hypnotoad Posted March 22, 2010

Hey all

I have been messing around on my friend's network and I noticed that he has a very generic set up.

Router: Netgear DG834N
Wireless - ESSID: NETGEAR
Enc: No
IP Range 192.168.0.1/255
Router Login: DEFAULT.

I let him know that it was perhaps not the best set up and offered to sort it out for him if he let me have a play around first. He agreed so now I have a question.

I browsed to the router at 192.168.0.1 and tried to log in with all the usual admin/password combos and got in on my third try. After a little snooping I figured that I should check the logs:

Sat, 2000-01-01 00:00:20 - Initialize LCP.
Sat, 2000-01-01 00:00:21 - LCP is allowed to come up.
Sat, 2000-01-01 00:00:22 - CHAP authentication success
Sat, 2000-01-01 00:00:32 - Send out NTP request to time-g.netgear.com
Sat, 2000-01-01 00:01:54 - Send out NTP request to time-h.netgear.com
Fri, 2010-03-19 11:13:21 - Receive NTP Reply from time-h.netgear.com
Fri, 2010-03-19 11:11:25 - Router start up
Mon, 2010-03-22 09:13:21 - Send out NTP request to time-g.netgear.com
Mon, 2010-03-22 09:14:23 - Send out NTP request to time-h.netgear.com
Mon, 2010-03-22 09:14:24 - Receive NTP Reply from time-h.netgear.com
Mon, 2010-03-22 10:20:53 - Administrator login successful - IP:192.168.0.53

This got me thinking about log deletion and covering tracks and how it is done. The only options that the router has are "Refresh", "Clear Log" and "Send Log".

I figured I could telnet into the router, but by default telnet is disabled. A Google search later and http://192.168.0.1/setup.cgi?todo=debug had enabled telnet.

So I telnet(ted?) in to the router:

BusyBox v1.00 (2006.10.04-06:55+0000) Built-in shell (ash)
Enter 'help' for a list of built-in commands.
#

I type help to see what tools I already have to work with

Built-in commands:
-------------------
. : alias bg break cd chdir continue eval exec exit export false fg
hash help jobs kill let local pwd read readonly return set shift
times trap true type ulimit umask unalias unset wait
#

Now I went hunting for the log files and found them in /var/log. There are two files, "messages" and "syslog". I figured I would try and cat the "messages" log, although cat was not in the list of tools, and it worked. I can see the contents of the file, which now shows an additional admin login entry from the running telnet session.

At this point I am now stumped. Without nano or vi, how do I edit out those login entries? How could I go about adding tools and also enable telnet by default (telnet will turn off upon router reset)?

I am using win7 on my netbook for this. I would use backtrack but it doesn't pick up my screen config and I can't be bothered messing with xorg.conf

Any advice would be great guys

Sparda Posted March 22, 2010

What happens when you click "Clear Log"?

hypnotoad Posted March 22, 2010

The entire log gets cleared... Yes, it gets rid of the details but it's a little blunt; I would rather edit the log with a little finesse. Just editing out the entries would be less suspicious, don't you think?

hypnotoad Posted March 23, 2010

Does anyone have any ideas?

digip Posted March 23, 2010

You telnetted into the router, but what about tftp? You could download it, edit it, then reupload it with changes. Would need rwx capabilities on the log though, and even if you can telnet in, you probably only have read capabilities, but I wouldn't know without seeing the output. Have you listed all the files on the router? What kinds of commands are available to you and what kind of shell is it?

Edited March 23, 2010 by digip

hypnotoad Posted March 26, 2010

I no longer have access to my friend's router for testing purposes. He PAID me £50 to secure it for him on the spot yesterday. I offered to do it for free, but he was really insistent on paying me... who am I to turn down £50 for 5 mins work ;)

I will see about getting one of these routers myself to carry on experimenting with this (plus I think there is a way to install a NG version of OpenWRT on it), but for now I would call this a closed topic...

Thanks for advice digip
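
From the defender's side, the difference between "Clear Log" and a selective edit discussed in this thread shows up when an off-box copy of the log (for example one produced with the router's "Send Log" option) is compared with what the device shows later. The Python below is an added example, not code from any post in the thread; it parses the log format quoted in the first post, and the function names, the trusted-address set and the CURRENT sample are assumptions constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Format quoted in the first post: "Mon, 2010-03-22 10:20:53 - <message>"
LINE_RE = re.compile(r"^\w{3}, (\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) - (.+?)\s*$")
ADMIN_RE = re.compile(r"^Administrator login successful - IP:(\d{1,3}(?:\.\d{1,3}){3})$")

def parse_log(text):
    """Return [(timestamp, message), ...]; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2)))
    return entries

def untrusted_admin_logins(entries, trusted_ips):
    """Admin logins whose source address is not in trusted_ips (an assumed allow-list)."""
    hits = [(ts, ADMIN_RE.match(msg)) for ts, msg in entries]
    return [(ts, m.group(1)) for ts, m in hits if m and m.group(1) not in trusted_ips]

def missing_entries(archived, current):
    """Entries in the off-box copy that the device no longer shows.
    Matched by position, not time: the quoted log is not in time order (pre-NTP
    2000-01-01 stamps). Lines older than the oldest shared entry count as rotation."""
    remaining = Counter(current)
    start = next((i for i, e in enumerate(archived) if remaining[e]), None)
    if start is None:
        return list(archived)  # nothing in common: the log was cleared or fully rotated
    missing = []
    for entry in archived[start:]:
        if remaining[entry]:
            remaining[entry] -= 1
        else:
            missing.append(entry)
    return missing

# Constructed sample: ARCHIVED reuses lines from the first post; CURRENT is made up.
ARCHIVED = """Fri, 2010-03-19 11:13:21 - Receive NTP Reply from time-h.netgear.com
Fri, 2010-03-19 11:11:25 - Router start up
Mon, 2010-03-22 09:13:21 - Send out NTP request to time-g.netgear.com
Mon, 2010-03-22 10:20:53 - Administrator login successful - IP:192.168.0.53"""
CURRENT = """Fri, 2010-03-19 11:11:25 - Router start up
Mon, 2010-03-22 09:13:21 - Send out NTP request to time-g.netgear.com
Tue, 2010-03-23 09:13:21 - Send out NTP request to time-g.netgear.com"""

if __name__ == "__main__":
    print(missing_entries(parse_log(ARCHIVED), parse_log(CURRENT)))
```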