Vulnerability Development mailing list archives

Re: default password list (3Com switches)


From: tymm () COE MISSOURI EDU (Tymm Twillman)
Date: Mon, 10 Jul 2000 20:56:19 -0500


Well, this is one of those "documented but not all that often read"
dealies.  It's right there in the manual.

However, the other obnoxious thing that those who don't read the manual
also don't find out is that by default these switches will use DHCP to get
an IP address and default route.  So, yeah, those who think of
switches as a drop-in-and-ignore solution, they're leaving themselves open
to some nice DoS attacks (Hey, let's shut down all the ports on this here
switch...) and other fun games.

Anyhow, at least in my opinion, any networking hardware that has an RS232
port should be plugged into and poked at a bit before being thrown into
production.  Generally the first thing I do with stuff like this is disable
DHCP/external network access to management features and set up a serial
concentrator on a secure host for management.

Much more fun, btw, is Alteons, which also DHCP, where folks don't change
the password ("admin") and leave the web config util running.  Point and
click your way to some real fun -- of course there's also a nice CLI
w/telnet access.

-Tymm

On Mon, 10 Jul 2000, Luis Pinto wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


      I think these haven't shown up, so here they are:

Default passwords for 3Com Superstack Switch II  (1100 and 3300, possibly
others):

Monitor access level:
username: monitor
password: monitor

Manager access level:
username: manager
password: manager

Security access level:
username: admin
password: <no password>

or:
username: security
password: security


      My apologies if it is not new...

                                         Regards,
                                        Luis Pinto
- --------------------------------------------------------------------------
 http://student.dei.uc.pt/~lmpinto    ICQ #15663369    Finger for PGP key
- --------------------------------------------------------------------------
Writing about music is like dancing about architecture.
                -- Frank Zappa

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.1i

iQA/AwUBOWoQvYfF8HgH+Y51EQKLbQCfZgbD3RT323bLtjyCBSEkJXId6oQAoPpp
A3vy804VHSHYPVkv4ianecbO
=HD1u
-----END PGP SIGNATURE-----


