ISP with Dynamic Configuration question
#1
Hello,

I have Haxorware (Version 1.1 Revision 39) installed on my modem; however, my ISP sends me a dynamic configuration file each time I connect to the internet.

When I am connecting to the internet, the names of the dynamic configuration files are some random garbage (e.g. "HSUBsgvca69834ncxv9873254k").

By doing ip_initialize in the telnet-mode of the modem, I can see the static configuration file (e.g. "folder/...cm").

Me and my friend used cmtsMICcracker and modified it a bit in a distributive manner, so we connected about 30 machines in our laboratory and ran cmtsMICcracker for about 3 weeks.

After that, we finally found out the HMAC-MD5 hash for the original CM file, and now I know the password to it so I can edit stuff with VultureWare DOCSIS Config Editor.

However, each of the dynamic configuration files is not using the same password that the original (static) .CM file is using.

I want to modify some stuff from the CM file and use those modifications. What are the next steps that I can do in order to achieve this? Is there a way to bypass the TFTP registration?

I tried most combinations of using force config file and tftp enforce bypass, but I always get "Neg Or Bad Reg Rsp - Reinitialize MAC..." (in the error log through telnet we have kRejAuthFailureBadHmac)
#2
TFTP'ing a different Dynamic config is, for your application, impossible. There is a way for it to be done, but for the sake of keeping this forum safe and related to Haxorware, let's say it's not applicable here.
Knowledge=Power
#3
Can you give us a hint? Or can you send me a PM so that we can have a little chat on IRC or some other instant messaging service?
#4
Forget it! He isn't going to tell you how and neither is anyone else that knows how it can be done.
#5
NO ONE who CAN do that WILL EVER post it ANYWHERE!!!!!!!!!!!!!!!!

Who will that help? Maybe a dozen or so testers for a few days or weeks until the ISPs simply enable yet another sec feature to counter it?

You guys are thinking WAYYYY TOO HARD! There are much easier ways....

Your salvation is in the handshake! Yeah, Really! Don't PM me for any clues cuz I will not respond!
#6
Actually, since I'm not paid NOT to, then I must admit, I will when I can be arsed ;) Gotta make sure method used is still valid..

Surely if you know the name of the file, it can in fact be downloaded, it's the lack of original name that gets ya, and I know the name is approx half the size of the dynamic name. I would go as far as suggest trying serial or mac addy as config filename, I would even rattle it down to last 6 digits..
#7
In your stb thread I gave you a hint already, it is viewable on docsis 1, which is now used for streaming here, hence max speed is 20mb on the doc 1 network.. from that you should be able to deduce the d2/3 networks.. but if they apply a 'shared secret' per mac address, then it will be fun..

PS, dynamic name is applied upon sending..