More Powerlink2 Information

Forum about Visonic products like Powermax Plus and Powermax Pro

Moderators: Rene, Willem4ever

Post Reply
manno
Starting Member
Starting Member
Posts: 16
Joined: Tue Sep 20, 2011 4:11 am

More Powerlink2 Information

Post by manno »

Hello,

I stumbled across this board while doing some research on attempting to hack the Powerlink2 module. I wanted to submit some bits of info that I have found while probing the module. Has anyone else had any luck trying to get into the Powerlink2?


Possibly this board: http://foxlx.acmesystems.it/

It seems that root, admin and visonic are valid users (via telnet) but haven't tried enough passwords yet.

nmap results:

PORT STATE SERVICE
22/tcp open ssh
23/tcp open telnet
80/tcp open http
443/tcp open https
2530/tcp open unknown
2531/tcp open unknown
2812/tcp open unknown
6310/tcp open unknown
7520/tcp open unknown
8082/tcp open blackice-alerts
8083/tcp open unknown
8084/tcp open unknown

Device type: specialized

Code: Select all

Running: Linux 2.6.X
OS details: Linux 2.6.12 on FOX embedded development board
OS Fingerprint:
OS:SCAN(V=4.20%D=9/19%OT=22%CT=1%CU=37235%PV=Y%DS=1%G=Y%M=00126C%TM=4E77C1F
OS:4%P=i686-redhat-linux-gnu)SEQ(SP=CF%GCD=1%ISR=D3%TI=Z%II=I%TS=7)OPS(O1=M
OS:5B4ST11NW1%O2=M5B4ST11NW1%O3=M5B4NNT11NW1%O4=M5B4ST11NW1%O5=M5B4ST11NW1%
OS:O6=M5B4ST11)WIN(W1=16A0%W2=16A0%W3=16A0%W4=16A0%W5=16A0%W6=16A0)ECN(R=Y%
OS:DF=Y%T=40%W=16D0%O=M5B4NNSNW1%CC=N%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=
OS:0%Q=)T2(R=N)T3(R=Y%DF=Y%T=40%W=16A0%S=O%A=S+%F=AS%O=M5B4ST11NW1%RD=0%Q=)
OS:T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S
OS:+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=
OS:Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%TOS=C0%IPL=164%UN=0
OS:%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUL=G%RUD=G)IE(R=Y%DFI=N%T=40%TOSI=S%CD=S%S
OS:I=S%DLI=S)

Code: Select all

22/tcp   open  ssh              Dropbear sshd 0.52 (protocol 2.0)
23/tcp   open  skype            Skype VoIP data channel
80/tcp   open  http             Apache httpd 1.3.31 ((Unix) PHP/4.3.9 mod_ssl/2.8.20 OpenSSL/0.9.7e)
443/tcp  open  http             Apache httpd 1.3.31 ((Unix) PHP/4.3.9 mod_ssl/2.8.20 OpenSSL/0.9.7e)
2530/tcp open  http             Apache httpd 1.3.31 ((Unix) PHP/4.3.9 mod_ssl/2.8.20 OpenSSL/0.9.7e)
2531/tcp open  http             Apache httpd 1.3.31 ((Unix) PHP/4.3.9 mod_ssl/2.8.20 OpenSSL/0.9.7e)
2812/tcp open  http             monit httpd 5.1.1
6310/tcp open  unknown
7520/tcp open  http             Apache httpd 1.3.31 ((Unix) PHP/4.3.9 mod_ssl/2.8.20 OpenSSL/0.9.7e)
8082/tcp open  blackice-alerts?
8083/tcp open  unknown
8084/tcp open  unknown
3 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at h
ttp://www.insecure.org/cgi-bin/servicefp-submit.cgi :
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port8082-TCP:V=4.20%I=7%D=9/19%Time=4E77C256%P=i686-redhat-linux-gnu%r(
SF:GetRequest,215,"HTTP/1\.1\x20404\x20Not\x20Found\r\nContent-type:\x20te
SF:xt/html\r\nConnection:\x20close\r\nDate:\x20Wed,\x2026\x20Jan\x202000\x
SF:2009:50:43\x20UTC\r\nServer:\x20Xmlrpc-c_Abyss/1\.21\.0\r\n\r\n<HTML><H
SF:EAD><TITLE>Error\x20404</TITLE></HEAD><BODY><H1>Error\x20404</H1><P>Thi
SF:s\x20XML-RPC\x20For\x20C/C\+\+\x20Abyss\x20XML-RPC\x20server\x20respond
SF:s\x20to\x20only\x20one\x20URI\x20path\.\x20\x20I\x20don't\x20know\x20wh
SF:at\x20URI\x20path\x20that\x20is,\x20but\x20it's\x20not\x20the\x20one\x2
SF:0you\x20requested:\x20'/'\.\x20\x20\(Typically,\x20it's\x20'/RPC2'\)</P
SF:><p><HR><b><i><a\x20href=\"http://xmlrpc-c\.sourceforge\.net\">ABYSS\x2
SF:0Web\x20Server\x20for\x20XML-RPC\x20For\x20C/C\+\+</a></i></b>\x20versi
SF:on\x201\.21\.0<br></p></BODY></HTML>")%r(FourOhFourRequest,230,"HTTP/1\
SF:.1\x20404\x20Not\x20Found\r\nContent-type:\x20text/html\r\nConnection:\
SF:x20close\r\nDate:\x20Wed,\x2026\x20Jan\x202000\x2009:50:43\x20UTC\r\nSe
SF:rver:\x20Xmlrpc-c_Abyss/1\.21\.0\r\n\r\n<HTML><HEAD><TITLE>Error\x20404
SF:</TITLE></HEAD><BODY><H1>Error\x20404</H1><P>This\x20XML-RPC\x20For\x20
SF:C/C\+\+\x20Abyss\x20XML-RPC\x20server\x20responds\x20to\x20only\x20one\
SF:x20URI\x20path\.\x20\x20I\x20don't\x20know\x20what\x20URI\x20path\x20th
SF:at\x20is,\x20but\x20it's\x20not\x20the\x20one\x20you\x20requested:\x20'
SF:/nice\x20ports,/Trinity\.txt\.bak'\.\x20\x20\(Typically,\x20it's\x20'/R
SF:PC2'\)</P><p><HR><b><i><a\x20href=\"http://xmlrpc-c\.sourceforge\.net\"
SF:>ABYSS\x20Web\x20Server\x20for\x20XML-RPC\x20For\x20C/C\+\+</a></i></b>
SF:\x20version\x201\.21\.0<br></p></BODY></HTML>")%r(HTTPOptions,215,"HTTP
SF:/1\.1\x20404\x20Not\x20Found\r\nContent-type:\x20text/html\r\nConnectio
SF:n:\x20close\r\nDate:\x20Wed,\x2026\x20Jan\x202000\x2009:50:48\x20UTC\r\
SF:nServer:\x20Xmlrpc-c_Abyss/1\.21\.0\r\n\r\n<HTML><HEAD><TITLE>Error\x20
SF:404</TITLE></HEAD><BODY><H1>Error\x20404</H1><P>This\x20XML-RPC\x20For\
SF:x20C/C\+\+\x20Abyss\x20XML-RPC\x20server\x20responds\x20to\x20only\x20o
SF:ne\x20URI\x20path\.\x20\x20I\x20don't\x20know\x20what\x20URI\x20path\x2
SF:0that\x20is,\x20but\x20it's\x20not\x20the\x20one\x20you\x20requested:\x
SF:20'/'\.\x20\x20\(Typically,\x20it's\x20'/RPC2'\)</P><p><HR><b><i><a\x20
SF:href=\"http://xmlrpc-c\.sourceforge\.net\">ABYSS\x20Web\x20Server\x20fo
SF:r\x20XML-RPC\x20For\x20C/C\+\+</a></i></b>\x20version\x201\.21\.0<br></
SF:p></BODY></HTML>");
Top
Mfr
Starting Member
Starting Member
Posts: 24
Joined: Tue Sep 20, 2011 10:54 pm

Re: More Powerlink2 Information

Post by Mfr »

Hi,

I have not been able to logon using any of the passwords found on the internet. Maybe someone with an IP-camera and IP-sniffer software can find a way in.

On port 8082 I get following message:

Error 404

This XML-RPC For C/C++ Abyss XML-RPC server responds to only one URI path. I don't know what URI path that is, but it's not the one you requested: '/POST'. (Typically, it's '/RPC2')

ABYSS Web Server for XML-RPC For C/C++ version 1.21.0


On this website http://xmlrpc-c.sourceforge.net/ more info can be on the used RPC server found on this port.
Top
manno
Starting Member
Starting Member
Posts: 16
Joined: Tue Sep 20, 2011 4:11 am

Re: More Powerlink2 Information

Post by manno »

I don't even think sniffing the network would help. It appears that they possibly took away ftp transfers between IP-cams and the Powerlink module. I bet that there's a pre-shared ssh key setup between the cams and the module and all done via encrypted transfers. Not sure on this since I do not have a IP-cam. Might be time to get one. ;)

I did setup network sniffing for several days between the module and my router to see if the module was sending any data to home base. No traces of any remote IPs being sent or received in the logs. This is good News to me IMO.

My next task is to setup netcat on a local linux box and put that IP into the IP RCVR setting in the powermax to see what kind of data gets sent. It'll be interesting to see what happens.
Top
Mfr
Starting Member
Starting Member
Posts: 24
Joined: Tue Sep 20, 2011 10:54 pm

Re: More Powerlink2 Information

Post by Mfr »

Still no user/pass found on the internet. On a Spanish site they have a somewhat more information on open ports (scroll to bottom of page).

http://blogs.itpro.es/oscarmarin

Mark
Top
Post Reply

Return to “Visonic Alarm systems”