
Thread: Enabling Telnet Console on Certain Netgear Routers

  1. #1
    Member
    Join Date
    Jan 2010
    Posts
    140

    Enabling Telnet Console on Certain Netgear Routers

    This tutorial covers how to enable a telnet session on certain Netgear routers. The program that we will use is called telnetenable. For more information on this program, use the links below.

    Useful Links
    http://wiki.openwrt.org/OpenWrtDocs/.../TelnetConsole
    http://www.seattlewireless.net/Netge...e8790b0722e370
    http://blog.ktdreyer.com/2008/01/hacking-wgr614.html

    OK, so let's get onto the fun part.

    Testing
    Before we can actually run this program we need to make sure that we have a viable candidate. To do this we will run the program Nmap. There are many different variables that you could use with nmap but for our purposes we will just do a quick scan to get some basic information. I will show you two different nmap scans on two different Netgear routers. One router has the telnet port open and the other doesn't have telnet enabled at all.

    Viable Candidate
    Code:
    bt ~ # nmap -A -T4 192.168.1.1
    
    Interesting ports on 192.168.1.1:
    Not shown: 1713 closed ports
    PORT   STATE SERVICE    VERSION
    23/tcp open  telnet?
    80/tcp open  tcpwrapped
    |  HTTP Auth: HTTP Service requires authentication
    |_   Auth type: Basic, realm = WGR614v7
    MAC Address: AA:AA:AA:AA:AA:AA (Netgear)
    Device type: WAP
    Running: Netgear embedded
    OS details: Netgear WGR614v7 or WPN824v2 wireless broadband router
    Uptime: 5.153 days (since Sat Jul 19 12:19:33 2008)
    Network Distance: 1 hop

    We can see from the output that the telnet port is open. But if we try to connect to the telnet port, we will get the following.
    Code:
    bt telnet # telnet 192.168.1.1
    Trying 192.168.1.1...
    Connected to 192.168.1.1.
    Escape character is '^]'.
    
    Connection closed by foreign host.

    We can see that it is open but not enabled. This is where the program I will show comes in handy.

    Not a viable candidate
    Code:
    bt ~ # nmap -A -T4 192.168.0.1
    
    Interesting ports on 192.168.0.1:
    Not shown: 1710 closed ports
    PORT   STATE SERVICE VERSION
    80/tcp open  http    Netgear MR814v2 wireless router http config (IP_SHARER WEB httpd 1.0)
    |_ HTML title: Site doesn't have a title.
    |  HTTP Auth: HTTP Service requires authentication
    |_   Auth type: Basic, realm = MR814v2
    MAC Address: XX:XX:XX:XX:XX:XX (Netgear)
    Device type: WAP|firewall
    Running (JUST GUESSING) : TRENDnet embedded (96%), Netgear embedded (93%)
    Aggressive OS guesses: TRENDnet TEW-431BRP wireless broadband router (96%), Netgear FR114P ProSafe VPN firewall (93%)
    No exact OS matches for host (test conditions non-ideal).
    Network Distance: 1 hop
    Service Info: Device: router

    As we can see, on this particular router there is no telnet port enabled. From my limited experience working with Netgear routers, it seems most of the older routers, mainly the 802.11b-only routers, don't have the telnet port open. Most of the newer 802.11bg routers do have the telnet port open. If you find this not to be the case, I would like to hear it.

    Obtaining the software
    There are probably many ways to obtain this software if you do a quick Google search. So I'm providing links to the files needed to compile the program that worked for me.

    Compile the program
    We will use the gcc compiler to compile the telnetenable program. Make sure that you are running as root or that you compile it with root privileges.
    Code:
    bt telnet # gcc -o telnetenable md5.c blowfish.c telnetenable.c
    md5.c: In function 'MD5Update':
    md5.c:74: warning: incompatible implicit declaration of built-in function 'memmove'
    md5.c:77: warning: incompatible implicit declaration of built-in function 'memmove'
    md5.c:85: warning: incompatible implicit declaration of built-in function 'memmove'
    md5.c:92: warning: incompatible implicit declaration of built-in function 'memmove'
    md5.c: In function 'MD5Final':
    md5.c:112: warning: incompatible implicit declaration of built-in function 'memset'
    md5.c:118: warning: incompatible implicit declaration of built-in function 'memset'
    md5.c:128: warning: incompatible implicit declaration of built-in function 'memmove'
    md5.c:129: warning: incompatible implicit declaration of built-in function 'memset'
    telnetenable.c: In function 'usage':
    telnetenable.c:66: warning: incompatible implicit declaration of built-in function 'exit'
    telnetenable.c: In function 'EncodeString':
    telnetenable.c:94: warning: passing argument 2 of 'Blowfish_Encrypt' from incompatible pointer type
    telnetenable.c:94: warning: passing argument 3 of 'Blowfish_Encrypt' from incompatible pointer type

    When you look in the directory, you will find the new program called telnetenable.
    Code:
    bt telnet # ls
    blowfish.c  blowfish.h  md5.c  md5.h  telnetenable*  telnetenable.c

    We can see that there are many warnings when you compile the program. We can safely ignore those warning messages. One of the comments on one of the links above said that you need to be root to compile and run the program. So, as stated above, I would recommend logging in as root or issuing the command "sudo -s" to obtain root privileges. I'm assuming that you are running as root, as BT3 runs best as root.

    Opening the connection
    The telnetenable program doesn't actually open up and communicate with the router by itself but instead makes a packet that is sent to the router via the netcat program. You can run the program with no variables with it so it will tell us what information we need to provide.
    Code:
    bt telnet # ./telnetenable
    
    Version:0.1, 2006/06/22
    Usage:
    ./telnetenable <host ip> <host mac> <user name> <password>

    From the output we can see that we need to provide the host IP of the router, the MAC address of the router, the default username, and the default password. So let's provide the information that we obtained from the viable candidate. From the viable candidate we can see that the host IP in this case is 192.168.1.1 and the MAC address is AA:AA:AA:AA:AA:AA. When typing in the MAC address, the telnetenable program doesn't like the colons, so leave them out. The default username and password are Gearguy and Geardog, respectively, and the packet that we are going to make is called modpkt.pkt. I don't believe the name of the resulting file is important, but it is what I found and worked for me. Once the packet is made, we will send the packet to the router via netcat.
    Code:
    bt telnet # ./telnetenable 192.168.1.1 AAAAAAAAAAAA Gearguy Geardog > modpkt.pkt
    bt telnet # nc 192.168.1.1 23 < modpkt.pkt

    Logging in
    So now that we have sent the packet to the router, let's see if it worked. From here just telnet into the router.
    Code:
    bt telnet # telnet 192.168.1.1
    Trying 192.168.1.1...
    Connected to 192.168.1.1.
    Escape character is '^]'.
    Login: Gearguy
    Password: *******
    U12H06400>

    And if you are successful then you will have a command prompt like the one above. We now have full administrative access to the router. The router has a version of VxWorks on it, so the two best commands to use to weave your way around are "help" and "..". The help command will list any directories and/or files in the current directory. The ".." command works just like the "cd .." command does in Linux and allows us to move out of directories. To exit cleanly we need to be in the top level folder and issue the command exit to close our telnet session. An example of help in the top directory will result in the following menu.
    Code:
    U12H06400> help
    
    Commands are:
    
    bridge         ddns           exit           ftpc           ip
    lan            nat            passwd         pot            reboot
    save           show           sntp           time           uptime
    version        wan            web            wla
    
     '..'    return to previous directory
    
    U12H06400> exit
    
    Connection closed by foreign host.

    And that is how you enable the telnet session in Netgear routers. I tried to provide enough information to clear up any ambiguity, so I apologize for the length of this tutorial. If you find that there are any mistakes then please leave a post and I will either clear up the mistake or try to explain better.

    Caveats
    1) Every time the router is rebooted or a setting is changed then the telnet session is open but not enabled.
    2) If, for some reason, the telnetenable program doesn't work then the telnet port is completely disabled. You need to reboot the router to open the port and then try the telnetenable process again. This is what you will see if you try to telnet into the router after a failed netcat attempt.
    Code:
    bt ~ # telnet 192.168.1.1
    Trying 192.168.1.1...
    telnet: connect to address 192.168.1.1: Connection refused

    3) I have tried using this program many times on Ubuntu with limited to no success. It worked for me on BT3 for this tutorial with root privileges. So, from my limited experience with the Linux version of this program, YMMV on successfully using it.
    4) If all fails then try using the windows version called "telnetEnable.exe"
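
An added example, not part of the original post: for auditing your own LAN, this parses nmap output in the form shown under "Testing" and lists Netgear devices that still have 23/tcp open, so they can be inventoried and firewalled or reflashed. The sample scan text is constructed from the two scans in the post, and the function names are illustrative.

```python
import re

# Constructed sample, trimmed from the two scans shown in the post.
SAMPLE_SCAN = """\
Interesting ports on 192.168.1.1:
PORT   STATE SERVICE    VERSION
23/tcp open  telnet?
80/tcp open  tcpwrapped
|_   Auth type: Basic, realm = WGR614v7
MAC Address: AA:AA:AA:AA:AA:AA (Netgear)

Interesting ports on 192.168.0.1:
PORT   STATE SERVICE VERSION
80/tcp open  http    Netgear MR814v2 wireless router http config
|_   Auth type: Basic, realm = MR814v2
MAC Address: XX:XX:XX:XX:XX:XX (Netgear)
"""

# Old ("Interesting ports on") and newer ("Nmap scan report for") host headers,
# bare-address form only.
HOST_RE = re.compile(r"^(?:Interesting ports on|Nmap scan report for) (\S+?):?$")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")
REALM_RE = re.compile(r"realm = (\S+)")
VENDOR_RE = re.compile(r"^MAC Address: \S+ \((.+)\)$")

def parse_hosts(text):
    """Split nmap normal output into one record per scanned host."""
    hosts, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        m = HOST_RE.match(line)
        if m:
            cur = {"ip": m.group(1), "open": {}, "realm": None, "vendor": None}
            hosts.append(cur)
            continue
        if cur is None:
            continue  # preamble before the first host header
        if (m := PORT_RE.match(line)) and m.group(3) == "open":
            cur["open"][int(m.group(1))] = m.group(4)   # port -> service guess
        elif (m := REALM_RE.search(line)):
            cur["realm"] = m.group(1)                   # Basic-auth realm = model
        elif (m := VENDOR_RE.match(line)):
            cur["vendor"] = m.group(1)                  # vendor from MAC prefix
    return hosts

def telnet_exposed(hosts, vendor="Netgear"):
    """Return (ip, model) for devices of `vendor` that have 23/tcp open."""
    return [(h["ip"], h["realm"]) for h in hosts
            if h["vendor"] == vendor and 23 in h["open"]]
```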

  2. #2
    Member PeppersGhost's Avatar
    Join Date
    Jan 2008
    Posts
    204

    You put some nice effort into this larryhaja. Good job. Thanks.
    <EeePc 1000HA BT4/W7 USB boot Alfa500 GPS BlueTooth>

  3. #3
    Just burned his ISO
    Join Date
    Jul 2008
    Posts
    13

    hi...
    How do I telnet to BT3? I mean from another PC to BT3. On Ubuntu I just installed telnetd and xinetd from the command line with apt-get install (XXXXX). But how about on BT3? What do I need to install and configure on my BT3? Can you help and guide me so I am able to telnet to BT3?

    Note: using telnet from BT3 to another PC works fine. I just want to know how to telnet from another PC to BT3. Thanks.

  4. #4
    Member
    Join Date
    Jun 2008
    Posts
    101

    Quote Originally Posted by sheikh76 View Post
    hi...
    How to telnet bt3? I mean from other pc to bt3. If using ubuntu i just installed telnetd, xinetd from command line apt-get install (XXXXX). But how about on bt3? what i need install to my bt3 and configuration? Can you help me and guide i be able telnet to bt3?

    Note: using telnet from bt3 to other pc it's working fine. I just want to know how do i telnet from other pc to bt3? Thanks.

    Have you tried looking for the same programs on slackware.com? Or better yet, why not use the SSH service already included in BT3?

  5. #5
    Just burned his ISO
    Join Date
    Jul 2008
    Posts
    13

    Thanks for the reply... so I need to use PuTTY to connect to BT3? How about another way? Connecting with PuTTY from a local IP is no problem, but how do I connect from the WAN? I have been setting up my router (Dynamic DNS) in D-Link. Is there anything I need to configure on my BT3? I hope you can help me with this.

  6. #6
    Member
    Join Date
    Jun 2008
    Posts
    101

    Quote Originally Posted by sheikh76 View Post
    Thanks for reply... so i need to use putty to connect bt3? how about other way? If using putty connect from local IP it's no problem, but how to connect if from WAN? I have been setting my router (Dynamic DNS) in D-link. Anything i need configure out to my bt3? I hope you can help me on this.

    SSHD opens port 22 in BT3 and that's all you need to access it locally. Now for WAN, you must open that same port in the router's firewall and point it to the local IP of the BT3 workstation. After that you can obtain a Secure Shell from your public IP address!

  7. #7
    Just burned his ISO
    Join Date
    Jul 2008
    Posts
    13

    Thanks... Okay, that means I need to open port 22 in my router?
    How about another way, or telnet via the command line besides PuTTY?
    Can the D-Link512 do something like (Enabling Telnet Console on Certain Netgear Routers)?

  8. #8
    Member
    Join Date
    Jun 2008
    Posts
    101

    Quote Originally Posted by sheikh76 View Post
    D-Link512 can do like (Enabling Telnet Console on Certain Netgear Routers)?

    I actually flashed both of my Linksys routers with dd-wrt, which allows me to do all kinds of funky stuff with them (including telnet, ssh...). You should check their site and see if your router is supported...

  9. #9
    Just burned his ISO
    Join Date
    Jul 2008
    Posts
    13

    How do I FTP to BT3?

    C:\>ftp 192.168.0.178
    Connected to 192.168.0.178.
    Connection closed by remote host.

    C:\>

  10. #10
    fastboi
    Guest

    I followed step-by-step, but still, after telnet ip, it closes on me.

    Trying 10.0.0.1...
    Connected to 10.0.0.1.
    Escape character is '^]'.
    Connection closed by foreign host.
