binary_lulz

remotely IDing router make/model

5 posts in this topic

I was wondering if there was a way to determine how to identify the specific model (not just, say, LINKSYS) of a wireless router, and also how generally one logs into one of them remotely (how to get to the password prompt).

CDP, SNMP, Telnet, web interface; SNMP being by far the easiest to use if it's enabled.

All four are commonly used to identify routers (the first being Cisco proprietary), and the last three are used to not only identify but also remotely manage. Nmap and other software can attempt host identification based on network heuristics and banner grabbing, for example.

Edited by jabzor

Any admin with an IQ above 4 will be using SNMPv3 if at all, which is encrypted and therefore practically immune.

To log into a router one would generally connect via console, SSH, HTTP, or Telnet. The latter two are not recommended, especially on an insecure network...

You will usually get a password prompt as soon as you connect (or hit enter after connecting via console). If not then the admin is a so-called ID ten T.

Nmap's -O switch is relatively accurate, and is usually the easiest for newbs.

I was trying to do this today at a customer site.

They say the internet is down, so I check out the comm closet and it has a cable modem sitting on top of the rack with its Cat5 cable wrapped neatly in a loop, unconnected to anything.

Easy fix, thinks I. Wrong. Connect it, power cycle modem and router, nothing.

Try to go to the router config page on .1, can't be displayed. Pings fine. Okay.

My company laptop is an XP box, so I load up NirSoft's LAN scanner. No port 80 open. That's not right. I check the MAC on the router, and it doesn't match the .1.

Telnet is open, but it just gives a banner with the name of the company I'm visiting and a password prompt.

Boot up BT2 and run Nmap; it tells me it's a Cisco and the version of IOS it's running. (Also said BT2 was Ubuntu) o.O

Didn't have time for anything other than that; turns out the router in the closet (RV016) was on a different subnet, so it was acting as a very expensive switch for another router located elsewhere. Reboot that router and all is good. I love going into places with no Fscking idea of the setup. Next time I'm going to try a couple of things I found after doing some research.

Nmap is your best bet in general, although it doesn't seem to give a make/model, just OS versions. p0f is another I haven't tried.

If it's on a LAN you are connected to, it's easy.

From > http://lists.sans.org/pipermail/unisog/2007-July/027336.html

    # This is a Dlink DI-604
    $ echo -e "GET / HTTP/1.0\n" | nc host1 80 | grep -e WWW-Authenticate -e "Server:"
    Server: Embedded HTTP Server 3.52
    WWW-Authenticate: Basic realm="DI-604"

> Any admin with an IQ above 4 will be using SNMPv3 if at all, which is encrypted and therefore practically immune.

Don't get out much, do you?

Almost nobody patches their shit. Seriously. Once or twice a week I run into an XP box with SP1. It's ridiculous.

Here's an account of a guy with some serious skills using SNMP to grab the config file off the router. BTW every public string I've seen has been "public".

http://www.securitypronews.com/2003/1216.html

Found this in the same search, good read.

http://books.google.com/books?id=BZtbozxTo...yu8tkCvfd5wrOdk

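Added example, written for this thread rather than taken from it or from the SANS post it links: a small Python audit helper that parses the HTTP response the nc one-liner above captures, pulls out the Server header and the WWW-Authenticate realm, and flags devices on a network you administer whose management banner advertises a product model (the DI-604 case in the quoted output). It runs offline on constructed responses; the DI-604 values mirror the quoted output, the other two hosts and responses are made up. The `leaks_model` heuristic and the optional `fetch_banner` helper are my own assumptions, not anything the thread or the SANS post describes.

```python
"""Inventory check for HTTP management-interface banners (added example).

Takes the raw HTTP response of a router's web interface, as the post's
`echo ... | nc host 80` one-liner returns it, and extracts the two headers
that commonly leak make/model: Server and the realm in WWW-Authenticate.
The sample responses are constructed for this example.
"""
import re
import socket
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class BannerFinding:
    host: str
    server: Optional[str] = None
    realm: Optional[str] = None
    auth_schemes: list = field(default_factory=list)

    @property
    def leaks_model(self) -> bool:
        # Heuristic (assumption): a product identifier usually looks like
        # letters glued to two or more digits, e.g. "DI-604" or "RV016",
        # whereas "Management" or "nginx" does not.
        for value in (self.realm, self.server):
            if value and re.search(r"[A-Za-z]+-?\d{2,}", value):
                return True
        return False


def parse_banner(host: str, raw: bytes) -> BannerFinding:
    """Extract Server and WWW-Authenticate details from a raw HTTP response."""
    finding = BannerFinding(host=host)
    # Tolerate both CRLF and bare LF line endings; keep only the header block.
    head = raw.replace(b"\r\n", b"\n").split(b"\n\n", 1)[0]
    lines = head.decode("latin-1", errors="replace").splitlines()
    for line in lines[1:]:  # lines[0] is the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        name, value = name.strip().lower(), value.strip()
        if name == "server":
            finding.server = value
        elif name == "www-authenticate":
            finding.auth_schemes.append(value.split(None, 1)[0])
            m = re.search(r'realm="([^"]*)"', value)
            if m and finding.realm is None:
                finding.realm = m.group(1)
    return finding


def fetch_banner(host: str, port: int = 80, timeout: float = 3.0) -> bytes:
    """Socket equivalent of the post's nc one-liner, for devices you administer.
    Not used by the offline samples below (assumed helper)."""
    request = f"GET / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode()
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(request)
        try:
            while True:
                data = s.recv(4096)
                if not data:
                    break
                chunks.append(data)
        except socket.timeout:
            pass  # return whatever arrived before the timeout
    return b"".join(chunks)


def audit(responses: dict) -> list:
    """Run the parser over {host: raw_response} and return (host, value)
    pairs for banners that appear to advertise a product model."""
    flagged = []
    for host, raw in responses.items():
        f = parse_banner(host, raw)
        if f.leaks_model:
            flagged.append((host, f.realm or f.server))
    return flagged


# Constructed sample responses (hosts are documentation addresses).
SAMPLE_RESPONSES = {
    # Header values mirror the DI-604 output quoted in the post.
    "192.0.2.1": (b"HTTP/1.0 401 Unauthorized\r\n"
                  b"Server: Embedded HTTP Server 3.52\r\n"
                  b'WWW-Authenticate: Basic realm="DI-604"\r\n'
                  b"Content-Type: text/html\r\n\r\n<html>401</html>"),
    # Hardened device: generic Server string and realm, nothing to learn.
    "192.0.2.2": (b"HTTP/1.1 401 Unauthorized\n"
                  b"Server: nginx\n"
                  b'WWW-Authenticate: Basic realm="Management"\n\n'),
    # Digest auth, but the realm still names the product (made-up response).
    "192.0.2.3": (b"HTTP/1.1 401 Unauthorized\r\n"
                  b'WWW-Authenticate: Digest realm="RV016 Router", nonce="abc"\r\n\r\n'),
}

if __name__ == "__main__":
    for host, value in audit(SAMPLE_RESPONSES):
        print(f"{host}: management banner advertises '{value}'")
```

Run against your own devices by replacing the sample dict with `{host: fetch_banner(host)}` for each management address; a hit means the web interface is telling anyone who connects what hardware it is, which is the cue to restrict the interface to a management VLAN or replace the realm with a generic string where the firmware allows it.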

> ...BTW every public string I've seen has been "public".

You haven't seen our ro and rw strings then. 8-P

