3COM Netbuilder
From Sfvlug
This box is a 1U 19" rack-mountable router, found in a dumpster in Woodland Hills, CA by DualDFlipFlop. The following information was collected by DualDFlipFlop and members of the San Fernando Valley Linux User Group.
SERIAL CONSOLE ACTIVITIES
Console Settings: 9600N81
Serial console boot log:
passed. Self Tests Passed
System boot in progress ... Primary then Secondary
Loading file /primary/boot.68k
uncompressed image
File read - size 1473476 bytes
load completed
move completed
checksum verified
Running image - address 40D000
NETBuilder Loader Version 1.0
Decompressing brouter image...
.................................................done
Wed Dec 31 16:00:14 1969 Path 1 AVAILABLE
Fri Feb 17 21:21:02 2006 System Initialized and Running
Fri Feb 17 21:21:02 2006 Path 2 AVAILABLE
NOTE: During boot, on the 10BaseT side we see some very strange frames; tcpdump shows only time stamps and no other information.
Our login attempts:
NetLogin: Sorry                  // No idea what happened here
@
NetLogin:                        // Ok, so we need a username...
NetLogin: password               // Not a password...
Password:
NetLogin: admin                  // admin / admin
Password:
NetLogin: admin                  // admin / password
Password:
NetLogin: root                   // Oh wait. root / password
Password:
Welcome to the Columbia Network  // Don't worry that didn't spoil anything.
[1]1sour_Los Rob#                // SCORE!
No joke, the previous owners of this router used "root" as their root account, and "password" as their password.
Note: the console times out. It prints an '@' and then you're done.
10BaseT ACTIVITIES
So now we telnet to its IP.
IP Address: IP removed
Let's take a look at the nmap results:
TCP Results:
Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2006-07-16 00:22 PDT
Interesting ports on IP removed:
(The 1661 ports scanned but not shown below are in state: closed)
PORT    STATE SERVICE
23/tcp  open  telnet
855/tcp open  unknown
MAC Address: 08:00:02:20:37:CC (Bridge Communications)
Nmap finished: 1 IP address (1 host up) scanned in 14.237 seconds
UDP Results:
Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2006-07-16 00:20 PDT
Interesting ports on IP removed:
(The 1473 ports scanned but not shown below are in state: closed)
PORT    STATE         SERVICE
67/udp  open|filtered dhcpserver
68/udp  open|filtered dhcpclient
77/udp  open|filtered priv-rje
161/udp open|filtered snmp
520/udp open|filtered route
MAC Address: 08:00:02:20:37:CC (Bridge Communications)
Nmap finished: 1 IP address (1 host up) scanned in 88.603 seconds
Logging in through telnet as root.
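The two scans above are the kind of thing a defender should be turning into an inventory finding rather than a curiosity: a management plane reachable over telnet and SNMP is the real exposure here. The following is an added example, not part of the SFVLUG write-up and not a tool the group used. It parses nmap's classic text output (the two runs from this page are embedded as constructed sample input, with the address kept as the page's "IP removed" placeholder) and flags the ports that a review policy of our own (the RISKY table is an assumption, not anything on the page) would call out. UDP "open|filtered" results are treated as open, because a UDP scan cannot prove a port closed.

```python
import re

# Constructed sample input: the two nmap 3.81 runs quoted on this page.
NMAP_TCP = """Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2006-07-16 00:22 PDT
Interesting ports on IP removed:
(The 1661 ports scanned but not shown below are in state: closed)
PORT    STATE SERVICE
23/tcp  open  telnet
855/tcp open  unknown
MAC Address: 08:00:02:20:37:CC (Bridge Communications)
Nmap finished: 1 IP address (1 host up) scanned in 14.237 seconds
"""

NMAP_UDP = """Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2006-07-16 00:20 PDT
Interesting ports on IP removed:
(The 1473 ports scanned but not shown below are in state: closed)
PORT    STATE         SERVICE
67/udp  open|filtered dhcpserver
68/udp  open|filtered dhcpclient
77/udp  open|filtered priv-rje
161/udp open|filtered snmp
520/udp open|filtered route
MAC Address: 08:00:02:20:37:CC (Bridge Communications)
Nmap finished: 1 IP address (1 host up) scanned in 88.603 seconds
"""

# One "PORT STATE SERVICE" row of nmap's text output, e.g. "161/udp open|filtered snmp".
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)\s*$"
)

# Review policy (assumption, ours): management protocols that should not be
# reachable from a general network segment, with the reason a reviewer would give.
RISKY = {
    ("tcp", 23): "telnet: cleartext logins, credentials visible on the wire",
    ("udp", 161): "snmp: v1/v2c community strings travel in cleartext; SysContact etc. readable",
    ("udp", 520): "rip: routing updates accepted without authentication unless configured",
}


def parse_nmap(text):
    """Return [(proto, port, state, service), ...] for every port row in the output."""
    rows = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            rows.append((m["proto"], int(m["port"]), m["state"], m["service"]))
    return rows


def mac_address(text):
    """Extract the 'MAC Address:' value nmap prints for an on-link host, or None."""
    m = re.search(r"MAC Address: ([0-9A-Fa-f:]{17})", text)
    return m.group(1) if m else None


def findings(text):
    """Map (proto, port) -> reason for each exposed port that the RISKY policy names.

    A state of 'open' or 'open|filtered' counts as exposed; anything else is ignored.
    """
    out = {}
    for proto, port, state, _service in parse_nmap(text):
        if state.startswith("open") and (proto, port) in RISKY:
            out[(proto, port)] = RISKY[(proto, port)]
    return out


if __name__ == "__main__":
    for label, text in (("TCP", NMAP_TCP), ("UDP", NMAP_UDP)):
        print(label, "host", mac_address(text))
        for (proto, port), reason in sorted(findings(text).items()):
            print(f"  {port}/{proto}: {reason}")
```

Run stand-alone it prints the flagged ports with their reasons; the same `findings()` call fits into any inventory script that already has nmap text on hand.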
First let's look at the system info...
[3]1sour_Los Rob#SysInfo
System Information Summary
CPU                     68302
Firmware version        1.0.11
RAM size                8388604 bytes
Flash File System size  8388608 bytes
Port 1 MAC Address      08-00-02-20-37-CC
Port 2 MAC Address      08-00-02-20-37-CD
Port 3 MAC Address      08-00-02-20-37-CE
Port 4 MAC Address      08-00-02-20-37-CF
Other Info We Scored
Default TTL: 30
Network: IP removed/26
Reassembly Time: 15
MTU: 1500
Broadcast: IP removed
Doesn't this look familiar?
[23]1sour_Los Rob#df
PRIMARY   <dir>   5-02-1997 14:00
 0 file(s)  0 bytes
 1 subdirectory(s)  6566912 bytes free
Looks similar to a DOS file system listing. More interestingly, you can see the various boot files, and you can set the boot order. It seems that PRIMARY is aliased to A:, and chances are good that test and secondary are mapped to other drive letters. Perhaps we can add something else to this to, say, hack the planet?
Some Contact Info
Found a number in SysContact (phone number removed) which turned out to be a tech support line that the previous owners could call for service, repairs, and general tech support. (I called and asked around a little further.)
Other Things We Found
From the shell, type SF to get to the system menu. While this router allows multiple admins to connect, it does NOT allow multiple people to enter this menu at once. Here you can change the console port speed (advisable; 9600 is slow).
There is a boot statistic which can be cleared; it showed the unit had been booted only 9 times since it was last cleared (most likely never). We booted the machine no more than 5 times ourselves.
Interesting Packet Logging
When consoled into the unit and someone nmaps it, you get the following:
xsTUNrcv-unknown pack type(1E)bd_1st(7BF124) xscb1(8D73C4)xscb2(8D734C)
xsTUNrcv-unknown pack type(C)bd_1st(7BF6C4) xscb1(8D73C4)xscb2(8D734C)
xsTUNrcv-unknown pack type(1603)bd_1st(7BF82C) xscb1(8D7D6C)xscb2(8D7CF4)
^CxsTUNrcv-unknown pack type(0)bd_1st(7BEE54) xscb1(8D7224)xscb2(8D71AC)
#xsTUNrcv-unknown pack type(300)bd_1st(7BF4E4) xscb1(8D73CC)xscb2(8D7354)
xsTUNrcv-unknown pack type(3A00)bd_1st(7BDBBC) xscb1(8D739C)xscb2(8D7324)
xsTUNrcv-unknown pack type(5A)bd_1st(7BE4CC) xscb1(8D73CC)xscb2(8D7354)
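Those diagnostics are a free detection signal: the unit complains on the console every time it receives a frame type it does not understand, and a scan produces a burst of many different ones. As an added example (not part of the page and not a 3Com feature), here is a small parser for these records plus a heuristic of our own: many distinct unknown packet types in one capture is what the sweep on this page looks like, while a single stray frame is not. The seven lines above are embedded as constructed sample input; the "^C" and "#" console echo on two of them is simply skipped, and the field meanings beyond "pack type" are not assumed, only extracted.

```python
import re
from collections import Counter

# Constructed sample: the console diagnostics quoted on this page, one record per line.
CONSOLE_LOG = """xsTUNrcv-unknown pack type(1E)bd_1st(7BF124) xscb1(8D73C4)xscb2(8D734C)
xsTUNrcv-unknown pack type(C)bd_1st(7BF6C4) xscb1(8D73C4)xscb2(8D734C)
xsTUNrcv-unknown pack type(1603)bd_1st(7BF82C) xscb1(8D7D6C)xscb2(8D7CF4)
^CxsTUNrcv-unknown pack type(0)bd_1st(7BEE54) xscb1(8D7224)xscb2(8D71AC)
#xsTUNrcv-unknown pack type(300)bd_1st(7BF4E4) xscb1(8D73CC)xscb2(8D7354)
xsTUNrcv-unknown pack type(3A00)bd_1st(7BDBBC) xscb1(8D739C)xscb2(8D7324)
xsTUNrcv-unknown pack type(5A)bd_1st(7BE4CC) xscb1(8D73CC)xscb2(8D7354)
"""

# One record; all four values are printed in hex by the unit. finditer() is used
# rather than an anchored match so console echo before the record is ignored.
RECORD = re.compile(
    r"xsTUNrcv-unknown pack type\((?P<ptype>[0-9A-Fa-f]+)\)"
    r"bd_1st\((?P<bd_1st>[0-9A-Fa-f]+)\)\s*"
    r"xscb1\((?P<xscb1>[0-9A-Fa-f]+)\)xscb2\((?P<xscb2>[0-9A-Fa-f]+)\)"
)


def parse_records(text):
    """Return one dict per record with every hex field converted to int."""
    return [{k: int(v, 16) for k, v in m.groupdict().items()}
            for m in RECORD.finditer(text)]


def sweep_suspected(text, min_distinct=4):
    """Heuristic (ours, an assumption): a burst containing at least `min_distinct`
    different unknown packet types looks like a scan. Returns (flag, sorted types)."""
    types = Counter(r["ptype"] for r in parse_records(text))
    return len(types) >= min_distinct, sorted(types)


def summary(text):
    """Human-readable one-liner suitable for a console-log watcher to emit."""
    flag, types = sweep_suspected(text)
    shown = ", ".join(f"0x{t:X}" for t in types)
    verdict = "possible scan" if flag else "isolated"
    return f"{len(parse_records(text))} unknown frames, {len(types)} types ({shown}): {verdict}"


if __name__ == "__main__":
    print(summary(CONSOLE_LOG))
```

Feeding the console output through a serial logger and running `sweep_suspected()` over each minute's worth of lines would turn the unit's own grumbling into an alert; tuning `min_distinct` is the only knob.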
Hardware Discovery
We found that if you plug into the AUI, it kills the RJ45.
This is what the serial console reported:
Sun Jul 16 15:17:56 2006 Path 1 DOWN
Sun Jul 16 15:18:04 2006 Path 1 UP
Why? Because the AUI and RJ45 are wired to the same adapter. We switched the ethernet from the RJ45 to an AUI->RJ45 adapter and everything was kosher again. This unit can't be used as an ethernet router.
ACCESSING THE MENU SYSTEM
Now, what do we do with it? What commands are available...
Let's look a little closer at the menu pages:
Welcome to the Columbia Network
[1]1sour_Los Rob#help
Invalid command - try ?, -? or MENU        // how helpful!
[2]1sour_Los Rob#?
----------------------------Configuration Commands-----------------------------
ADD [!<port>] [-<service>] <set-name> <set-member>
DELete [!<port>] [-<service>] <set-name> <set-member>
FLush [!<port>] [-<service>] <param-name>
MEnu [-<service>] [<param-name>]
SET [!<port>] [-<service>] <param-name> = <value> ...
SETDefault [!<port>] [-<service>] <param-name> = <value> ...
SHow [!<port>] [-<service>] <param-name> ...
SHowDefault [!<port>] [-<service>] <param-name> ...
SysconF [number]
SysInfo [number]
-----------------------------SYS Service Commands------------------------------
COpy [<device>:]<src_filename> [<device>:][<dest_filename>]
DEFine <macro name> = (<text>)
DiskFiles [<device>:][<path>]
DLTest [ Abort|DestAddr|PArameters|PktCount|PktSize|RAte|RcvCheck|
         SrcAddr|START|STATistics|StatUs|TestMode|TestDuration|ZeroStats ]
DO <macro name>[+<macro name>] [<params>]
Echo [-n] <string>
GET [<IP address>:][<src_path>/]<src_filename> [<device>:][<dest_path>/][<dest_filename>]
InStall Simple User Interface
Listen
MacAddrConvert <MacAddress>
--<CR> to continue, Q to quit--
MakeDir [<device>:][<path>]<subdirectory name>
MONitor
PAuse [ <seconds> ]
PUT [<device>:][<src_path>/]<src_filename> [<IP address>:][<path>/][<dest_filename>]
ReBoot
REMote [ <IP address> ] [<command>]
RemoveDir [<device>:][<path>/]<subdirectory name>
RemoveFile [<device>:][<path>/]<file name>
ReName [<device>:][<path>/]<old name> <new name>
SysPassWord
TELnet <IP address>
UNDefine <macro name>
---------------------------AuditLog Service Commands---------------------------
AuditLog
AuditLog [<priorityLevel> is [LogEMerg | LogALert | LogCRitical | LogERror | LogWArning | LogNOtice | LogINfo | LogDEbug] ] <"message">
-----------------------------PATH Service Commands-----------------------------
DIal !<port|path> -<POrt|PAth> ["<dial-string>" ]
HangUp !<port|path> -<POrt|PAth>
-----------------------------PORT Service Commands-----------------------------
DIal !<port|path> -<POrt|PAth> ["<dial-string>" ]
HangUp !<port|path> -<POrt|PAth>
--<CR> to continue, Q to quit--
------------------------------FR Service Commands------------------------------
AtmToFr <VPI.VCI address>
FrToAtm <DLCI address>
------------------------------IP Service Commands------------------------------
PING <IP address> [timeout (0-300 seconds)]
TraceRoute <IP Address> [<tos> [SourceRoute]]
SecCheck [!<port>]
IpToDte [!<port>] <PDN type> <IP address>
DteToIp [!<port>] <PDN type> <DTE address>
-----------------------------RDP Service Commands------------------------------
DiscRouteRs [!<port> | <source IP>] [Broadcast] [<timeout (1 - 30 seconds)>]
-----------------------------CLNP Service Commands-----------------------------
OPING <NSAP address> [timeout (1-300 seconds)]
OTraceRoute <NSAP address>
-----------------------------IPX Service Commands------------------------------
NetwarePING &<network>%<host> [timeout (1-300 seconds)]
NetwareTraceRoute &<network>%<host>
NetwareTraceRoute &<network>%<host>
--<CR> to continue, Q to quit--
-----------------------------VIP Service Commands------------------------------
VPing <server addr>(decimal) [timeout (1-300 seconds)]
--------------------------AppleTalk Service Commands---------------------------
APING {<entity-name> | <node-address>} [timeout (1-300 seconds)]
ANameLookup <entity-name> [maxmatch]
----------------------------FIlter Service Commands----------------------------
CHange StationGroup <oldstationgroupname> <newstationgroupname>
---------------------------FireWall Service Commands---------------------------
REStart
TEst
-----------------------------BGP Service Commands------------------------------
SAVEbgp [All]
----------------------------DVMRP Service Commands-----------------------------
MRInfo <target IP> [!<port>] [<timeout (0-120 seconds)>]
MTraceRoute <source> <destination> [G <group>] [H <reports>] [!<port>] [T <timeout>] [W <gateway>] [R <Resp addr>] [L <Resp ttl>]
[3]1sour_Los Rob#
Menu Command
Ok, so what is this "menu" command we hear about?
[3]1sour_Los Rob#menu
============================= Main menu (Level 1)==============================
1 - SYS ( System Service )
2 - SCH ( Scheduling / Event-Based Macro Execution Services )
3 - AuditLog ( AuditLog - Audit Log Service )
4 - PROFile ( Profile Facility )
5 - PATH ( Path - Physical Line Configurations )
6 - PORT ( Port - Logical Networ
7 - BoundaryCN ( Boundary Routing at Central Node Configurations )
8 - LAPB ( LAPB - Path Configurations )
9 - PPP ( Point to Point Protocol )
10 - FR ( Frame Relay - Port Configurations )
11 - X25 ( X25 - Path Configurations )
12 - SMDS ( SMDS - Port Configurations )
13 - XSWitch ( X25 SWitch )
14 - BRIDGE ( Bridge - Global Bridging Function )
15 - STP ( Bridge - Spanning Tree Pro
16 - IP ( TCP/IP - Internet Protocol )
17 - ARP ( TCP/IP - Address Resolution Protocol )
18 - RDP ( TCP/IP - ICMP Router Discovery Protocol )
19 - RIPIP ( TCP/IP - Routing Information Protocol )
20 - OSPF ( TCP/IP - Open Shortest Path First )
21 - IISIS ( TCP/IP - Integrated IS to IS routing protocol )
--<CR> to continue, Q to quit--
22 - TCP ( TCP/IP - Transmission Control Protocol )
23 - UDPHELP ( BOOTP/UDP/IP - Broadcast Helper )
24 - BOOTPC ( BOOTP - Bootstrap Protocol Client Application )
25 - SNMP ( TCP/IP - Simple Network Management Protocol )
26 - CLNP ( OSI - ConnectionLess Network Protocol )
27 - ESIS ( OSI - ES to IS routing protocol )
28 - ISIS ( OSI - IS to IS routing protocol )
29 - LLC2 ( LLC2 - IEEE 802.2 Data Link Control )
30 - DLSW ( DLSw - Data Link Switching )
31 - SDLC ( SDLC - SNA Port and CU Configurations )
32 - SHDlc ( SHDlc - SDLC/HDLC Passthrough )
33 - DECnet ( DECnet - Routing Protocol )
34 - IDP ( XNS - Internet Datagram Protocol )
35 - RIPXNS ( XNS - Routing Information Protocol )
36 - NLSP ( IPX - NLSP routing protocol )
37 - IPX ( IPX - Internet Packet Exchange Protocol )
38 - NRIP ( IPX - Routing Information Protocol )
39 - SAP ( IPX - Server Advertisement Protocol )
40 - VIP ( VINES - Internet Protocol )
41 - AppleTalk ( AppleTalk Routing Protocols )
42 - FIlter ( Packet Filtering )
43 - FireWall ( TCP/IP - IP FireWall )
44 - BGP ( Border Gateway Protocol )
--<CR> to continue, Q to quit--
45 - MIP ( TCP/IP - Multicast Routing Protocol )
46 - DVMRP ( TCP/IP - Distance Vector Multicast Routing Protocol )
47 - MOSPF ( TCP/IP - Multicast Open Shortest Path First )
Select (1-47) ... <CR> to Exit ===>
-? Command
Also, we tried -? as it so nicely suggested:
[2]1sour_Los Rob#-?
SYS Service ( System Service )
SCH Service ( Scheduling / Event-Based Macro Execution Services )
AuditLog Service ( AuditLog - Audit Log Service )
PROFile Service ( Profile Facility )
PATH Service ( Path - Physical Line Configurations )
PORT Service ( Port - Logical Network Configurations )
BoundaryCN Service ( Boundary Routing at Central Node Configurations )
LAPB Service ( LAPB - Path Configurations )
PPP Service ( Point to Point Protocol )
FR Service ( Frame Relay - Port Configurations )
X25 Service ( X25 - Path Configurations )
SMDS Service ( SMDS - Port Configurations )
XSWitch Service ( X25 SWitch )
BRIDGE Service ( Bridge - Global Bridgi
STP Service ( Bridge - Spanning Tree Protocol )
IP Service ( TCP/IP - Internet Protocol )
ARP Service ( TCP/IP - Address Resolution Protocol )
RDP Service ( TCP/IP - ICMP Router Discovery Protocol )
RIPIP Service ( TCP/IP - Routing Information Protocol )
OSPF Service ( TCP/IP - Open Shortest Path First )
IISIS Service ( TCP/IP - Integrated IS to IS routing protocol )
TCP Service ( TCP/IP - Transmission Control Pr
UDPHELP Service ( BOOTP/UDP/IP - Broadcast Helper )
BOOTPC Service ( BOOTP - Bootstrap Protocol Client Application )
SNMP Service ( TCP/IP - Simple Network Management Protocol )
CLNP Service ( OSI - ConnectionLess Network Protocol )
ESIS Service ( OSI - ES to IS routing protocol )
ISIS Service ( OSI - IS to IS routing protocol )
LLC2 Service ( LLC2 - IEEE 802.2 Data Link Control )
DLSW Service ( DLSw - Data Link Switching )
SDLC Service ( SDLC - SNA Port and CU Configurations )
SHDlc Service ( SHDlc - SDLC/HDLC Passthrough )
DECnet Service ( DECnet - Routing Protocol )
IDP Service ( XNS - Internet Datagram Protocol )
RIPXNS Service ( XNS - Routing Information Protocol )
NLSP Service ( IPX - NLSP routing protocol )
IPX Service ( IPX - Internet Packet Exchange Protocol )
NRIP Service ( IPX - Routing Information Protocol )
SAP Service ( IPX - Server Advertisement Protocol )
VIP Service ( VINES - Internet Protocol )
AppleTalk Service ( AppleTalk Routing Protocols )
FIlter Service ( Packet Filtering )
FireWall Service ( TCP/IP - IP FireWall )
BGP Service ( Border Gateway Protocol )
MIP Service ( TCP/IP - Multicast Routing Protocol )
DVMRP Service ( TCP/IP - Distance Vector Multicast Routing Protocol )
MOSPF Service ( TCP/IP - Multicast Open Shortest Path First )
--<CR> to continue, Q to quit--
[3]1sour_Los Rob#
Accessing said menus:
Type MENU <menucmd> for options. This is pretty standard across common hardware, nothing special here.
NOTE: The initial options given with MENU are actually just prefixes to parameter names, so any unambiguous leading substring of a name is accepted.
e.g. type menu x25 and you get some options, like x25protid. Instead of typing menu x25 x25protid you'd type menu x25proti.
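The prefix behaviour is easy to model, and modelling it shows the one thing the note does not: which abbreviations are ambiguous. This is an added example, not the unit's own resolver and not from the SFVLUG notes; the name table is the service list the unit printed for -? plus the single parameter name the page mentions (x25protid), and the rule set (exact match wins, otherwise a unique case-insensitive prefix, otherwise report the candidates) is an assumption about how the firmware behaves, not something the page confirms.

```python
# Service names exactly as the unit listed them for "-?" on this page.
SERVICES = [
    "SYS", "SCH", "AuditLog", "PROFile", "PATH", "PORT", "BoundaryCN", "LAPB",
    "PPP", "FR", "X25", "SMDS", "XSWitch", "BRIDGE", "STP", "IP", "ARP", "RDP",
    "RIPIP", "OSPF", "IISIS", "TCP", "UDPHELP", "BOOTPC", "SNMP", "CLNP", "ESIS",
    "ISIS", "LLC2", "DLSW", "SDLC", "SHDlc", "DECnet", "IDP", "RIPXNS", "NLSP",
    "IPX", "NRIP", "SAP", "VIP", "AppleTalk", "FIlter", "FireWall", "BGP", "MIP",
    "DVMRP", "MOSPF",
]

# The one parameter name the page mentions; a real table would hold every parameter.
PARAMETERS = ["x25protid"]

MENU_NAMES = SERVICES + PARAMETERS


def resolve(prefix, names=MENU_NAMES):
    """Resolve an abbreviated MENU argument against a name table.

    Assumed rules: an exact (case-insensitive) match wins outright; otherwise a
    unique prefix match is accepted; otherwise the caller gets the candidate list.
    Returns ('ok', name), ('ambiguous', [candidates]) or ('none', []).
    """
    p = prefix.lower()
    exact = [n for n in names if n.lower() == p]
    if exact:
        return ("ok", exact[0])
    hits = [n for n in names if n.lower().startswith(p)]
    if len(hits) == 1:
        return ("ok", hits[0])
    if hits:
        return ("ambiguous", hits)
    return ("none", [])


def shortest_unique(name, names=MENU_NAMES):
    """Shortest prefix of `name` that resolves uniquely, or the full name if none does."""
    for n in range(1, len(name) + 1):
        if resolve(name[:n], names) == ("ok", name):
            return name[:n]
    return name


if __name__ == "__main__":
    for arg in ("x25", "x25proti", "x", "s", "audit"):
        print(f"menu {arg:<10} -> {resolve(arg)}")
    print("shortest unique for XSWitch:", shortest_unique("XSWitch"))
```

`resolve("x")` comes back ambiguous between X25, XSWitch and x25protid, which is exactly why the page's "menu x25proti" works while a lazier "menu x" would not; `shortest_unique()` tells you how far you actually have to type.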
In The End
This system was a fun one, especially finding out more about it and the people who used it through social engineering, which I unfortunately can not provide you with the notes for. However, nobody got hurt and that's the important thing. Oh, and by the way, sorry for the huge list of menu items. Perhaps next time I will try a different approach.