I hope you are aware that you can also simply change the two strings in the firmware, for example to
csdev:$1$eyPcxmTg$sytqkZd2hmk2JWSeTZi1H/:16148:0:99999:7::: gve6776696577:$1$xDz96xgq$FsovEQ3MZuqYRcWru6oU01:16176:0:99999:7:::to change the passwords to be the same as the usernames are.
The regular expression format for
pam-unix.so passwords beginning with "
$1$" is
\$1\$[^$]{1,8}\$[./0-9A-Za-z]{22}which means the
csdev cannot have worked (allowed access with
any password) with standard
pam-unix.so, because it has invalid hash length (21 characters instead of 22); and any login attempts should yield
user "csv" has corrupted passwd entry system log messages (typically into
/var/log/auth.log in Debian derivatives).
Similarly, the
gve6776696577 cannot have worked (allowed access with
any password) using standard
pam-unix.so, because
pam_unix/pam_unix_passwd.c:MD5Name(crypt_md5) will only use the first 8 characters from the salt, and as it passes the entire password hash construction (starting with
$1$), the result will never match because the salt parts will differ. Thus, any login attempts should yield
user "gve6776696577" has corrupted passwd entry system log messages (typically into
/var/log/auth.log in Debian derivatives).
Assuming the system used PAM, you can find the PAM login configuration in the firmware image in
/etc/pam.d/login file. It typically contains a
@include common-auth, so that the actual config is in
/etc/pam.d/common-auth, with the first non-comment line being
auth [success=1 default=ignore] pam_unix.so nullokwhich means
pam_unix.so is the primary authenticator. Its sources are at Github at
linux-pam/modules/pam_unix/, so if you're investigating a security failure, it is quite possible an attacker not only added those two accounts but also replaced the
pam_unix.so binary as well.
If you examine
/etc/issue,
/etc/lsb-release, and
/etc/os-release files in the firmware image, you can tell what base Linux distribution this uses. This would be important to investigate any further.
The full
/etc/shadow lines show that the
csdev account was created in 2014-03-19, and the
gve6776696577 one in 2014-04-16 (assuming UTC time; might also be one day before or later depending on time zone), if not faked/synthesized by modifying
/etc/shadow directly instead via e.g. the
passwd command.
Why do you need to crack these hashes? Do you suspect nefarious access? Or are you investigating why these accounts cannot be logged in? Or for some other reason?