Welcome to Linux (ZEM300) for MIPS
Kernel 2.4.20 Treckle on an MIPS
Has anyone come across this before? It seems to be a login point for a security device (physical security) at the network. Thing is, I have no documentation on the "MIPS", neither from Google nor from anywhere else. Anyone got ideas on this? And I'm running hydra with a wordlist, and a bruteforcer at the same time on it.
------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board
Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.
http://www.iacertification.org
------------------------------------------------------------------------
Googling "Kernel 2.4.20 Treckle" gives back these two links
http://plug.org.in/pipermail/plug-mail/2009-November/006785.html
http://hk.zksoftware.com/bbs/viewthread.php?tid=406
which suggests it could be a fingerprint scanner.
Robin
Hi,
try the following link: http://en.wikipedia.org/wiki/MIPS_architecture
Regards
Cyber-threats
> Date: Mon, 4 Jan 2010 03:32:52 -0800
> From: elliotf...@yahoo.com
> Subject: "MIPS" Pentesting
> To: pen-...@securityfocus.com
http://www.zk-usa.com/edk_zem300.php
--
CEH, CCENT, Security+, Network+, A+, Project+, MCP, CIW Associate
http://www.securitywire.com
PGP Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x24BB1F0D06C05B31
Interesting ports on 192.168.5.2:
Not shown: 99 closed ports
PORT STATE SERVICE VERSION
23/tcp open telnet ZKSoftware ZEM300 embedded linux telnetd (Kernel 2.4.20; MIPS)
Service Info: Host: Treckle; OS: Linux
I did a UDP scan but no ports were open, so I couldn't use SNMP to gather data that would allow me to access the device's login hash. A TCP scan reveals only one open port, 23. I'm still prompted for a login when I connect to port 23. It doesn't seem to use default passwords like Admin, admin, password, etc., and I couldn't find a default password for this device in any default password list. I tried to force a buffer overflow into the device by using a very long password string by doing:
ncat 192.168.5.2 23 < /dev/random
and at the same time I was Hping'ing the device to check its uptime. But it didn't reboot... That's all the info I have on the device. If I get a shell, I'll post info on how the compiler compiles my exploits, and how exploits, if possible, work under this device.
--- On Mon, 1/4/10, Reggie Wheeler <whee...@comcast.net> wrote:
> From: Reggie Wheeler <whee...@comcast.net>
> Subject: RE: "MIPS" Pentesting
> To: "'Elliot Fernandes'" <elliotf...@yahoo.com>
> Date: Monday, January 4, 2010, 5:28 PM
> I found some information that may help you and anyone else wondering what it
> is that you found. There is way too much to put in an email so I will just
> give the links.
>
> http://en.wikipedia.org/wiki/MIPS_architecture
> This link will explain to you what a MIPS processor is, who created them and
> how they are used today.
>
> http://www.google.com/search?hl=en&client=firefox-a&rls=org.mozilla:en-US:official&ei=aetBS9ffPMKUtgfJ4byJCQ&sa=X&oi=spell&resnum=0&ct=result&cd=1&ved=0CAYQBSgA&q=Linux+MIPS&spell=1
> This Google link will give you all of the information you want on MIPS Linux
> porting and the different Linux flavors that can be ported to work with the
> MIPS processor.
>
> Hope this helps you out. Please post more info; I am curious to know what you
> found.
Appears to be a biometric device.
"ZEM300 uses 32 bit parallel high-speed 400 MHz CPU ZK6001 that can be conveniently connected with TFT,USB Host, WIFI, GPRS/CDMA and such external equipments."
-----Original Message-----
From: listb...@securityfocus.com [mailto:listb...@securityfocus.com] On Behalf Of Elliot Fernandes
Sent: Monday, January 04, 2010 3:33 AM
To: pen-...@securityfocus.com
Subject: "MIPS" Pentesting
Can you sniff the network segment it is in, or are you multiple hops away?
As I recall, MIPS is a processor architecture. Some kind of embedded
devices, so if you make a really aggressive attack, as hydra does with its
default thread settings, you can cause a DoS by consuming all the hardware
resources.
http://www.zk-usa.com/edk_zem500.php
Maybe this is too obvious, but have you tried the default password?
In my experience, attacking this kind of device directly is useless. I
prefer to control a machine in the same segment (I've made a Portable
Wireshark)
http://hackarandas.com/blog/2009/10/08/truly-portable-wireshark/ and wait
for a password. Another technique that has been really useful is
controlling the domain controller and having access to the computers in
the admin segments. It happens that someone has a neat, well-documented
Excel file with all the device passwords.
Sometimes the sum of the vulns is the way of getting to the targets.
Greets,
--
Adrián Puente Z.
[www.hackarandas.com]
Where ideas scatter into bytes...
"... I beg my pride to always be accompanied by my prudence,
and if some day my prudence should fly away, may it at least
fly together with my madness"
--Nietzsche
Fingerprint: FBD6 4C36 2557 C64C 1318 70A8 F561 CB6F 4E40 5AFB
http://www.hackarandas.com/apuente_at_hackarandas.com.asc.gz
Additionally you could call the company in the link Wayne pointed out
above and find out from them their default passwords (perhaps you can
download a PDF of the manual). Additionally the manual may give you
some ideas for filenames you could grab/write using TFTP (which the
site says the ZEM supports).
Z
Though not directly referring to your device, this might be helpful.
From a Google search using limiters: site:hk.zksoftware.com telnet
See: http://hk.zksoftware.com/bbs/viewthread.php?tid=519&extra=&page=1
Cheers,
--scm