Penetration Testing mailing list archives
Re: [PEN-TEST] Pen-Testing AS/400
From: David Knaack <dknaack () RDTECH COM>
Date: Thu, 14 Dec 2000 12:37:34 -0600
From: "Mike Ahern" <mc_ahern () YAHOO COM>I have found that often AS/400's do not have many security features enabled
OS/400 V4R4 has a little bit of an info leak in the login screen. As you enter usernames and passwords, it will tell you if the account exists or (I think) if it is disabled. Error messages like: CPF1120 - User %s does not exist. CPF1107 - Password not correct for user profile. CPF1118 No password associated with usr %s. (curiously, there is no '-' in that one.) I presume that the 'no password' message means that the account has been disabled in some fasion. As usual, helps the cracker to spend time on existing, enabled accounts. DK
Current thread:
- [PEN-TEST] Pen-Testing AS/400 Enno Rey (Dec 13)
- Re: [PEN-TEST] Pen-Testing AS/400 Eric (Dec 13)
- <Possible follow-ups>
- Re: [PEN-TEST] Pen-Testing AS/400 David Jahne (Dec 13)
- Re: [PEN-TEST] Pen-Testing AS/400 Joe Traietta (Dec 13)
- Re: [PEN-TEST] Pen-Testing AS/400 Walsh, John (Dec 13)
- [PEN-TEST] Pen-Testing AS/400 Mike Ahern (Dec 13)
- Re: [PEN-TEST] Pen-Testing AS/400 Mary Galligan (Dec 15)
- Re: [PEN-TEST] Pen-Testing AS/400 David Knaack (Dec 15)
- Re: [PEN-TEST] Pen-Testing AS/400 Enno Rey (Dec 15)
- [PEN-TEST] Routing Protocol security paper now available NetW3.COM Consulting (Dec 16)
- Re: [PEN-TEST] Routing Protocol security paper now available Arthur Clune (Dec 19)
- Re: [PEN-TEST] Routing Protocol security paper now available Nicolas GREGOIRE (Dec 20)
- Re: [PEN-TEST] Pen-Testing AS/400 Mary Galligan (Dec 15)