Mailing List Archive

(no subject)
-----BEGIN PGP SIGNED MESSAGE-----

To all,
I'm writing nasl to find access points on legacy network segments.
The code works well at finding SMC and Compaq (all I have to test
with). If any of you can help me gather information for other
platforms, I would greatly appreciate it. What I need is
1) if AP has a default web management interface, get me output of
"GET / HTTP/1.0" (or something similar to fingerprint the AP
uniquely)
2) if AP is managed via snmp, what are a) the default community string,
b) the SNMP Object ID and c) the output of "GET sysdescr" (see script)
3) does AP have any other unique features (for instance, SMC AP
ships with a default ftp server)

Any help greatly appreciated. TIA.

John Lampe
https://f00dikator.hn.org/

"Knowledge will forever govern ignorance, and a people who mean to be
their own governors, must arm themselves with the power knowledge
gives. A popular government without popular information or the means
of acquiring it, is but a prologue to a farce or a tragedy or perhaps
both."
- --James Madison

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>

iQEVAwUBPNgc5UXUt1lqbd/lAQHshAf/eotVUXGWMGqMhpN7MxT50P7R0nvLQ/WZ
36OLmUWboBiMC4PpVH0MNgcpAaiStC0ORc3QLCwFyR3K6lkqScngR0ERcJ1GY78S
6Gw9IivQPFZXRaOARqwwE0tUw5A+fMB2pO9//p7omDOrxjtQvWzvUDhkxD7WyOXN
xPV3DgNRkx1MlKyAAlaJP0ucyM1XI5MIhGA69KlP3JyX+RvEMgkOn4b401US/Qqe
5nk1AfZ0Mj9IeWi3eY9y5T7rsDZ6U2Z5pCxwdRahBy3swj4psiQ2b3PmcYAzSzVA
Sc6kho/FdCOZPXpuGeaZHAu5j5taW/R/etijy17FJY4PSbIxuLjDvA==
=lKXC
-----END PGP SIGNATURE-----
Re: your mail
Hi John. Here's what I have for an Apple Airport Base Station (Version 1):


On Tue, 7 May 2002, John Lampe wrote:

> 1) if AP has a default web management interface, get me output of
> "GET / HTTP/1.0" (or something similar to fingerprint the AP
> uniquely)


No web interface.


> 2) if AP is managed via snmp, what are a) the default community string,
> b) the SNMP Object ID and c) the output of "GET sysdescr" (see script)


No SNMP (that I'm aware of anyway).


> 3) does AP have any other unique features (for instance, SMC AP
> ships with a default ftp server)


It does have a particular utility for MacOS to configure the device over
the network. However, off-hand I'm not certain what the port/protocol for
that is. Honestly, I've never really looked into it much.

Anyway, I did a 65k portscan of the device (both TCP and UDP) and here are
the results - hope it's useful for you:

TCP:
(The 65530 ports scanned but not shown below are in state: closed)
Port State Service
135/tcp open loc-srv
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1025/tcp open listen
5000/tcp open fics

UDP:
(The 65525 ports scanned but not shown below are in state: closed)
Port State Service
123/udp open ntp
135/udp open loc-srv
137/udp open netbios-ns
138/udp open netbios-dgm
445/udp open microsoft-ds
500/udp open isakmp
1026/udp open unknown
1032/udp open iad3
1038/udp open unknown
1900/udp open unknown


~Jay




> Any help greatly appreciated. TIA.
>
> John Lampe
> https://f00dikator.hn.org/
>
> "Knowledge will forever govern ignorance, and a people who mean to be
> their own governors, must arm themselves with the power knowledge
> gives. A popular government without popular information or the means
> of acquiring it, is but a prologue to a farce or a tragedy or perhaps
> both."
> --James Madison
>
>
> -----pgpenvelope information
> Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>
>
> gpg: Signature made Tue May 7 11:28:53 2002 MST using RSA key ID 6A6DDFE5
> gpg: Can't check signature: public key not found
>
> pgpenvelope_decrypt: message processed at Tue May 7 16:45:11 2002
>
> -----end pgpenvelope information
>
>

--
~Jay
Re: your mail
----- Original Message -----
From: "Jay" <jay@kinetic.org>
To: "John Lampe" <j_lampe@bellsouth.net>
Cc: "plugins writer" <plugins-writers@list.nessus.org>
Sent: Tuesday, May 07, 2002 7:49 PM
Subject: Re: your mail

That looks like a scan against your Windows XP system (note the tcp port 5000
and udp port 1900, for plug and play?) which, by the way, you should
disable.

that wasn't the ip address of the access point, was it? that was for the
laptop on the wireless network, right?

>
> TCP:
> (The 65530 ports scanned but not shown below are in state: closed)
> Port State Service
> 135/tcp open loc-srv
> 139/tcp open netbios-ssn
> 445/tcp open microsoft-ds
> 1025/tcp open listen
> 5000/tcp open fics
>
> UDP:
> (The 65525 ports scanned but not shown below are in state: closed)
> Port State Service
> 123/udp open ntp
> 135/udp open loc-srv
> 137/udp open netbios-ns
> 138/udp open netbios-dgm
> 445/udp open microsoft-ds
> 500/udp open isakmp
> 1026/udp open unknown
> 1032/udp open iad3
> 1038/udp open unknown
> 1900/udp open unknown

--
Michael Scheidell
SECNAP Network Security, LLC
(561) 368-9561 scheidell@secnap.net
http://www.secnap.net
Re: your mail
On Wed, 8 May 2002, Michael Scheidell wrote:

> that wasn't the ip address o fthe access point, was it? that was for the
> laptop on the wireless network, right?


DOH! Thanks for bringing that up. I thought the open port count was
awfully high, but I didn't think too much of it before firing off the
email. :) I did, in fact, have the wrong IP address and that port scan I
sent was for a Windows box. Oops - sorry. :)

Here is the *REAL* port scan of the Apple Airport Base Station
(Version 1). I double-checked the IP this time. :)

TCP
--
Starting nmap V. 2.54BETA31 ( www.insecure.org/nmap/ )
All 65535 scanned ports on (XXX.XXX.XXX.XXX) are: closed
Nmap run completed -- 1 IP address (1 host up) scanned in 15 seconds

UDP
--
Starting nmap V. 2.54BETA31 ( www.insecure.org/nmap/ )
Interesting ports on (XXX.XXX.XXX.XXX):
(The 65533 ports scanned but not shown below are in state: closed)
Port State Service
161/udp open snmp
192/udp open osu-nms

Thus, now seeing that output, we can determine that UDP/192 is for Apple's
utility program to configure the device. For UDP/161, which is actually an
SNMP service, the default read-only community string is 'public'. Here is
a partial output of an snmpwalk of the device:

system.sysDescr.0 = Base Station V3.83 SN-PW117B5TH93 V3.73
system.sysObjectID.0 = OID: enterprises.762.2
system.sysUpTime.0 = Timeticks: (43946737) 5 days, 2:04:27.37
system.sysContact.0 = XXXXXXXXXXXXXXXXX
system.sysName.0 = XXXXXXXXXXXXXXXXXXXXXXXX
system.sysLocation.0 =
system.sysServices.0 = 2
interfaces.ifNumber.0 = 3
interfaces.ifTable.ifEntry.ifIndex.1 = 1
interfaces.ifTable.ifEntry.ifIndex.2 = 2
interfaces.ifTable.ifEntry.ifIndex.3 = 3
interfaces.ifTable.ifEntry.ifDescr.1 = AMD PCNetISA
interfaces.ifTable.ifEntry.ifDescr.2 = WaveLAN/IEEE
interfaces.ifTable.ifEntry.ifDescr.3 = V.90 Modem: APPLE VERSION 0007
interfaces.ifTable.ifEntry.ifType.1 = ethernetCsmacd(6)
interfaces.ifTable.ifEntry.ifType.2 = ethernetCsmacd(6)
interfaces.ifTable.ifEntry.ifType.3 = propPointToPointSerial(22)

This device has one 10Mb/s Ethernet interface, one 802.11b interface
(40-bit WEP), and one v.90 modem interface -- all of which seem to be
accurately represented as interfaces 1, 2, and 3 respectively.

Hope this helps, and thanks again Michael for finding my lapse of sanity
with my first posting about this. :)
--
~Jay
Re: find_ap nasl
----- Original Message -----
From: "John Lampe" <j_lampe@bellsouth.net>
To: "plugins writer" <plugins-writers@list.nessus.org>
Sent: Tuesday, May 07, 2002 2:28 PM


> -----BEGIN PGP SIGNED MESSAGE-----
>
> To all,
> I'm writing nasl to find access points on legacy network segments.
> The code works well at finding SMC and Compaq (all I have to test
> with). If any of you can help me gather information for other
> platforms, I would greatly appreciate it. What I need is

John:

you get any feedback on this?

did Renaud forget to put it in CVS?
--
Michael Scheidell
SECNAP Network Security, LLC
(561) 368-9561 scheidell@secnap.net
http://www.secnap.net
Re: find_ap nasl
I wrote and submitted...either Renaud thought the script sucked, or he
forgot about it ;-)

I've been using it for the last month or so...works fine at finding Apple, Linksys,
SMC, Cisco, and Compaq APs....I'd be glad to get any further
sigs/packetdumps/whatever for other manufacturers. I'll "resend" to Renaud
when I get the new sigs included.

John Lampe

----- Original Message -----
From: "H D Moore" <hdm@digitaloffense.net>
To: "Michael Scheidell" <scheidell@secnap.net>; "John Lampe"
<j_lampe@bellsouth.net>
Sent: Saturday, June 08, 2002 12:21 PM
Subject: Re: find_ap nasl


Want some help? I have sigs/traffic dumps from quite a few ap's...


On Saturday 08 June 2002 14:01, Michael Scheidell wrote:
> ----- Original Message -----
> From: "John Lampe" <j_lampe@bellsouth.net>
> To: "plugins writer" <plugins-writers@list.nessus.org>
> Sent: Tuesday, May 07, 2002 2:28 PM
>
> > -----BEGIN PGP SIGNED MESSAGE-----
> >
> > To all,
> > I'm writing nasl to find access points on legacy network segments.
> > The code works well at finding SMC and Compaq (all I have to test
> > with). If any of you can help me gather information for other
> > platforms, I would greatly appreciate it. What I need is
>
> John:
>
> you get any feedback on this?
>
> did Renaud forget to put it in CVS?
Re: find_ap nasl
On Tue, Jun 11, 2002 at 09:14:31PM -0700, John Lampe wrote:
> I wrote and submitted...either Renaud thought the script sucked, or he
> forgot about it ;-)

I forgot about it, and I committed it.

> I've been using it for the last month or so...works fine at finding Apple, Linksys,
> SMC, Cisco, and Compaq APs....I'd be glad to get any further
> sigs/packetdumps/whatever for other manufacturers. I'll "resend" to Renaud
> when I get the new sigs included.

Please do.


-- Renaud
Re: find_ap nasl
On Tuesday 11 June 2002 23:14, John Lampe wrote:
> I wrote and submitted...either Renaud thought the script sucked, or he
> forgot about it ;-)
>
> I've been using it for the last month or so...works fine at finding Apple,
> Linksys, SMC, Cisco, and Compaq APs....I'd be glad to get any further
> sigs/packetdumps/whatever for other manufacturers. I'll "resend" to Renaud
> when I get the new sigs included.

Hmm.. saw the plugin, seems like it's trying to be an all-in-one test for an AP
and could benefit from using the KB tree. For instance, have a plugin which
just requests the system.sysDesc.0 from every host (trivial to do, I have one
if you're interested), store that value in the KB. Then modify
http_version.nasl to recognize common HTTP responses to access point web
servers. Finally, add snmp_sysDesc.nasl and http_version.nasl as
dependencies, then throw together 4 arrays, split into these groups:

WebPattern[]
WebSystem[]
SnmpPattern[]
SnmpSystem[]

Pull the snmp desc kb entry, iterate through the SnmpPattern list trying to
match, then set the AP type to the corresponding value of SnmpSystem. Do the
same for the web sigs, but use "www/ap-type" keys and just get_kb_item to see
if they exist and match accordingly. This would make the plugin much easier
to expand on and you can always add another detection technique later.

The only thing I am still confused on is the internals of (get|set)_kb_item:

Renaud once said that the plugin process forks every time get_kb_item returns a
value and removes that value from subsequent calls (until it returns false).
It would be nice if there was a way to work with the KB without causing any
fork()s or otherwise jacking with the process...

-HD
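Added example, not code from the thread or from John's find_ap plugin: a
minimal SNMPv1 GET client that builds the sysDescr.0/sysObjectID.0 request
John's item 2 asks for, parses the agent's GetResponse (the exchange Jay's
snmpwalk shows against the AirPort with community 'public'), and then runs
the table-driven, KB-style classification HD sketches above. The BER
encoding follows the SNMPv1 message layout; the only signature taken from
the thread is Jay's "Base Station V..." sysDescr. The KB key names
("SNMP/sysDesc", "www/banner/80"), the web-banner pattern, the sample
response and the probe() helper are assumptions made for this example.

```python
"""Added example (not from the thread): SNMPv1 GET by hand plus a KB-style,
table-driven AP classifier. KB key names and the web signature are assumed."""
import re
import socket

SYS_DESCR = "1.3.6.1.2.1.1.1.0"      # system.sysDescr.0
SYS_OBJECT_ID = "1.3.6.1.2.1.1.2.0"  # system.sysObjectID.0

def _length(n):
    """BER length: short form below 128, long form (0x80|count, then bytes) above."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, payload):
    return bytes([tag]) + _length(len(payload)) + payload

def enc_int(v):
    if v == 0:
        return tlv(0x02, b"\x00")
    return tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))

def enc_str(s):
    return tlv(0x04, s.encode())

def enc_oid(oid):
    parts = [int(x) for x in oid.strip(".").split(".")]
    body = bytearray([40 * parts[0] + parts[1]])
    for p in parts[2:]:  # base-128 digits, high bit set on all but the last
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.append(0x80 | (p & 0x7F))
            p >>= 7
        body += bytes(reversed(chunk))
    return tlv(0x06, bytes(body))

def _read_tlv(buf, pos):
    """Return (tag, payload, next_pos) for the TLV starting at pos."""
    tag, n = buf[pos], buf[pos + 1]
    pos += 2
    if n & 0x80:
        k = n & 0x7F
        n = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    return tag, buf[pos:pos + n], pos + n

def dec_oid(b):
    parts, v = [b[0] // 40, b[0] % 40], 0
    for c in b[1:]:
        v = (v << 7) | (c & 0x7F)
        if not c & 0x80:
            parts.append(v)
            v = 0
    return ".".join(map(str, parts))

def snmp_get(community, oids, request_id=1):
    """SNMPv1 GetRequest: Message{version 0, community, PDU 0xA0{id, 0, 0, varbinds}}."""
    vbl = b"".join(tlv(0x30, enc_oid(o) + b"\x05\x00") for o in oids)  # value = NULL
    pdu = tlv(0xA0, enc_int(request_id) + enc_int(0) + enc_int(0) + tlv(0x30, vbl))
    return tlv(0x30, enc_int(0) + enc_str(community) + pdu)

def snmp_get_response(community, varbinds, request_id=1):
    """GetResponse (0xA2); used here to construct the agent side of the exchange."""
    vbl = b""
    for oid, val in varbinds:  # value: str, int, or ("oid", dotted) for OBJECT IDENTIFIER
        enc = enc_oid(val[1]) if isinstance(val, tuple) else (
            enc_str(val) if isinstance(val, str) else enc_int(val))
        vbl += tlv(0x30, enc_oid(oid) + enc)
    pdu = tlv(0xA2, enc_int(request_id) + enc_int(0) + enc_int(0) + tlv(0x30, vbl))
    return tlv(0x30, enc_int(0) + enc_str(community) + pdu)

def snmp_parse_response(pkt):
    """Return (community, error_status, {oid: value}) from a GetResponse datagram."""
    _, msg, _ = _read_tlv(pkt, 0)
    _, _ver, pos = _read_tlv(msg, 0)
    _, comm, pos = _read_tlv(msg, pos)
    ptag, pdu, _ = _read_tlv(msg, pos)
    if ptag != 0xA2:
        raise ValueError("not a GetResponse PDU: tag 0x%02x" % ptag)
    _, _rid, p = _read_tlv(pdu, 0)
    _, err, p = _read_tlv(pdu, p)
    _, _idx, p = _read_tlv(pdu, p)
    _, vbl, _ = _read_tlv(pdu, p)
    out, q = {}, 0
    while q < len(vbl):
        _, vb, q = _read_tlv(vbl, q)
        _, oidb, r = _read_tlv(vb, 0)
        vtag, valb, _ = _read_tlv(vb, r)
        if vtag == 0x06:
            val = dec_oid(valb)
        elif vtag in (0x02, 0x41, 0x42, 0x43):  # INTEGER, Counter, Gauge, TimeTicks
            val = int.from_bytes(valb, "big", signed=(vtag == 0x02))
        else:
            val = valb.decode("latin-1")       # OCTET STRING (sysDescr and friends)
        out[dec_oid(oidb)] = val
    return comm.decode("latin-1"), int.from_bytes(err, "big", signed=True), out

def enterprise_number(sys_object_id):
    """Vendor arc of sysObjectID: the component after 1.3.6.1.4.1 (762 for enterprises.762.2)."""
    pfx = "1.3.6.1.4.1."
    return int(sys_object_id[len(pfx):].split(".")[0]) if sys_object_id.startswith(pfx) else None

# Pattern tables in the shape HD proposes. Only the AirPort line comes from the
# thread (Jay's snmpwalk); the web pattern and the KB key names are assumptions.
SNMP_PATTERNS = [(r"^Base Station V", "Apple AirPort Base Station")]
WEB_PATTERNS = [(r"(?i)wireless access point", "unidentified AP (hypothetical banner)")]

def classify_ap(kb):
    """kb stands in for get_kb_item(): SNMP/sysDesc and www/banner/80 entries (assumed names)."""
    for pat, system in SNMP_PATTERNS:
        if re.search(pat, kb.get("SNMP/sysDesc", "")):
            return system
    for pat, system in WEB_PATTERNS:
        if re.search(pat, kb.get("www/banner/80", "")):
            return system
    return None

def probe(host, community="public", timeout=2.0):
    """One GET over UDP/161 for sysDescr.0 and sysObjectID.0 (live use; not run by the test)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.sendto(snmp_get(community, [SYS_DESCR, SYS_OBJECT_ID]), (host, 161))
        return snmp_parse_response(s.recv(4096))[2]
    finally:
        s.close()
```

Against a live host, `classify_ap({"SNMP/sysDesc": probe(host)[SYS_DESCR]})` is
the whole detection path; the pattern tables are the only part that grows when
somebody sends in a new sysDescr or web banner, which is the point of HD's
layout. Note that `enterprise_number()` gives a vendor hint even when no
sysDescr pattern matches, so it is worth storing in the KB alongside the
description.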