flags: <unique><active>
| WORKGROUP<1e> Flags: <group><active>
|_ WORKGROUP<00> Flags: <group><active>
| smb-os-discovery:
| OS: Unix (Samba 3.0.31)
| Computer name: smartstore
| NetBIOS computer name:
| Domain name: workgroup
| FQDN: smartstore.workgroup
|_ System time: 2011-11-30T13:04:31+00:00
| smb-security-mode:
| Account that was used for smb scripts: guest
| User-level authentication
| SMB Security: Challenge/response passwords supported
|_ Message signing disabled (dangerous, but default)
|_smbv2-enabled: Server doesn't support SMBv2 protocol
NSE: Script Post-scanning.
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.11 seconds
As you can see from the report, a hidden rsync service is open on tcp port 873 (highlighted in red in the original post).
But there are more: you need to specify which ports to scan. According to Mike Makuch, the Promise SmartStor NS4300N has a telnet service on port 2380 (usually 23). I scan the Promise SmartStor Zero for ports 2300 to 2399 with nmap -A -p2300-2399 192.168.0.147 (replace 192.168.0.147 with the IP of your NAS) and get the following result:
Starting Nmap 6.40 ( http://nmap.org ) at 2014-01-14 09:46 CST
Nmap scan report for NS2500 (192.168.0.147)
Host is up (0.0057s latency).
Not shown: 99 closed ports
PORT STATE SERVICE VERSION
2380/tcp open telnet Linux telnetd
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 0.28 seconds
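As an added example (not part of the original post), here is a Python script that walks nmap's normal output, as in the two reports above, and turns it into a short hardening checklist: open rsync, NFS and telnet ports, SSLv2 on the HTTPS admin interface, a certificate key under 2048 bits and disabled SMB signing. The sample report is a constructed excerpt of the output above, and the risk policy it applies is this example's own assumption, not something nmap or the post defines.

```python
import re
# Constructed excerpt of the nmap -A report above; the real one has more lines.
NMAP_REPORT = """\
80/tcp open http lighttpd 1.4.23
443/tcp open ssl/http lighttpd 1.4.23
| Public Key bits: 1024
|   SSLv2 supported
873/tcp open rsync (protocol version 30)
2049/tcp open nfs 2-3 (RPC #100003)
2380/tcp open telnet Linux telnetd
Host script results:
|_  Message signing disabled (dangerous, but default)
"""
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")
# Review policy (the example's own, not the post's): services a home NAS should
# not expose without a deliberate decision, and NSE fragments worth a finding.
RISKY_SERVICES = {
    "telnet": "cleartext login; disable it or firewall it off",
    "rsync": "rsync daemon; require auth and set hosts allow per module",
    "nfs": "NFS export; restrict exports to trusted clients",
}
SCRIPT_FLAGS = {
    "SSLv2 supported": "SSLv2 enabled on the HTTPS admin interface",
    "Message signing disabled": "SMB message signing disabled",
}

def flag_script_line(text):
    # One NSE script line -> finding text or None; RSA keys under 2048 bits count
    m = re.search(r"Public Key bits: (\d+)", text)
    if m and int(m.group(1)) < 2048:
        return f"weak {m.group(1)}-bit RSA certificate key"
    return next((why for needle, why in SCRIPT_FLAGS.items() if needle in text), None)

def triage(report):
    # Walk nmap normal output; return [(port or "host", finding), ...] in report order
    findings, current = [], "host"
    for line in report.splitlines():
        m = PORT_RE.match(line)
        if m:
            port, proto, state, service = m.groups()
            current = f"{port}/{proto}"
            if state == "open" and service in RISKY_SERVICES:
                findings.append((current, RISKY_SERVICES[service]))
        elif line.startswith("Host script results"):
            current = "host"  # later script lines describe the host, not a port
        elif line.startswith("|") and (why := flag_script_line(line.lstrip("|_ "))):
            findings.append((current, why))
    return findings
```

Running triage(NMAP_REPORT) yields six findings; feed it the full report saved with nmap -oN to triage the real device.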
See Who is Listening
If you can log in to the NAS, use netstat -tulpn to see which process is listening on each port. Here is a sample result from an Asustor AS-602T running ADM 2.1 Beta.
root@AS602T:/volume1/.@root # netstat -tulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      25335/sshd
tcp        0      0 0.0.0.0:631             0.0.0.0:*               LISTEN      9985/cupsd
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      27031/myhttpd
tcp        0      0 0.0.0.0:3260            0.0.0.0:*               LISTEN      29285/iscsi-scstd
tcp        0      0 0.0.0.0:8000            0.0.0.0:*               LISTEN      25192/lighttpd
tcp        0      0 0.0.0.0:8001            0.0.0.0:*               LISTEN      25192/lighttpd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      9959/mysqld
tcp        0      0 :::21                   :::*                    LISTEN      31699/proftpd: (acc
tcp        0      0 :::22                   :::*                    LISTEN      25335/sshd
tcp        0      0 :::631                  :::*                    LISTEN      9985/cupsd
tcp        0      0 :::3260                 :::*                    LISTEN      29285/iscsi-scstd
tcp        0      0 :::8000                 :::*                    LISTEN      25192/lighttpd
tcp        0      0 :::8001                 :::*                    LISTEN      25192/lighttpd
tcp        0      0 :::80                   :::*                    LISTEN      9955/apache2
udp        0      0 0.0.0.0:8888            0.0.0.0:*                           26526/hostmand
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           10295/avahi-daemon:
udp        0      0 0.0.0.0:53277           0.0.0.0:*                           10295/avahi-daemon:
udp        0      0 0.0.0.0:38966           0.0.0.0:*                           1059/dhclient
udp        0      0 0.0.0.0:68              0.0.0.0:*                           1059/dhclient
udp        0      0 :::29428                :::*                                1059/dhclient
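An added example (not from the original post or from Asustor): a Python helper that parses netstat -tulpn output like the listing above, separates loopback-only listeners from those bound to every interface, and builds an nmap -p port list so you can confirm from another machine which of them are really reachable. The sample listing is a constructed, trimmed copy of the AS-602T output; the T:/U: port syntax is nmap's own.

```python
# Constructed sample in netstat -tulpn format, trimmed from the AS-602T output above.
NETSTAT_OUTPUT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      25335/sshd
tcp        0      0 0.0.0.0:3260            0.0.0.0:*               LISTEN      29285/iscsi-scstd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      9959/mysqld
tcp        0      0 :::21                   :::*                    LISTEN      31699/proftpd: (acc
tcp        0      0 :::22                   :::*                    LISTEN      25335/sshd
tcp        0      0 :::80                   :::*                    LISTEN      9955/apache2
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           10295/avahi-daemon:
udp        0      0 0.0.0.0:68              0.0.0.0:*                           1059/dhclient
"""

LOOPBACK = ("127.", "::1")


def parse_listeners(text):
    """Return (proto, bind address, port, pid/program) for each listening socket."""
    rows = []
    for line in text.splitlines():
        parts = line.split(None, 6)  # program name may contain spaces (proftpd row)
        if len(parts) < 6 or not parts[0].startswith(("tcp", "udp")):
            continue  # header lines
        addr, port = parts[3].rsplit(":", 1)  # rsplit copes with the IPv6 "::" prefix
        rows.append((parts[0], addr, int(port), parts[-1]))
    return rows


def exposed(text):
    """Listeners bound to every interface (0.0.0.0 or ::), i.e. reachable from the LAN;
    loopback-only services such as mysqld on 127.0.0.1:3306 are left out."""
    return [r for r in parse_listeners(text) if not r[1].startswith(LOOPBACK)]


def nmap_port_spec(text):
    """Build an nmap -p argument covering the exposed ports, so a scan from another
    host verifies what is really reachable; nmap's default scan covers only the
    1000 most common ports and misses unusual ones (like telnet on 2380 above)."""
    tcp = sorted({p for proto, _, p, _ in exposed(text) if proto.startswith("tcp")})
    udp = sorted({p for proto, _, p, _ in exposed(text) if proto.startswith("udp")})
    spec = []
    if tcp:
        spec.append("T:" + ",".join(map(str, tcp)))
    if udp:
        spec.append("U:" + ",".join(map(str, udp)))
    return ",".join(spec)
```

With the sample, nmap_port_spec returns the argument for nmap -sS -sU -p T:21,22,80,3260,U:68,5353 <NAS IP>, run from a second machine on the LAN.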
Your admin is not root
When I try to use rsync to sync a remote folder to a local one, it asks for a password. The default admin password doesn't work.
rsync -av 192.168.0.147::SMARTNAVI/VOLUME1/PUBLIC/TEST /home/amigo/Test2
192.168.0.147 can be replaced by the IP of your NAS.
SMARTNAVI/VOLUME1/PUBLIC/TEST can be replaced by your source path. Use rsync 192.168.0.147:: to list all available modules.
/home/amigo/Test2 can be replaced by your destination.
Do not add -e or --rsh here: the double-colon syntax talks to the rsync daemon directly, so SSH is not involved, and a remote shell cannot be used to connect to the rsync daemon.
Then I try telnet 192.168.0.147 2380, but it fails: my account is not allowed to log in.
Trying 192.168.0.147...
Connected to 192.168.0.147.
Escape character is '^]'.
NS2500 R2.0 A1 (Version 02.01.0000.17) - Promise Technology, INC.
smartstore login: admin
Password:
BusyBox v1.00-rc2 (2006.11.07-01:55+0000) Built-in shell (ash)
Enter 'help' for a list of built-in commands.
admin isn't allowed to login!
Connection closed by foreign host.
Brute-force your Password
I google for password recovery and follow a thread on Security StackExchange to give THC-Hydra a try. You need to download the source and compile it yourself. It's very well documented in the README file.
I try to brute-force the telnet login with the user name engmode found by Mike Makuch.
hydra -l engmode -x 7:7:a1 192.168.0.147 telnet -s 2380
-l to specify the user name.
-x 7:7:a1 to generate candidates from a mask: minimum and maximum length of 7 characters, using lowercase letters and digits (no capitals).
-s to specify the port number.
Without a good dictionary, brute-forcing takes a very long time. I didn't finish running all the combinations and gave up.
Final Thoughts
It's interesting to learn some new things about security. A new challenge: breaking into my own NAS. Exciting and fun! 🙂
Read the Source
In the PCDVD Forum thread Promise SmartStor Zero 的功能並不是只在管理界面,要不要檢查看看您的 NAS?, hchihwei leaves an interesting comment:
Getting root is easy. Because this is a cut-down version: it originally had a way to change the root password, but since it was cut down, they disabled it. The place to change the password is still in the web interface; you can see it with View Source, then use the Chrome developer tools to unhide it and you can change it.
In English: he says you can log in to the web admin of the Promise SmartStor Zero with Chrome, press F12 to open the developer tools, and unhide the form found in the page source to change the root password.
Sometimes you just need to get your hands dirty and read the source code; it may be faster than brute-force.
Reference
- nmap
- Promise SmartStor Zero
- DigitalOcean: How To Use Nmap to Scan for Open Ports on your VPS
- Mike Makuch’s home page: telnet/rsync access to Promise ns4300n NAS
- Promise SmartStor NS4300N
- nixCraft: Linux: Find Out Which Process Is Listening Upon a Port
- Asustor: ADM
- Asustor: AS-602T
- Samba: rsync
- Security StackExchange: Password recovery tool over telnet or http basic auth
- THC-Hydra
- Pro Hack: Basics of cracking FTP and Telnet accounts
- PCDVD Forum: Promise SmartStor Zero 的功能並不是只在管理界面,要不要檢查看看您的 NAS?