Posts Tagged ‘Red Team’

Dedicated Micros DV-IP Series Devices Default Credentials

March 1, 2014

Dedicated Micros makes a set of devices under the DV-IP label. In some cases they do not require a password for access; in other cases they ship with default accounts. Below is a list of devices with links to the manual and the quoted passages about passwords.

DV-IP ATM

Select Configuration Options. The unit will prompt for a username and password. The default settings are dm and web respectively.

DV-IP Codec

The image shows the User Accounts Administration page. The default passwords are:
Webpage Configuration : Username = dm : password = web
FTP Admin : Username = dmftp : password = ftp
Telnet : Username = dm : password = telnet

DV-IP Encoder

The image shows the User Accounts Administration page. The default passwords are:
Webpage Configuration : Username = dm : password = web
FTP Admin : Username = dmftp : password = ftp
Telnet : Username = dm : password = telnet

DV-IP Express

By default, no Usernames and Passwords are required to access any of the various menus. Usernames and Passwords can however be added to regulate access to the Configuration and Viewer menus.

DV-IP Server

[Screenshot from the manual: dvip-1]

DV-IP NV1 & NV4

By default, no Usernames and Passwords are required to access any of the various menus. Usernames and Passwords can however be added to regulate access to the Configuration and Viewer menus; refer to the ‘Display Settings-> User Accounts’ menu for information on establishing Usernames and Passwords.


Mitsubishi Energy Saving Data Collecting Server (EcoWebServer III) MES3-255C-EN Default Credentials

February 28, 2014

The Mitsubishi Energy Saving Data Collecting Server (EcoWebServer III) MES3-255C-EN uses several default credentials according to the manual. These require local access for the software and do not appear to work for the web server.

Enter the maintenance password (factory setting: ecopass) in the Password field, and click the [Change] button.

Writing the project via LAN
Select the [Write in this product via LAN.] radio button, and input the login ID and password for system administration in the [Login ID] and [Password] text boxes respectively.
(The default login ID and password are “ecoV” and “ecopass”.)

Reading the project via LAN
Select the [Read from this product via LAN.] radio button, and input the login ID and password for system administration in the [Login ID] and [Password] text boxes respectively.
(The default login ID and password are “ecoV” and “ecopass”.)

Checking the project via LAN
Select the [Via Ethernet.] radio button, and input the login ID and password for system administration in the [Login ID] and [Password] text boxes respectively.
(The default login ID and password are “ecoV” and “ecopass”.)

Changing the data acquisition login ID and password
The following describes the steps for changing the data acquisition login ID and password.
* The default data acquisition login ID and password are “guest” and “user”, respectively.
(The default system administration login ID and password are “ecoV” and “ecopass”, respectively.)

Dedicated Micros Eco Range 9/16 DVR Units Default Credentials

February 22, 2014

The Dedicated Micros Eco Range Eco 9 and Eco 16 DVR units contain several default passwords or unpassworded access according to the user manual.

Default PPP password

Once the remote computer has been configured to dial-up to the Eco, enter the PPP_Link2 IP address that was allocated to the port on the unit to make a remote dial up connection.
NOTE: The IP address used to dial in to the unit is the IP address used for PPP_Link2. The PPP IP address used in System Options->Network Settings->PPP Selection is the base PPP IP Address. The dial-in address is one greater than this, i.e. if the PPP IP address is defined as “10.0.0.1”, the PPP IP address required to connect to the unit is “10.0.0.2”.
The unit will request a username and password, as defined in the ‘profiles’ configuration file. The default settings are ‘username’ and ‘password’.

Installation / Menu System

User Password
A password can be set to prohibit unauthorised access to the menu systems. The default setting is Off.

Web Access

If a password has been configured it will be necessary to enter the Username and Password information to gain access to the unit. The default user name and password are dm and web.

Dedicated Micros Eco4 Default Unpassworded Access

February 15, 2014

The Dedicated Micros Eco4 multi-channel recording and playback device allows for complete access without credentials according to the manual.

By default, no Usernames and Passwords are required to access any of the various menus. Usernames and Passwords can however be added to regulate access to the Configuration and Viewer menus, refer to the ‘Display Settings-> User Accounts’ menu for information on establishing Usernames and Passwords.

Seon Explorer MX-HD DVR Default Password

February 14, 2014

The Seon Explorer MX-HD Basic and Plus Mobile DVR contains a default password according to the manual.

CAUTION: DVR Password Security
The default password is 11111111. For security purposes, Seon recommends that the user default login and system settings passwords should be changed. Seon is not responsible if the password is lost or forgotten.

[Screenshot from the manual: seon]

Dedicated Micros NetVu Observer Default Admin Credentials

February 8, 2014

The Dedicated Micros NetVu Observer video management software contains a default administrator account according to the manual.

The first time the application is launched it will display the Users window with two accounts preloaded. The software requires an administrator to log in to add new User or admin accounts. The default username and password are admin and password respectively. These should be changed as soon as possible to maintain security. Click the Login button at the top of the pane and enter the administrator username and password.

Dedicated Micros NetVu Console Default Unpassworded Access

February 1, 2014

The Dedicated Micros NetVu Console does not require authentication to access by default according to the manual.

There are no default usernames and passwords for any Account Type. If none are assigned, access will be granted to all users and no request for a username and password will be made.

The available account types for which users and passwords can be assigned privileges are:
Admin FTP
Telnet
Serial
Web Page Configuration
Admin Camera Protection

Dedicated Micros Pick-a-Point Default User Password

January 24, 2014

The Dedicated Micros Pick-a-Point is a dedicated IP keyboard solution with joystick control and has a default user password according to the manual.

1 On power up the unit will automatically load the software application.
2 Log Off with the User password 9999.
3 Log in to the application using the provided Installer logon.

Brocade ServerIron ADX 1016 Multiple Vulnerabilities

January 2, 2014

The Brocade ServerIron ADX 1016 (Shodan search) contains a default administrator account according to the manual:

The password | nopassword parameter indicates whether the user must enter a password. If you specify password, enter the string for the user’s password.

NOTE
There is a default username “admin” and the password “brocade”. For security purposes, you may want to delete the default username. You will have to create at least one username in order to delete it. Otherwise, the default username will be automatically created after a reboot.

By default Telnet does not require a password:

Enabling Telnet password
To assign a password for Telnet session access, enter the following command.
ServerIronADX(config)# enable telnet password secretsalso

With physical access you can reset the administrator password:

By default, the CLI does not require passwords. However, if someone has configured a password for the ServerIron ADX but the password has been lost, you can regain super-user access to the ServerIron ADX using the following procedure.
NOTE
Recovery from a lost password requires direct access to the serial port and a system reset.
Follow the steps listed below to recover from a lost password.
1. Start a CLI session over the serial interface to the ServerIron ADX.
2. Reboot the ServerIron ADX.
3. While the system is booting, before the initial system prompt appears, enter b to enter the boot monitor mode.
4. Enter no password at the prompt. (You cannot abbreviate this command.)
5. Enter boot system flash primary at the prompt. This command causes the device to bypass the system password check.
6. After the console prompt reappears, assign a new password.

AXESS TMC X1 / X2 Multiple Vulnerabilities

December 30, 2013

AXESS TMC makes a set of terminals that manage Time & Attendance as well as Access Control. For example, the X1 and X2 perform a lot of functions in a compact unit and still offer remote management capability (Shodan search and look for “X1/X2 Configuration”).

These devices have default administrator credentials for the web and FTP interface: admin / admin

As an admin you can gain access to other passwords because they are stored in plaintext. For the web interface they are shown on the different screens. For FTP (or the HTTP browse file menu) they are available in the PARAMETERS.TXT file:

OperatorPassword=00000
RemotePassword=admin

[GPRS]
[..]
User=""
Password=""

[FtpClient]
ServerURL=
User=""
Password=""

[USB]
Enabled=1
PasswordUSB=00000
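As an added example (not part of the original post or of AXESS TMC's software), the following audit script parses an exported PARAMETERS.TXT in the layout quoted above and reports every password key that still holds a factory value (00000, admin, or empty). The sample file embedded in it is constructed to mirror the excerpt; the key names are the ones shown above.

```python
"""Audit an AXESS TMC X1/X2 PARAMETERS.TXT export for unchanged factory
passwords. The sample below is constructed, not a real device export."""
import re

# Factory values quoted in the post; an empty value also counts as unset.
FACTORY_DEFAULTS = {"00000", "admin", ""}

SAMPLE = """\
OperatorPassword=00000
RemotePassword=admin

[GPRS]
[..]
User=""
Password=""

[FtpClient]
ServerURL=
User=""
Password=""

[USB]
Enabled=1
PasswordUSB=00000
"""

def parse_parameters(text):
    """Return {(section, key): value}; keys above the first section use ''."""
    params, section = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "[..]":      # skip blanks and elided regions
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1)
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]             # unquote "" style values
        params[(section, key.strip())] = value
    return params

def find_default_passwords(params):
    """Sorted 'Section/Key' names whose password is still a factory value."""
    return sorted(
        f"{sec}/{key}" if sec else key
        for (sec, key), val in params.items()
        if "password" in key.lower() and val in FACTORY_DEFAULTS
    )

if __name__ == "__main__":
    for name in find_default_passwords(parse_parameters(SAMPLE)):
        print("factory default still set:", name)
```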

There is an XSS vulnerability in /file_manager.cgi (CVE-2013-78000) via file upload as demonstrated here:

[Screenshots: x1-xss1, x1-xss2, x1-xss3]

For red teamers access to this device could allow for remote disabling of physical security features. The /biometric.cgi page lets you manipulate the biometric sensors or disable them completely if they are already enabled. It isn’t as good as popping the door locks but sure makes it easier for physical access!

[Screenshot: x1-biometrics]

The /access.cgi page can also let you manipulate access controls or disable them completely:

[Screenshot: x1-accesscontrol]