Jump to content

2wire


russianhampster

Recommended Posts

I have a 2wire wireless (thanks, at&t) and when I tried to forward various ports, I had to log in at what felt like every other screen.

No big deal, I know the password. And if I forget the password, it is written down on a handy little sticker on the bottom of the device.

Aside from writing it down somewhere else and/or having it reset remotely by the ISP, there must be SOME way to recover it.

I am aware they do not use default passwords for this sort of thing on this particular family of devices...which kind of bums me out...but that's another topic...

So...I know 99% of you will have the urge to tell me why I shouldn't bother with this. You're right, now go flame someone else.

Anyone who wants to figure out a way, feel free to join in. I'm not overly concerned on the time table, as I have already written down / memorized the password to my own router, and AT&T is always happy to reset it remotely for me.

This is more for fun then anything else constructive or useful, and just a good old fashioned hacker urge to grab a beer and attempt the impossible. Again.

Link to comment
Share on other sites

I can think of MITM style tactics to trick someone into typing the password on a bogus router login page... but other than that this will be a toughy.

How does the router store the password? Is it hashed? What OS is the router running?

having it reset remotely by the ISP

How is the ISP remotely resetting it?

Link to comment
Share on other sites

I can think of MITM style tactics to trick someone into typing the password on a bogus router login page... but other than that this will be a toughy.

How does the router store the password? Is it hashed? What OS is the router running?

How is the ISP remotely resetting it?

I've never seen that before, can an ISP really have control over your router! I thought only the end users, could access the router NOT the ISP.

Link to comment
Share on other sites

I've never seen that before, can an ISP really have control over your router! I thought only the end users, could access the router NOT the ISP.

If I am not mistaken, the 2wire devices that they provide are all in one modem/router/wifi routers?

Link to comment
Share on other sites

I've never seen that before, can an ISP really have control over your router! I thought only the end users, could access the router NOT the ISP.

From memory you’re like me, in Australia our ISP’s are too lazy or too stupid to offer this level of support.

Most entry level and cheaper routers have a remote access option, eg you can access the management interface from the WAN interface, some routers like Billion also have an option to only allow this from a set subnet or for a set time period after a reboot.

The 2wire seems to be the chosen replacement for ISP that used to punish customers with the Thompson range.

They also use a “default” password, which is normally set by the ISP and is mostly a mangulation of the mac address, serial number (also used for default WPA key)or the users account name or number, or just a random 8 to 10 character string, and this seems to vary between ISP’s, a bit like the Thompson’s.

The password maybe be stored in the flash RAM somewhere, and I would hope it is encrypted, but I have been proven wrong, I also have a suspicion that the ROM on these are modified for the ISP, so the default password could be hard coded.

I also believe the 2wire doesn’t run a linux variation or something that can easily hacked or modded, so unless there is diag feature, which I doubt as these are cheaply mass produced and are a throw away, rather than repair item, you may be out of luck.

Unless you are handy with a soldering iron and know how to dump the ROM contents, or you could try a factory reset, but that would lose or your settings etc.

Link to comment
Share on other sites

From memory you’re like me, in Australia our ISP’s are too lazy or too stupid to offer this level of support.

Most entry level and cheaper routers have a remote access option, eg you can access the management interface from the WAN interface, some routers like Billion also have an option to only allow this from a set subnet or for a set time period after a reboot.

The 2wire seems to be the chosen replacement for ISP that used to punish customers with the Thompson range.

They also use a “default” password, which is normally set by the ISP and is mostly a mangulation of the mac address, serial number (also used for default WPA key)or the users account name or number, or just a random 8 to 10 character string, and this seems to vary between ISP’s, a bit like the Thompson’s.

The password maybe be stored in the flash RAM somewhere, and I would hope it is encrypted, but I have been proven wrong, I also have a suspicion that the ROM on these are modified for the ISP, so the default password could be hard coded.

I also believe the 2wire doesn’t run a linux variation or something that can easily hacked or modded, so unless there is diag feature, which I doubt as these are cheaply mass produced and are a throw away, rather than repair item, you may be out of luck.

Unless you are handy with a soldering iron and know how to dump the ROM contents, or you could try a factory reset, but that would lose or your settings etc.

Oh Yes you are right, my cisco router has an option that allows remote WAN management. By default, it's turned off and I hate the idea of having a third party managing it for me. I rather manage all my IT gears myself. I'm also from Australia, by the way.

Link to comment
Share on other sites

I was just coming on here to talk about 2Wire's router. And how sad the default security is. I was home for memorial day, and my mom has the 2Wire router. It's a newer one, and is huge in size. I asked her for the pass to connect and got a surprise.

The default WiFi pass for WPA is a 10 digit number. I doubt very few users change this, since 2Wire seems to assure their users it's secure 'out of the box'. That is very untrue. I decided to have some fun and made quick python script to create a list of all 10 digit numbers (Yes it's a large file.. 99GB). It takes about 12 minutes on my older core i3 laptop to write the file. Then with pyrit I finished it off.

Pyrit took a bit, but it was cracked by the time the weekend was over. With some beefed up hardware this would have taken a few hours.

Needless to say her new pass is a long string of numbers, special chars, upper and lower case.

So to all 2Wire router owners, CHANGE YOUR DEFAULT PASS (although that should be obvious for anyone on here).

HINT: The default password to the router config page was also a 10 digit number....

Anyways here is my sad python code for the number generator:

i=0
f=open('2WireDic', 'a')

while i < 10000000000:
    i+=1

    sNum = str(i)

    while (len(sNum) < 10):
        sNum = '0' + sNum


    f.write(sNum + '\n')

f.close()

Edited by bazju
Link to comment
Share on other sites

I'm sad I didn't have more time with the 2Wire router. Seems to me like they are one big security failure.

I am happy to report that a scan of WASH didn't detect WPS enabled. But I didn't mess with that too much after seeing how easy it would be to brute force the PSK.

Link to comment
Share on other sites

  • 3 weeks later...

I was just coming on here to talk about 2Wire's router. And how sad the default security is. I was home for memorial day, and my mom has the 2Wire router. It's a newer one, and is huge in size. I asked her for the pass to connect and got a surprise.

The default WiFi pass for WPA is a 10 digit number. I doubt very few users change this, since 2Wire seems to assure their users it's secure 'out of the box'. That is very untrue. I decided to have some fun and made quick python script to create a list of all 10 digit numbers (Yes it's a large file.. 99GB). It takes about 12 minutes on my older core i3 laptop to write the file. Then with pyrit I finished it off.

Pyrit took a bit, but it was cracked by the time the weekend was over. With some beefed up hardware this would have taken a few hours.

Needless to say her new pass is a long string of numbers, special chars, upper and lower case.

So to all 2Wire router owners, CHANGE YOUR DEFAULT PASS (although that should be obvious for anyone on here).

HINT: The default password to the router config page was also a 10 digit number....

Anyways here is my sad python code for the number generator:

i=0
f=open('2WireDic', 'a')

while i < 10000000000:
    i+=1

    sNum = str(i)

    while (len(sNum) < 10):
        sNum = '0' + sNum


    f.write(sNum + '\n')

f.close()

Nice Job, if you think that is bad security, the old ones were the same way but with 64bit WEP....That took a whole 2 minutes to crack with aircrack back in the day. There was options to set it for WEP, 64 bit only, numbers only. You knew it was a 2wire by the SSID and just let her rip, I was in every 2wire on the block. Thanks for the info, I didn't realize the new ones were 10 digit WPA. Did you capture the handshake and then run your script against it, or just a strait brute force to the box?

Ech3l0n

Link to comment
Share on other sites

  • 1 month later...

i appologize for a bit of a necro as my first post on the new forums but this section doesnt seem active to a point where it will cause much distress, in any case i just wanted to point out for anyone else looking to do similar that we KNOW that the default is 10 digits, so you can generate the numbers in a shorter time, with a shorter file, reducing everything by about 10%

i=0

f=open('2WireDic', 'a')

i = 999999999

while i < 10000000000:

i+=1

sNum = str(i)

while (len(sNum) < 10):

sNum = '0' + sNum

f.write(sNum + '\n')

f.close()

Link to comment
Share on other sites

  • 5 months later...

Hey, thanks for new code ;)

I haven't actually run it, but wouldn't this miss all the numbers below 999999999? Meaning... 0000000001-9999999999. Since i starts at 999999999 and counts up you will miss them. The second 'while' statement will never run because all numbers will already have a length of 10.

Edited by bazju
Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...