From: J. K. (pentest_ml@yahoo.com)
Date: Sun Jun 12 2005 - 17:07:11 EDT
Hello Sebastian,
yes, I am pretty sure that I am dealing with a SMSC
server. Beside the CIMD2 banner that it provides, I
found some hints in the machine I am connecting from
(a DMZ host I previously took over) that suggest that
we are talking about SMS traffic (even if it seems to
be a testing environment: I see no SMSs when sniffing
the network).
I tried to fingerprint the server to figure out
exactly what app is running there, but with no
success.
Anyway, I found an established connection between the
client and this mysterious server app; my next step
will be to attach gdb to the process owning that
connection: my hope is that username and password are
still somewhere in its memory space ;)
Cheers
j.k.
P.s.: sorry for the late reply: in the last 3-4 days I
focused on another part of the target network ;)
--- Sebastian Muņiz <smuniz@elinpar.com> wrote:
> This apps Do install default user/password but
> depends on the one that you
> found....
> You should try to indentify this one but thought
> SMSC has no tcp port
> specially assigned to it, it won't help you unless
> this software version is
> in the default port (and identifying the version of
> every SMSC arround
> should be a very hard work)...
>
> If you want to connect to it, you should get an ESME
> (which is the client
> that connects to a SMSC in this kind of
> Client-Server architecture) but the
> protocol SMPP they use (Short Message Peer To Peer)
> uses username and
> password (the password could be blank is the SMSC
> admin wanted so).
> Here I sent you a link to a page where you can find
> the SMPP protocol
> specification and a ESME client made in java to test
> against this server of
> yours.
>
http://opensmpp.logica.com/CommonPart/Download/download2.html
>
> You could allways try to get the source code for
> this inplementation (if
> this is available) and try to find bugs in it but it
> is a subject for
> another post ;-)
>
> ohh... and i am not aware of any exploit arround for
> any implementation of
> this protocol!!! :(
> But if you get one, let me know :)
>
> anyway..... Are you sure it is an SMSC server that
> you found????
>
> Cheers, Sebastian
>
> -----Mensaje original-----
> De: J. K. [mailto:pentest_ml@yahoo.com]
> Enviado el: Miércoles, 08 de Junio de 2005 11:05
> a.m.
> Para: pen-test@securityfocus.com
> Asunto: Pentesting a HP-UX with SMSC
>
>
> Hello fellow pen-testers,
>
> in my current engagement I bumped into a HP-UX
> (B.11.11) server protected by a firewall (not an
> internet facing firewall, tho).
> The only open ports I can connect to are telnet and
> 9971.
>
> Connecting to 9971 I get the following:
>
> # telnet x.x.x.x 9971
> Trying x.x.x.x...
> Connected to x.x.x.x.
> Escape character is '^]'.
> CIMD2-A ConnectionInfo: SessionId = 32551 PortId = 4
> Time = 050608153449 AccessType = TCPIP_SOCKET PIN =
> 630777
>
> Googling around, I found that this daemon should be
> a
> SMSC (Short Message Service Center). I also found
> that
> on HP-UX there are a few SMSC apps available (Locus,
> FEELingK,...)
>
> My questions are:
> 1. Do you know of any vulnerability or attack avenue
> on this protocol/service ?
> 2. Do you know if these SMSC apps install some
> default
> user whose password I can try to guess ?
> 3. Any other idea ?
>
> Of course I could just fire off Hydra against the
> telnet server, but I would like to find something
> less
> noisy ;)
>
> Thanks
>
> j.k.
>
>
>
> __________________________________
> Discover Yahoo!
> Have fun online with music videos, cool games, IM
> and more. Check it out!
> http://discover.yahoo.com/online.html
>
__________________________________
Yahoo! Mail
Stay connected, organized, and protected. Take the tour:
http://tour.mail.yahoo.com/mailtour.html
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:24 EDT