What follows next is a selection of the most common banners and their OS. Using these you may find still available default accounts. In any case, remember to identify the type of connection you are dealing with, meaning that a RAS would not only be a RAS, but also a RAS for the IT management, an alarm dialup, or any other kind of dialup among the ones mentioned earlier in the chapter.
Cisco Router Cisco routers are often used as PSTN, ISDN, or X.25 access servers when dealing with networks belonging to SME and corporate companies.
It will introduce itself in the following way (the banner may exist or not):
***********************************************************************
* Access to this computer system is limited to authorised users only. * * Unauthorised users may be subject to prosecution under the Crimes * * Act or State legislation *
It’s also possible to get a different output where, in place of the password-only request, you may find:
#### [Company Name] [Country] [Node #] #####
####### [Network and/or Service Name] #######
################ In case of problems, ################
################ contact Mr. Joe Doe ################
################ at extension n. 2222 ################
###############################################
User Access Verification Username:
Shiva LAN Router Shiva LAN routers are often used as PSTN or X.25 access servers when dealing with networks belonging to SME and ISP companies. More information regarding this OS may be found on http://www.shiva.com. Issue #7 of the following old hacking magazine details a very interesting article on hacking and securing Shiva routers, written by Hybrid: http://www.b4b0.org.
A Shiva router will introduce itself in the following way (banner may or may not exist):
***********************************************************
XYZ Internet Service Provider – IT Department Access
***********************************************************
@ Userid:
Password?
Login incorrect
Gandalf XMUX Gandalf XMUXs are produced by Gandalf Technologies Inc. (Gandalf of Canada, Ltd., in Canada). The Password> request appears only if the XMUX console is password-protected; otherwise, you’ll find yourself directly at the XMUX console (the Primary Console Menu). You can find XMUX on both PSTN and X.25 networks.
Password >
Gandalf [System Name]
Rev A1 Primary Console Menu [date]
Node: [nodename] [time]
Primary Menu ...
Motorola Codex 6505 Motorola Codex 6505 is a multiplexer, typically connected to PSTN, ISDN, and X.25 networks. It may act like an “ancient” VoIP PBX, connecting different office branches via X.25 networks, allowing the execution of both voice and data links, as well as a PAD functionality (refer to “How X.25 Networks Work,” later in this chapter, for further information regarding PADs).
Chapter 6: Unconventional Data Attack Vectors
153
Connected to the Control Port on Node "XXX", at 10-OCT-2002 10:33:20 Codex 6505 PAD, Version V2.13
Copyright (C) 1989-1992 by Motorola Information Systems Enter Password:
Digital Equipment Corporation DECserver The DECserver, as the name implies, is a server made by the Digital Equipment Corporation (acquired by Compaq, which was then acquired by HP), the same company that makes the VAX and Alpha machines that we’ll cover later. If the owner of the server put a password on it, enter a # prompt.
DECservers are commonly found on PSTN and X.25 networks. When requesting Username, you can enter any value because a check is not performed.
#
****************************************************************
Welcome to [Company Name] DEC Server 3100 on Node XYZ Username:
VOS by Stratus VOS is an operating system produced by Stratus Inc. It is usually used in nonstop environments for heavy analysis and production jobs, such as credit card management, software development for mainframes, and, generally, banking applications.
It can be attacked when performing PSDN scanning on both public and private X.25 networks.
Maximum number of access attempts has been exceeded. %bsh01#vt_open_1
PRIMOS by Prime Inc. Running on the Prime company’s mainframes, the Primos Operating System is in fairly wide use and is commonly found on PSDN worldwide, though mainly used by telcos.
PRIMENET 23.3.0 INTENGCOM ER!
HP3000 HP3000 is an older machine from Hewlett Packard, running on MPE/V, iX, X, or XL OS releases. It can be found both on PSTN and X.25 networks and usually does not have a banner. More information can be found at http://docs.hp.com/ and http://en.wikipedia .org/wiki/HP3000.
MPE:
EXPECTED A :HELLO COMMAND (CIERR 6057) MPE:
EXPECTED [SESSION NAME,]USER.ACCT[,GROUP] (CIERR 1424) or
EXPECTED HELLO, :JOB, :DATA, OR (CMD) AS LOGON. (CIERR 1402) MPE: HELLO FIELD.SUPPORT
Password =
VCX Pad VCX Pads can be found on X.25 networks all over the world, with a particularly strong presence in Europe, the United States, some African and Asian countries, Australia, and New Zealand.
VCX PAD NODE SFERRANET
Otherwise, you may encounter a generic prompt, without the banner request:
[company_name] orig:-Or also:
VCX Pad
Release 1.3.9.7 Service name?
Chapter 6: Unconventional Data Attack Vectors
155
Pick Systems Pick Systems were created by Mr. Dick Pick (no jokes!). These machines were widely distributed from the ’70s until the first half of the ’80s. Pick Systems Inc. is headquartered at Irvine, California, with sales and support offices in the UK, France, South Africa, and Singapore. These are also the countries where you’ll find Pick machines on X.25 networks.
You can easily identify a Pick System thanks to its login prompt, which usually contains the hour, the date, and the Logon please request.
More information can be found at http://www.picksys.com/index.html and at http://
en.wikipedia.org/wiki/Pick_operating_system.
UN 2001 07:05:54 Logon please:
IBM VM/CMS VM/CMS stands for Virtual Machine/CMS, an S/390 mainframe by IBM.
VM/CMSs are generally linked to SIM3270, 3278, VTAM, and ISM systems. They are used primarily in educational environments (universities in the U.S.), large companies, and financial environments.
. or
.Please Logon:
But also (in its more standard version):
VM/ESA ONLINE--XXXX --PRESS BREAK KEY TO BEGIN SESSION._
HCPCFC015E Command not valid before LOGON: ______
Enter one of the following commands:
LOGON userid (Example: LOGON VMUSER1)
MSG userid message (Example: MSG VMUSER2 GOOD MORNING) LOGOFF
IBM AS/400 IBM AS/400 runs OS/400 as an operating system. You may encounter this OS on both PSTN and PSDN networks. Although on PSTN, you usually won’t encounter a banner but instead a direct identification request:
UserID?
Password?
On PSTN/ISDN and PSDN networks and using a terminal emulator program, you may see the screen shown in Figure 6-4.
You can find more information at http://www.as400.ibm.com/.
DEC VAX/VMS or AXP/OpenVMS VAX/VMS and Alpha/OpenVMS machines were originally produced by DEC, which was acquired years ago by Compaq, which was then acquired by HP. You may find them connected on PSTN and PSDN networks, serving an infinite variety of possible applications and uses.
Warning - Unauthorised access prohibited Welcome to node [NODE], a VAX/VMS 5.5-4.
Figure 6-4 AS/400 on xterm
Chapter 6: Unconventional Data Attack Vectors
157
This is a ACME INC. Network Node Username:
Password:
User authorisation failure
Sun Solaris You can find Sun Solaris on X.25 networks. These networks run a special release of Solaris, which includes the Sun Solaris X.25 stack.
SunLink X.29 Terminal Service login:
Santa Cruz Operation SCO UNIX SCO Unix machines can be found on both PSTN and X.25 networks, usually in very old environments.
Welcome to SCO UNIX System V/386 Release 3.2 X25!login:
IBM AIX You can recognize X.25 release for the IBM AIX from its login request:
IBM AIX Version 3 for RISC System/6000 X25login: