neowhitehat Posted September 13, 2008

Hey, I have a WRT54G router and I was trying to see if Wireshark would work on it. I set it to promiscuous mode but was only getting packets from my laptop. Anyway, I tried to telnet in to the router to turn the promiscuous mode on in the router, but it wouldn't accept a connection. I'm using the official firmware version v8.00.0 and the web configuration is working. I was wondering if there was a way to enable telnet without putting a custom firmware on the router. Anyone? Please help.

Sparda Posted September 13, 2008

Wait wait wait... you want to see all traffic the router processes... so you ran Wireshark locally on your laptop?

digip Posted September 13, 2008

To see any traffic on the router you need to be between the router and its connections. Connecting to it does nothing, but if you can flash your own firmware, you can load something to watch the traffic directly from the router. I don't know of any consumer router that lets you watch packets by default.

neowhitehat (Author) Posted September 14, 2008

> Wait wait wait... you want to see all traffic the router processes... so you ran Wireshark locally on your laptop?

Yes, because I think one of my computers has some spyware or a virus that I can't find. My VS can't find it either. And I know it's an old computer (2001 Dell, 1.4 GHz Intel P4) but it's running even slower than usual. So I know that all routers (both IT professional and home user) can be set in promiscuous mode so that all the traffic is broadcast throughout the network (I have a little networking education), but for the life of me I can't figure out how to do it with this router.

neowhitehat (Author) Posted September 14, 2008

> To see any traffic on the router you need to be between the router and its connections. Connecting to it does nothing, but if you can flash your own firmware, you can load something to watch the traffic directly from the router. I don't know of any consumer router that lets you watch packets by default.

The thing is, they are capable of doing it; most vendors do hide the promiscuous mode from the HTML front end, so most of the time you have to telnet in and enable it manually. But for some reason you can't even do that with the Linksys firmware. Telnet, that is. I did do an nmap of the router to see what services are available and it says that telnet is running but the port is closed. I also did look at Linksys' site and it said that the router did support telnet but didn't say how to open the port so you can log in. Even my networking professor said that the WRT54G does support telnet and was surprised that Linksys didn't have any documentation on how to open the port. Now I'm sure that somewhere out on the interwebs there is an answer, but I'm trying here first to see if anyone has done it already, or at least knows how.

My brother needs the Dell for school work (he's a senior in high school this year and has a lot of papers due, most over 500 pages), and short of the easy way to get rid of a malware program (for all the noobs who might be reading this, that would be formatting the hard drive and reinstalling the OS), which would take time out from my brother's work (about 6 hours total for formatting and reinstalling the OS and all the programs he needs), and it's his last year in high school and I'm almost never home because of my work schedule (I'm a home care nurse and I travel with my laptop all day and rarely get to see him except on the weekends), not to mention I'm the computer geek of the neighborhood, so even on the weekends I rarely get to rest. But still.

If it can get this done I can use the firewall to block the port and he can get his research done. Thanks in advance, and sorry about the "double" posting. I just really wanted to answer the other guy's post separately.

Sparda Posted September 14, 2008

> Yes, because I think one of my computers has some spyware or a virus that I can't find. My VS can't find it either. And I know it's an old computer (2001 Dell, 1.4 GHz Intel P4) but it's running even slower than usual. So I know that all routers (both IT professional and home user) can be set in promiscuous mode so that all the traffic is broadcast throughout the network (I have a little networking education), but for the life of me I can't figure out how to do it with this router.

I don't know of, and doubt, any consumer grade routers or switches that can do that. Many managed switches and routers can, however. You can set this up if you have a router you can install DDWRT or OpenWRT on, using iptables (apparently).

Also, just reinstall Windows.

Swathe Posted September 14, 2008

Wow, I've never heard of a normal everyday router that has telnet blocked.

Sparda Posted September 14, 2008

> Wow, I've never heard of a normal everyday router that has telnet blocked.

Except any of them that are 'secure' by default.

Emeryth Posted September 14, 2008

It seems to me that the simplest answer would be to install wireshark on the compromised PC, I don't think the virus could hide from it. And why can't you just block all of the ports you aren't using? If you insist on sniffing on the network, you could try a man-in-the-middle attack using ettercap. I have only had experience with a 'hacked' WRT54G, but I don't think you can do much without uploading your own firmware, as was already said.

digip Posted September 14, 2008

> Wow, I've never heard of a normal everyday router that has telnet blocked.

It's not that the router blocks Telnet for his PC, he wants to Telnet into the router, and not all routers have that enabled or even have the capability. Most just have an HTTP front end for consumer routers that lets you do minimal configurations, like set up port forwards, DMZ, etc. Custom firmware will allow him to log on to the router and monitor packets at the router level, so he can see what packets come in and out of the router by way of the machine in question.

If monitoring packets on the router is because you suspect the router is the problem, then I would just reflash the router's firmware and reset the password, as someone could have changed the DNS in the router to do whatever they want. If monitoring packets on a specific machine is what you want, install wireshark on THAT machine, not another one on the network. If monitoring packets on the machine itself can't be done (and I don't know why it couldn't) then I would set up another PC with two NICs and make it a router between the bad machine and the internet so you can sit there and just watch all the traffic coming from the questionable machine. Otherwise, flash your router's firmware and do it from the router, but what is preventing you from doing it on the machine in question?

Install wireshark on the machine in question and start it up, then just watch what it does after connecting online. Don't surf with it, don't do anything for a while, just enable the internet and let it go. If no packets are sent or received, you should be good. Then, go to something like Google or a site you log on to. See if you can capture your packets for the login to a site, like hak5. Then just sit and watch what it does for a while after logging in. Again, just sit and monitor it for a while. (You will see some traffic for other places when on hak5 because people host images for their avatars on other sites, etc, so don't get nervous if you see this at first.)

Do not try to monitor from some other machine on the network -- it's not going to be able to capture packets on a separate machine without either doing a MITM attack or something under Windows. Windows isn't going to be able to see all the packets in a wifi environment by default, and a switched ethernet connection is not going to work at all, just cause problems with the network. If both the machines use wireless, then do the MITM trick under Windows, or have one machine running Linux (not the one in question, obviously) and put its card into monitor mode and run something like Airodump + wireshark to see all the traffic on your network. Problem with this is that you will see stuff from other wireless networks around your home, so you need to know what your NIC's MAC address is to filter out anything you don't need.

The other thing is, maybe the machine is just starting to go. Something component-wise is beginning to fail or die soon.
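
As an added example (not part of any post in this thread): once an idle capture has been taken on the suspect machine as described above, a short script can total what that machine sent and to where, so unexplained destinations stand out. It assumes the capture was saved from Wireshark in the classic pcap format rather than pcapng; the host address and the sample frames are constructed for illustration.

```python
import socket
import struct
from collections import Counter

def frame(src, dst, proto, dport):
    """Constructed Ethernet+IPv4+L4 frame; only the fields parsed below are set."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + struct.pack("!HHI", 40000, dport, 0)

def build_pcap(frames):
    """Wrap frames in a classic little-endian pcap file (link type 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, f in enumerate(frames):
        out += struct.pack("<IIII", ts, 0, len(f), len(f)) + f
    return out

def outbound_summary(pcap, host_ip):
    """Count packets sent by host_ip, keyed by (dst_ip, proto, dst_port)."""
    if struct.unpack("<I", pcap[:4])[0] != 0xA1B2C3D4:
        raise ValueError("expected a little-endian classic pcap, not pcapng")
    counts, off = Counter(), 24                      # skip 24-byte global header
    while off + 16 <= len(pcap):
        caplen = struct.unpack("<I", pcap[off + 8:off + 12])[0]
        pkt = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(pkt) < 34 or pkt[12:14] != b"\x08\x00":
            continue                                 # not IPv4 over Ethernet
        proto = {6: "tcp", 17: "udp"}.get(pkt[23])
        l4 = pkt[14 + (pkt[14] & 0x0F) * 4:]         # honour the IP header length
        if proto is None or len(l4) < 4 or socket.inet_ntoa(pkt[26:30]) != host_ip:
            continue
        dport = struct.unpack("!H", l4[2:4])[0]
        counts[(socket.inet_ntoa(pkt[30:34]), proto, dport)] += 1
    return counts

# Constructed idle capture: one DNS lookup, then repeated unexplained traffic.
HOST = "192.168.1.50"
SAMPLE = build_pcap([
    frame(HOST, "192.168.1.1", 17, 53),
    frame(HOST, "203.0.113.7", 6, 6667),
    frame("203.0.113.7", HOST, 6, 40000),            # inbound reply, not counted
    frame(HOST, "203.0.113.7", 6, 6667),
    frame(HOST, "203.0.113.7", 6, 6667),
])

if __name__ == "__main__":
    for (dst, proto, port), n in outbound_summary(SAMPLE, HOST).most_common():
        print(f"{n:4d}  {proto}  {dst}:{port}")
```

For a real capture, read the saved file in binary mode and pass its bytes and the suspect machine's own IP address to `outbound_summary`.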

Swathe Posted September 15, 2008

I agree, custom firmware is definitely a good option.

neowhitehat (Author) Posted September 15, 2008

> It seems to me that the simplest answer would be to install wireshark on the compromised PC, I don't think the virus could hide from it. And why can't you just block all of the ports you aren't using? If you insist on sniffing on the network, you could try a man-in-the-middle attack using ettercap. I have only had experience with a 'hacked' WRT54G, but I don't think you can do much without uploading your own firmware, as was already said.

(slaps forehead) Why didn't I think of installing Wireshark on the Dell? (stupid stupid stupid stupid) Also, I'm just doing this as a temp fix until my brother is finished with his paper, then I am going to reinstall Windows.

> Then just sit and watch what it does for a while after logging in. Again, just sit and monitor it for a while. (You will see some traffic for other places when on hak5 because people host images for their avatars on other sites, etc, so don't get nervous if you see this at first.)

I know. I've done this for my office because someone was using business bandwidth for personal use and I needed to see who, what, when, etc. And I hated to do that, but well, you know. It took me forever to search through the packets. Well, Cain and Abel came in handy. (One perk was that I got a 1TB external hard drive out of the deal.) And I'm going to install DD-WRT ASAP because I also think someone is stealing bandwidth from me. Thanks for all the help.