lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Thu, 24 Jan 2008 09:38:21 -0500
From: gmaggro <gmaggro@...ers.com>
To: Full Disclosure <full-disclosure@...ts.grok.org.uk>
Subject: Re: scada/plc gear

One more device arrived, a Lantronix MSS485-T, an interesting and what 
would appear to be older piece - it also supports IPX and LAT: 
http://www.lantronix.com/device-networking/external-device-servers/mss485-t.html

All kinds of ports open on this thing according to nmap, but a little 
odd... only TCP 23, 79, 513, 514, 2001, 2100, 2101, 3001, 7000, 13001, 
14001.

There's no modbus (502) but I wasn't after that with this particular device.

Mac prefix is 00:80:A3 (Lantronix) and the OS guess is Lantronix MSSlite 
device server.

snmpwalking yields a sysDescr of "Lantronix MSS485 Version 
V3.6/4(000712)", a sysLocation "Micro Serial Server", a sysName 
"MSS_1DF552" and an ifDescr "Lantronix Ethernet 802.3". According to 
snmp it also says it has UDP 13, 37, 53, 123, 137, 161 and 520 open but 
it lies.

A Nessus scan choked this thing up pretty good, and it would appear a 
few aggresive nmap scans with scripting and versioning enabled caused it 
to behave oddly. Oddly meaning some ports going filtered, others 
dropping off, services still up running slow, etc. Perhaps a 
co-incidence, but this device too has a reset button on it :)

I love cracking open the boxes on older gear; it tends to be built of 
alot more discrete parts and glue, instead of single chip solutions. 
Often this results in them being more hackable. Significantly easier to 
rework or piggyback a QFP with a clip than a P/BGA, yes? Backdoor the 
firmware before selling it to the target you want to penetrate... or 
just put it on ebay, have someone buy it, and wait for it to call home 
or spit creds to an IRC channel. I have seen this demonstrated in a 
controlled environment, but I often wonder how feasible it would be in 
real life for a small group of individuals to carry out.

In any case, the main parts are a 68EC000 10MHz CPU, a Nat Semi 
DP83902AVLJ NIC, an AMD flash, some NEC DRAM, and a Lantronix ASIC that 
I cannot seem to dig much up on. This is because the graphics are a 
little strangely printed, but it looks to say "AIM I 0044LHU LANTRONIX 
SAL-10/20MHz 220-170". I'm guessing it's something to do with the serial 
(rs485) protocols, but I'd appreciate being told what it actually is.







_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ