Sunday, January 13, 2008

hacking the WGR614v7

Netgear often builds a telnet daemon into their routers, but sometimes it can be a little tricky getting in. I was curious to see if my WGR614v7 has any way to access a command line interface, so I fired up nmap:

$ nmap

Starting Nmap 4.20 ( ) at 2008-01-13 17:42 CST
Interesting ports on
Not shown: 1694 closed ports
23/tcp open telnet
80/tcp open http
8080/tcp open http-proxy

Nmap finished: 1 IP address (1 host up) scanned in 1.355 seconds

All right! Let's try to log in...

$ telnet
Connected to
Escape character is '^]'.
Connection closed by foreign host.

Rats. For some reason we are kicked out as soon as we touch the daemon. A little hunting on the internet provides an explanation. Apparently the telnet daemon is disabled by default, but the Netgear staff have a Windows utility that will send a packet to the router in order to enable the telnet interface. A hacker has somehow reverse-engineered the encryption process and written it into a C program.

$ gcc -o telnetenable md5.c blowfish.c telnetenable.c

Now I use the program to construct the "unlock" packet with the IP and MAC address of my router, and the default username/password "Gearguy/Geardog":

$ ./telnetenable 00AABBCCDDEE Gearguy Geardog > modpkt.pkt

Then I send it to the router with netcat:

$ nc 23 < modpkt.pkt

Now I try to log in again...

$ telnet
Connected to
Escape character is '^]'.
Login: Gearguy
Password: *******

And we're in! "?" gives a list of commands. I'm most interested getting the network statistics from this and putting the results into cacti... but I'll save that for another time! :)


Apparently, the original website that hosted the files and information, is down. I've put the C files up for grabs here:

Good luck!