Haxorware Forums
Looking for a nudge in the right direction - Printable Version

Thread: Looking for a nudge in the right direction (/showthread.php?tid=3282)



Looking for a nudge in the right direction - poolshark021 - 13-09-2014

Hi,
My Haxorware modem went offline a couple of years ago with the new cc security, and I gave up and put it away. I have been interested in getting it going lately and am looking for some advice. I am very interested in learning how it works and don't mind reading and studying DOCSIS, but I'm not sure where to go. I have also switched ISPs and don't use cc anymore. Here is my telnet log:
Code:
=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2014.09.13 11:02:04 =~=~=~=~=~=~=~=~=~=~=~=
Haxorware integrated telnet daemon

Username: root
Password: ****
Welcome.

CM>
CM> DHCPc:  Sending Discover packet; client id htype=1, value=00:15:9a:d9:51:64
DHCPc:  Received an Offer from DHCP server XX:XX:XX:XX:XX:XX (172.29.255.121); lease client id htype=1, value=XX:XX:XX:XX:XX:XX

CM> runDHCPc:  Timed out waiting for offers for lease with client id htype=1, value=XX:XX:XX:XX:XX:XX
DHCPc:  Sending Request packet; client id htype=1, value=XX:XX:XX:XX:XX:XX
DHCPc:  Received an Ack from DHCP server XX:XX:XX:XX:XX:XX(172.29.255.121); lease client id htype=1, value=XX:XX:XX:XX:XX:XX
Current IP address is default 0.0.0.0.
0x0000f686 [DHCP Client Thread] BcmEcosIpHalIf::ConfigureLeaseImpl:  (IP Stack1 HalIf)
Configuring IP stack 1:
  IP Address = 10.137.232.220 (primary IP address)
   Subnet Mask = 255.255.248.0
   Router = 10.137.232.1
   IsPrimaryInterface = 1

Logging event: DHCP WARNING - Non-critical field invalid in response.
0x0000f6ae [DHCP Server Thread] BcmDhcpServerThread::ThreadMain:  (DHCP Server Thread) Callback request expired:
timerDuration secs = 1
current time secs = 63
elapsed time secs = 1
ARPing for default GW IP = 10.137.232.1
MAC = 00:01:5c:69:de:46
DHCP completed successfully!

DHCP Settings:
                     Client Id = htype=1, value=XX:XX:XX:XX:XX:XX
                         State = Renewing (5)
                  Static Lease = 0
               AutoConfig Mode = IP, Subnet and Router
                           XID = 0x7a7fe81e
               Number of Tries = 0
            Max Discover Tries = 6
             Max Request Tries = 6
          DHCP server MAC addr = 00:01:5c:69:de:46
                   Ignore NAKs = 0
         My offered IP address = 10.137.232.220 (primary IP address)
               (1) Subnet Mask = 255.255.248.0
         (3) Router IP address = 10.137.232.1
   (54) DHCP Server IP address = 172.31.15.244
   (82) Relay Agent IP address = 172.29.255.121
        TFTP Server IP address = 172.31.15.244
         CM Configuration file = 'unknown.bin'
           (2) UTC Time Offset = -28000 seconds
    (4) Time Server IP address = 172.31.15.244
        (6) Domain Name Server = 172.31.15.162; 172.31.15.244
     (7) Log Server IP address = 0.0.0.0
               (51) Lease time = 604800 seconds
               (58) T1 (renew) = 302400 seconds
              (59) T2 (rebind) = 529200 seconds
             Lease is infinite = 0


  CmSnmpAgent::IpAddressAcquiredEvent for SB5102 CM Agent w/ BRCM Factory Support
    IP addr = 10.137.232.220
Starting Time Of Day...
0x0000f71c [CmDocsisIpThread] BcmDocsisTimeOfDayThread::SetTodServerIpAddress:  (Time Of Day Thread) ToD servers:  172.31.15.244
Connecting to ToD server 172.31.15.244...
Sending UDP ToD request to server...
Not logging event ID 2291949724, control  for level 7 is 0.
UTC returned by ToD server 3619609332; UTC offset -28000
Current system time -> Sat Sep 13 07:15:32 2014

System start time -> Sat Sep 13 07:14:29 2014

Starting Tftp of configuration file...
Opening file 'unknown.bin' on 172.31.15.244 for reading...
Resuming SNMP Thread
tftp-enforce bypass is DISABLED
SB5102 CM Agent w/ BRCM Factory Support IpStackEvent: Ip=10.137.232.220, Subnet=255.255.248.0, Gateway=10.137.232.1
  Ip addr is the same, not rebinding.
SB5102 CM Agent w/ BRCM Factory Support IpStackEvent: Ip=10.137.232.220, Subnet=255.255.248.0, Gateway=10.137.232.1
  Ip addr is the same, not rebinding.
Storing received cfg of size 1108 to memory
Tftp read < 512 bytes, we have reached end of file.
Tftp transfer complete!
TFTP Settings:
            Stack Interface = 1
          Server Ip Address = 172.31.15.244
         Server Port Number = 32794
          Total Blocks Read = 3
           Total Bytes Read = 1108

Config file was read!  IP Initialization completed...
MAX CPE per CM is being set to 32
TLV-11[1]: 1.3.6.1.2.1.69.1.2.1.4.1 -> public
TLV-11[2]: 1.3.6.1.2.1.69.1.2.1.5.1 -> 3 (i32)
TLV-11[3]: 1.3.6.1.2.1.69.1.2.1.6.1 -> HEX:40 00
TLV-11[4]: 1.3.6.1.2.1.69.1.2.1.7.1 -> 4 (i32)
Time Of Day completed...
  DefaultSnmpAgentClass::SystemTimeChangeEvent for SB5102 CM Agent w/ BRCM Factory Support
Not logging event ID 2291949524, control  for level 7 is 0.
Not logging event ID 2291949324, control  for level 7 is 0.
SB5102 CM Agent w/ BRCM Factory Support processing TLV-11's
SNMP packet sent to 10.137.232.220:225
  4 TLV-11's OK.
Sending a REG-REQ to the CMTS...
Received a REG-RSP message from the CMTS...
0x0000f942 [CmDocsisCtlThread] BcmCmDocsisCtlThread::RegRspMsgEvent:  (CmDocsisCtlThread) We registered with a DOCSIS 1.0 config file!
Adding DOCSIS 1.0 CoS Settings for SID 0xaf8

Class Of Service Settings:
                        SID = 0xaf8
               Max Us Burst = 3044 bytes
                Max Us Rate = 131072 bits per second
            Max Bucket size = 24288 bits
             Bits In Bucket = 24288
    Last Bucket Update Time = 64810 ms
     Last Bucket Flush Time = 64810 ms
          Packet Delay Time = 0 ms

Global CONCAT has been disabled for all upstream queues (either from NonVol settings or CMTS override).
Fragmentation is ENABLED in DOCSIS 1.0 mode!
0x0000f94c [CmDocsisCtlThread] BcmCmDocsisCtlThread::TestAndApplyRegAckHack:  (CmDocsisCtlThread) DOCSIS 1.0 reg on us phy type 3 channel.  --> perform REG-ACK hack!
Registration complete!
Process CVC
CmDownloadMatchBuffer - length comparison failed
0x0000f9a6 [CmDocsisCtlThread] CmSecureDownload::ProcessConfigFileSpecifiedCvc:  (Secure Software Download) ERROR - Config File manufacturer CVC Subject organizationName does not match the CM's manufacturer name.
0x0000f9a6 [CmDocsisCtlThread] CmSecureDownload::ProcessConfigFileManufAndCosignerCvcs:  (Secure Software Download) ERROR - Reject config file MFG CVC!
0x0000f9a6 [CmDocsisCtlThread] BcmCmDocsisCtlThread::ProcessCVC:  (CmDocsisCtlThread) ERROR - Config file does not include a valid CVC!
DOCSIS CoS/QoS rate shaping enable is now 1
  CmSnmpAgent::CmOperationalEvent for SB5102 CM Agent w/ BRCM Factory Support
CmSnmpAgent operating in 1.0 mode, including docsBpi, excluding docsQos
+++ No DH kickstart profiles or snmpCommunityTable entries installed.
    We will operate in NMACCESS mode.
SB5102 CM Agent w/ BRCM Factory Support setting V1/V2 view to docsisNmAccessView
SB5102 CPE Agent w/ BRCM Factory Support setting V1/V2 view to docsisNmAccessView
0x0000f9a6 [CmDocsisCtlThread] BcmCmDocsisCtlThread::TestAndLaunchBpkm:  (CmDocsisCtlThread) BPKM disabled via provisioned config file setting.
Enabling network access for all CPE ports.

mot_scanList: Writing to Flash!
0x0000f9e2 [CmDocsisCtlThread] BcmDocsisCmHalIf::ConfigOperational:  (DOCSIS CableModem HalIf) Running IGMP in DOCSIS 1.0 mode!
BcmCmDocsisStatusEventCodes::kCmIsOperational
Suspending SNMP Thread
0x0000f9ec [CmDocsisCtlThread] BcmVendorCmApplication::StopDhcpServer:  (VendorExtension CmApp) Shutting down DHCP Server...
0x0000f9ec [CmDocsisCtlThread] BcmStandbySwitchThread::CmIsOperational:  (Motorola Standby Switch Thread) Simulating a press of the standby switch to get the state configured properly.
0x0000f9f6 [IGMP Thread] BcmIgmpThread::Starting Igmp Thread...:  (IGMP Thread)
0x0000fa00 [Motorola Standby Switch Thread] BcmStandbySwitchThread::ThreadMain:  (Motorola Standby Switch Thread) Standby switch was pressed!
0x0000fa00 [Motorola Standby Switch Thread] BcmStandbySwitchThread::ProcessSwitchEvent:  (Motorola Standby Switch Thread) Standby switch disabled in nonvol; ignoring event.
Logging event: Improper Configuration File CVC Format
SB5102 CM Event Log w/ BRCM Factory Support sending deferred async messages...
Done w/ deferred msgs
Not logging event ID 2296948624, control  for level 7 is 0.

CM>

Since my MAC is not provisioned, I get the unknown.bin config file, which fails the CVC check.

First, my subbed modem is an Arris mg5225g, which is a modem and router in one. I don't think I can scan for MACs, because you're supposed to be connected directly to the modem, not behind a router. I tried putting my PC in the DMZ and scanning, but it doesn't seem to work. Is there a way to scan with my equipment, or is that the wrong approach altogether? I was thinking that if I could see MACs and config files on my network, I could play around with those to at least get more information on the security my CMTS is running.

I don't know a whole lot about SNMP, but it seems like that might hold a key for me? The problem is I can't get any information with the unknown.bin config file sent to my modem. I think I would at least need a community string, but where can I get that if it's not in the config file?

I keep reading that I need to understand the handshake and learn how to make my CM send what the CMTS is wanting to see, but I can't get past this unknown.bin problem.

I really do want to learn more about this, and I like to read and understand these things (I basically taught myself C++ just from reading online); I'm just hoping someone can point me in the right direction.


RE: Looking for a nudge in the right direction - coldfusion - 17-09-2014

The SNMP public string is actually in the log you posted, but it seems you have bigger issues: the log indicates that your modem strings mismatch what the CMTS expects. See your spoof settings.

Read:

http://www.haxorware.com/forums/showthread.php?tid=672

Also, get yourself Vultureware and open the config you are being served; you can learn a lot from it.


RE: Looking for a nudge in the right direction - poolshark021 - 19-09-2014

I have Vultureware and have read this config already; I guess I don't know what I am looking for, because I don't see anything useful. How do I know what to spoof if it's not in the config? (See attached screenshot of the config file.) Also, I thought the stealth page in Haxor is useless now; how would I change the strings correctly?

Is the community string simply "public"? Because I can't see anything else. I thought it was a random string of characters like "gHzrGTb" or something.


RE: Looking for a nudge in the right direction - drewmerc - 19-09-2014

Code:
Process CVC
CmDownloadMatchBuffer - length comparison failed
0x0000f9a6 [CmDocsisCtlThread] CmSecureDownload::ProcessConfigFileSpecifiedCvc:  (Secure Software Download) ERROR - Config File manufacturer CVC Subject organizationName does not match the CM's manufacturer name.
0x0000f9a6 [CmDocsisCtlThread] CmSecureDownload::ProcessConfigFileManufAndCosignerCvcs:  (Secure Software Download) ERROR - Reject config file MFG CVC!
0x0000f9a6 [CmDocsisCtlThread] BcmCmDocsisCtlThread::ProcessCVC:  (CmDocsisCtlThread) ERROR - Config file does not include a valid CVC!

Spoofs all wrong; you can see the CVC in the config.


RE: Looking for a nudge in the right direction - southernyankey1970 - 19-09-2014

coldfusion gave you the "nudge" you requested...