RE: Pentesting a HP-UX with SMSC
From: Sebastian Muņiz (smuniz_at_elinpar.com)
To: "J. K." <email@example.com>, firstname.lastname@example.org Date: Sun, 12 Jun 2005 18:43:00 -0300
That's OK J.K... you had work to do ;)
About SMSs, what you could try is to reset the TCP connection of the ESME to
the SMSC so when it tries to reconnect, in the first data packet you will
see the username/password in plain text.
Good luck !!!!
De: J. K. [mailto:email@example.com]
Enviado el: Domingo, 12 de Junio de 2005 06:07 p.m.
Asunto: RE: Pentesting a HP-UX with SMSC
yes, I am pretty sure that I am dealing with a SMSC
server. Beside the CIMD2 banner that it provides, I
found some hints in the machine I am connecting from
(a DMZ host I previously took over) that suggest that
we are talking about SMS traffic (even if it seems to
be a testing environment: I see no SMSs when sniffing
I tried to fingerprint the server to figure out
exactly what app is running there, but with no
Anyway, I found an established connection between the
client and this mysterious server app; my next step
will be to attach gdb to the process owning that
connection: my hope is that username and password are
still somewhere in its memory space ;)
P.s.: sorry for the late reply: in the last 3-4 days I
focused on another part of the target network ;)
--- Sebastian Muņiz <firstname.lastname@example.org> wrote:
> This apps Do install default user/password but
> depends on the one that you
> You should try to indentify this one but thought
> SMSC has no tcp port
> specially assigned to it, it won't help you unless
> this software version is
> in the default port (and identifying the version of
> every SMSC arround
> should be a very hard work)...
> If you want to connect to it, you should get an ESME
> (which is the client
> that connects to a SMSC in this kind of
> Client-Server architecture) but the
> protocol SMPP they use (Short Message Peer To Peer)
> uses username and
> password (the password could be blank is the SMSC
> admin wanted so).
> Here I sent you a link to a page where you can find
> the SMPP protocol
> specification and a ESME client made in java to test
> against this server of
> You could allways try to get the source code for
> this inplementation (if
> this is available) and try to find bugs in it but it
> is a subject for
> another post ;-)
> ohh... and i am not aware of any exploit arround for
> any implementation of
> this protocol!!! :(
> But if you get one, let me know :)
> anyway..... Are you sure it is an SMSC server that
> you found????
> Cheers, Sebastian
> -----Mensaje original-----
> De: J. K. [mailto:email@example.com]
> Enviado el: Miércoles, 08 de Junio de 2005 11:05
> Para: firstname.lastname@example.org
> Asunto: Pentesting a HP-UX with SMSC
> Hello fellow pen-testers,
> in my current engagement I bumped into a HP-UX
> (B.11.11) server protected by a firewall (not an
> internet facing firewall, tho).
> The only open ports I can connect to are telnet and
> Connecting to 9971 I get the following:
> # telnet x.x.x.x 9971
> Trying x.x.x.x...
> Connected to x.x.x.x.
> Escape character is '^]'.
> CIMD2-A ConnectionInfo: SessionId = 32551 PortId = 4
> Time = 050608153449 AccessType = TCPIP_SOCKET PIN =
> Googling around, I found that this daemon should be
> SMSC (Short Message Service Center). I also found
> on HP-UX there are a few SMSC apps available (Locus,
> My questions are:
> 1. Do you know of any vulnerability or attack avenue
> on this protocol/service ?
> 2. Do you know if these SMSC apps install some
> user whose password I can try to guess ?
> 3. Any other idea ?
> Of course I could just fire off Hydra against the
> telnet server, but I would like to find something
> noisy ;)
> Discover Yahoo!
> Have fun online with music videos, cool games, IM
> and more. Check it out!
Stay connected, organized, and protected. Take the tour: