Archive for November, 2013

Impinj Speedway RFID Reader Default root Credentials

November 11, 2013

Impinj Speedway RFID readers (Shodan search) have a default root account for telnet access.

Log in to the reader. Default credentials are:
user name: root
password: impinj

This gives you access to a custom shell with menu commands:

df:~ # telnet 1.2.3.4
Trying 1.2.3.4…
Connected to 1.2.3.4.
Escape character is ‘^]’.

Impinj Powered RFID Reader Octane.v3.2.1 (Speedway-00-23-53) (0)

Speedway-00-23-53 login: root
Password:
> ?

Commands:
reboot – Reboots the system.
exit – Exit this submenu and return to the parent menu.
help – Displays this help message.
? – Displays this help message.

Sub-menus:
config – Submenu of configuration commands.
show – Submenu of elements that may have their configuration or status
shown.
transfer – Submenu of transfer commands.
> show
show > ?

Commands:
access – Show users and their access level.
exit – Exit this submenu and return to the parent menu.
help – Displays this help message.
. – Exit this submenu and return to the parent menu.
? – Displays this help message.

Sub-menus:
all – Submenu of multi-category info display commands.
image – Submenu of image status commands.
logging – Submenu of logging status commands.
network – Submenu of network status commands.
rfid – Submenu of RFID status commands.
snmp – Submenu of SNMP status commands.
system – Submenu of system status commands.
show > image
show image >

Econolite Products Default Credentials

November 5, 2013

ASC/2M-1000 Ethernet Feature to Connect to ASC/3 Locals has an ethernet module with a default pass of ‘dbps’. ASC/2M-1000 Ethernet Feature to Connect to ASC/2S Locals has the same default.

According to an Econolite document about capturing packets, they also have a default terminal password:

Enter you user name and password.
Factory default is:
User name: admin
Password: admin

MyPBX Default Credentials & Cleartext Transmission

November 4, 2013

MyPBX by Yeastar (Shodan search) has default credentials and they are transmitted via GET request over HTTP. Since the credentials are in GET parameters the URL may appear in system logs too:

GET /rawman?action=login&username=admin&secret=password HTTP/1.1
User-Agent: Opera/9.80 (Windows NT 6.1; WOW64) Presto/2.12.388 Version/12.16
Host: 192.168.5.150
Accept-Language: en-US,en;q=0.9
Accept-Encoding: gzip, deflate
Referer: http://192.168.5.150/static/config/home.html
Proxy-Connection: Keep-Alive
X-Requested-With: XMLHttpRequest
Accept: */*

From the user manual:

From your web browser, input the IP address of the MyPBX server.
If this is the first time you are configuring MyPBX, please use the default
settings below:
IP Address: http://192.168.5.150
Username: admin
Password: password

Sunday Shodan Defaults

November 3, 2013

According to the manual the Schleifenbauer PDU Gateway has default credentials:

In order to continue you will be asked for a user name and password:
default user name = power (no password)
Change this at the GATEWAY tab asap for security reasons.


According to the online wiki, the MikroTik RouterOS WebFig interface (Shodan search) has default admin credentials:

Every router is factory pre-configured with IP address 192.168.88.1/24 on ether1 port. Default username is admin with empty password.


NEC VOIP phones have a “Web Programming” interface (Shodan search) that is often open to the Internet and it has default credentials:

User Name = ADMIN.
Password = 632379.


AirOS is the operating system for Ubiquiti M Series products. According to the manual version 5.5.4 has a default password:

Enter ubnt in the Username and Password fields, and select the appropriate choices from the Country and Language drop-down lists. Check the box next to IĀ agree to these terms of use, and click Login.

Upon subsequent login, the standard login screen appears. Enter ubnt in the Username and Password fields, and click Login.

Elastix PBX Default Credentials

November 1, 2013

Elastix PBX systems (Shodan search) install with multiple default passwords according to the wiki manual:

Initial access to the Web interface

Enter in the Web interface:

Open web browser and go to https://ip-address-of-elastix-server/
Username: admin
Password: palosanto

Initial access to third party applications

To use Sugar CRM:

Username: admin
Password: password
To use A2bill:

Username: admin
Password: mypassword
Operator Flash Panel (from 0.6 version):

Password: eLaStIx.2oo7
For accessing Freepbx (without being contracted) use:

Username: admin
Password: admin
For accessing vtigerCRM use:

Username: admin
Password: admin

elastix