Time Capsule Hackable?

**GoodOmens** · 03-03-2008 07:01 AM

Rworne over at the macos rumors ran nmap against the time capsule and came up with the following results:

Code:

root@mail:~# nmap -v -A 192.168.1.50

Starting Nmap 4.20 ( http://insecure.org ) at 2008-03-02 17:20 PST
Initiating ARP Ping Scan at 17:20
Scanning 192.168.1.50 [1 port]
Completed ARP Ping Scan at 17:20, 0.01s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 17:20
Completed Parallel DNS resolution of 1 host. at 17:20, 0.04s elapsed
Initiating SYN Stealth Scan at 17:20
Scanning 192.168.1.50 [1697 ports]
Discovered open port 10000/tcp on 192.168.1.50
Increasing send delay for 192.168.1.50 from 0 to 5 due to 44 out of 145
dropped probes since last increase.
Discovered open port 139/tcp on 192.168.1.50
Discovered open port 445/tcp on 192.168.1.50
Discovered open port 548/tcp on 192.168.1.50
Completed SYN Stealth Scan at 17:20, 17.82s elapsed (1697 total ports)
Initiating Service scan at 17:20
Scanning 4 services on 192.168.1.50
Service scan Timing: About 75.00% done; ETC: 17:22 (0:00:34 remaining)
Completed Service scan at 17:22, 113.53s elapsed (4 services on 1 host)
Initiating OS detection (try #1) against 192.168.1.50
Host 192.168.1.50 appears to be up ... good.
Interesting ports on 192.168.1.50:
Not shown: 1693 closed ports
PORT      STATE SERVICE           VERSION
139/tcp   open  tcpwrapped
445/tcp   open  netbios-ssn
548/tcp   open  afpovertcp?
10000/tcp open  snet-sensor-mgmt?
1 service unrecognized despite returning data. If you know the
service/version, please submit the following fingerprint at
http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port548-TCP:V=4.20%I=7%D=3/2%Time=47CB5263%P=x86_64-unknown-linux-gnu%r
SF:(SSLSessionReq,1B2,"\x01\x03\0\0\xff\xff\xecQ\0\0\x01\xa2\0\0\0\0\0\x20
SF:\0\*\x009\0\xa2\x8f\xfb\x0cTime-Capsule\0\0P\0`\0\x93\0\x94\x07AirPort\
SF:0\0\x02\x06AFP3\.2\x06AFP3\.1\x03\tDHCAST128\x04DHX2\x06Recon16F8071GEY
SF:ZQ\0sig-\x04\x08\x02\xc0\xa8\x012\x02\$\x08\x02\xa9\xfe\xb4\xc6\x02\$\x
SF:14\x07\xfe\x80\0\x06\0\0\0\0\x02\x1eR\xff\xfe\xf5\xbe\x01\x02\$\x0e\x04
SF:192\.168\.1\.50\0\0\x0cTime\x20Capsule0\0\x8f\xf8\xcc\x01H\x0c\xb32\(\n
SF:\x8c\xcc\|\x0f\x83\x02\xff\x01\x80\xc3\xc3\x81\x803\xe3\xc1\x80\x0b\xd3
SF:\xc1\x80\x0b\xb1a\x80\x0b\xe0\xe1\x80\x0b\xe1\xe1\x80\x0b\xd1\xe1\xc0\n
SF:\xc0\xe1p\x0bx\xc1\x1c\x0by\xc1\x17\x0b3\xff!\xcb\xff\xc4@\x7f\xff\x02\
SF:x80\x1e\0\x01\xff\xff\xff\xff\x80\0\0\x01\xff\xff\xff\xff\0\x02\x80\0\0
SF:\x02\x80\0\0\x07\xc0\0\0\x04@\0\0\x04@\0\0\x07\xc0\0\0\x05@\0\x0f\xf9\?
SF:\xfc\0\x02\x80\0\x0f\xfc\x7f\xfc0\0\x8f\xf8\xfc\x01\xcf\xfc\xff3\xef\xf
SF:e\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\x
SF:ff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\
SF:xff\xff\xff\xff\xff\x7f\xff\xff\xff\x1f\xff\xff\xff\x1f\xff\xff\xff\?\x
SF:ff\xff\xfc\x7f\xff\xff\xfe\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\
SF:xff\xff\xff\xff\xff\0\x03\x80\0\0\x03\x80\0\0\x07\xc0\0\0\x07\xc0\0\0\x
SF:07\xc0\0\0\x07\xc0\0\0\x07\xc0\0\xff\xff\xff\xff\?\xfe\xff\xff\xff\xfc\
SF:x7f\xff")%r(WMSRequest,1B2,"\x01\x03\0N\xff\xff\xecQ\0\0\x01\xa2\0\0\0\
SF:0\0\x20\0\*\x009\0\xa2\x8f\xfb\x0cTime-Capsule\0\0P\0`\0\x93\0\x94\x07A
SF:irPort\0\0\x02\x06AFP3\.2\x06AFP3\.1\x03\tDHCAST128\x04DHX2\x06Recon16F
SF:8071GEYZQ\0sig-\x04\x08\x02\xc0\xa8\x012\x02\$\x08\x02\xa9\xfe\xb4\xc6\
SF:x02\$\x14\x07\xfe\x80\0\x06\0\0\0\0\x02\x1eR\xff\xfe\xf5\xbe\x01\x02\$\
SF:x0e\x04192\.168\.1\.50\0\0\x0cTime\x20Capsule0\0\x8f\xf8\xcc\x01H\x0c\x
SF:b32\(\n\x8c\xcc\|\x0f\x83\x02\xff\x01\x80\xc3\xc3\x81\x803\xe3\xc1\x80\
SF:x0b\xd3\xc1\x80\x0b\xb1a\x80\x0b\xe0\xe1\x80\x0b\xe1\xe1\x80\x0b\xd1\xe
SF:1\xc0\n\xc0\xe1p\x0bx\xc1\x1c\x0by\xc1\x17\x0b3\xff!\xcb\xff\xc4@\x7f\x
SF:ff\x02\x80\x1e\0\x01\xff\xff\xff\xff\x80\0\0\x01\xff\xff\xff\xff\0\x02\
SF:x80\0\0\x02\x80\0\0\x07\xc0\0\0\x04@\0\0\x04@\0\0\x07\xc0\0\0\x05@\0\x0
SF:f\xf9\?\xfc\0\x02\x80\0\x0f\xfc\x7f\xfc0\0\x8f\xf8\xfc\x01\xcf\xfc\xff3
SF:\xef\xfe\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xf
SF:f\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\x
SF:ff\xff\xff\xff\xff\xff\xff\x7f\xff\xff\xff\x1f\xff\xff\xff\x1f\xff\xff\
SF:xff\?\xff\xff\xfc\x7f\xff\xff\xfe\xff\xff\xff\xff\xff\xff\xff\xff\xff\x
SF:ff\xff\xff\xff\xff\xff\xff\0\x03\x80\0\0\x03\x80\0\0\x07\xc0\0\0\x07\xc
SF:0\0\0\x07\xc0\0\0\x07\xc0\0\0\x07\xc0\0\xff\xff\xff\xff\?\xfe\xff\xff\x
SF:ff\xfc\x7f\xff");
MAC Address: 00:1E:52:F5:XX:XX (Unknown)
Device type: general purpose
Running: NetBSD
OS details: NetBSD 4.99.4 (x86)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=211 (Good luck!)
IPID Sequence Generation: Incremental

OS and Service detection performed. Please report any incorrect results at http://insecure.org/nmap/submit/ .
Nmap finished: 1 IP address (1 host up) scanned in 132.799 seconds
               Raw packets sent: 1786 (79.296KB) | Rcvd: 1714 (79.208KB)

Note some interesting results:

OS is NetBSD 4.99
processor is x86 based ....

I wonder if we can hack this to do more stuff?

**Rello** · 03-13-2008 01:10 PM

Hi,

I wanted to give this thread a little bump.

I am not deep enough into this topic but remember the efforts that went into the buffalo linkstations. Features like the media servers to be executed would be a real +++ for the time capsule...