Could An Admin Sent Me A Private Message
#11
(20-07-2013, 12:52 PM)Box3r Wrote: The only reason I mentioned PMs is because I've seen a lot of posts about the Telnet Hack not being posted to the public; I didn't really want to break the mold, hence the PMs. I thought it was the telnet hack that would help me get onto D1.1 MACs. Guess not.

I better keep looking around and do some reading.

Forget you ever read that post or any other post about it. Only a few know it and you do not need it anyway. Study the provisioning process at cisco.com and read your bootlogs. There are lots of ways in, just not any EASY ways in. What works for me won't do shit for you and vice versa... that's the secret of D3 security now. It's different in every area now... no more Freetards sucking up all the b/w overhead anymore.
#12
Blah blah telnet hack blah blah

just to drive people crazy and a lot of anal sex

Where the fuck is this telnet crap???
#13
A good place to start is http://www.cisco.com/en/US/tech/tk86/tk8...c169.shtml
#14
By the bootlog, do you mean the PuTTY log? I'll read that page now. Thank you guys.
#15
1. There are no telnet hacks...
2. SNMP on the ISP works as R/W using the upper public and lower private pass from the config.
3. If the ISP wants to disable the config passwords he can do it and use a second private pass from...
4. Getting the second private pass is easy, no need for any tools such as a DVB-C or ATSC DOCSIS sniffer.
5. SNMP on many ISPs could be disabled by an ICMP filter; the ISP could completely disable pinging other devices on its network from the 10.x.x.x range by adding ACL filters into the CMTS config.
6. There is a way... to bypass ICMP filters/firewalls using a cable modem by removing the IP stacks from it and assigning them to a NIC network card; in this case the DOCSIS vendor must be added/modified on the NIC card.

Everything is available by studying and testing... the network is not as secured as many other crypto devices. The reason is that everything is kept private and not posted
on public sites; simply put, everything called private will stay private indefinitely.
#16
Never make a statement you can't be 100% sure of. @ #1.

Private string is never in config. Private string is SSH to Network Elements (Field CMs). SNMP is alive and well.
Knowledge=Power
#17
ABMJR, is there any chance you could help me get on D1.1 MACs? Point me in the right direction.
#18
(21-07-2013, 03:12 PM)ABMJR Wrote: Never make a statement you can't be 100% sure of. @ #1.

Private string is never in config. Private string is SSH to Network Elements (Field CMs). SNMP is alive and well.
This, about what I wrote here, is my and my friend's private experience with the network.
If you are sure about what you say, then please tell me exactly which password you are talking about, to be clear...?
The reason I am asking you is because I know exactly the 2nd private password of my ISP.
At first - maybe in your network there is no private password in the config file, but on other networks there is... we can write using those passes, for example the MAC, to the modem (a pass from the config, the lower one); there is another password unique to the modem manufacturer, and this pass is sent before the modem update begins.
I have it... and it's also easy to read.
So please clarify exactly which password you are talking about? To manage the modem over SNMP with a password, the modem must first know that password, and this password is the one I am talking about.

A private password for controlling network elements could be a CMTS SNMP password; there is... public (to watch CMTS details) and private (to change CMTS details). This is what I discovered with some help from some friends.

Also, the second thing which I have been trying to explain to you for 2 months is:
My ISP has disabled ICMP ping on any devices on its network from the customer side (this means you cannot ping the CMTS... you cannot ARP, you cannot ping second-neighbour modems, because ICMP is filtered). Also, if ICMP is filtered you cannot use any kind of SNMP yourself using your hacked modem with IP filters disabled.
There are ACL filters turned on at the CMTS to counter hackers' manipulations of ISP network devices.
Also... my ISP uses SNMP only for updating cable modems; the rest is managed via VPN.

Added:
Modems in my network are behind the ISP firewall.
How many times do I need to tell you that until you understand me?
I am not a liar, and what I wrote is just experience; this is not a story pasted from somebody here.
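The CMTS-side ICMP/SNMP filtering that posts #15 (item 5) and #18 describe, written out as an added example in Cisco IOS access-list syntax; this is illustrative configuration, not anything taken from the thread or from any ISP. The ACL name CPE-IN, the 10.0.0.0/8 prefix as the ISP's modem/management space, and the interface name Cable5/0/0 are assumptions; a real deployment must be checked against the provisioning servers (DHCP, TFTP, ToD) that modems have to reach, which the final permit leaves open here.

```cisco
! Added example (not from the thread): CMTS-side filtering of the kind the posts describe.
! Assumptions: modem/management addresses live in 10.0.0.0/8, the cable interface is
! Cable5/0/0, and the ACL name CPE-IN is arbitrary.
ip access-list extended CPE-IN
 remark Modem-side hosts may not probe or manage other elements in the ISP's own 10/8 space
 deny   icmp 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255 log
 deny   udp  10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255 eq snmp log
 deny   udp  10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255 eq snmptrap log
 deny   tcp  10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255 eq telnet log
 deny   tcp  10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255 eq 22 log
 remark Everything else (DHCP, TFTP, ToD, customer Internet traffic) continues to be allowed
 permit ip any any
!
interface Cable5/0/0
 ip access-group CPE-IN in
```

Applied inbound on the cable interface, this is what makes the "cannot ping the CMTS, cannot ARP, cannot ping neighbour modems, cannot use SNMP from a hacked modem" behaviour in post #18 happen: the denies cover ICMP, SNMP (161/162), telnet and SSH from the modem side toward any other 10/8 address, and the `log` keyword turns every match into a syslog entry, so repeated hits from one source address are also the detection signal an operator would alert on.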
#19
I forgot to add something.
Those private passwords are per manufacturer and modem type.
To use them, for example to read certificates, you need a modem with factory mode on.
The ISP does not need to see the private details of certificates; only the public details are exchanged with the CMTS, so there is no OID written by the manufacturer which allows you to read certs if the modem does not have factory mode on.

The reason the ISP can overwrite the modem software using the manufacturer's private pass is.... because there are enterprise OIDs added to the config by the ISP; those enterprise OIDs allow you to write details to the modem specified in the config as enterprise by sending a second OID to the modem.
That's how the ISP updates firmware without factory mode on.

Using the enterprise OIDs detailed in the config you can write anything you want to the modem with factory mode off - if the config previously had valid permissions added.

Theoretically you could write some enterprise OID to allow you to read private keys from the modem even with factory mode off, and an external OID sent afterwards would do that job.
But how will you push your patched config to a second-neighbour modem?

I disassembled the SB5101 firmware and looked at the factory mode stage.
There are some calls from the UART receiver only.... there are no external calls from the network port.
This means factory mode cannot be turned on remotely by any issuer, including the ISP.

Also, by creating some enterprise OIDs in the config you can turn telnet/SSH/web off/on on cable modems.
This is how the ISP manages the modems without factory mode on.
For example, if you call the ISP and say my modem freezes, reboots, etc... he prepares a diagnostic config for you (with enterprise OIDs included), sends it, with a reboot or without one if the config is dynamic, and after that he can manage it completely as R/W.

So basically the ^key^ to open modems can only be specified in the config as enterprise.
I didn't have an enterprise OID to allow you to read certs from the modem... I didn't enter that stage yet and even doubt I will try to enter... the reason is simple:
you cannot push your config to a victim modem remotely.
#20
I can only think of 1 reason why you would want D1.1 MACs, as all D1 MACs on our ISP are for STB boxes and are of little to no use for internet.
The 1 reason is simple: old D1 exploits should still work in theory (though, to their credit, they have done a good job mitigating said attacks using every option available).