evan/ewpratten.com
1
Fork 0
Code Actions
ewpratten.com/_site/blog/2019/06/27/pwnlink.html

169 lines
7.0 KiB
HTML
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

<head>
<title>Evan Pratten</title>
<meta charset="utf-8" />
<meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=no" />
<link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/bootstrap/4.3.1/css/bootstrap.min.css"
integrity="sha384-ggOyR0iXCbMQv3Xipma34MD+dH/1fQ784/j6cY/iJTQUOhcWr7x9JvoRxT2MZw1T" crossorigin="anonymous">
<link rel="stylesheet" href="/assets/css/main.css">
<link rel="stylesheet" href="/assets/css/github-syntax.css">
<link href="https://fonts.googleapis.com/css?family=IBM+Plex+Mono:400,400i|IBM+Plex+Sans:100,100i,400,400i,700,700i" rel="stylesheet">
</head>
<body>
<div class="site-ctr">
<!-- Navbar -->
<nav class="navbar navbar-dark sticky-top bg-dark navbar-expand-lg">
<!-- Navbar content -->
<!-- <div class="container"> -->
<a class="navbar-brand" href="/">Evan Pratten</a>
<button class="navbar-toggler" type="button" data-toggle="collapse" data-target="#navbarNavAltMarkup"
aria-controls="navbarNavAltMarkup" aria-expanded="false" aria-label="Toggle navigation">
<span class="navbar-toggler-icon"></span>
</button>
<div class="collapse navbar-collapse" id="navbarNavAltMarkup">
<div class="navbar-nav ml-auto">
<a class="nav-item nav-link" href="/blog">Blog</a>
<a class="nav-item nav-link" href="/projects">Projects</a>
<!-- <a class="nav-item nav-link" href="/documentation">Documentation</a> -->
<a class="nav-item nav-link" href="/about">About</a>
</div>
<!-- </div> -->
</div>
</nav>
<!-- <div style="height:5vh"></div> -->
<!-- Header -->
<!-- <div class="header">
<div class="container">
<div class="content">
</div>
</div>
<div class="header-gap"></div>
</div> -->
<div class="reactive-bg">
<div class="post container">
<h1>I had some fun with a router</h1>
<h4>cleartext passwords + external management = death wish</h4>
<hr>
<p><em>2019-06-27 13:16:00 -0400</em></p>
<br>
<p>I was playing around with some D-link routers today and remembered an <a href="https://www.exploit-db.com/exploits/33520">ExploitDB Entry</a> I read a while ago. Many D-link routers have a great feature that allows remote management and configuration queries. Interestingly, this cannot be disabled, and one of the pages contains a cleartext version of the admin password (yay!).</p>
<h2 id="how-to-get-yourself-an-admin-password">How to get yourself an admin password</h2>
<p>On any supported router, make an HTTP request to <code class="highlighter-rouge">http://your.router.ip.addr/tools_admin.asp/</code>. This will return a pretty large XML file containing information about your routers hardware and configuration.</p>
<p>Notice the fact that you did not have to log in. This is due to the fact that this file seems to be used by a remote management service of some sort.</p>
<p>The important thing to note here is that, when parsed with the regex pattern: <code class="highlighter-rouge">name="user_password_tmp" value="(.*)"&gt;</code>, you get a single string. This string is the admin password of the device.</p>
<h2 id="supported-routers">Supported routers</h2>
<p>This is supported by many D-link routers. The ones I know about are:</p>
<ul>
<li>DIR-835</li>
<li>DIR-855L</li>
<li>DGL-5500</li>
</ul>
<p>Some routers have this XML file, but it is restricted… By a user without a password. These are:</p>
<ul>
<li>DHP-1565</li>
<li>DIR-652</li>
</ul>
<h2 id="pwnlink">PWNlink</h2>
<p>Like everything I play with, I made a script to do this all for me (and spent a large amount of time adding colours to the text).</p>
<p>My script is called PWNlink (PWN + D-link), It automatically finds a router on your network by looking for a specific DNS entry created by many D-link routers, then checking your gateway. Next, PWNlink reads you routers <code class="highlighter-rouge">hnap1</code> config to find its model number. If supported, the script will read and parse the appropriate configs to give you the admin credentials for your router.</p>
<p>PWNlink can be installed on any *nix computer that has both <code class="highlighter-rouge">python3.7</code> and <code class="highlighter-rouge">python3-pip</code> installed. To install PWNlink, run:</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>pip3 install pwnlink
</code></pre></div></div>
<p>Run the script without any arguments for automatic detection, or pass any IP address to use manual detection.</p>
<h2 id="disclamier-thingy">Disclamier thingy</h2>
<p>I dont see much point to these, but I should probably put one anyways.</p>
<p><strong>Dont be dumb with this script.</strong></p>
<p>I have only used it on my own (or 5024s) routers, and did not create PWNlink with any malicious intent.</p>
</div>
</div>
</div>
<div class="container">
<hr>
</div>
<nav class="navbar navbar-expand-lg ">
<!-- Navbar content -->
<div class="container">
<span class="navbar-text">
Site design by: <a href="https://retrylife.ca">Evan Pratten</a> |
This site was last updated at: 2019-08-21 12:48:55 -0400
</span>
</div>
</nav>
<script src="https://code.jquery.com/jquery-3.3.1.slim.min.js"
integrity="sha384-q8i/X+965DzO0rT7abK41JStQIAqVgRVzpbzo5smXKp4YfRvH+8abtTE1Pi6jizo"
crossorigin="anonymous"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/popper.js/1.14.7/umd/popper.min.js"
integrity="sha384-UO2eT0CpHqdSJQ6hJty5KVphtPhzWj9WO1clHTMGa3JDZwrnQq4sF86dIHNDz0W1"
crossorigin="anonymous"></script>
<script src="https://stackpath.bootstrapcdn.com/bootstrap/4.3.1/js/bootstrap.min.js"
integrity="sha384-JjSmVgyd0p3pXB1rRibZUAYoIIy6OrQ6VrjIEaFf/nJGzIxFDsf4x0xIM+B07jRM"
crossorigin="anonymous"></script>
<!-- Offsets for links -->
<script>
(function ($, window) {
var adjustAnchor = function () {
var $anchor = $(':target'),
fixedElementHeight = 100;
if ($anchor.length > 0) {
window.scrollTo(0, $anchor.offset().top - fixedElementHeight);
}
};
$(window).on('hashchange load', function () {
adjustAnchor();
});
})(jQuery, window);
</script>
<!-- Global site tag (gtag.js) - Google Analytics -->
<script async src="https://www.googletagmanager.com/gtag/js?id=UA-74118570-2"></script>
<script>
window.dataLayer = window.dataLayer || [];
function gtag() { dataLayer.push(arguments); }
gtag('js', new Date());
gtag('config', 'UA-74118570-2');
</script>
<!-- particles -->
<script src="/assets/js/particles.min.js"></script>
<script>
particlesJS.load('particles-js', '/assets/js/particles.json', function () {
console.log('callback - particles.js config loaded');
});
</script>
</body>
View Git Blame Copy Permalink