


0. Foreword:


ADSL (Asymmetric Digital Subscriber Line) technology has finally reached the most remote corners of Russia and continues to spread rapidly. More and more users connect to the Internet through an ADSL modem. I will not go into the details of how the technology works; in my own words: DSL transfers data over the ordinary two-wire telephone line at a much higher speed than a regular dial-up modem (which transmits data in the audio range; surely everyone has heard the sound of a regular modem at work). DSL (Digital Subscriber Line) transmits the signal at higher frequencies (hence the higher speed) over the same pair of wires as the normal low-frequency signal in the audible range. To separate the high-frequency and low-frequency signals, terminal equipment is installed at both ends of the line: splitters. On the user's side one signal goes to the ordinary telephone and the other to the ADSL modem; on the other side one signal likewise goes to the telephone network (the PBX) and the other to the provider. For anyone not familiar with ADSL, I recommend reading the theory at http://ru.wikipedia.org/wiki/ADSL

Our focus is the ADSL modem. Why break into it, you ask? Firstly, it usually has NAT built in, and the firewall and the modem itself are already a serious obstacle on the attacker's path to the victim's computer. For example, you sent a trojan by mail or tried to get a shell on the victim's computer with a 0-day exploit for IE, and nothing works, because the victim is behind NAT and/or a firewall. Secondly, home networks with a shared Internet connection: in a home LAN, as a rule, all the shares are freely accessible, and having taken over one machine on the network it is easy to reach the rest.
Here we consider ADSL modems with an Ethernet connection to the user's computer (there are also USB ones; we will not consider them here).

Like any device connected to the Internet, the ADSL modem has its own IP address (called the external IP, WAN IP or real IP) as well as an internal IP (LAN IP) for your LAN (this is the default gateway in the TCP/IP protocol properties on your computer).

Everything else (NAT, router, firewall) sits between these two interfaces, WAN and LAN. Remote management of the modem's settings (i.e. NAT, routing, firewall) is available over different protocols (HTTP, FTP, Telnet, etc.). Now the most interesting part: by default, on many modems this remote management is reachable both from the LAN and from the external network. In other words, the ADSL modem exposes its services both to the Internet and to the LAN. Many users (= lamers) do not particularly bother with configuring the ADSL modem to ensure their safety and leave management of the modem from outside, that is, from the Internet, enabled; in addition, they forget (or simply do not know) to change the login password for the ADSL modem's configurator and leave it at the default too!
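As an added example (mine, not the article's, and not any modem vendor's logging), here is a Python audit over a constructed configurator login log. It shows what a defender would want to catch from the paragraph above: management logins arriving from outside the LAN (the WAN side), repeated failures from one source, and a success that follows them. The log line format is an assumption invented for the example; the modem's real syslog output will differ, and only the regular expression would need to change.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Address ranges that belong to the home LAN side of the modem (RFC 1918).
# Anything else reaching the configurator came in over the WAN interface.
LAN_NETS = [ip_network("10.0.0.0/8"),
            ip_network("172.16.0.0/12"),
            ip_network("192.168.0.0/16")]

# Constructed log format (an assumption, not the modem's real syslog output):
#   <date> <time> webcfg login user=<name> src=<ip> result=<ok|fail>
LINE_RE = re.compile(
    r"^\S+ \S+ webcfg login user=(?P<user>\S+) src=(?P<src>\S+) "
    r"result=(?P<result>ok|fail)$")

FAIL_THRESHOLD = 3   # failures from one source before we call it guessing

# Constructed sample log: one legitimate LAN login, then an outside address
# failing three times and finally getting in (the default-password scenario).
SAMPLE_LOG = [
    "2009-03-01 10:00:01 webcfg login user=admin src=192.168.1.33 result=ok",
    "2009-03-01 10:05:12 webcfg login user=admin src=203.0.113.7 result=fail",
    "2009-03-01 10:05:15 webcfg login user=admin src=203.0.113.7 result=fail",
    "2009-03-01 10:05:19 webcfg login user=admin src=203.0.113.7 result=fail",
    "2009-03-01 10:05:25 webcfg login user=admin src=203.0.113.7 result=ok",
    "this line is noise and must be skipped, not crash the parser",
]


def is_lan_address(text):
    """True only for RFC 1918 addresses; malformed input counts as not-LAN."""
    try:
        addr = ip_address(text)
    except ValueError:
        return False
    return any(addr in net for net in LAN_NETS)


def audit_configurator_log(lines):
    """Return (kind, src, user, result) findings for suspicious login events."""
    findings = []
    failures = Counter()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        src, user, result = m["src"], m["user"], m["result"]
        if not is_lan_address(src):
            # Management interface reached from the WAN at all is the finding;
            # the article's whole attack depends on this being possible.
            findings.append(("wan_access", src, user, result))
        if result == "fail":
            failures[src] += 1
            if failures[src] == FAIL_THRESHOLD:
                findings.append(("guessing", src, user, result))
        elif failures[src]:
            # A success right after failures from the same source is the
            # signature of a password being tried until one works.
            findings.append(("success_after_failures", src, user, result))
    return findings


if __name__ == "__main__":
    for finding in audit_configurator_log(SAMPLE_LOG):
        print(*finding)
```

Run over the sample it reports four WAN-side logins, one guessing alert and one success-after-failures alert, and silently skips the malformed line. The practical fix the findings point at is the one the article implies: keep the configurator reachable from the LAN only and change the default password.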



1. Preparation.

a) any network scanner (to find the web configurator servers embedded in ADSL modems). For this I use LanScope: it contains nothing superfluous; it is a multi-threaded network scanner that surveys the network for available NetBIOS (Samba) shares, FTP and HTTP services by scanning the specified ranges of IP addresses. It shows the access rights to the resources: read, write. Its resource scanner searches for a given share name, for example music, video, etc. The LanScope scanner can be downloaded here.
b) minimal knowledge of HTML and JavaScript.
c) steady hands and a clear head.

2. Search for potential victims.

We scan for the presence of ADSL modems. How to find out the provider's subnet: simply look at your own external IP and choose the same or a nearby range; for example, our WAN IP is ххх.ххх.241.20, so we take the range ххх.ххх.241.1-ххх.ххх.243.255. After a while, the scanner window will show web and FTP services and shares. We are interested in the web configurators of ADSL modems.



3. The actual hacking

We start poking at each one in the browser and get to the authorization page for entering the configurator (there you will see a banner with brief info like "ADSL modem such-and-such"); enter the password. We try the default password 1234: one modem, two modems, and on the third modem, oops, it worked (we hit a lamer).
(How to crack the password for entering the configurator when it has been changed will be covered in a following article; it is not covered here.)

My victim was http://xxxx.xxx.241.59:80
Here is the banner and login page of the ADSL modem's web configurator service:




Type 1234 into the password field and we get here:




Here we are told that the password is the default 1234 and that it really should be changed (well, we won't change it yet, otherwise the lamer will have to reset the modem and fiddle with its settings again); click the Ignore button and get here:




We go into the modem setup wizard (Wizard Setup):




The login is already visible; the password is hidden behind asterisks.
This is the HTML code of this page:

<html><head>
<meta http-equiv='content-type' content='text/html;charset=iso-8859-1'>
<title>Web Configurator</title>
<SCRIPT src="General.js"></SCRIPT>
<frameset cols="150,*" rows="*" frameborder="NO" border="0" bordercolor="#000000">
<frame src="Panel.html" name="panel" scrolling="NO" noresize frameborder="NO" bordercolor="#000000" marginwidth="0" marginheight="0">

<frameset cols="*" rows="78,*" frameborder="NO" border="0" bordercolor="#000000">

<frame src="Title.html" name="title" scrolling="NO" noresize frameborder="NO" marginwidth="0" marginheight="0">

<frame src="FirstPage.html" name="main" scrolling="AUTO" noresize frameborder="NO" marginwidth="0" marginheight="0">

</frameset></frameset><noframes>
<body>
</body></noframes>
</html>


We see little of interest, except that the page consists of frames. Let's look at the frames, for example this FirstPage.html:




We get back to the first page, but now at the specific file FirstPage.html; click Wizard Setup again, and the browser address line reads http://xxxx.xxx.241.59:80/wzOthers.html,




click Next, and now the page in the address line is http://xxx.xxx.241.59:80/wzPPPOE.html,




Let's look at its source; here it is:
<html><head>

<meta http-equiv='content-type' content='text/html;charset=iso-8859-1'>
<title>Web Configurator</title>
<SCRIPT src="General.js"></SCRIPT>

<script language="JavaScript">
<!--

function doPPPoEIPAddr(form)
{
if ( form.radiobutton4[0].checked )
{
form.wzPPPOE_StaticIP.disabled = true;
}
else

{
form.wzPPPOE_StaticIP.disabled = false;
}
}

function PPPoEChkIdleTime(form)
{

if ( form.PPPoE_PPPoEVCKA[0].checked )
{
form.PPPoE_PPPoEVCIdleTime.disabled = false;
}
else
{

form.PPPoE_PPPoEVCIdleTime.disabled = true;
}
}

function PPPoEAOLWordChk(Word)
{
}


// -->
</script></head><body bgcolor="#ffffff" marginwidth="0" marginheight="0" onLoad="top.title.location='Title.html';">
<FORM METHOD="POST" ACTION="/Forms/wzPPPOE_1" name="ISPform">

<table width="100%" border="0" cellspacing="0" cellpadding="0" >
<tr>

<td width="2%">&nbsp;</td><td width="5%"></td><td width="93%">
<div align=left valign=top>
<table border="0" cellspacing="0" cellpadding="0" width="560">

<tr>
<td colspan="4" class="NaviText">
<div align=left> Wizard Setup - ISP Parameters for Internet Access</div></td></tr>

<tr>
<td colspan="4">
<hr class="hrColor">
</td></tr> <tr>

<td colspan="2"> Service Name </td><td colspan="2">
<INPUT TYPE="TEXT" NAME="wzPPPOE_ServiceName" SIZE="30" MAXLENGTH="31" VALUE=""></td></tr> <tr>

<td colspan="2"> User Name </td><td colspan="2"> <INPUT TYPE="TEXT" NAME="wzPPPOE_UserName" SIZE="30" MAXLENGTH="70" VALUE="ll2498" onkeypress="chk_chtNumUserName(event)"></td></tr><tr>

<td colspan="2"> Password </td><td colspan="2">
<INPUT TYPE="PASSWORD" NAME="wzPPPOE_Password" SIZE="30" MAXLENGTH="70" VALUE="bukzajop" onBlur="PPPoEAOLWordChk(this.value)"></td></tr><tr>

<td colspan="4">&nbsp; </td></tr> <tr>
<td colspan="4" class="header2"> IP Address </td></tr><tr>

<td colspan="2"> </td><td colspan="2"> <INPUT TYPE="RADIO" NAME="radiobutton4" VALUE="wzPPPOE_DynIP" CHECKED onClick="doPPPoEIPAddr(this.form);">Obtain an IP Address Automatically </td></tr><tr>

<td colspan="2"> </td><td colspan="2"> <INPUT TYPE="RADIO" NAME="radiobutton4" VALUE="wzPPPOE_RadioStaticIP" onClick="doPPPoEIPAddr(this.form);">Static IP Address </td></tr><tr>

<td width="32"></td><td width="115">&nbsp;</td><td width="24">
</td><td width="479">
<INPUT TYPE="TEXT" NAME="wzPPPOE_StaticIP" SIZE="15" MAXLENGTH="15" VALUE="0.0.0.0" onBlur="checkIPFormat(this)"></td></tr> <tr>

<td colspan="4"></td></tr>
<tr>
<td colspan=4 class="header2">Connection</td></tr> <tr>

<td width="33"></td><td width="119">&nbsp;</td><td colspan="2">
<INPUT TYPE="RADIO" NAME="PPPoE_PPPoEVCKA" VALUE="0" onClick="PPPoEChkIdleTime(this.form);"> Connect on Demand: Max Idle Timeout <INPUT TYPE="TEXT" NAME="PPPoE_PPPoEVCIdleTime" SIZE="5" MAXLENGTH="5" VALUE="0" onkeypress="chk_num(event)">sec</td></tr>

<tr>
<td width="33"></td><td width="119">&nbsp;</td><td colspan="2"> <INPUT TYPE="RADIO" NAME="PPPoE_PPPoEVCKA" VALUE="1" CHECKED onClick="PPPoEChkIdleTime(this.form);"> Nailed-Up Connection</td></tr> <tr>

<td colspan=4 class="header2">&nbsp;</td></tr><tr>
<td colspan=4 class="header2">Network Address Translation</td></tr><tr>

<td colspan="2"></td><td colspan="2"> <SELECT NAME="wzPPPOE_NAT" SIZE="1"><OPTION VALUE=00000000>None
<OPTION VALUE=01000000 SELECTED>SUA Only

<OPTION VALUE=02000000>Full Feature
</SELECT></td></tr> <tr>
<td colspan="4">&nbsp;</td></tr>

<tr align=center valign=middle>
<td colspan="6" height="36">
<hr class="hrColor">
</td></tr> <tr>

<td colspan="4">
<div align=center> <INPUT TYPE="SUBMIT" NAME="wzPPPOEBack" VALUE="Back">&nbsp;&nbsp;&nbsp; <INPUT TYPE="SUBMIT" NAME="wzPPPOENext" VALUE="Next"></div></td></tr>

<tr>
<td colspan="6" height="10">&nbsp;</td></tr> </table></td></tr></table></form><script language="JavaScript">

<!--
doPPPoEIPAddr(document.forms[0]);
PPPoEChkIdleTime(document.forms[0]);
// -->
</script>

</body></html>


Here is the line containing our password:

<INPUT TYPE="PASSWORD" NAME="wzPPPOE_Password" SIZE="30" MAXLENGTH="70" VALUE="bukzajop" onBlur="PPPoEAOLWordChk(this.value)"></td></tr><tr>


Here is a screenshot:




It is easy to see what the password is: "bukzajop". As for the login, nobody hides it from you in the configurator anyway.
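As an added illustration, not part of the original article and not the modem vendor's code, here is a Python check that a firmware developer or auditor can run over a configurator's pages to catch exactly the defect shown above: a PASSWORD input whose VALUE attribute is pre-filled with the stored secret. It goes slightly beyond the page by also flagging HIDDEN inputs whose name suggests a credential. The sample page is constructed from the ISP credentials line of the wzPPPOE.html dump plus one invented hidden field; the hardened rendering function is an assumption about how such a form should be built.

```python
from html import escape
from html.parser import HTMLParser

# Constructed sample page: the two credential inputs from the wzPPPOE.html
# dump, an invented hidden field carrying the admin password, and a correctly
# empty confirmation field.
SAMPLE_PAGE = """
<FORM METHOD="POST" ACTION="/Forms/wzPPPOE_1" name="ISPform">
<INPUT TYPE="TEXT" NAME="wzPPPOE_UserName" SIZE="30" MAXLENGTH="70" VALUE="ll2498">
<INPUT TYPE="PASSWORD" NAME="wzPPPOE_Password" SIZE="30" MAXLENGTH="70" VALUE="bukzajop">
<INPUT TYPE="HIDDEN" NAME="adminPassword" VALUE="1234">
<INPUT TYPE="PASSWORD" NAME="confirmPassword" VALUE="">
</FORM>
"""

# Substrings that mark a hidden field as probably carrying a credential.
CREDENTIAL_HINTS = ("pass", "pwd", "secret", "key")


class SecretFieldAuditor(HTMLParser):
    """Collect <input> elements that carry a secret in their VALUE attribute.

    The browser's asterisks only affect what is painted on screen; whatever the
    server puts into VALUE is in the page source for anyone who can load it.
    """

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":      # HTMLParser lowercases tag and attribute names
            return
        a = {k: (v or "") for k, v in attrs}
        name = a.get("name", "")
        value = a.get("value", "")
        kind = a.get("type", "text").lower()
        if not value:
            return              # an empty VALUE leaks nothing
        if kind == "password":
            self.findings.append(("password_prefilled", name, value))
        elif kind == "hidden" and any(h in name.lower() for h in CREDENTIAL_HINTS):
            self.findings.append(("hidden_credential", name, value))


def find_leaked_secrets(page):
    """Return (kind, field name, leaked value) for every offending input."""
    parser = SecretFieldAuditor()
    parser.feed(page)
    parser.close()
    return parser.findings


def render_password_field(name, size=30, maxlength=70):
    """Hardened rendering: never echo the stored secret back to the client.

    VALUE stays empty; the backend keeps the existing secret when the submitted
    field comes back blank, so the user can still leave it unchanged.
    """
    return (f'<INPUT TYPE="PASSWORD" NAME="{escape(name, quote=True)}" '
            f'SIZE="{size}" MAXLENGTH="{maxlength}" VALUE="">')


if __name__ == "__main__":
    for kind, name, value in find_leaked_secrets(SAMPLE_PAGE):
        print(f"{kind}: {name} = {value!r}")
    print(render_password_field("wzPPPOE_Password"))
```

On the sample page the audit reports the pre-filled wzPPPOE_Password field and the hidden adminPassword field, and ignores the username (a plain text field) and the empty confirmation field; the hardened rendering of the same field produces no finding at all.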


4. Conclusion
Well, what can I say, except that there are, there were and there will be security holes, and the settings of ADSL modems are no exception. Ha, they hide the password from the user behind asterisks, yet if you really want it, just look at the HTML code of the right page.
I don't need to explain what can be done in the ADSL modem's setup; for example, you can set up packet forwarding (NAT setup) for all protocols and ports from the external IP to an internal IP and then probe (examine for bugs) the services on a computer on the local network, or you can switch the modem to bridge mode, making the modem transparent and handing the external IP to the user's computer, and then scan that computer with security scanners for holes in its network services.