This page has been machine translated; apologies for any typos.



0. Preface:


ADSL (asymmetric digital subscriber line) technology has finally reached the most remote corners of Russia and continues to spread rapidly; more and more users connect to the Internet via an ADSL modem. I will not go into the details of how this technology works, but in my own words: DSL allows data to be transmitted over the usual two telephone wires at a much higher speed than a regular dial-up modem (which transmits data in the audio range; everyone has surely heard the sound of a regular modem at work). So DSL (Digital Subscriber Line) is a technology that transmits a signal at higher frequencies (and therefore at a higher speed) over the same pair of wires as the normal low-frequency signal of the audible range. To separate the high-frequency and low-frequency signals, terminal equipment is installed at both ends of the line: splitters. On the user's side one signal goes to the regular phone and the other to the ADSL modem; on the exchange side one signal goes to the telephone network (PBX) and the other to the provider. Anyone not familiar with ADSL should read the theory at http://ru.wikipedia.org/wiki/ADSL

Our focus is the ADSL modem. Why attack it, you ask? Well, firstly, it usually has NAT and a firewall built in, and the modem itself is already a serious obstacle between the hacker and the victim's computer. For example, you send a trojan by mail or try to get a shell on the victim's computer with a 0day exploit for IE and get nothing, because the victim is behind NAT and/or a firewall. Secondly, a home network with a shared Internet connection: in a home LAN all the shares are usually publicly accessible, so having seized one machine in the network you easily get access to the rest.
Here we consider hacking ADSL modems with an Ethernet connection to the user's computer (there are also USB ones; we do not consider them here).

Like any device connected to the Internet, an ADSL modem has its own IP address (called the external IP, WAN IP or real IP, whichever you prefer), as well as an internal IP (LAN IP) facing your local computer (this is the gateway in the TCP/IP protocol properties on your computer).

Everything else (NAT, router, firewall) sits between these two interfaces, WAN and LAN. Remote management of the modem's ADSL settings (i.e. of its NAT, router and firewall) is available over various protocols (HTTP, FTP, Telnet, etc.). Now the most interesting part: by default, on many modems this remote management is reachable from both the local and the external network. In other words, the ADSL modem exposes its services both to the Internet and to the LAN. Many users (= lamers) do not bother configuring the ADSL modem for their own security and leave management from outside, i.e. from the Internet, permitted in the settings; moreover, they forget (or simply do not know) to change the password for logging in to the ADSL modem's configurator and leave it at the default too!



1. Preparation.

a) any network scanner (to find the web servers of the configurator built into ADSL modems). For these cases I use LanScope: it contains nothing superfluous; it is a multi-threaded network scanner that monitors the network for available NetBIOS resources (Samba), FTP and HTTP by scanning specified IP address ranges, and shows access rights to resources: read, write. Its resource scanner searches for a given resource name, for example music, video, etc.
b) minimal knowledge of HTML and JavaScript.
c) steady hands and a clear head.

2. Search for potential victims.

We scan the provider's subnet for ADSL modems. How to find out the provider's subnet: simply look at your external IP and choose the same or a nearby range; for example, if our WAN IP is xxx.xxx.241.20 we take the range xxx.xxx.241.1-xxx.xxx.243.255. After a while the scanner window shows web services, FTP and shares. We are interested in the ADSL modems' web configurators.



3. The break-in itself

We point the browser at each one in turn and reach the login page of the configurator (a banner there gives brief info on the type of ADSL modem), then enter the password. We try the default password 1234: one modem, two modems, and oops, the third modem lets us in (I found one lamer).
(Note: how to crack the configurator's password is covered in the following articles; it is not considered here.)

My victim was http://xxx.xxx.241.59:80
Here are the banner and login page of the ADSL modem's web configurator.




We type 1234 into the password field and get here:




Here we are told that the default password is 1234 and that we really should change it (well, we will not change it yet, otherwise the lamer will have to reset the modem and fiddle with its settings), so we click the Ignore button and get here:




We go into the modem's setup wizard (Wizard Setup)




The login is already visible; the password is hidden behind asterisks.
This is the HTML code of this page.

<html><head>
<meta http-equiv='content-type' content='text/html;charset=iso-8859-1'>
<title>Web Configurator</title>
<SCRIPT src="General.js"></SCRIPT>
<frameset cols="150,*" rows="*" frameborder="NO" border="0" bordercolor="#000000">
<frame src="Panel.html" name="panel" scrolling="NO" noresize frameborder="NO" bordercolor="#000000" marginwidth="0" marginheight="0">

<frameset cols="*" rows="78,*" frameborder="NO" border="0" bordercolor="#000000">

<frame src="Title.html" name="title" scrolling="NO" noresize frameborder="NO" marginwidth="0" marginheight="0">

<frame src="FirstPage.html" name="main" scrolling="AUTO" noresize frameborder="NO" marginwidth="0" marginheight="0">

</frameset></frameset><noframes>
<body>
</body></noframes>
</html>


We see little of interest here except that the page consists of frames. Let's look at the frames, for example this FirstPage.html,




We are back at the first page, but now at the specific file FirstPage.html; we click Wizard Setup again, and the address bar shows http://xxx.xxx.241.59:80/wzOthers.html,




click Next, and now the address bar shows the page http://xxx.xxx.241.59:80/wzPPPOE.html,




let's look at its source; here it is:
<html><head>

<meta http-equiv='content-type' content='text/html;charset=iso-8859-1'>
<title>Web Configurator</title>
<SCRIPT src="General.js"></SCRIPT>

<script language="JavaScript">
<!--

function doPPPoEIPAddr(form)
{
if ( form.radiobutton4[0].checked )
{
form.wzPPPOE_StaticIP.disabled = true;
}
else

{
form.wzPPPOE_StaticIP.disabled = false;
}
}

function PPPoEChkIdleTime(form)
{

if ( form.PPPoE_PPPoEVCKA[0].checked )
{
form.PPPoE_PPPoEVCIdleTime.disabled = false;
}
else
{

form.PPPoE_PPPoEVCIdleTime.disabled = true;
}
}

function PPPoEAOLWordChk(Word)
{
}


// -->
</script></head><body bgcolor="#ffffff" marginwidth="0" marginheight="0" onLoad="top.title.location='Title.html';">
<FORM METHOD="POST" ACTION="/Forms/wzPPPOE_1" name="ISPform">

<table width="100%" border="0" cellspacing="0" cellpadding="0" >
<tr>

<td width="2%">&nbsp;</td><td width="5%"></td><td width="93%">
<div align=left valign=top>
<table border="0" cellspacing="0" cellpadding="0" width="560">

<tr>
<td colspan="4" class="NaviText">
<div align=left> Wizard Setup - ISP Parameters for Internet Access</div></td></tr>

<tr>
<td colspan="4">
<hr class="hrColor">
</td></tr> <tr>

<td colspan="2"> Service Name </td><td colspan="2">
<INPUT TYPE="TEXT" NAME="wzPPPOE_ServiceName" SIZE="30" MAXLENGTH="31" VALUE=""></td></tr> <tr>

<td colspan="2"> User Name </td><td colspan="2"> <INPUT TYPE="TEXT" NAME="wzPPPOE_UserName" SIZE="30" MAXLENGTH="70" VALUE="ll2498" onkeypress="chk_chtNumUserName(event)"></td></tr><tr>

<td colspan="2"> Password </td><td colspan="2">
<INPUT TYPE="PASSWORD" NAME="wzPPPOE_Password" SIZE="30" MAXLENGTH="70" VALUE="bukzajop" onBlur="PPPoEAOLWordChk(this.value)"></td></tr><tr>

<td colspan="4">&nbsp; </td></tr> <tr>
<td colspan="4" class="header2"> IP Address </td></tr><tr>

<td colspan="2"> </td><td colspan="2"> <INPUT TYPE="RADIO" NAME="radiobutton4" VALUE="wzPPPOE_DynIP" CHECKED onClick="doPPPoEIPAddr(this.form);">Obtain an IP Address Automatically </td></tr><tr>

<td colspan="2"> </td><td colspan="2"> <INPUT TYPE="RADIO" NAME="radiobutton4" VALUE="wzPPPOE_RadioStaticIP" onClick="doPPPoEIPAddr(this.form);">Static IP Address </td></tr><tr>

<td width="32"></td><td width="115">&nbsp;</td><td width="24">
</td><td width="479">
<INPUT TYPE="TEXT" NAME="wzPPPOE_StaticIP" SIZE="15" MAXLENGTH="15" VALUE="0.0.0.0" onBlur="checkIPFormat(this)"></td></tr> <tr>

<td colspan="4"></td></tr>
<tr>
<td colspan=4 class="header2">Connection</td></tr> <tr>

<td width="33"></td><td width="119">&nbsp;</td><td colspan="2">
<INPUT TYPE="RADIO" NAME="PPPoE_PPPoEVCKA" VALUE="0" onClick="PPPoEChkIdleTime(this.form);"> Connect on Demand: Max Idle Timeout <INPUT TYPE="TEXT" NAME="PPPoE_PPPoEVCIdleTime" SIZE="5" MAXLENGTH="5" VALUE="0" onkeypress="chk_num(event)">sec</td></tr>

<tr>
<td width="33"></td><td width="119">&nbsp;</td><td colspan="2"> <INPUT TYPE="RADIO" NAME="PPPoE_PPPoEVCKA" VALUE="1" CHECKED onClick="PPPoEChkIdleTime(this.form);"> Nailed-Up Connection</td></tr> <tr>

<td colspan=4 class="header2">&nbsp;</td></tr><tr>
<td colspan=4 class="header2">Network Address Translation</td></tr><tr>

<td colspan="2"></td><td colspan="2"> <SELECT NAME="wzPPPOE_NAT" SIZE="1"><OPTION VALUE=00000000>None
<OPTION VALUE=01000000 SELECTED>SUA Only

<OPTION VALUE=02000000>Full Feature
</SELECT></td></tr> <tr>
<td colspan="4">&nbsp;</td></tr>

<tr align=center valign=middle>
<td colspan="6" height="36">
<hr class="hrColor">
</td></tr> <tr>

<td colspan="4">
<div align=center> <INPUT TYPE="SUBMIT" NAME="wzPPPOEBack" VALUE="Back">&nbsp;&nbsp;&nbsp; <INPUT TYPE="SUBMIT" NAME="wzPPPOENext" VALUE="Next"></div></td></tr>

<tr>
<td colspan="6" height="10">&nbsp;</td></tr> </table></td></tr></table></form><script language="JavaScript">

<!--
doPPPoEIPAddr(document.forms[0]);
PPPoEChkIdleTime(document.forms[0]);
// -->
</script>

</body></html>


Here it is the line where our password sits:

<INPUT TYPE="PASSWORD" NAME="wzPPPOE_Password" SIZE="30" MAXLENGTH="70" VALUE="bukzajop" onBlur="PPPoEAOLWordChk(this.value)"></td></tr><tr>


Here is a screenshot:




It is not hard to guess that the password is "bukzajop", and nobody hides the login from you in the configurator either.
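The weakness shown above is that the configurator sends the stored PPPoE password back to the browser in the VALUE attribute of a password field; the asterisks are only how the browser renders it. As an added example (not code from the original article), here is a small audit script that a device owner or firmware tester can run over a saved copy of an admin page to flag exactly that: any password-type input that arrives pre-filled. The two embedded forms are constructed samples modelled on the wzPPPOE.html form above; "EXAMPLE-SECRET" is a placeholder, not a real credential.

```python
"""Audit an admin page's HTML for credentials echoed into form fields."""
from html.parser import HTMLParser


class PrefilledSecretFinder(HTMLParser):
    """Collect <input type="password"> elements whose VALUE is not empty."""

    def __init__(self):
        super().__init__()
        self.findings = []  # list of (field name, leaked value)

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "input":
            return
        # html.parser lowercases attribute names; a bare attribute
        # such as CHECKED arrives with value None, hence the "or".
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("type", "").lower() == "password" and a.get("value"):
            self.findings.append((a.get("name", "?"), a["value"]))


def find_prefilled_secrets(html_text):
    """Return [(field_name, value), ...] for every leaky password field."""
    parser = PrefilledSecretFinder()
    parser.feed(html_text)
    return parser.findings


# Constructed sample: the leaky pattern from the wizard page above.
LEAKY_FORM = """
<FORM METHOD="POST" ACTION="/Forms/wzPPPOE_1" name="ISPform">
<INPUT TYPE="TEXT" NAME="wzPPPOE_UserName" VALUE="user01">
<INPUT TYPE="PASSWORD" NAME="wzPPPOE_Password" VALUE="EXAMPLE-SECRET">
</FORM>"""

# Hardened variant: the stored secret is never sent to the browser;
# an empty field submitted back means "keep the current password".
SAFE_FORM = """
<FORM METHOD="POST" ACTION="/Forms/wzPPPOE_1" name="ISPform">
<INPUT TYPE="TEXT" NAME="wzPPPOE_UserName" VALUE="user01">
<INPUT TYPE="PASSWORD" NAME="wzPPPOE_Password" VALUE="" placeholder="unchanged">
</FORM>"""

if __name__ == "__main__":
    for label, page in (("leaky", LEAKY_FORM), ("hardened", SAFE_FORM)):
        hits = find_prefilled_secrets(page)
        print(label, "->", hits or "no pre-filled password fields")
```

Run it against a page saved from your own device with "view source" (not a screenshot, since the leak is in the markup, not in what is rendered).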


4. Conclusion
Well, what can I say, except that there are, and always will be, lamers, and holes in the security settings of ADSL modems too. What is the point of hiding the password from the user behind asterisks if you can still get it by looking at the HTML source of the page?
I don't need to explain what you can do in the ADSL modem's settings: for example, set up packet forwarding (NAT) on all protocols and ports from the external IP to the internal one and then examine (test for bugs) the services on a computer in the local network; or you can switch the modem to bridge mode, making it transparent and passing the external IP through to the computer, and then scan that computer with security scanners for holes in its network services.