reilus

Telnet Router Hack

14 posts in this topic

I tried ssh 192.168.0.1 --> connection refused

then I tried telnet 192.168.0.1 --> Escape character is '^]'.

Connection closed by foreign host.

It seems we have a reaction. What do I do now?

> I tried ssh 192.168.0.1 --> connection refused
>
> then I tried telnet 192.168.0.1 --> Escape character is '^]'.
>
> Connection closed by foreign host.
>
> It seems we have a reaction. What do I do now?

Ask your friend for a password.


Most consumer routers have a "remote management" option in the menus somewhere. This option normally allows entering the router through a browser, by default on port 8080. As far as I know, consumer routers don't support telnetting, but I think dd-wrt might. Try enabling that feature and see if you can telnet into the router then.


That's pretty crazy how all those are open. Pretty much sequential.

Something I thought was interesting is if you dump the config it shows some kind of passwords, but I don't know if they're encrypted or encoded. Hopefully encoded, would be easier to figure them out. There seem to be three different passwords that are stored: sys, spt, and user. If someone can crack the system password I bet it's default for every other DSL router made by the same manufacturer. I really don't know how to go about figuring out how to crack such hashes (if they even are hashes). Interesting nonetheless. I really don't see much you could do with these DSL routers. Would be interesting to know how to disable the encodePassword field and see what results one would get.

> dumpcfg
<psitree>
<SystemInfo>
<protocol autoScan="enable" igmpSnp ="disable" igmpMode ="disable" macFilterPolicy="forward" encodePassword="enable"/>
<sysLog state="disable" displayLevel="ERR" logLevel="DEBUG" option="local" serverIP="0.0.0.0" serverPort="514"/>
<sysUserName value="admin"/>
<sysPassword value="bmlnZ2Vya2lsbGVy"/>
<sptPassword value="c3VwcG9ydHVzZXI="/>
<usrPassword value="bm9ybWFsdXNlcg=="/>
<tr69c state="enable" upgradesManaged="0" upgradeAvailable="0" informEnbl="1" informTime="0" informInterval="129600" acsURL="http://rms.airtelbroadband.in:8103/ACS-server/ACS" acsUser="airtelacs" acsPwd="nxp-pass" parameterKey="12345" connReqURL="http://www.broadcom.com/acs" connReqUser="admin" connReqPwd="admin" kickURL="http://www.broadcom.com/acs" provisioningCode="12345"/>
</SystemInfo>
<AtmCfg>
<initCfg structureId="2" threadPriority="25" freeCellQSize="10" freePktQSize="200" freePktQBufSize="1600" freePktQBufOffset="32" rxCellQSize="10" rxPktQSize="200" txFifoPriority="64" aal5MaxSduLen="64" aal2MaxSduLen="0"/>
</AtmCfg>
<AtmCfgTd>
<td1 cat="UBR" PCR="0" SCR="0" MBS="0"/>
</AtmCfgTd>
<SecCfg>
<srvCtrlList ftp="enable" http="enable" icmp="enable" ssh="wan" telnet="enable" tftp="enable"/>
</SecCfg>
<Lan>
<entry9999 address="1.1.1.1" mask="255.255.255.0" dhcpServer="disable" leasedTime="0" startAddr="0.0.0.0" endAddr="0.0.0.0" instanceId="1509949443"/>
<entry1 address="192.168.1.1" mask="255.255.255.0" dhcpServer="enable" leasedTime="24" startAddr="192.168.1.2" endAddr="192.168.1.254" instanceId="1509949441"/>
</Lan>
<AtmCfgVcc>
<vccId9999 vpi="0" vci="65534" tdId="0" aalType="AAL2" adminStatus="down" encap="unknown" qos="disable" instanceId="1509949442"/>
<vccId1 vpi="1" vci="32" tdId="1" aalType="AAL5" adminStatus="up" encap="llc" qos="disable" instanceId="1509949441"/>
</AtmCfgVcc>
<ADSL>
<settings G.Dmt="enable" G.lite="enable" T1.413="enable" ADSL2="enable" AnnexL="enable" ADSL2plus="enable" AnnexM="disable" pair="inner" bitswap="enable" SRA="disable"/>
</ADSL>
<pppsrv_1_32>
<ppp_conId1 userName="08051150384_kk" password="MTIzNDU2" serviceName="airtel" idleTimeout="0" ipExt="disable" auth="auto" useStaticIpAddr="0" localIpAddr="255.255.255.255" Debug="disable"/>
</pppsrv_1_32>
<wan_1_32>
<entry1 vccId="1" conId="1" name="airtel" protocol="PPPOE" encap="LLC" firewall="enable" nat="enable" igmp="disable" vlanId="-1" service="enable" instanceId="1509949442"/>
</wan_1_32>
<RouteCfg>
</RouteCfg>
<SNTPCfg/>
<ToDCfg/>
<EngDbgCfg/>
</psitree>

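As an added example (not code from the thread or the router vendor), a small Python audit for a dump like the one above: it tells reversibly base64-encoded credentials apart from hashed ones, and flags srvCtrlList services that are reachable from the WAN or run clear-text protocols. The sample config and all credential values in it are constructed placeholders, and the meaning of the "wan" and "enable" states is an assumption.

```python
import base64
import xml.etree.ElementTree as ET

# Constructed sample modelled on the dumpcfg output above; every credential
# value here is a placeholder, not one of the values posted in the thread.
SAMPLE_CFG = """<psitree>
<SystemInfo>
<protocol autoScan="enable" encodePassword="enable"/>
<sysUserName value="admin"/>
<sysPassword value="cGxhY2Vob2xkZXIx"/>
<sptPassword value="cGxhY2Vob2xkZXIy"/>
<usrPassword value="$1$saltsalt$placeholderhash"/>
<tr69c acsUser="acsuser" acsPwd="acs-placeholder" connReqPwd="admin"/>
</SystemInfo>
<SecCfg>
<srvCtrlList ftp="enable" http="enable" icmp="enable" ssh="wan" telnet="enable" tftp="enable"/>
</SecCfg>
</psitree>"""

def base64_plaintext(value):
    """Return the decoded text if value is canonical base64 of printable ASCII, else None."""
    try:
        raw = base64.b64decode(value, validate=True)
    except ValueError:            # binascii.Error is a ValueError subclass
        return None
    if base64.b64encode(raw).decode() != value or not raw.isascii():
        return None
    text = raw.decode("ascii")
    return text if text and text.isprintable() else None

def audit(cfg_xml):
    """Return (category, field, detail) findings for a psitree config dump."""
    findings = []
    root = ET.fromstring(cfg_xml)
    for elem in root.iter():
        for attr, value in elem.attrib.items():
            field = f"{elem.tag}.{attr}"
            if "pass" in field.lower() or "pwd" in field.lower():
                decoded = base64_plaintext(value)
                if decoded is not None:   # encoded, not hashed: recoverable from any backup
                    findings.append(("encoded-credential", field, decoded))
    srv = root.find("./SecCfg/srvCtrlList")
    for name, state in (srv.attrib.items() if srv is not None else []):
        # Assumed semantics: "wan" = reachable from the Internet side, "enable" = on.
        if state == "wan":
            findings.append(("wan-exposed-service", name, state))
        elif state == "enable" and name in ("telnet", "ftp", "tftp"):
            findings.append(("cleartext-service", name, state))
    return findings
```

A hashed value such as the usrPassword placeholder is left alone, so anything the audit reports as encoded-credential is readable by whoever obtains a config backup.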

Hmm, been thinking about this for a while, does anyone think it's possible to perform a MITM attack on a router?

Could be possible with a router that supports VPN. Not really sure if it's possible with a regular router though. Any ideas?

Edit

Quick idea =

One could poison a victim's router with an attacker's own DNS server address that forwards all requests to a transparent proxy server that could possibly then forward all traffic to the proper address. Just a thought. :huh: Any expert opinions?

Edited by SUB-S0NIX
> Hmm, been thinking about this for a while, but does anyone think it's possible to perform a MITM attack on a router?
>
> Could be possible with a router that supports VPN. Not really sure if it's possible with a regular router though. Any ideas?
>
> Edit
>
> Quick idea =
>
> One could poison a victim's router with an attacker's own DNS server address that forwards all requests to a transparent proxy server that could possibly then forward all traffic to the proper address. Just a thought. :huh: Any expert opinions?

Assuming that it was based on Linux, you could install MITM attack software (dnsspoof, ettercap) assuming that packages were available for that router distro and there was enough space.


wow, that's quite a list of routers.. thanx :)

I guess my friend's router is securish.....


I'm not sure how, but if you were able to modify it, there is a version of the Zlob trojan that does change the DNS info inside the router. Since most people just open the box and plug it in, they don't change the authentication info, so this newer variant uses the common login/pass combos to get into the router and change the DNS to a malware DNS server.

> I'm not sure how, but if you were able to modify it, there is a version of the Zlob trojan that does change the DNS info inside the router. Since most people just open the box and plug it in, they don't change the authentication info, so this newer variant uses the common login/pass combos to get into the router and change the DNS to a malware DNS server.

that is quite an attack...


I thought it was an old virus. Seems pretty new according to the link. Pretty interesting nonetheless. I truly believe routers are going to be the next wave of security risk in the future. Just the other day I was thinking about custom router firmware such as OpenWRT and the possibilities of one configuring their own firmware and creating a network of botnets using routers. One could probably even leave the original HTML configuration pages to configure the router and the owner will be none the wiser.

As for transparent proxy software, does anyone have any good suggestions to simulate such an attack on my own personal LAN?


Interesting find!

It seems as though different firmwares have different management software. One has this:

ug@outlawserv:~$ telnet 122.167.85.**
Trying 122.167.85.**...
Connected to 122.167.85.**.
Escape character is '^]'.
BCM96338 ADSL Router
Login: admin
Password:

Note: If you have problem with Backspace key, please make sure you configure your terminal emulator settings. For instance, from HyperTerminal you would need to use File->Properties->Setting->Back Space key sends.


Main Menu

1. ADSL Link State
2. LAN
3. WAN
4. DNS Server
5. Route Setup
6. NAT
7. Firewall
8. Quality Of Service
9. Management
10. Passwords
11. Diag
12. Reset to Default
13. Save and Reboot
14. Exit
->

While the other (more fun if you ask me! It's an actual shell. You can get into sh) version has:

ug@outlawserv:~$ telnet 122.167.85.**
Trying 122.167.85.**...
Connected to 122.167.85.**.
Escape character is '^]'.
BCM96338 ADSL Router
Login: admin
Password:
>

There are other accounts on the routers too, besides "admin"...

admin:7HZXTmnj/97TM:0:0:Administrator:/:/bin/sh
support:e1BZJJQSKd3C.:0:0:Technical Support:/:/bin/sh
user:pHtw2aK/GuydM:0:0:Normal User:/:/bin/sh
nobody:QXZx61KdaYegc:0:0:nobody for ftp:/:/bin/sh

edit: Oh, and look at the services this thing has...


Pwnt, pwnt, pwnt ;)

Edited by DeadlyCypher

sounds like you need to start from the beginning .. check out metasploit or nessus .. if you can MITM that is always good

> Since most people just open the box and plug it in, they don't change the authentication info, so this newer variant uses the common login/pass combos to get into the router and change the DNS to a malware DNS server.

I feel like this used to be the case; however, these days I have been finding this scenario to be less prevalent. As it is 2008, more people are becoming computer savvy. If they don't know about any of this stuff then they usually will hire somebody to come set it up for them.
