Motorola 6300 Workstation - root password hacking?

1ST1

Someone (frankhintsch) in Germany has a working Motorola 6300 Unix workstation. And he doesn't remember the root password. How to get in?

He has a manual which also talks about single mode bootup. But nobody knows how to start single mode. And it looks like even in single mode it asks for the root password.

Any hints? See more details, photos and manual scans here: http://forum.classic-computing.de/index.php?page=Thread&threadID=12141&action=firstNew

The only idea so far that will hopefully work is to raw read the ST-506 (MFM) hard disk with an MFM drive reader/emulator (see here), try to decode the disk, and hope to find the password (encrypted or unencrypted) in /etc/passwd or /etc/shadow (and probably decrypt it with the speed of a modern PC).

What do you think?
 
RetroHacker_ and I did something similar with a large lot of UNIX machines from the same owner. We found one that had a SCSI hard disk and cracked the root password from /etc/passwd. It was running an old version of SunOS, which was limited to 3des password encryption, and 8 character passwords. Using some educated tuning with John the Ripper, we retrieved the root password in an afternoon on a dual-core i5 laptop running Linux, and the rest of the accounts within a few days. The previous owner had used the same root password on all of his systems, so we were able to get the original installs of various OSes up and going.

Something to consider: if the machine has Ethernet and will come up (but can't be logged in to), it's worthwhile to see what services are running. There's a good chance something will be misconfigured and/or have known vulnerabilities that can be exploited. For instance, sufficiently old SunOS has a vulnerability in the rlogin system that completely compromises the machine, and rlogin is almost always running.
 
Single user mode is typically entered by telling the system to reboot directly into single user mode, so you'd need to be able to boot it up in the first place.
On the other hand, if you can cause a disk failure that prevents it from going into user mode or network mode, it should halt in single user mode and ask you to fix the problem. Caveat here is that you're usually also in a read only mode.

If it is booting up all the way, it would be a good idea to scan it, like Glitch mentioned. The server is likely to have several exploitable issues from that era.

There are 2 methods that I would have used in the days before breaking the boot sequence was common. First, boot off installation media and escape to the shell, then mount the boot disk and either add a user with a known password hash and UID 0, or modify the root user's password hash to one that was known. You can do this with any editor and not have to rely on the passwd utility targeting the right password file. The second method would have been to install the drive as a secondary in another system and mount and modify the password file as above.
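An added example, not part of any post in this thread: a small audit of a recovered classic-format /etc/passwd that flags what the posts above depend on, namely 13-character DES crypt hashes stored in the world-readable file, accounts with no password, and extra UID 0 accounts. The sample file and its hash strings are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample in the classic 7-field passwd format; hashes are made up.
SAMPLE_PASSWD = """\
root:ab1Q9xZk3LmNo:0:0:Super User:/:/bin/sh
daemon:*:1:1::/:
frank:cdE4fGhIjKlMn:100:10:Frank:/usr/frank:/bin/sh
toor:opQ7rStUvWxYz:0:0::/:/bin/sh
guest::200:20:Guest:/usr/guest:/bin/sh
broken line without fields
"""

DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")  # 2-char salt + 11-char hash
EXTRA_ROOT = "non-root account with UID 0"
NO_PASSWORD = "no password set"
WEAK_HASH = "DES crypt hash readable in passwd (only 8 password chars used)"
MALFORMED = "malformed entry"

def classify_hash(field):
    """Classify the second passwd field; System V may append ',aging' data."""
    field = field.split(",", 1)[0]
    if field == "":
        return "empty"
    if field == "x":
        return "shadowed"
    if field.startswith(("*", "!")):
        return "locked"
    if DES_CRYPT.match(field):
        return "des-crypt"
    return "modular-crypt" if field.startswith("$") else "unknown"

def audit_passwd(text):
    """Return (line number, account, finding) tuples for risky entries."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 7:
            findings.append((lineno, None, MALFORMED))
            continue
        name, pw, uid = parts[0], parts[1], parts[2]
        if uid == "0" and name != "root":
            findings.append((lineno, name, EXTRA_ROOT))
        kind = classify_hash(pw)
        if kind == "empty":
            findings.append((lineno, name, NO_PASSWORD))
        elif kind == "des-crypt":
            findings.append((lineno, name, WEAK_HASH))
    return findings

if __name__ == "__main__":
    for finding in audit_passwd(SAMPLE_PASSWD):
        print(finding)
```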
 
Would it be possible to connect the Hard Drive to a Linux Box or a USB to IDE adapter and read the contents of the Hard Drive to an Image file using Linux's DD command? That would simply make an Image that could be mounted in Linux.

dd if=<source> of=<target> bs=<byte size> ("USUALLY" some power of 2, and usually not less than 512 bytes.) skip= seek= conv=<conversion>

Larry
 
OP says it's MFM, so no -- MFM drives are tied to the controller they're formatted with, unless you have one of the (mentioned above) modern "attempt to read MFM" solutions.
 
Just for your reference. The reading of the MFM hard disk with the MFM drive reader/emulator was successful, the /etc/passwd file could be located and root's password hash has been found. One of the members of the forum got the password out of the hash in 10 minutes, the owner himself needed about 6 hours but the result was the same, and it was working.
 
Was it running Motorola System V?
 