This page has been robot translated, sorry for typos if any. Original content here.



0. Foreword:


ADSL (asymmetric digital subscriber line) technology has finally reached the most remote corners of Russia and continues to spread rapidly. More and more users connect to the Internet via ADSL modem. I will not go into details and describe the work of this technology, I will say in my own words: DSL allows to transfer data on ordinary two telephone wires with much faster speed than a normal DIAL-UP modem (which transmits data in the audio range - for sure everyone heard the sound of a conventional modem at his work). So, DSL (digital subscriber line) is a technology that allows to transmit the signal at higher frequencies (therefore, the speed is higher) on the same pair of wires as the usual low-frequency signal of the audible range. To separate the high-frequency and low-frequency signals, the final equipment is used at both ends of the line-splitters, then from the user: one signal goes to a regular telephone, the second to the ADSL modem; on the second side also one signal goes to the telephone network (ATS) to the second provider. In general, who is not familiar with ADSL, I recommend reading the theory http://ru.wikipedia.org/wiki/ADSL

Our subject of close attention is the ADSL modem. Why ask him? Well, in the first as a rule NAT is embedded in it, the firewall and modem itself is already a serious obstacle in the way of the hacker to the victim's computer. For example, you mailed a trojan to the mail or try to get the shell on the victim's computer with 0day-flattening for IE and you do not get anything, because the victim is behind NAT and / or Faer. A home network with a general connection to the Internet, because in the home lokalka as a rule all the balls in free access and having captured one machine on the network you will easily get access to the rest.
Here we will consider the hacking of ADSL modems with Ethernet connection to the user's computer (there is also USB - we do not consider it here).

Like any device connected to the Internet, the ADSL modem has its own IP (it is called external IP, WAN-IP or real IP-like to anyone), as well as an internal IP (LAN-IP) for your local (it's a gateway to the Internet in properties of TCP / IP protocol on your computer).

Between these two interfaces WAN and LAN, and everything else is located (NAT, router, firewall). Remote management of ADSL settings (ie NAT, router, firewall) of the modem is available through different protocols (http, ftp, telnet, etc.). Now the most interesting, by default this remote control of many modems is available both from the local store and from the external network. That is, in other words, the ADSL-modem shines with its services both outside the Internet and in the local area. Many users (= lamers) do not particularly bother setting up the ADSL modem to ensure their security and leave in the configuration permission to control the modem from outside, ie from the Internet, in addition, even forget (or just do not know) change the password to log in in the configurator ADSL-modem and leave it also default (by default)!



1. Preparation.

a) we need any network scanner (to find the modem configurator built into the ADSL modem of WEB-servers, for example I use LanScope for these cases-it does not contain anything superfluous-it is a multi-threaded network scanner, monitors the network for available resources of NetBios (Samba) , FTP and HTTP, scanning the specified ranges of IP addresses.It shows the access rights to resources: reading, writing.The resource scanner searches for a given resource name, for example, music, video, etc. You can download here the scanner LanScope >
b) minimum knowledge of html and javascript.
c) straight arms and a bright head.

2. Search for potential victims.

We scan the plug-in for the presence of ADSL modems. How to find the provider's subnet - easily see your external IP and choose the same or similar range, for example our WAN IP xxx.xxx.241.20 we set the range xxx.xxx.241.1-xxx.xxx.243.255. After a while in the scanner window we will see the services web, ftp, balls. We are interested in web-configurators of ADSL-modems.



3. Actually hacking itself

We start poking the browser into each one, we get to the login page of the configurator login (there you will see a banner with a short info such as ADSL modem such and such), enter the password to log in. We try the default password 1234, once the modem, two modems, the OPS on the third modem came up (one lame).
(note how to break the password for entering the configurator read in the next articles, here it is not considered yet)

My victim was http: //ххх.ххх.241.59: 80
Here is the banner and the login page of the ADSL Modem Configurator Web Service




we drive 1234 into the password field and get here:




Then they tell us that the pass is on the silence of 1234 and we should change it (well, we will not change yet, and then the lamak will then have to reset the modem and fiddling with its setting), then click the ignore button and get here:




We climb into the Wizard Setup Wizard




The login is already visible, the pass is hidden behind the asterisks
This is the html-code of this page.

<html><head>
<meta http-equiv='content-type' content='text/html;charset=iso-8859-1'>
<title>Web Configurator</title>
<SCRIPT src="General.js"></SCRIPT>
<frameset cols="150,*" rows="*" frameborder="NO" border="0" bordercolor="#000000">
<frame src="Panel.html" name="panel" scrolling="NO" noresize frameborder="NO" bordercolor="#000000" marginwidth="0" marginheight="0">

<frameset cols="*" rows="78,*" frameborder="NO" border="0" bordercolor="#000000">

<frame src="Title.html" name="title" scrolling="NO" noresize frameborder="NO" marginwidth="0" marginheight="0">

<frame src="FirstPage.html" name="main" scrolling="AUTO" noresize frameborder="NO" marginwidth="0" marginheight="0">

</frameset></frameset><noframes>
<body>
</body></noframes>
</html>


We see little interesting and that the page consists of frames. We look at frames, for example this FirstPage.html,




we get again on the first page,
but already on a specific file FirstPage.html, we click again on the Wizard Setup, the line in the browser has the form http: //ххх.ххх.241.59: 80 / wzOthers.html,




click next - now in the browser line http: //xxx.xxx.241.59: 80 / wzPPPOE.html,




look at its source, here it is:
<html><head>

<meta http-equiv='content-type' content='text/html;charset=iso-8859-1'>
<title>Web Configurator</title>
<SCRIPT src="General.js"></SCRIPT>

<script language="JavaScript">
<!--

function doPPPoEIPAddr(form)
{
if ( form.radiobutton4[0].checked )
{
form.wzPPPOE_StaticIP.disabled = true;
}
else

{
form.wzPPPOE_StaticIP.disabled = false;
}
}

function PPPoEChkIdleTime(form)
{

if ( form.PPPoE_PPPoEVCKA[0].checked )
{
form.PPPoE_PPPoEVCIdleTime.disabled = false;
}
else
{

form.PPPoE_PPPoEVCIdleTime.disabled = true;
}
}

function PPPoEAOLWordChk(Word)
{
}


// -->
</script></head><body bgcolor="#ffffff" marginwidth="0" marginheight="0" onLoad="top.title.location='Title.html';">
<FORM METHOD="POST" ACTION="/Forms/wzPPPOE_1" name="ISPform">

<table width="100%" border="0" cellspacing="0" cellpadding="0" >
<tr>

<td width="2%">&nbsp;</td><td width="5%"></td><td width="93%">
<div align=left valign=top>
<table border="0" cellspacing="0" cellpadding="0" width="560">

<tr>
<td colspan="4" class="NaviText">
<div align=left> Wizard Setup - ISP Parameters for Internet Access</div></td></tr>

<tr>
<td colspan="4">
<hr class="hrColor">
</td></tr> <tr>

<td colspan="2"> Service Name </td><td colspan="2">
<INPUT TYPE="TEXT" NAME="wzPPPOE_ServiceName" SIZE="30" MAXLENGTH="31" VALUE=""></td></tr> <tr>

<td colspan="2"> User Name </td><td colspan="2"> <INPUT TYPE="TEXT" NAME="wzPPPOE_UserName" SIZE="30" MAXLENGTH="70" VALUE="ll2498" onkeypress="chk_chtNumUserName(event)"></td></tr><tr>

<td colspan="2"> Password </td><td colspan="2">
<INPUT TYPE="PASSWORD" NAME="wzPPPOE_Password" SIZE="30" MAXLENGTH="70" VALUE="bukzajop" onBlur="PPPoEAOLWordChk(this.value)"></td></tr><tr>

<td colspan="4">&nbsp; </td></tr> <tr>
<td colspan="4" class="header2"> IP Address </td></tr><tr>

<td colspan="2"> </td><td colspan="2"> <INPUT TYPE="RADIO" NAME="radiobutton4" VALUE="wzPPPOE_DynIP" CHECKED onClick="doPPPoEIPAddr(this.form);">Obtain an IP Address Automatically </td></tr><tr>

<td colspan="2"> </td><td colspan="2"> <INPUT TYPE="RADIO" NAME="radiobutton4" VALUE="wzPPPOE_RadioStaticIP" onClick="doPPPoEIPAddr(this.form);">Static IP Address </td></tr><tr>

<td width="32"></td><td width="115">&nbsp;</td><td width="24">
</td><td width="479">
<INPUT TYPE="TEXT" NAME="wzPPPOE_StaticIP" SIZE="15" MAXLENGTH="15" VALUE="0.0.0.0" onBlur="checkIPFormat(this)"></td></tr> <tr>

<td colspan="4"></td></tr>
<tr>
<td colspan=4 class="header2">Connection</td></tr> <tr>

<td width="33"></td><td width="119">&nbsp;</td><td colspan="2">
<INPUT TYPE="RADIO" NAME="PPPoE_PPPoEVCKA" VALUE="0" onClick="PPPoEChkIdleTime(this.form);"> Connect on Demand: Max Idle Timeout <INPUT TYPE="TEXT" NAME="PPPoE_PPPoEVCIdleTime" SIZE="5" MAXLENGTH="5" VALUE="0" onkeypress="chk_num(event)">sec</td></tr>

<tr>
<td width="33"></td><td width="119">&nbsp;</td><td colspan="2"> <INPUT TYPE="RADIO" NAME="PPPoE_PPPoEVCKA" VALUE="1" CHECKED onClick="PPPoEChkIdleTime(this.form);"> Nailed-Up Connection</td></tr> <tr>

<td colspan=4 class="header2">&nbsp;</td></tr><tr>
<td colspan=4 class="header2">Network Address Translation</td></tr><tr>

<td colspan="2"></td><td colspan="2"> <SELECT NAME="wzPPPOE_NAT" SIZE="1"><OPTION VALUE=00000000>None
<OPTION VALUE=01000000 SELECTED>SUA Only

<OPTION VALUE=02000000>Full Feature
</SELECT></td></tr> <tr>
<td colspan="4">&nbsp;</td></tr>

<tr align=center valign=middle>
<td colspan="6" height="36">
<hr class="hrColor">
</td></tr> <tr>

<td colspan="4">
<div align=center> <INPUT TYPE="SUBMIT" NAME="wzPPPOEBack" VALUE="Back">&nbsp;&nbsp;&nbsp; <INPUT TYPE="SUBMIT" NAME="wzPPPOENext" VALUE="Next"></div></td></tr>

<tr>
<td colspan="6" height="10">&nbsp;</td></tr> </table></td></tr></table></form><script language="JavaScript">

<!--
doPPPoEIPAddr(document.forms[0]);
PPPoEChkIdleTime(document.forms[0]);
// -->
</script>

</body></html>


Here is the line where our password sits:

<INPUT TYPE="PASSWORD" NAME="wzPPPOE_Password" SIZE="30" MAXLENGTH="70" VALUE="bukzajop" onBlur="PPPoEAOLWordChk(this.value)"></td></tr><tr>


Here is a screenshot:




It is not difficult to guess that the pass is: "bukzajop" , well, and no one hides the login from you in the configurator.


4. Conclusion
Well, what can I say, except as there are llamaks, were and will be, and also holes in the security settings of ADSL modems too. Haha to close the pass from yuzvereya asterisks, if it is still mona get it by looking at the html code of the desired page.
Well, I do not need to explain how to configure the ADSL modem, for example, you can make a forwarding of packets (NAT settings) across all protocols and ports from an external IP to an internal one and to break (examine for bugs) services on a computer on a local network, and you can take and switch the modem to bridge mode, thereby making the modem transparent and transfer the external IP to the computer and then scan its computer with security scanners for holes in the network services.