Penetration Testing mailing list archives

Re: [PEN-TEST] Pen-Testing AS/400


From: David Knaack <dknaack () RDTECH COM>
Date: Thu, 14 Dec 2000 12:37:34 -0600

From: "Mike Ahern" <mc_ahern () YAHOO COM>
I have found that often AS/400s do not have many
security features enabled.

OS/400 V4R4 has a little bit of an info leak in the
login screen.  As you enter usernames and passwords,
it will tell you if the account exists or (I think)
if it is disabled.

Error messages like:

CPF1120 - User %s does not exist.

CPF1107 - Password not correct for user profile.

CPF1118 No password associated with usr %s.
(curiously, there is no '-' in that one.)

I presume that the 'no password' message means that
the account has been disabled in some fashion.

As usual, this helps the cracker to spend time on
existing, enabled accounts.

DK
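
The leak described in this message, as an added example that is not part of the original post and is not OS/400 code: a toy Python model that puts the three quoted failure messages next to a uniform-response version and counts how many failure classes an observer can tell apart. The account names, the `GENERIC` wording and all function names are assumptions made for the illustration.

```python
import hashlib
import hmac
import os

def _h(pw):
    # Toy hash for the model; a real system would use a salted, slow KDF.
    return hashlib.sha256(pw.encode()).digest()

# Constructed sample accounts: name -> password hash, None = no password set.
ACCOUNTS = {"ALICE": _h("s3cret"), "BOB": None}
DUMMY = os.urandom(32)  # compared against when there is nothing real to check
GENERIC = "Sign-on information is not correct."  # assumed wording

def leaky_signon(user, password):
    """Returns a different message per failure cause, as quoted in the post."""
    if user not in ACCOUNTS:
        return "CPF1120 - User %s does not exist." % user
    stored = ACCOUNTS[user]
    if stored is None:
        return "CPF1118 No password associated with usr %s." % user
    if not hmac.compare_digest(stored, _h(password)):
        return "CPF1107 - Password not correct for user profile."
    return "OK"

def uniform_signon(user, password):
    """Same decision, but every failure cause yields the same message."""
    stored = ACCOUNTS.get(user)
    # Always hash and compare so each path does the same amount of work.
    match = hmac.compare_digest(stored or DUMMY, _h(password))
    return "OK" if (stored is not None and match) else GENERIC

def failure_classes(signon):
    """Regression check: distinct failure responses across account states."""
    probes = [("NOSUCH", "x"), ("BOB", "x"), ("ALICE", "wrong")]
    # Replace the echoed user name so only the message class is compared.
    return {signon(u, p).replace(u, "%s") for u, p in probes}

if __name__ == "__main__":
    print(len(failure_classes(leaky_signon)), "classes from leaky_signon")
    print(len(failure_classes(uniform_signon)), "class from uniform_signon")
```

A result larger than one from `failure_classes` means the sign-on response still separates account states; the specific cause can be written to a server-side log instead of the screen.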

