Challenge: This afternoon, a co-worker came to me and asked for my help retrieving her forgotten admin password for the HP Web JetAdmin login. She had been using another profile she had created so often that she could no longer remember the logon credentials for the default admin account. She tried the default password 'admin', but it did not work.
First, I asked whether this software uses a database to store passwords, since I thought we could open the database tables. She said there was an MS SQL server installed on the server, but she did not think we were using the database server now.
Then I figured it might use a flat file to store the user credential information, even though I trusted that a company as big as HP would not do so. Anyway, I asked to take a look at the Web Jetadmin server, hoping I could figure out something more from the web server logon script.
[updated according to derkeiler.com]
This password string has three elements:
– 6a206d14 is the initialization vector for the algorithm
– 000a is the length of the encrypted data (and double the length of the clear text)
– 7c2bc3cd3358153cffb5 is the actual encrypted data
Of course, some smart HP engineers thought: who would figure out the passwords if they were encrypted? Yeah, they almost got us. After we saw this encrypted text, my co-worker was sad and said she would have to ask HP for support.
But wait, I still got her admin password back even though it had been encrypted.
- Locate the user credential file under the program installation directory. Ours is in C:/program files/HP Web Jetadmin.
- After making a backup copy, use any text editor (I prefer WordPad) to open the ~/auth/local.user file (I am not sure whether the file name is local.users or local.user).
- Since we have more than two accounts in that file, and she knows the password of another, non-admin account (say, user1), I just copied everything after user1: and pasted it after admin:.
- Open the HP Web Jetadmin web URL, and use admin as the username and whatever she used for her second user, user1, as the password. And voila, we just got in!
Well, HP will say: hey, you are just assuming you already know another account's password. Otherwise, how could you decrypt my admin password?
Really? How about I just post on the Internet whatever encrypted password I used to access HP Web Jetadmin, and tell everyone what it means in plain text? Then anyone can open the local.user file and paste it in as the admin password. Isn't that great, or scary?
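A way to audit the user file for the condition described above, as an added example that is not from the original post or from HP: it splits each stored value into the three fields listed earlier, checks the length field against the data, and reports accounts whose stored values are identical, which is what the copy-and-paste step leaves behind. The name:value line layout, the function names and every sample value other than the three fields quoted above are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the assumed "name:value" layout; only the first value
# is built from the three fields quoted on the page, the rest are made up.
SAMPLE = """\
admin:6a206d14000a7c2bc3cd3358153cffb5
user1:6a206d14000a7c2bc3cd3358153cffb5
user2:19f3a0c2000c5d1e88a04b7c21f09e63aa10
broken:0badc0de00087c2bc3
"""

# 8 hex digits of IV, 4 hex digits of length, then whole bytes of data.
FIELD_RE = re.compile(r"^([0-9a-fA-F]{8})([0-9a-fA-F]{4})((?:[0-9a-fA-F]{2})*)$")

def parse_credential(value):
    """Split a stored value into IV, declared length and encrypted data."""
    m = FIELD_RE.match(value.strip())
    if not m:
        raise ValueError("not an IV + length + data hex string")
    iv, length_hex, data = m.groups()
    declared = int(length_hex, 16)
    if declared != len(data) // 2:
        raise ValueError(f"length field says {declared} bytes, found {len(data) // 2}")
    # The page notes the encrypted data is double the clear-text length.
    return {"iv": iv.lower(), "data": data.lower(), "cleartext_len": declared // 2}

def audit(text):
    """Return (parsed entries, malformed accounts, groups sharing one value)."""
    parsed, malformed, by_value = {}, [], defaultdict(list)
    for line in text.splitlines():
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        try:
            parsed[name] = parse_credential(value)
        except ValueError:
            malformed.append(name)
            continue
        by_value[value.strip().lower()].append(name)
    shared = sorted(sorted(names) for names in by_value.values() if len(names) > 1)
    return parsed, malformed, shared

if __name__ == "__main__":
    parsed, malformed, shared = audit(SAMPLE)
    print("shared credential values:", shared)
    print("malformed entries:", malformed)
```

Because the stored value is accepted for whichever account name it sits next to, two accounts holding the same value is a sign worth checking against the backup copy of the file.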
Updated on 01/29/2008: After checking the Internet, I found that http://www.derkeiler.com/Mailing-Lists/Securiteam/2004-04/0106.html talks about HP Web Jetadmin security issues. Some of them concern "password disclosure and decryption".