Thread: 2wire router admin password deny signal

  1. #1
    Junior Member otkaz's Avatar
    Join Date
    Jan 2010
    Location
    Houston, TX
    Posts
    38

    Default 2wire router admin password deny signal

    I was looking for some input on bruteforcing admin rights on a 2wire router. I'm using the medusa web-form model. Having trouble figuring out what the deny signal is. I'm using Wireshark to dissect the responses, but can't find one. I know the correct password as it is my router, so I've logged in with both the correct and incorrect passwords from the web form with Wireshark running, but can't find a packet containing any "access denied" or "incorrect password" etc. Has anyone ever bruteforced a 2wire that can lend some advice? I can post the packet captures if needed.

  2. #2
    Member skor78's Avatar
    Join Date
    Jul 2009
    Posts
    140

    Default Re: 2wire router admin password deny signal

    Hi, a little search around the forum will give you plenty of answers, also if you browse through the threads at the end of this page you'll have a nice surprise.. Or not (considering you might want to change router)..
    Try harder!..

  3. #3
    Senior Member iproute's Avatar
    Join Date
    Jan 2010
    Location
    Midwest, USA
    Posts
    192

    Default Re: 2wire router admin password deny signal

    No need to brute force 2wire admin passwords. This is a well documented vulnerability of many 2wire models and firmwares. As far as using Hydra or medusa, I'm not sure a 2wire is a good candidate. As you'll be able to see below it handles authentication somewhat strangely.


    Admin Password bypass 2wire

    I have seen this work on equipment deployed within the last 3 months from ISPs. The true danger is that often the wireless settings on 2wire are not altered, and on many of the 2wire DSL modems, the default wireless is WEP. Kinda scary. If one of these things is default, you can break the WEP, use the exploit to break the admin password, and go to http://192.168.1.254/mdc (the management console) and statically configure DNS resolution and redirect whatever page to wherever you'd like. Pretty bad. Every time I encounter one I assist my client in reconfiguration. Generally I'm coming across the 2wire devices when dropping off a PC I've repaired for a client. Client in this case really means residential.

    And to anyone who reads this, please keep ethics in mind. I do realize there are many 2wires out there in default configurations, however I once saw pure_hate put it best.

    "It's like walking into someone's house, grabbing a beer, and telling the dude standing there in shock that you're gonna have a go with his wife too." Not cool.

  4. #4
    Junior Member otkaz's Avatar
    Join Date
    Jan 2010
    Location
    Houston, TX
    Posts
    38

    Default

    I did search the forums and yes I saw the admin vulnerability "gateway.2wire.net/xslt?PAGE=H04_POST&PASSWORD=admin&PASSWORD _CONF=admin" and no, it does not work on my model or the model I had before this one. It has nothing to do with the question I'm asking. That's old news, and was fixed a very long time ago. I know 2wire routers have a lot of vulnerabilities. That's why I'm pen testing it.

    Quote Originally Posted by iproute View Post
    No need to brute force 2wire admin passwords. This is a well documented vulnerability of many 2wire models and firmwares. As far as using Hydra or medusa, I'm not sure a 2wire is a good candidate. As you'll be able to see below it handles authentication somewhat strangely.


    Admin Password bypass 2wire

    I have seen this work on equipment deployed within the last 3 months from ISPs. The true danger is that often the wireless settings on 2wire are not altered, and on many of the 2wire DSL modems, the default wireless is WEP. Kinda scary. If one of these things is default, you can break the WEP, use the exploit to break the admin password, and go to http://192.168.1.254/mdc (the management console) and statically configure DNS resolution and redirect whatever page to wherever you'd like. Pretty bad. Every time I encounter one I assist my client in reconfiguration. Generally I'm coming across the 2wire devices when dropping off a PC I've repaired for a client. Client in this case really means residential.

    And to anyone who reads this, please keep ethics in mind. I do realize there are many 2wires out there in default configurations, however I once saw pure_hate put it best.

    "It's like walking into someone's house, grabbing a beer, and telling the dude standing there in shock that you're gonna have a go with his wife too." Not cool.
    Thanks for the reply, but none of these vulnerabilities work with my router. It has a much newer firmware revision than the ones documented as on that page. I'm trying to test medusa for a reason. 2wire routers by default have a 10 digit all number admin password just as they have for a WEP key, but they are not the same number. They are not all vulnerable to these admin hacks any more (at least the ones in my area). I wanted to see at what speed medusa could run on them, so I can figure out how long it would take to try each 10 billion possible default passwords.
    Last edited by Archangel-Amael; 11-29-2010 at 01:07 PM.

  5. #5
    Member skor78's Avatar
    Join Date
    Jul 2009
    Posts
    140

    Default Re: 2wire router admin password deny signal

    Quote Originally Posted by otkaz View Post
    I wanted to see at what speed medusa could run on them, so I can figure out how long it would take to try each 10 billion possible default passwords.
    According to - Online Password Calculator - 500.000 pass per sec. - 6 hours.. If you'd paid attention to the threads I told you to read, you'd already have had your questions answered..
    Last edited by skor78; 11-28-2010 at 11:00 PM.
    Try harder!..

  6. #6
    Senior Member iproute's Avatar
    Join Date
    Jan 2010
    Location
    Midwest, USA
    Posts
    192

    Default Re: 2wire router admin password deny signal

    I see. A co-worker of mine wanted to do something similar but using phone numbers.

    I've had the vulnerability work on newer firmwares, sort of. I use the url which overloads 512 chars, and it works to reset the admin password for the session, but will not save the pw you made into the device. Looks almost like it fails too as when you hit next at some point there is an error. Changes you made to the device during the session are saved however.

    I've not tried it on any of the newer routers however. Mostly the ADSL equipment.

  7. #7
    Junior Member otkaz's Avatar
    Join Date
    Jan 2010
    Location
    Houston, TX
    Posts
    38

    Default Re: 2wire router admin password deny signal

    Quote Originally Posted by iproute View Post
    I see. A co-worker of mine wanted to do something similar but using phone numbers.

    I've had the vulnerability work on newer firmwares, sort of. I use the url which overloads 512 chars, and it works to reset the admin password for the session, but will not save the pw you made into the device. Looks almost like it fails too as when you hit next at some point there is an error. Changes you made to the device during the session are saved however.

    I've not tried it on any of the newer routers however. Mostly the ADSL equipment.
    I made a script to generate phone numbers for attempting a WPA crack. Pass this on to him. It might be helpful. I used this site Fone Finder query form to look up the exchange prefixes for my target area codes. (Look around on the site, there is a way to look up all prefixes in a specified area code or city.) There is only a given amount of exchange prefixes per area code, so the remaining key space is only 4 digits. I wrote a simple Perl script to feed pyrit phone numbers. These numbers are for Spring, TX, just change them to your area.
    Code:
    #!/usr/bin/perl
    ## Script to generate all possible phone numbers for a given area code and exchange prefix.
    use strict;
    use warnings;

    my @prefix =
    (281203,281210,281288,281292,281296,281297,281298,281323,281350,281353,281355,281362,281363,281364,281367,281419,281465,281466,281528,281541,281602,281651,281681,281719,281791,281801,281825,281863,281882,281907,281967,713389,713992,832292,832403,832442,832447,832585,832636,832642,832797,832813,832928,832967);
    # Append every 4-digit line number (0000-9999) to each area+exchange prefix.
    foreach my $prefix (@prefix) {
        for my $num ("0000" .. "9999") {
            print "$prefix$num\n";
        }
    }
    Hope this helps your buddy. I wrote a macro to parse the area+exchange from the webpage quickly, but I'm having trouble locating it at the moment. I'll post it later if I find it.
    @skor78 no that doesn't really answer my question. That is just a guess that medusa can run 500,000 passwords a sec. I can do math, I don't need a website to tell me how many hours it will take for whatever speed it runs at. I'm curious what speed it will run at and mainly just curious to get it working. I think iproute is right, the 2wire routers probably are not going to work with a stock medusa or hydra due to the way it handles authenticity. I'll look into modifying medusa's web-post.mod. I did notice from the packets I got with Wireshark medusa seems to stop communicating with the router prematurely. Probably a lot more research and work than I really have time for right now.
    Thank you both for your input.
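
    The keyspace arithmetic discussed in this thread, turned into a defensive audit check (an added example, not code from any poster): it flags passphrases that fall in the 10-digit numeric or local phone-number keyspaces and reports the worst-case time to exhaust them. The four prefixes are a constructed sample and the guess rate is a parameter; function names are hypothetical.

```python
import re

# Constructed sample: four area+exchange prefixes of the kind listed in the post.
SAMPLE_PREFIXES = frozenset({"281203", "281210", "713389", "832292"})

def classify(passphrase, prefixes=SAMPLE_PREFIXES):
    """Return (label, effective_keyspace) for one passphrase."""
    if re.fullmatch(r"[0-9]{10}", passphrase):
        if passphrase[:6] in prefixes:
            # A known prefix leaves only the 4-digit line number to guess.
            return "local-phone-number", len(prefixes) * 10**4
        # Same shape as the 10-digit all-number default described in the thread.
        return "ten-digit-numeric", 10**10
    # Otherwise bound the keyspace by the character classes actually used.
    pool = 0
    for pattern, size in ((r"[a-z]", 26), (r"[A-Z]", 26), (r"[0-9]", 10),
                          (r"[^a-zA-Z0-9]", 33)):
        if re.search(pattern, passphrase):
            pool += size
    return "other", pool ** len(passphrase)

def hours_to_exhaust(keyspace, guesses_per_sec):
    """Worst-case hours to try every candidate at a sustained guess rate."""
    try:
        return keyspace / guesses_per_sec / 3600
    except OverflowError:  # keyspace too large to express as a float
        return float("inf")

def audit(passphrases, guesses_per_sec, max_hours=24 * 365):
    """Return (passphrase, label, hours) for entries exhaustible within max_hours."""
    findings = []
    for p in passphrases:
        label, keyspace = classify(p)
        hours = hours_to_exhaust(keyspace, guesses_per_sec)
        if hours <= max_hours:
            findings.append((p, label, round(hours, 2)))
    return sorted(findings, key=lambda f: f[2])

if __name__ == "__main__":
    # Constructed inputs; 500,000 guesses/s is the rate quoted in the thread.
    for row in audit(["2812031234", "9999999999", "Tr0ub4dor&3x!"], 500_000):
        print(row)
```

    A passphrase that appears in the findings should be replaced with one that classifies as "other" and stays out of the list at any realistic guess rate.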

  8. #8
    Member skor78's Avatar
    Join Date
    Jul 2009
    Posts
    140

    Default Re: 2wire router admin password deny signal

    otkaz, I'm sorry I couldn't be of more use, apparently you're a far more advanced user than me.. Just tried to provide you the tools according to your request, unfortunately I didn't notice your intention was to check even the possibility of the attack, as well as the possible speed, just thought you wanted to calc the time it would take to attack it.. You have a nice thread here, which I'm sure I'll follow in its development.. And I'll try to be more humble next time.
    Good luck on your pentesting, and please keep us updated.

    Cheers!
    Try harder!..

  9. #9
    Junior Member otkaz's Avatar
    Join Date
    Jan 2010
    Location
    Houston, TX
    Posts
    38

    Default Re: 2wire router admin password deny signal

    Quote Originally Posted by skor78 View Post
    otkaz, I'm sorry I couldn't be of more use, apparently you're a far more advanced user than me.. Just tried to provide you the tools according to your request, unfortunately I didn't notice your intention was to check even the possibility of the attack, as well as the possible speed, just thought you wanted to calc the time it would take to attack it.. You have a nice thread here, which I'm sure I'll follow in its development.. And I'll try to be more humble next time.
    Good luck on your pentesting, and please keep us updated.

    Cheers!
    Well honestly you're right. I really don't have any reason to waste time with trying to make this work. I requested my ISP to send me just a plain old ADSL modem that I was planning to bridge with an OpenWrt router for configurability. I was sent this 2wire piece of junk instead and was just fooling around with it while I'm waiting for my replacement. I ran medusa on it for the hell of it, but couldn't get it to work right. I don't give up on things easily, so it became a pointless challenge for me. That pretty much sums it up. Sorry if I was rude in my responses. It just seems like any time I post on this forum I get people telling me I didn't search and pointing me to posts that have nothing to do with what I'm really asking. Probably my fault due to the way I ask questions. I wouldn't call myself an advanced user though, I have no idea what I'm doing half the time lol

  10. #10
    Member skor78's Avatar
    Join Date
    Jul 2009
    Posts
    140

    Default Re: 2wire router admin password deny signal

    It just seems like any time I post on this forum I get people telling me I didn't search and pointing me to posts that have nothing to do with what I'm really asking.
    It's much more common than one might assume.. You weren't rude, and I hope I wasn't either, I just assumed the info you were requesting was at a much more basic level.. Anyway, there's no point in digressing off-topic, even being cordial to each other, might as well just assume it might get closed for the tiniest reason.

    Happy "hunting"!
    Try harder!..
