From Rexploit

Wireless default settings and related vulnerability list

Here you can find a list of default settings and reported vulnerabilities of wireless-related software and hardware. The list is sorted by vendor. The information has been collected from different sources: SecurityFocus, Bugtraq, manuals, etc. Feel free to submit further details.


1st Wave:

Model | SSID | Settings | Comments
Misc | 1stWave | |

3Com:

Default settings:

Model | SSID | Credentials | Settings | Comments
AirConnect 2.4 GHz DS | comcomcom | | |
Misc | 3com | | |

Vulnerabilities:

Date Link
 16-11-2004:  3Com OfficeConnect ADSL Wireless 11g Firewall Router Remote Denial Of Service Vulnerability (http://www.securityfocus.com/bid/11685)
  • A remote denial of service vulnerability affects the 3Com OfficeConnect ADSL Wireless 11g Firewall Router. This issue is due to a failure of the application to handle anomalous network traffic. The problem is reported to present itself when copious amounts of anomalous UDP traffic are targeted at the router. Apparently the router fails to handle the network traffic and crashes. Further information is not available.
 18-10-2004:  3Com OfficeConnect ADSL Wireless 11g Firewall Router Authentication Bypass Vulnerability (http://www.securityfocus.com/bid/11438)
 15-10-2004:  3Com OfficeConnect ADSL Wireless 11g Firewall Router Multiple Unspecified Vulnerabilities (http://www.securityfocus.com/bid/11422)
 13-10-2004:  3Com 3CRADSL72 ADSL Wireless Router Information Disclosure and Authentication Bypass Vulnerabilities (http://www.securityfocus.com/bid/11408)
  • 3Com 3CRADSL72 is reported prone to an information disclosure and an authentication bypass vulnerability. This issue can allow a remote attacker to disclose sensitive information such as the router name, primary and secondary DNS servers, and default gateway. Attackers could also reportedly gain administrative access to the router. If successful, these vulnerabilities can be used to launch other attacks against the device and other users on the vulnerable network.
  • Exploit: Open the URL http://device/app_sta.stm in a browser.

Accton:

Default settings:

Model | SSID | Credentials | Settings | Comments
Misc | WLAN | | Default Channel: 11; MAC addr: 00:30:F1:XX:XX:XX |

Acrowave:

Default settings: Unknown

Vulnerabilities:

Date Link
 12-05-2005:  Acrowave AAP-3100AR Wireless Router Authentication Bypass Vulnerability (http://www.securityfocus.com/bid/13613)
  • Acrowave AAP-3100AR routers are susceptible to an authentication bypass vulnerability. This vulnerability allows remote attackers to gain administrative access to affected devices. Due to code reuse, it is likely that other devices are also vulnerable to this issue.
  • Telnet to the device and press CTRL+C at either the user name or password prompt. The device crashes and restarts; during that reboot it provides a prompt without requiring any username or password.

Addtron:

Default settings:

Model | SSID | Credentials | Settings | Comments
Misc | WLAN | | |

Apple:

Default settings:

Model | SSID | Credentials | Settings | Comments
Misc english | AirPort Network | | |
Misc german | AirPort Netzwerk | | |

Belkin:

Date Link
 26-08-2002:  Belkin F5D6130 Wireless Network Access Point SNMP Request Denial Of Service Vulnerability (http://www.securityfocus.com/bid/5571)
  • Reportedly, this issue may be exploited by making a sequence of SNMP requests. A valid community name is not required. After a number of SNMP requests are made, the device will fail to respond to further requests. Additionally, all wireless connections will be dropped, and new connections refused. Under some conditions, the device may also fail to respond on the ethernet interface.
  • snmpwalk <ip address> <arbitrary objectID>

Baystack:

Default settings:

Model | SSID | Credentials | Settings | Comments
650/660 802.11 DS AP | Default SSID | admin / <none> | Default Channel: 1; MAC addr: 00:20:d8:XX:XX:XX |

BT:

Date Link
 22-06-2004:  BT Voyager 2000 Wireless ADSL Router SNMP Community String Information Disclosure Vulnerability (http://www.securityfocus.com/bid/10589)
  • BT Voyager 2000 Wireless ADSL Router is reported prone to a sensitive information disclosure vulnerability. It is reported that 'public' SNMP MIB community strings, which are world readable by default, contain sensitive information pertaining to the internal protected network. Data collected by exploiting this vulnerability may be used in further attacks against the victim network.
  • snmpwalk -v 1 -c public 192.168.1.1
SNMPv2-MIB::sysDescr.0 = STRING: BT Voyager 2000 Wireless ADSL Router
-snip-
SNMPv2-SMI::transmission.23.2.3.1.5.5.1 = STRING: "name.surname@btbroadband.com"
SNMPv2-SMI::transmission.23.2.3.1.6.0.8 = ""
SNMPv2-SMI::transmission.23.2.3.1.6.5.1 = STRING: "password"
-snip- 

Buffalo:

Date Link
 04-04-2003:  Buffalo WBRG54 Wireless Broadband Router Denial Of Service Vulnerability (http://www.securityfocus.com/bid/7282)
  • A vulnerability has been reported for the WBRG54 device that may result in a denial of service. The vulnerability occurs when a vulnerable device receives numerous ICMP packets. In some cases, this will result in the device behaving unpredictably and denying service.

Cabletron:

Default settings:

Model | SSID | Credentials | Settings | Comments
Misc | RoamAbout | | |

Cisco:

Default settings:

Model | SSID | Credentials | Settings | Comments
Aironet access-points | tsunami | | |
Some older ones | 2 | | |

Compaq:

Default settings:

Model | SSID | Credentials | Settings | Comments
Misc | Compaq | | |

Vulnerabilities:

Date Link
 28-01-2002:  Compaq Intel PRO/Wireless 2011B LAN USB Device Driver Information Disclosure Vulnerability (http://www.securityfocus.com/bid/3968)
  • The Compaq Intel PRO/Wireless 2011B LAN USB Device driver may disclose sensitive information to local attackers. The 128-bit WEP (Wired Equivalent Privacy) key is stored in plaintext in the registry and may be viewed by unprivileged local users.

D-Link:

Default settings:

Model | SSID | Settings | Comments
DL-713 802.11 DS | WLAN | Default Channel: 11; Default IP: DHCP |
DI-624 AirPlus XtremeG | default | Default user: admin; Default pass: admin |
DWL-G730AP | default | Default IP: 192.168.0.30; Default user: admin; Default pass: no default password |

Vulnerabilities:

Date Link
 21-12-2001:  D-Link DWL-1000AP Wireless LAN Access Point Plaintext Password Vulnerability (http://www.securityfocus.com/bid/3735)
  • D-Link DWL-1000AP is an 11 Mbps wireless LAN access point product, which is geared towards home users. It supports WEP, MAC address control and user authentication. An oversight in the design of this product creates a vulnerability which may be exploited by an attacker to hijack the access point. The administrative password is stored in plaintext in the default "public" MIB. Any attacker within range, using an SNMP client, can reveal the administrative password by browsing the "public" MIB.
  • This issue may be exploited with any SNMP client.
 21-12-2001:  D-Link WL-1000AP Wireless LAN Access Point Public Community String Vulnerability (http://www.securityfocus.com/bid/3736)
  • A default read-only SNMP community string entitled "public" exists on the device. This community string is hard-coded into the product and cannot be changed with the configuration interface. As a result, an attacker may use an SNMP client to browse sensitive information contained in the "public" MIB.
  • This issue may be exploited with any SNMP client.

Edimax:

Default settings:

Model | SSID | Settings | Comments
7205APL | | Default user: guest; Default pass: 1234 |
AR-6004 | | Default user: admin; Default pass: 1234 |

Vulnerabilities:

Date Link
 10-06-2004:  Edimax 7205APL 802.11b Wireless Access Point default Backdoor Account Vulnerability (http://www.securityfocus.com/bid/10512)
  • The Edimax 7205APL is reported to contain a default account ("guest"), which reportedly can't be removed. This account has permissions to create settings back-up files ("config.bin"), which include all passwords for the device in clear text.

ELSA:

Default settings:

Model | SSID | Settings | Comments
Lancom Wireless L-11 / Airlancer | ELSA | |

Gigabyte:

Date Link
 24-02-2004:  Gigabyte Gn-B46B Wireless Router Authentication Bypass Vulnerability (http://www.securityfocus.com/bid/9740)
  • Gigabyte Gn-B46B appliance has been reported prone to an authentication bypass vulnerability. It has been reported that an attacker may save the router HTML menu on a local machine and then use this menu to access and configure an accessible router without requiring prior authentication.

Intel:

Default settings:

Model | SSID | Credentials | Settings | Comments
Pro/Wireless | 101 | | Default Channel: 3 |
Pro/Wireless | xlan | | |
Pro/Wireless | intel | | |
Pro/Wireless | 195 | | |

Vulnerabilities:

Date Link
 28-01-2002:  Compaq Intel PRO/Wireless 2011B LAN USB Device Driver Information Disclosure Vulnerability (http://www.securityfocus.com/bid/3968)
  • The Compaq Intel PRO/Wireless 2011B LAN USB Device driver may disclose sensitive information to local attackers. The 128-bit WEP (Wired Equivalent Privacy) key is stored in plaintext in the registry and may be viewed by unprivileged local users.

Linksys:

Default settings:

Model | SSID | Credentials | Settings | Comments
WAP-11 | linksys | | Default Channel: 6; Default WEP key one: 10 11 12 13 14 15; Default WEP key two: 20 21 22 23 24 25; Default WEP key three: 30 31 32 33 34 35; Default WEP key four: 40 41 42 43 44 45 |
WPC-11 | Wireless | | |
Wireless-G VPN Broadband Router | linksys-g | | Default user: admin; Default pass: admin |

Vulnerabilities:

Date Link
 07-04-2005:  Linksys WET11 Password Update Remote Authentication Bypass Vulnerability (http://www.securityfocus.com/bid/13051)

Logitech:

Date Link
 15-05-2001:  Logitech Wireless Peripheral Device Man in the Middle Vulnerability (http://www.securityfocus.com/bid/2738)
  • A problem with Logitech wireless mice and keyboards makes it possible for remote users to gain unauthorized access to resources. It is possible for a user with equipment capable of monitoring the frequencies used to communicate between the base receiver and devices to watch the session. Additionally, a user with similar equipment that has been altered may be able to gain control of the session. This problem makes it possible for a remote user to gain console access to an unauthorized system, either by watching keystrokes, or by session hijacking.

Longshine:

Date Link
 06-01-2003:  Longshine Wireless Access Point Devices Information Disclosure Vulnerability (http://www.securityfocus.com/bid/6533)
  • The Longshine LCS-883R-AC-B device will allow tftp connections. An attacker can exploit this vulnerability to connect via tftp to the access point and download the configuration file without any authentication.

Lucent:

Default settings:

Model | SSID | Credentials | Settings | Comments
Misc | RoamAbout | | |

Microsoft:

Default settings:

Model | SSID | Settings | Comments
MN-700 802.11g | MSNHOME | Default user: admin |
MN-500 802.11b | MSNHOME | Default user: admin |

Vulnerabilities:

Date Link
 04-12-2002:  Microsoft Windows XP Wireless LAN AP Information Disclosure Vulnerability (http://www.securityfocus.com/bid/6312)
  • An attacker can exploit this vulnerability to set up an AP with the same SSID (Service Set ID) of a previously configured AP. When the vulnerable system recognizes this malicious AP, it will then begin transmission of data. This can be exploited by an attacker to intercept and decrypt any transmissions received from a vulnerable system. Information obtained in this manner may be used to launch further, destructive attacks against a vulnerable system.

Motorola:

Date Link
 23-09-2004:  Motorola WR850G Wireless Router Remote Authentication Bypass Vulnerability (http://www.securityfocus.com/bid/11241)
  • Motorola WR850G wireless router is reported prone to a remote authentication bypass vulnerability. This issue is caused by a design error and may allow an attacker to ultimately take complete control over the device. A remote attacker can gain access to the Web interface of the affected device by periodically attempting to access restricted pages such as the 'ver.asp' script.

Netgear:

Default settings:

Model | SSID | Settings | Comments
Most old ones | Wireless | Default Channel: 6; Default IP address: 192.168.0.5; Default WEP: Disabled; Default WEP KEY1: 11 11 11 11 11; Default WEP KEY2: 20 21 22 23 24; Default WEP KEY3: 30 31 32 33 34; Default WEP KEY4: 40 41 42 43 44; Default MAC: 00:30:ab:xx:xx:xx |
Newer access points | NETGEAR | Default user: admin; Default pass: password |

Vulnerabilities:

Date Link
 02-11-2004:  NetGear ProSafe Dual Band Wireless VPN Firewall Default SNMP Community String Vulnerability (http://www.securityfocus.com/bid/11580)
  • ProSafe Dual Band Wireless VPN Firewall is reported prone to a vulnerability that can allow remote attackers to gain sensitive information about a network protected by the device. This issue presents itself because the appliance uses a default community string for SNMP.
 03-06-2004:  Netgear WG602 Wireless Access Point Default Backdoor Account Vulnerability (http://www.securityfocus.com/bid/10459)
  • Netgear WG602 reportedly contains a default administrative account (super/superman). This issue can allow a remote attacker to gain administrative access to the device.
 10-12-2003:  NetGear WAB102 Wireless Access Point Password Management Vulnerabilities (http://www.securityfocus.com/bid/9194)
  • It has been reported that NetGear WAB102 Wireless Access Point may be prone to multiple password management issues that could allow an attacker to gain access to a vulnerable unit. An attacker may be able to access the unit by supplying any password containing a space. Another issue causes the password to be reset to the default password of '1234' when the unit loses power and is reset.
 03-04-2003:  Netgear FM114P ProSafe Wireless Router UPnP Information Disclosure Vulnerability (http://www.securityfocus.com/bid/7267)
  • The Netgear FM114P ProSafe Wireless Router is vulnerable to information disclosure. If Remote Access and Universal Plug and Play are both enabled on the WAN interface, a UPnP SOAP request can retrieve the username and password for the WAN interface.
  • The following request will retrieve the username from the FM114P:
POST /upnp/service/WANPPPConnection HTTP/1.1
HOST: 192.168.0.1:80
SOAPACTION: "urn:schemas-upnp-org:service:WANPPPConnection:1#GetUserName"
CONTENT-TYPE: text/xml ; charset="utf-8"
Content-Length: 289
 03-04-2003:  Netgear FM114P ProSafe Wireless Router Rule Bypass Vulnerability (http://www.securityfocus.com/bid/7270)
  • The Netgear FM114P allows certain ports to be blocked, both for external users attempting to enter the local network and for local users connecting to the WAN. If Remote Access and Universal Plug and Play are both enabled on the WAN interface, a UPnP SOAP request can cause a connection to be initiated through a port that is normally blocked.
 10-02-2003:  Netgear FM114P Wireless Firewall File Disclosure Vulnerability (http://www.securityfocus.com/bid/6807)
  • Netgear FM114P Wireless Firewalls allow directory traversal using escaped character sequences. It is possible for an unauthenticated user to retrieve the firewall's configuration file by escaping from the /upnp/service directory.
  • This vulnerability can be exploited using a web browser. The following proof of concept was provided: http://<ip-or-hostname>:<port>/upnp/service/%2e%2e%2fnetgear.cfg
 10-10-2002:  Netgear FM114P Wireless Firewall TCP Connect Denial of Service Vulnerability (http://www.securityfocus.com/bid/5940)
  • Netgear FM114P Cable/DSL Prosafe 802.11b Wireless Firewall may be vulnerable to a denial of service condition. If an unusually large number of TCP connections are made to the device, it will stop responding and cease to process traffic.
 10-10-2002:  Netgear FM114P Wireless Firewall Information Disclosure Vulnerability (http://www.securityfocus.com/bid/5943)
  • When configured to backup configuration settings, the device will store various information in cleartext. Accessing this file could allow an attacker to obtain sensitive information which could aid the attacker in compromising the web administration interface of the device. It should be noted that the backup option is not enabled by default, but is a common feature used by administrators.

Nortel:

Date Link
 02-03-2004:  Nortel Wireless LAN Access Point 2200 Series Denial Of Service Vulnerability (http://www.securityfocus.com/bid/9787)
  • Nortel Wireless LAN Access Point 2200 series appliances have been reported to be prone to a remote denial of service vulnerability. The issue is reported to present itself when a large network request is handled by one of the Wireless LAN Access Point default administration services. This will reportedly cause the Access Point Appliance Operating service to crash, effectively denying service to legitimate users.
  • POC: http://downloads.securityfocus.com/vulnerabilities/exploits/WLAN-DoS.c


Proxim:

Default settings:

Model | SSID | Settings | Comments
Misc (example AP600) | | Default user: <none>; Default password: public; SNMP password: public |

SMC:

Default settings:

Model | SSID | Settings | Comments
SMC2652W | WLAN | Default Channel: 11; Default HTTP: user: default, pass: WLAN_AP; Default MAC: 00:90:d1:00:b7:6b (00:90:d1:xx:xx:xx); Console Port: No Password, AT command set |
SMC 2526W | WLAN | Default IP: 192.168.0.254; Default MAC: 00:90:d1:00:11:11 (00:90:d1:xx:xx:xx); Default AP Name: MiniAP; Default Channel: 11; Default Admin Pass: MiniAP |
SMC 2682W | BRIDGE | Default Channel: 11; Default Admin pass: WLAN_BRIDGE; Default MAC: 00:90:d1:00:b8:9c (00:90:d1:xx:xx:xx) |
Misc | SMC | Default Channel: 6; Default MAC: 00:4E:2B:A0:XX:XX |

Vulnerabilities:

Date Link
 11-06-2003:  SMC Wireless Router Malformed PPTP Packet Denial of Service Vulnerability (http://www.securityfocus.com/bid/7876)
  • A vulnerability has been discovered in the SMC SMC7004VWBR wireless router. The problem is said to occur while processing a sequence of malformed PPTP packets received via the local interface. Successful exploitation of this vulnerability will result in the router no longer responding to internal wireless traffic.

SOHOware:

Default settings:

Model | SSID | Settings | Comments
NetBlaster II | The MAC address of the device (see the BSSID in Ethereal) | Default MAC: 00:80:c6:xx:xx:xx; Default Channel: 8 |

Symantec:

Date Link
 09-06-2004:  Symantec Gateway Security 360R Wireless VPN Bypass Weakness (http://www.securityfocus.com/bid/10502)
  • Symantec Gateway Security 360R may be prone to a weakness that could allow a remote attacker to establish an insecure wireless connection with an internal computer.

Symbol:

Default settings:

Model | SSID | Settings | Comments
AP41x1 and LA41x1 / LA41x3 | 101 | Default MAC: 00:a0:0f:xx:xx:xx; Default WEP key one: 10 11 12 13 14 15; Default WEP key two: 20 21 22 23 24 25; Default WEP key three: 30 31 32 33 34 35; Default WEP key four: 40 41 42 43 44 45 |

Sweex:

Date Link
 13-05-2004:  Sweex Wireless Broadband Router/Access Point Unauthorized Access Vulnerability (http://www.securityfocus.com/bid/10339)
  • It has been reported that Sweex Wireless Broadband Router/Access Point is prone to a vulnerability that may allow a remote attacker to gain unauthorized access to a vulnerable access point. It has been reported that the access point has a TFTP service running that is enabled by default. Successful exploitation of this issue may allow a remote attacker to gain access to sensitive information that could eventually allow an attacker to completely compromise the access point.

TELETRONICS:

Default settings:

Model | SSID | Settings | Comments
Misc | any | Default Password: 1234; Console Port: No password, AT command set |

U.S. Robotics:

Default settings:

Model | SSID | Settings | Comments
USR808054 | WLAN or USR808054 | Default Channel: 6; Default IP address: 192.168.123.254; Default Service: http; Default username: admin; Default password: there is no default password |
USR8022 | WLAN or USR8022 | Default IP address: 192.168.123.254 |
USR9106 | USR9106 | Default IP address: 192.168.1.1; Default username: admin; Default password: admin |

Vulnerabilities:

Date Link
  U.S. Robotics USR808054 Wireless Access Point Web Administration Denial Of Service Vulnerability (http://www.securityfocus.com/bid/10840)
  • The USR808054 wireless access point is reported to contain a denial of service vulnerability in its embedded web server. When malicious requests are received by the device, it will reportedly crash, denying service to legitimate users of the access point. This issue can be exploited by anybody with network connectivity to the administration HTTP server; no authentication is required.
  • Example: perl -e '$a = "GET / " . "A"x250 . "\r\n\r\n" ; print $a' | nc ap 80

WaveLan Family:

Default settings:

Model | SSID | Settings | Comments
Misc | WaveLAN Network | Default channel: 3 |

ZCOMAX:

Default settings:

Model | SSID | Settings | Comments
XWL450 | any | Default password: 1234; Console Port: No Password, AT command set |
XWL450 | melo | Default password: 1234; Console Port: No Password, AT command set |
XWL450 | test | Default password: 1234; Console Port: No Password, AT command set |

Zonet:

Date Link
 23-04-2004:  Zonet Wireless Router NAT Implementation Design Flaw Vulnerability (http://www.securityfocus.com/bid/10225)
  • A vulnerability has been reported to affect the implementation of NAT for the ZSR1104WE model Zonet Wireless Router. NAT for the wireless interface on the ZSR1104WE appliance is reported to modify IP data so that on the internal network, the origin address of forwarded traffic is that of the affected appliance. This issue may render the implementation of access controls on an internal host impossible.

Zyxel:

Default settings:

Model | SSID | Settings | Comments
Prestige 316 Gateway/Natbox/WirelessBridge | Wireless | Default Channel: 1; Default console pass: 1234; Default telnet pass: 1234; Console Port: Same password for system, ansi/vt100 terminal |
Zyxel "General AP" | ZyXEL | Default Channel: 1; Default IP address: 192.168.1.1; Default telnet username/password: admin/1234; Default web username/password: user/1234; Web port: 8080 |

 
