 From:  "Paul Fournier" <august70 at thefourniers dot net>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] Feature Request
 Date:  Sun, 25 Jan 2004 22:14:50 -0500
Actually, all anyone who wants to be malicious has to do is telnet to the
device on port 80 (or just try to visit it via a web browser and
unsuccessfully log in a couple times) and try a /GET a couple times, and the
router returns an error with info letting the person know what software is
running on it. After a minute or so on the m0n0wall website, they would have
the user name to log in. Granted, using strong passwords is still a smart
thing to do. If you're not looking at the logs for a couple of days, this
could give a user an opportunity to access the router.

The error from the router returns this:

(null) 400 Bad Request
Server: mini_httpd/1.19 19dec2003
Date: Mon, 26 Jan 2004 02:58:32 GMT
Cache-Control: no-cache,no-store
Content-Type: text/html; charset=%s
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style type="text/css">
 { font-family: Tahoma, Verdana, Arial, Helvetica, sans-serif; font-size:
 .pgtitle { font-size: 24px; color: #777777; font-weight: bold; }
 .rederr { font-size: 16px; font-weight: bold; color: #CC0000;}
 a { text-decoration: none; }
<body link="#0000CC" vlink="#0000CC" alink="#0000CC">
<p align="center" class="pgtitle">m0n0wall</p>
<p align="center" class="rederr">Access denied.</p>

-----Original Message-----
From: Michael Iedema [mailto:iedemam at pluto dot dsu dot edu]
Sent: Sunday, January 25, 2004 9:34 PM
To: res00vl8 at alltel dot net; m0n0wall at lists dot m0n0 dot ch
Subject: RE: [m0n0wall] Feature Request

> I don't see a problem with the login name being "admin", unless a weak

Agreed.  You are by no means 50% 'in' by knowing the username.  You are
unable to confirm the accuracy of the username without also having a
correct password.

> password is in use. If you have a problem creating strong
> passwords, there's
> plenty of free utilities out there that will create them for you.

FYI: In case anyone wanted to make their m0n0wall experience complete,
Manuel has a password generator for Windows based upon mouse movements.
It's on his other site at http://neon1.net.  It's called mkpasswd and
I've been using it for a while.  Strong, and has the 'novelty' quality
about it.

--Michael I.
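
An added example, not part of either message above and not m0n0wall or mini_httpd code: a small audit an administrator could run over an error response captured from their own device, flagging the details the quoted response exposes (the versioned Server banner, the "(null)" and "%s" that look like unexpanded printf-style output, and the product name in the body). The function name, finding labels and the trimmed sample are assumptions made for illustration.

```python
import re

# Constructed sample: the error response quoted in the message above,
# trimmed to its headers and the two body lines that name the product.
SAMPLE = (
    "(null) 400 Bad Request\r\n"
    "Server: mini_httpd/1.19 19dec2003\r\n"
    "Date: Mon, 26 Jan 2004 02:58:32 GMT\r\n"
    "Cache-Control: no-cache,no-store\r\n"
    "Content-Type: text/html; charset=%s\r\n"
    "Connection: close\r\n"
    "\r\n"
    '<p align="center" class="pgtitle">m0n0wall</p>\n'
    '<p align="center" class="rederr">Access denied.</p>\n'
)

VERSIONED = re.compile(r"^[\w.-]+/\d[\w.]*")   # product/version token, e.g. name/1.2
PLACEHOLDER = re.compile(r"\(null\)|%[sdxu]")  # leftover printf-style placeholders


def audit_response(raw, product_names=()):
    """Return (kind, detail) findings for one raw HTTP response."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    status, headers = lines[0], {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    findings = []
    # A well-formed status line starts with the protocol version.
    if not re.match(r"^HTTP/\d\.\d \d{3}", status):
        findings.append(("malformed-status-line", status))
    for name in ("server", "x-powered-by"):
        value = headers.get(name, "")
        if VERSIONED.match(value):
            findings.append(("versioned-banner", f"{name}: {value}"))
    for name, value in headers.items():
        if PLACEHOLDER.search(value):
            findings.append(("unexpanded-format", f"{name}: {value}"))
    for product in product_names:
        if product.lower() in body.lower():
            findings.append(("product-name-in-body", product))
    return findings


if __name__ == "__main__":
    for kind, detail in audit_response(SAMPLE, product_names=["m0n0wall"]):
        print(f"{kind:24} {detail}")
```

A response with a generic Server value, a proper status line and no product name in the body produces no findings.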
