Penetration Testing mailing list archives
RE: WinPac 2.0
From: Mike Shaw <mshaw () wwisp com>
Date: Fri, 11 Jan 2002 17:07:18 -0600
http://www.cardacc.com/cards.htm
To my knowledge there is no information (location, company code, etc)--at least I've never specified it in ordering the cards nor in the software when we set it up initially. It's just a number. I still don't know if you can request a range or something...might take some social engineering "yeah, company X next door has the 25000 range...can we get 26000 for simplicity?"
An EE buddy of mine works at a Web based surveillance camera company who is moving into the proximity card area. When he gets his hands on that stuff we were going to take a look at how it operates at the hardware level. I think it's similar to the shoplifting alarm deals you see at Wal-Mart, etc. Wouldn't that be cool to have a fake plant or something that was secretly harvesting proximity card numbers? Or what if you had a little device that would sniff them from a few feet away and then mimic them?
There are some ISO standards (see 14443 on http://www.iso.ch/iso/en/CatalogueListPage.CatalogueList?ICS1=35&ICS2=240&ICS3=15) but I haven't seen where the NC system complies with that or any other standard. I doubt they are smart cards, but I hope they are using some sort of cryptography in the protocol. I wouldn't be surprised if the cards just spit a number out somehow though.
-Mike
At 03:59 PM 1/11/2002 -0600, Magnus Ullberg wrote:
Thanks, good info. What I was wondering is whether I could order a card with the same number as another card and get access to what that card has access to. Or if there is additional info stored on the card (location, unique company code, etc.) to prevent that. The cards here were bought in two different batches, one is in the 26000 range and the other in a much lower range. I don't know if you can specify the range when you order them, but if you can I thought that if I could get the number off the back of an admin card I could gain access to the building.
-----Original Message-----
From: Mike Shaw [mailto:mshaw () wwisp com]
Sent: Friday, January 11, 2002 2:57 PM
To: Magnus Ullberg; 'pen-test () securityfocus com'
Subject: Re: WinPac 2.0
Interesting that you should mention this, because I just worked with someone who put a system like this in. From what I could tell, the 5 digit number on the card is the only identifier, although I think it's pretty difficult to replicate these cards. I've wondered about collisions, but I guess until you got upwards of 5-10 thousand employees, the chances of a collision/birthday effect are low. It would be interesting to see if you could request a certain number from a distributor.
Some further interesting info from the Northern site (http://www.nciaccessworld.com):
"The default login and password are: Log In = Admin Password = (leave blank) no password If the default login and password are no longer in the software please contact Northern Computers technical support so a technician can instruct you how to send the database to Northern Computers so we can reset it to default for you."
and....
"The default passwords for WIN-PAK are: login = SYSTEM password = startup These passwords are case sensitive."
There are also manuals there if you need them. The product is based off an Access database, so I can't imagine that snagging the password would be that difficult if it's not a default password.
If the workstation is accessible from the network, or it's physically insecure, there may be some leverage there too.
-Mike
At 11:22 AM 1/11/2002 -0600, Magnus Ullberg wrote:
>Anybody have information about Win-Pac 2.0?
>It is the system used to control doors and manage proximity cards.
>Each card has a 5 digit number on it. Anybody know if that number is the
>only thing that identifies the card or if there
>is some additional info on the card.
>
>Thanks,
>Magnus Ullberg
>Network Coordinator
>
>----------------------------------------------------------------------------
>This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
>Service. For more information on SecurityFocus' SIA service which
>automatically alerts you to the latest security vulnerabilities please see:
>https://alerts.securityfocus.com/