Sla.ckers.org
Re: Router Hacking Challenge.
Posted by: thrill
Date: February 06, 2008 04:03PM

Quote

Since no-one should be able to see, finger or touch the router.

This also applies to one's girlfriend.

RFC 2549 - IP Over Avian Carriers With QoS

--thrill

---

It is not the degrees you hold, but the mind you possess. - thrill

Re: Router Hacking Challenge.
Posted by: Anonymous User
Date: February 06, 2008 04:03PM

@Gareth && pdp: lol :)

And so it's done. Those guys are handshaking a file transfer over pigeon - kind of early BitHorrent




Edited 2 time(s). Last edit at 02/06/2008 04:06PM by .mario.

Re: Router Hacking Challenge.
Posted by: DoctorDan
Date: February 09, 2008 04:32PM

I don't understand. I don't see any form of authentication bypassing in those examples. Mine uses basic authentication which stops CSRFs without knowing the username and password.

-Dan
EDIT: alright, I've found some problematic things with my router for sure. With full access to a person's router, what precisely can be done? I know the basics of what can be done, but I don't have the networking knowledge to extrapolate from there. Without services running on internal machines, how bad does it get? - how specifically do router exploits endanger users?



Edited 1 time(s). Last edit at 02/10/2008 12:12AM by DoctorDan.

Re: Router Hacking Challenge.
Posted by: id
Date: February 10, 2008 05:09PM

Depending on the firewall and its capabilities, you can redirect traffic, spoof DNS responses, sniff all traffic, initiate any number of MIM attacks, and of course DOS the user by simply turning off their connection.

-id

Re: Router Hacking Challenge.
Posted by: Anonymous User
Date: February 11, 2008 05:07PM

http://www.gnucitizen.org/projects/total-surveillance-made-easy-with-voip-phones/

Luv it - I demand it!

Re: Router Hacking Challenge.
Posted by: Malkav
Date: February 12, 2008 02:51AM

and of course, as many of the out-of-box routers nowadays run on a custom Linux (custom as in: "we slap a more or less vanilla kernel with busybox, and a few services") or VxWorks, if one was to develop malware specifically targeting, say, an ISP broadband router, he could quickly find himself with entire subnets of zombie routers.

great.

Re: Router Hacking Challenge.
Posted by: Alex
Date: February 13, 2008 07:06AM

Now it's time to give out all information on turning your router into a sniffer.
Product needed: AVM FRITZ!Box Fon WLAN 7050 or above (7170, etc.).

There's an unlinked page in the webroot called capture.html which you can access without any CSRF protection when there's no set admin password for the router's GUI which seems to be the default setting.

The router will listen to its hostname fritz.box, so there's no need to know an IP-address.

URL to start capturing data: http://fritz.box/cgi-bin/capture_notimeout?start=1&start1=Start

URL to stop capturing data: http://fritz.box/cgi-bin/capture_notimeout?stop=1&stop1=Stop

The browser prompts you to save the download of the capture file which you can directly import into Wireshark. But that's the point, where I've got no solution to send this file to a remote location.
Any ideas to get that working?

---
~~Patching is for suckers~~

http://www.bitsploit.de

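Added example, not part of the original post and not AVM's firmware code: a sketch of the server-side checks whose absence the post above describes for the capture endpoint (state changed by a plain GET, no CSRF protection, reachable with no admin password set). The function name, the session layout, the `X-CSRF-Token` header and the token value are assumptions made for illustration; only the `fritz.box` hostname and the endpoint path come from the post.

```python
import hmac
from urllib.parse import urlsplit

# Assumed policy values for illustration; not taken from any real firmware.
TRUSTED_HOSTS = {"fritz.box"}
STATE_CHANGING_PATHS = {"/cgi-bin/capture_notimeout"}


def _source_host(headers):
    """Host the request claims to come from (Origin preferred, else Referer)."""
    value = headers.get("Origin") or headers.get("Referer") or ""
    return (urlsplit(value).hostname or "").lower()


def check_request(method, url, headers, session, admin_password_set=True):
    """Return (allowed, reason) for one request to the admin interface.

    `session` is None when unauthenticated, otherwise a dict holding the
    per-session 'csrf_token' issued at login (hypothetical layout).
    """
    if urlsplit(url).path not in STATE_CHANGING_PATHS:
        return True, "not a state-changing endpoint"
    if not admin_password_set:
        return False, "no admin password set: endpoint disabled"
    if session is None:
        return False, "not authenticated"
    # Authentication alone is not enough: the browser attaches stored
    # credentials to cross-site requests on its own.
    if method != "POST":
        return False, "state change must use POST"
    if _source_host(headers) not in TRUSTED_HOSTS:
        return False, "cross-site or missing Origin/Referer"
    sent = headers.get("X-CSRF-Token", "").encode()
    if not hmac.compare_digest(sent, session["csrf_token"].encode()):
        return False, "bad CSRF token"
    return True, "ok"


# Constructed sample inputs (the URL is the one quoted in the post).
START = "http://fritz.box/cgi-bin/capture_notimeout?start=1&start1=Start"
SESSION = {"csrf_token": "constructed-token-123"}
```
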
Re: Router Hacking Challenge.
Posted by: Tii
Date: February 16, 2008 01:27AM

I'm using a Zyxel Prestige P-660H-D1. I found an authentication bypass vulnerability (A-to-C attacks), I guess. After the login with the user password (default is user), I open another tab in my browser and I paste the URL hxxp://192.168.1.1/rpSys.html so I become admin.

2wire pwnage
Posted by: hkm
Date: February 18, 2008 06:49PM

A while ago I told 2wire about a serious vuln that could allow pharming but they did not respond, so I told the ISP and still no answer, so I published this CSRF, and after people started losing money then the H04 page appeared by default on most Mexican routers.

Now the H04 vuln is being actively used for pharming and still no patch anywhere.

There are more vulnerabilities like the "Magic URL" configuration disclosure, that allows you to view the complete router configuration, including DSL password in cleartext.

So we have 3 active vulns (without counting CSRF):
1) CRLF DoS by preth00nker
2) H04 Authentication Bypass
3) "URL Magico" Configuration disclosure by Javier Liendo



Edited 1 time(s). Last edit at 02/19/2008 04:35PM by hkm.

Re: Router Hacking Challenge.
Posted by: meathive
Date: February 27, 2008 02:06PM

For my first sla.ckers post, here are my findings on the Linksys WRT54G.

https://kinqpinz.info/lib/wrt54g/

...oO oO oO kinqpinz.info Oo Oo Oo...
---------------------------------------------------------
# angelheaded hipsters
## burning for the ancient heavenly connection
### to the starry dynamo
#### in the machinery of night.
