Ap hack test DL-624 x-trem G
So you crack a wep key like million of other users .... its fun , i guess, but now what?
heres what, lets push this a little further shall we, so i use nesus to scan our new find home (192.168.0.1)
well imagine that :
rrac 5678/tcp open
http 80/tcp open
tftp 69/udp open <--- w00t
general /icmp
general udp
Domain 53/udp
domain 53/tcp
general /tcp
now doesn't seems like much but for a tiny little AP box it is. Now the question is ,what are we going to do to with this?
so most of this is pretty useless or i haven't find out what to use it for or how to take advantage of it but the TFTP is nice so lets try
bt~ # tftp 192.168.0.1
tftp>mode
Using netascii mode to transfer file.
tftp>verbose
Verbose mode on.
tftp> get admin.img 192.168.0.100 (thats me)
getting from 192.168.0.1:admin.img to 192.168.0.100 [netascii]
Error code 1: file not found
tftp>
Ok so didn't get lucky, got and error on the file requested. But if u haven't notice by now we were able to request a file via tftp without even putting a login /pwd
now this also work with uploading ur own file or whatever to the AP without login in.
Anyway still working on trying to get a file list from my ap see what i can d/l haven't got any luck yet so if any of you have any output on this feel free to reply
here a few more thing u can try
192.168.0.1/natlist.txt
192.168.0.1/public.js
192.168.0.1/chklst.txt
download dbgout.txt with tftp
thats it for now if u know more let me know
Don't you have to put the full path of the file in your command....
tftp> get admin.img 192.168.0.100
and make it...
tftp> get C:\Documents and Settings\Xploitz\My Documents\admin.img 192.168.0.100
No???
Sorry...but I'm without my BT2 right now so I'm kinda shooting in the dark here. I could be completely wrong. I'm waiting on a HD caddy for my laptop from E-bay.
[CENTER][FONT=Book Antiqua][SIZE=5][B][COLOR=blue][FONT=Courier New][COLOR=red]--=[/COLOR][/FONT]Xploitz[FONT=Courier New][COLOR=red]=--[/COLOR][/FONT][/COLOR][/B][/SIZE][/FONT][FONT=Courier New][COLOR=Black][SIZE=6][B] ®[/B][/SIZE][/COLOR][/FONT][/CENTER]
[CENTER][SIZE=4][B]Remote-Exploit.orgs Master Tutorialist.[/B][/SIZE][SIZE=6][B]™
[/B][/SIZE]
[URL="http://forums.remote-exploit.org/showthread.php?t=9063"][B]VIDEO: Volume #1 "E-Z No Client WEP Cracking Tutorial"[/B]
[/URL]
[URL="http://forums.remote-exploit.org/showthread.php?t=7872"][B]VIDEO: Volume #2 "E-Z No Client Korek Chopchop Attack Tutorial"[/B]
[/URL]
[URL="http://forums.remote-exploit.org/showthread.php?t=8230"][B]VIDEO: Volume #3 "E-Z WPA/WPA2 Cracking Tutorial"[/B][/URL]
[URL="http://forums.remote-exploit.org/showthread.php?t=8041"][B]VIDEO: Volume #4 "E-Z Cracking WPA/WPA2 With Airolib-ng Databases"[/B][/URL]
[/CENTER]
without specifying the loc it seem to put everything in my /root folder plus we're not attacking a client box we going after the AP itself so no such thing as c:/etcetc
anyway to get a full list of avail file from the AP it selft .
HHmm...perhaps this will get you started...
connect host-name [ port ] (port is optional....)
mode transfer-mode
Since IPv6 addresses already contain ":"s, the host should
be enclosed in square brackets when an IPv6 address is used.
Otherwise, the first occurrence of a colon will be inter-
preted as the separator between the host and the filename.
For example,
[1080::8:800:200c:417A]:myfile
Files may be written only if they already exist and are
publicly writable.
get filename
get remotename localname
get filename1 filename2 filename3 ... filenameN
Get a file or set of files (three or more) from the
specified remote sources. source can be in one of two
forms: a filename on the remote host if the host has
already been specified, or a string of the form:
host:filename
to specify both a host and filename at the same time.
If the latter form is used, the last host specified
becomes the default for future transfers. See the put
command regarding specifying a host.
I don't know if this helps you or not..but its all I could find on "Google" for ya.
More is here...
Code:http://www.scit.wlv.ac.uk/cgi-bin/mansec?1+tftp
[CENTER][FONT=Book Antiqua][SIZE=5][B][COLOR=blue][FONT=Courier New][COLOR=red]--=[/COLOR][/FONT]Xploitz[FONT=Courier New][COLOR=red]=--[/COLOR][/FONT][/COLOR][/B][/SIZE][/FONT][FONT=Courier New][COLOR=Black][SIZE=6][B] ®[/B][/SIZE][/COLOR][/FONT][/CENTER]
[CENTER][SIZE=4][B]Remote-Exploit.orgs Master Tutorialist.[/B][/SIZE][SIZE=6][B]™
[/B][/SIZE]
[URL="http://forums.remote-exploit.org/showthread.php?t=9063"][B]VIDEO: Volume #1 "E-Z No Client WEP Cracking Tutorial"[/B]
[/URL]
[URL="http://forums.remote-exploit.org/showthread.php?t=7872"][B]VIDEO: Volume #2 "E-Z No Client Korek Chopchop Attack Tutorial"[/B]
[/URL]
[URL="http://forums.remote-exploit.org/showthread.php?t=8230"][B]VIDEO: Volume #3 "E-Z WPA/WPA2 Cracking Tutorial"[/B][/URL]
[URL="http://forums.remote-exploit.org/showthread.php?t=8041"][B]VIDEO: Volume #4 "E-Z Cracking WPA/WPA2 With Airolib-ng Databases"[/B][/URL]
[/CENTER]
thk, yeah google been sorda useless in this case ... damn u google, i may just have to back up my Access point firmware and try to put it apart, to have a full file list of what could be done to it.
The ultimate goal is once u have access to network is to rip the AP admin pwd. Once u control the AP u own the place.
i got some response with some cgi [default value] from the browser.
slowly making progress.
here's what i got so far if anyone is interested.
most of them get a 403 but its a working process
/tools_ddns.cgi (ddnsEnable [1] ddnsEnable [0] ddns_server [] ddns_host [] ddns_user [] ddns_pass [] )
/h_dhcp.cgi (edit_row [-1] del_row [-1] dhcpsvr [1] dhcpsvr [0] start_ip4 [100] end_ip4 [199] lease [] revdhcp [1] revdhcp [0] name [] static_ip4 [] mac1 [] mac2 [] mac3 [] mac4 [] mac5 [] mac6 [] dhcp [] clone [Clone] )
/st_device.cgi (release [DHCP Release] renew [DHCP Renew] )
/tools_misc.cgi (hEnable [0] hEnable [1] upnp [1] upnp [0] game [1] game [0] pptp_pt [1] pptp_pt [0] ipsec_pt [1] ipsec_pt [0] multicast_pt [1] multicast_pt [0] wanspd [1] wanspd [0] wanspd [2] )
/load.cgi (file [] load [Load] )
/tools_time.cgi (time_type [0] ntp [] interval [] time_type [1] year [] mon [] day [] set [Computer Clock] hour [] min [] sec [] tzone [] daylight [1] daylight [0] s_month [] s_week [] e_month [] e_week [] )
/ping.cgi (ip [] ping [Ping] )
/h_wan_dhcp.cgi (connType [0] connType [1] connType [2] otherType [] connType [3] connType [5] connType [4] host [go **** urself] mac1 [00] mac2 [13] mac3 [46] mac4 [a3] mac5 [27] mac6 [17] clone [Clone MAC Address] dns1 [0.0.0.0] dns2 [0.0.0.0] mtu [1500] )
/restore.cgi (restore [Restore] )
/restart.cgi (restart [Reboot] )
and other problem is the tftp connection doesn't have a DIR or listing of available files. (this should be solve soon) .
than again just for the record those may not work on all manufacturer those test are perform on a DL-624 x-trem G route. I may just plug my DL-514 and Netgear one after seen if i can find anything. anyway ill keep working on it.
Be patient the universe didn't get created over night (altho ther is a theory about a big bang)
did you ever get any farther on this?
This is interesting but since it's a 192.168.x.x address an attacker would have to be on your network to execute any attack. Assuming you've properly secured your AP it should be exceedingly difficult for someone else to become part of your network, especially since this device offers LEAP & Radius.
You could download and unpack the firmware from D-Link to see what files are there, though that might be considered reverse engineering and could result in your violating the DMCA or some License with D-Link. (IIRC D-Link likes to use ARJ compression for it's Firmware)
It might be intersting to know if you can get NATLIST.TXT or CHKLST.TXT via tftp.
I'm a compulsive post editor, you might wanna wait until my post has been online for 5-10 mins before quoting it as it will likely change.
I know I seem harsh in some of my replies. SORRY! But if you're doing something illegal or posting something that seems to be obvious BS I'm going to call you on it.
Still working on it , withinthe next week or so i should have the full diclo ready to post, stay tune
Posting Permissions
