evan/ewpratten.com
1
Fork 0
Code Actions

re-add pwnlink script

Browse Source
This commit is contained in:
Evan Pratten 2020-08-08 11:12:25 -04:00
parent b4777dfe54
commit 4ad2c11dd4
No known key found for this signature in database
GPG Key ID: 93AC7B3D071356D3
1 changed files with 46 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

46
_posts/2019-06-27-PWNlink.md Normal file
View File

@ -0,0 +1,46 @@
---
layout: post
title: "I had some fun with a router"
description: "cleartext passwords + external management = death wish"
date: 2019-06-27 17:16:00
categories: projects
tag: projects
---
I was playing around with some D-link routers today and remembered an [ExploitDB Entry](https://www.exploit-db.com/exploits/33520) I read a while ago. Many D-link routers have a great feature that allows remote management and configuration queries. Interestingly, this cannot be disabled, and one of the pages contains a cleartext version of the admin password (yay!).
## How to get yourself an admin password
On any supported router, make an HTTP request to `http://your.router.ip.addr/tools_admin.asp/`. This will return a pretty large XML file containing information about your router's hardware and configuration.
Notice the fact that you did not have to log in. This is due to the fact that this file seems to be used by a remote management service of some sort.
The important thing to note here is that, when parsed with the regex pattern: `name="user_password_tmp" value="(.*)">`, you get a single string. This string is the admin password of the device.
## Supported routers
This is supported by many D-link routers. The ones I know about are:
- DIR-835
- DIR-855L
- DGL-5500
Some routers have this XML file, but it is restricted... By a user without a password. These are:
- DHP-1565
- DIR-652
## PWNlink
Like everything I play with, I made a script to do this all for me (and spent a large amount of time adding colours to the text).
My script is called PWNlink (PWN + D-link), It automatically finds a router on your network by looking for a specific DNS entry created by many D-link routers, then checking your gateway. Next, PWNlink reads you router's `hnap1` config to find it's model number. If supported, the script will read and parse the appropriate configs to give you the admin credentials for your router.
PWNlink can be installed on any *nix computer that has both `python3.7` and `python3-pip` installed. To install PWNlink, run:
```
pip3 install pwnlink
```
Run the script without any arguments for automatic detection, or pass any IP address to use manual detection.
## Disclamier thingy
I don't see much point to these, but I should probably put one anyways.
**Don't be dumb with this script.**
I have only used it on my own (or 5024's) routers, and did not create PWNlink with any malicious intent.