Hack the Hardware

by Sadena Meti

O.K., how many of you out there have hacked a computer?  Most of you.  Now, how many of you have hacked a coffee machine?  Not a whole lot.  Why not?  Because it's a device, not a system.  You can hack all kinds of other "devices" that most people overlook: hubs, routers, printers, and switches.

For those of you who don't know what a hub is or does, I won't take the time to explain to you the world beyond your modem called a network.  Hopefully you know what a multiplexer is, and that's all a hub really is.  A hub is also a bottleneck, and therefore a point very vulnerable to takedown hacks.  You knock out the hub, and as far as the computers attached to it are concerned, the network is gone.

In my exploits at a certain university, I wrote a quick program to search for computers within subnets.  It was a simple Windows 95 batch program that would recursively call itself and ping every IP in a given subnet, and log the results to text.  For the most part, I paid attention to the tops and bottoms of the subnets (0-15, 240-255) because that is where all the fun stuff is.

One of the problems with hacking hardware is that it is hard to recognize what exactly it is.  Most of the time there aren't any fancy login screens, no help files, no user interface.  Hardware is nasty because no one bothers to use it.  Hell, I've dialed into payphones and switches that have never been logged into.  No one uses them, so no one cares what they look like.  Most of the time all you get is:

Password:

One of the more wonderful exceptions is the 3Com SuperStack II Hub.  Ah, what a wondrous device.  Secure?  That's another story.  You'll know a SuperStack when you see it.  Your first hint will probably be the big login screen with "SuperStack" in huge print.

Now, how to hack it?  Simple.  Access requires a login name and password.  I've found hundreds of these hubs, from local university networks to NASA to the state government of Florida.  And all you need to get in 98 percent of the time are default passwords.  The four defaults are:

Username    Default Password   Access Level

monitor     monitor            Monitor  - This user can view, but not change, all manageable parameters
manager     manager            Manager  - This user can access and change the operational parameters,
                                          but not special/security features
security    security           Security - This user can access and change all manageable parameters
admin       (none)             Admin    - This level is the same as Security

(none) means no password, just hit Enter.

Additional or other possible accounts/usernames/passwords:

Username   Password
tech       tech
debug      synnet
admin      (none)
3comcso    RIP000
adm        (none)
admin      synnet
admin      admin
write      synnet
root       (none)
root       manager
security   (none)
recover    recover
force      force

Now, Monitor level sucks.  Nothing much "useful" you can do there, besides view some statistics.  Manager level is better, as its menu has one important option: reset

Security level has that too, as well as the option to create new users.  Don't.  Besides, the geniuses who administer these puppies sometimes remember to change the Security password, but not Manager.

Click on reset, verify your decision, and boom, the hub cycles down and up, disconnecting all connections.  And the connections won't automatically reset.  To the user, the network appears to have simply disappeared.  A quick reboot and everything's fine.  Just a glitch, right?  So then you reset it again.  And again, and again, and again.

Now, the greatest thing about the 3Com SuperStack II Hubs, and most hubs and network devices in general, is no logging!  No way to know you were there, no way to know what you did, and nothing to stop you from doing a brute-force attack when you find a hub that someone has bothered to set a password on.  Oh the fun.
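
Since the hub itself keeps no log, the repeated reset described above has to be caught from outside the device. The following is an added example, not part of the original article: it flags a hub whose uptime keeps falling back toward zero between polls. It assumes the hub answers SNMP sysUpTime polls and that a collector records one line per poll; the poll data, device names and function names are constructed for illustration.

```python
from collections import defaultdict

WRAP = 2**32  # sysUpTime is a 32-bit TimeTicks counter in 1/100 s (wraps at ~497 days)

# Constructed sample: "epoch_seconds device sysUpTime_ticks", one poll every 300 s.
SAMPLE_POLLS = """\
1000 hub-a 500000
1300 hub-a 530000
1600 hub-a 4000
1900 hub-a 2500
2200 hub-a 32500
2500 hub-a 1200
1000 hub-b 4294900000
1300 hub-b 4294930000
1600 hub-b 4294960000
1900 hub-b 22704
""".splitlines()

def find_resets(lines, tolerance=500):
    """Return {device: [poll times at which a restart was observed]}."""
    last, resets = {}, defaultdict(list)
    for line in lines:
        ts, dev, ticks = line.split()
        ts, ticks = int(ts), int(ticks)
        if dev in last:
            prev_ts, prev_ticks = last[dev]
            elapsed = (ts - prev_ts) * 100          # seconds -> ticks
            projected = prev_ticks + elapsed
            # A counter rollover also yields a small value; it is not a restart
            # if the value matches where the old counter would have wrapped to.
            wrapped = projected >= WRAP and abs(ticks - (projected - WRAP)) <= tolerance
            # Up for less time than has passed since the last poll: it rebooted.
            if ticks < elapsed - tolerance and not wrapped:
                resets[dev].append(ts)
        last[dev] = (ts, ticks)
    return dict(resets)

def reset_loops(resets, min_resets=3, window=3600):
    """Devices that restarted at least min_resets times within window seconds."""
    flagged = []
    for dev, times in resets.items():
        times = sorted(times)
        for i in range(len(times) - min_resets + 1):
            if times[i + min_resets - 1] - times[i] <= window:
                flagged.append(dev)
                break
    return flagged

if __name__ == "__main__":
    found = find_resets(SAMPLE_POLLS)
    print(found, reset_loops(found))
```

A single restart looks like the "glitch" the article describes; the second function is what separates that from someone cycling the hub over and over.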

Some other devices that you may run into are HP Hubs, GatorBoxes, JetDirects, etc.  Almost all of these have remote administration abilities and no passwords.  Some have password options but they are rarely used.  You see, system administrators - you know, the stupid salaried ones who don't realize that freelance has them whipped - don't even know these devices have remote options, so they don't bother securing them.  Saps.  If you don't try to hack yourself, you're doomed to wait until someone else does.

Some further notes...  With the HP Hubs, you often won't get any type of login screen or menu.  If you just get a blinking cursor, press Enter a few times.  If you get a prompt, remember ? and help are your best commands.

With the JetDirect, go into the "Settings", find the Gateway and JetDirect IP, and switch them.  Printer will go insane.

Do not get pompous.  Don't create accounts, don't delete them, don't change passwords or set new ones.  And don't blame me for any trouble you get into for any chaos you cause.  I am in no way, shape or form advocating that you go out and give those narcissistic university network security "experts" the hell they deserve.

And if you run into one named J.S., give him my best.  And yours.
