DSL Modem MAC Filtering.
Posted 29 March 2008 - 01:48 AM
This is my first post in any forum. If this topic is not appropriate here, then I ask for any advice or even flames for being a noob. Thanks in advance for all responses.
I recently got high-speed DSL from my local phone company. The modem that they provided was made by "Clear Access". This particular modem has a built-in wireless router, and 5 Ethernet ports. The setup for the router was done at the phone company, since my schedule prevented any home installation.
Once I brought the router home and plugged it in, it was all down hill from there. The first kink was getting passed the "Blocked Access" screen that kept coming up when I would enter a URL. This was defeated by pointing my laptop to a specific DNS server.
Once online, I found the last half and the first half of the MAC address was the username and password respectfully. After logging in, I secured my wireless network by changing and disabling the SSID broadcast and enabling WEP (weak I know, but it was what I was comfortable with). Unfortunately, it doesn't support MAC address filtering.
I moved on to the LAN configuration. This came as a huge shock to me. The configuration for my LAN was stored off site. Any changes to be made to my LAN, including open ports and mapping a MAC to a static IP, had to be done through their server. I could understand if it was my local telecom’s servers, but these servers had nothing to do with them. What was worse, the port forwarding wouldn't work with any application, on any of my computers.
I moved to the log screen. It wasn't very informative, but it did have an email field. I sent it to a dummy address and viewed the header. The IP address that sent the message resolved to some company named Jumpline. It claimed to have come from "firstname.lastname@example.org", but the message was CC to "email@example.com". This really made me mad.
I did notice that every function on the router was done through http://192.168.50.1/function.cgi, where function would be log, home. I have been learning Perl for the past few weeks and I decided to write a brute force attack to try every possible combination from /a.cgi to /zzzzz.cgi. After letting it run all night, i woke up the next morning to see mail.cgi. I keyed it in and it took brought up security certificates for "usa.net" and "secure.postoffice.net". WHY WOULD MY ROUTER NEED TO BE LOGGING IN TO THERE? I went back to the log screen and viewed the source. It posted the variables back to itself, so that wasn't any help.
I went to a friend’s house and he happed to have an older Bellsouth DLS modem. I asked if he would mind if I used it in a little experiment. I unplugged the phone cord from my "Clear Access" router. I waited till it gave me the "Setup Connection" button. I clicked through till i got to the PPPoE settings (username, password, vpi, vci).
I plugged in the Bellsouth modem and went to the configuration page (http://192.168.1.254). I had to change the vpi (what ever that is) to "0" and restart the modem. I specified the default DNS server to the modem. I plugged in the phone line, waited about 30 seconds and I was online. I checked my speed to make sure I was still filtered. I'm cruising along at 10-mbps and I can actually open my ports and use my applications.
Now for my questions:
1) How common is this? Has anyone else used an old modem with a new provider? I was told by my telecom that no other modem would work because of MAC filtering, though that cannot be the case.
2) Should I expect any fall out from this? Would my telecom notice or not?
3) Should I return the modem that I'm not using and being charged extra 5 dollars a month for? My pride wants to call the oh so informative tech support and gloat, but I don't want to jeopardize my internet service.
On a final note, I'm new to programming Perl, but I'll be happy to post the brute force script if anyone wants it. I've modified it by changing it to a dictionary attack and I've pointed it towards dodgeit.com's mailboxes. Interesting stuff
Thanks for any and all posts, even flames.
Posted 29 March 2008 - 10:51 PM
I'm reluctant to release their name now. I'm waiting to hear back from their tech support.
Jesus christ. What ISP do you have?
The last questions I had for them were “Does the router allow for any encryption greater than WEP?", and "Does it allow MAC filtering?” I’ve asked these question three times this past week, twice to "associates"?
On a side note, when I call with question concerning my modem, they transfer me to ‘dispatch’. Shockingly, the dispatch associates have been more helpful with my DSL issues than DSL tech support!!!
As soon as I hear back from them, I’ll post more information about them.
what are the first three octets of your devices mac address?
The first three octets are 00:1A:2B. I think that they "resolve" (I’m not sure on the correct term) back to a company called "AyeCom". Also, how secure does this sound?
The router has 4 mac addresses in it:
Dec 31 16:00:20 INFO kmsg <4>wl0: MAC Address: 00:1A:2B:6E:00:03
Dec 31 16:00:20 INFO kmsg <4>usb0: Host MAC Address: 00 1A 2B 6E 00 02
Dec 31 16:00:20 INFO kmsg <4>usb0: MAC Address: 00 1A 2B 6E 00 01
Dec 31 16:00:20 INFO kmsg <4>eth0: MAC Address: 00:1A:2B:6E:00:00
(That was lifted from the is from the first log that i mailed myself.
The last two octets have been changed. I'm sorry guys. I'm paranoid.
As I said before, the username and password is the last six and first six characters of the eth0 mac address. Simply take 3(hex) away from the wireless (wl0) mac and you have the username. Scary!!! Scary!!! Scary!!!
Thank god for the lack of functionality that I mentioned earlier. I guess that must be a safety feature.
BinRev is hosted by the great people at Lunarpages!