Sunday, January 13, 2008

hacking the WGR614v7

Netgear often builds a telnet daemon into their routers, but sometimes it can be a little tricky getting in. I was curious to see if my WGR614v7 has any way to access a command line interface, so I fired up nmap:

$ nmap 192.168.1.12

Starting Nmap 4.20 ( http://insecure.org ) at 2008-01-13 17:42 CST
Interesting ports on 192.168.1.12:
Not shown: 1694 closed ports
PORT STATE SERVICE
23/tcp open telnet
80/tcp open http
8080/tcp open http-proxy

Nmap finished: 1 IP address (1 host up) scanned in 1.355 seconds

All right! Let's try to log in...

$ telnet 192.168.1.12
Trying 192.168.1.12...
Connected to 192.168.1.12.
Escape character is '^]'.
Connection closed by foreign host.

Rats. For some reason we are kicked out as soon as we touch the daemon. A little hunting on the internet provides an explanation. Apparently the telnet daemon is disabled by default, but the Netgear staff have a Windows utility that will send a packet to the router in order to enable the telnet interface. A hacker has somehow reverse-engineered the encryption process and written it into a C program.

$ gcc -o telnetenable md5.c blowfish.c telnetenable.c

Now I use the program to construct the "unlock" packet with the IP and MAC address of my router, and the default username/password "Gearguy/Geardog":

$ ./telnetenable 192.168.1.12 00AABBCCDDEE Gearguy Geardog > modpkt.pkt

Then I send it to the router with netcat:

$ nc 192.168.1.12 23 < modpkt.pkt

Now I try to log in again...

$ telnet 192.168.1.12
Trying 192.168.1.12...
Connected to 192.168.1.12.
Escape character is '^]'.
Login: Gearguy
Password: *******
U12H06400>

And we're in! "?" gives a list of commands. I'm most interested getting the network statistics from this and putting the results into cacti... but I'll save that for another time! :)

--Edit--

Apparently seattlewireless.net, the original website that hosted the files and information, is down. I've put the C files up for grabs here:

http://ktdreyer.googlepages.com/telnetenable.c
http://ktdreyer.googlepages.com/md5.h
http://ktdreyer.googlepages.com/md5.c
http://ktdreyer.googlepages.com/blowfish.h
http://ktdreyer.googlepages.com/blowfish.c

Good luck!