This tutorial covers how to enable a telnet session on certain Netgear routers. The program that we will use is called telnetenable. For more information on this program, use the links below.

Useful Links
http://wiki.openwrt.org/OpenWrtDocs/.../TelnetConsole
http://www.seattlewireless.net/Netge...e8790b0722e370
http://blog.ktdreyer.com/2008/01/hacking-wgr614.html

OK, so let's get onto the fun part.

Testing
Before we can actually run this program we need to make sure that we have a viable candidate. To do this we will run Nmap. There are many different options that you could use with nmap, but for our purposes we will just do a quick scan to get some basic information. I will show you two different nmap scans on two different Netgear routers. One router has the telnet port open and the other doesn't have telnet enabled at all.

Viable Candidate
Code:
bt ~ # nmap -A -T4 192.168.1.1

Interesting ports on 192.168.1.1:
Not shown: 1713 closed ports
PORT   STATE SERVICE    VERSION
23/tcp open  telnet?
80/tcp open  tcpwrapped
|  HTTP Auth: HTTP Service requires authentication
|_   Auth type: Basic, realm = WGR614v7
MAC Address: AA:AA:AA:AA:AA:AA (Netgear)
Device type: WAP
Running: Netgear embedded
OS details: Netgear WGR614v7 or WPN824v2 wireless broadband router
Uptime: 5.153 days (since Sat Jul 19 12:19:33 2008)
Network Distance: 1 hop

We can see from the output that the telnet port is open. But if we try to connect to the telnet port, we get the following.
Code:
bt telnet # telnet 192.168.1.1
Trying 192.168.1.1...
Connected to 192.168.1.1.
Escape character is '^]'.

Connection closed by foreign host.
We can see that it is open but not enabled. This is where the program I will show comes in handy.

Not a viable candidate
Code:
bt ~ # nmap -A -T4 192.168.0.1

Interesting ports on 192.168.0.1:
Not shown: 1710 closed ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Netgear MR814v2 wireless router http config (IP_SHARER WEB httpd 1.0)
|_ HTML title: Site doesn't have a title.
|  HTTP Auth: HTTP Service requires authentication
|_   Auth type: Basic, realm = MR814v2
MAC Address: XX:XX:XX:XX:XX:XX (Netgear)
Device type: WAP|firewall
Running (JUST GUESSING) : TRENDnet embedded (96%), Netgear embedded (93%)
Aggressive OS guesses: TRENDnet TEW-431BRP wireless broadband router (96%), Netgear FR114P ProSafe VPN firewall (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: Device: router

As we can see, on this particular router there is no telnet port enabled. From my limited experience working with Netgear routers, it seems most of the older routers, mainly the 802.11b-only routers, don't have the telnet port open. Most of the newer 802.11bg routers do have the telnet port open. If you find this not to be the case I would like to hear it.

Obtaining the software
There are probably many ways to obtain this software if you do a quick Google search, so I'm providing links to the files needed to compile the program that worked for me.

Compile the program
We will use the gcc compiler to compile the telnetenable program. Make sure that you are running as root or that you compile it with root privileges.
Code:
bt telnet # gcc -o telnetenable md5.c blowfish.c telnetenable.c
md5.c: In function 'MD5Update':
md5.c:74: warning: incompatible implicit declaration of built-in function 'memmove'
md5.c:77: warning: incompatible implicit declaration of built-in function 'memmove'
md5.c:85: warning: incompatible implicit declaration of built-in function 'memmove'
md5.c:92: warning: incompatible implicit declaration of built-in function 'memmove'
md5.c: In function 'MD5Final':
md5.c:112: warning: incompatible implicit declaration of built-in function 'memset'
md5.c:118: warning: incompatible implicit declaration of built-in function 'memset'
md5.c:128: warning: incompatible implicit declaration of built-in function 'memmove'
md5.c:129: warning: incompatible implicit declaration of built-in function 'memset'
telnetenable.c: In function 'usage':
telnetenable.c:66: warning: incompatible implicit declaration of built-in function 'exit'
telnetenable.c: In function 'EncodeString':
telnetenable.c:94: warning: passing argument 2 of 'Blowfish_Encrypt' from incompatible pointer type
telnetenable.c:94: warning: passing argument 3 of 'Blowfish_Encrypt' from incompatible pointer type

When you look in the directory you will find the new program called telnetenable.
Code:
bt telnet # ls
blowfish.c  blowfish.h  md5.c  md5.h  telnetenable*  telnetenable.c

We can see that there are many warnings when you compile the program. We can safely ignore those warning messages. One of the comments on one of the links above said that you need to be root to compile and run the program. So, as stated above, I would recommend logging in as root or issuing the command "sudo -s" to obtain root privileges. I'm assuming that you are running as root, as BT3 runs best as root.

Opening the connection
The telnetenable program doesn't open a connection to the router by itself. Instead it builds a packet, which is then sent to the router with the netcat program. If you run the program with no arguments, it will tell us what information we need to provide.
Code:
bt telnet # ./telnetenable

Version:0.1, 2006/06/22
Usage:
./telnetenable <host ip> <host mac> <user name> <password>

From the output we can see that we need to provide the host IP of the router, the MAC address of the router, the default username, and the default password. So let's provide the information that we obtained from the viable candidate. From the viable candidate we can see that the host IP in this case is 192.168.1.1 and the MAC address is AA:AA:AA:AA:AA:AA. When typing in the MAC address, the telnetenable program doesn't like the colons, so leave them out. The default username and password are Gearguy and Geardog, respectively, and the packet that we are going to make is called modpkt.pkt. I don't believe the name of the resulting file is important, but it is what I found and it worked for me. Once the packet is made, we will send it to the router via netcat.
Code:
bt telnet # ./telnetenable 192.168.1.1 AAAAAAAAAAAA Gearguy Geardog > modpkt.pkt
bt telnet # nc 192.168.1.1 23 < modpkt.pkt

Logging in
So now that we have sent the packet to the router, let's see if it worked. From here just telnet into the router.
Code:
bt telnet # telnet 192.168.1.1
Trying 192.168.1.1...
Connected to 192.168.1.1.
Escape character is '^]'.
Login: Gearguy
Password: *******
U12H06400>

If you are successful, you will have a command prompt like the one above. We now have full administrative access to the router. The router has a version of VxWorks on it, so the two best commands to use to weave your way around are "help" and "..". The help command will list any directories and/or files in the current directory. The ".." command works just like the "cd .." command does in Linux and allows us to move out of directories. To exit cleanly we need to be in the top-level folder and issue the command exit to close our telnet session. Running help in the top directory results in the following menu.
Code:
U12H06400> help

Commands are:

bridge         ddns           exit           ftpc           ip
lan            nat            passwd         pot            reboot
save           show           sntp           time           uptime
version        wan            web            wla

 '..'    return to previous directory

U12H06400> exit

Connection closed by foreign host.
And that is how you enable the telnet session in Netgear routers. I tried to provide enough information to clear up any ambiguity, so I apologize for the length of this tutorial. If you find that there are any mistakes then please leave a post and I will either clear up the mistake or try to explain better.

Caveats
1) Every time the router is rebooted or a setting is changed, the telnet port goes back to being open but not enabled.
2) If, for some reason, the telnetenable program doesn't work then the telnet port is completely disabled. You need to reboot the router to open the port and then try the telnetenable process again. This is what you will see if you try to telnet into the router after a failed netcat attempt.
Code:
bt ~ # telnet 192.168.1.1
Trying 192.168.1.1...
telnet: connect to address 192.168.1.1: Connection refused
3) I have tried using this program many times on Ubuntu with limited to no success. It worked for me on BT3 for this tutorial with root privileges. So, from my limited experience with the Linux version of this program, YMMV on successfully using it.
4) If all else fails, try using the Windows version called "telnetEnable.exe".
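
The tutorial shows three distinct behaviours on port 23: connection refused (caveat 2), connected and then closed with no output (open but not enabled), and a Login: prompt (console enabled). The following is an added example, not part of the original tutorial or of telnetenable, that an owner can use to audit which state a router is in; the names telnet_console_state and fake_router are hypothetical, and fake_router is a constructed localhost stand-in so the check can be tried without a router.

```python
import socket
import threading

def telnet_console_state(host, port=23, timeout=3.0):
    """Classify the telnet port using the three behaviours shown in the tutorial."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "disabled"        # "Connection refused", as in caveat 2
    except OSError:
        return "unreachable"     # timeout, filtered, no route
    with sock:
        sock.settimeout(timeout)
        banner, peer_closed = b"", False
        try:
            # Read until a login prompt appears, the peer closes, or we time out.
            while b"ogin:" not in banner and len(banner) < 512:
                chunk = sock.recv(256)
                if not chunk:
                    peer_closed = True
                    break
                banner += chunk
        except (socket.timeout, ConnectionResetError):
            pass
    if b"ogin:" in banner:
        return "unlocked"        # console is answering with "Login:"
    if peer_closed and not banner:
        return "locked"          # open but not enabled: closed with no output
    return "unknown"

def fake_router(reply):
    """Constructed test listener: accept one client, send reply, then close."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    def serve():
        conn, _ = srv.accept()
        if reply:
            conn.sendall(reply)
        conn.close()
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return port

if __name__ == "__main__":
    print(telnet_console_state("127.0.0.1", fake_router(b""), 1.0))
    print(telnet_console_state("127.0.0.1", fake_router(b"Login: "), 1.0))
```

A result of "unlocked" on a router you have not deliberately opened means the console has been enabled since the last reboot or settings change; per caveat 1, rebooting returns it to "locked".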