Modem provisioned and telnet enabled

[torro32]

During some testing I discovered that there are some modems on my network that have telnet server enabled and I can telnet into them just fine. They are ISP provisioned and working just fine, brand new D3 modems. And they have telnet enabled.

Can I extract certs via telnet or put them in the factory mode via telnet? What can I do to exploit this?

[drewmerc]

considering i know nothing of d3 modems or there telnet servers, the first thing i'd try is the readmem command
if it works you can take a full dump from the modem

[torro32]

i also know nothing about it. What would be the exact command to wrote?

[ABMJR]

I would try fastcert 1st, as that would do what you would be trying via CLI

[torro32]

Nope, fastcert 0.2 and 0.3 found nothing. Also snmpcertthread found nothing on 23, 161, 162. They are all asking for community string.

There is no community string in the telnet, you just open the session.


In fact access is password protected. It is asking for login name and password. You can open the telnet window but it is asking for login name and password.

[ABMJR]

Interesting...

SNMP has both the "Public" and "Private" strings...Private is read and write, basically full access. Public is read only, used for "polling" or asking the modem for certain responses to queries. Firmware pushed are done with the "Private" string.

[abescalamis]

During some testing I discovered that there are some modems on my network that have telnet server enabled and I can telnet into them just fine. They are ISP provisioned and working just fine, brand new D3 modems. And they have telnet enabled.

Can I extract certs via telnet or put them in the factory mode via telnet? What can I do to exploit this?

Yes you can extract the certs via telnet!!!
it depends in a few things if you can get pass the login and password, or you can change the username an password by snmp then read memory where the certs are!

[SlowGrind6]

You can also read the user name and password though snmp...

[drewmerc]

well on a d2 modem the help command works great so try that in every directory till you find the readmem command then start at 0x0 and continue in 1 byte increments

[torro32]

I can enter login name but I can't enter password. The cursor just stays on one place and not moving at all like I don't type anything and I get invalid login.

Also if I would like to change the password, what do I need to put at the end of the oid?
I just put the new password name and I get "Needs type and value".