Vulnerability Development mailing list archives
Re: intel equipment
From: kain () EGOTRIP DK (Knud Erik Højgaard)
Date: Sat, 19 Feb 2000 23:01:59 +0100
I was tired when I wrote that other thing... sorry. The idea in my head was disallowing connections from the IP supplying the number of wrong passwords. Of course, you could then use wingates or whatever, but anyways it would stop the unlimited number of attempts, since there are only a limited number of insecure wingates out there. On the other hand, an important thing when bruteforcing is speed, and disconnecting the user would slow down the attack considerably. I noticed the Intel router in question was nice enough to let me have two concurrent sessions... I had more thoughts, but I'm too tired (again). Something might pop up later.

Knud Erik Højgaard
At 10:06 19-03-00 -0800, you wrote:

Knud, AFAIK, all Intel switches that have a layer 3 interface come with no default username or password. Also, the SNMP community strings are public/private. Sigh.

Before you configure them, they have no IP address and can only be remotely managed immediately after startup by answering their BOOTP requests. As soon as you use the software Intel supplies to configure them, they lock management down to the IP address of the management station. They can also send out SNMP traps when people connect from unauthorized IP addresses or use bad passwords. Somebody had to assign that switch an IP address and password but not set any limits on what IP addresses could manage it. That's not particularly bright.

As for whether breaking connections after a fixed number of tries is a good idea, I don't believe it is. It's no harder to write a program to try 1000 passwords on one connection than it is to write one to try one password, disconnect, and repeat. So how would that provide any protection against brute force attacks?

DS
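Added example, not part of the original thread: a Python sketch of the per-source-IP lockout discussed above, set beside a per-connection limit, counting how many guesses a management interface would evaluate from one address that reconnects whenever it is dropped. The class and function names, the thresholds and the address 192.0.2.10 are assumptions made for illustration.

```python
import time
from collections import defaultdict, deque

class SourceLockout:
    """Failed-login tracker keyed by source IP, so state survives reconnects."""

    def __init__(self, max_failures=5, window=300.0, lockout=900.0,
                 clock=time.monotonic):
        self.max_failures, self.window, self.lockout = max_failures, window, lockout
        self.clock = clock
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.locked_until = {}              # ip -> time at which the block expires

    def allowed(self, ip):
        until = self.locked_until.get(ip)
        if until is not None and self.clock() < until:
            return False
        self.locked_until.pop(ip, None)     # block expired or never set
        return True

    def record_failure(self, ip):
        """Return True when this failure triggers a lockout (alert-worthy event)."""
        now = self.clock()
        recent = self.failures[ip]
        recent.append(now)
        while now - recent[0] > self.window:  # forget failures outside the window
            recent.popleft()
        if len(recent) >= self.max_failures:
            self.locked_until[ip] = now + self.lockout
            recent.clear()
            return True
        return False

def guesses_evaluated(guard, ip, tries, per_connection_limit):
    """Guesses the device checks for one reconnecting source.
    guard=None models the per-connection disconnect limit on its own."""
    evaluated = in_connection = 0
    for _ in range(tries):
        if guard is not None and not guard.allowed(ip):
            break                           # new connection refused
        if in_connection == per_connection_limit:
            in_connection = 0               # dropped; the client simply reconnects
        evaluated += 1
        in_connection += 1
        if guard is not None:
            guard.record_failure(ip)
    return evaluated

if __name__ == "__main__":
    ip = "192.0.2.10"                       # constructed documentation address
    print(guesses_evaluated(None, ip, 1000, 3))             # per-connection only
    print(guesses_evaluated(SourceLockout(), ip, 1000, 3))  # per-source lockout
```

The lockout is per address, so it bounds the guesses from each source rather than the total; restricting management to known station addresses, as the quoted reply describes, remains the stronger control.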