RE: Pentesting a HP-UX with SMSC

From: Sebastian Muñiz (smuniz@elinpar.com)
Date: Fri Jun 10 2005 - 11:05:05 EDT


These apps do install a default user/password, but it depends on the one that you
found....
You should try to identify this one, but though SMSC has no TCP port
specially assigned to it, it won't help you unless this software version is
on the default port (and identifying the version of every SMSC around
should be very hard work)...

If you want to connect to it, you should get an ESME (which is the client
that connects to an SMSC in this kind of client-server architecture), but the
SMPP protocol they use (Short Message Peer To Peer) uses a username and
password (the password could be blank if the SMSC admin wanted so).
Here I send you a link to a page where you can find the SMPP protocol
specification and an ESME client made in Java to test against this server of
yours.
http://opensmpp.logica.com/CommonPart/Download/download2.html

You could always try to get the source code for this implementation (if
this is available) and try to find bugs in it, but it is a subject for
another post ;-)

ohh... and I am not aware of any exploit around for any implementation of
this protocol!!! :(
But if you get one, let me know :)

anyway..... Are you sure it is an SMSC server that you found????

   Cheers, Sebastian

-----Original Message-----
From: J. K. [mailto:pentest_ml@yahoo.com]
Sent: Wednesday, June 08, 2005 11:05 a.m.
To: pen-test@securityfocus.com
Subject: Pentesting a HP-UX with SMSC

Hello fellow pen-testers,

in my current engagement I bumped into an HP-UX
(B.11.11) server protected by a firewall (not an
internet facing firewall, tho).
The only open ports I can connect to are telnet and
9971.

Connecting to 9971 I get the following:

# telnet x.x.x.x 9971
Trying x.x.x.x...
Connected to x.x.x.x.
Escape character is '^]'.
CIMD2-A ConnectionInfo: SessionId = 32551 PortId = 4
Time = 050608153449 AccessType = TCPIP_SOCKET PIN =
630777

Googling around, I found that this daemon should be an
SMSC (Short Message Service Center). I also found that
on HP-UX there are a few SMSC apps available (Locus,
FEELingK,...)

My questions are:
1. Do you know of any vulnerability or attack avenue
on this protocol/service ?
2. Do you know if these SMSC apps install some default
user whose password I can try to guess ?
3. Any other idea ?

Of course I could just fire off Hydra against the
telnet server, but I would like to find something less
noisy ;)

Thanks

j.k.

                



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:24 EDT
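
Added example, not part of the original thread or of any SMSC product: the reply above notes that SMPP authenticates an ESME with a username and password and that the password may be blank. The sketch below walks a reassembled client-to-server byte stream, decodes SMPP v3.4 bind PDUs, and flags binds that carry an empty password field; the field layout follows the SMPP v3.4 specification, and the sample capture, system IDs and helper names are constructed for illustration.

```python
import struct

# SMPP v3.4 bind command_ids (per the SMPP v3.4 specification)
BIND_COMMANDS = {0x01: "bind_receiver", 0x02: "bind_transmitter", 0x09: "bind_transceiver"}
HEADER = struct.Struct(">IIII")  # command_length, command_id, command_status, sequence_number

def _cstring(buf, offset):
    """Read one NUL-terminated C-octet string; return (text, next_offset)."""
    end = buf.index(b"\x00", offset)  # raises ValueError if the terminator is missing
    return buf[offset:end].decode("ascii", "replace"), end + 1

def audit_bind_pdus(stream):
    """Report every bind PDU in the stream without ever recording the password itself."""
    findings, pos = [], 0
    while pos + HEADER.size <= len(stream):
        length, cmd, _status, seq = HEADER.unpack_from(stream, pos)
        if length < HEADER.size or pos + length > len(stream):
            break  # truncated or malformed PDU: stop rather than misparse
        if cmd in BIND_COMMANDS:
            body = stream[pos + HEADER.size:pos + length]
            entry = {"seq": seq, "command": BIND_COMMANDS[cmd]}
            try:
                system_id, off = _cstring(body, 0)   # first body field: system_id
                password, _ = _cstring(body, off)    # second body field: password
                entry.update(system_id=system_id, blank_password=(password == ""))
            except ValueError:
                entry["error"] = "malformed bind body"
            findings.append(entry)
        pos += length  # non-bind PDUs are skipped by their declared length
    return findings

def _make_bind(cmd, seq, system_id, password):
    """Build a constructed bind PDU used only as sample input."""
    body = (system_id + b"\x00" + password + b"\x00" + b"\x00"  # empty system_type
            + b"\x34\x00\x00" + b"\x00")  # interface_version, addr_ton, addr_npi, address_range
    return HEADER.pack(HEADER.size + len(body), cmd, 0, seq) + body

# Constructed capture: blank-password bind, an enquire_link, then a bind with a password
SAMPLE = (_make_bind(0x02, 1, b"esme01", b"")
          + HEADER.pack(16, 0x00000015, 0, 2)
          + _make_bind(0x09, 3, b"esme02", b"s3cret"))

if __name__ == "__main__":
    for finding in audit_bind_pdus(SAMPLE):
        print(finding)
```

Because the bind PDU carries both fields as plain C-octet strings, any non-blank password seen this way is also exposed to anyone on the network path.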