
At work, we acquired the above-mentioned 24-port switch from Dell. It supports a so-called managed mode
(which needs to be enabled by poking into a hole on the switch with a paperclip).
Enabling that sets the switch IP to 192.168.2.1/24 – with no way to change that. So far so annoying. Ok, I can configure an alias on my Ethernet to connect to that.
When you do that, don't be impatient, the IP needs ages to come up, but eventually you will be able to ping it.
I was a bit surprised that it actually only supports http on port :80, no https, no ssh, no telnet and no snmp. – But ok, let's log in via http.
The login page is not only a <frameset> (well, it came out in 2005, but was that really necessary?), but only works with javascript: – WTF?
Trying to log in with the default credentials (user admin, empty password) results in an error message: "User name or Password is missing".
Googling for that error message finds hundreds of hits of people having the same problem, and Dell support always saying the same thing: "Clear your browser cache", or similar unhelpful things. People report different levels of success by using different browsers, but it appears that nobody has a clue what the real problem is.
But I can tell you now. After some debugging I found the problem. It's not even the javascript. That is only there to make your life difficult.
Here is what the login attempt looks like from Firefox:
T 192.168.2.10:51020 -> 192.168.2.1:80 [AP]
POST /tgi/login.tgi HTTP/1.0..Host: 192.168.2.1..User-Agent: Mozilla/5.0 (W
indows; U; Windows NT 5.1; de; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15..
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8..Ac
cept-Language: en,en-us;q=0.7,de;q=0.3..Accept-Encoding: gzip,deflate..Acce
pt-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7..Referer: http://192.168.2.1/log
in11.htm..Cookie: SSID=cd12579c608e40a2ab7df4316d1eec76..Content-Type: appl
ication/x-www-form-urlencoded..Content-Length: 97..Connection: keep-alive..
..
T 192.168.2.10:51020 -> 192.168.2.1:80 [AP]
Username=admin&Password=4d454698e2f95b3664cd7e93c8c064b2&Session=697fb62d41
f125f969b9ae31dc392cc8
which results in your favourite error page:
T 192.168.2.1:80 -> 192.168.2.10:51020 [AP]
HTTP/1.0 200 OK..Set-Cookie: SSID=cd12579c608e40a2ab7df4316d1eec76; path=/.
.Connection: close....<html>..<head>....<title>Error</title>..<link rel="ST
YLESHEET" type="text/css" href="/style.css">..<script type="text/javascript
" src="/globalFunctions.js"></script>..</head>..<body text="#000000" bgcolo
r="#FFFFFF" leftmargin="15">..<script type="text/javascript">Draw_Header(do
cument.title);</script>..<span class="data-area-prompt-text">User name or P
assword is missing</span><br><br>....</body>..</html>......
Getting a little ahead of myself, a successful login looks like this:
T 192.168.2.10:34456 -> 192.168.2.1:80 [AP]
POST /tgi/login.tgi HTTP/1.0..Host: 192.168.2.1..User-Agent: Mozilla/5.0 (W
indows; U; Windows NT 5.1; de; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15..
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8..Ac
cept-Language: en,en-us;q=0.7,de;q=0.3..Accept-Encoding: gzip,deflate..Acce
pt-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7..Referer: http://192.168.2.1/log
in11.htm..Cookie: SSID=cd12579c608e40a2ab7df4316d1eec76..Content-Type: appl
ication/x-www-form-urlencoded..Content-Length: 97..Connection: keep-alive..
..Username=admin&Password=dbe6d16727e70eb52b299060ef600111&Session=23ceb0d6
04f433579f6737cac5d0b585..
T 192.168.2.1:80 -> 192.168.2.10:34456 [AP]
HTTP/1.0 302 Found..Location: /index.htm..Set-Cookie: SSID=23ceb0d604f43357
9f6737cac5d0b585; path=/..Connection: close....
See the difference? In the successful login, the headers and the form data are all in one TCP packet instead of in two.
That's right. Either the TCP stack or the HTTP server is _very_ broken.
If you ever need to login to such a switch, here's the minimal version:
#!/bin/sh
(
# Default user, and blank password
user=admin
pass=
# The "session" key is part of the login frame
ssid=`wget -q -O - http://192.168.2.1/login11.htm|sed -n 's/.*Session" value="\([^"]*\)".*/\1/p'`
# Calculate the "password": MD5 over user, password and session key.
# Some OpenSSL versions prefix the digest with a "(stdin)= " label, so strip it.
pw=`printf '%s' "${user}${pass}${ssid}"|openssl md5 -hex|sed 's/^.*= *//'`
body="Username=${user}&Password=${pw}&Session=${ssid}"
# Send it off to the server (the blank line ends the headers)
cat << EOM
POST /tgi/login.tgi HTTP/1.0
Host: 192.168.2.1
Referer: http://192.168.2.1/login11.htm
Content-Type: application/x-www-form-urlencoded
Content-Length: ${#body}

${body}
EOM
) | while IFS= read -r a ; do
printf '%s\r\n' "$a" # Do "Network-style" (CRLF) newlines
done |cat|nc 192.168.2.1 80
# The second "cat" may be necessary to get it all buffered up correctly
You can now use the resulting cookie to access the web-interface. If you want to use your favourite browser, you can edit your cookie with the help of the CookieSafe or EditCookies extension.
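An added example, not part of the original post: the same login request built as one buffer with a computed Content-Length and sent with a single write, plus a check that tells whether a captured request shows the split pattern from the failing dump above. The function names are hypothetical, and the Session value is assumed to have been read from the login11.htm form beforehand.

```python
import hashlib
import socket

HOST = "192.168.2.1"  # factory address from the post

def build_login_request(user, password, session, host=HOST):
    """Return headers and form body as one buffer, ready for a single write."""
    # Same scheme as the shell script: MD5 over user + password + session.
    digest = hashlib.md5((user + password + session).encode("ascii")).hexdigest()
    body = f"Username={user}&Password={digest}&Session={session}".encode("ascii")
    head = (
        "POST /tgi/login.tgi HTTP/1.0\r\n"
        f"Host: {host}\r\n"
        f"Referer: http://{host}/login11.htm\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: {len(body)}\r\n\r\n"
    ).encode("ascii")
    return head + body

def body_split_from_headers(segments):
    """True if the first captured TCP payload lacks the complete form body,
    which is the pattern the switch answers with the error page."""
    head, sep, body = segments[0].partition(b"\r\n\r\n")
    if not sep:
        return True  # even the header block spans several segments
    length = 0
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length":
            length = int(value.strip())
    return len(body) < length

def login(session, user="admin", password=""):
    """Send the request with one sendall() and return the raw reply.
    `session` is the Session value from the login11.htm form."""
    request = build_login_request(user, password, session)
    with socket.create_connection((HOST, 80), timeout=10) as sock:
        sock.sendall(request)  # one small write normally leaves as one segment
        reply = b""
        while chunk := sock.recv(4096):
            reply += chunk
    return reply
```

A reply starting with "HTTP/1.0 302 Found" and carrying a Set-Cookie: SSID=... header is the success case shown in the capture above.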
Well, I hope this helps anyone out there, because we most certainly won't use this switch for anything more than a dumb switch for a test network.
TL;DR: Their TCP/HTTP code is broken, and their support doesn't know it.
Have fun.
– Sec
"Enabling that sets the switch IP to 192.168.2.1/24 – with no way to change that."
Under Windows you can temporarily manually set a static IP in this subnet, then log in to the switch, and then you can change the switch's IP. I'm guessing you meant "...with no way to change that until you log in."
It is actually pretty standard for managed switches to default to a private 192.168.x.x range. How would you propose the switch be configured by default? DHCP enabled? There's a bunch of reasons why that's not a great idea...
It actually seems to be something with newer browsers, I have 3 of these switches and I have not logged into manage them in a long time and only realized that I cannot log into them because I get the same problem, HOWEVER, I found an old live CD for Ubuntu 4.10 with an old version of Firefox on it and it let me in just fine with no problems. A few people have made mention that almost all newer browsers (that do caching) cannot access this switch. The easiest way I found to get this switch working and configured is to use a legacy copy of Firefox portable, version 2 works (6mb download and less than 30 seconds to extract and have running), even under x64 Windows boxen, And the switch setting itself to a factory ip, such as 192.168.2.1 is nice, because this is not a serial console managed switch, how the heck would you have quick and easy access to it if it used DHCP !? These switches run nice, mine have been stable and reliable, and for the cost, they do a good job.
But I just came up with a 5 minute work around for all the trouble a lot of people went through, even from what it seems that you did here I found a quicker fix than anything anyone else found, even the unhelpful support Dell has provided.
I think Dell needs a kick in the butt about the issues though, gigabit is very common and these switches are far still useful to not offer new updates for them.
Also @Olivier These switches are from 2005, I would hope you purchase something new if you are working for a company, however as a basic switch, and the minor issues I had to get around to login again, they are very good, given it's a gigabit switch you can pick up for about $55 on ebay, you can't beat it unless you go with off-brand, unmanaged junk. So there's no reason to avoid them if you got half a brain on your shoulders. CLI's are great and all, I have worked with Cisco equipment and own quite a bit of it myself, but for what this switch is, and what you can use it for, the management interface is fine. These switches would be great for home users and small business that don't need a top dollar bells and whistles packed switch. And hey, it's not another CLI interface to learn as well, so what's the beef, you're not going to see DELL running IOS, so why would you want to learn a whole other set of CLI commands and the like ???? Don't make decisions so fast over a lower end feature, if you want it, go pay top dollar for Cisco. Don't tell people not to buy something because it doesn't have the same setup as a WAY more expensive counterpart. Herpa Derp..
I have the same problem with IE9 and FF11 accessing my 2716. It works only by disabling the LinkScanner (surf-shield) feature on AVG Antivirus 2012.
This switch is good but not great. Considering that this is an entry level manageable switch, I think it is still missing a very important feature: being able to backup and restore the configuration. If the manageable mode is disabled by some lunatic person or if the switch dies and must be replaced by another one, then the whole config must be redone manually. Very annoying!
The 2724 is an ancient switch, but some of what you said is not accurate. You can most certainly change the IP of the switch, but you have to be on the right subnet to do it. Download the manual and set a quick static IP on your PC to 192.168.2.2 and you'll be able to do it.
The other thing you need to realize, technology has changed greatly in the last 6-7 years. For what the 2724 cost then you can buy a Cisco SG200 that will run the socks off it and give you a great deal more flexibility. In the end, you really do get what you pay for.
We are also using a Dell Powerconnect 2724 since 2007. I just logged in with Firefox 14.0.1 (Windows 7, x64) without any problems.
The only problem we have with this switch is that it sometimes "gets deaf" on some Ethernet ports, so it needs a power reset about once a year.
You have to keep in mind that this switch is a "web managed switch" and not a "managed switch". Several years ago it cost only 10%-20% of a serious managed switch from Cisco. So it has an excellent price/performance ratio.
Today I was just looking around to see if Dell released a firmware which probably solves the occasional port problems but they haven't.
I have one Powerconnect 2716 and two 2708s running a home network supporting multiple house-mates. The interface to the switches has been unreliable at times but I have discovered that most of the problems were caused by the interface not "liking" having a proxy configured in Firefox. The reason I like these switches and defend them is that they are much cheaper than any other managed or semi-managed device available today. For instance, I recently acquired the second 2708 to expand and I found it on eBay for £20. That is about the price of an unmanaged 100Mb switch from Cisco!
I have 5 of them running for about 6 years... Another one in the series "Why I would never buy ..."
Olivier Bilodeau wrote on Fri, 18 Mar 2011 04:36
Nice investigative piece, I'll try to avoid these switches. What kind of network hardware can brag about being "managed" when they don't support CLI.. seriously!