Note: This hack works on most of the newer ADSL, ADSL2+ and ADSL2+M routers.
In this article we are going to hack into a router to learn more about it. You might not know that this small and innocent-looking modem is actually a “Linux CPU”. Let's get into it. First do an nmap scan of this modem. Here is a quick example
The http port is open, and that is why we are able to access the administration page from http://192.168.1.1/
But apart from http, the telnet port is also open. So why not try connecting to it?
$ telnet 192.168.1.1
Trying 192.168.1.1...
Connected to 192.168.1.1.
Escape character is '^]'.
SemIndia Systems ADSL Router
Login: admin
Password:
>

Wow! We are able to log in to the telnet daemon of our router using the default username/password of admin/admin. What next? Type in the help command and hit enter. It will list the supported commands, somewhat like this:

> help
? help logout reboot adsl atm brctl cat df dumpcfg echo ifconfig kill arp defaultgateway dhcpserver dns lan passwd ppp remoteaccess restoredefault route save swversion wan serialnum lan6 dhcp6c dns6 defaultgateway6 route6 ping ps pwd sntp sysinfo tftp
>

Some of these are common terminal commands on Linux: ps, pwd, ping, cat, etc. So let's see the current working directory using pwd.

> pwd
/
>

Listing directories
So we are in the root directory of the filesystem. The ls command is not available, so we have to use another trick to list the directories. And the trick is echo *, because the shell expands * to the names of the entries in the current directory and echo prints them.

> echo *
bin dev etc images lib linuxrc mnt proc sbin usr var webs
>

/etc/passwd file
You might next want to see the password file /etc/passwd. The cat command is available and can be used for this.

> cat /etc/passwd
admin:7wfiFif6nh6VA:0:0:Administrator:/:/bin/sh
support:MVMCoQ0jGR4Yo:0:0:Technical Support:/:/bin/sh
user:MrYImHrIkIxRI:0:0:Normal User:/:/bin/sh
nobody:685CCPc3VWsbs:0:0:nobody for ftp:/:/bin/sh
>

That's a Linux password file.
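
As an added example (not part of the original article), the Python script below audits the passwd output shown above and flags what an owner hardening this router would care about: hashes stored in the world-readable passwd file, the traditional 13-character DES crypt format, UID 0 on every account, and a login shell on every account. The finding labels and the list of non-login shells are assumptions chosen for this example.

```python
import re

# The four lines printed by `cat /etc/passwd` in the article above.
PASSWD = """\
admin:7wfiFif6nh6VA:0:0:Administrator:/:/bin/sh
support:MVMCoQ0jGR4Yo:0:0:Technical Support:/:/bin/sh
user:MrYImHrIkIxRI:0:0:Normal User:/:/bin/sh
nobody:685CCPc3VWsbs:0:0:nobody for ftp:/:/bin/sh
"""

# Traditional DES crypt(3): 2 salt chars + 11 hash chars from [./0-9A-Za-z].
DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")
# Assumed list of shells that block interactive login (example choice).
NOLOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}


def audit_passwd(text):
    """Return {account: [finding labels]} for passwd(5)-format text."""
    report = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            report[line] = ["malformed"]
            continue
        name, pw, uid, _gid, _gecos, _home, shell = fields
        findings = []
        if pw == "":
            findings.append("empty-password")
        elif pw not in ("x", "*", "!"):
            # Hash sits in passwd itself instead of a root-only shadow file.
            findings.append("hash-in-passwd")
            if DES_CRYPT.match(pw):
                # DES crypt: passwords truncated to 8 chars, 12-bit salt.
                findings.append("des-crypt")
        if uid == "0":
            findings.append("uid-0")  # account runs with root privileges
        if shell not in NOLOGIN_SHELLS:
            findings.append("login-shell")
        report[name] = findings
    return report


if __name__ == "__main__":
    for account, findings in audit_passwd(PASSWD).items():
        print(f"{account:8} {', '.join(findings) or 'ok'}")
```

Every one of the four accounts, including "nobody", comes back with all four findings, which is why changing the default admin password alone does not close this router's telnet exposure.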