Sunday, January 13, 2008

hacking the WGR614v7

Netgear often builds a telnet daemon into their routers, but sometimes it can be a little tricky getting in. I was curious to see if my WGR614v7 has any way to access a command line interface, so I fired up nmap:

$ nmap 192.168.1.12

Starting Nmap 4.20 ( http://insecure.org ) at 2008-01-13 17:42 CST
Interesting ports on 192.168.1.12:
Not shown: 1694 closed ports
PORT STATE SERVICE
23/tcp open telnet
80/tcp open http
8080/tcp open http-proxy

Nmap finished: 1 IP address (1 host up) scanned in 1.355 seconds

All right! Let's try to log in...

$ telnet 192.168.1.12
Trying 192.168.1.12...
Connected to 192.168.1.12.
Escape character is '^]'.
Connection closed by foreign host.

Rats. For some reason we are kicked out as soon as we touch the daemon. A little hunting on the internet provides an explanation: the telnet daemon is disabled by default, but the Netgear staff have a Windows utility that sends a specially constructed packet to the router to enable the telnet interface. A hacker has reverse-engineered the encryption of that packet and reimplemented it as a C program, which compiles with:

$ gcc -o telnetenable md5.c blowfish.c telnetenable.c

Now I use the program to construct the "unlock" packet with the IP and MAC address of my router, and the default username/password "Gearguy/Geardog":

$ ./telnetenable 192.168.1.12 00AABBCCDDEE Gearguy Geardog > modpkt.pkt

Then I send it to the router with netcat:

$ nc 192.168.1.12 23 < modpkt.pkt

Now I try to log in again...

$ telnet 192.168.1.12
Trying 192.168.1.12...
Connected to 192.168.1.12.
Escape character is '^]'.
Login: Gearguy
Password: *******
U12H06400>

And we're in! "?" gives a list of commands. I'm most interested in getting the network statistics from this and putting the results into cacti... but I'll save that for another time! :)
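The transcripts above show the daemon in three distinct states: the TCP connection is accepted and closed at once (locked), a "Login:" prompt appears (enabled), or nothing is listening at all (refused). The following Python script turns that into a repeatable audit check for a router on your own LAN. It is an added example, not part of the original post or of the telnetenable tool; it assumes the daemon listens on port 23 and that the "Login:" prompt shown above is what an enabled daemon sends, and the default target address at the bottom is a placeholder.

```python
#!/usr/bin/env python3
"""Audit the state of a router's telnet port (added example, not the post's code).

Maps the behaviours seen in the transcripts onto labels:
  - TCP connect refused                     -> ABSENT   (no daemon listening)
  - connect accepted, closed immediately    -> LOCKED   (daemon present, not enabled)
  - connect accepted, "Login:" prompt shown -> UNLOCKED (daemon enabled)
Assumptions: telnet is on port 23 and the prompt text "Login:" marks an enabled daemon.
"""
import socket
import sys
from enum import Enum

IAC = 0xFF                                  # telnet "interpret as command" byte
OPTION_NEGOTIATION = {251, 252, 253, 254}   # WILL, WONT, DO, DONT: three-byte sequences


class TelnetState(Enum):
    ABSENT = "absent"
    LOCKED = "locked"
    UNLOCKED = "unlocked"
    UNKNOWN = "unknown"


def strip_telnet_negotiation(data: bytes) -> bytes:
    """Remove IAC command sequences so only the banner text remains."""
    out = bytearray()
    i = 0
    while i < len(data):
        if data[i] == IAC and i + 1 < len(data):
            # IAC WILL/WONT/DO/DONT <opt> is three bytes; other IAC commands are two
            i += 3 if data[i + 1] in OPTION_NEGOTIATION else 2
            continue
        out.append(data[i])
        i += 1
    return bytes(out)


def classify_banner(data: bytes, peer_closed: bool) -> TelnetState:
    """Decide the daemon state from what it sent and whether it hung up on us."""
    text = strip_telnet_negotiation(data)
    if b"login:" in text.lower():
        return TelnetState.UNLOCKED
    if peer_closed and not text.strip():
        return TelnetState.LOCKED
    return TelnetState.UNKNOWN


def probe_telnet(host: str, port: int = 23, timeout: float = 3.0) -> TelnetState:
    """Connect once, read whatever the daemon sends, and classify it."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return TelnetState.ABSENT
    except OSError:
        return TelnetState.UNKNOWN      # unreachable host, connect timeout, etc.

    received = b""
    peer_closed = False
    with sock:
        sock.settimeout(timeout)
        while True:
            try:
                chunk = sock.recv(1024)
            except socket.timeout:
                break                   # quiet daemon: let classify_banner decide
            if not chunk:
                peer_closed = True      # EOF: the daemon closed the connection
                break
            received += chunk
            if b"login:" in received.lower():
                break                   # prompt received, nothing more to read
    return classify_banner(received, peer_closed)


if __name__ == "__main__":
    # Placeholder default address; pass the router's LAN address as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.1"
    state = probe_telnet(target)
    print(f"{target}: telnet daemon is {state.value}")
```

LOCKED is the state the post starts in and UNLOCKED the state after the enable packet has been sent. Since that packet is built from nothing more than the router's IP, its MAC address and the default Gearguy/Geardog credentials, a router that reports UNLOCKED when you have not enabled telnet yourself is worth investigating.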

--Edit--

Apparently seattlewireless.net, the original website that hosted the files and information, is down. I've put the C files up for grabs here:

http://ktdreyer.googlepages.com/telnetenable.c
http://ktdreyer.googlepages.com/md5.h
http://ktdreyer.googlepages.com/md5.c
http://ktdreyer.googlepages.com/blowfish.h
http://ktdreyer.googlepages.com/blowfish.c

Good luck!

5 comments:

Daniel said...

$ gcc -o telnetenable md5.c blowfish.c telnetenable.c

...warnings...

$ ./telnetenable 192.168.0.210 001EFFFFFFFF Gearguy Geardog > pack

$ nc 192.168.0.210 23 < pack

$ telnet 192.168.0.210
Trying 192.168.0.210...
telnet: connect to address 192.168.0.210: Connection refused

$ ???

... I did this thrice, but then I tried it as root, and it worked the first time. I'm in....

So be root!

Mark said...

Heh, I just noticed the same Telnet port open on my WGR614v7 router. I will have to try building the code and see if I can log in.

Alex said...

My connection keeps timing out when I try telnet after sending the packet.

Unknown said...

If anyone is still interested, there's a Python implementation of telnetenable that's much easier to use.

http://code.google.com/p/netgear-telnetenable/