Re: news story and router passwords

[Talisker <Talisker () NETWORKINTRUSION CO UK>]

Hi All
I've just had this passed to me and it seemed relevant
http://www.solarwinds.net/Tools/Professional+/
It's a network discovery/management tool but it also includes a bruteforce
SNMP community name tester which is nice (in a sad geeky kinda way)

Andy
http://www.networkintrusion.co.uk Talisker's comprehensive IDS & Scanner
List
                    '''
                 (0 0)
  ----oOO----(_)----------
  | The geek shall        |
  |  Inherit the earth     |
  -----------------oOO----
               |__|__|
                  || ||
              ooO Ooo


The opinions contained within this transmission are entirely my own, and do
not necessarily reflect those of my employer.





----- Original Message -----
From: "Mark Teicher" <mark.teicher () NETWORKICE COM>
To: <VULN-DEV () SECURITYFOCUS COM>
Sent: Sunday, October 15, 2000 6:05 PM
Subject: Re: news story and router passwords


> On an Ascend box: Once can use SNMP (sysReset object) to reset an Ascend
> Router from an SNMP Manager.  After the Reset command is issue, the Ascend
> will attempt to confirm the request before the unit is reset.  In my
> example, two SNMP_Set requests are sent, the first one is received and the
> second one is the confirmation (2nd request).  Information held in the
> Ascend Events Group is erase and its values are intialized when the Ascend
> router is reset by software.  The SNMP object (sysAbsoluteStartUpTime is
> the time in second since January 1, 1990) and is not modified.  One can
> reset this value to 0 in order to reset back to factory defaults.
> Very similiar if one send an 'fclear' which basically returns an Ascend
box
> to its factory set defaults.
>
> But as I stated before, I know very little about SNMP and it's
capabilities..
> /mark
>
> At 06:49 PM 10/14/00 -0600, Richard Johnson wrote:
> > At 11:10 -0600 on 10/12/2000, Vachon, Scott wrote:
> > > > Frankly speaking I'd suppose that they just did not back up their
> config
> > > :)
> > > > (because it looks like they even did not use access-lists etc.)
> > >
> > > > From reading the article is sounds as if a simple script kiddie found
an
> > > easy and unprotected target. Where these fools too simple-minded to
> > > physically remove the stricken (and apparently blocking) gear from the
> > > network and rework it ?
> >
> >
> > This is apparently more difficult with an Ascend router that uses SNMP
only
> > for configuration (no console access?), and apparently has no 'lobotomy'
> > switch for at least temporarily resetting to known default password or
> > configuration.
> >
> > Still, 11 days to arrange replacement hardware is a bit severe for a
> > provider only half an hour away from the Denver metro area.  At least now
> > they know they can hit a number of locals up for emergency loaners in the
> > future.
> >
> >
> > Richard