Hi Backtrack users,

I have a 2wire 2701HG-G router (router+modem) and I am trying to have access to the advanced management panel. Let me explain.

This router comes from my ISP (and I bought it, not rented). There is a basic administration panel that I have access to where I can forward ports, setup my WiFi, remote access and more. This panel is available at my gateway address through HTTP.

There's also another administration panel (more advanced) allowing me to bridge connections, increase WiFi signal power, blocking websites and even more. This panel is available at a hidden URL ( http://192.168.1.254/mdc ), but it requires a password (serial number according to the label). I tried the one on my box and it isn't working. 2wire have a couple of keys on their site, but I tried them all. Not working.

Also, I found that my router is accessible remotely by default. This option can only be turned on from the "advanced" panel. It's available through SSL, port 50001. The protection there is an .htaccess.

Code:
root@azerox:~/hydra/dico# nmap ********* --version-all -PN

Starting Nmap 5.00 ( http://nmap.org ) at 2011-01-06 00:22 EST
Interesting ports on ************* (***************):
Not shown: 999 filtered ports
PORT      STATE SERVICE
50001/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 75.22 seconds
I'm a bit pissed off to have all these functions unavailable. I read a lot on the Internet, and nobody seems to have accessed this "advanced" panel. The only way to do so (that I found) is to flash the firmware using a firmware from another company (since the 2701HG-G is not available on the Internet). The bad thing about that is that the firmware isn't for this exact model, leaving some functions behind and probably making the router a bit unstable in some cases.

There's also a couple of exploit to reset the password available online, but I tried them all. I also read this post ( http://www.backtrack-linux.org/forum...ny-signal.html ) and it didn't gave me much information.

I contacted the tech support of my ISP (Bell Canada) and they don't want to help me out. They told me they don't have this information, but they sure do. They can reboot remotely any router they sold, and the only way the could is through this "backdoor".

The only ways I see to break in is by:


The good thing about cracking the HTTP form is that I only have to find the password, so only 1 field to have good. The bad thing is that the router reply after a request is really slow.

The good thing about cracking the .htaccess is that it's kind of fast (3000 tries per minute). The bad thing is that if I have the wrong login, I have to start all over again. I guessed the login to be admin or root.

The password list I am using is the "RockYou" one on this site: http://www.skullsecurity.org/wiki/index.php/Passwords.

I also thought about doing a "MITM" attack, by connecting myself between my router and the phone line, sniffing the path and asking them through tech support to reboot my router.

| ROUTER | -------- | MY PC | ----- | PHONE LINE | ----- | ISP|

When they send the request, I would intercept it. Since it's SSL 128-bit, I guess it's impossible to decode any information out of it, but still, just saying in case.

Any other idea to simplify this task?

I am running hydra right now. If you have any idea, please, reply!

Code:
hydra -S -s 50001 -l admin -P english.txt MY_IP_ADDRESS https-head / -v -V -t 30 -o match.txt
Thanks a lot!