RE: Pentesting a HP-UX with SMSC

From: Sebastian Muñiz (smuniz_at_elinpar.com)
Date: 06/12/05

  • Next message: Luis H. Gomez-Danes Mejia: "Pentesting a SONUS / SIP Network"
    To: "J. K." <pentest_ml@yahoo.com>, pen-test@securityfocus.com
    Date: Sun, 12 Jun 2005 18:43:00 -0300
    
    

    That's OK J.K... you had work to do ;)
    About SMSs, what you could try is to reset the TCP connection of the ESME to
    the SMSC so when it tries to reconnect, in the first data packet you will
    see the username/password in plain text.
    Good luck !!!!

    -----Original Message-----
    From: J. K. [mailto:pentest_ml@yahoo.com]
    Sent: Sunday, June 12, 2005 06:07 p.m.
    To: pen-test@securityfocus.com
    Subject: RE: Pentesting a HP-UX with SMSC

    Hello Sebastian,

    yes, I am pretty sure that I am dealing with a SMSC
    server. Besides the CIMD2 banner that it provides, I
    found some hints in the machine I am connecting from
    (a DMZ host I previously took over) that suggest that
    we are talking about SMS traffic (even if it seems to
    be a testing environment: I see no SMSs when sniffing
    the network).

    I tried to fingerprint the server to figure out
    exactly what app is running there, but with no
    success.

    Anyway, I found an established connection between the
    client and this mysterious server app; my next step
    will be to attach gdb to the process owning that
    connection: my hope is that username and password are
    still somewhere in its memory space ;)

    Cheers

    j.k.

    P.s.: sorry for the late reply: in the last 3-4 days I
    focused on another part of the target network ;)

    --- Sebastian Muñiz <smuniz@elinpar.com> wrote:
    > These apps do install a default user/password, but it depends on the one
    > that you found....
    > You should try to identify this one, but though SMSC has no TCP port
    > specially assigned to it, it won't help you unless this software version
    > is on the default port (and identifying the version of every SMSC around
    > should be very hard work)...
    >
    > If you want to connect to it, you should get an ESME (which is the client
    > that connects to an SMSC in this kind of client-server architecture), but
    > the SMPP protocol they use (Short Message Peer to Peer) uses a username
    > and password (the password could be blank if the SMSC admin wanted so).
    > Here I send you a link to a page where you can find the SMPP protocol
    > specification and an ESME client made in Java to test against this server
    > of yours.
    >
    > http://opensmpp.logica.com/CommonPart/Download/download2.html
    >
    > You could always try to get the source code for this implementation (if
    > it is available) and try to find bugs in it, but that is a subject for
    > another post ;-)
    >
    > Ohh... and I am not aware of any exploit around for any implementation of
    > this protocol!!! :(
    > But if you get one, let me know :)
    >
    > Anyway..... Are you sure it is an SMSC server that you found????
    >
    > Cheers, Sebastian
    >
    > -----Original Message-----
    > From: J. K. [mailto:pentest_ml@yahoo.com]
    > Sent: Wednesday, June 08, 2005 11:05 a.m.
    > To: pen-test@securityfocus.com
    > Subject: Pentesting a HP-UX with SMSC
    >
    >
    > Hello fellow pen-testers,
    >
    > in my current engagement I bumped into a HP-UX
    > (B.11.11) server protected by a firewall (not an
    > internet facing firewall, tho).
    > The only open ports I can connect to are telnet and
    > 9971.
    >
    > Connecting to 9971 I get the following:
    >
    > # telnet x.x.x.x 9971
    > Trying x.x.x.x...
    > Connected to x.x.x.x.
    > Escape character is '^]'.
    > CIMD2-A ConnectionInfo: SessionId = 32551 PortId = 4
    > Time = 050608153449 AccessType = TCPIP_SOCKET PIN =
    > 630777
    >
    > Googling around, I found that this daemon should be a
    > SMSC (Short Message Service Center). I also found that
    > on HP-UX there are a few SMSC apps available (Locus,
    > FEELingK,...)
    >
    > My questions are:
    > 1. Do you know of any vulnerability or attack avenue
    > on this protocol/service ?
    > 2. Do you know if these SMSC apps install some default
    > user whose password I can try to guess ?
    > 3. Any other idea ?
    >
    > Of course I could just fire off Hydra against the
    > telnet server, but I would like to find something less
    > noisy ;)
    >
    > Thanks
    >
    > j.k.
    >

                    
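
Added example, not part of the original thread: the exposure discussed above exists because an SMPP v3.4 bind PDU carries system_id and password as NUL-terminated cleartext strings right after its 16-byte header. This audit helper flags such binds in captured TCP payloads and logs only the password length, which is the evidence needed to move an ESME-to-SMSC link onto TLS or a VPN. The names audit_payload, build_bind and SAMPLE are hypothetical, and the sample credentials are constructed.

```python
import struct

# SMPP v3.4 bind operations; each carries system_id and password as
# NUL-terminated ASCII strings immediately after the 16-byte header.
BIND_COMMANDS = {
    0x00000001: "bind_receiver",
    0x00000002: "bind_transmitter",
    0x00000009: "bind_transceiver",
}
HEADER = struct.Struct(">IIII")  # command_length, command_id, status, sequence

def _cstring(buf, offset):
    """Read one C-octet string; return (text, offset just past the NUL)."""
    end = buf.index(b"\x00", offset)  # raises ValueError if unterminated
    return buf[offset:end].decode("ascii", "replace"), end + 1

def audit_payload(payload):
    """Return a finding dict if payload starts with a bind PDU, else None.
    The password is never returned, only its length (safe for audit logs)."""
    if len(payload) < HEADER.size:
        return None
    length, command_id, _status, sequence = HEADER.unpack_from(payload)
    if command_id not in BIND_COMMANDS:
        return None
    if not HEADER.size < length <= len(payload):
        return None  # header-only or truncated PDU
    pdu = payload[:length]
    try:
        system_id, pos = _cstring(pdu, HEADER.size)
        password, pos = _cstring(pdu, pos)
    except ValueError:
        return None  # malformed body
    return {
        "command": BIND_COMMANDS[command_id],
        "sequence": sequence,
        "system_id": system_id,
        "password_len": len(password),
        "blank_password": password == "",
    }

def build_bind(system_id, password, command_id=0x00000002):
    """Construct a sample bind PDU (test data only)."""
    body = system_id.encode() + b"\x00" + password.encode() + b"\x00"
    # empty system_type, interface_version 0x34, ton, npi, empty address_range
    body += b"\x00" + bytes([0x34, 0, 0]) + b"\x00"
    return HEADER.pack(HEADER.size + len(body), command_id, 0, 1) + body

SAMPLE = build_bind("esme01", "s3cret")  # constructed, not from the thread
```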

