Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
FastCert Scanning
#1
I've got a friend that I introduced to the Haxorware, but he is totally lost. Actually, I'm lost too. He is trying to follow this post on forocable/sbhacker and is trying to do something with fastcert. He used DHCP Force to find some macs with configs, and found several macs with configd. He then tried to scan with fastcert but he did not know what ranges to scan. He tried to use the hfc ip address (i.e. 10.435.334.456 would be 10.435.330.0 to 10.435.340.0 ) but he always got 0 certs found. He left the key string public, used port 161. He still got 0 certs. Does he need to download his own cert and open it with vultureware?


Question: What i.p. range do i need to use to scan with fastcert? How do i know what range to use?


ISP: Comcast
Location: California
BPI: BPI+ enabled
Reply
#2
The Public string is worthless to open up remote CM's and put them in factory mode and have them send their Certificates
Knowledge=Power
Reply
#3
(19-09-2012, 03:16 AM)ABMJR Wrote: The Public string is worthless to open up remote CM's and put them in factory mode and have them send their Certificates

Got it. So I would need to get the private string eh? Thanks I will search sbhacker and see what I come up with about getting the private string.
(03-09-2012, 03:55 PM)ABMJR Wrote: The Public String is read only and is passed from the ISP side to the Customer side. Again, it is read only

The private String is ISP side only and is never passed to the Customer side.

Private String is Write /Read. Full Control of the Network Elements (CM's)

Quote:Cisco Internetwork Operating System Software (IOS) could allow a remote attacker to obtain the cable-docsis read-write community string to reconfigure the Cisco device. This is caused by a vulnerability in the implementation of DOCSIS (Data Over Cable Service Interface Specification)-compliant standards. By default, the cable-docsis read-write community string is undocumented and enabled.

Again, CISCO IOS Firmware fixed the "flaw" and , again. And undocumented TELNET command.
P.S
I think I found the TELNET command to read the Private String in TELNET after registration.


I read over a post you posted here on this site. This just confused me even further. If the public string is read only, how is it worthless? Maybe i'm thinking of this the wrong way. If something is read only, that means you can make copies of it but not change the original file (just like read only files in usb's). In other words, the public key should allow me to retrieve the certs.


Anyways, I will still look for a way to find the private key. If anyone could point me in the right direction (to getting the private key; I already used the search function on SBHACKER and found nothing) , that would be greatly appreciated
Reply
#4
I think in order to read certain things you have to write certain things. So you may be able to read a limited amount of information from the cm. but with the write string you will be able to change settings which will allow you to read private certificates and such. -just a theory. there is so much secrecy around cm community now days because people want to keep making presentations at defcon and publicizing this info. Look how many people these idiots got arrested...
Reply
#5
(19-09-2012, 06:22 AM)tvictor47 Wrote: I think in order to read certain things you have to write certain things. So you may be able to read a limited amount of information from the cm. but with the write string you will be able to change settings which will allow you to read private certificates and such. -just a theory

Yeah. That makes sense. Thanks.
Reply
#6
Tongue I think I make sense on the other part also..
Reply
#7
(19-09-2012, 06:22 AM)tvictor47 Wrote: I think in order to read certain things you have to write certain things. So you may be able to read a limited amount of information from the cm. but with the write string you will be able to change settings which will allow you to read private certificates and such. -just a theory. there is so much secrecy around cm community now days because people want to keep making presentations at defcon and publicizing this info. Look how many people these idiots got arrested...

Even with the private string you won't be able to read the certs. You need access from the specific IP pool address and probably from the specific mac.
Reply
#8
You can use a pubic sting. Get your modem up and running and dl your config file . Down load vutureware and open your config to find your pubic string. There be limit amount of info on how to do this so im not here to spoon feed you. You must know the correct SNmP Port to scan enter that. Then you much know the tftp sever Ips. They range from citys like this.

10.247.x.x bell garden
10.245.x.x la
10.253.x.x Pico
10.36.x.x Westminster

Put the correct range of the ISP hosted ip per node to scan and you will pull certs from enabled modems.

No one PM me unless you have something to bring to the table.
Reply
#9
something to bring to the table.

[Image: ihwCx.jpg]
__________________________________________________________________________________
******new discord chat linkĀ https://discord.gg/5BQQbsb*******
Reply
#10
(23-09-2012, 11:20 AM)drewmerc Wrote: something to bring to the table.

[Image: ihwCx.jpg]
drewmerc, I guess he asked for it, very funny!
Reply


Forum Jump:


Users browsing this thread: 2 Guest(s)