
Router Hacks


C0NFUS3D


I work for a networking company that sets up and manages public wireless hot spots. We use the same type of gateway for every job because it offers a lot of options that we require. However, as with most routers, the interface is very limited.

I've built software that monitors and manages these routers from the outside, mainly utilizing CURL in PHP.. but I'm limited to what the router is already capable of doing in its web-based control panel.. I want more.

It appears to have a built-in SSH server, which if I could get in to, I could build more customized software features INSIDE. The problem is that the web-based control panel usernames & passwords do not seem to work for the SSH server. I think the SSH server is more for use by the manufacturer?

Does anyone here know anything more about the Value Point gateway controllers? Specifically the 3550 & 3560 models?


If you can download a copy of the firmware, usually you can reverse or unpack the bin files and search for hard-coded passwords, backdoors, etc. Search the forums, I think int0x0 linked to a tool for doing just that, but I can't remember the name of it. It basically unpacks router bin files so you can then debug or read data from the firmware without needing the router itself to see the data and extract default passwords. The other option: check the device manufacturer, google for default logins, which are aplenty on google. Work might have already been done for you, you just need to refine your search to specifics related to the hardware id or device name.


http://www.cisco.com....html#wp1024488

See if the section "Setting or Changing a Static Enable Password" is what you were looking for

I assume he's using one of these, and not a Cisco Catalyst multilayer switch - http://www.valuepointnet.com/products/controllers/nc3500.html

If it were a Cisco device, he'd need physical access and a serial cable or USB-to-serial and have to access it on the administration port to actually enable SSH and the Web GUI configuration settings, which wouldn't be on by default. High-end Cisco switches and routers need to be set up before they work at all; although switches in most cases work by just plugging them into the network, Cisco switches like the one you linked to still require some configuration if you want to set up port speeds, VLANs and trunking, etc., which is all done over a terminal program to even enable the Web interface, if the device is even capable of doing a web GUI. Some are only terminal based to begin with. Once configured, they can then be accessed over telnet or SSH if configured for it.

The one he has is more of a consumer-based gateway for small businesses.

@c0nfus3d1 Their site lists the default user and password as both being root - http://www.valuepointnet.com/contfaq.php but not sure if that's for SSH or just the web GUI. I would hope they aren't the same.

Who sets them up for you before you roll them out though? Or do they come this way out of the box with SSH enabled? If they all have default passwords for SSH that are the same, then I would think that puts all of your customers at risk if anyone guesses the passwords, so at a minimum they should be known and changed to begin with. Check with your boss though, or whoever is higher up from you, on how they get set up before you install them at locations. Someone should know how they work or what the SSH passwords are on them, because if they come this way out of the box, you essentially have what I consider to be backdoored devices and sitting ducks for attack. Their site didn't offer specifics, but if the web GUI password is not root/root, try that on the SSH side, and if it IS root/root on the SSH side, I would consider notifying your boss and having them change the default password if possible. Hopefully they aren't hard-coded and unchangeable. That would really suck for all those businesses using those devices.


@digip is correct to assume that I am talking about http://www.valuepoin...ers/nc3500.html

The default of root/root is for the web GUI. That does not work for SSH. And yes, we change from the default username/password, but no, the new information does not work for SSH access either.. Any username and password combination I have available for the web GUI does not work for SSH. And yes, I have full root access to the web GUI, it's not that my bosses just don't provide me with proper access..

They come out of the box with SSH enabled and answering on port 22.. There are no settings available in the web GUI for SSH, and I don't see any mention of it in the documentation..

They do have a serial port, and now that you mention it, I'll see what I can get when I plug in to it.. but even when setting them up, we never use this port. It's all web-based configuration, right out of the box..

Edited by c0nfus3d1

I wonder if it will let you telnet into it over the serial port or SSH in over serial. Does the router have a setup for port forwarding though? If so, port forward SSH to some non-existent IP on the subnet, or trigger something like anything for port 22 goes to port 1, for example. Might be able to subvert/disable it that way if all else fails. I still think trying the firmware/bin file method might be worth a shot at looking into though.


I won't be back in the office until Tuesday to try a serial connection..

But regarding the firmware:

The available firmware I can find is .bin for the older ones and .img for the newer ones. This is definitely my first attempt ever at trying this.. so I am pursuing this option, but looking into other options in case it does not work out.

I haven't had much luck yet.. Here's what I know so far:

I haven't found a program [yet] that can offer any help deciphering this file.. Will keep searching!

Edited by c0nfus3d1

Search int0x80 on the forums and his posts. I may be wrong, but I'm pretty sure he posted a link to a tool that unpacks bin files from router firmwares.

edit: tool is "binwalk"

Give that a try, see what happens.

Edited by digip

I thought you meant int0x80 but you said int0x0 at first, so I was like, who's that? lol Thanks digip! You're awesome.

binwalk shows:


[CODE]
binwalk NC3500_1_00_94.bin -v
Scan Time:     Dec 18, 2012 @ 09:55:45
Magic File:    /usr/local/etc/binwalk/magic.binwalk
Signatures:    125
Target File:   NC3500_1_00_94.bin
MD5 Checksum:  85fe894f6720334b33f5ea94b0f2ce6c

DECIMAL   HEX       DESCRIPTION
-------------------------------------------------------------------------------------------------------
13059     0x3303    LZMA compressed data, properties: 0x80, dictionary size: 1610612736 bytes, uncompressed size: 603979776 bytes
14260     0x37B4    gzip compressed data, from Unix, last modified: Fri Feb 17 11:15:01 2012, max compression
944128    0xE6800   gzip compressed data, was "initrd.img", from Unix, last modified: Fri Feb 17 11:17:57 2012, max compression
[/CODE]

I then tried the next step mentioned, hoping firmware-mod-kit could help, but it appears to not support this type. I do see mention of some gzip compressed data, so maybe I can extract that?? Might be time to learn a hex editor.


int0x80 also did a talk on file carving: if you can see the files in hex and know the header identification for the files, you can tell it to basically extract specific chunks, like say the gzip portion of data, to then unzip just those files, for example. Not my area of expertise, but int0x80 does a lot of file manipulation stuff, did a segment on Hak5 about it last season or 2 I believe, and may have some talks on YouTube about it. Search the forums again for his posts and file carving though; there should be some links in the episode section pointing to questions he answered about the topic in the past.

Edited by digip

Did I mention how awesome you were yet, digip? :) I used Magic Rescue.


[CODE]
sudo magicrescue -r gzip -d ./output/ ./NC3500_1_00_94.bin
[/CODE]

This resulted in [b]./output/0000000E6800-0.initrd.img[/b] being created, which I then mounted to /mnt/tmp and can now see the entire file system from the firmware. :D

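As an added illustration of the carving step described above (my own example, not the thread's tool output or anything from Value Point), this script does by hand what `magicrescue -r gzip` did: locate each gzip header by its magic bytes, read the embedded filename, and inflate the member from that offset, verifying the trailer so truncated members and false-positive magic matches are skipped. The firmware bytes are constructed inline as a stand-in for NC3500_1_00_94.bin.

```python
"""Carve gzip members out of a raw firmware image (added example).

Repeats by hand what `magicrescue -r gzip` does: find gzip headers by magic,
read the embedded original filename, inflate the member from that offset."""
import gzip
import io
import zlib

GZIP_MAGIC = b"\x1f\x8b\x08"   # ID1, ID2, CM=8 (deflate)
FEXTRA, FNAME = 0x04, 0x08     # FLG bits: extra field / original filename present


def gzip_member_name(blob: bytes, off: int) -> str:
    """Return the original filename stored in the gzip header at `off` ('' if none)."""
    flg = blob[off + 3]
    pos = off + 10                 # fixed header: ID1 ID2 CM FLG MTIME(4) XFL OS
    if flg & FEXTRA:               # 2-byte little-endian length, then the payload
        pos += 2 + int.from_bytes(blob[pos:pos + 2], "little")
    if flg & FNAME:
        return blob[pos:blob.index(b"\x00", pos)].decode("latin-1")
    return ""


def carve_gzip(blob: bytes) -> list[tuple[int, str, bytes]]:
    """Find every complete gzip member in `blob`: (offset, embedded name, inflated bytes)."""
    found = []
    off = blob.find(GZIP_MAGIC)
    while off != -1:
        d = zlib.decompressobj(16 + zlib.MAX_WBITS)   # +16: expect a gzip wrapper
        try:
            data = d.decompress(blob[off:])
            # d.eof is set only once the trailer (CRC32 + ISIZE) was read and checked;
            # a truncated member or a random 1f 8b 08 match is therefore skipped.
            if d.eof:
                found.append((off, gzip_member_name(blob, off), data))
        except zlib.error:
            pass
        off = blob.find(GZIP_MAGIC, off + 1)
    return found


def build_sample_image() -> bytes:
    """Constructed stand-in for a firmware .bin: padding, a gzip'd initrd, trailer bytes."""
    buf = io.BytesIO()
    with gzip.GzipFile(filename="initrd.img", mode="wb", fileobj=buf, mtime=0) as gz:
        gz.write(b"etc/passwd\nroot:x:0:0:root:/root:/bin/sh\n")   # fake rootfs content
    return b"\x00" * 0x40 + b"JUNK" + buf.getvalue() + b"\xff" * 16
```

Running `carve_gzip(build_sample_image())` yields one member at offset 0x44 named `initrd.img`; on a real image the inflated bytes would be written out and then mounted or unpacked as in the post above.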

That's awesome! Let me know what you find and if there is anything readable, like conf files, which usually have hard-coded passwords. I suspect if you were able to mount it and browse it like a file system, something in there has something related to the SSH port being left open.


@digip is correct to assume that I am talking about http://www.valuepoin...ers/nc3500.html

The default of root/root is for the web GUI. That does not work for SSH. And yes, we change from the default username/password, but no, the new information does not work for SSH access either.. Any username and password combination I have available for the web GUI does not work for SSH. And yes, I have full root access to the web GUI, it's not that my bosses just don't provide me with proper access..

You say it like a lot of companies don't change the settings :D ... Hooray for Comcast!


You say it like a lot of companies don't change the settings :D ... Hooray for Comcast!

These come out of the box this way and he sets them up, but there is no documentation on the SSH password, so essentially, they ship with SSH open, but no clue what the username or password are. That, to me, makes me not want to purchase a product if it's known they come this way. Bad enough things like Huawei routers, for example, having hard-coded backdoors that can't be changed, but most people didn't even know they existed. This device shows an open port, but no info on why, so that to me is kind of scary to roll out, when God only knows who has access to that info and if it's even really SSH enabled or just some TCP bug replying ACKs to probes.

The firmware offered nothing for SSH.. at least nothing I can find. No configuration files, passwords, or anything like that.

The official response I got from Value Point is [and I quote]: "There is not any management interface on SSH, it is just used for manufacturing."

Seeing as we currently don't have an extra gateway lying around for me to really go any further with this - since it'll apparently be more difficult than I thought, I may have to stop here for the moment. :(

Thanks for all your help digip!!
