Ryan Castellucci :nonbinary_flag: (ryanc@infosec.exchange)'s status on Thursday, 26-Dec-2024 01:38:32 JST Ryan Castellucci :nonbinary_flag: EnGenius's SNMP implementation is... special. Running snmpwalk ends up actually changing a setting, and the private community string and SNMPv3 keys are available by walking the public community.
Ryan Castellucci :nonbinary_flag: (ryanc@infosec.exchange)'s status on Thursday, 26-Dec-2024 01:47:44 JST Ryan Castellucci :nonbinary_flag: Meanwhile, it has a neat little service that fingerprints the DHCP request options to determine the client OS, and I'm wondering where they got the signatures from.
Ryan Castellucci :nonbinary_flag: (ryanc@infosec.exchange)'s status on Thursday, 26-Dec-2024 01:59:28 JST Ryan Castellucci :nonbinary_flag: Oh, it also spills the WPA-PSKs and basically every other credential except the admin password, but it doesn't even matter because it seems like you can just root the sucker with read-write snmp.
morb (morb@mastodon.social)'s status on Thursday, 26-Dec-2024 02:15:13 JST morb @ryanc wow what a horror show
Ryan Castellucci :nonbinary_flag: (ryanc@infosec.exchange)'s status on Thursday, 26-Dec-2024 02:15:13 JST Ryan Castellucci :nonbinary_flag: @morb I need to patch their snmp daemon to just return poop emoji for things it shouldn't spill.
Koos van den Hout (khoos@infosec.exchange)'s status on Thursday, 26-Dec-2024 04:48:07 JST Koos van den Hout @ryanc just put WIN98 in the right DHCP field
Ryan Castellucci :nonbinary_flag: (ryanc@infosec.exchange)'s status on Thursday, 26-Dec-2024 08:22:28 JST Ryan Castellucci :nonbinary_flag: @KHoos I have somewhere else I'd like to put WIN98. :bloblewd: