Haxorware Forums
Modem provisioned and telnet enabled


Modem provisioned and telnet enabled - torro32 - 23-08-2012

During some testing I discovered that there are some modems on my network that have telnet server enabled and I can telnet into them just fine. They are ISP provisioned and working just fine, brand new D3 modems. And they have telnet enabled.

Can I extract certs via telnet or put them in the factory mode via telnet? What can I do to exploit this?


RE: Modem provisioned and telnet enabled - drewmerc - 23-08-2012

Considering I know nothing of D3 modems or their telnet servers, the first thing I'd try is the readmem command.
If it works you can take a full dump from the modem.


RE: Modem provisioned and telnet enabled - torro32 - 23-08-2012

I also know nothing about it. What would be the exact command to write?


RE: Modem provisioned and telnet enabled - ABMJR - 23-08-2012

I would try fastcert 1st, as that would do what you would be trying via CLI


RE: Modem provisioned and telnet enabled - torro32 - 23-08-2012

Nope, fastcert 0.2 and 0.3 found nothing. Also snmpcertthread found nothing on 23, 161, 162. They are all asking for community string.

There is no community string in the telnet, you just open the session.


In fact access is password protected. It is asking for login name and password. You can open the telnet window but it is asking for login name and password.


RE: Modem provisioned and telnet enabled - ABMJR - 23-08-2012

Interesting...

SNMP has both the "Public" and "Private" strings... Private is read and write, basically full access. Public is read only, used for "polling" or asking the modem for certain responses to queries. Firmware pushes are done with the "Private" string.


RE: Modem provisioned and telnet enabled - abescalamis - 23-08-2012

(23-08-2012, 10:52 AM)torro32 Wrote: During some testing I discovered that there are some modems on my network that have telnet server enabled and I can telnet into them just fine. They are ISP provisioned and working just fine, brand new D3 modems. And they have telnet enabled.

Can I extract certs via telnet or put them in the factory mode via telnet? What can I do to exploit this?

Yes, you can extract the certs via telnet!!!
It depends on a few things: if you can get past the login and password, or you can change the username and password by SNMP, then read memory where the certs are!


RE: Modem provisioned and telnet enabled - SlowGrind6 - 23-08-2012

You can also read the user name and password through SNMP...


RE: Modem provisioned and telnet enabled - drewmerc - 23-08-2012

Well, on a D2 modem the help command works great, so try that in every directory till you find the readmem command, then start at 0x0 and continue in 1 byte increments.


RE: Modem provisioned and telnet enabled - torro32 - 23-08-2012

I can enter the login name but I can't enter the password. The cursor just stays in one place, not moving at all, as if I'm not typing anything, and I get an invalid login.

Also if I would like to change the password, what do I need to put at the end of the oid?
I just put the new password name and I get "Needs type and value".