I’ve come across various serial-to-ethernet adapters over the years. What’s a serial-to-ethernet adapter? It lets you plug a device that communicates over serial (e.g. RS-232) into an IP network. For example, maybe you have a temperature sensor that shares out readings via a serial interface. You hook this sensor into an IP network via a serial-to-ethernet adapter. Voilà, now you can get your readings from your desktop, server, etc.
Recently I’ve crossed paths with some Lantronix serial-to-ethernet adapters.
Some notable things that stand out on these devices:
- Web-based configuration has a blank default username/password
- Telnetting to 9999/TCP offers another means of configuration; again, no password is necessary by default.
- 30718/UDP runs a service by which information about the device can be queried, and configuration may be done.
There are many functions available over 30718/UDP. After some time googling, I discovered a zip file containing documents which detail these functions.
- Node reset (03)
- Firmware version query (F6)
- Response to firmware version query (F7)
- Setup record query (F8)
- Response to setup record query (F9)
- Set configuration – supplying a setup record (FA)
- Response to set configuration (FB)
- Set IP address (FC)
So, the device can be reset, configured, and have its IP address changed all via UDP, huh…
Particularly funny is that the response to a setup record query has a field for “telnet config password”. If I’m understanding correctly, if 9999/TCP has a password, you can just look up the password over 30718/UDP.
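To watch for this on your own network, here is a small detection sketch (an added example, not code from the original post or from Lantronix) that classifies 30718/UDP datagrams by the function codes listed above and alerts when the requester is not a known management host. It assumes the function code is the fourth payload byte after three zero bytes; the severities, the trusted-host set and the sample traffic are constructed for illustration.

```python
LANTRONIX_UDP_PORT = 30718

# Function codes as listed in the post, with a severity chosen for this example.
FUNCTIONS = {
    0x03: ("node reset", "high"),
    0xF6: ("firmware version query", "low"),
    0xF7: ("firmware version response", "low"),
    0xF8: ("setup record query", "medium"),
    0xF9: ("setup record response", "high"),  # holds the telnet config password field
    0xFA: ("set configuration", "high"),
    0xFB: ("set configuration response", "medium"),
    0xFC: ("set IP address", "high"),
}

def classify(payload):
    """Return (name, severity) for a 30718/UDP payload, or None if unrecognized."""
    # Assumed layout: three zero bytes followed by the one-byte function code.
    if len(payload) < 4 or payload[:3] != b"\x00\x00\x00":
        return None
    return FUNCTIONS.get(payload[3])

def alerts(datagrams, trusted=frozenset()):
    """Return alerts for config-protocol traffic whose requester is not trusted.

    datagrams: iterable of (src_ip, src_port, dst_ip, dst_port, payload).
    """
    found = []
    for src, sport, dst, dport, payload in datagrams:
        if LANTRONIX_UDP_PORT not in (sport, dport):
            continue
        hit = classify(payload)
        if hit is None:
            continue
        # For a response (source port 30718) the requester is the destination.
        requester, device = (dst, src) if sport == LANTRONIX_UDP_PORT else (src, dst)
        if requester not in trusted:
            found.append({"requester": requester, "device": device,
                          "function": hit[0], "severity": hit[1]})
    return found

# Constructed sample traffic (documentation addresses, not a real capture).
SAMPLE = [
    ("192.0.2.5", 40000, "192.0.2.50", 30718, bytes.fromhex("000000f6")),
    ("192.0.2.99", 51000, "192.0.2.50", 30718, bytes.fromhex("000000f8")),
    ("192.0.2.50", 30718, "192.0.2.99", 51000, bytes.fromhex("000000f9") + bytes(8)),
    ("192.0.2.99", 51001, "192.0.2.50", 30718, bytes.fromhex("00000003")),
    ("192.0.2.99", 51002, "192.0.2.50", 53, bytes.fromhex("000000f8")),
    ("192.0.2.99", 51003, "192.0.2.50", 30718, b"\x01"),
]
```

In practice the tuples would come from a packet capture or flow export filtered on UDP port 30718, and a setup record response leaving the device toward an untrusted host is the alert to prioritize.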
Scanning for Lantronix Devices
What a scan looks like:
Update – 01/30/2013
Looks like some others stumbled across Lantronix and there are Metasploit modules! One extracts the telnet password, and one grabs the version from a telnet banner.