DHCP Option 60 spoof needed - Haxorware Forums (http://www.haxorware.com/forums)
Forum: General (http://www.haxorware.com/forums/forumdisplay.php?fid=6)
Forum: Modems (http://www.haxorware.com/forums/forumdisplay.php?fid=7)
Thread: DHCP Option 60 spoof needed (/showthread.php?tid=606)
DHCP Option 60 spoof needed - jrgutier - 21-09-2010

I'm seeing something really weird on Charter, and it's duplicatable. Say I have a good NoBPI MAC address, checked by looking at its tftp config file and seeing if Privacy Enable is set to 1. I clone the address on my sb5101 and disable BPI, and then bring it up online with a forced NoBPI config. It begins working after a couple of false starts, but then when I re-download the real tftp file, it has changed to a BPI enabled config. Somehow, Charter is detecting that I have a BPI enabled modem, regardless of what MAC address I use, and then configuring the tftp file accordingly. What's interesting is I don't know what's going to happen to the real modem I had cloned, because it probably isn't BPI enabled in the first place.

I suspect the modem sends out a DHCP discover that gives off some indication of its capabilities, specifically option 60, which sends out a string of "docsis#.#" according to the Cisco documents I've read. Since Haxorware is based on the SB5101E-2.7.5.0-LTSH firmware, I'm assuming that it still sends a string of "docsis2.0". Haxorware somehow needs to change this option 60 to "docsis1.0" when BPI is set to disable if this is the case, unless someone knows how to do this manually.

RE: DHCP Option 60 spoof needed - drewmerc - 21-09-2010

With BPI disabled the modem should only reply with docsis#.#, but the config you are getting could be different based on the spoof you are sending to the CMTS. Try spoofing a DOCSIS 1 modem.

RE: DHCP Option 60 spoof needed - jrgutier - 22-09-2010

(21-09-2010, 07:29 AM) drewmerc Wrote: with bpi disabled the modem should only reply with docsis#.#

Got any DOCSIS 1.0 spoof strings handy? I'm going off http://www.cablelabs.com/cablemodem/downloads/Certified_Products.pdf and am not sure if this is exactly correct. Is there any way to see exactly what info is being passed from the modem to the CMTS?

RE: DHCP Option 60 spoof needed - drewmerc - 22-09-2010

This is what I use, but then I'm not on the same network as you:

VENDOR: Scientific Atlanta
MODEL: WebSTAR DPX100
SW_REV: 1.1.2r1.1.3.1
HW_REV: 2.1

RE: DHCP Option 60 spoof needed - jrgutier - 25-09-2010

I did some testing with that spoof string (and a valid same-model MAC address) and it still changed the configuration from NoBPI to BPI. As a side note, I wasn't able to override the HW_REV to 2.1. It always loses the ".2" part and turns to 2 after saving.

I'll do some more exact testing later tonight. I wanted to query the TFTP server after every step of a modem's sync-up, and see which step actually prompts the server to change the privacy setting. Is there any way to get a dhcpdump or any other information that the modem sends to the CMTS? Wireshark doesn't start capturing until after the modem is already synced. Also, is there source code to the firmware so I can audit it myself, or is it strictly modified assembly?

RE: DHCP Option 60 spoof needed - drewmerc - 25-09-2010

The hardware string losing part is normal, but I never checked to see if it was a limit of the firmware or if all modems do it. Beyond watching telnet with a MAX232 cable there's not much I know of, mostly due to the fact I never needed to (at least with a MAX cable there's no waiting for the ethernet cable). And source, there is none.

RE: DHCP Option 60 spoof needed - jrgutier - 18-10-2010

Did some testing. I wanted to pinpoint when the CMTS decides to switch to a BPI enabled tftp config file. I polled and md5summed a tftp config file every second that was verified NoBPI. Plugged in the modem, and traced when the md5sum changed in the other window. My suspicions were correct in thinking that it happened during the DHCP Discover of the modem.

What happens is that the DHCP Discover is broadcast, then a timeout occurs while the file is changed, and when the Discover retry happens, it gets the right config. This is not exclusive to Haxorware. I also tried all builds of Sigma X2 in my testing, and it's all the same. I really believe that Charter is inspecting our DHCP Discover request's option 60 for which DOCSIS version and features the modem is capable of. Since I'm trying to emulate a DOCSIS 1.0 modem not capable of BPI, this is pretty much a dead giveaway to Charter, and I think that's why my MAC is getting banned every day.

RE: DHCP Option 60 spoof needed - drewmerc - 19-10-2010

Post this on SBHacker because it's way past me and you may get a better answer.

RE: DHCP Option 60 spoof needed - jrgutier - 20-10-2010

Ok, thanks. Was hoping to get some input from rajkosto. How do I disassemble the firmware like him?

RE: DHCP Option 60 spoof needed - drewmerc - 20-10-2010

I know the answer you'll get, same as what he told me: fucking magic.