VERSION: 1.0.5

Updated: Tuesday, May 29, 2001 by Xam of wi2600.org cru. yo.

Check wi2600.org/mediawhore/nf0/wireless regularly

./legal disclaimer The information contained within is, of course, for informational and diagnostic purposes only. Any use of this information to intentionally or unintentionally cause harm, casualty, loss of property, life, or other forms of distress is not endorsed. If in your locale, possessing information of this nature is illegal, then it is your responsibility to obey such regulations. /end legal disclaimer


Early note:

-Apple AIRPORT
-Cabletron RoamAbout 2.4 GHz DS products (newer 11mbit)
-Buffalo/Techworks Airstation 2.4 GHz DS (very new, Harris/Intersil Prism based)
-Maxgate UGATE 802.11 bridge/natbox
-newer "Orinoco" home access points
-Teklogix - so far, they appear to do factory floor automation; with 802.11 ;)
-Intel "anypoint" (proprietary HOME-RF crap..but worth keeping tabs on)

I'm still working on investigating these...

TOC:

Section 1: The Info, somewhat alphabetically

Section 2: Will eventually contain discussion of various things…

Section 3: Thanks and Credits

$$NEW SECTION!$$

Section 4: Updatez & News


SECTION 1:

Default SSIDs for several common 802.11 Access Point and PCMCIA card Products


3com AirConnect 2.4 GHz DS (newer 11mbit, Harris/Intersil Prism based)

Default SSID:   comcomcom

Notes: No known (yet) telnet/http/tftp/etc management passwords, or states of IP
configuration.

Aironet 900MHz/2.4GHz BR1000/e, BR5200/e and BR4800
Also known as Aironet 630/640 (for 900 MHz) and Aironet 340 for 2.4 GHz DSSS

Default SSID:           2 (default for all 900 MHz gear, often reused)
Default SSID:           tsunami (seems to show up randomly)

Console Port:           No Default Password
Telnet password:        No Default Password
HTTP management:        On by default, No Default Password

NOTES: There is no IP address given to the bridge(s) by default, the user will need to have enabled/setup one. However, once you have the MAC of the bridge, rarp'ing the IP address out of it is trivial, if it's been assigned one. Also, if the bridge can be forcibly restarted, default settings will allow the bridge to receive an IP address via BOOTP and/or DHCP. Introducing a rogue server may allow the device to gain a more or less known IP in the case of rarp not working.


BayStack 650/660 802.11 DS AP

Default SSID:           "Default SSID"
Default admin pass:     <none>
Default Channel:        1
MAC addr:               00:20:d8:XX:XX:XX

NOTES: default to the 10 net address, 2 mbit products.

Compaq WL-100 (reportedly also the WL-200/300/400 devices as well)

Default SSID: Compaq

More info once available.


Dlink DL-713 802.11 DS AP

Default SSID:           WLAN
Default Channel:        11
Default IP address:     DHCP-administered

Reliable info is scarce, hopefully soon we'll have more ;)

INTEL Pro/Wireless 2011 802.11 DSSS Product Families:

PC CARD:

(seen using WLAN Monitor)

Default SSID:           101
Default Channel:        3

(seen using WLAN Info program)

Default SSID:           xlan
Default Channel:        3

(seen using Wireless LAN Profile Manager)

Default SSID: intel

Access POINT/REPEATER/BRIDGE:

Default SSID: 101, 195

Default AP IP's seen:

157.235.92.238 157.235.92.200 157.235.92.169 157.235.92.104 157.235.92.23

NOTED MAC ADDRESSES:

00:A0:F8:00:C2:34 ..:..:..:..:..:74 ..:..:..:..:..:A0

It seems likely that 00:A0:F8:xx:xx:xx will be a common prefix for some bridges.

NOTES: Documentation seems to indicate that they are SNMP, HTTP, and TELNET manageable. No default passwords are known; there probably are none.


LINKSYS Product Families:


LINKSYS WAP-11 802.11 DS AP, reportedly supports repeater mode

Default SSID:           linksys
Default Channel:        6
Default WEP key one:    10 11 12 13 14 15
Default WEP key two:    20 21 22 23 24 25
Default WEP key three:  30 31 32 33 34 35
Default WEP key four:   40 41 42 43 44 45

Extended WEP key pattern:       10 11 12 13 14 15 16 17 18 1a 1b 1c ...
                                20 21 22 23 24 25 26 27 28 2a 2b 2c ...
                                30 31 32 ... until the input fields are full

Default SNMP Write:     No Authentication

NOTES: This bridge appears to have a default IP address upon first power on. It
appears to get the default of 192.168.1.250 and is configured via two methods:
local USB-connected software (from linksys), or via an SNMP-based (again, custom
linksys software) program. There appears to be no amount of authentication in
front of the bridge's configuration, even after initial configuration. Fun!
Intersil-based chipset. Appears to support diversity antenna systems, features
reverse-polarity TNC (RPTNC) RF connectors. Most likely not Eumitcom-derived.



LINKSYS WPC-11 PCMCIA 802.11b DS 2.4 GHz cards

Default Channel:        3        (win9x driver default)
Default SSID:           Wireless or linksys (win9x driver default)

Default Channel:        11 or 6  (winNt4/2k driver default)
Default SSID:           Wireless or linksys (winNt4/2k driver default)

NOTES: Card Defaults to "AdHoc" mode, not BSS or 802.11b AdHoc. Current data
has only been tested in win98, nt4, and w2k. See data on Linksys WAP11 for WEP
specifics.

MAXGATE Ugate 3200, 802.11 DS Access Point

Suspected re-use of Eumitcom OEM radio, integrated antenna. No indication of diversity operation. More info once available.


Netgear 802.11 DS products, ME102 and MA401

Default SSID:           Wireless
Default Channel:        6
Default IP address:     192.168.0.5
Default WEP:            Disabled
Default WEP KEY1:       11 11 11 11 11
Default WEP KEY2:       20 21 22 23 24
Default WEP KEY3:       30 31 32 33 34
Default WEP KEY4:       40 41 42 43 44
Default MAC:            00:30:ab:xx:xx:xx


NOTES: Harris Intersil/Prism based radio, AP supports antenna diversity,
client cards most likely do as well. SNMP over IP is typical management style.
No apparent administrative authentication. No apparent limit on
Broadcast-Associations. Have Fun!

SMC Access Point Family

SMC2652W: Single Dipole, non-diversity (OEM radio)

Default SSID:           WLAN
Default Channel:        11
Default HTTP:           user: default pass: WLAN_AP
Default MAC:            00:90:d1:00:b7:6b (00:90:d1:xx:xx:xx)
Console Port:           No Password, AT command set

NOTES: There is no IP address associated with this access point, by default… Scanning for the AP with the "AP Utility" will reveal the radio, and then also set the IP address to something in the network range of the PC running the "AP Utility."

This radio is OEM'ed from a third-party (http://www.eumitcom.com/) and as such has features similar to other devices in common use. Teletronics bridges are also eumitcom OEM products (http://www.teletronics.com). It goes without saying that exploitation of one particular brand will probably be applicable to ALL products OEM'd from the same vendor.

SMC2526W: Wireless Access Point Dual-Dipole, diversity, (non-oem)

Default SSID:           WLAN
Default IP:             192.168.0.254
Default MAC:            00:90:d1:00:11:11 (00:90:d1:xx:xx:xx)
Default AP Name:        MiniAP
Default Channel:        11
Default Admin Pass:     MiniAP

Notes: Can be DHCP client (!) if the user set up the bridge as such, can also send packets to specified Default Gateway. Mmm, free smurf toy! Uses a SNMP-Ish, IP-transported management application.

SMC2682W EZ-Connect Wireless Bridge, Single Dipole, non-diversity

Default SSID:           BRIDGE
Default Channel:        11
Default Admin pass:     WLAN_BRIDGE
Default MAC:            00:90:d1:00:b8:9c (00:90:d1:xx:xx:xx)

Notes: This baby supports network-to-network bridging, not only Access Point functions. When you see it, it may be linking some rather important stuff. Apparently, the side of the bridge link operating as the "master" can also associate wireless client cards just like a normal AP. However, the "slave" side can't. Defaults to "Bridge Master" ;) Maybe buying one of these would be a "good thing [TM]" ? Bridge seems to be DHCP-aware, if configured to pull an address via this method.


SOHOware NetBlaster II

Default SSID:           same as MAC address (example: 0080c6fac430)
Default MAC:            00:80:c6:xx:xx:xx
Default Channel:        8

Notes:  Way to go SOHOWARE! Yes! Use the MAC address as the default SSID! In
fact, go one step further and print the MAC on the base of the AP itself!

Anyway, when you see one of these, make sure you revisit the site. It has no
hope of filtering broadcast associations, so you'll be able to scan for it with
minimal effort. Gogogadget anonymous-internet-access!

Symbol AP41x1 and LA41x1 / LA41x3 802.11 DS Devices

Default SSID:           101
Default MAC:            00:a0:0f:xx:xx:xx
Default WEP key one:    10 11 12 13 14 15
Default WEP key two:    20 21 22 23 24 25
Default WEP key three:  30 31 32 33 34 35
Default WEP key four:   40 41 42 43 44 45

Extended WEP key pattern:       10 11 12 13 14 15 16 17 18 1a 1b 1c …
                                20 21 22 23 24 25 26 27 28 2a 2b 2c …
                                30 31 32 … until the input fields are full

Default Admin Pass:     unknown as of yet

Notes: Features HTTP and TELNET management, probably has weak/lame default password (if any). No notes on default IP address, although RARP is said to be supported by the bridge (i.e. associate & yank the IP from the bridge's MAC ;)



TELETRONICS WL-Access Points (1/2 Mbit, and 11 Mbit)

Default SSID:           any
Default Password:       1234
Console port:           No password, AT command set

NOTES: Funny how this bridge/access point has the same defaults as the ZCOMAX
bridge. It's rather apparent that they both utilized the same OEM product from
Eumitcom. Configuration Utility is required to modify settings if not using
local serial port.

Wave Lan Family:

Default SSID:           "WaveLAN Network"
Default channel:        3

NOTES: It seems that various incarnations of Wavelan-Based devices are cropping up all over. I've come across several OEMs which use the Wavelan cards, and even go so far as to support COR/ROR modes of operation (i.e. the proprietary method point-to-multipoint and dedicated-links can optionally operate in when using Wavelan hardware).


ZCOMAX 1/2 Mbit DS 802.11 Station Bridges/Repeaters/Access point, model XWL450

Default SSID:           any, mello, or Test (all three are mentioned, "any"
                                                seems to be a common default)
Default password:       1234
Console port:           No Password, AT command set

NOTES: User must use the ZCOMAX Wireless Lan "software" utility (more raw, non
IP ethernet configuration). No IP address is known to exist on the bridge.
ZCOMAX is the new product name for MAXTECH's wireless products. (as of sometime
in mid 2000)

ZYXEL Prestige 316 Gateway/Natbox/WirelessBridge (DS 802.11 capable)

Default SSID:           Wireless
Default Channel:        1 (2412 MHz)
Default console pass:   1234
Default telnet pass:    1234
Console Port:           Same password for system, ansi/vt100 terminal
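
Added example, not part of the original listing: a small Python audit that checks your own AP inventory or site-survey export against the factory defaults listed in Section 1 (default SSID per vendor MAC prefix, the SOHOware SSID-equals-MAC default, and the listed default WEP keys). The record layout, the function names and the INVENTORY sample are constructed for illustration.

```python
import re

def norm_hex(s):
    """Lower-case a MAC address or WEP key and drop every separator."""
    return re.sub(r"[^0-9a-f]", "", s.lower())

# MAC prefix -> (product, default SSIDs), transcribed from Section 1.
# Only entries where the listing gives both a prefix and an SSID.
DEFAULTS_BY_OUI = {
    "0020d8": ("BayStack 650/660", {"Default SSID"}),
    "0030ab": ("Netgear ME102/MA401", {"Wireless"}),
    "0090d1": ("SMC", {"WLAN", "BRIDGE"}),
    "00a00f": ("Symbol AP41x1/LA41x1/LA41x3", {"101"}),
    "00a0f8": ("Intel Pro/Wireless 2011", {"101", "195"}),
}
SSID_IS_MAC_OUIS = {"0080c6"}  # SOHOware NetBlaster II: SSID is the MAC itself
DEFAULT_WEP_KEYS = {norm_hex(k) for k in (
    "10 11 12 13 14 15", "20 21 22 23 24 25",   # Linksys WAP-11 / Symbol
    "30 31 32 33 34 35", "40 41 42 43 44 45",
    "11 11 11 11 11", "20 21 22 23 24",         # Netgear ME102 / MA401
    "30 31 32 33 34", "40 41 42 43 44",
)}

def audit(ap):
    """Return the findings for one inventory record (ssid, bssid, wep_keys)."""
    findings = []
    mac = norm_hex(ap["bssid"])
    oui = mac[:6]
    if oui in DEFAULTS_BY_OUI:
        product, ssids = DEFAULTS_BY_OUI[oui]
        if ap["ssid"] in ssids:          # SSIDs are case-sensitive
            findings.append(f"default SSID for {product}")
    if oui in SSID_IS_MAC_OUIS and ap["ssid"].lower() == mac:
        findings.append("SSID equals device MAC (SOHOware default)")
    for i, key in enumerate(ap.get("wep_keys", []), 1):
        if norm_hex(key) in DEFAULT_WEP_KEYS:
            findings.append(f"WEP key {i} is a listed factory default")
    return findings

def audit_all(inventory):
    """Map AP name -> findings, keeping only APs that still need reconfiguring."""
    return {ap["name"]: f for ap in inventory if (f := audit(ap))}

# Constructed sample inventory (not real devices).
INVENTORY = [
    {"name": "lobby", "ssid": "WLAN", "bssid": "00:90:D1:12:34:56", "wep_keys": []},
    {"name": "lab", "ssid": "0080c6aabbcc", "bssid": "00:80:c6:aa:bb:cc", "wep_keys": []},
    {"name": "floor2", "ssid": "corp-f2", "bssid": "00:30:ab:01:02:03",
     "wep_keys": ["10 11 12 13 14 15", "9f 3c 11 70 a2"]},
    {"name": "floor3", "ssid": "corp-f3", "bssid": "00:30:ab:01:02:04",
     "wep_keys": ["c4 1d 77 02 9e"]},
]

if __name__ == "__main__":
    for name, findings in audit_all(INVENTORY).items():
        print(name, "->", "; ".join(findings))
```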


SECTION 2:

Articles from a few people are planned to be here by next revision.

SECTION 3:

well, wow.. here it is at the fourth revision, with more data. I feel like this is actually going somewhere! Hope the audience is enjoying reading it!

Thanks this time around, again, to Foofus, Dover, and other #dc-stuff pals.


SECTION 4:

Created in VI. What's EE? What's Pico? What's Emacs?


version 1.0.5 - Added several new things, a few default wep keys, several extra
                details regarding setup/configurations for SMC AP's.. Corrected
                some linksys info.. Added new info for future bridges/ap's to be
                investigated. Oh yes, added Section 4 ;) SHIT'S FINALLY IN
                ALPHABETIC ORDER!

version 1.0.4 - Added new SMC gear, SOHOware, and additional info for Symbol
                gear. Began research of TEKLOGIX gear, and more specifically,
                why it seems to crop up all over the place... Added several
                *verified* vendor MAC addresses to a few bridges/AP's...

version 1.0.3 - I forget everything that got changed from the first SSID info
                release. I think I just cleaned up some spelling errors. Yah ;)