Full Disclosure mailing list archives

Latvenergo RIGAS HES-2 HACKED!
From: Zhang Xinghu <zhangxinghu () rocketmail com>
Date: Tue, 3 May 2011 08:48:42 -0700 (PDT)

Latvenergo RIGAS TEC-2 software vulnerability analysis techniques

http://www.latvenergo.lv/pls/portal/docs/PAGE/LATVIAN/IMAGES/razosana_tec_r.jpg
RIGAS TEC-2 (Heat Power Plant)

Latvian Energy Grid
http://upload.wikimedia.org/wikipedia/en/6/68/Latvian_grid.png

SCADA:
http://img197.imageshack.us/i/11845309.png/
http://img853.imageshack.us/i/82004790.png/
http://img835.imageshack.us/i/11297056.png/
http://img811.imageshack.us/i/24628503.png/
http://img708.imageshack.us/i/46434198.png/
http://img42.imageshack.us/i/69536191.png/
http://img268.imageshack.us/i/91060646.png/
http://img573.imageshack.us/i/20665870.png/
http://img705.imageshack.us/i/91159778.png/
http://img850.imageshack.us/i/21524239.png/

http://83.136.143.114/ and http://85.15.193.254/

login: henriks
password: :henry50

-----------------------------------------------------------------------------------------
Rigas TEC-2 Router configuration: 

Current configuration : 8665 bytes
!
! Last configuration change at 18:36:17 EET-EDT Mon May 1 2011 by henriks
! NVRAM config last updated at 21:11:22 EET-EDT Mon May 1 2011
!
version 12.4
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
!
hostname rb-tec2-ibedro
!
boot-start-marker
boot-end-marker
!
logging buffered 32768 debugging
enable secret 5 $1$1Jog$NgC5Ve1J4ZV4d.Ns4cYuK/
!
no aaa new-model
!
resource policy
!
clock timezone EET 2
clock summer-time EET-EDT recurring last Sun Mar 3:00 last Sun Oct 3:00
clock calendar-valid
ip subnet-zero
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.40.8.0 10.40.8.1
!
ip dhcp pool IP-phones
   network 10.40.8.0 255.255.255.128
   default-router 10.40.8.1
   dns-server 10.0.37.1 10.0.37.2
   domain-name int.letcom.lv
   option 150 ip 10.0.38.1 10.0.38.2
   lease 7
!
!
ip vrf LE_Inet
 rd 29600:76
!
ip vrf MGMT
 rd 29600:74
!
ip domain name int.letcom.lv
ip host letccm1.int.letcom.lv 10.0.38.1
ip host letccm2.int.letcom.lv 10.0.38.2
ip name-server 10.0.37.1
ip name-server 10.0.37.2
!
voice-card 0
 no dspfarm
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-667169674
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-667169674
 revocation-check none
 rsakeypair TP-self-signed-667169674
!
!
crypto pki certificate chain TP-self-signed-667169674
 certificate self-signed 01
  quit
username cisco privilege 15 secret 5 $1$2gKA$AkkCIcEviInzKmgA9uYY.1
username henriks privilege 15 secret 5 $1$o8TS$N/hEZX99OrJYekQGffJOK0
username alfreds privilege 15 secret 5 $1$oezl$miNkMEnzGLy4CVwT3XA7y/
username ugis privilege 15 secret 5 $1$yL4P$ErYRu.UU1lcireNDTvA2T1
username agris privilege 15 secret 5 $1$4yfS$GmtMLYEvnMmNLimx3cIEs.
username agritis privilege 15 secret 5 $1$bPCB$p8PoLDo6JydfwhqmksEJb/
username normis privilege 15 secret 5 $1$EGe6$n09ZOVK0/Z47LY5QOrmly0
username gints privilege 15 secret 5 $1$Qkow$2epiPs8stbDFNXk35KIiG.
username arnis privilege 15 secret 5 $1$pzmn$iIoY5KsH/KicXQcnihQwe0
!
!
!
!
interface FastEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0/0$
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/0.74
 encapsulation dot1Q 74
 ip vrf forwarding MGMT
 ip address 10.33.1.22 255.255.255.252
 no snmp trap link-status
!
interface FastEthernet0/0.75
 description VoIP
 encapsulation dot1Q 75
 ip address 10.40.255.30 255.255.255.252
 no snmp trap link-status
!
interface FastEthernet0/0.76
 encapsulation dot1Q 76
 ip vrf forwarding LE_Inet
 ip address 83.136.143.66 255.255.255.252
 no snmp trap link-status
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/1.2
 encapsulation dot1Q 2
 ip vrf forwarding MGMT
 ip address 10.100.15.113 255.255.255.240
 no snmp trap link-status
!
interface FastEthernet0/1.3
 encapsulation dot1Q 3
 ip vrf forwarding LE_Inet
 ip address 85.15.200.1 255.255.255.248
 no snmp trap link-status
!
interface FastEthernet0/1.4
 description VoIP
 encapsulation dot1Q 4
 ip address 10.40.8.1 255.255.255.128
 no snmp trap link-status
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.40.255.29
ip route vrf LE_Inet 0.0.0.0 0.0.0.0 83.136.143.65
ip route vrf MGMT 0.0.0.0 0.0.0.0 10.33.1.21
!
!
no ip http server
ip http access-class 23
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
logging 10.1.37.7
access-list 23 permit 10.10.10.0 0.0.0.7
snmp-server community r05n3pcom RO
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps vrrp
snmp-server enable traps ds1
snmp-server enable traps tty
snmp-server enable traps eigrp
snmp-server enable traps xgcp
snmp-server enable traps flash insertion removal
snmp-server enable traps ds3
snmp-server enable traps envmon
snmp-server enable traps icsudsu
snmp-server enable traps isdn call-information
snmp-server enable traps isdn layer2
snmp-server enable traps isdn chan-not-avail
snmp-server enable traps isdn ietf
snmp-server enable traps ds0-busyout
snmp-server enable traps ds1-loopback
snmp-server enable traps atm subif
snmp-server enable traps bgp
snmp-server enable traps bulkstat collection transfer
snmp-server enable traps cnpd
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps dial
snmp-server enable traps dsp card-status
snmp-server enable traps entity
snmp-server enable traps event-manager
snmp-server enable traps frame-relay
snmp-server enable traps frame-relay subif
snmp-server enable traps hsrp
snmp-server enable traps ipmobile
snmp-server enable traps ipmulticast
snmp-server enable traps mpls ldp
snmp-server enable traps mpls traffic-eng
snmp-server enable traps mpls vpn
snmp-server enable traps msdp
snmp-server enable traps mvpn
snmp-server enable traps ospf state-change
snmp-server enable traps ospf errors
snmp-server enable traps ospf retransmit
snmp-server enable traps ospf lsa
snmp-server enable traps ospf cisco-specific state-change nssa-trans-change
snmp-server enable traps ospf cisco-specific state-change shamlink interface-old
snmp-server enable traps ospf cisco-specific state-change shamlink neighbor
snmp-server enable traps ospf cisco-specific errors
snmp-server enable traps ospf cisco-specific retransmit
snmp-server enable traps ospf cisco-specific lsa
snmp-server enable traps pim neighbor-change rp-mapping-change invalid-pim-message
snmp-server enable traps pppoe
snmp-server enable traps cpu threshold
snmp-server enable traps rsvp
snmp-server enable traps rtr
snmp-server enable traps syslog
snmp-server enable traps l2tun session
snmp-server enable traps vsimaster
snmp-server enable traps vtp
snmp-server enable traps voice poor-qov
snmp-server enable traps voice fallback
snmp-server enable traps dnis
snmp-server enable traps dnis
snmp-server host 10.0.19.49 r05n3pcom
snmp-server host 10.2.0.49 r05n3pcom
!
!
!
control-plane
!
!
!
voice-port 0/3/0
 cptone FI
!
voice-port 0/3/1
 cptone FI
!
voice-port 0/3/2
 cptone FI
!
voice-port 0/3/3
 cptone FI
!
ccm-manager redundant-host LETCCM1
ccm-manager mgcp
no ccm-manager fax protocol cisco
ccm-manager music-on-hold
ccm-manager config server LETCCM1 LETCCM2
ccm-manager config
!
mgcp
mgcp call-agent LETCCM2 2427 service-type mgcp version 0.1
mgcp dtmf-relay voip codec all mode out-of-band
mgcp rtp unreachable timeout 1000 action notify
mgcp modem passthrough voip mode nse
mgcp modem passthrough voip codec g711alaw
mgcp package-capability rtp-package
no mgcp package-capability res-package
mgcp package-capability sst-package
no mgcp package-capability fxr-package
mgcp package-capability pre-package
no mgcp timer receive-rtcp
mgcp sdp simple
mgcp fax t38 inhibit
mgcp rtp payload-type g726r16 static
!
mgcp profile default
!
!
!
dial-peer voice 999030 pots
 service mgcpapp
 port 0/3/0
!
dial-peer voice 999033 pots
 service mgcpapp
 port 0/3/3
!
dial-peer voice 999031 pots
 service mgcpapp
 port 0/3/1
!
!
dial-peer voice 999032 pots
 service mgcpapp
 port 0/3/2
!
!
!
line con 0
 login local
line aux 0
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
line vty 5 15
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler allocate 20000 1000
ntp server 10.33.1.21
!
end
-------------------------------------------------------------------------------------
China Youth Hackers Alliance
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
