Backdoor instructions for Allied Telesyn (Telesis) Switches


  • SPYRO KiD
  • admin[~@t~]spyrozone[~d.t~]net
  • Saturday, May 28th, 2011
  • CopyLEFT (c) 2011++ www.spyrozone.net All Rights Reserved


You have no doubt heard the news that the instructions for using Allied Telesyn's backdoors were leaked through the company's own negligence. The document spread after an article's category setting was mistakenly changed from “public-internal” to “public global”.

Below are those confidential documents. You can use this information to exploit networks around you. Well, who knows, someone may be using Allied Telesyn ^^” Or simply look for targets using SHODAN – Computer Search Engine. Any misuse of this information is entirely your own responsibility.

Enjoy ;)

Layer 3 Backdoor Password

Recovering a lost password on a Router or Rapier

If your password for a router configuration file is lost, the following procedure will return it to the default.

  1. Connect to the router using an RS-232 cable
  2. Connect to the router via HyperTerminal
  3. Settings for HyperTerminal = 9600 – 8 – None – 1   Flow Control = None
  4. Power cycle the router and immediately press the s key continuously until you see the login prompt > (the router starts up with the current release but no configuration).
  5. You will now have to delete the previous manager password configuration line described below using the internal text editor. The editor is invoked with the command:
    EDIT  filename.cfg     (filename is the name of your config file)
    Delete the line that states:
    set user=manager pass=3af00c6cad11f7ab5db4467b66ce503eff priv=manager
    Save and exit the editor by pressing the key sequence Ctrl k x
  6. Now, type the command >restart router to reload the original configuration.  The manager password is now regenerated as “friend”
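
A defender's check built on steps 5 and 6, as an added example that is not part of the original document: because a configuration file without the `set user=manager` line leaves the manager account on its default password, exported configs that lack that line, or that define other manager-privileged accounts, deserve review. The function names and sample configs are constructed, and treating user lines as space-separated key=value pairs is an assumption generalised from the one line shown.

```python
import re

# Syntax taken from the single line shown in step 5:
#   set user=manager pass=<hash> priv=manager
# Assumption: every user line is "set user=<name>" followed by
# space-separated key=value pairs, matched case-insensitively.
USER_LINE = re.compile(r"^\s*set\s+user=(\S+)(.*)$", re.IGNORECASE)

# Constructed sample configs (hash values are placeholders, not real).
CFG_INTACT = """\
set user=manager pass=00112233445566778899aabbccddeeff00 priv=manager
"""
CFG_EDITED = """\
SET USER=backup PASS=ffeeddccbbaa99887766554433221100ff PRIV=MANAGER
"""


def parse_users(cfg_text):
    """Return {username: {key: value}} for every 'set user=' line."""
    users = {}
    for line in cfg_text.splitlines():
        m = USER_LINE.match(line)
        if not m:
            continue
        pairs = (tok.split("=", 1) for tok in m.group(2).split() if "=" in tok)
        users[m.group(1).lower()] = {k.lower(): v for k, v in pairs}
    return users


def audit_config(cfg_text):
    """Return review findings for one configuration file."""
    findings = []
    users = parse_users(cfg_text)
    manager = users.get("manager")
    if manager is None or not manager.get("pass"):
        # Step 6: with the line gone, the manager password reverts
        # to the default after a restart.
        findings.append("manager: no stored password line, default applies")
    for name, attrs in users.items():
        if name != "manager" and attrs.get("priv", "").lower() == "manager":
            findings.append(f"{name}: extra account with manager privilege")
    return findings


if __name__ == "__main__":
    for label, cfg in (("intact", CFG_INTACT), ("edited", CFG_EDITED)):
        print(label, audit_config(cfg) or "no findings")
```

Running it over each backed-up configuration file and comparing the findings between backups shows when a manager line has disappeared.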

Password List

| PRODUCT | SWITCH FIRMWARE | CURRENT CODE | DEFAULT LOGIN / PASSWORD | BACKDOOR |
|---|---|---|---|---|
| AT-TS12 | | | | Special Function |
| AT-37XX | S20 | 3.4 | N/A | manager / hold ctrl key & type ati, press return twice |
| AT-8118, 8124XL (V1), 8126XL | S21 | 1.5 | N/A | manager / hold ctrl key & type ati, press return twice |
| AT-8216FXL, 8224XL, 8288XL | S24 | 3.1.0 | manager / friend | manager / hold ctrl key & type ati |
| AT-8316F, 8324 | S25 | 2.0.2 | N/A | manager / hold ctrl key & type ati |
| AT-9006T, 9006LX/SC, 9006SX/SC | S26 | 2.4 | N/A | manager / hold ctrl key & type ati |
| AT-8324SX | S29 | 1.402 | admin / no password | Tiger / Tiger123 |
| AT-PBC18 | S31 | 1.1.4 | manager / friend | manager / hold ctrl key & type ati |
| AT-8124XL (V2) After Oct 2000 | S30 | 1.0.3 | admin / no password | AT-8124XL / ATS30 |
| | S30 | 1.0.4 | admin / no password | Backdoor Generator (requires MAC address) |
| AT-80xx | S39 | 3.3.1 | manager / friend | manager / hold ctrl key & type ati |
| AT-8326GB, 8350GB | S41 | 1.1.8 | manager / manager | Backdoor Generator (requires MAC address) |
| AT-9410GB | S45 | 1.0.9d | manager / manager | Backdoor Generator (requires MAC address) |
| AT-8400, 8411, 8412, 8413, 8414 | S60 | 2.1.0 | manager / friend | manager / hold ctrl key & type ati |
| AT-85xx | S62 | 1.4.0 | manager / friend | 1.2.0: manager / hold ctrl key & type ati; 1.4.0: Special Function |
| AT-94xx | S63 | 1.1.0 | manager / friend | |
| AT-FS7016, FS7024 | S67, S68 | 1.0.0 | n/a / friend | no user name / press ctrl key & type ati |
| AT-GS950/16, /24 | S79 | 1.0.0.55 | manager / friend | Backdoor Generator (requires MAC address) |
| AT-FS750 | S80 | 1.0.0.49 | manager / friend | Backdoor Generator (requires MAC address) |
| AT-8000/8POE | S81 | 1.0.0 | manager / manager | Backdoor Generator (requires MAC address) |
| AT-8000S | | 1.0.0.25 | manager / friend | Backdoor Generator (requires MAC address) |
| AT-GS950/8 | S82 | 1.01.B47 | manager / friend | Backdoor Generator (requires MAC address) |
| AT-9000/24 | S84 | 1.1.0.28 | manager / friend | Backdoor Generator (requires MAC address) |
| Rapier, AR300, AR400, AR700, 86xx, 87xx, 88xx, 89xx, 98xx, 99xx | | 2.9.1 | manager / friend | Special Function |
| iMAP Series – 7100, 7400, 7700, 9100, 9400, 9700 | | 9.0.2 | officer / officer | Special Function |
| AR220e | | | root / n/a | No Backdoor, requires full factory reset; firmware < 1.11 = First Aid utility; firmware > 1.11 = port 1 and 4 loop on power up |
| AT-MCM02 | | | manager / ATI | |

Download Backdoor Generator

www.spyrozone.net_Backdoor_Generators.zip
Password: www.spyrozone.net

Special Function Instruction

PBC18 (S31)

  • Account:        manager
  • Password:       <ctl>ati

Note 1: this password only works on a console port connection.

TS12 (S10)

  1. Power the switch down by pulling the plug
  2. Put the plug back in, and watch the three LEDs (RED, Yellow, Green)  to the right of the console port
  3. RED LED is labeled fault
  4. Yellow LED is labeled master
  5. Green LED is labeled power
  6. On power up you will see the following sequence of the LEDs
                     Sequence 1       Sequence 2             Sequence 3
        RED             ON                ON                     OFF
        Yellow          ON                OFF                    ON
        Green           ON                ON                     ON
  7. Look carefully on power up for the RED LED to be on, and the Yellow LED to be OFF
  8. Start hitting the <enter> key (about 2x a second)
  9. You need to hit the <enter> key on the transition of the RED LED to off and the Yellow LED to ON
  10. The backdoor password is basically hitting the <enter> key on the transition from Sequence 2 to Sequence 3.

FH800 (S48)

Password reset procedure

  1. Set-up a Local RS232 Terminal Session with the AT-FH801 Management Agent Module. The Log-in Screen should appear.   Do not Login.
  2. Remove power from the hub.     If the Master Hub is part of a Stack of FH800 Hubs power down the entire stack and then disconnect the Master Hub from the Stack for the remainder of this procedure.
  3. Reapply power to the master hub and monitor the terminal display screen.
  4. When the “Post” is performing the System DRAM Memory Test, the terminal screen will display various tests.  During the pause at the end of the line that reads:
    “Testing System DRAM’s Address Bus ………”
    and before the DRAM Test completes and prints the results, type the following character string: g o [Ctrl b] e n g
    NOTE: All characters are lower case with no spaces. [Ctrl b] means hold the control key down while you press the letter b. You have about 5 seconds to do this.
  5. Wait until the end of the POST Cycle.
  6. If you caught the pause at the right time and entered the proper key sequence, in the lower left-hand corner of the screen you will see a Pro> prompt.
  7. If the screen does not display the Pro> prompt, repeat steps 1 through 6 until you get it.
  8. At the Pro> prompt enter ER and then Enter
    - The “ER”ase command will clear the configuration data stored in Flash EEPROM. (Do not enter any other key combinations)
  9. Power cycle the master hub as described in steps 2 and 3.   After the POST the Management Agent will load the system software image and allow the user to log in with the factory default setting as either:
          User Name :  “admin”           or      User Name :      “user”
          Password  :  no password               Password  :       no password
  10. The “admin” user needs to log in to the Local Management Agent and restore the network configuration parameters unique to his network.
  11. If the Master Hub was part of a stack, power down the entire stack and reconnect the master hub to the stack. Re-power the stack starting from the top down.

8116

  • Account:               (any alpha numeric sequence)
  • Password:              (no password)

8324SX (S29)

  • Account:                              tiger
  • Password:                             tiger123

8124XL (S30 prior to 104)

  • Account:       AT-8124XL
  • Password:      ATS30

(S30v104)

Run program: 8124pwd.exe, enter MAC address (e.g.: 00 30 84 de 44 6c)

  • Account:       admin
  • Password:      (output from 8124pwd.exe)

3726XL(S20), 8126XL(S21)

  • Account:        manager
  • Password:       <ctl>ati

Note 1: this password only works on a console port connection.
Note 2: you must press return twice after entering the password.

8224 (S24), 8324 (S25), 8024 (S39), 8400 (S60)

  • Account:        manager
  • Password:       <ctl>ati

Note 1: this password only works on a console port connection.
Note 2: switches with Radius enabled must be disconnected from Radius server in order to default to local authentication.

8326GB, 8350GB (S41), 9410GB (S45)
Run program: backdoor.exe, enter MAC address (e.g.: 00 30 84 de 44 6c)

  • Account:       manager
  • Password:      (output from backdoor.exe)

8324SX

  • Account:                               tiger
  • Password:                              tiger123

FS7016 (S67), FS7024 (S68)
Password:                   <ctl>ati

8000/8POE

Run program: 8000-8.exe, enter MAC address (e.g.: 00 30 84 de 44 6c)

  • Account:       manager
  • Password:      (output from 8000-8.exe)

9000/24
Run program: 9000.exe, enter MAC address (e.g.: 00 30 84 de 44 6c)

  • Account:        manager
  • Password:       (output from 9000.exe)

FS750

Run program: FS750.exe, enter MAC address (e.g.: 00 30 84 de 44 6c)

  • Account:       manager
  • Password:      (output from FS750.exe)

GS950

Run program: GS950.exe, enter MAC address (e.g.: 00 30 84 de 44 6c)

  • Account:       manager
  • Password:      (output from GS950.exe)

AT-8516F/SC, AT-8524M, AT-8524POE, AT-8550GB, AT-8550SP

  1. Connect to the console port.
  2. Power cycle the switch.
  3. When the following message is displayed, type the letter “s” before the switch counts to zero:
    Press <CTRL>B key to go to Boot prompt… 5
  4. When the switch finishes the boot process, press enter. You will be logged on with manager privilege and can change the manager password without entering the old password.
    e.g.:
    #set password manager
    Enter new manager password->*****
    Re-enter manager password ->*****
    #


//E.O.F