Author Topic: Default ssh credentials from the Rigol DHO814  (Read 5799 times)

Offline user1783 (Topic starter)

  • Newbie
  • Posts: 1
  • Country: de
Default ssh credentials from the Rigol DHO814
« on: January 10, 2024, 11:02:16 pm »
Hello everyone,

I have a Rigol DHO814 oscilloscope. I have connected the scope via LAN to my test / lab network. By performing an nmap scan I have found that there is an ssh server available on the scope.

Does anyone know the default credentials? I can't find anything on the Internet.

BR
 

Offline cte

  • Regular Contributor
  • *
  • Posts: 62
  • Country: de
Re: Default ssh credentials from the Rigol DHO814
« Reply #1 on: January 13, 2024, 05:03:37 pm »
I don't know the root password, but the Rigol DHO800/900 series runs on Android, so you can use the android debug bridge for shell access.

adb connect <ip-address>:55555
adb shell


UPDATE:
User Randy222 posted a pretty good description here: https://www.eevblog.com/forum/testgear/hacking-the-rigol-dho800900-scope/msg5280037/#msg5280037
« Last Edit: January 15, 2024, 04:11:16 pm by cte »
⚡ To avoid electric shock, ensure that your instrument is correctly grounded.
 

Online ebastler

  • Super Contributor
  • ***
  • Posts: 7375
  • Country: de
Re: Default ssh credentials from the Rigol DHO814
« Reply #2 on: January 13, 2024, 07:52:04 pm »
According to this post, ftp access works with user "admin" and password "rigol". Any chance those credentials might work for ssh also?
 

Offline gabiz_ro

  • Regular Contributor
  • *
  • Posts: 121
  • Country: ro
Re: Default ssh credentials from the Rigol DHO814
« Reply #3 on: January 13, 2024, 08:52:11 pm »
I may be wrong, but the ssh server is started without any configuration loaded, so to speak.
If my memory doesn't trick me, even with a known password you can't connect.

In other words, the ssh server is started but the config files aren't present at the expected path.
There is a script startssh that passes arguments for the file paths; I never tried it directly, but after killing the ssh process and running startssh it worked.

You may also generate and replace the id_rsa key and other required files with your own keys.

For the Rigol default you may use a good GPU and hashcat to crack the key.
So you don't spend much time: the password is seven letters long, just for testing.
I did this and found the password to be adilzhu
 
The following users thanked this post: voltsandjolts

Online Fungus

  • Super Contributor
  • ***
  • Posts: 17519
  • Country: 00
Re: Default ssh credentials from the Rigol DHO814
« Reply #4 on: January 13, 2024, 09:17:09 pm »
I don't think it will do much anyway.

ADB is much more useful.
 

Offline cte

  • Regular Contributor
  • *
  • Posts: 62
  • Country: de
Re: Default ssh credentials from the Rigol DHO814
« Reply #5 on: January 13, 2024, 10:30:47 pm »
None of the username / password combinations worked.

But the ssh server has public key authentication enabled. You can use adb to add your own public key to /data/ssh/authorized_keys. The file will be overwritten with default values on the next reboot, though.

❯ ssh -oHostKeyAlgorithms=+ssh-rsa root@172.23.0.109
Host key fingerprint is SHA256:T/ZGjMJBBlryAc60zFdp7ydOMsvJUQCk/OqYz0ytCJ8
+---[RSA 2048]----+
|    +o*o+.       |
|   B B =+        |
|    X o..o       |
|     o . .oo     |
|      . So+ o    |
|     o  +=+o.    |
|.   o .o O.oo    |
| o X .  = ..     |
|  E.*            |
+----[SHA256]-----+
rk3399_rigol:/ # id
uid=0(root) gid=0(root) groups=0(root),
rk3399_rigol:/ # uname -a
Linux localhost 4.4.126 #72 SMP PREEMPT Tue Jul 18 13:47:35 CST 2023 aarch64
rk3399_rigol:/ # uptime
 06:29:19 up 44 min,  0 users,  load average: 4.14, 4.25, 4.10
rk3399_rigol:/ #


BTW: There are three public keys enabled by default: adil@ubuntu-SSD, sj03955@rigol.com and android@rigol.com. So whoever has the matching private key can log in to your scope should you open port 22 to the public.  :-DD
 
The following users thanked this post: egonotto

Offline lownoise

  • Contributor
  • Posts: 15
  • Country: de
Re: Default ssh credentials from the Rigol DHO814
« Reply #6 on: January 14, 2024, 05:38:07 am »
You can put your key at the end of start_rigol_app.sh, then it will be loaded at every start.
Btw, with ">>" the key will be added, with ">" the other three keys will be overwritten  ;)
 

Offline Randy222

  • Frequent Contributor
  • **
  • Posts: 786
  • Country: ca
Re: Default ssh credentials from the Rigol DHO814
« Reply #7 on: January 15, 2024, 03:22:03 pm »
> You can put your key at the end of start_rigol_app.sh, then it will be loaded at every start.
> Btw, with ">>" the key will be added, with ">" the other three keys will be overwritten  ;)

That doesn't work for me.

/system is a ro filesystem by the time that start script runs.

I will post full how-to SSH in the hacking thread --> https://www.eevblog.com/forum/testgear/hacking-the-rigol-dho800900-scope/

@cte, could it be for support reasons? I have seen this with other vendors for other products: they tell you "open ssh for my IP", then ssh in to poke around at the problem you created. But yeah, do not expose your scope to the public.
« Last Edit: January 15, 2024, 03:52:48 pm by Randy222 »
 

Offline gabiz_ro

  • Regular Contributor
  • *
  • Posts: 121
  • Country: ro
Re: Default ssh credentials from the Rigol DHO814
« Reply #8 on: January 15, 2024, 04:51:59 pm »
you may remount /system as rw
 

Offline Randy222

  • Frequent Contributor
  • **
  • Posts: 786
  • Country: ca
Re: Default ssh credentials from the Rigol DHO814
« Reply #9 on: January 15, 2024, 04:58:24 pm »
> you may remount /system as rw

yes, but from when/where you do it matters.
in via adb as su - (aka root), a mount -o remount,rw /system fails.
if I remount direct from adb, it works.
 

Offline lownoise

  • Contributor
  • Posts: 15
  • Country: de
Re: Default ssh credentials from the Rigol DHO814
« Reply #10 on: January 15, 2024, 05:27:51 pm »
There are two authorized_keys...

       original:  \system\etc\ssh\authorized_keys  (ro)

 and a copy :  \data\ssh\authorized_keys  (overwritten at every restart)
 
I had no idea how to get my key into the original \system\etc\ssh\authorized_keys,

so I add it to \data\ssh\authorized_keys on every restart with the entry in the start_rigol_app.sh

Both solutions work, but adding the key to the original \system\etc\ssh\authorized_keys is of course the better solution :-+
 

Offline Randy222

  • Frequent Contributor
  • **
  • Posts: 786
  • Country: ca
Re: Default ssh credentials from the Rigol DHO814
« Reply #11 on: January 15, 2024, 08:39:37 pm »
Did editing just the keys file in /data/ssh/ survive a reboot?

sshd_config points directly to the auth keys file in /data/ssh/

I'll go check, but when I edited the keys file in /system/etc/ssh/ , my edits somehow showed up in the keys file in /data/ssh/
I don't see any symlink between the two.
I suspect some start script copies the file from /system over to /data

 

Offline cte

  • Regular Contributor
  • *
  • Posts: 62
  • Country: de
Re: Default ssh credentials from the Rigol DHO814
« Reply #12 on: January 15, 2024, 10:01:55 pm »
@Randy222: The start script is in /system/bin/start-ssh (see below)

Actual copying is done here:

if [[ ! -f $AUTHORIZED_KEYS && -f $DEFAULT_AUTHORIZED_KEYS ]]; then
    cat $DEFAULT_AUTHORIZED_KEYS > $AUTHORIZED_KEYS
fi


Code:
#!/system/bin/sh

umask 077

# DEBUG=1

DSA_KEY=/data/ssh/ssh_host_dsa_key
DSA_PUB_KEY=/data/ssh/ssh_host_dsa_key.pub
RSA_KEY=/data/ssh/ssh_host_rsa_key
RSA_PUB_KEY=/data/ssh/ssh_host_rsa_key.pub
AUTHORIZED_KEYS=/data/ssh/authorized_keys
DEFAULT_AUTHORIZED_KEYS=/system/etc/security/authorized_keys.default

if [ ! -f $DSA_KEY ]; then
    /system/bin/ssh-keygen -t dsa -f $DSA_KEY -N ""
    chmod 600 /$DSA_KEY
    chmod 644 $DSA_PUB_KEY
fi

if [ ! -f $RSA_KEY ]; then
    /system/bin/ssh-keygen -t rsa -f $RSA_KEY -N ""
    chmod 600 /$RSA_KEY
    chmod 644 $RSA_PUB_KEY
fi

if [[ ! -f $AUTHORIZED_KEYS && -f $DEFAULT_AUTHORIZED_KEYS ]]; then
    cat $DEFAULT_AUTHORIZED_KEYS > $AUTHORIZED_KEYS
fi


if [ "1" == "$DEBUG" ] ; then
    # run sshd in debug mode and capture output to logcat
    /system/bin/logwrapper /system/bin/sshd -f /system/etc/ssh/sshd_config -D -d
else
    # don't daemonize - otherwise we can't stop the sshd service
    /system/bin/sshd -f /system/etc/ssh/sshd_config -D
fi
 

Offline Randy222

  • Frequent Contributor
  • **
  • Posts: 786
  • Country: ca
Re: Default ssh credentials from the Rigol DHO814
« Reply #13 on: January 15, 2024, 10:26:18 pm »
I guess I missed it, wasn't looking for it, kinda suspected what was going on after my edit to keys file in /system/etc/ssh

Not sure why they copy back the keys file, and then reference /data/ssh/ keys file in sshd_config , maybe so you can edit the keys file in /data area since /data is mounted rw ?
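
Added example, not part of any post in this thread: cte's replies #5 and #12 show that logins are governed by /data/ssh/authorized_keys, which is seeded from a default file carrying three vendor keys. The script below lists every entry in a copy of that file whose key material is not one of your own public keys; the function name audit_keys, the file names and the key blobs in the sample are constructed for illustration.

```shell
#!/bin/sh
# Added example: report authorized_keys entries whose key blob is not ours.
# Usage: audit_keys <authorized_keys copy> [trusted .pub files...]
audit_keys() {
    keys_file=$1; shift
    # awk reads the trusted .pub files first and remembers their blobs,
    # then reads keys_file and prints every entry with an unknown blob.
    awk -v target="$keys_file" '
        function is_type(s) {
            return s ~ /^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521)|sk-[a-z0-9@.-]+)$/
        }
        /^[ \t]*(#|$)/ { next }              # skip comments and blank lines
        {
            # Login options may precede the key type, so scan for it.
            for (i = 1; i < NF; i++) if (is_type($i)) break
            if (i >= NF) next                # no key on this line
            blob = $(i + 1); comment = ""; sep = ""
            for (j = i + 2; j <= NF; j++) { comment = comment sep $j; sep = " " }
            if (FILENAME != target) trusted[blob] = 1
            else if (!(blob in trusted))
                print "UNTRUSTED", $i, (comment == "" ? "(no comment)" : comment)
        }
    ' "$@" "$keys_file"
}

# Constructed sample. The three comments are the defaults named in the
# thread; the blobs are placeholders, not real key material. On a real
# scope the input would be a copy of /data/ssh/authorized_keys.
demo_dir=$(mktemp -d)
cat > "$demo_dir/authorized_keys" <<'EOF'
ssh-rsa AAAAB3NzaC1yc2E-CONSTRUCTED-1 adil@ubuntu-SSD
ssh-rsa AAAAB3NzaC1yc2E-CONSTRUCTED-2 sj03955@rigol.com
ssh-rsa AAAAB3NzaC1yc2E-CONSTRUCTED-3 android@rigol.com
from="192.0.2.10" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5-CONSTRUCTED-4 operator@lab
EOF
echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5-CONSTRUCTED-4 me@workstation' \
    > "$demo_dir/mine.pub"

audit_keys "$demo_dir/authorized_keys" "$demo_dir/mine.pub"
```

Matching is done on the key blob rather than the comment, because the comment field is free text and can be set to anything.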



 

