Posts Tagged ‘Telnet’

Calix C7 Integrated Management System (IMS) Multiple Vulnerabilities

February 6, 2014

Calix C7 Integrated Management System (IMS) (Shodan search) exposes a secure login on port 8196 that is accessed with a Java client. The default account ‘rootgod’ with a password of ‘root’ works, as does a sysadmin/sysadmin account.

The telnet banner also gives up the internal IP address:

[Image: calix-internal]


Netsynt CRD Voice Router Telnet CLI Default Password

February 4, 2014

The Netsynt CRD Voice Router (Shodan search) provides command line access via Telnet (port 23) and has a default password of ‘netsynt’ according to the manual:

[Image: netsynt]

Audemat FMB80 RDS Encoder Default root Credentials

January 28, 2014

“…The Audemat FMB80 RDS encoder is considered by many to be the industry standard. With over 10,000 encoders in use by broadcasters all over the world, Audemat has a wealth of experience and a well-deserved reputation for innovation and excellence. The heart of the FMB80 is the IP2 system, an Audemat innovation that puts the power of an entire computer inside the encoder. The IP2 system allows for great flexibility in configuration and communication, including the ability to ‘tunnel’ through the FMB80s’ Ethernet ports and establish serial communication with other devices. IP2 also allows the FMB80 to communicate via a serial port or over a TCP/IP connection, and in various data protocols such as EBU -UER SPB490, UECP and ASCII…”

The Audemat FMB80 RDS Encoder (Shodan search) contains default root credentials for the telnet service according to the manual.

By default, the FMB 80 is delivered with one user defined, login “root” password “root” with a userlevel of Root.

Audemat-Aztec FMB80 RDS Encoding

AZTEC Radiomedia ‘FMB80’ Telnet server
You are Client No. 1 out of 5
User:root
Password:****
Type HELP for list of commands
🙂
help
*** FMB80 : HELP COMMANDS ***

HELP.APPLI : Application specific help commands
HELP.BASIC : BASIC Interpreter commands help
HELP.DNS : DNS client commands help
HELP.EVENTS : Events commands help
HELP.FILE : File system commands help
HELP.FTP : FTP server commands help
HELP.FTP_CLIENT : FTP client commands help
HELP.HTTP_CLIENT : HTTP client commands help
HELP.HISTO : Log file commands help
HELP.MAIL : E-mail client commands help
HELP.MULTICAST : Multicast group commands help
HELP.NETCOM : NETCOM help commands
HELP.NETWORK : Network commands help
HELP.PPP : PPP commands help
HELP.SCHEDULER : SCHEDULER rules and commands help
HELP.SNMP : SNMP agent commands help
HELP.SYSTEM : System commands help
HELP.TIMERS : Timers commands help
HELP.TELNET_CLIENT : Telnet client commands help
HELP.UDP : UDP client/server commands help
HELP.USERS : Login and password table commands help
HELP.WEB : Web server commands help
HELP.SNTP : SNTP commands help
HELP.APPLI
*** FMB80 : OTHER HELP COMMANDS ***

HELP.RDS.SYSTEM Help on RDS System Commands
HELP.RDS.ENCODER Help on RDS Encoder Commands
HELP.RDS.SCROLL Help on RDS RT & PS scroll Commands
HELP.DSN Help on RDS Data Set related Commands
HELP.PSN Help on RDS Programme Service related Commands
HELP.STATUS Help on Supervision Related Commands
HELP.REL Help on Relay Output related Commands
HELP.DIG Help on Digital Input related Commands
HELP.TEMP Help on Temperature Sensor related Commands
HELP.RDS.ENCODER
*** FMB80 : RDS ENCODER CONFIGURATION COMMANDS HELP ***

BYPASS=i RDS ON i=0, RDS OFF i=1
LEVEL=i, LEVEL? Set/Display RDS Output level i=1-3199
PHASE=i, PHASE? Set/Display RDS Output phase i=0-359
SYNCHRO=X, SYNCHRO? Set/Display Sync mode X= AUTO, EXT or INT
PILOT? Display Pilot detection status
CT.OFFSET=i Local Time Offset X 1/2HR -24 to +24
(See CENELEC prEN 50067:1998 page 28)
CT=i Enable(1)/Disable(0) Group 4 Transmission
TA.CONTROL=a,b,c a=Min no. of grps between two 14B/15B grps
TA.CONTROL.{MIN|ON|OFF}=n n=0-15
EONTA.CONTROL=a,b,c b(,c)=No. of 14B/15B grps at TA=1(,0) transition
EONTA.CONTROL.{MIN|ON|OFF}=n n=0-15
PST=i Character code table selection i=0-3
RADIOTEXT=X X=LONG Broadcast 64 chars, X=SHORT Broadcast text only
REP_2A=i Enable(1)/Disable(0) 2A-group repetition
when sending a new radiotext.
GSIZE.CYC=i Maximise Cyclic buffer size for group i=0-15 or all, 16
GSIZE.PRIORITY=g Set Cyclic buffer priority g=0A-15B
DSN.CURR=i Select Data Set for transmission i=1-6
DSN(n).LIST=a,b,c,d,… Create Data Set with Main PSN a, EON PSN,s b,c etc
n=1 to 6 (Current DSN not accepted)
DSN(d).PSN(p).EON={1|0} Enable(1)/Disable(0) EON’s in DSN d and PSN p
GROUPS=i Set groups retransmission i=00000000-FFFFFFFF
RDS.IN=i Set GROUPS mode i=0-4
ALPHA=, Send alphanumeric message (80 char)
NUM10=, Send numeric message (10 digits)
(gv: see prEN 50067:1997, page 19 for valid codes)
ODA.gv.AID=xxxx Set AID (x=0-9, A-F)
ODA.gv.MSG=xxxx Set MSG (x=0-9, A-F)
ODA.gv.MSG2=xxxx Set MSG2 (x=0-9, A-F)
ODA.gv.TO=n Set TO (n=0-255)
ODA.gv.REPEAT=n Set REPEAT (n=0-15)
ODA.gv.SPACE=n Set SPACE (n=0-15)
ODA.gv.NB=n Set NB (n=1-60)
ODA.gv.WINDOW=n Set WINDOW (n=0-60)
ODA.gv.DELAY=n Set DELAY (n=1-59)
ODA.RPGS=g1,g2,… Set relative priority
PILOT?
1
HELP.DSN
*** FMB80 : DSN CONFIGURATION COMMANDS HELP ***

DSN=D Set Data Set ‘D’ for DSN and PSN configuration, D=0-6
DSN Display DSN config for DSN D

‘DSN(d).’ may go before next DSN commands
LIST=a,b,c,d,… Make PSN list a=0-255

Brocade ServerIron ADX 1016 Multiple Vulnerabilities

January 2, 2014

The Brocade ServerIron ADX 1016 (Shodan search) contains a default administrator account according to the manual:

The password | nopassword parameter indicates whether the user must enter a password. If you
specify password, enter the string for the user’s password.

NOTE
There is a default username “admin” and the password “brocade”. For the security purpose, you may
want to delete the default username. You will have to create at least one username in order to delete
it. Otherwise, the default username will be automatically created after rebooted.

By default Telnet does not require a password:

Enabling Telnet password
To assign a password for Telnet session access, enter the following command.
ServerIronADX(config)# enable telnet password secretsalso

With physical access you can reset the administrator password:

By default, the CLI does not require passwords. However, if someone has configured a password for
the ServerIron ADX but the password has been lost, you can regain super-user access to the
ServerIron ADX using the following procedure.
NOTE
Recovery from a lost password requires direct access to the serial port and a system reset.
Follow the steps listed below to recover from a lost password.
1. Start a CLI session over the serial interface to the ServerIron ADX.
2. Reboot the ServerIron ADX.
3. While the system is booting, before the initial system prompt appears, enter b to enter the boot
monitor mode.
4. Enter no password at the prompt. (You cannot abbreviate this command.)
5. Enter boot system flash primary at the prompt. This command causes the device to bypass the
system password check.
6. After the console prompt reappears, assign a new password.

Visual UpTime Select ASE Default Admin Credentials

December 28, 2013

The Fluke Networks Visual UpTime Select Analysis Service Element (ASE) (Shodan search) contains default administrator credentials for telnet access according to the manual.

Bring up the login: prompt by pressing Enter one or more times. At the login: prompt, type admin in lowercase and press Enter. At the Password: prompt, type the ASE password (visual in all lowercase is the default password) and press Enter to bring up the Admin> prompt. For more information about password settings, see “Changing the ASE password.”

Output from a session:

login: admin
Password: ******

Admin> sh

APPFILTER

App Filters are DISABLED.

Application FLOWS and SERVERS will be
collected for all hosts in all subnets.

Local Subnets
==================

CIRCUIT
Circuits In Use = 3 of 155

COMMUNITY

Read-Write Community : private
Public read-only : Yes
Read-Only Community : public

ETHERNET

MAC Address: 00A00E1EAAC5

Interface Eth 1 (SPAN):

Speed: Auto
Actual: 100 Mbps
Duplex: Full

Interface Eth 2 (LAN):

Speed: Auto
Actual: 100 Mbps
Duplex: Full

EVENT

Elapsed Time Event Description
———— —————–
37d-02:39:20 IP Circuit 1030 is Active
37d-02:43:43 IP Circuit 1030 is Inactive
63d-08:34:06 IP Circuit 1030 is Active
63d-21:33:36 IP Circuit 1030 is Inactive
70d-07:29:13 IP Circuit 1030 is Active
70d-07:34:34 Line Status change: LAN interface is UP
70d-07:34:52 Line Status change: WAN interface is UP
70d-07:43:43 IP Circuit 1030 is Inactive
70d-07:44:32 Line Status change: LAN interface is DOWN
70d-07:44:32 Line Status change: WAN interface is DOWN
106d-15:59:13 IP Circuit 1030 is Active
106d-16:03:36 IP Circuit 1030 is Inactive
168d-18:14:14 IP Circuit 1030 is Active
168d-18:18:37 IP Circuit 1030 is Inactive
203d-17:14:14 IP Circuit 1030 is Active
203d-22:03:37 IP Circuit 1030 is Inactive
204d-16:34:06 IP Circuit 1030 is Active
204d-16:43:44 IP Circuit 1030 is Inactive
225d-21:34:06 IP Circuit 1030 is Active
225d-21:36:28 Line Status change: LAN interface is UP
225d-21:36:37 Line Status change: WAN interface is UP
225d-21:44:19 Line Status change: LAN interface is DOWN
225d-21:44:19 Line Status change: WAN interface is DOWN
225d-22:33:36 IP Circuit 1030 is Inactive
229d-18:24:20 IP Circuit 1030 is Active
229d-18:28:43 IP Circuit 1030 is Inactive
235d-18:24:20 IP Circuit 1030 is Active
235d-18:33:36 IP Circuit 1030 is Inactive
236d-17:54:20 IP Circuit 1030 is Active
236d-17:58:43 IP Circuit 1030 is Inactive
241d-16:14:13 IP Circuit 1030 is Active
241d-16:18:36 IP Circuit 1030 is Inactive
241d-20:24:20 IP Circuit 1030 is Active
241d-20:28:43 IP Circuit 1030 is Inactive
260d-03:49:06 IP Circuit 1030 is Active
260d-03:58:44 IP Circuit 1030 is Inactive
334d-23:09:20 IP Circuit 1030 is Active
334d-23:13:43 IP Circuit 1030 is Inactive
420d-10:44:13 IP Circuit 1030 is Active
420d-22:03:36 IP Circuit 1030 is Inactive
438d-15:22:16 Bad SNMP community name from 10.34.43.1
478d-14:24:20 IP Circuit 1030 is Active
478d-14:33:37 IP Circuit 1030 is Inactive
480d-02:34:36 Bad SNMP community name from 10.34.43.1
486d-11:14:13 IP Circuit 1030 is Active
486d-11:18:37 IP Circuit 1030 is Inactive
486d-17:09:19 IP Circuit 1030 is Active
486d-17:18:36 IP Circuit 1030 is Inactive
486d-19:24:19 IP Circuit 1030 is Active

FILTER

Filter Method: MAC

Router
IP Address MAC Dir
—————- —————– —
Filter 1: 10.34.12.253 00:0E:38:EF:E5:08 WAN

ID
Visual UpTime Select IP Transport 10/100 Ethernet Inline ASE

Software version: I 2.5.019 – Feb 20 2007
Serial Number: 0122-0010949
Installed memory: 128M

Protected by U.S. patents: 5,867,483; 5,521,907; 6,058,102;
6,147,998; and 6,564,214.

This product may also be protected by other U.S. or foreign patents.

Copyright (c) 1995-2006 Fluke Corporation(R).
All Rights Reserved.

LAN interface IP Address: 10.34.12.150
LAN interface Subnet Mask: 255.255.255.0
Default Router IP Address: 10.34.12.254

Running for 19 days 21 hours 13 minutes 26 seconds

IP
Management IP address: 10.34.12.150
Management IP subnet mask: 255.255.255.0
SLIP interface address: NONE
SLIP interface subnet mask: NONE
Primary router address: 10.34.12.254

IP Statistics
In Receives: 125806088 Out Requests: 904356
In Delivers: 4243925 Out Discards: 0
In Header Errors: 3 Out No Routes: 0
In Address Errors: 120154348 Reassemble Requests: 8
In Unknown Protocols: 0 Reassemble Oks: 4
In Discards: 0 Reassemble Fails: 0
Datagrams Fragmented: 0 Forwarded Datagrams: 0
Fragments Created: 0
Fragment Fails: 0

LINK

Interface type: Ethernet

PASSWD

SECURITY
The security table is empty

Host address security is DISABLED

SERIAL
Console/SLIP speed : 19200

SITE
NAME:
LOCATION:
CONTACT:

SLA
Inter-ASE messaging: ON
Fixed Local SLA IP Address: 10.34.12.150

SLIP
Connection Type : Dial

SPAN

Span Mode: ON

STATUS
This ASE has been running for 19d-21:13:27.
Ethernet Eth 1 (WAN) link state is up
Ethernet Eth 2 (LAN) link state is up

VLAN

Management VLAN: None (Auto)
SLA VLAN: None

Admin>
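
The dump above leaves the SNMP communities at public/private, the security table empty and host address security disabled. The following audit of such a dump is an added example, not part of the original post or of any Fluke tooling; the function name and the severity labels are this example's own assumptions, and the sample is an excerpt of the output above.

```python
import re
from collections import Counter

# Excerpt of the `sh` output above, trimmed to the lines this audit reads.
SAMPLE = """\
COMMUNITY
Read-Write Community : private
Public read-only : Yes
Read-Only Community : public

EVENT
438d-15:22:16 Bad SNMP community name from 10.34.43.1
480d-02:34:36 Bad SNMP community name from 10.34.43.1

SECURITY
The security table is empty
Host address security is DISABLED
"""

DEFAULT_COMMUNITIES = {"public", "private"}  # widely known SNMP defaults


def audit_ase_dump(text):
    """Return (severity, message) findings; severities are this example's own."""
    findings = []
    pattern = r"^(Read-(?:Write|Only) Community)\s*:\s*(\S+)"
    for label, value in re.findall(pattern, text, re.M):
        if value.lower() in DEFAULT_COMMUNITIES:
            sev = "high" if "Write" in label else "medium"
            findings.append((sev, f"{label} is the well-known string '{value}'"))
    if re.search(r"^Host address security is DISABLED", text, re.M):
        findings.append(("medium", "host address security is disabled"))
    if re.search(r"^The security table is empty", text, re.M):
        findings.append(("low", "security table has no entries"))
    # The device logs rejected community strings; surface the sources.
    rejected = Counter(re.findall(r"Bad SNMP community name from (\S+)", text))
    for src, count in sorted(rejected.items()):
        findings.append(("info", f"{count} rejected SNMP request(s) from {src}"))
    return findings


if __name__ == "__main__":
    for sev, msg in audit_ase_dump(SAMPLE):
        print(f"[{sev}] {msg}")
```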

ASUS RT-N13U Router Default Admin Account

December 10, 2013

The ASUS RT-N13U router is based on BusyBox and ships with a default admin account (password is ‘admin’) for the telnet and HTTP services.

df:/home/df # telnet 1.2.3.4
Trying 1.2.3.4…
Connected to 1.2.3.4.
Escape character is ‘^]’.

RT-N13U login: admin
Password:

BusyBox v1.12.1 (2009-10-09 18:04:11 CST) built-in shell (ash)
Enter ‘help’ for a list of built-in commands.

# cat /etc/passwd
admin:jKkTCfzjlNNsk:0:0:Adminstrator:/:/bin/sh
# exit
Connection closed by foreign host.
df:/home/df #

Alvarion BreezeACCESS VL Default Credentials

December 7, 2013

The Alvarion BreezeACCESS VL contains default credentials for telnet access according to the manual.

[Image: breezeaccess]

df:/home/df # telnet 1.2.3.4
Trying 1.2.3.4…
Connected to 1.2.3.4.
Escape character is ‘^]’.

Select Access Level
===================
1 – Read-Only
2 – Installer
3 – Administrator
Main Access Point >>> 3

Enter password (up to 8 printable ASCII chars)
> *******

BreezeACCESS/AU-NI
Official Release Version – 4.3.28
Release Date: Wed Jul 02 20:01:24 2003
Main Menu
=========
1 – Info Screens
2 – Unit Control
3 – Basic Configuration
4 – Site Survey
5 – Advanced Configuration
X – Exit
Main Access Point >>> 1

BreezeACCESS/AU-NI
Official Release Version – 4.3.28
Release Date: Wed Jul 02 20:01:24 2003
Info Screens
============
1 – Show Unit Status
2 – Show Basic Configuration
3 – Show Advanced Configuration
S – Show All Parameters
Main Access Point >>> 1

Unit Type : Access Unit
Unit MAC Address : 00-20-D6-C1-31-6B
Current Number of Associations : 8
Number of Associations Since Last Reset : 30

Unit Hardware Version : E
Flash Type : Type S 4M

Flash Versions
==============
Current Version : 4.3.28
Shadow Version : NONE
Version After Reset : 4.3.28

Console Speed : 9600
Press any key to return >

BreezeACCESS/AU-NI
Official Release Version – 4.3.28
Release Date: Wed Jul 02 20:01:24 2003
Info Screens
============
1 – Show Unit Status
2 – Show Basic Configuration
3 – Show Advanced Configuration
S – Show All Parameters
Main Access Point >>>
telnet> close

ASUS WL520gu Wireless Router Multiple Vulnerabilities

December 6, 2013

The ASUS WL520gu Wireless Router (Shodan search) has a default account of admin/admin. It uses basic authentication, so the “logout” function doesn’t properly terminate the web application session, allowing persistent access from the browser that previously authenticated to it.

There are also two pages that return cleartext passphrases and only obscure them with JavaScript:

http://localhost/Basic_GOperation_Content.asp
WPA-PSK passphrase returned in clear (CVE-2013-78002):
[Image: wl520-passphrase]

http://localhost/Advanced_Wireless_Content.asp
WPA Pre-Shared Key returned in clear (CVE-2013-78003):
[Image: wl520-wpa_preshared]

By default telnet is enabled allowing remote admin access using the same default:

df:/home/df # telnet 1.2.3.4
Trying 1.2.3.4…
Connected to 1.2.3.4.
Escape character is ‘^]’.
WL-0022159F09A9 login: admin
Password:
[admin@WL-0022159F09A9 root]$ cd /etc
[admin@WL-0022159F09A9 etc]$ cat passwd
admin:$1$$CoERg7ynjYLsj2j4glJ34.:0:0:root:/usr/local/root:/bin/sh
nobody:x:99:99:nobody:/:/sbin/nologin
[admin@WL-0022159F09A9 etc]$
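
Both ASUS sessions on this page (RT-N13U and WL520gu) show password hashes stored directly in /etc/passwd. The following firmware-review check is an added example, not part of the original posts; it classifies each hash field and lists the weaknesses, and its function names are this example's own. It recognises only the plain `$1$`, `$5$` and `$6$` layouts and traditional DES crypt.

```python
import re

# The /etc/passwd lines shown in the two ASUS sessions on this page.
SAMPLE = """\
admin:jKkTCfzjlNNsk:0:0:Adminstrator:/:/bin/sh
admin:$1$$CoERg7ynjYLsj2j4glJ34.:0:0:root:/usr/local/root:/bin/sh
nobody:x:99:99:nobody:/:/sbin/nologin
"""

B64 = r"[./0-9A-Za-z]"  # crypt(3) base-64 alphabet
MODULAR = {"1": "md5-crypt", "5": "sha256-crypt", "6": "sha512-crypt"}


def classify_hash(field):
    """Return (scheme, salt) for the password field of a passwd entry."""
    if field in ("x", "*", "!", "!!"):
        return "shadowed-or-locked", None
    if field == "":
        return "empty", None
    m = re.fullmatch(rf"\$([156])\$([^$]*)\$({B64}+)", field)
    if m:
        return MODULAR[m.group(1)], m.group(2)
    if re.fullmatch(rf"{B64}{{13}}", field):
        return "des-crypt", field[:2]  # first two characters are the salt
    return "unknown", None


def audit_passwd(text):
    """Return [(user, scheme, [issues])] for entries with at least one issue."""
    findings = []
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) != 7:
            continue  # not a passwd record
        user, pw, uid = parts[0], parts[1], parts[2]
        scheme, salt = classify_hash(pw)
        issues = []
        if scheme in ("des-crypt", *MODULAR.values()):
            issues.append("hash is stored in passwd instead of a shadow file")
        if scheme == "des-crypt":
            issues.append("DES crypt only uses the first 8 password characters")
        if scheme == "md5-crypt":
            issues.append("md5-crypt is a legacy scheme that is cheap to brute-force")
        if scheme == "empty":
            issues.append("empty password field")
        if salt == "":
            issues.append("empty salt: equal passwords hash identically on every unit")
        if uid == "0" and user != "root":
            issues.append("UID 0 under a non-root account name")
        if issues:
            findings.append((user, scheme, issues))
    return findings
```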

Impinj Speedway RFID Reader Default root Credentials

November 11, 2013

Impinj Speedway RFID readers (Shodan search) have a default root account for telnet access.

Log in to the reader. Default credentials are:
user name: root
password: impinj

This gives you access to a custom shell with menu commands:

df:~ # telnet 1.2.3.4
Trying 1.2.3.4…
Connected to 1.2.3.4.
Escape character is ‘^]’.

Impinj Powered RFID Reader Octane.v3.2.1 (Speedway-00-23-53) (0)

Speedway-00-23-53 login: root
Password:
> ?

Commands:
reboot – Reboots the system.
exit – Exit this submenu and return to the parent menu.
help – Displays this help message.
? – Displays this help message.

Sub-menus:
config – Submenu of configuration commands.
show – Submenu of elements that may have their configuration or status
shown.
transfer – Submenu of transfer commands.
> show
show > ?

Commands:
access – Show users and their access level.
exit – Exit this submenu and return to the parent menu.
help – Displays this help message.
. – Exit this submenu and return to the parent menu.
? – Displays this help message.

Sub-menus:
all – Submenu of multi-category info display commands.
image – Submenu of image status commands.
logging – Submenu of logging status commands.
network – Submenu of network status commands.
rfid – Submenu of RFID status commands.
snmp – Submenu of SNMP status commands.
system – Submenu of system status commands.
show > image
show image >

Verint Nextiva S1900e Series Default Unauthenticated Access

October 31, 2013

Verint Nextiva S1900e series devices (Shodan search) allow unauthenticated access to HTTP and telnet by default. According to the manual:

Designed for video monitoring and surveillance over IP networks, the Nextiva S1900e series is a highly compact, single-input or -output edge device.

Web interface:

[Images: verint1, verint2]

Telnet:

df:/home/df # telnet 1.2.3.4
Trying 1.2.3.4…
Connected to 1.2.3.4.
Escape character is ‘^]’.

***********************************************************
* Verint Video Solutions S1970e VRU – 1.2.3.4 *
***********************************************************
Main Menu
———————————————————–
Menus:
1) Serial Port
2) Access Management
3) System Status
4) Network
5) Ethernet Communication
6) Advanced

Commands:
s) Save Settings
r) Reboot System
l) Load Default Configuration
q) Quit
***********************************************************
Command: !”‘^]
telnet> close
Connection closed.
df:/home/df #