*,;*,;*,;*,;*,;*,;*,;*,;*,;*,;*,;*,;*,;*,;*,;*,;*,;*,;*,;*,;*,;*,;*,;*,;*,;*,;* *,;*,;*,;*,;*,;*,;*,;*,;*,; <&#<>.<>./<^>\.<>.<>#&> ;*,;*,;*,;*,;*,;*,;*,fuckup !;;;;::--==--::--==--::--:[ ]:--::--==--::--==--::;;;;! :: :: :: :: ;: ^^.;>.;>.;>.^^.;>.;>.;>^^ K - 1 i n e #5 ^^.;>.;>.;>.^^.;>.;>.;>^^ :; ;; ;: :: Follow Me Down :: `:==--::--==--::--==--::--==--::--==--::--==--::-- ]:--::--==--::--==--::--==:' ^ ^ ^ Summer 2000 ^ ^ ^ *: 'A Nettwerked Product' :* *: :* *: :* *: [-] Introduction .......................................... The Clone :* *: (-) Contact Information ................................... The Clone :* *:-=><=--=><=--=><=--=><=--=><=--=><=--=><=--=><=--=><=--=><=--=><=--=>g4p<=:* *: Featuring... *: (x) 'Shopping Cart Vulnerabilities' ....................... PsychoSpy :* *: (x] 'The Internet Told Me So' ............................. Untoward :* *: (x) 'Passive Fingerprinting' .............................. PsychoSpy :* *: (x) 'Default Password List [Version 3.00]' ................ Eric Knight :* *: (x) '4ncifer Manifest' .................................... 4ncifer :* *: (x) 'Internet Explorer 5 Force Feeding' ................... PsychoSpy :* *: (x) 'RADIO DIRECTION FINDING WITH PCS/GSM MOBILE TERMINALS' Wargames :* *: (x) 'Our First Exploration in a Downtown Drain' ........... Magma/Miklos :* *: (x) 'The Comprehensive Guide to Paytel Canada payphones' .. The Clone :* *: [-] Credits ............................................... The Clone :* *: [-] Shouts ................................................ The Clone :* *: :* *: :* *: :* *: :* p e e k a b o o . . . =-=- == -= - . -= = =- -= - = ., . , -=-=-=-=- =- -= -= =- = = -= = , . =- © © ©©©©© ©©©©© ©©©©© © © ©©©©© ©©©© © © ©©©©© © © © © © ©©©© © © © © © ©©©© ©©©© ©©© ©©©© © © © ©© © © © © © © © © © © © © © © © © © ©©©©© © © ©© ©© ©©©©© © © © © ©©©©© © © . net == - , , ;; ;: ; ; / ; / ; ; ; ; / ;/;/; / ; / ; ;; - - = - -= = - .,. ,. -= =- = = - .,. , - , ,. , =- -= - -= , , . . . ., =- -= = .=, , , ., , ., , Introduction -- Welcome once again for another edition of K-1ine zine. I am your writer/editor Mr.T Clone, who is literally melting into his chair as he writes under the insane Canadian summer heat - 28 degrees (celcius). At the present time I am wondering to myself why in the hell I'm bothering to do this considering the circumstances; it must be the heat getting to my half-functional brain telling myself to do some writing or it's going to shut off completely. Yes yes yes, it's the summer of 2000. For some of you reading this it probably feels like just yesterday when you were writing your final exams before the summer of 69, BUT suddenly without warning the rocks of reality smash you in the nose and you realize it's the summer of 2000... the only tests you're going to be taking are those damn prostate exams. They are neccessary believe it or not. Get your prostate exam done today or tomorrow if you're a male baby boomer who hasn't thought about this. -[sidetracked]- Argh I need a shower - a nice cool shower... mmm... *droowl* Argh I hate you all. Enjoy this compilation of files that have been on my site for more than a week. Enjoy it because I told you to. For some real fancy dancey writings, go to www.iamhappyblue.com For some high quality hacking/phreaking documentation, go to http://phrack.infonexus.com For wholesome Canadian zine packed full of yummy goodness, keep on reading. If your girl is on her rag and she's giving you shit, slap the bitch in the mouth! -=-=- The Muthafuckin' New Skool; The Clone -=-=- - Contact -- Comments/Questions/Submissions: theclone@nettwerked.net Check out my site: (Nettwerked) http://www.nettwerked.net Shoot me an ICQ message: (UIN) 79198218 -- Shopping Cart Vulnerabilities - by PsychoSpy ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Sorry about this but it has to be done considering the seriousness this text could bring along. *************** LEGAL DISCLAIMER *************** That's correct! It's the legal bull shit we HAVE to go through! This text is for educational purposes only. Any illegal use of the information contained in this text is highly discouraged. The writter of this text takes no responsibilities for any actions which are taken as a result of the following text. *************** /LEGAL DISCLAIMER *************** Well here comes yet another text for me! I'm just in one of those writing moods right now. So, you want some credit cards to card stuff with huh? And now a days with the online transactions systems that they have in place, the credit card generators just don't work anymore! They actually verify the credit card on an online database to make sure everything is correct! Damn eh! Looking for a solution to this problem? Well my friend, I've got it for you. Using the methods I will detail in this text, I have gotten over 3,000 Credit Card numbers in less than 2 hours! Mind you I usually just trade them to people for software, favours etc. it's still kinda cool. So, we've all seen those small ma and pa style of online stores, right? They have ALL got some sort of Shopping Cart type of CGI script, which is almost always designed by some guy who knows nothing about security and barely knows how to password protect. The biggest problem with these sites is that the programmers don't have a clue what world readable means. So, what ends up happening is that credit card numbers are left in directories, and files which are, duh, world readable, and, in many cases, un-encrypted. There are also some problems with a couple programs which allow anyone to change the administrators password without knowing the original one (administration password for the scripts). So, on we go into the details of some different scripts and how we can access the credit card numbers (along with address, zip, phone# etc.) Listed at the end of this text are the various scripts which have been found to set transaction (order) log files to a default of world readable. So, the first attack I will outline is for the sites with the order log being world readable problem. Here's what you do to find tons of credit cards quickly. 1. Go to your favourite search engine 2. Type in the executable name, exposed directory name, or any other exposed files (like the order logs themselves) 3. Once the search pops up weed through these sites 4. If you type in an executable name, then once you're at the executable, erase the executable name, and insert the exposed directory, and order log. OR If you searched for the order log than it's right there OR If you searched for the exposed directory, type in the name of the order log. 5. Save the order log to your hard drive, or any other storage device and you have REAL WORKING credit cards to use for whatever you please! 6. DON'T BE STUPID! OR YOU WILL GET CAUGHT! Excercise EXTREME caution if you purchase anything with these. In fact, I HIGHLY suggest you DON'T. The other attack is one that is specific to the WebCart32 program which is used by many small-medium, and even some large, sites. Search for any of these sites to gain targets. Than once you've found a site go to the undocumented URLs of: http://charon/scripts/cart32.exe/cart32clientlist This will give you a list of usernames and passwords for Cart32 Administrator access to different clients on the server (NOTE: A client is basically a shopping site). Mind you these passwords are hashed, but can still be used in a creative way. An example of this is to embed the hashed password into a specially crafter URL that would allow the attacker to prime the server to run an arbitrary command when an order is confirmed: http://charon/scripts/c32web.exe?TabName=Cart32%2B&Action=Save+Cart32%2B+Tab &SaveTab=Cart32%2B&Client=foobar&ClientPassword=e%21U%23_%25%28%5D%5D%26%25*%2B-a &Admin=&AdminPassword=&TabToSave=Cart32%2B&PlusTabToSave=Run+External+Program &UseCMDLine=Yes&CMDLine=cmd.exe+%2Fc+dir+%3E+c%3A%5Cfile.txt The above URL would set the cart's properties to spawn a shell, perform a directory listing and pipe the output to a file called file.txt on the root of the C: drive when an order is confirmed. After doing this, the attacker would then create an order and confirm it, thus executing the command (NOTE: This specific URL would not work on any webserver, you need to replace the password details and client info with the one for the site you're working on, I think you get the idea). The second vulnerability in this sopping cart system is that you can change the Admin password for the script, without knowing the original. This is done with another undocumented file at: http://charon/scripts/c32web.exe/ChangeAdminPassword Is that crazy stuff or what? I'm sorry, but this programmer must have been COMPLETELY out to lunch when he programmed this. Either that or he wanted one hell of a lot of shopping sites to be at his whim. Anyways, here's the list of known shopping carts with the world readable order log problem. I am sure there are more out there, and I'm sure some of these have been fixed. Either way, there are still TONS of vulnerable sites out there. Selena Sol's WebStore 1.0 http://www.extropia.com/ Platforms: Win32 / *Nix (Perl5) Executable: web_store.cgi Exposed Directory: Admin_files Exposed Order info: Admin_files/order.log Status: Commercial ($300)/ Demo available. PGP Option available?: Yes Order Form v1.2 http://www.io.com/~rga/scripts/cgiorder.html Platforms: Win32 / *Nix (Perl5) Executable: ? Exposed Directory: Varies, commonly "Orders" "order" "orders" etc.. Exposed Order Info: order_log_v12.dat (also order_log.dat) Status: Shareware ($15/$25 registration fee) PGP Option available?: Unknown. Seaside Enterprises EZMall 2000 http://www.ezmall2000.com/ Platforms: Win32 / *Nix (Perl5) Executable: mall2000.cgi Exposed Directory: mall_log_files Exposed Order Info: order.log Status: Commercial ($225.00+ options) PGP Option Available?: YES QuikStore http://www.quikstore.com/ Platforms: Win32 / *Nix (Perl5) Executable: quikstore.cgi Exposed Order info: quikstore.cfg* (see note) Status: Commercial ($175.00+ depending on options) PGP Option Available?: Unknown. NOTE: Although the order information itself is secured behind an htaccess name/pwd pair, the config file is not. The config file is world readable, and contains the CLEAR TEXT of the ADMINS user id and password - rendering the entire shopping cart vulnerable to an intruder. QuikStore's "password protected Online Order Retrieval System" can be wide open to the world. (Armed with the name and pwd, the web visitor IS the administrator of the shopping cart, and can view orders, change settings and order information - the works.) PDGSoft's PDG Shopping Cart 1.5 http://www.pdgsoft.com/ Platforms: Win32 / *Nix (C/C++(?)) Executable: shopper.cgi Exposed Directory: PDG_Cart/ (may differ between installs) Exposed Order info: PDG_Cart/order.log Exposed Config info: PDG_Cart/shopper.conf (see note) Status: Commercial ($750+ options) PGP Option Available?: Unknown. (Couldn't get a yes or no outta them) NOTE: if they renamed the order log, shopper.conf will tell you where it's at and what it was named - worse, shopper.conf exposes the clear text copy of Authnet_Login and Authnet_Password, which gives you full remote administrative access to the cart. shopper.conf is world readable and totally unsecured. Mercantec's SoftCart http://www.mercantec.com/ Platform: Win32 (*Nix?) Executable: SoftCart.exe (version unknown) Exposed Directory: /orders and /pw Exposed Order Info: Files ending in "/orders/*.olf" Exposed Config Info: /pw/storemgr.pw (user ID and encrypted PW for store mgr?) PGP Option Available?: Unknown Mountain Network Systems Inc. http://www.mountain-net.com Platform: ? Exposed Directories: /config, /orders (and others. They're all listed in config-file) Exposed Order Info: orders.txt Exposed Config Info: mountain.cfg PGP Option Available?: Unknown Status: Commercial, ranging from $399 to $4650. Cybercash 2.1.4 - http://www.cybercash.com Platforms: Sparc? Exposed directory: /smps-2.1.4-solaris-sparc/ Exposed order info: Several files, as far as I can see. Many are located in the /db/credit directory. Whats worse: Exposed admin-password and configuration-files: admin.pw and admin.conf. Status: commercial. Perlshop Version? Platforms? Executable file: perlshop.cgi Exposed directory: /store/customers/, /store/temp_customers/ Exposed orderinfo: Several files, eight-digit numbered names. Status: adverware. Only requirement is to display a "powered by perlshop" - logo on page. Well then, this is the end of another FINE file created by PsychoSpy (if I do say so myself). I hope this file is useful to someone out there, and if anyone has any questions about this or any of my other files, please do not hesitate to contact me. My contact info is below, and you can almost always catch me at irc.2600.net #2600ca. Anyways, greet'z go out to the usual people, The Clone, Enoch_Root, and all the guys at #2600ca and who are in the Canadian scene. Keep up the good work! Hail Non-Existent Crew! -- PsychoSpy PsychoSpy@softhome.net ICQ#: 5057653 --- -=-=-=- You can close your windows lock your doors leave me leaning on widows sucking on whores I know that ugly men in beautiful ties can fool you with their business card lives allow your finger into their pies hide you from their wives The internet told me so, and with a silly buffer overflow I know where you were last night that's right You can call it done say you never loved me that we had our fun and that was all it was meant to be and that was all I was meant to be but I've seen your personal emails business men fetish she-males selling you amongst themselves retail I know you in perfect bitmap detail the internet told me so and with a silly buffer overflow I know where you were last night that's right I know who you were last night. -untoward --- poor jew-spotting technique, Alan. Slavic jews lack any distinguishing facial features. Hitler must of had a tough time with them Slavic jews Man... I sound like some sort of neo-nazi DIY racewar pamphlet. Passive Fingerprinting - By PsychoSpy ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ So, here's the scenario. You found this sweet server that you want to get into. Do you just jump right in and start trying things? I sure hope not! Your first task should be to gather information about the server. Unfortunately a lot of the time when we do this the server figures out what we're doing, and starts to keep tabs on us before we can even get started, causing some serious misfortune to many a hacker. Is there a solution? Sure there is! What's the solution you ask? The solution is Passive Fingerprinting. With passive fingerprinting you can ID a remote host, without them knowing! So, now you want to know how to do. Well, I guess that's the whole point to this text so here we go! With this method you can determine the operating system and a few other characteristics of the remote host using nothing more then sniffer traces. Although it's not 100% accurate, you can get surprisingly good results. A proof of concept tool based on some of the concepts which I'll talk about in this text, was developed by Craig Smith. Also, the subterrain crew has developed siphon, a passive port mapping and OS fingerprinting tool. Traditionally, fingerprinting of Operating Systems has been accomplished by active tools like queso and nmap. These tools work on the principle that every OS's IP stack has it's own characteristics and idiosyncrasies. i.e. different operating system respond differently to a variety of malformed packets. All that has to be done it to build a database on how the different OS's respond to the different malformed packets. Once this has been done, to determine the OS of a remote host/server all one has to do is send it a variety of malformed packets, figure out how it responds, and then compare the responses to those in the database. Fyodor's nmap is tool of choice when using this methodology, he has also written a highly detailed and interesting paper on this. Now on to passive fingerprinting. Passive fingerprinting follows the same general concept but is implemented differently. Passive fingerprinting is based on sniffer traces from the remote system. Instead of actively querying the remote system, all one needs to do is capture packets sent to and from the remote system. Based on the sniffer traces of these packets, you can determine the OS of the remote system. Exactly as is done in active fingerprinting, passive is based on the idea that every OS's IP stack has it's own characteristics. By analyzing these sniffer traces and IDing these differences, you can (fairly accurately) determine the OS of the remote system. Now you're asking what the signatures in the packets we look at are. So, we'll answer that now. There are four areas that we will look at to figure out what OS is being used. There are more that can be used, but these are the most used and basic. - TTL - This is what the OS sets the Time To Live on the outbound packet - Windows Size - This is what the OS sets the Window Size at. (duh!) - DF - Does the OS set the Don't Fragment bit? - TOS - Does the OS set the Type of Service? If so, to what? By analyzing these areas of a packet, you might be able to determine the remote OS. This method is not 100% accurate, and works better on some OS's than others. No single signature can reliably tell you the remote OS. However, by look at several signatures and combining all of them, you can significantly increase the accuracy of IDing the remote system. Just in case you don't completely get it yet, and would like it, I have included an example. Below is the sniffer trace of a system sending a packet. This system launched a mountd exploit against a, so I want to learn more about it. Yeah I know it's not a server we're attacking but it's the best example I could find. Let's pretend it's a server we're going to attack though. Obviously we don't want to finger or nmap the box because that would give us away immediately. Instead, I want to study the information passively. This signature was captured using snort (a great sniffer.) 04/20-21:41:48.129662 129.142.224.3:659 -> 172.16.1.107:604 TCP TTL:45 TOS:0x0 ID:56257 ***F**A* Seq: 0x9DD90553 Ack: 0xE3C65D7 Win: 0x7D78 Based on our 4 criteria, we identify the following: * TTL: 45 * Window Size: 0x7D78 (or 32120 in decimal) * DF: The Don't Fragment bit is set * TOS: 0x0 Since we now have this information, we compare this to a database of signatures. First, we take a look at the TTL used by the remote system. From the trace above, as you can see, the TTL was set to 45. This means that it most likely went through 19 hops to reach us, so the original TL was set to 64. Based on this TTL, the box seems to be Linux or FreeBSD. The TTL is confirmed by doing a traceroute to the system. Obviously we're concerned that the remote box will detect us, so we set our traceroute time-to-live to be one or two hops less then the remote most (-m option). For example in this case we would do a traceroute to the remote host, but using only 18 hops. This gives to the path info, without actually touching the remote system. What next? We move on and compare the Window Size. The window size is another effective tool, more specifically what Windows Size was used and how often the size changes. In the example signature, we see it set at 0x7D78, which is a default Window Size used in Linux. As another point, Linux, FreeBSD, and Solaris tend to keep the same Window Size for a whole session. However, Cisco Routers and Micro$oft Windows/NT Window Sizes are constantly changing. It has been found that Window Size is more accurate if taken into effect after the initial three-way handshake. For more info on Window Size, grab a copy of "TCP/IP Illustrated Volume 1" (a GREAT book if your interested in learning more about networking) in Chapter 20. Unfortunately the DF bit has very little value to us. Most systems use the DF bit set so we're somewhat FUBAR on that account. But, it does make it somewhat easier to ID the few systems that do not use the DF flag (examples are SCO and OpenBSD). One thing to remember is that, just like Active Fingerprinting, Passive Fingerprinting has a few limitations. The first is that applications that build their own packets, will not use the same signatures as the OS. Another is that it is pretty easy for a remote system to adjust the TTL, Window Size, DF, and TOS settings on the packets. As was said earlier, we are not limited to the four signatures which we discussed earlier. There are others that can be used, such as TCP or IP options, initial sequence numbers, and IP Identification numbers. As an example, Cisco routers tend to start IP Ident numbers at 0, instead of randomly assigning them. Another idea is that ICMP payloads can be used. Max Vision discusses using ICMP payload type or TCP options for remote host identification. Microsoft ICMP Request payloads are alphabetic, but Solaris or Linux ICMP Request payloads have alphabetic and symbolic characters. Passive fingerprinting is also a tool that servers will use to figure out who/what/where you are while making an attack if you aren't so stealthy. As a conclusion all I can say is that as hackers we need every tool available to us to keep us in the shadows. Why broadcast what we're trying to do to the servers we're attacking if we can keep them in the dark, and keep ourselves in a stealth like manner. Greet'z go out to The Clone (YOU ROCK!!) and Enoch_Root. This has been yet another fine production of the Non-Existent Crew (WE'RE ALL CANADIAN EH!! ;-) -- PsychoSpy PsychoSpy@softhome.net ICQ#: 5057653 07.15.00 --- Default Password List Version 3.00 Maintained by Eric Knight (knight@securityparadigm.com) Last Update: July 6th, 2000 Updates Available at: http://www.securityparadigm.com/defaultpw.htm Protocol can be any network protocol name, or CONSOLE for requiring physical access or MULTI meaning any console connection Manufacturer Product Revision Protocol User ID Password Access Level Comment 3COM Office Connect ISDN Routers 5x0 Telnet? n/a PASSWORD Admin 3COM adm (none) 3COM admin synnet 3COM debug synnet 3COM manager manager 3COM monitor monitor 3COM read synnet 3COM security security 3COM tech tech 3COM write synnet Advanced Integration BIOS Console n/a Advance Admin AMI PC BIOS Console n/a AM Admin AMI PC BIOS Console n/a AMI Admin AMI PC BIOS Console n/a A.M.I Admin AMI PC BIOS Console n/a AMI_SW Admin AMI PC BIOS Console n/a AMI?SW Admin AMI PC BIOS Console n/a aammii Admin AMI PC BIOS Console n/a AMI!SW Admin AMI PC BIOS Console n/a AMI.KEY Admin AMI PC BIOS Console n/a AMI.KEZ Admin AMI PC BIOS Console n/a AMI~ Admin AMI PC BIOS Console n/a AMIAMI Admin AMI PC BIOS Console n/a AMIDECOD Admin AMI PC BIOS Console n/a AMIPSWD Admin AMI PC BIOS Console n/a amipswd Admin AMI PC BIOS Console n/a AMISETUP Admin AMI PC BIOS Console n/a BIOSPASS Admin AMI PC BIOS Console n/a CMOSPWD Admin AMI PC BIOS Console n/a HEWITT RAND Admin Amptron BIOS Console n/a Polrty Admin AST BIOS Console n/a SnuFG5 Admin AT&T 3B2 Firmware Console n/a mcp Admin Autodesk Autocad Multi autocad autocad User AWARD BIOS Console n/a Award Admin AWARD BIOS Console n/a AWARD_SW Admin AWARD BIOS Console n/a SW_AWARD Admin AWARD BIOS Console n/a AWARD?SW Admin AWARD BIOS Console n/a lkwpeter Admin AWARD BIOS Console n/a LKWPETER Admin AWARD BIOS Console n/a j262 Admin AWARD BIOS Console n/a j256 Admin AWARD BIOS Console n/a ?award Admin AWARD BIOS Console n/a 01322222 Admin AWARD BIOS Console n/a 256256 Admin AWARD BIOS Console n/a 589589 Admin AWARD BIOS Console n/a 589721 Admin AWARD BIOS Console n/a admin Admin AWARD BIOS Console n/a alfarome Admin AWARD BIOS Console n/a aLLy Admin AWARD BIOS Console n/a aPAf Admin AWARD BIOS Console n/a award Admin AWARD BIOS Console n/a AWARD SW Admin AWARD BIOS Console n/a award.sw Admin AWARD BIOS Console n/a award_? Admin AWARD BIOS Console n/a award_ps Admin AWARD BIOS Console n/a AWARD_PW Admin AWARD BIOS Console n/a awkward Admin AWARD BIOS Console n/a BIOS Admin AWARD BIOS Console n/a biosstar Admin AWARD BIOS Console n/a biostar Admin AWARD BIOS Console n/a CONCAT Admin AWARD BIOS Console n/a condo Admin AWARD BIOS Console n/a CONDO Admin AWARD BIOS Console n/a CONDO, Admin AWARD BIOS Console n/a djonet Admin AWARD BIOS Console n/a efmukl Admin AWARD BIOS Console n/a g6PJ Admin AWARD BIOS Console n/a h6BB Admin AWARD BIOS Console n/a HELGA-S Admin AWARD BIOS Console n/a HEWITT RAND Admin AWARD BIOS Console n/a HLT Admin AWARD BIOS Console n/a j09F Admin AWARD BIOS Console n/a j322 Admin AWARD BIOS Console n/a j64 Admin AWARD BIOS Console n/a lkw peter Admin AWARD BIOS Console n/a lkwpeter Admin AWARD BIOS Console n/a PASSWORD Admin AWARD BIOS Console n/a SER Admin AWARD BIOS Console n/a setup Admin AWARD BIOS Console n/a SKY_FOX Admin AWARD BIOS Console n/a SWITCHES_SW Admin AWARD BIOS Console n/a Sxyz Admin AWARD BIOS Console n/a SZYX Admin AWARD BIOS Console n/a t0ch20x Admin AWARD BIOS Console n/a t0ch88 Admin AWARD BIOS Console n/a TTPTHA Admin AWARD BIOS Console n/a TzqF Admin AWARD BIOS Console n/a wodj Admin AWARD BIOS Console n/a ZAAADA Admin AWARD BIOS Console n/a zbaaaca Admin AWARD BIOS Console n/a zjaaadc Admin Axis NETCAM 200/240 root pass Bay Networks Router Manager (none) Admin Bay Networks Router User (none) User Bay Networks SuperStack II security security Admin Bay Networks Switch 350T n/a NetICs Admin Biostar BIOS Console n/a Biostar Admin Biostar BIOS Console n/a Q54arwms Admin Breezecom Breezecom Adapters 4.x n/a Super Breezecom Breezecom Adapters 3.x n/a Master Breezecom Breezecom Adapters 2.x n/a laflaf Cayman Cayman DSL n/a (none) Admin Cisco IOS cisco cisco Cisco IOS enable cisco IOS technically has no "default pw' Cisco IOS 2600 series n/a c but these are common misconfigurations Cisco IOS n/a cc Cisco IOS n/a cisco Cisco IOS n/a Cisco router Cisco CiscoWorks 2000 guest (none) User Cisco CiscoWorks 2000 admin cisco Admin Cisco ConfigMaker cmaker cmaker Admin Compaq BIOS n/a Compaq Admin Concord BIOS n/a last Admin Crystalview OutsideView 32 Crystal Admin CTX International BIOS n/a CTX_123 Admin CyberMax BIOS n/a Congress Admin Daewoo BIOS n/a Daewuu Admin Datacom BSASX/101 n/a letmein Admin Daytek BIOS n/a Daytec Admin Dell BIOS n/a Dell Admin Develcon Orbitor Default Console n/a BRIDGE Admin Develcon Orbitor Default Console n/a password Admin Dictaphone ProLog NETOP (none) Dictaphone ProLog NETWORK NETWORK Dictaphone ProLog PBX PBX Digicorp Router n/a BRIDGE Admin Digicorp Router n/a password Admin Digital Equipment BIOS n/a komprie Admin Digital Equipment DEC-10 1 syslib Admin Digital Equipment DEC-10 1 operator Admin Digital Equipment DEC-10 1 manager Admin Digital Equipment DEC-10 2 maintain Admin Digital Equipment DEC-10 2 syslib Admin Digital Equipment DEC-10 2 manager Admin Digital Equipment DEC-10 2 operator Admin Digital Equipment DEC-10 30 games User Digital Equipment DEC-10 5 games User Digital Equipment DEC-10 7 maintain User Digital Equipment DecServer n/a ACCESS Admin Digital Equipment DecServer n/a SYSTEM Admin Digital Equipment IRIS Multi accounting accounting Admin Digital Equipment IRIS Multi boss boss Admin Digital Equipment IRIS Multi demo demo User Digital Equipment IRIS Multi manager manager Admin Digital Equipment IRIS Multi PDP11 PDP11 User Digital Equipment IRIS Multi PDP8 PDP8 User Digital Equipment IRIS Multi software software User Digital Equipment RSX 1,1 SYSTEM Admin Digital Equipment RSX BATCH BATCH User Digital Equipment RSX SYSTEM MANAGER Admin Digital Equipment RSX SYSTEM SYSTEM Admin Digital Equipment RSX USER USER User Digital Equipment Terminal Server Port 7000 n/a access User Digital Equipment Terminal Server Port 7000 n/a system Admin Digital Equipment VMS Multi ALLIN1 ALLIN1 Digital Equipment VMS Multi ALLIN1MAIL ALLIN1MAIL Digital Equipment VMS Multi ALLINONE ALLINONE Digital Equipment VMS Multi BACKUP BACKUP Digital Equipment VMS Multi DCL DCL Digital Equipment VMS Multi DECMAIL DECMAIL Digital Equipment VMS Multi DECNET DECNET Digital Equipment VMS Multi DECNET NONPRIV Digital Equipment VMS Multi DECNET DECNET Digital Equipment VMS Multi DEFAULT USER Digital Equipment VMS Multi DEFAULT DEFAULT Digital Equipment VMS Multi DEMO DEMO Digital Equipment VMS Multi FIELD FIELD Digital Equipment VMS Multi FIELD SERVICE Digital Equipment VMS Multi FIELD TEST Digital Equipment VMS Multi FIELD DIGITAL Digital Equipment VMS Multi GUEST GUEST Digital Equipment VMS Multi HELP HELP Digital Equipment VMS Multi HELPDESK HELPDESK Digital Equipment VMS Multi HOST HOST Digital Equipment VMS Multi HOST HOST Digital Equipment VMS Multi INFO INFO Digital Equipment VMS Multi INGRES INGRES Digital Equipment VMS Multi LINK LINK Digital Equipment VMS Multi MAILER MAILER Digital Equipment VMS Multi MBMANAGER MBMANAGER Digital Equipment VMS Multi MBWATCH MBWATCH Digital Equipment VMS Multi NETCON NETCON Digital Equipment VMS Multi NETMGR NETMGR Digital Equipment VMS Multi NETNONPRIV NETNONPRIV Digital Equipment VMS Multi NETPRIV NETPRIV Digital Equipment VMS Multi NETSERVER NETSERVER Digital Equipment VMS Multi NETSERVER NETSERVER Digital Equipment VMS Multi NETWORK NETWORK Digital Equipment VMS Multi NEWINGRES NEWINGRES Digital Equipment VMS Multi NEWS NEWS Digital Equipment VMS Multi OPERVAX OPERVAX Digital Equipment VMS Multi POSTMASTER POSTMASTER Digital Equipment VMS Multi PRIV PRIV Digital Equipment VMS Multi REPORT REPORT Digital Equipment VMS Multi RJE RJE Digital Equipment VMS Multi STUDENT STUDENT Digital Equipment VMS Multi SYS SYS Digital Equipment VMS Multi SYSMAINT SYSMAINT Digital Equipment VMS Multi SYSMAINT SERVICE Digital Equipment VMS Multi SYSMAINT DIGITAL Digital Equipment VMS Multi SYSTEM SYSTEM Digital Equipment VMS Multi SYSTEM MANAGER Digital Equipment VMS Multi SYSTEM OPERATOR Digital Equipment VMS Multi SYSTEM SYSLIB Digital Equipment VMS Multi SYSTEST UETP Digital Equipment VMS Multi SYSTEST_CLIG SYSTEST_CLIG Digital Equipment VMS Multi SYSTEST_CLIG SYSTEST Digital Equipment VMS Multi TELEDEMO TELEDEMO Digital Equipment VMS Multi TEST TEST Digital Equipment VMS Multi UETP UETP Digital Equipment VMS Multi USER PASSWORD Digital Equipment VMS Multi USERP USERP Digital Equipment VMS Multi VAX VAX Digital Equipment VMS Multi VMS VMS Dynix Library Systems Dynix circ User Dynix Library Systems Dynix LIBRARY (none) User Dynix Library Systems Dynix SETUP (none) Admin Efficient Speedstream DSL n/a admin Admin Enox BIOS Console n/a xo11nE Admin Epox BIOS Console n/a central Admin Ericsson Ericsson Acc netman netman Flowpoint Flowpoint DSL admin admin Admin Freetech BIOS Console n/a Posterie Admin Galacticomm Major BBS Multi Sysop Sysop Admin Hewlett-Packard HP 2000/3000 MPE/xx ADVMAIL HPOFFICE,DATA Hewlett-Packard HP 2000/3000 MPE/xx ADVMAIL HP Hewlett-Packard HP 2000/3000 MPE/xx FIELD SUPPORT Hewlett-Packard HP 2000/3000 MPE/xx FIELD MGR Hewlett-Packard HP 2000/3000 MPE/xx FIELD SERVICE Hewlett-Packard HP 2000/3000 MPE/xx FIELD MANAGER Hewlett-Packard HP 2000/3000 MPE/xx FIELD HPP187,SYS Hewlett-Packard HP 2000/3000 MPE/xx FIELD LOTUS Hewlett-Packard HP 2000/3000 MPE/xx FIELD HPWORD,PUB Hewlett-Packard HP 2000/3000 MPE/xx FIELD HPONLY Hewlett-Packard HP 2000/3000 MPE/xx HELLO MANAGER.SYS Hewlett-Packard HP 2000/3000 MPE/xx HELLO MGR.SYS Hewlett-Packard HP 2000/3000 MPE/xx HELLO FIELD.SUPPORT Hewlett-Packard HP 2000/3000 MPE/xx HELLO OP.OPERATOR Hewlett-Packard HP 2000/3000 MPE/xx MAIL MAIL Hewlett-Packard HP 2000/3000 MPE/xx MAIL REMOTE Hewlett-Packard HP 2000/3000 MPE/xx MAIL TELESUP Hewlett-Packard HP 2000/3000 MPE/xx MAIL HPOFFICE Hewlett-Packard HP 2000/3000 MPE/xx MAIL MPE Hewlett-Packard HP 2000/3000 MPE/xx MANAGER TCH Hewlett-Packard HP 2000/3000 MPE/xx MANAGER SYS Hewlett-Packard HP 2000/3000 MPE/xx MANAGER SECURITY Hewlett-Packard HP 2000/3000 MPE/xx MANAGER ITF3000 Hewlett-Packard HP 2000/3000 MPE/xx MANAGER HPOFFICE Hewlett-Packard HP 2000/3000 MPE/xx MANAGER COGNOS Hewlett-Packard HP 2000/3000 MPE/xx MANAGER TELESUP Hewlett-Packard HP 2000/3000 MPE/xx MGE VESOFT Hewlett-Packard HP 2000/3000 MPE/xx MGE VESOFT Hewlett-Packard HP 2000/3000 MPE/xx MGR SYS Hewlett-Packard HP 2000/3000 MPE/xx MGR CAROLIAN Hewlett-Packard HP 2000/3000 MPE/xx MGR VESOFT Hewlett-Packard HP 2000/3000 MPE/xx MGR XLSERVER Hewlett-Packard HP 2000/3000 MPE/xx MGR SECURITY Hewlett-Packard HP 2000/3000 MPE/xx MGR TELESUP Hewlett-Packard HP 2000/3000 MPE/xx MGR HPDESK Hewlett-Packard HP 2000/3000 MPE/xx MGR CCC Hewlett-Packard HP 2000/3000 MPE/xx MGR CNAS Hewlett-Packard HP 2000/3000 MPE/xx MGR WORD Hewlett-Packard HP 2000/3000 MPE/xx MGR COGNOS Hewlett-Packard HP 2000/3000 MPE/xx MGR ROBELLE Hewlett-Packard HP 2000/3000 MPE/xx MGR HPOFFICE Hewlett-Packard HP 2000/3000 MPE/xx MGR HPONLY Hewlett-Packard HP 2000/3000 MPE/xx MGR HPP187 Hewlett-Packard HP 2000/3000 MPE/xx MGR HPP189 Hewlett-Packard HP 2000/3000 MPE/xx MGR HPP196 Hewlett-Packard HP 2000/3000 MPE/xx MGR INTX3 Hewlett-Packard HP 2000/3000 MPE/xx MGR ITF3000 Hewlett-Packard HP 2000/3000 MPE/xx MGR NETBASE Hewlett-Packard HP 2000/3000 MPE/xx MGR REGO Hewlett-Packard HP 2000/3000 MPE/xx MGR RJE Hewlett-Packard HP 2000/3000 MPE/xx MGR CONV Hewlett-Packard HP 2000/3000 MPE/xx OPERATOR SYS Hewlett-Packard HP 2000/3000 MPE/xx OPERATOR DISC Hewlett-Packard HP 2000/3000 MPE/xx OPERATOR SYSTEM Hewlett-Packard HP 2000/3000 MPE/xx OPERATOR SUPPORT Hewlett-Packard HP 2000/3000 MPE/xx OPERATOR COGNOS Hewlett-Packard HP 2000/3000 MPE/xx PCUSER SYS Hewlett-Packard HP 2000/3000 MPE/xx RSBCMON SYS Hewlett-Packard HP 2000/3000 MPE/xx SPOOLMAN HPOFFICE Hewlett-Packard HP 2000/3000 MPE/xx WP HPOFFICE Hewlett-Packard Vectra Console n/a hewlpack Admin IBM AIX Multi guest (none) User IBM AIX Multi guest guest User IBM BIOS Console n/a IBM Admin IBM BIOS Console n/a MBIU0 Admin IBM BIOS Console n/a sertafu Admin IBM OS/400 Multi ibm password IBM OS/400 Multi ibm 2222 IBM OS/400 Multi ibm service IBM OS/400 Multi qpgmr qpgmr IBM OS/400 Multi qsecofr qsecofr IBM OS/400 Multi qsecofr 11111111 IBM OS/400 Multi qsecofr 22222222 IBM OS/400 Multi qserv qserv IBM OS/400 Multi qsvr qsvr IBM OS/400 Multi qsvr ibmcel IBM OS/400 Multi qsysopr qsysopr IBM OS/400 Multi secofr secofr IBM POS CMOS Console ESSEX IBM POS CMOS Console IPC IBM VM/CMS Multi $ALOC$ (none) IBM VM/CMS Multi ADMIN (none) IBM VM/CMS Multi AP2SVP (none) IBM VM/CMS Multi APL2PP (none) IBM VM/CMS Multi AUTOLOG1 (none) IBM VM/CMS Multi BATCH (none) IBM VM/CMS Multi BATCH1 (none) IBM VM/CMS Multi BATCH2 (none) IBM VM/CMS Multi CCC (none) IBM VM/CMS Multi CMSBATCH (none) IBM VM/CMS Multi CMSUSER (none) IBM VM/CMS Multi CPNUC (none) IBM VM/CMS Multi CPRM (none) IBM VM/CMS Multi CSPUSER (none) IBM VM/CMS Multi CVIEW (none) IBM VM/CMS Multi DATAMOVE (none) IBM VM/CMS Multi DEMO1 (none) IBM VM/CMS Multi DEMO2 (none) IBM VM/CMS Multi DEMO3 (none) IBM VM/CMS Multi DEMO4 (none) IBM VM/CMS Multi DIRECT (none) IBM VM/CMS Multi DIRMAINT (none) IBM VM/CMS Multi DISKCNT (none) IBM VM/CMS Multi EREP (none) IBM VM/CMS Multi FSFADMIN (none) IBM VM/CMS Multi FSFTASK1 (none) IBM VM/CMS Multi FSFTASK2 (none) IBM VM/CMS Multi GCS (none) IBM VM/CMS Multi IDMS (none) IBM VM/CMS Multi IDMSSE (none) IBM VM/CMS Multi IIPS (none) IBM VM/CMS Multi IPFSERV (none) IBM VM/CMS Multi ISPVM (none) IBM VM/CMS Multi IVPM1 (none) IBM VM/CMS Multi IVPM2 (none) IBM VM/CMS Multi MAINT (none) IBM VM/CMS Multi MOESERV (none) IBM VM/CMS Multi NEVIEW (none) IBM VM/CMS Multi OLTSEP (none) IBM VM/CMS Multi OP1 (none) IBM VM/CMS Multi OPERATNS (none) IBM VM/CMS Multi OPERATOR (none) IBM VM/CMS Multi PDMREMI (none) IBM VM/CMS Multi PENG (none) IBM VM/CMS Multi PROCAL (none) IBM VM/CMS Multi PRODBM (none) IBM VM/CMS Multi PROMAIL (none) IBM VM/CMS Multi PSFMAINT (none) IBM VM/CMS Multi PVM (none) IBM VM/CMS Multi RDM470 (none) IBM VM/CMS Multi ROUTER (none) IBM VM/CMS Multi RSCS (none) IBM VM/CMS Multi RSCSV2 (none) IBM VM/CMS Multi SAVSYS (none) IBM VM/CMS Multi SFCMI (none) IBM VM/CMS Multi SFCNTRL (none) IBM VM/CMS Multi SMART (none) IBM VM/CMS Multi SQLDBA (none) IBM VM/CMS Multi SQLUSER (none) IBM VM/CMS Multi SYSADMIN (none) IBM VM/CMS Multi SYSCKP (none) IBM VM/CMS Multi SYSDUMP1 (none) IBM VM/CMS Multi SYSERR (none) IBM VM/CMS Multi SYSWRM (none) IBM VM/CMS Multi TDISK (none) IBM VM/CMS Multi TEMP (none) IBM VM/CMS Multi TSAFVM (none) IBM VM/CMS Multi VASTEST (none) IBM VM/CMS Multi VM3812 (none) IBM VM/CMS Multi VMARCH (none) IBM VM/CMS Multi VMASMON (none) IBM VM/CMS Multi VMASSYS (none) IBM VM/CMS Multi VMBACKUP (none) IBM VM/CMS Multi VMBSYSAD (none) IBM VM/CMS Multi VMMAP (none) IBM VM/CMS Multi VMTAPE (none) IBM VM/CMS Multi VMTLIBR (none) IBM VM/CMS Multi VMUTIL (none) IBM VM/CMS Multi VSEIPO (none) IBM VM/CMS Multi VSEMAINT (none) IBM VM/CMS Multi VSEMAN (none) IBM VM/CMS Multi VTAM (none) IBM VM/CMS Multi VTAMUSER (none) Intel Shiva Guest (none) User Intel Shiva root (none) Admin Iwill BIOS Console n/a iwill Admin JetWay BIOS Console n/a spooml Admin Joss Technology BIOS Console n/a 57gbzb Admin Joss Technology BIOS Console n/a technolgi Admin Lantronics Lantronics Terminal Server TCP 7000 n/a access Admin Lantronics Lantronics Terminal Server TCP 7000 n/a system Admin Leading Edge BIOS Console n/a MASTER Admin Linksys Linksys DSL n/a admin Admin Linux Slackware Multi gonzo (none) User Linux Slackware Multi satan (none) User Linux Slackware Multi snake (none) User Linux UCLinux for UCSIMM Multi root uClinux Admin Livingston Livingston Portmaster 3 !root (none) Lucent System 75 bciim bciimpw Lucent System 75 bcim bcimpw Lucent System 75 bcms bcmspw Lucent System 75 bcms bcmspw Lucent System 75 bcnas bcnaspw Lucent System 75 blue bluepw Lucent System 75 browse browsepw Lucent System 75 browse looker Lucent System 75 craft craft Lucent System 75 craft craftpw Lucent System 75 craft craftpw Lucent System 75 cust custpw Lucent System 75 enquiry enquirypw Lucent System 75 field support Lucent System 75 inads indspw Lucent System 75 inads indspw Lucent System 75 inads inads Lucent System 75 init initpw Lucent System 75 locate locatepw Lucent System 75 maint maintpw Lucent System 75 maint rwmaint Lucent System 75 nms nmspw Lucent System 75 rcust rcustpw Lucent System 75 support supportpw Lucent System 75 tech field M Technology BIOS Console n/a mMmM Admin MachSpeed BIOS Console n/a sp99dd Admin Magic-Pro BIOS Console n/a prost Admin Megastar BIOS Console n/a star Admin Mentec Micro/RSX MICRO RSX Admin Micron BIOS Console n/a sldkj754 Admin Micron BIOS Console n/a xyzall Admin Micronics BIOS Console n/a dn_04rjc Admin Microsoft Windows NT Multi (null) (none) User "Redbutton Hole" Microsoft Windows NT Multi Administrator Administrator Admin Microsoft Windows NT Multi Administrator (none) Admin Microsoft Windows NT Multi Guest Guest User Microsoft Windows NT Multi Guest (none) User Microsoft Windows NT Multi IS_$hostname (same) User hostname = your server name Microsoft Windows NT Multi User User User Mintel Mintel PBX n/a SYSTEM Admin Motorola Motorola Cablerouter cablecom router Admin NCR NCR UNIX Multi ncrm ncrm Admin Netopia Netopia 7100 (none) (none) Netopia Netopia 9500 netopia netopia NeXT NeXTStep Multi me (none) User NeXT NeXTStep Multi root NeXT Admin NeXT NeXTStep Multi signa signa User Nimble BIOS Console n/a xdfk9874t3 Admin Nortel Meridian PBX Serial login 0000 AUTH codes in LD 8 Nortel Meridian PBX Serial spcl 0000 AUTH codes in LD 8 Novell Netware Multi ADMIN ADMIN Novell Netware Multi ADMIN (none) Novell Netware Multi ARCHIVIST (none) Novell Netware Multi ARCHIVIST ARCHIVIST Novell Netware Multi BACKUP (none) Novell Netware Multi BACKUP BACKUP Novell Netware Multi CHEY_ARCHSVR CHEY_ARCHSVR Novell Netware Multi CHEY_ARCHSVR (none) Novell Netware Multi FAX FAX Novell Netware Multi FAX (none) Novell Netware Multi FAXUSER FAXUSER Novell Netware Multi FAXUSER (none) Novell Netware Multi FAXWORKS (none) Novell Netware Multi FAXWORKS FAXWORKS Novell Netware Multi GATEWAY GATEWAY Novell Netware Multi GATEWAY GATEWAY Novell Netware Multi GATEWAY (none) Novell Netware Multi GUEST TSEUG Novell Netware Multi GUEST GUESTGUEST Novell Netware Multi GUEST GUESTGUE Novell Netware Multi GUEST GUEST Novell Netware Multi GUEST (none) Novell Netware Multi HPLASER (none) Novell Netware Multi HPLASER HPLASER Novell Netware Multi LASER (none) Novell Netware Multi LASER LASER Novell Netware Multi LASERWRITER LASERWRITER Novell Netware Multi LASERWRITER (none) Novell Netware Multi MAIL (none) Novell Netware Multi MAIL MAIL Novell Netware Multi POST (none) Novell Netware Multi POST POST Novell Netware Multi PRINT (none) Novell Netware Multi PRINT PRINT Novell Netware Multi PRINTER (none) Novell Netware Multi PRINTER PRINTER Novell Netware Multi ROOT (none) Novell Netware Multi ROOT ROOT Novell Netware Multi ROUTER (none) Novell Netware Multi SABRE (none) Novell Netware Multi SUPERVISOR NETFRAME Novell Netware Multi SUPERVISOR NFI Novell Netware Multi SUPERVISOR NF Novell Netware Multi SUPERVISOR HARRIS Novell Netware Multi SUPERVISOR SUPERVISOR Novell Netware Multi SUPERVISOR (none) Novell Netware Multi SUPERVISOR SYSTEM Novell Netware Multi TEST TEST Novell Netware Multi TEST (none) Novell Netware Multi USER_TEMPLATE (none) Novell Netware Multi USER_TEMPLATE USER_TEMPLATE Novell Netware Multi WANGTEK (none) Novell Netware Multi WANGTEK WANGTEK Novell Netware Multi WINDOWS_PASSTHRU WINDOWS_PASSTHRU Novell Netware Multi WINDOWS_PASSTHRU (none) Novell Netware Multi WINSABRE SABRE Novell Netware Multi WINSABRE WINSABRE Nurit NOS $system (none) Admin Osicom Osicom Plus T1/PLUS 56k write private Osicom NETPrint 1000E/NDS Telnet sysadm sysadm Admin Osicom NETPrint 1500E/N Telnet sysadm sysadm Admin Osicom NETPrint 2000E/N Telnet sysadm sysadm Admin Osicom NETPrint 1000E/B Telnet sysadm sysadm Admin Osicom NETPrint 2000E/B Telnet sysadm sysadm Admin Osicom NETPrint 1000E/N Telnet sysadm sysadm Admin Osicom NETPrint 2000E/N Telnet sysadm sysadm Admin Osicom NETPrint 1000 T/B Telnet sysadm sysadm Admin Osicom NETPrint 2000 T/B Telnet sysadm sysadm Admin Osicom NETPrint 1000 T/N Telnet sysadm sysadm Admin Osicom NETPrint 2000 T/N Telnet sysadm sysadm Admin Osicom NETPrint 1500 E/B Telnet sysadm sysadm Admin Osicom NETPrint 1500E/N Telnet sysadm sysadm Admin Osicom NETPrint 1500T/N Telnet sysadm sysadm Admin Osicom NETPrint 1000E/D Telnet sysadm sysadm Admin Osicom NETPrint 500 E/B Telnet sysadm sysadm Admin Osicom NETPrint 500 E/N Telnet sysadm sysadm Admin Osicom NETPrint 500 T/B Telnet sysadm sysadm Admin Osicom NETPrint 500 T/N Telnet sysadm sysadm Admin Osicom NETCommuter Remote Access Server Telnet sysadm sysadm Admin Osicom JETXPrint 1000E/B Telnet sysadm sysadm Admin Osicom JETXPrint 1000E/N Telnet sysadm sysadm Admin Osicom JETXPrint 1000T/N Telnet sysadm sysadm Admin Osicom JETXPrint 500 E/B Telnet sysadm sysadm Admin Osicom NETCommuter Remote Access Server Telnet Manager Manager Admin Osicom NETCommuter Remote Access Server Telnet guest guest User Osicom NETCommuter Remote Access Server Telnet echo echo User Osicom NETCommuter Remote Access Server Telnet debug d.e.b.u.g User Osicom NETPrint 1500 E/B Telnet Manager Manager Admin Osicom NETPrint 1500 E/B Telnet guest guest User Osicom NETPrint 1500 E/B Telnet echo echo User Osicom NETPrint 1500 E/B Telnet debug d.e.b.u.g User Osicom NETPrint 1000E/D Telnet Manager Manager Admin Osicom NETPrint 1000E/D Telnet guest guest User Osicom NETPrint 1000E/D Telnet echo echo User Osicom NETPrint 1000E/D Telnet debug d.e.b.u.g User Osicom NETPrint 1000E/NDS Telnet Manager Manager Admin Osicom NETPrint 1000E/NDS Telnet guest guest User Osicom NETPrint 1000E/NDS Telnet echo echo User Osicom NETPrint 1000E/NDS Telnet debug d.e.b.u.g User Osicom NETPrint 1500E/N Telnet Manager Manager Admin Osicom NETPrint 1500E/N Telnet guest guest User Osicom NETPrint 1500E/N Telnet echo echo User Osicom NETPrint 1500E/N Telnet debug d.e.b.u.g User Osicom NETPrint 2000E/N Telnet Manager Manager Admin Osicom NETPrint 2000E/N Telnet guest guest User Osicom NETPrint 2000E/N Telnet echo echo User Osicom NETPrint 2000E/N Telnet debug d.e.b.u.g User Packard Bell BIOS Console n/a bell9 Admin Prime PrimeOS Multi guest guest User Prime PrimeOS Multi guest1 guest User Prime PrimeOS Multi guest1 guest1 User Prime PrimeOS Multi mail mail User Prime PrimeOS Multi mfd mfd User Prime PrimeOS Multi netlink netlink User Prime PrimeOS Multi prime prime User Prime PrimeOS Multi primenet primenet User Prime PrimeOS Multi primenet primeos User Prime PrimeOS Multi primos_cs primos User Prime PrimeOS Multi primos_cs prime User Prime PrimeOS Multi system prime Admin Prime PrimeOS Multi system system Admin Prime PrimeOS Multi tele tele User Prime PrimeOS Multi test test User QDI BIOS Console n/a QDI Admin QDI SpeedEasy BIOS Console n/a lesarotl Admin Quantex BIOS Console n/a teX1 Admin Quantex BIOS Console n/a xljlbj Admin Radio Shack Radio Shack Screen Saver Console n/a RS User Ramp Networks WebRamp wradmin trancell Research BIOS Console n/a Col2ogro2 Admin Semaphore PICK O/S DESQUETOP Semaphore PICK O/S DS Semaphore PICK O/S DSA Semaphore PICK O/S PHANTOM Shuttle BIOS n/a Spacve Admin Siemens PhoneMail poll tech Siemens PhoneMail sysadmin sysadmin Siemens PhoneMail tech tech Siemens ROLM PBX admin pwp Siemens ROLM PBX eng engineer Siemens ROLM PBX op op Siemens ROLM PBX op operator Siemens ROLM PBX su super Siemens Nixdorf BIOS Console n/a SKY_FOX Admin Silicon Graphics IRIX Multi 4Dgifts 4Dgifts Admin Silicon Graphics IRIX Multi 4Dgifts (none) Admin Silicon Graphics IRIX Multi demos (none) Admin Silicon Graphics IRIX Multi Ezsetup (none) Admin Silicon Graphics IRIX Multi field field Admin Silicon Graphics IRIX Multi OutOfBox (none) Admin Silicon Graphics IRIX Multi tour tour Admin Silicon Graphics IRIX Multi tutor (none) Admin Silicon Graphics IRIX Multi tutor tutor Admin SuperMicro BIOS Console n/a ksdjfg934t Admin Taco Bell Proprietary System (?) rgm rollout Taco Bell Proprietary System (?) tacobell (none) Tinys BIOS Console n/a tiny Admin TMC BIOS Console n/a BIGO Admin Toshiba BIOS Console n/a 24Banc81 Admin Toshiba BIOS Console n/a Toshiba Admin Toshiba BIOS Console n/a toshy99 Admin UNIX Generic Multi adm adm UNIX Generic Multi adm (none) UNIX Generic Multi admin admin UNIX Generic Multi administrator administrator UNIX Generic Multi administrator (none) UNIX Generic Multi anon anon UNIX Generic Multi bbs bbs UNIX Generic Multi bbs (none) UNIX Generic Multi bin sys UNIX Generic Multi bin sys UNIX Generic Multi checkfs checkfs UNIX Generic Multi checkfsys checkfsys UNIX Generic Multi checksys checksys UNIX Generic Multi daemon daemon UNIX Generic Multi daemon (none) UNIX Generic Multi demo demo UNIX Generic Multi demo (none) UNIX Generic Multi demos demos UNIX Generic Multi demos (none) UNIX Generic Multi dni (none) UNIX Generic Multi dni dni UNIX Generic Multi fal (none) UNIX Generic Multi fal fal UNIX Generic Multi fax (none) UNIX Generic Multi fax fax UNIX Generic Multi ftp (none) UNIX Generic Multi ftp ftp UNIX Generic Multi games games UNIX Generic Multi games (none) UNIX Generic Multi gopher gopher UNIX Generic Multi gropher (none) UNIX Generic Multi guest guest UNIX Generic Multi guest guestgue UNIX Generic Multi guest (none) UNIX Generic Multi halt halt UNIX Generic Multi halt (none) UNIX Generic Multi informix informix UNIX Generic Multi install install UNIX Generic Multi lp lp UNIX Generic Multi lp bin UNIX Generic Multi lp lineprin UNIX Generic Multi lp (none) UNIX Generic Multi lpadm lpadm UNIX Generic Multi lpadmin lpadmin UNIX Generic Multi lynx lynx UNIX Generic Multi lynx (none) UNIX Generic Multi mail (none) UNIX Generic Multi mail mail UNIX Generic Multi man man UNIX Generic Multi man (none) UNIX Generic Multi me (none) UNIX Generic Multi me me UNIX Generic Multi mountfs mountfs UNIX Generic Multi mountfsys mountfsys UNIX Generic Multi mountsys mountsys UNIX Generic Multi news news UNIX Generic Multi news (none) UNIX Generic Multi nobody (none) UNIX Generic Multi nobody nobody UNIX Generic Multi nuucp (none) UNIX Generic Multi operator operator UNIX Generic Multi operator (none) UNIX Generic Multi oracle (none) UNIX Generic Multi postmaster postmast UNIX Generic Multi postmaster (none) UNIX Generic Multi powerdown powerdown UNIX Generic Multi rje rje UNIX Generic Multi root root UNIX Generic Multi root (none) UNIX Generic Multi setup setup UNIX Generic Multi shutdown shutdown UNIX Generic Multi shutdown (none) UNIX Generic Multi sync sync UNIX Generic Multi sync (none) UNIX Generic Multi sys sys UNIX Generic Multi sys system UNIX Generic Multi sys bin UNIX Generic Multi sysadm sysadm UNIX Generic Multi sysadm admin UNIX Generic Multi sysadmin sysadmin UNIX Generic Multi sysbin sysbin UNIX Generic Multi system_admin (none) UNIX Generic Multi system_admin system_admin UNIX Generic Multi trouble trouble UNIX Generic Multi umountfs umountfs UNIX Generic Multi umountfsys umountfsys UNIX Generic Multi umountsys umountsys UNIX Generic Multi unix unix UNIX Generic Multi user user UNIX Generic Multi uucp uucp UNIX Generic Multi uucpadm uucpadm UNIX Generic Multi web (none) UNIX Generic Multi web web UNIX Generic Multi webmaster webmaster UNIX Generic Multi webmaster (none) UNIX Generic Multi www (none) UNIX Generic Multi www www Verifone Verifone Junior 2.05 (none) 166816 Vextrec Technology BIOS Console n/a Vextrex Vobis BIOS Console n/a merlin Wim Bervoets WIMBIOSnbsp BIOS Console n/a Compleri Admin WWWBoard WWWADMIN.PL HTTP WebAdmin WebBoard Admin Xyplex Routers Port 7000 n/a access User Xyplex Routers Port 7000 n/a system Admin Xyplex Terminal Server Port 7000 n/a access User Xyplex Terminal Server Port 7000 n/a system Admin Zenith BIOS Console n/a 3098z Admin Zenith BIOS Console n/a Zenith Admin ZEOS BIOS Console n/a zeosx Admin Zyxel Generic Routers n/a 1234 Admin "Credits toward collecting these default passwords go to the Security Focus VULN-DEV mailing list, and specifically to contributors such as: Roel of Temmingh, Nathan Einwechter , George Kurtz, Stephen Friedl, Sebastian Andersson, Jonathan Leto, Mike Blomgren, Knud Erik H0jgaard , Axel Dunkel, Mathias Bogaert, Jonatan Leto, Chris Owen, Jim Wildman, Santiago Zapata, Brian S. DuRoss, M J , Will Spencer, Kevin Reynolds, MaxVision, Bluefish, Runar Jensen, Ex Machina, Matt van Amsterdam, Daniel Monjar, Rodrigo Bardosa, Damir Rajnovic, and scores of others." --- .4ncifer manifest ; 001 ; 07.06-00 ************************************************************************ Since I first started learning about computers, I was amazed by this new culture, this select group of people. We are smart, clever, and hold true to our personal morals. Some people, I quickly learned after that, seem to take enjoyment from using what real hackers code. These 'script kiddies' bother me as much as the next hacker; they don't have these morals, the ethics of a true hacker. A hacker, in my personal opinion, is a person, a rebel, that uses their talents, gifts, and knowledge to commandeer more knowledge and skills to gain more knowledge and skills on top of that. They thrive by learning. They absorb, expand, and control. This control is what scares the 'others'. You've probably never heard of me. That's perfectly alright. Anonymity is just as sacred as popularity. I don't deface websites. I can, but I don't. I don't see the need. Maybe, someday, there will be, but neither my political -or- social demand such defacements. I reserve quick judgment upon people who do deface websites. They might have their reasons, and these motives show themselves in the defacements. People are entitled to their opinion, as much as I am mine, but the few (maybe most) who deface just to do it are pathetic. They may have the 'skillz' to achieve the defacement, but if there isn't any honor in the act, what does that show of the person committing it? True hackers have this honor. They simply learn to do so. I've witnessed people argue about how the media throws the term 'hacker' around. I agree that they don't use the term correctly, but they don't use the terms 'cracker' or 'phreak' plausibly either. Being a cracker does not denote a criminal, the same with a hacker. There are bad crackers & good crackers. There are bad hackers & good crackers. The media simply doesn't understand the whole picture. This culture of ours is too complex and volatile for the media to keep up. There are a few worthwhile hacker news sites. www.hackernews.com being the best in my opinion. We all desire knowledge. This we gain; whether legally or illegally. I think that it shouldn't be illegal if the server doesn't know you're there. Coming out of all of that, you may be a little confused. Never have I denoted even my existence upon the internet, except for this one time in which I get out my cents. I will know disappear again. I hope I have encouraged some people to become true hackers, not script kiddies. I hope I have discouraged the blatant use of web defacing. I hope I have encouraged actually having ethics and staying with them; they are all that define a person. I hope I have made a good impression with all who read this, and that those people thrive, not merely stay alive. As a leaving statement: "Learn to love to read, and you'll love to learn all the more. Then only comes experience, then, all the more, you'll score." --- Uhm, well, never to get high... I used to let a thin layer of elmer's school glue dry on my arm and peel it off like the aliens from that 80's sci-fi show "V" Intro ~~~~~ Internet Explorer 5, and the mail and news clients which come with it (on Win95/98/2K) are very strange in that they choose to ignore user input. More specifically, this allows us to manually force a file onto the target computer, despite all prompts and warnings. How can this be done? ~~~~~~~~~~~~~~~~~~~~~ We begin by creating a simple HTML FrameSet and embed, in base 64, our file: What happens? ~~~~~~~~~~~~~ What we do now is create a very simple HTML Mail or News file and send it to the target computer. When they receive this file, and open it, the recipient will be prompted as to whether they would like to "save" "open" or "cancel". None of these really work. When the recipient decides which one to choice, the files is being injected into the temp folder. Selecting any of the three choices becomes completely useless. The file is still delivered to the temp folder. Even if their system's "Security Zone" sets it to DISABLE, they just get a slightly different prompt which only allows you to press OK, and this is, once again, useless. No matter what, the file is delivered into the temp folder. So? What next? ~~~~~~~~~~~~~~ Well, next create a second file which contains a new ActiveX control: (CLSID:15589FA1-C456-11CE-BF01-00AA0055595A) Which allows us to execute files locally. We embed the simple JavaScripting that runs this together with the ActiveX control, in base 64, and embed that in a second html frame: Then we apply the VERY simple HTTP-EQUIV meta tag of refresh. and repack again in base64. What are the results? ~~~~~~~~~~~~~~~~~~~~~ The first file deposits the *.exe and second *.mhtml files into the temp directory. The client will be asked as to save, open, or cancel. No matter what choice they make, these files will be deposited as soon as the prompt has been close. The meta refresh will bounce to the *.mhtml in the temp dir, open it and execute the JavaScript and ActiveX control and run the *.exe. None of the Security Zone settings will prevent this because we are working locally from the temp directory. Now you want to do this over e-mail? ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Of course it can! You have a greater chance of failing though. Create two sets of html messages: The first one comprising of the file to be delivered: Note: to be executed from mail client. Simple *.bat containing @exit The second comprising of a fraudulent, manufactured *.url: Content-Type: application/octet-stream; name=3D"Microsoft TechNet Security.url" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename=3D"Microsoft TechNet Security.url" [DEFAULT] BASEURL=3DC:\WINDOWS\TEMP\refresh.bat [InternetShortcut] URL=3DC:\WINDOWS\TEMP\refresh.bat We include a fake link: .... The recipient will then be forced to entertain the fraudulent *.url -- You can get any local .exe to execute in IE by referring to it in the CODEBASE parameter of an ActiveX object tag. The CLASSID can be anything but all zeros. Here is a code snippet, courtesy of Dildog, which will execute calc.exe if it is in c:\windows\system32\ The other problem is the fact that .exe files can get downloaded to your local system without you being able to cancel the operation. I tested the malware exploit on win98 with medium security settings (the default) and it worked as promised. But what was far worse was it worked at the high security setting also. A warning message came up saying "Due to your security settings you cannot download that file." You press OK and the file is downloaded anyway. Then it executes when used as the codebase of an ActiveX control. The demo exploit won't work in W2K because the temp directory where the .exe is downloaded to is "c:\documents and settings\'username'\local settings\temp". If it is possible to get the username through JavaScript and another ActiveX control it could possibly be made to work there also. I hope you enjoyed this file and find it useful. It's early in the morning/late at night so I'm kinda burnt. The Non-Existent Crew rocks! Where proud to be Canadian eh! -- PsychoSpy PsychoSpy@softhome.net ICQ#: 5057653 --- RADIO DIRECTION FINDING WITH PCS/GSM MOBILE TERMINALS Bunny Hunting the Cell Towers by wargames --== RDF Theory ==-- "Blah blah blah Ginger! Blah blah. Blah blah blah blah! Blah Ginger!"[1] If you want something about RDF theory, I suppose I can cook something together, but I'm sure you'd prefer just to get some useful HowTo info. --== RDF on ClearNET CDMA (Sony CMB1207) ==-- Once in field service mode, the display shows the cell number (PN Offset) and signal strength. No usable signal and the weakest usable signal are displayed as 0x80 and the strongest normally encountered signal will be shown as 0xFF. Beyond the normal range, the meter will wrap around to the range 0x00 to 0x7F. Power levels in this range indicate the base station is less than 150m away from the handset. Clearnet's cell sites are usually configured with 3 cells per tower. Cells are separated by a PseudoNoise Offset (cell-specific CDMA channel code) of 168, and are nominally 120 degrees apart. Repeaters will most likely look like odd cells. Circling the tower, 2 of the offsets will be related, while one is way out to lunch and has a very narrow (and far-reaching corridor). Geckobeach [2] reports that Clearnet orients their towers with the middle PN offset facing south - There is evidence that in Edmonton (in the southeast and downtown areas at least) the middle offset faces east. This may not hold true in all places - verify the orientation of the PN offsets with the angle of the cells and a compass. This pattern of fixing PN offset direction makes cell hunting quite simple. Look for a transition of 'L=H-336' or 'H=L+336'. The L->H transition indicates that, for a northbound observer, the cell is located on a west vector +/-5deg. Cells aren't perfect radiators - they do spill over somewhat. In a worst-case scenario, at the intersection of 3 towers' coverage, "thrashing", (fast random or circular handoffs) may occur as 6 antennae pick up a handset in their zone. Oscillation between 2 PN offsets is a sure sign of having found a cell boundary. Follow it home and tag it. H-L transitions for a southbound observer obviously indicates a cell to the east. Repeater behaviour is not clearly defined. --== RDF on MicroCell GSM (N5190 v5.81 ) ==-- In their infinite cleverness, Nokia's engineers put the required data displays on different screens. This is mostly a minor inconvenience, since the 5190's test mode shows far more infomation than the Qualcomm digital engine in the Sony handset. The information requred to trace cells is located on screens 3 and 11, with some useful tidbits found on 4 and 1. Screen 3 shows signal strength and control channel numbers for the currently serving cell, along with it's 2 nearest neighbours. Screen 11 gives CGI (Cell Global Identity) information. Screen 4 continues the nearest neighbour display, allowing us to predict which cells it is possible for us to move into, and the timing advance parameter on screen 1 offers clues to the distance from the base station. screen 1 3 4 11 L1 533 -72 xxx 533 27-72 27 516 6-93 6 CC:302 NC37? L2 0 1 x xxxx 523 15-84 15 513 2-96 2 LAC: 3100 L3 27 27 536 13-86 13 515 -1100 -1 CH : 533 L4 CCCH N N N N N CID: 10063 When interpreted as MCC:MNC:LAC:CID, the format of the CGI data resembles, in no small way, the numbering conventions used for ethernet addresses. In fact the CGI number is globally unique to that antenna. The first to fields are the Country Code and Network Code. These are an assigned prefix, and the latter 2 fields are essentially a manufacturer / operator serial number. Just as there can be many ethernet cards whose MAC addresses end in 'C0:FF:EE', there can be many cells whose LAC/CID pair is 1264/8430. The ethernet analogy remains appropriate when considering the base station as a router. A computer can (and often does) have multiple network adaptors, so does a base station - each cell can be cosidered to be a NIC. The 5190's data display is unique in that it diplays, for each control channel, 2 numbers RxL and PLCC (Receive Level and Path Loss Compensation Coeffiecient) such that PLCC-RxL=99. The list of neighbourly cells is sorted by signal strength, thus making a relatively easy job of predicting the which cell will be the next service cell. Screen 3 may be the most useful for finding the tower, but screen 11 is where the actual tower ID is. Do not be fooled by the control channel ID - it is only a channel. It can and will change with network load. That said, control channel ID is the fastest way to find a cell. Whenever the control channel changes, compare the old and new values to see if they indicate a new cell or merely a new channel. If a new cell seems more probable, verify this on screen 11. Apparently MicroCell orients their cells in the shape of a capital 'Y', numbered 1-3 clockwise from the southeast sector. (I'll have to verify that - Edmonton seems to be wierd for cell configs.) Screens 4 and 5 are more neighbours. Likely, you won't need to use their information, except maybe to bootstrap your seach. GSM is a time-sensitive protocol. To compensate for distance from the tower, the network can direct the phone to transmit sooner, rather than later. This is shown in the timing advance paramaeter, found on screen 1, line 3, field 2. It varies between 0 ("is that a tower in your pocket or are you just happy to see me?") up to 63 (nearly a long-distance call). For what it's worth, the maximum radius of a GSM cell is 35km, due to this timing sensitivity. Thus, 1 unit of timing advance is approximately equal to being 550m from the tower. What with the size of cells in metro areas, it's doubtful that this value should ever go above 12. Nonetheless, it may serve as a useful way to check your work. --== RDF in action ==-- [image] Mapping begins by defining a "Base Point". This is a point on a map tagged with a vector approximating the direction of arrival of the signal. If this vector is copied and rotated 90 degrees and 180 degrees, projections of the resultant vectors will cross vectors describing the boundaries of the cell. Should an extension move the cell into a zone served by another base station, reverse the sense of the vector and reproject. Connecting the zone crossings and extrapolating will establish a corridor in which it may be said with a high degree of certainty that a base station is located. Position within the corridor may be established by way of signal strength and PN/CGI indicators. All that remains is to travel the corridor until the cell is within visual range. --== RDF Approximation/Optimization ==-- [image] 1) The following method optimizes search complexity at the expense of time and resource requirements. By plotting signal strengths at regular intervals (street intersections, for example) over a large enough area, perhaps 10 km^2 and connecting the appropriate points (ie. by average signal strength or by cell ID) it becomes possible to narrow cell locations to a small area. The inefficiency of this method lies in the requirement for a large amount of travel and that the plotted points (if not chosen correctly) may only converge very slowly if at all. This method is recommended for mapping microcells in congested "antenna jungles," and as a bootstrap for other methods. --== ==-- [image] 2) The following method optimizes search complexity and time at the expense of accuracy and possibly resource requirements. Once a cell boundary is located, a flattened spiral search takes place. Simply travel along the cell line, reversing direction after F(n) units of travel, where F(n) is the nth Fibonacci number[3], n is the number of the turn, and one travel unit is 200m. Since F(8)=13, the 8th pass along the line will be 1.6km, more than long enough to establish the true direction of the cell. Disadvantages include the fact that the resultant location may be difficult to access, improbable or incorrect, further compounded by the difficulties of staying on the cell line. That accounts for most of the wasted travel, since the Fibonacci search is naturally efficient. This method is recommended for open but complicated areas like refineries where it may not be obvious in which direction the cell lies, due to the "cleverness" of some site engineer. Other useful search techniques will be posted as they are described. --== RDF References ==-- [1] Far Side. You know the one - "What we say, what dogs hear." [2] http://www.geckobeach.com/cellular/ [3] F(i+1)=F(i)+F(i-1). F(0)=0, F(1)=1. F(x) -> 0, 1, 1, 2, 3, 5, 8, 13, ... [image] Images accompanying this paper (and the latest html version) can be found at http://www.edmc.net/~wargames/df-paper.html --- Monday July 3rd 2000 - Our First Exploration in a Downtown Drain ______________________________________________________________________ Magma and I decided it was time to go and explore. Being new at this, we weren't exactely sure where to start. Since exploring a building is rather risky to begin with, we thought a drain is a realatively safe place for a couple of new explorers to check out. After a couple weeks, Magma spotted a nice drain Drain we could possibly explore. So, we had the drain figured out, we next had to plan up how to enter and what to bring on this little expedition. Magma brought a maglight, and, I brought along another maglight, and the camera around my neck. Since this was a drain, we had to wait for a day when there was no percipitation so water level of the drain was fairly shallow for us to walk in. Also, for safety sake, being downtown, the safest time to not be spotted in this activity would be to go at night. Magma added the note that we travel the drain at around 11pm. The reason for this is that teenagers walking around that time of night is not nearly as suspicious as teenagers downtown at like 3am. It is now July 3rd, and Magma and I decided this night is as good as any to begin exploring. Boy, were we in for a surprise. Magma had driven us to a restaurant a few blocks off the drain, and we walked to the drain from there. To aviod arousing suspicion, we changed into our draining gear (rubber boots, and shorts) at a parking garage with a bathroom across the street from the drain. Once at the drain, we slipped into the channel, and began walking into the tunnel. At first glimpse we expected the drain to just get smaller, and close into a wall or something. Instead, the tunnel took us along a few turns, never seeming to end. As we walked, we could only see but 30 or 40 feet ahead from our flashlights and after that, pitch black. Along our travels, we came across an orfice [image] door. I quickly got closer, and peered inside which forms a new tunnel to lead us elsewhere. I went inside, and was quickly stopped by large pipes blocking my travels. After climbing below and above them, I decided I wasn't getting anywhere, and returned to the opening where Magma was waiting for me. As we walked through the cool water in the tunnel, to our surprise, we were constantly being hit by fish that were swimming in this water. At sometimes, Magma and I were being tripped up by these fish, that were hard to avoid, considering the number of them. Another pest on our trip were the number of spiderwebs we walked through. Nevertheless, we were still enjoying ourselves and continued along the tunnel. About 20 minutes through the drain, we came along another rather large tunnel. tunnel Both Magma and I detoured through it, only coming to a stop by a large steel grate. Having only flashlights, and a camera, we had no choice but to turn around, and continue through the main drain. Tunnel We came across a few more larger drains, but decided to continue on through the main drain. After about 45 minutes, we came closer to the sound of rushing water, and then a dim light. As we travelled closer, the light grew brighter, and the rush of water more intenese, and louder. At this point, we did not want to take the chance of being seen, so we turned off the maglights and walked to towards the light in front of us. pumping station To our disappointement, we came to the end of tonight's journey. What lay ahead was the light of streetlights. A large steel grate blocked us from exiting the tunnel into the water pump stations. Already statisfied with what we had found and explored, we decided it was best for us to return back through the main drain, and back home. The trip back was very quick. Since we were now walking with the current, our speed was signifcantly faster, and also, now that we were familiar with the area, we needn't be so slow, and cautious of what's ahead. We made it back out of the drain, climbed up out of the channel, and changed back into normal clothes at the parking garage. We then got back into Magmas car, and returned home after a great trip of what shall be one of many more drains to explore. Reference: (with image) http://internettrash.com/users/mtghu/drain01.htm --- Well would you look at all the happy people.... ð cyb0rg_asm/#haxordogs looks ð theclone grins happy-like Do you see 'em cyb0rg_asm are they still shining? yes, shiny. ÛÛ 'The Comprehensive Guide to Paytel Canada payphones' Written by: The Clone On Friday July 14, 2000 ÛÛ __________ ./_CONTENTS_\. ` ` .; Disclaimer .; PayTel Canada offices .; Protel Model Phones .; Intellicall Model Phones .; Resources .; Conclusion .; Contact .; Shouts _,_ Disclaimer -- Within the pages of this document is information pertaining to the technological ins and outs of a huge chunk of the payphone market in Canada. I am by no way responsible for any damage someone or somebody causes by reading this document. If you want to break something and risk a fine or prison time, by all means leave me the hell out of it. In other words, if I in some way AM contributing to that slight increase in Canadian youth crime, I don't take responsibility for it. So please, use this information to learn and grow and not to piss off your phone company, the police department, or national defense. _-_ 'PayTel Canada offices' Several months ago, in my document titled 'The Complete Guide to the Elcotel Payphone' I listed off every Corporation that currently has an account with Elcotel; this included specific account information in alphabetical order. From what I assume, that information was deemed useful by my readers so for that I've taken a similar approach with this section. For now, here is a list of every PayTel office in Canada in order from west to north - just a good resource for Canadian phreakers who may be interested in this company. __ Paytel's national head office is located in Surrey, British Columbia, with the following branch offices in: Alberta (Calgary), Ontario (Toronto, Markham), Quebec (Mirabel), New Brunswick (Moncton) and Nova Scotia (Dartmouth). Western Canada (Head Office) 2428 King George Hwy Surrey, BC V4P 1H5 Tel: (604) 542-2010 Fax: (604) 542-2011 Toll-free: 1-877-542-2010 Ontario Region 6 Adelaide Street East Suite 500 Toronto, ON M5C 1H6 Tel: (416) 504-7400 Fax: (416) 504-7211 Customer Service: 1-800-265-2953 info@paytelcanada.com Quebec Region 17,000, rue Charles bureau 100 Mirabel, PQ J7J 1X9 Tel: (405) 433-0001 Fax: (405) 433-1303 Toll-free: 1-877-433-3553 Eastern Region 201 Brownlow Avenue Unit 57 Dartmouth, NS B3B 1W2 Tel: (902) 468-1716 Fax: (902) 468-1717 Toll-free: 1-877-575-7555 _-_ 'Protel Model Phones' Protel, Inc. of Lakeland, Florida is North Americas leading manufacturer of smart public payphones. In 1984 Protel introduced the first line-powered smart payphone in the USA. Protel were one of the first key-players in the development of the first Customer Owned Customer Operated Telephones (COCOT) in the early 1990's, and have strived to bring quality yet cost effective phones to millions of people around the globe. Protel develops several payphones, though only having slight differences between them, which are unique and interesting to mess around with for a couple of obvious reasons; interaction with the phones' diagnostic - statistical information is possible by using a series of secret codes, and physical/remote security is fairly weak. This is just the type of thing any telephone enthusiast loves to read. Note: I haven't personally found an abundant amount of these payphones within Edmonton in comparison to the Intellicall model phones, but keep in mind, the telecommunications industry is an ever-changing one so who knows what to expect in the next six months or so. Keep your eyes peeled and lemme know if you find any Protel Model payphones in your area. PayTel Canada's Protel Phone ---------------------------- This is one of the few widely distributed Protel phones in Canada: http://home.edmc.net/~theclone/protel.jpg Payphones and Accessories ------------------------- http://www.protelinc.com/PROTELInt/payphone/Fpayph.htm Protel Locations ---------------- Restaurants - Truck Stops - Schools - Service Stations - Churches - Airports - Bowling Alleys - Night Clubs - Bingo Parlors - Resorts - Low-income Housing - Convenience Stores - Apartments - Bars - Lounges - Hotels - Motels Features -------- - When dialing a call on a Protel phone, the phone slowly dials each digit while it waits for you to finish dialing or finish paying. You'll be able to hear this in the background, but it is often quiet so open your damn ears! - Leaving a Protel receiver off the hook for too long will cause the phone to produce an interesting beeping sound. - Credit Card slots; some of these phones DO have credit card slots which accept many major credit cards (ie. Visa, Mastercard, e.t.c). - Internal Alarms; can be disabled by entering *# and the correct two to four digit pin code, most likely in default mode and easily bruteforceable. - Ringers; Protel model phones will most often ring when called. After five rings a modem carrier will pick up which is sometimes followed by an automated voice that reads off how much money is in the phone including the date/time. Special Features ---------------- - A particularly special feature about the Protel model payphones are the unique Protel-only *# options that allow any phreaker to learn about the phones' internal information simply by entering a few codes. Here are the *#6X codes I'm aware of at this present time: ` *#61 should give you ANI information ` *#62 will ID the software version the phone is utilizing ` *#65 sometimes discloses the phones company's HQ modem number - in Canada the modem carrier number would belong to PayTel Canada. ` *#68 disables the phone all together ! Tip: by hand-scanning other *# codes (ie. *#0X, *#1X, *#2X, e.t.c.) you may find more neat options like the ones noted above. Remote Administration Software ------------------------------ * Expressnet - ftp://208.49.251.4/Xv150.exe - (official Protel software) ftp://208.49.251.4/XnetV151.exe - "" * Panorama - http://filexfer.tripod.com * Pronet - http://www.protelinc.com/PROTELInt/pronet/fpronet.htm Security Issues --------------- 'Physical Administration' To my knowledge there are two ways to gain physical administrative powers on a Protel model payphone, the first way is somewhat easier. Here's what you do; ` Enter *# and then the correct four digit admin PIN code which are most likely defaults such as: *#1234, *#5555, *#9999, and so on. Once you enter the correct PIN code you will have total access to all menus, rate tables, and will have the ability to alter restrictions on what phone numbers can be dialed. ` The second way is quite a bit more difficult but is successful nonetheless. After entering the correct two to four digit *# alarm code, and opening the phone with the proper keys, you will notice a 'setup' button on the printed circuit board. Press the button and immediately you'll be prompted for the correct PIN code. ` Enter *#000000 (6 digits) - at this point you will have total access to all menus, rate tables, including the ability to alter restrictions on what phone numbers can be dialed. 'Remote Administration' Remote Administration of the Protel phone can be both enjoyable and profitable, if done correctly. In this section, I'll be explaining step by step on how to successfully take over a payphone or many payphones by using just a computer with a modem and the proper software. The first thing you'll need in order to successfully take over a Protel payphone remotely is the particular payphone's phone number. This can be accomplished by either writing down the phone number listed on the phone, or by entering *#61 with the receiver off the hook. Secondly, you're going to need the right payphone administration software. Remember; some software which might work for administering one payphone may not necessarily work for another. The reason for this is that some software just isn't compatible with the payphones' chip, making it impossible to even connect to the phone correctly. Another reason may be that the software you're using doesn't allow you to enter the necessary number of digits that would be required of you when prompted for the PIN code. In this case, you'll need software that allows you to enter a 6-8 digit payphone admin PIN. The PIN code; because of the fact that most payphone administration PIN codes (by default) are a series of numbers with only one number and 6-8 digits, and if we remember that the internal physical administration PIN for the Protel is *#000000, I would say that the default PIN for all Protel phones is likely an easy guess. 'Audio File coin return exploit' Many of the Protel payphones throughout eastern Canada and parts of the United States which are owned and operated by Bell (called BOCUT's) are vulnerable to a particularly interesting form of phone fraud. This vulnerability will allow anyone on one of these phones to make a local call and then get their money spit back into the coin return. Now as some of you may already know, as a service provided to ensure customers aren't being ripped off when they insert that 25/35¢ for a call, phone companies have what they call a "coin return policy". This policy states that if a customer inserts his/her money for the call but are unable to complete the call due to technical problems on the part of the CO, then the operator must empty out the appropriate change. Now adays with the advent of new telecom based technologies, all an operator would be required to do is play a specific frequency into the receiver to subsequently cause the phone to empty. What I'm getting to is this; if anyone on a regular quality land-line was to be called by someone on a Protel model BOCUT, and then the person on the land-line was to play the coin-return frequency, they could quite possibly automate what any operator has the power to do. This little exploit is known as the 'Green Box', but alt.phreaking's 'Cyber Thief' coined this the 'Protel-Box' for the obvious reason that it only works on Protel model phones. DIY, baby: ==> <== The frequency in '.WAV' format: http://home.edmc.net/~theclone/freecall.wav ==> <== Canadian Distributors --------------------- C. G. Industries Limited 30 Shields Court Markham, Ont. L3R8V2 Phone: 905-475-5093 Fax: 905-475-5389 http://www.cgil.com International Connectors & Cable, Inc. (ICC) 16918 Edwards Rd. Cerritos, CA 90703-2400 Phone: 562-926-0734 Fax: 562-926-5290 Toll Free: 1-800-333-7776 http://www.icc-payphone.com Palco Telecom, Inc. 7825 Flint Road S.E. Calgary, Alberta T2H 1G3 (800) 661-1886 (403) 255-4481 Fax: (403) 259-0101 http://www.palcotel.com Pay Phone Technologies 80D Centurian Drive Unit 8 Markham, ON L3R 8C1 905-947-8216 Fax: 905-947-8209 Toll Free: 1-877-488-0041 http://www.foc-ppt.com -`- 'Intellicall Model Phones' `` Using advanced technology and the experience of over 12 years in the industry, Intellicall produces two payphone models that may both be customized with a variety of options to meet the demands of your locations. The UltraTel payphone is the economical workhorse of the industry for those installations that use AC power. The AstraTel payphone is the proven answer where line power is preferred. Both are highly robust systems that deliver the long term reliability required in any successful payphone network. '' Paytel Canada's Intellicall Phone --------------------------------- Paytel Canada distributes this model of payphone by Intellicall called the AstraTel 2: http://home.edmc.net/~theclone/astraltel2.jpg Intellicall: 'AstraTel & Ultratel' Audio Samples --------------------------------------------------- http://www.payphone-directory.org/sounds/wav/web/intvoice.wav http://www.payphone-directory.org/sounds/wav/web/intavoice.wav http://www.payphone-directory.org/sounds/wav/web/a.wav http://www.payphone-directory.org/sounds/wav/web/intring.wav Payphones and Accessories ------------------------- http://www.universal-comm.net/intell.htm Intellicall Locations --------------------- Restaurants - Truck Stops - Schools - Service Stations - Churches - Airports - Bowling Alleys - Night Clubs - Bingo Parlors - Resorts - Low-income Housing - Convenience Stores - Apartments - Bars - Lounges - Hotels - Motels Features -------- [On UltraTel Models] - After Approximately five rings, a modem carrier will pick up - Some models of this phone have a scrambled keypad, that is, when you dial a number, the tones you hear don't match the numbers you push. After a call is completed, the scrambling ends. - This phone requires an AC power source to function properly. - During a call, it will take your money as soon as it thinks the call is answered. If it is left off the hook too long it will say: "Please hang up and try again." [On AstraTel Models] - After Approximately five rings, a modem carrier will pick up - It has a 14,400 baud modem, which is very fast for a pay phone. It runs only on phone line power. If you don't deposit enough for a call, you will be told to just deposit the difference. - if you leave this phone off hook too long it will generate a fake fast busy signal. Special Features ---------------- Toll Fraud Prevention -- The fraud prevention is this: if you call your friend on an Intellicall phone (UltraTel & AstraTel models) and your friend answers, the phone will automatically dial '111'. If you were to call this phone from either the payphone next to it or from a cellphone; have it ring once, pick it up and then hang up, and pick it up again you'd get an unrestricted dial tone which would allow you to use a tone dialer (since the keypad is temporarly disabled) to make free local calls. The auto-111 DTMF tones override the dialtone, thus preventing toll-fraud. Security Issues --------------- - Internal Alarm Bruteforcing - Internal Alarm Bruteforcing can be done by firstly entering pound then a four digit PIN. Because of previous problems involving the disclosure of alarm codes, I will not be posting it on this article. Too many people were abusing the #CPC code that was mentioned on the 'Complete Guide to the Elcotel Payphone', and because of that Canada Payphone changed the PIN and set up a trap (at least in Edmonton) which automatically caused the phone to dial out for help. If you wish to bruteforce the PIN then all the power to you. 'Phone Seizing Problems - will give free phone calls' Well whaddya know, the very same exploit I discovered on the Elcotel 9520C model payphones works on the Intellicall model payphones as well. When will these payphone developers and their distributors ever take their security seriously? The answer is; until the specific fraud being committed has reached such prevalent levels that the chance of a yearly revenue is slim to none. Using a twenty dollar Genexxa 33-Number Memory Pocket Tone Dialer from Radio Shack, one can easily take advantage of Paytel's incompetence in relation to call seizing. -- Typical Scenario -- CALL TO PAYTEL CANADA Operator: Paytel Canada, how may I help you? Phantom Phreak: Yes, may I have the number for directory assistance? Operator: Just a moment... Phantom Phreak: Thank-you. Operator: 1-877-542-2010 Phantom Phreak: No no no, thank-you! * Operator Hangs Up * * Phantom Phreak is dropped to an unrestricted line, and then proceeds to play his pre-programmed 7 digit DTMF tones into the receiver allowing him a free local call. * Useful Numbers: The keypad isn't disabled when using these local numbers, meaning you will not need to go through the trouble of using a tone-dialer: ** 0 ** 411 ** 611 ** 811 ** 911 (?) | see: 'SKANNING' at www.nettwerked.net for a listing of thousands of these: | * Blocked From Area - Will eventually drop you to an unrestricted line * Call Cannot Be Completed - Will eventually drop you to an unrestricted line * Disconnected - Will eventually drop you to an unrestricted line * Not In Service - Will eventually drop you to an unrestricted line * Unsuccessful VMB Login Attempts - will usually drop you to an unrestricted line after several unsuccessful login attempts (not recommended) Modem Carrier Numbers (AstraTel 2): 519-576-0354 - Kitchener, Ontario, Canada 780-483-9783 - Edmonton, Alberta, Canada 780-456-9983 - 127St/139Ave: Edmonton, Alberta, Canada 905-453-9794 - Halifax, Nova Scotia, Canada (corner of Robie and Young streets) 'Resources' Resources list - URL's of web-sites that helped me with the R&D for this document: -+ GHU - The Grasshopper Unit: http://internettrash.com/users/mtghu/ -+ Intellicall Inc: http://www.intellicall.com/ -+ Pay Phone Directory: http://www.payphone-directory.org -+ PayTel Canada: http://www.paytelcanada.com/ -+ Protel Inc: http://protelinc.com -+ Protel Inc (ftp): ftp://protelinc.com -+ Tatung Telecom: http://www.tatungtel.com/ 'Conclusion' I'd firstly like to thank some people who helped directly and indirectly with the creation of this document: Cyber Thief, Magma, Miklos, and RT. Secondly: Oh you big scary Telecom companies popping up everywhere trying to make a buck (or should I say 'quarter') off the slowly dying payphone industry in Canada, without ever paying attention to security. I'm not going to chant about how you guys should INCREASE your security. See that's just something honest 'white hat' folks do. The more you make it easier for the Canadian phreakers to exploit you physically and remotely, the better. Although I don't mind a challenge every now and again... or do I? All this STUFF just comes so easily to me... tee-hee. Def Con 8: YES! Hack Canada and several of their Canadian friends will be attending Def Con 8 this year for some good 'ol fashion fun! This will be Hack Canada's second year attending this crazy Las Vegas conference, and we plan on having a few surprises for all you people. Look for a lot more pictures and reviews this year - hell just look for us and share your beer, eh. PeAcE OuT... _ Contact me _ E-mail: theclone@nettwerked.net ICQ: 79198218 IRC: haxordogs.net [#haxordogs, #nettwerked] URL - http://www.nettwerked.net Shouts: Hack Canada & Haxordogs A P R E - D E F C O N 2 0 0 0 R E L E A S E --- Credits: I would like to give credit to the following people for helping with this issue of K-1ine - if it wasn't for you guys I don't think this issue would of been released. -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- 4ncifer, Eric Knight, Magma/Miklos, PsychoSpy, Untoward, and lastly to Wargames -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Thanks you guys, seriously. I'm very happy to see all the contributions. Remember: Articles are ALWAYS welcomed. If you have something you'd like to see on this zine, feel free to send me an e-mail. Even if you're worried that the article is "lame" or "isn't technical" or something like that, send it anyways. Remember: everyone has something to offer to the scene. Show your support. -- Shouts: Hack Canada (www.hackcanada.com) and Haxordogs (www.haxordogs.net), k-rad-bob @ b0g (www.b0g.org), #2600ca crew, Ottawa 2600; mainly Kybo_Ren, RT, The Non-Existent Crew, lastly to everyone and anyone who gives a shit about the Canadian H/P scene. A N E T T W E R K E D P R O D U C T