Find Medion NAS-Servers on the web

Thanks to SHODAN (please also visit Johns website at www.shodanhq.com and don’t forget to contribute his work) it is quite easy to locate MEDION NAS-Servers on the web.

This is also a very good example on how to use NetworkToolbox in combination with SHODAN.

  • Step 1. (spy your device)

First, given that you own such a MEDION-NAS Server (but any oder device with Web-Interface can be used as well), just open the Socket tool in NetworkToolbox, type in the IP of this box, select port 80 and tap on connect.

  • Step 2. (locate uncommon and unique strings)

Next, tap on the HEAD command on the command-bar at the top, then press OK to confirm the host (the NAS accepts any host)
Then, you will see what the NAS Server returns such as:

HTTP/1.0 301 Moved Permanently
Date: Sun, 01 Sep 2013 07:16:42 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.8o mod_wsgi/2.4 Python/2.6.2
Location: http ://XXX.XXX.XXX.XXX/cmd,/ck6fup6/register_main/redirectHome

The interesting thing here is the ck6fup6/register part which is quite uncommon.

  • Step 3. (search by using SHODAN)

Now, you can enter this part or pattern as search term in the SHODAN tool. SHODAN will find many MEDION-NAS Servers mostly in Europe of course. Not sure if some of them still use the default credentials which can be found in the manual, which is available on the web. It’s admin and 1234.

Today’s data update will add the aforementioned pattern as SHODAN search term (the list that appears when tapping the ? button) and also, this information has been added to the “How to” section in the Resources tab.

Stay tuned,

Marcus

P.S. I am already working on some improvements for NetworkToolbox. Especially the Network- and Portscan deserves some improvements.


Lavabit died

Unfortunately, one of the best (maybe only) secure mail service closed their doors.

Ladar Levison, the Owner and Operator of Lavabit was put under pressure by US Government to disclose users data. He decided against it and closes his service. He deserves our greatest respect although the end of lavabit is sad.

You can still read his clear statement on his website at lavabit.com.

He leaves no doubt about the security of data residing on US servers and networks.

This experience has taught me one very important lesson: without congressional action or a strong judicial precedent, I would _strongly_ recommend against anyone trusting their private data to a company with physical ties to the United States, Ladar said.

So, don’t trust the evil, like I used to say.

Stay tuned,

Marcus


BIG WARNING TO ALL USERS OF ASUS ROUTERS

This is a warning for a severe security issue with many Asus Routers.

Almost all RT-Axx and RT-Nxx routers and probably more have a directory traversal issue.

By just adding the parameter /tmp/lighttpd/permissions to the IP address or url of the router, the password file can be downloaded which contains all usernames and passwords of all users, including the administrator.

Even more worse, it is possible to execute any executable on the router or even upload or modify additional executable or files.

Asus is aware about this since June. There is no update available yet and even not a warning on their website.

This issue is so severe because those routers are quite easy to find e.g. by using the included shodan tool and by searching for asuscomm.com which is the suffix of the dynamic domain which will be created by Asus AiCloud service.

More worse and even another implementation flaw of Asus, by searching for this term, hackers will automatically know the first part of the dynamic dns entry (the part in front of asuscomm.com) which means that all routers that are being found by shodan can still be compromised even if the IP address has been changed meanwhile.

As there is no security update available yet, ALL those routers and ALL FILES in Asus AiCloud can be accessed as if there would be no password protection at all.
A single Search for such routers in Chicago returned 171 AiCloud devices and Berlin 130.

Scary!

Recommendations:

– Ideally, replace all Asus devices

If that’s not feasible :

– Switch off all AiCloud services (there are actually three) on your router
– Disable all UPnP services (which is even good for all other situations)
– Disable remote access
– Change all username and passwords

Stay tuned,

Marcus


Be carefull if you use a Ruckus device

If you are using a Ruckus Wireless router, doublecheck if you really have changed your default password as this router can be maintained from the internet and that can’t be switched off.

A quick search for Ruckus with the shodan tool reveals that many of those routers are installed worldwide and very likely, most of them will use the default username super and password sp-admin.

Affected devices are:

ZoneFlex 7731 802.11n Wireless Bridge
ZoneFlex 2942 802.11g Access Point
ZoneFlex 2741 802.11g Outdoor Access Point
ZoneFlex 7942 802.11n Access Point
ZoneFlex 7962 Dual Band 802.11n Access Point
ZoneFlex 7762 Dual Band 802.11n Outdoor Access Point
ZoneFlex 7762-S Dual Band 802.11n Outdoor Sector Access Point
ZoneFlex 7343 2.4GHz 802.11n Smart Wi-Fi Access Point
ZoneFlex 7363 Dual Band 802.11n Smart Wi-Fi Access Point

which all use the same pre defined username and password.

Moreover, the following devices even have an empty username and password:

ZoneDirector 1000
ZoneDirector 1100
ZoneDirector 3000

The default username and password will be added to the default password list of this app with the next data update.

Kind regards,

Marcus


Unbelievable but true! Backdoor in HP’s Backup solution

Not only that we users have to live with poor quality soft- and hardware that makes it easy for hackers to break into our systems. On top of that, soft- and hardware vendors implement their own backdoors to our systems.

It’s hard to believe but often true. Just recently a backdoor in HP’s storage system StoreOnce was revealed. It will probably remain HP’s secret why they spent resources in implementing such backdoors rather than increasing usability and security.

Maybe it was kind of preemptive obedience for those guys from NSA or GCHQ or just a brain fart of the head of HPs development department, who knows. Definitely it was not to the advantage of us users. If you ask HP to recover a lost admin password, they claim there is no way for doing so and just suggests a re-install. HP seems to be resistant to learning as they can look back to a long history of revealed backdoors in their systems.

So what can we do? Again, don’t trust the evil. Take into account that such backdoors exist. Think twice what kind of data you like to store (or I should better say share) on your systems.
Even if there is an update, backdoors may still exist. For HP StoreOnce storage system there even is no update available more than one month after the backdoor was exposed.

If you own a StoreOnce system, try to use the SSH client included in my app and connect to the IP of your StoreOnce system. The backdoor credentials are:

Username: HPSupport
Password: badg3r5

Yes, the password is ‘ badg3r5’. Unbelievable, isn’t it?