
Odd Observation inside a Netopia Router

  • 13-10-2010 1:17am
    #1
    Closed Accounts Posts: 452 ✭✭


    Please note, the router used in the following text was my own Eircom Netopia Router - the wireless-enabled silvery temperamental piece of sh*t.

    Essentially, one day I got bored and was working away online when I thought 'Hmmm. So my router is effectively a little computer. I wonder what a portscan of it looks like?'.

    So, I opened Terminal, and fired up 'nmap' on Ubuntu - Backtrack 4 variant to be precise.

    nmap
    nmap -PN 192.168.1.254

    And then boom. A load of these open ports appeared!

    TELNET (23) was open, and I couldn't RESIST trying to TELNET into the router.

    Another idea I have had since was 'well ok, we are inside the router. We can be dickheads from here and wipe it, but can I get into their computer?'.

    WiFi exploits have been discussed before, but I was thinking. What about network shares? Effectively, once connected to their WiFi you could access the network shares. Possibly injecting code - not sure about that now - and then rooting the users box, perhaps with a botnet server or similar malicious code.

    Just a thought that came to mind.

    To make this far simpler, I have simply pasted here the bash history or whatever it's called.

    root@bt:~# nmap -PN 192.168.1.254

    Starting Nmap 5.00 ( http://nmap.org ) at 2010-09-08 18:46 IST
    Interesting ports on 192.168.1.254:
    Not shown: 992 closed ports
    PORT STATE SERVICE
    23/tcp open telnet
    25/tcp open smtp
    80/tcp open http
    110/tcp open pop3
    1863/tcp open msnp
    5050/tcp open mmcc
    5190/tcp open aol
    50000/tcp open iiimsf
    MAC Address: 00:22:10:8F:6B:10 (Motorola CHS)

    Nmap done: 1 IP address (1 host up) scanned in 76.27 seconds
    root@bt:~# telnet
    telnet> open 192.168.1.254
    Trying 192.168.1.254...
    Connected to 192.168.1.254.
    Escape character is '^]'.

    Terminal shell v1.0
    Copyright ©2008 Motorola, Inc. All rights reserved.
    Netopia Model 2247-02 High-Power Wireless DSL Ethernet Managed Switch
    Running Netopia SOC OS version 7.8.0 (build r2)
    Multimode ADSL Capable
    (Admin completed login: Full Read/Write access)

    Netopia-2000/146306722576> help
    arp to send ARP request
    atmping to send ATM OAM loopback
    clear to erase all stored configuration information
    clear_certificate to clear stored SSL certificate
    clear_log to clear stored log data
    configure to configure unit's options
    diagnose to run self-test
    download to download config file
    exit to quit this shell
    help to get more: "help all" or "help help"
    hotspot to set or show hotspot authentication info
    install to download and program an image into flash
    license to enter an upgrade key to add a feature
    log to add a message to the diagnostic log
    loglevel to report or change diagnostic log level
    netstat to show IP information
    nslookup to send DNS query for host
    ping to send ICMP Echo request
    quit to quit this shell
    reset to reset subsystems
    restart to restart unit
    show to show system information
    start to start subsystem
    status to show basic status of unit
    telnet to telnet to a remote host
    traceroute to send traceroute probes
    upload to upload config file
    view to view configuration summary
    wan_type to Set WAN interface type
    who to show who is using the shell
    ? to get help: "help all" or "help help"
    wps to issue Wireless Protected Setup commands

    Netopia-2000/146306722576> show

    Invalid arguments to "show" or bad command.
    Try "help show" or "help".

    Netopia-2000/146306722576> show help
    Use "show" to show system information.
    Follow it with:
    all-info to display all system information at once
    atm to display ATM information (detail with "all")
    backup to display Backup interface
    bridge followed by:
    interfaces to display bridge interfaces (detail with "all")
    table to display bridge table
    config to display current configuration
    crash to display current crash-dump information
    dsl to display DSL statistics
    daylight-savings to display daylight saving info
    diffserv to print out the diffserv stats
    dhcp followed by:
    server followed by:
    leases to display DHCP server lease table *
    store to display DHCP server non-volatile storage
    agent to display DHCP relay-agent leases
    client to display DHCP client leases
    dslf followed by:
    device-association to display DSLF Device Association
    enet to display ethernet statistics (detail with "all")
    features to display available features
    group-mgmt to display IGMP Snooping Group Addresses
    ip followed by:
    interfaces to display IP interfaces
    routes to display IP route tables
    arp to display IP ARP cache
    igmp to display IGMP Group Addresses
    ipsec to display IPSec Tunnel statistics
    firewall to display Firewall statistics
    state-insp to display Stateful inspection statistics
    lan-discovery to display LAN Discovery table
    ipmap to dump IP map table
    log to display next segment of the log (or "all")
    memory to display memory usage (detail with "all")
    ppp to display PPP information *
    pppoe to display PPPoE information *
    rtsp to display current RTSP session info
    security-log to display security log
    status to show basic status of unit
    summary to show summary of current configuration
    wan-users to show WAN users (detail with "all")
    wireless to display wireless stats (more with "commands")
    vlan to show vlan segments

    * More complete help is available for these commands.

    Netopia-2000/146306722576>netstat -i

    IP interfaces:
    Ethernet 100BT: ( up broadcast default rip-send v1 rip-receive v1 )
    inet 192.168.1.254 netmask 255.255.255.0 broadcast 192.168.1.255
    physical address 00-22-10-8f-6b-10 mtu 1500

    PPP over Ethernet vcc1: ( up address-mapping broadcast default admin-disabled )
    inet 86.40.217.136 netmask 0.0.0.0 broadcast 255.255.255.255
    physical address 00-22-10-8f-6b-12 mtu 1492


    Netopia-2000/146306722576>show ipmap
    IP NAT used list, total = 8
    Key Inside_Address :Port Outside_Address:Port OPort Life Prot
    058 192.168.001.002:58540 069.063.176.176:00080 52652 14359 TCP
    074 192.168.001.002:33031 080.239.201.057:00080 52531 14342 TCP
    191 192.168.001.002:52121 080.239.201.058:00080 52647 14342 TCP
    192 192.168.001.002:52122 080.239.201.058:00080 52648 14219 TCP
    567 192.168.001.002:46879 209.085.227.091:00080 52478 14276 TCP
    655 192.168.001.002:54585 086.043.063.024:00080 52633 14400 TCP
    848 192.168.001.254:02958 083.070.093.244:00053 02958 00077 UDP
    985 192.168.001.002:40056 066.220.153.019:00080 52456 14342 TCP

    Netopia-2000/146306722576>exit

    Goodbye.
    Connection closed by foreign host.
    root@bt:~# exit
    (shell gone)
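A defender's triage of the scan and session above, as an added example that is not part of the original post: it parses the nmap port table and the opening of the telnet session quoted in the post and flags what the owner of such a router would want to act on (a cleartext admin shell reachable from the LAN side with no credential prompt). The port-risk classification and the `unauthenticated_admin_login` check are this example's own assumptions, not anything nmap or the Netopia firmware provides.

```python
"""Triage of a home-router port scan and telnet banner.

Added example (not code from the thread): parses the nmap output and the
telnet session text quoted in the post and turns them into findings.
The per-port risk notes below are assumptions made by this example.
"""
import re
from dataclasses import dataclass

# Sample nmap output, copied from the post above (the scan of 192.168.1.254).
NMAP_OUTPUT = """\
Starting Nmap 5.00 ( http://nmap.org ) at 2010-09-08 18:46 IST
Interesting ports on 192.168.1.254:
Not shown: 992 closed ports
PORT STATE SERVICE
23/tcp open telnet
25/tcp open smtp
80/tcp open http
110/tcp open pop3
1863/tcp open msnp
5050/tcp open mmcc
5190/tcp open aol
50000/tcp open iiimsf
MAC Address: 00:22:10:8F:6B:10 (Motorola CHS)
"""

# Opening of the telnet session quoted in the post (excerpt, constructed
# from the lines shown there).
TELNET_SESSION = """\
Connected to 192.168.1.254.
Escape character is '^]'.

Terminal shell v1.0
Netopia Model 2247-02 High-Power Wireless DSL Ethernet Managed Switch
(Admin completed login: Full Read/Write access)

Netopia-2000/146306722576> help
"""

# Risk notes per port: an assumed classification for this example.
CLEARTEXT_ADMIN = {23: "telnet", 80: "http"}
UNEXPECTED_ON_ROUTER = {25: "smtp", 110: "pop3"}
ALG_PORTS = {1863: "msnp", 5050: "mmcc", 5190: "aol"}  # likely IM ALG helpers

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)", re.M)


@dataclass(frozen=True)
class OpenPort:
    port: int
    proto: str
    service: str


def parse_nmap(text):
    """Return the open ports from nmap's 'PORT STATE SERVICE' table."""
    return [OpenPort(int(p), proto, svc)
            for p, proto, state, svc in PORT_LINE.findall(text)
            if state == "open"]


def triage(open_ports):
    """Map each open port number to a finding; unknown ports get 'review'."""
    findings = {}
    for op in open_ports:
        if op.port in CLEARTEXT_ADMIN:
            findings[op.port] = ("cleartext admin interface: disable or restrict "
                                 "to one host, and set a strong admin password")
        elif op.port in UNEXPECTED_ON_ROUTER:
            findings[op.port] = "mail service on a router: verify purpose, disable if unused"
        elif op.port in ALG_PORTS:
            findings[op.port] = "IM/ALG helper port: confirm it is the router's ALG, not a relay"
        else:
            findings[op.port] = "review: undocumented listener"
    return findings


def unauthenticated_admin_login(session_text):
    """True if the banner grants admin access with no login/password prompt first."""
    lines = [l for l in session_text.splitlines() if l.strip()]
    login = next((i for i, l in enumerate(lines) if "completed login" in l), None)
    if login is None:
        return False
    before = "\n".join(lines[:login]).lower()
    return not any(k in before for k in ("login:", "username:", "password:"))


if __name__ == "__main__":
    for port, note in sorted(triage(parse_nmap(NMAP_OUTPUT)).items()):
        print(f"{port:>6}  {note}")
    print("admin shell without credentials:",
          unauthenticated_admin_login(TELNET_SESSION))
```

The point the output makes is that the serious finding is not the number of open ports but the combination of telnet (cleartext) and a shell that reports "Full Read/Write access" before any password was asked for; anyone who can join the wireless network can then reconfigure the router. Disabling the telnet listener or putting a password on it, and restricting the HTTP interface to the wired side, removes that.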


Comments

  • Registered Users, Registered Users 2 Posts: 8,814 ✭✭✭BaconZombie


    Have you cracked the unit open and looked for a JTAG or serial port {prob with no headers} or, if it does not have either, just unsolder the FLASH and re-solder it to a board that uses the same FLASH and has the ports.


  • Closed Accounts Posts: 452 ✭✭Phractal


    I have not opened the device physically YET as I am kinda using it to access the 'net. I am hoping to buy a second one (seen em on Adverts from time to time) to strip out. It has no obvious serial port, but it may be internal or B: there could be a soldering 'place' on the PCB for one but they never put it in.

    Been thinking of the potential a malicious attacker has when they open up your wireless using, say, the aircrack suite. They COULD Telnet to the router and really **** with your DHCP leases, totally bollixing you up for a while, or worse, format the entire thing.

    Also thought of a malicious code that could be sent 'crypted and binded' (ala skiddie with a RAT) that TELNETS to the router and tells it to ping itself (possibly killing internet connections), or redirect all traffic to X address (for fun, 1227.com or similar, but maliciously, a .php page that can infect ya with ZeuS).

    I also have thought of a concept for an automated scanner. It uses the Wifite.py script to crack all wireless in the area, tries connecting and telnetting to the routers, and does X/Y/Z (perhaps sends the IP+router info to an online database or similar). Basically an 'Area router vulnerability scanner'.

    Still having ideas here... I have one concept that combines a 'beige box' with a stripped down router, ADSL line splitter, Zipit Z1 hacked to run Linux and requisite battery pack for anon. connections, perhaps as a seed-block (if you could store enough on it) or, better still, as an SSH server to anonymize your connections to the 'net. Or, as a 'bot' of sorts.


  • Closed Accounts Posts: 688 ✭✭✭Captain Commie


    thank you for all your router details including your ip "86.40.217.136" I will have fun tonight messing with your system


  • Registered Users, Registered Users 2 Posts: 8,814 ✭✭✭BaconZombie


    innovated wrote: »
    thank you for all your router details including your ip "86.40.217.136" I will have fun tonight messing with your system

    Did you also look up this GPS location via his MAC and then have a look at his house on Google Street View ?


  • Closed Accounts Posts: 688 ✭✭✭Captain Commie


    Did you also look up this GPS location via his MAC and then have a look at his house on Google Street View ?

    Nah, will pass on that one, too much like hard work; really thought he would have masked external IP addresses.


  • Closed Accounts Posts: 452 ✭✭Phractal


    My location is no big secret... Nor is my identity...
    And despite the router being mine, it is hooked up to an older 'test box' as I call it. Basically an old piece of **** Dell from 2003 that runs Ubuntu. I test things on it from time to time.

    What with dynamic IPs and my resetting of the router every so often (oh, and that bash history thingy is a few weeks old) I doubt the IP address is still the same.

    Anyways... Been thinking. Hijack router, lock users out except your spoofed MAC.


  • Closed Accounts Posts: 1,710 ✭✭✭RoadKillTs


    thank you for all your router details including your ip "86.40.217.136" I will have fun tonight messing with your system

    No you won't because by the time you get home his IP will have changed. :)


  • Registered Users, Registered Users 2 Posts: 8,814 ✭✭✭BaconZombie


    RoadKillTs wrote: »
    No you wont because by the time you get home his IP will have changed. :)

    Just scan 86.40.217.0/24 and filter for his MAC.


  • Closed Accounts Posts: 452 ✭✭Phractal


    Just scan 86.40.217.0/24 and filter for his MAC.

    Fire away - like I said, test box, rarely if ever turned on, Linux based. Oh and who says that A: I didn't edit the numbers a bit or B: that it was my 'home' router :P

    Back on topic, however, any ideas (constructive) on vulnerabilities one can find inside a router?

    Oh, for those of you wanting to do some penetration testing or hone your skills, I may have some test servers up this or next weekend in Finland, just gotta confirm that...
    PM me if you are interested in them - I know the guy who owns them and he said he would be interested in running them to see if we can get in.


  • Registered Users, Registered Users 2 Posts: 1,311 ✭✭✭Procasinator


    Just scan 86.40.217.0/24 and filter for his MAC.

    How would you expect to get the MAC address outside of his LAN to filter it?

    Telnet and HTTP are the most common admin interfaces on most routers. More often than not, neither admin interface can be accessed from outside the network (at least, not directly; there have been some tricks developed, and sometimes configuration allows remote admin).

    Once on the network, things do change. Often enough MITM attacks using ARP poisoning are an option on combined devices (wireless, wired switch and modem).

    As for network shares, why would you need to get access to the admin interface if you already have access to the network, and can see shares?


  • Registered Users, Registered Users 2 Posts: 1,190 ✭✭✭wolfric


    And the MAC address gets stripped once it leaves the Ethernet segment.

    I'm not too sure what the OP is talking about to be honest. Telnet is just like any other login. If you got straight in it means there's no username/password. You'd easily be able to get into the router via the web interface.

    HTTP, SSH and telnet are just as secure as each other from your point of view. The only thing about HTTP and telnet is that someone can sniff the traffic if you're connected (or hijack the session). It's trivial however if there's no password.

    You can access Windows shares anywhere as long as they're not firewalled. Usually they're open on the local LAN but they can easily be accessible to the outside too. Normal Windows computer with SMB turned on or Ubuntu with Samba (afaik built in by default). Use psexec (legitimate program to remotely execute programs/commands on Windows machines) if the $admin share is open and try weak usernames and passwords. If you download a copy of Metasploit, they've got psexec as an exploit (even though it's technically not) but you can add in payloads there.

    I suppose if you wanted, you could change the IP of the router, turn off DHCP and leave your own computer on to be DHCP and gateway. Then redirect all the traffic out the router. You could of course ARP poison without doing this but it doesn't always take and can trigger an IDS. Slap on some sslstrip and you have all the passwords and user data.

    Leave your computer there, or simply just redirect random HTTP pages to a web server hosted locally. Pop up a username and password prompt and make it fail a few times and then back to normal. There really is no end to what you can do...
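Procasinator's point that ARP poisoning becomes an option once someone is on the LAN, and wolfric's rogue-gateway scenario, both come down to one observable on the defender's side: the gateway IP suddenly answering from a different MAC, or one MAC claiming several IPs. The monitor below is an added example, not code from the thread; it replays constructed ARP observations (timestamp, sender IP, sender MAC) through a small detector. The gateway IP and MAC are taken from the nmap output in the first post; the log format, the alert names and the one-MAC-many-IPs heuristic are this example's own assumptions.

```python
"""ARP-cache monitor for gateway impersonation on a small LAN.

Added example (not code from the thread): feeds constructed ARP
observations through a detector that alerts when the gateway's MAC
changes or when a single MAC starts claiming several IP addresses.
"""
from collections import defaultdict

GATEWAY_IP = "192.168.1.254"        # the router scanned in the first post
GATEWAY_MAC = "00:22:10:8f:6b:10"   # its LAN MAC, from the nmap output

# Constructed ARP replies, as a passive monitor on the LAN might record them:
# "<seconds> <sender IP> is-at <sender MAC>". From t=12 a host that first
# appeared as 192.168.1.7 starts answering for the gateway and for .2.
ARP_LOG = """\
0 192.168.1.254 is-at 00:22:10:8f:6b:10
5 192.168.1.2 is-at 00:11:22:33:44:55
9 192.168.1.7 is-at aa:bb:cc:dd:ee:01
12 192.168.1.254 is-at aa:bb:cc:dd:ee:01
13 192.168.1.2 is-at aa:bb:cc:dd:ee:01
30 192.168.1.254 is-at 00:22:10:8f:6b:10
"""


def parse_arp_log(text):
    """Parse the constructed log format into (timestamp, ip, mac) tuples."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[2] == "is-at":
            events.append((int(parts[0]), parts[1], parts[3].lower()))
    return events


class ArpMonitor:
    """Tracks IP->MAC bindings and raises alerts on suspicious changes."""

    def __init__(self, gateway_ip, gateway_mac):
        self.gateway_ip = gateway_ip
        self.gateway_mac = gateway_mac.lower()
        self.ip_to_mac = {}
        self.mac_to_ips = defaultdict(set)
        self.alerts = []   # (timestamp, kind, subject, detail)

    def observe(self, ts, ip, mac):
        prev = self.ip_to_mac.get(ip)
        if ip == self.gateway_ip:
            if mac != self.gateway_mac:
                self.alerts.append((ts, "gateway-mac-changed", ip, mac))
            elif prev is not None and prev != mac:
                self.alerts.append((ts, "gateway-mac-restored", ip, mac))
        elif prev is not None and prev != mac:
            self.alerts.append((ts, "ip-mac-changed", ip, mac))
        self.ip_to_mac[ip] = mac
        self.mac_to_ips[mac].add(ip)
        # A MAC answering for more than one IP is the classic poisoning shape
        # (it can also be a legitimate multi-homed host; see the note below).
        if len(self.mac_to_ips[mac]) > 1:
            self.alerts.append((ts, "mac-claims-multiple-ips", mac,
                                tuple(sorted(self.mac_to_ips[mac]))))


def run_monitor(text, gateway_ip=GATEWAY_IP, gateway_mac=GATEWAY_MAC):
    """Replay a log through a fresh monitor and return the alerts raised."""
    mon = ArpMonitor(gateway_ip, gateway_mac)
    for ts, ip, mac in parse_arp_log(text):
        mon.observe(ts, ip, mac)
    return mon.alerts


if __name__ == "__main__":
    for alert in run_monitor(ARP_LOG):
        print(alert)
```

The gateway check is the one worth pinning: a static ARP entry for the router on each host, or the known gateway MAC hard-coded in a monitor like this, turns the "redirect all the traffic" scenario into an immediate alert rather than silent interception. The one-MAC-many-IPs rule is a heuristic and will also fire for a router doing proxy ARP or a host with several addresses, so it belongs in the "review" tier, not the "block" tier.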

