ISP with Dynamic Configuration question
Damager Offline
Junior Member
**

Posts: 2
Threads: 1
Joined: Oct 2011
Reputation: 0
#1
ISP with Dynamic Configuration question
Hello,

I have Haxorware (Version 1.1 Revision 39) installed on my modem; however, my ISP sends me a dynamic configuration file each time I connect to the internet.

When I am connecting to the internet, the names of the dynamic configuration files are some random garbage (e.g. "HSUBsgvca69834ncxv9873254k").

By doing ip_initialize in the telnet-mode of the modem, I can see the static configuration file (e.g. "folder/...cm").

My friend and I used cmtsMICcracker and modified it a bit in a distributed manner, so we connected about 30 machines in our laboratory and ran cmtsMICcracker for about 3 weeks.

After that, we finally found out the HMAC-MD5 hash for the original CM file, and now I know the password to it so I can edit stuff with VultureWare DOCSIS Config Editor.

However, each of the dynamic configuration files is not using the same password that the original (static) .CM file is using.

I want to modify some stuff from the CM file and use those modifications. What are the next steps that I can do in order to achieve this? Is there a way to bypass the TFTP registration?

I tried most combinations of using force config file and tftp enforce bypass, but I always get "Neg Or Bad Reg Rsp - Reinitialize MAC..." (in the error log through telnet we have kRejAuthFailureBadHmac)
(This post was last modified: 24-03-2013, 11:35 PM by Damager.)
24-03-2013, 11:19 PM
ABMJR Away
DOCSIS Genius
*****

Posts: 1,505
Threads: 15
Joined: Dec 2009
Reputation: 77
#2
RE: ISP with Dynamic Configuration question
TFTP'ing a different Dynamic config is, for your application, impossible. There is a way for it to be done, but for the sake of keeping this forum safe and related to Haxorware, let's say it's not applicable here.
Knowledge=Power
25-03-2013, 01:33 AM
Damager Offline
Junior Member
**

Posts: 2
Threads: 1
Joined: Oct 2011
Reputation: 0
#3
RE: ISP with Dynamic Configuration question
Can you give us a hint? Or can you send me a PM so that we can have a little chat on IRC or some other instant messaging service?
25-03-2013, 11:49 PM
SlowGrind6 Offline
Senior Member
****

Posts: 185
Threads: 3
Joined: Feb 2011
Reputation: 12
#4
RE: ISP with Dynamic Configuration question
Forget it! He isn't going to tell you how and neither is anyone else that knows how it can be done.
26-03-2013, 07:44 AM
southernyankey1970 Away
Retired!
*****

Posts: 1,483
Threads: 24
Joined: May 2010
Reputation: 65
#5
RE: ISP with Dynamic Configuration question
NO ONE who CAN do that WILL EVER post it ANYWHERE!!!!!!!!!!!!!!!!

Who will that help? Maybe a dozen or so testers for a few days or weeks until the ISPs simply enable yet another sec feature to counter it?

You guys are thinking WAYYYY TOO HARD! There are much easier ways....

Your salvation is in the handshake! Yeah, Really! Don't PM me for any clues cuz I will not respond!
(This post was last modified: 26-03-2013, 11:56 PM by southernyankey1970.)
26-03-2013, 11:54 PM
Canis-Major Offline
Banned

Posts: 386
Threads: 21
Joined: May 2015
#6
RE: ISP with Dynamic Configuration question
Actually, since I'm not paid NOT to, then I must admit, I will when I can be arsed ;) Gotta make sure method used is still valid..

Surely if you know the name of the file, it can in fact be downloaded, it's the lack of original name that gets ya, and I know the name is approx half the size of the dynamic name. I would go as far as suggest trying serial or mac addy as config filename, I would even rattle it down to last 6 digits..
30-06-2015, 01:40 PM
Canis-Major Offline
Banned

Posts: 386
Threads: 21
Joined: May 2015
#7
RE: ISP with Dynamic Configuration question
In your STB thread I gave you a hint already, it is viewable on DOCSIS 1, which is now used for streaming here, hence max speed is 20mb on the doc 1 network.. from that you should be able to deduce the d2/3 networks.. but if they apply a 'shared secret' per mac address, then it will be fun..

PS, dynamic name is applied upon sending..
(This post was last modified: 30-06-2015, 02:06 PM by Canis-Major.)
30-06-2015, 02:05 PM