Printable View
Have you tried to telnet into the router or connect with a browser and use the default log in. I set a small network up for a friend of mine a while ago The router (netgear) he has, has still got the default log in,ie Admin/password. Password being the password.
I have had to go back to carryout a bit of maintainance a few times and he still has not changed the password and iv'e told him he should.
Not much help i'm afraid but you never no.
Jinxy
Unless he has the remote administration enabled (which should show as an open port right) this will not work. (Unless you are on the internal network)Quote:
Originally posted here by jinxy
Have you tried to telnet into the router or connect with a browser and use the default log in. I set a small network up for a friend of mine a while ago The router (netgear) he has, has still got the default log in,ie Admin/password. Password being the password.
I have had to go back to carryout a bit of maintainance a few times and he still has not changed the password and iv'e told him he should.
Not much help i'm afraid but you never no.
Jinxy
Hmm....good point jarrod. That brings up an Idea....if the router has wireless potential...simple wardriving would allow some sort of access to further penetrate the target.
If you really really want to go through all the trouble of getting in...another Idea is to physically access his/her Internet Cable (Cable or DSL?), install a physical keylogger or traffic monitor in between or a wireless hotspot for that matter...and continue from there, very unlikely that someone would go through all that trouble to access his PC.
I'd also take into consideration Jarrod's DOS idea. So far he hasn't had any luck with the few tools he's used to even scratch the surface of my network. We'll let you know if he gets anywhere :D
CXGJarrod.
You are quite correct. And i don't suppose remote admin will be enabled by default.
Still i thought it was worth a shot.
Have a look at this link: http://www.securitytracker.com/alert...r/1006463.html
Jinxy
A bit off topic but I thought I'd add this. In the NetGear RP114, this is a known flaw (NetGear knows this and doesn't think this is a serious security issue). The specific issue is that you can access the router from external using the internal private addressing scheme. I also think (IIRC) you can also access it externally by default using outside addressing (Big reason why that router is no longer located near an external address for me and why the default pass was changed immediately upon purchasing -- but how many people have purchased this and never done it!?). Personally, I think this is an issue but hey.. might be just me. :DQuote:
Unless he has the remote administration enabled (which should show as an open port right) this will not work. (Unless you are on the internal network)
All the commercial grade, (read: (l)user grade), routers I have come across have remote admin turned off by default.... A smart move IMO.... ;) So remote admin is not possible without an exploit of the router itself.... which is possible. You need to determine the firmware version and router type itself. I read recently, (here on AO so do a search), that the latest version of NMap has signatures for several of the common commercial grade routers. I know that linksys' default admin password is admin and D-Link's is 1234 - I'm sure you can come up with others if you google it. If you can breach it with the available exploits and gain admin then it is yours.
It did interest me to note the level of frustration you have when presented with a router. Sucks doesn't it? But what you are really saying is that a wide open box is fun for you, you can compromise it, or at least have a good go at it. But if someone spends the $40-60 to put the router in the way or a software firewall you are somewhat "castrated". You demonstrate perfectly the reason why people who don't understand their OS and how it exposes them can mitigate many issues with the simple expenditure of a small amount of money rather then their precious time to learn. This goes back to the rather long and heated thread that was closed, (where I got the "last word" :p), where placing any kind of "obfuscator" between a non-technical person's box and the public network was questioned.
Your post, whether you intended it or not, proves both yours and my position that it is, in fact, a good thing...... ;)
What I meant by that was he has to allout 80 OUT because he wouldn't be able to access web pages (unless he us using a proxy through port 1080 or 8080, etc)... You are thinking port forwarding... which is IN...Quote:
Originally posted here by pooh sun tzu
But the reason they usually allow them out are because they are running the actual services. I don't think a trojan could bind on the same port if another service is being used. I taught him well enough, so we WON'T open a port he isn't using.
I'll look into a writing a quick script that will alter his router from his personal computer, and then have it kill itself after one usage, and keep it nonmorphing. Shouldn't be too difficult, when I can figure out his router information that is.
Similar to how trojans connect to an IRC server on port 6667, join themselves to a room (most of the time hidden) and wait for instructions...
They connect out from their PC and into a server.
It doens't actually open up port 6667 on the compromised host...
It really creates somewhat of a tunnel.
A thing wich could be interesting to lookup is firewalking (and the tool firewalk). Nice pdf about it: http://ducer.w00nf.org/trash/securit...s/firewalk.pdf. Someone asked me to write a tut on it, but I don't have the time atm. Very short, it's a method to determine the ACL's on the firewall/router, by messing with the TTL of the packets.
Nope, his linksys (i think so far) has it turned off by default.Quote:
Have you tried to telnet into the router or connect with a browser and use the default log in.
He lives in WA, I live in UT. Not a possibility.Quote:
simple wardriving would allow some sort of access to further penetrate the target.
Unless the DoS is directly tied to a exploitation so I can bypass the router, it won't do me any good. I'm here to penetrate, not go scripty on him :) However, if it is a DoS that does give actual exploitation (like old CISCO routers that reset the password/uid if they received too many 1m pings within a certain period, or the semi old CISCO's that would buzz the admin during a DoS via wireless pager with a new login and password that was randomized, thus transmitting it to my pager).. then tell me how it works.Quote:
I'd also take into consideration Jarrod's DOS idea.
As I said in my first post :) already running nmap checksQuote:
NMap has signatures
It isn't that at all, actually. Even on a totally locked down box like my old winxp test I at least had a chance of zero day penetration testing, or dumb luck with perhaps stack smashing. With a router in place, that limits the activity I can preform to near null. Thus my frustration :) I -know- I can do security penetration, but because of my limited knowledge on routers I feel like I'm fresh out of the tutorial section when it comes to router penetration. I do see your point though, and agree (again) that having even a simple firewall/router in place can deter MUCH more attacks than trusting on internal security alone.Quote:
But what you are really saying is that a wide open box is fun for you, you can compromise it, or at least have a good go at it.
Brilliant, simply amazing. I never looked at it that way and will imediatally begin researching what ports he may keep open on the OUT for programs or services. One thing that would hinder that though is port differences. His source port may end up being 1051 to access websites, as only the server is required to use port 80 on that connection. It would have to be an outgoing port (service) that sticks to one usage, rather than a program which randomizes. (like my grsecurity patch)Quote:
What I meant by that was he has to allout 80 OUT because he wouldn't be able to access web pages (unless he us using a proxy through port 1080 or 8080, etc
Thanks a ton for that link neel, I'll look in to it right away. Thanks everyone for all your help and keep it coming!
Not to step on any toes, but alot of these suggestions are considered loud. According to hacking exposed 4th edition.
PS: Word on the street, little linksys 4P routers are getting blown through even by the skiddies(hearsay). I dumped mine back two febs ago.