Canoga-Perkins Password recovery (Brute-forcing via COM port)

If you are trying this on Ubuntu, run "sudo apt-get install minicom". Use your favorite search engine and follow an online guide to get crunch on your specific version of Ubuntu.

I installed Kali rolling on an old netbook to dedicate it to this task. Its specs are 2x 1.8 GHz hyper-threading cores and 2 GB RAM. You won't require much. If you're not into manually installing packages, I'd recommend you go the Kali Linux path. Kali has everything pre-installed that you need for this. It took me about 20 mins after creating the bootable USB to complete a fresh install.

Find out the com port name - ttyUSBx

You need to connect the USB to Serial adapter and find out which serial port it is logically attached to.

Type in "dmesg | grep USB" at the terminal.

You should see something similar to this:


You may need to "chmod 777 /dev/ttyUSB0" depending on permissions, distro etc. In Kali I didn't have to do this. You will know if you need to do it if you can't save the settings in minicom.

Setup minicom with "minicom -s"

This depends on the serial device; mine was the classic:

  • 9600 bps
  • 8 data bits
  • No parity
  • 1 stop bit.

Check your device's manual for its serial settings to connect via console. Make sure to save your config in minicom as default after you exit and confirm it's working.

If your device only prompts for a password, you are in luck. You just need to:

"crunch 5 5 abcdefghijklmnopqrstuvwxyz0123456789 | minicom" Use whatever parameters suit your password needs. If your device needs a username and password, or you find that the output needs to be slowed down some, read on...

Create password list:

Depending on what crunch is installed on, and how you set up your Linux distro initially, you may need to execute it with "sudo ./crunch", "./crunch" or in Kali just "crunch" from the terminal. Create a password list and write it to a file. Example: "crunch 5 5 abcdefghijklmnopqrstuvwxyz0123456789 -o input.txt". Type "man crunch" on the Kali terminal for extended instructions.

If you remember any portion of the password, you can significantly reduce the time it would take to unlock your device. There are specific options for this in crunch. Search online for tutorials on the advanced functions of crunch if you are interested.

So, after you run crunch with whatever options suited your needs, you should now have a dictionary file named input.txt in your root directory.

Adding a username:

Copy the Python script into a new file. For simplicity, name it "add-user.py" and put it in the root directory. Open up a terminal window and "chmod 777 add-user.py". This will give it read/write access and allow you to execute the script. Do an "ls -la"; the script should be green in the list (in Kali and Ubuntu).

You can now execute the script with "sudo ./add-user.py" or "./add-user.py". Just make sure the input.txt file is in the same directory and you should be good. Running the script on my poor old netbook took about 35 mins with all lowercase alpha-numeric with 5 digits total.

Pipe from new dictionary to minicom using ttyUSB0

This part is pretty easy: "cat w-user-output.txt | minicom"

That's basically it, but a couple of things should be noted. If you are doing a large dictionary, you may want to tinker with how the script prints its output. Starting a count in the "for" loop and printing a line update every 50 loops would speed the script up a bit. Also note that in my case, a blank line was interpreted by minicom as a user hitting enter; this allowed me to modify the script to make three blank lines after each attempt. This slowed the output down a little and ensured that it was synchronized with admin first, password attempt second.

EDIT: The three blank lines didn't work. In-between writing this and coming back to check on cracking progress, I found the Canoga Perkins box user/passwords were being sent out of sync. This is the proper way to slow it down if you need to:

Create a new file in the root directory, name it "slowdown". Edit your file and enter the following.

Do a "chmod +x slowdown" from the terminal.

You can now run "cat w-user-output.txt | ./slowdown | minicom". Adjust the sleep command in the bash script to the fastest you think your device will handle.

I would like to thank Steve for putting up with my programming-related questions while he was many beers into the night, and also for continuing to program it in Python even while grumbling about how easy it would be in C#. And also a special thank you to the users "Pimp Juice IT" & "AFH" who both gave me decent suggestions when I was at a roadblock.
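
As an added illustration that is not part of the original post: a rough estimate of how long an exhaustive run like the one above takes over the serial link, using the 9600 bps 8N1 settings, the 5-character lowercase alphanumeric keyspace and the "admin" username line from the post. It assumes the attempts go out at line rate, a one-byte line terminator and a fixed pause per line; the function names and the 0.1 s pause are constructed for this example.

```python
# Added example: worst-case duration of an exhaustive password run over a
# serial console. Not the post's own code; all names here are hypothetical.
from dataclasses import dataclass


@dataclass
class SerialLine:
    baud: int = 9600      # settings quoted in the post: 9600 bps, 8N1
    data_bits: int = 8
    parity_bits: int = 0
    stop_bits: int = 1

    def seconds_per_byte(self) -> float:
        # Every byte is framed by one start bit plus data, parity and stop bits.
        return (1 + self.data_bits + self.parity_bits + self.stop_bits) / self.baud


def keyspace(charset_size: int, length: int, known_chars: int = 0) -> int:
    """Candidates left to try when `known_chars` positions are already known."""
    if not 0 <= known_chars <= length:
        raise ValueError("known_chars must be between 0 and length")
    return charset_size ** (length - known_chars)


def attempt_seconds(line, password_len, username=None, sleep_per_line=0.0):
    """One attempt = optional username line, then the password line."""
    # +1 per line for the terminator (assumed to be a single byte).
    line_lengths = [password_len + 1]
    if username is not None:
        line_lengths.insert(0, len(username) + 1)
    wire_time = sum(line_lengths) * line.seconds_per_byte()
    # Assumption: the throttle pauses once per line sent.
    return wire_time + sleep_per_line * len(line_lengths)


def worst_case_days(charset_size, length, username=None,
                    sleep_per_line=0.0, known_chars=0, line=None):
    line = line or SerialLine()
    attempts = keyspace(charset_size, length, known_chars)
    return attempts * attempt_seconds(line, length, username, sleep_per_line) / 86400


if __name__ == "__main__":
    # 36 = lowercase letters plus digits, length 5, as in the crunch command above.
    print("password only      :", round(worst_case_days(36, 5), 3), "days")
    print("with 'admin' line  :", round(worst_case_days(36, 5, "admin"), 3), "days")
    print("plus 0.1 s per line:", round(worst_case_days(36, 5, "admin", 0.1), 3), "days")
    print("2 characters known :", round(worst_case_days(36, 5, "admin", 0.1, 2) * 24, 2), "hours")
```

Under these assumptions the full 36^5 space needs about 8.7 days with the username line even with no pause at all, and knowing two of the five characters brings a throttled run down to a few hours.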