Posts Tagged ‘Shodan’

Trafficware ATMS.now Default Credentials

February 20, 2014

Trafficware’s ATMS.now contains a default account and credentials according to the manual.

Your system administrator should provide you with your user name and password. The installation assigns a
default user with a user-name “naztec” and password “naztec”, which could be retained for training and factory
upgrade purposes. It is recommended that this default login be removed for security and the system
administrator should provide a permanent, secure login for system updates and access.

“ATMS.now is an Advanced Traffic Management System (ATMS) capable of monitoring and controlling thousands of intersection controllers using state-of-the art architectures like TCP/IP and NTCIP.”

Advertisements

PIPS Technology AUTOPLATE Automatic License Plate Recognition (ALPR) Multiple Vulnerabilities

February 19, 2014

PIPS Technology AUTOPLATE is a license plate recognition system used by law enforcement (Shodan search) in stop light camera systems. “PIPS Technology ALPR processors are complete one-box processors for automatic licence plate recognition (ALPR).” By default these devices offer a telnet connection for management that does not require authentication!

They also have a series of default accounts and / or passwords:

Component – Account – Password
html – root – ?
pdb – wl_test – wl_test
ves – vesstore – vesstore
jpeg – ftp_boot – ftp_boot

With the html component credentials you can access the web server for information about the camera’s capture statistics:

http://1.2.3.4/cgiC/capture%20st$ats

Camera 1
fields: 1038585
images: 0
plates: 0
reads : 0
good : 0

Camera 2
fields: 1787601
images: 36781
plates: 5440
reads : 1283
good : 1269

Here is a partial log of what the command interface looks like:

Script started on Tue Nov 19 10:27:32 2013
df$ telnet 1.2.3.4
Trying 1.2.3.4…
Connected to 1.2.3.4.
Escape character is ‘^]’.

ATZ
P372 application Apr 13 2010 12:29:02
P372 Serial Number: 1234
pcb:1, vers:03, rel:x06, build:3145
RAM: 128M @ 128M EPROM: 512k
Flex vers: 16.0, capabilities 003f
Camera firmware: 4.34
362 epld vers: 13
ANPR enabled for: USA Louisiana
Operating system: C EXECUTIVE 3.3
eprom image checksum: 1408
application crc: 4714
current config crc: 1434
reference config crc: 1434
* Installed options: 00200018
* … Compact Flash
* … Basic VES with no security
* … USA Licenceplate recognition
* PIPS Technology AUTOPLATE ™ license plate recognition
* VES – (violation enforcement system)
>>system show
system
flex: flash;3722acyc.z16
exposure: mem:/expose.cnf
startup: mem:/startup.scr
time_server: 2.3.4.5
alt_time_server: 10.1.1.1
font8: flash;font_8.8k
font16: flash;font_16.32k
route: ves
access_list: mem:/access.txt
sntp_enable: 0x13
daytime_port: 0
time_zone: -6
time_poll: 300
sntp_latency: 1000
sntp_window: 200
sntp_debug: 0
sntp_max: 24
brownout: 125
powerdown: 5000
idle_time: 0
idle_mode: 0x7
plate_type: 1
plate_max: 120
plate_min: 50
t_enable: 0
t_period: 600
sio362_debug: 0
led_current: 7
ftp_debug: 0
tn_timeout: 600
access_debug: 0
cc_eds: 0
reload: 0
ping_mode: 1
ping_port: 10010
sysdump: 0
old_script: 1
* CMD:OK
>>active show
active
days:
start_1:
end_1:
start_2:
end_2:
enable: 0
debug: 0
* CMD:OK
>>client show
client
patch: 1
sum: 0
debug: 0
config: 0
threshold: 50
* CMD:OK

..

>>help
Available Commands are:
system
active
client
vf
jpeg
bmp
ves
anpr
log
pdb
capture
closeloop
trigger
ves diag
ves exc
html
mbip
mail
net
key
dump
show
set
clear
barcode
help
install
test
camera
ftp
reset
shutdown
exit
flash
flex
fs
encrypt
sleep
rtelnet
snap
trap
script
ping
jam
option
ata
cld
dir
ls
md
rd
rm
del
ren
cd
check
copy
cmp
type
cat
mkfs
partition
scan
creat
image
make
destroy
tail
gzip
gunzip
kermit
action
>>rtelnet
Require IP address and optional port parameters
>>trap show
not implemented
* CMD:ERROR 1
>>script show
cannot open script show on local disk
attempting to fetch script from server
script not found on server
* CMD:ERROR 1
>>ping
PING 1.2.3.4 (1.2.3.4): 56 data bytes
64 bytes from 1.2.3.4: icmp_seq=0 ttl=59 time=23 ms
64 bytes from 1.2.3.4: icmp_seq=1 ttl=59 time=32 ms
64 bytes from 1.2.3.4: icmp_seq=2 ttl=59 time=42 ms
64 bytes from 1.2.3.4: icmp_seq=3 ttl=59 time=31 ms

— 1.2.3.4 ping statistics —
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 14/54/42 ms
* CMD:OK
>>dir
mem:/
EVENT .OLD w—- 40790 bytes 19/11/2013 7:35:12
EVENT .LOG w—a 1706 bytes 19/11/2013 17:28:52
TIME .TXT w—a 11 bytes 19/11/2013 17:32:26
SYSTEM .INI w—a 4283 bytes 19/11/2013 7:35:20
EXPOSE .CNF w—a 190 bytes 4/05/2013 1:18:26
VES . w–d- dir 4/05/2013 1:19:06
OPENED . w—- 0 bytes 4/05/2013 1:19:10
SEQ . w—a 8 bytes 19/11/2013 17:31:10
ENTROPY .BIN w—a 112 bytes 19/11/2013 17:23:02
MONITOR .INI w—a 67 bytes 16/10/2013 15:33:56
ACCESS1 .DEF w—a 526 bytes 19/11/2013 17:20:54

10 files, 1 subdirectory. Total Disk Capacity: 2048 k, Total shown here: 46 k
* CMD:OK
>>type event.log
19-Nov-2013 07:35:12:(9) ( start), EVENT LOG START UP
19-Nov-2013 07:35:12:(6) ( start), trimming 23 lines from event log history
19-Nov-2013 07:35:12:(9) ( start), integrity: 40 seconds since last update
19-Nov-2013 07:35:12:(6) ( mon_temp), no temperature sensor
19-Nov-2013 07:35:12:(9) ( start), access control list not present
19-Nov-2013 07:35:12:(9) ( start), software options: 00200018
19-Nov-2013 07:35:16:(9) ( start), Hardware JPEG Chip 1 software option not present
19-Nov-2013 07:35:16:(9) ( start), Hardware JPEG Chip 2 software option not present
19-Nov-2013 07:35:17:(6) ( start), sync set to: 625
19-Nov-2013 07:35:17:(9) ( stream), Platform will not support streaming video
19-Nov-2013 07:35:17:(9) ( ves), Software options set are not compatable with encryption or context capture
19-Nov-2013 07:35:17:(9) ( vid_events), VIDEO: P372 twin video input process starting

..

>>cat system.ini
[net]
mask=255.255.255.224
bcast=192.200.200.255
gateway=1.2.3.1
script=mem:/net01.scr
speed=0

..

telnet> close
Connection closed.
df$ exit
exit

Script done on Tue Nov 19 10:33:06 2013

Polycom SoundPoint IP 450 Web Configuration Utility Default User Password

February 17, 2014

The Polycom SoundPoint IP 450 phone uses a web configuration utility that has a default user password according to the manual.

To access the Web Configuration Utility for your phone:

The factory default password for a User is 123

S3 N1031 / N1072 Box IP Camera Web Interface Default Admin Credentials

February 16, 2014

The S3 N1031 (firmware V1.07_STD-1) and N1072 (firmware V1.01_STD-1) “box” IP cameras (Shodan search) contain a default web interface password.

user: 3sadmin
password: 27988303

Epson Stylus Printers Remote Information Disclosure

February 13, 2014

Many models of Epson Stylus printers (Shodan search) answer on port 80 and give up information about the printer. Some is harmless like ink cartridge levels. But it also gives up information including internal IP address, default gateway, SSID, wireless security mode and more. The masked password it sends is just stars not the real password unfortunately!!

Models include:
BX305
BX310FN
BX320FW
BX525WD
BX620FWD
BX620FWD
NX420
NX510
Photo R2000
SX420W
SX510W
TX510FN

epson

SoundPoint / SoundStation IP SIP Phones Multiple Default Passwords

February 12, 2014

SoundPoint and SoundStation IP SIP Phones ship with several default passwords. According to the manual which covers the SIP 2.0 software release and the bootROM 3.2:

Local User Interface Setup Menus
The network configuration menu is accessible from the main menu. Navigate to Menu>Settings>Advanced>Admin Settings>Network Configuration. Advanced Settings are locked by default. Enter the administrator password to unlock. Note that the factory default password is 456.

Local Settings Menu Access
Factory default passwords are:
• User password: 123
• Administrator password: 456

Boot Server Deployment for the Phones
If the provisioning protocol requires an account name and password, the server account name and password must match those configured in the phones. Defaults are: provisioning
protocol: FTP, name: PlcmSpIp, password: PlcmSpIp

Actelis ML620i Web Interface Default Admin Credentials

February 11, 2014

Actelis Networks ML620i ethernet access devices (Shodan search) have a web interface that has a default password of admin / admin.

These devices are used in conjunction with Trafficware ATMS.now systems. The manual for that system actually shows the defaults for Actelis devices:

The LOCAL_UID and LOCAL_PID are optional boxes. If they are left blank, an administrator assigned
User/Password combination will be required to log in. If you choose to utilize a standard login for all Actelis
switches, you can fill in a User/Password value in the LOCAL_UID and LOCAL_PID boxes. Actelis default is
User ID = “admin” and Password = “admin”.

Calix Management System (CMS) Default Admin Account

February 10, 2014

The Calix Management System (CMS) (Shodan search) has a default account called ‘rootgod’ with a default password of ‘root’ according to the manual.

Information required for logging in to CMS Web
To log in to CMS Web, have the following information on hand:
– Your CMS user name and password, provided by your CMS system administrator.
Note: The initial default user name is rootgod and the initial default password is root.

S3 Cube IP Cameras Web Interface Default Admin Credentials

February 9, 2014

S3 Cube IP cameras (Shodan search) contain default admin credentials for the web interface in the following models / firmware:

N8071 V1.04_STD-1, V1.03_STD-1, V1.06_STD-1
N8072 V1.04_STD-1
SI9122 V1.06_STD-1

user: 3sadmin
password: 27988303

Fte Maximal RCM 310 Web Interface Default Password

February 7, 2014

The Fte Maximal RCM 310 (Shodan search) has a default password for the web interface according to the manual. I confirmed this on version 1.3.8.

ftercm310