Router Hacking Fun!

Ok, well, in my last post I gave you the little network testing program I wrote, NetTest.exe.
Only a simple program, but it's led me on quite an adventure the past few hours!

It started off last night...
I've been playing with web servers and the NetTest program, sending them silly requests and seeing how they handled it and such.
Part of the usual HTTP/1.1 header is the server version, like "Server: Apache/1.0". An interesting one is Google, who have their own server software: "Server: GWS/2.1", which I guess is the Google Web Server, version 2.1.
Anyway, that's all fun and games, but then I realised my router (a Belkin Wireless G, F5D7633-4) has a web interface... but what server does it run?

Here's how the thing went down:
[[Connecting...]]
[[Connected]]
  >> GET / HTTP/1.1
User-Agent: NetTest/1.1
Host: 192.168.2.1:80


  << HTTP/1.1 200 Ok
Server: micro_httpd
Cache-Control: no-cache
Date: Thu, 19 Jul 2007 20:29:15 GMT
Content-Type: text/html
Connection: close

And that was that: "Server: micro_httpd".
Rather nifty, eh! I now knew that my router runs Linux and uses micro_httpd to run its web interface.
But if it runs Linux...what else might it be running apart from a web server?
FTP = Connection refused
Telnet = Connection refused
SSH = Connected!

Wow! My router runs an SSH daemon? Sweet!
[[Connecting...]]
[[Connected]]
SSH-2.0-dropbear_0.36

But that was it: no response to any messages sent... Time for PuTTY!
However, it wouldn't connect. I tried various methods, but it either got connection refused or timed out.
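As an added example (not from the original post, and not NetTest's own code), here is a small Python script that builds the same HTTP/1.1 request shown above and splits the two banners the router returned into their fields; HTTP_RESPONSE and SSH_BANNER are constructed copies of the replies above, and grab_banner is an assumed helper for pulling a banner from one of your own devices.

```python
"""Build a banner-grab request and parse HTTP and SSH service banners."""
import socket

# Constructed samples, copied from the exchanges shown in the post.
HTTP_RESPONSE = (
    b"HTTP/1.1 200 Ok\r\n"
    b"Server: micro_httpd\r\n"
    b"Cache-Control: no-cache\r\n"
    b"Date: Thu, 19 Jul 2007 20:29:15 GMT\r\n"
    b"Content-Type: text/html\r\n"
    b"Connection: close\r\n"
    b"\r\n"
)
SSH_BANNER = b"SSH-2.0-dropbear_0.36\r\n"


def build_http_request(host, port=80, agent="NetTest/1.1"):
    """Minimal GET like the one NetTest sent; HTTP/1.1 requires the Host header."""
    return (f"GET / HTTP/1.1\r\nUser-Agent: {agent}\r\n"
            f"Host: {host}:{port}\r\n\r\n").encode()


def parse_http_headers(raw):
    """Return (status_line, {lower-cased header name: value}) from a raw response."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def parse_ssh_banner(raw):
    """Split 'SSH-protoversion-softwareversion [comments]' (RFC 4253, section 4.2)."""
    parts = raw.decode("ascii", "replace").strip().split(" ", 1)
    if not parts[0].startswith("SSH-"):
        raise ValueError("not an SSH identification string")
    _, proto, software = parts[0].split("-", 2)
    return {"protocol": proto, "software": software,
            "comment": parts[1] if len(parts) > 1 else ""}


def grab_banner(host, port, send=b"", timeout=3.0):
    """Assumed helper: connect, optionally send a probe, return the first 1 KiB of reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        if send:
            s.sendall(send)
        return s.recv(1024)
```

For the web interface, call grab_banner(host, 80, build_http_request(host)) and feed the bytes to parse_http_headers; for SSH, the server speaks first, so grab_banner(host, 22) alone returns the identification string.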

Enter Cygwin!
After downloading it, installing packages and making sure I installed the OpenSSH client, I set to work once more...

And this time, success! I got a prompt for a password:
Nick@LAPTOP2 ~
$ ssh admin@192.168.2.1
admin@192.168.2.1's password:

But what's that password? Luckily, thanks to Wim, I managed to get in with the same one I use on the web interface, and I was greeted by the oh-so-helpful ">_".
Typing in "help" gave me the following commands:
?
help
logout
reboot
adsl
atm
brctl
cat
ledctrl
df
dumpcfg
echo
ifconfig
kill
arp
defaultgateway
dhcpserver
dns
lan
passwd
ppp
remoteaccess
restoredefault
route
save
swversion
wan
ping
ps
pwd
siproxd
sntp
sysinfo
tftp
wlctl

Yup, a whole bunch of router-related commands and a couple of basic Linux commands.
The main downside was that there's no "cd" command or "ls" to see what files I could play with.
However:
> sysinfo
Number of processes: 32
  8:47pm  up 9 days, 19:46,
load average: 1 min:0.00, 5 min:0.00, 15 min:0.00
              total         used         free       shared      buffers
  Mem:        14140        13384          756            0          880
 Swap:            0            0            0
Total:        14140        13384          756
32 processes, eh? Let's see what I have running:
> ps
  PID  Uid     VmSize Stat Command
    1 admin       272 S   init
    2 admin           SWN [ksoftirqd/0]
    3 admin           SW< [events/0]
    4 admin           SW< [khelper]
    5 admin           SW< [kblockd/0]
    6 admin           SW  [khubd]
   19 admin           SW  [pdflush]
   20 admin           SW  [pdflush]
   21 admin           SW  [kswapd0]
   22 admin           SW< [aio/0]
   27 admin           SW  [mtdblockd]
   39 admin       304 S   -sh
   64 admin       752 S   cfm
  172 admin       156 S   pvc2684d
  227 admin       280 S   syslogd -C -l 3
  231 admin       240 S   klogd
  382 admin       196 S   sntp -s 129.132.2.21 -s 130.149.17.8 -t Greenwich Mea
  385 admin       740 S   telnetd
  386 admin       788 S   sshd
  388 admin       224 S   dhcpd
  393 admin      1008 S   httpd
  397 admin       400 S   pppd -c 0.38.1 -a 0.0.38 -u XXXXXXXXXXXXXXX@tiscali.c
  456 admin       200 S   /bin/dnsprobe
  460 admin       364 S   upnp -L br0 -W ppp_0_38_1 -D
  468 admin       304 S   reaim -e 88.104.196.109
  540 admin       388 S   siproxd --config /var/siproxd/siproxd.conf
  541 admin       388 S   siproxd --config /var/siproxd/siproxd.conf
  542 admin       388 S   siproxd --config /var/siproxd/siproxd.conf
 2082 admin       976 S   sshd
 2083 admin       992 S   sshd
 2088 admin       280 S   sh -c ps
 2089 admin       268 R   ps
Nifty.
And what's that I see? "385 admin 740 S telnetd"? A telnet server?
Yet to explore that one; I can't seem to connect to it, but I'll post later if I manage to get it to work.
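As an added example (not part of the original post), here is a Python snippet that turns a BusyBox "ps" listing like the one above into an inventory of the daemons that listen on the network, which is the quickest way to see what a router like this actually exposes to its LAN. PS_OUTPUT is a constructed, trimmed copy of the listing above, and the LISTENERS table of well-known daemon names is my own assumption, not something the router reports.

```python
import re
from collections import defaultdict

# Constructed sample, trimmed from the ps listing; VmSize is blank for kernel threads.
PS_OUTPUT = """\
  PID  Uid     VmSize Stat Command
    1 admin       272 S   init
    2 admin           SWN [ksoftirqd/0]
  227 admin       280 S   syslogd -C -l 3
  385 admin       740 S   telnetd
  386 admin       788 S   sshd
  393 admin      1008 S   httpd
  460 admin       364 S   upnp -L br0 -W ppp_0_38_1 -D
 2082 admin       976 S   sshd
"""

# Assumed table: well-known daemons and the service each normally exposes to the LAN.
LISTENERS = {
    "httpd": "HTTP admin interface",
    "sshd": "SSH",
    "telnetd": "telnet (cleartext logins)",
    "upnp": "UPnP (LAN clients may request port mappings)",
}

# PID, Uid, optional VmSize, Stat, then the rest of the line as the command.
PS_LINE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\d*)\s+(\S+)\s+(.*)$")


def parse_ps(text):
    """Return one dict per process row, skipping the header and unparseable lines."""
    rows = []
    for line in text.splitlines()[1:]:
        m = PS_LINE.match(line)
        if not m:
            continue
        pid, uid, vmsize, stat, cmd = m.groups()
        name = cmd.split()[0]                       # program name or "[kthread]"
        if not name.startswith("["):
            name = name.lstrip("-").rsplit("/", 1)[-1]   # "-sh" -> "sh", "/bin/x" -> "x"
        rows.append({"pid": int(pid), "uid": uid, "stat": stat, "name": name,
                     "vmsize": int(vmsize) if vmsize else None, "cmd": cmd.strip()})
    return rows


def network_daemons(text):
    """Map each known listener name to its PIDs so the exposed services can be reviewed."""
    found = defaultdict(list)
    for row in parse_ps(text):
        if row["name"] in LISTENERS:
            found[row["name"]].append(row["pid"])
    return dict(found)
```

On this listing it reports telnetd, sshd (twice, the daemon plus the session that ran "ps") and httpd, which matches what the connection tests earlier in the post found open.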

Back to the commands list; let's see what OS we're running:
> cat --help
BusyBox v1.00 (2006.03.27-10:18+0000) multi-call binary

Usage: cat [-u] [FILE]...

Concatenates FILE(s) and prints them to stdout.

Options:
        -u      ignored since unbuffered i/o is always used
BusyBox, it seems. I've not looked into this, but it seems so heavily modified by Belkin that I doubt I can play much.

I also noticed "df" and "tftp" on the command list:
> df
Filesystem           1k-blocks      Used Available Use% Mounted on
/dev/mtdblock0            1984      1984         0 100% /
tmpfs                      192       124        68  65% /var
We can see how the system is mounted and such. But without "cd" and "ls" I have no way to see what exactly is mounted.
However, tftp... that has "ftp" in it!
Wikipedia says this for TFTP.
So I got the lowdown on the "tftp" command I had available, but unfortunately I can only output the config file, and not the image :(
> tftp --help
BusyBox v1.00 (2006.03.27-10:18+0000) multi-call binary

Usage: tftp [OPTION]... tftp_server_ip

Update firmware image and configuration data from OR backup configuration
data to a tftp server.

Options:
-g      Get file. (Update image/configuration data)
-p      Put file. (backup configuration data)
-f      remote file name.
-t      i for image and c for configuration data.


Anyway, after all that, there's not much more I can do, I don't think!
Still, it was a good giggle, and if anyone has any ideas on stuff I can do to my router then please comment :)