Telnet Router Hack
#1
Posted 11 July 2008 - 10:45 PM
then I tried telnet 192.168.0.1 --> Escape character is '^]'.
Connection closed by foreign host.
It seems we have a reaction. What do I do now?
#2
Posted 12 July 2008 - 12:41 AM
Ask your friend for a password.
I tried ssh 192.168.0.1 --> connection refused
then I tried telnet 192.168.0.1 --> Escape character is '^]'.
Connection closed by foreign host.
It seems we have a reaction. What do I do now?
#3
Posted 12 July 2008 - 12:41 AM
#4
Posted 12 July 2008 - 12:52 AM
#5
Posted 12 July 2008 - 01:44 AM
Something I thought was interesting is if you dump the config it shows some kind of passwords, but I don't know if they're encrypted or encoded. Hopefully encoded, would be easier to figure them out. There seem to be three different passwords that are stored: sys, spt, and user. If someone can crack the system password I bet it's default for every other DSL router made by the same manufacturer. I really don't know how to go about figuring out how to crack such hashes (if they even are hashes). Interesting nonetheless. I really don't see much you could do with these DSL routers. Would be interesting to know how to disable the encodePassword field and see what results one would get.
> dumpcfg
<psitree>
<SystemInfo>
<protocol autoScan="enable" igmpSnp ="disable" igmpMode ="disable" macFilterPoli
cy="forward" encodePassword="enable"/>
<sysLog state="disable" displayLevel="ERR" logLevel="DEBUG" option="local" serve
rIP="0.0.0.0" serverPort="514"/>
<sysUserName value="admin"/>
<sysPassword value="bmlnZ2Vya2lsbGVy"/>
<sptPassword value="c3VwcG9ydHVzZXI="/>
<usrPassword value="bm9ybWFsdXNlcg=="/>
<tr69c state="enable" upgradesManaged="0" upgradeAvailable="0" informEnbl="1" in
formTime="0" informInterval="129600" acsURL="http://rms.airtelbroadband.in:8103/
ACS-server/ACS" acsUser="airtelacs" acsPwd="nxp-pass" parameterKey="12345" connR
eqURL="http://www.broadcom.com/acs" connReqUser="admin" connReqPwd="admin" kickU
RL="http://www.broadcom.com/acs" provisioningCode="12345"/>
</SystemInfo>
<AtmCfg>
<initCfg structureId="2" threadPriority="25" freeCellQSize="10" freePktQSize="20
0" freePktQBufSize="1600" freePktQBufOffset="32" rxCellQSize="10" rxPktQSize="20
0" txFifoPriority="64" aal5MaxSduLen="64" aal2MaxSduLen="0"/>
</AtmCfg>
<AtmCfgTd>
<td1 cat="UBR" PCR="0" SCR="0" MBS="0"/>
</AtmCfgTd>
<SecCfg>
<srvCtrlList ftp="enable" http="enable" icmp="enable" ssh="wan" telnet="enable"
tftp="enable"/>
</SecCfg>
<Lan>
<entry9999 address="1.1.1.1" mask="255.255.255.0" dhcpServer="disable" leasedTim
e="0" startAddr="0.0.0.0" endAddr="0.0.0.0" instanceId="1509949443"/>
<entry1 address="192.168.1.1" mask="255.255.255.0" dhcpServer="enable" leasedTim
e="24" startAddr="192.168.1.2" endAddr="192.168.1.254" instanceId="1509949441"/>
</Lan>
<AtmCfgVcc>
<vccId9999 vpi="0" vci="65534" tdId="0" aalType="AAL2" adminStatus="down" encap=
"unknown" qos="disable" instanceId="1509949442"/>
<vccId1 vpi="1" vci="32" tdId="1" aalType="AAL5" adminStatus="up" encap="llc" qo
s="disable" instanceId="1509949441"/>
</AtmCfgVcc>
<ADSL>
<settings G.Dmt="enable" G.lite="enable" T1.413="enable" ADSL2="enable" AnnexL="
enable" ADSL2plus="enable" AnnexM="disable" pair="inner" bitswap="enable" SRA="d
isable"/>
</ADSL>
<pppsrv_1_32>
<ppp_conId1 userName="08051150384_kk" password="MTIzNDU2" serviceName="airtel" i
dleTimeout="0" ipExt="disable" auth="auto" useStaticIpAddr="0" localIpAddr="255.
255.255.255" Debug="disable"/>
</pppsrv_1_32>
<wan_1_32>
<entry1 vccId="1" conId="1" name="airtel" protocol="PPPOE" encap="LLC" firewall=
"enable" nat="enable" igmp="disable" vlanId="-1" service="enable" instanceId="15
09949442"/>
</wan_1_32>
<RouteCfg>
</RouteCfg>
<SNTPCfg/>
<ToDCfg/>
<EngDbgCfg/>
</psitree>
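Whether stored values like these are encoded or hashed can be checked without cracking anything: a strict base64 decode that yields printable text means the field is reversible. The Python audit below is an added example, not code from the thread or the router firmware; it runs over a constructed config in the same layout (all values made up) and assumes any srvCtrlList value other than "disable" leaves the service reachable.

```python
import base64
import binascii
import string
import xml.etree.ElementTree as ET

PRINTABLE = set(string.ascii_letters + string.digits + string.punctuation + " ")
CLEARTEXT_SERVICES = ("telnet", "ftp", "tftp", "http")


def _b64(text):
    return base64.b64encode(text.encode()).decode()


# Constructed sample in the layout of the dump above; every value is made up.
SAMPLE_CFG = f"""<psitree>
<SystemInfo>
<protocol autoScan="enable" encodePassword="enable"/>
<sysUserName value="admin"/>
<sysPassword value="{_b64('constructed-admin-pw')}"/>
<usrPassword value="$1$constructed$not.base64.value"/>
<tr69c state="enable" connReqUser="admin" connReqPwd="admin"/>
</SystemInfo>
<SecCfg>
<srvCtrlList ftp="enable" http="disable" ssh="wan" telnet="enable" tftp="disable"/>
</SecCfg>
</psitree>"""


def is_reversible_b64(value):
    """True if value strictly decodes as base64 to printable ASCII."""
    if not value or len(value) % 4:
        return False
    try:
        text = base64.b64decode(value, validate=True).decode("ascii")
    except (binascii.Error, ValueError):
        return False
    return bool(text) and all(ch in PRINTABLE for ch in text)


def secret_attrs(elem):
    """Yield (attr_name, value) for attributes that hold a credential."""
    for name, value in elem.attrib.items():
        lowered = name.lower()
        if lowered.endswith("pwd") or lowered == "password":
            yield name, value
        elif lowered == "value" and elem.tag.lower().endswith("password"):
            yield name, value


def audit(cfg_xml):
    """Return sorted (location, issue) pairs without printing any secret."""
    findings = []
    for elem in ET.fromstring(cfg_xml).iter():
        for name, value in secret_attrs(elem):
            where = f"{elem.tag}@{name}"
            if is_reversible_b64(value):
                findings.append((where, "reversible-base64"))
            user_attr = name[:-3] + "User" if name.endswith("Pwd") else None
            if user_attr and elem.get(user_attr) == value:
                findings.append((where, "password-equals-username"))
        if elem.tag == "srvCtrlList":
            for svc in CLEARTEXT_SERVICES:
                # Assumption: any value other than "disable" leaves it reachable.
                if elem.get(svc, "disable") != "disable":
                    findings.append((f"srvCtrlList@{svc}", "cleartext-service-on"))
    return sorted(findings)


if __name__ == "__main__":
    for where, issue in audit(SAMPLE_CFG):
        print(f"{issue:26} {where}")
```

A field reported as reversible-base64 should be treated as stored in plaintext: anyone who can read the config can recover it, so the fix is changing the credential and restricting who can dump the config.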
#6
Posted 12 July 2008 - 02:15 AM
Could be possible with a router that supports VPN. Not really sure if it's possible with a regular router though. Any ideas?
Edit
Quick idea =
One could poison a victim's router with an attacker's own DNS server address that forwards all requests to a transparent proxy server that could possibly then forward all traffic to the proper address. Just a thought.
Edited by SUB-S0NIX, 12 July 2008 - 02:50 AM.
#7
Posted 12 July 2008 - 02:54 AM
Assuming that it was based on Linux, you could install MITM attack software (dnsspoof, ettercap) assuming that packages were available for that router distro and there was enough space.
Hmm, been thinking about this for a while, but does anyone think it's possible to perform a MITM attack on a router?
Could be possible with a router that supports VPN. Not really sure if it's possible with a regular router though. Any ideas?
Edit
Quick idea =
One could poison a victim's router with an attacker's own DNS server address that forwards all requests to a transparent proxy server that could possibly then forward all traffic to the proper address. Just a thought.
Any expert opinions?
#8
Posted 12 July 2008 - 03:13 AM
I guess my friend's router is securish.....
#9
Posted 12 July 2008 - 07:35 AM
#10
Posted 12 July 2008 - 06:43 PM
I'm not sure how, but if you were able to modify it there is a version of the zlob trojan that does change the dns info inside the router. Since most people just open the box and plug it in they don't change the authentication info, so this newer variant uses the common login/pass combos to get into the router and change the dns to a malware dns server.
that is quite an attack...
#11
Posted 12 July 2008 - 10:20 PM
#12
Posted 13 July 2008 - 01:26 AM
As for transparent proxy software any one have any good suggestions to simulate such an attack on my own personal LAN.
#13
Posted 13 July 2008 - 02:36 AM
It seems as though different firmwares have different management softwares. One has this:
ug@outlawserv:~$ telnet 122.167.85.**
Trying 122.167.85.**...
Connected to 122.167.85.**.
Escape character is '^]'.
BCM96338 ADSL Router
Login: admin
Password:
Note: If you have problem with Backspace key, please make sure you configure your terminal emulator settings. For instance, from HyperTerminal you would need to use File->Properties->Setting->Back Space key sends.
Main Menu
1. ADSL Link State
2. LAN
3. WAN
4. DNS Server
5. Route Setup
6. NAT
7. Firewall
8. Quality Of Service
9. Management
10. Passwords
11. Diag
12. Reset to Default
13. Save and Reboot
14. Exit
->
While the other (more fun if you ask me! It's an actual shell. You can get into sh) version has:
ug@outlawserv:~$ telnet 122.167.85.**
Trying 122.167.85.**...
Connected to 122.167.85.**.
Escape character is '^]'.
BCM96338 ADSL Router
Login: admin
Password:
>
There are other accounts on the routers too, besides "admin"...
admin:7HZXTmnj/97TM:0:0:Administrator:/:/bin/sh
support:e1BZJJQSKd3C.:0:0:Technical Support:/:/bin/sh
user:pHtw2aK/GuydM:0:0:Normal User:/:/bin/sh
nobody:QXZx61KdaYegc:0:0:nobody for ftp:/:/bin/sh
edit: Oh, and look at the services this thing has...
Pwnt, pwnt, pwnt
Edited by DeadlyCypher, 13 July 2008 - 10:59 AM.
#14
Posted 15 July 2008 - 11:13 PM
#15
Posted 16 July 2008 - 08:25 AM
Since most people just open the box and plug it in they don't change the authentication info, so this newer variant uses the common login/pass combos to get into the router and change the dns to a malware dns server.
I feel like this used to be the case; however, these days I have been finding this scenario to be less prevalent. As it is 2008, more people are becoming computer savvy. If they don't know about any of this stuff then they usually will hire somebody to come set it up for them.