Posts: 33
Threads: 12
Joined: Jul 2009
Reputation:
0
07-05-2015, 05:02 AM
(This post was last modified: 07-05-2015, 11:15 PM by jofre.)
Hello, world.
Has anyone had success extracting certs via Telnet using the 'diag readmem' command?
I could find some kind of pvt key using (on SVG1202):
diag readmem -s 1 -n 16384 0x80bd60dc
(but it did not work as expected).
I saw some posts using this address instead:
diag readmem -s 4 -n 5838 0x83fa8b80
Can it be done?
07-05-2015, 03:37 PM
(This post was last modified: 07-05-2015, 04:09 PM by jofre.)
Thank you.
You mean 'extract with CMnOnVol_Extractor', right?
cmnonexp needs a .bin file to work.
How can I convert the output, which looks like the sample below, to a .bin file?
"
Console/system> diag readmem -s 1 -n 16384 0x80bd60dc
80bd60dc: 20 d8 d9 00 00 00 00 00 2d 2d 2d 2d 2d 42 45 47 | .......-----BEG
80bd60ec: 49 4e 20 52 53 41 20 50 52 49 56 41 54 45 20 4b | IN RSA PRIVATE K
80bd60fc: 45 59 2d 2d 2d 2d 2d 0a 4d 49 49 43 57 77 49 42 | EY-----.MIICWwIB
80bd610c: 41 41 4b 42 67 51 43 39 59 43 57 37 52 31 48 64 | AAKBgQC9YCW7R1Hd
80bd611c: 31 55 78 72 57 44 59 78 77 50 6a 39 76 68 52 57 | 1UxrWDYxwPj9vhRW
80bd612c: 6f 57 4c 53 77 31 39 74 73 39 70 57 74 44 2b 69 | oWLSw19ts9pWtD+i
80bd613c: 50 2f 49 78 6d 53 61 5a 0a 34 42 46 30 49 78 70 | P/IxmSaZ.4BF0Ixp
...etc "
Posts: 270
Threads: 13
Joined: Apr 2014
Reputation:
23
If you can telnet, then you can activate factory mode. Once you have done this, you can use SNMP to grab the certs.
07-05-2015, 06:40 PM
(This post was last modified: 07-05-2015, 06:50 PM by jofre.)
I must be unaware of the OIDs to achieve this.
In old modems, i.e. sb5100 and sb5101, I can get the certs easily via fastcert.
Newer modems will not respond to fastcert, although I can access them via telnet.
Any ideas on how to find those OIDs?
Using SolarWinds SNMP Walk I can get some of the certs but not the pvt key.
Maybe the community string for newer modems is different,
but I'd bet on a different OID.
Thank you.