I'm coming to this forum after a week or so of trying to get into this device. I'm trying to gain access to change the SIP settings to use with my PBoxes account.
What I have tried:
1: telnet and SSH into each open port on both the LAN and WAN physical port over multiple clients.
2: Used LOIC to try to get the system to crash to dump files onto the flash drive.
3: Dictionary/brute attack on the webpanel.
4: Physically trying to short out the RJ45 ports with a screwdriver to induce a system crash.
5: Opened the unit to see if there was a JTAG connector, master reset button, etc.
6: Performed factory reset through GUI - Password 7517517
7: Pushing a bunch of buttons out of frustration to get the system to crash. The device lags with each button press, which will continue to go to that area of the phone after buttons are pressed.
I have a few sources saying that there is a telnet daemon running and that it was as simple as connecting. However, this isn't the case for me.
Here are the ONLY reference links on what others have done / are doing that I can find.
Here is how my IRIS3000 is responding to scans and other attempts at accessing telnet/ssh.
Here are the ports Zenmap gave me when using -sV from WAN (192.168.1.120)
21/tcp open tcpwrapped
79/tcp open tcpwrapped
113/tcp open tcpwrapped
513/tcp open tcpwrapped
514/tcp open tcpwrapped
554/tcp open rtsp?
5060/tcp open sip?
8080/tcp open http Mbedthis-Appweb 2.4.0
I've looked up what tcpwrapped meant, and from what I can gather, hosts.allow is set. Does this mean I have to find which "host IP" I need to be to access this device?
Scan from LAN (10.100.4.1)
21/tcp open ftp
79/tcp open finger
113/tcp open auth
513/tcp open login
514/tcp open shell
554/tcp open rtsp
5060/tcp open sip
8080/tcp open http-proxy
This device DOES have a GUI and there is an administrator section, but it does not ask for a password when I try to enter, so maybe when it's highlighted you enter the password without a prompt.
The device DOES have a USB slot, so when the system crashes, logs and all those goodies are put on the flash drive. I've only gotten it to crash once, and that was accidental.
System Version: 20.6.31
I'm looking for ideas on how to get this to either crash and dump files on the flash drive, let me connect with either SSH or telnet, or just let me in the administration GUI. I'm at a loss and half tempted to solder what I believe is a JTAG connector on and attempt telnet that way.
Edited by on 27-08-11 06:24