Hack remote adsl routers

Adsl Routers

ADSL routers are nowadays the most common hardware device used to connect to a broadband connection. The modem connects to the broadband service using a username/password. The PCs then connect to this router to form a local area network and use the router as their default gateway to the internet. So it is only the router that is directly connected to the internet, not the individual PCs. With a switch it is possible to connect multiple PCs to a single router, all of them sharing the same internet connection.

Now these routers are like mini computers that have many services running on them. The services are meant for administration and configuration. For example, most routers nowadays provide a web-based configuration interface on port 80, just like any website. So to configure your router you would open its IP address in your browser.

http://192.168.1.1/

The administration pages are always password protected. However, here lies the actual hack. Most routers are pre-configured with a default username and password, and manufacturers tend to keep it the same across all makes and models to keep things simple for users. The most common username/password combinations are admin/admin and admin/password.

Moreover, users are unaware of the fact that the router is exposed to the outer internet when online, which makes it remotely accessible. So if a hacker finds out the IP address, he can open it in his browser and get the same administration page. Next the hacker would try the default username/password combination to log in, which would work in most cases.

Search for routers

So the first step is to search for such online routers. The easiest way to do this is by searching the IP range of your own ISP: if you are using a router, then your ISP gave a router to other customers as well. So first find out your own IP address from ipmango.com. Let's say I found my IP address to be 122.166.106.164. Now I can scan the range of IP addresses keeping the first 3 octets constant, so the range is 122.166.106.1-255.

There are many tools that can be used for scanning IP ranges. Some of the popular ones are nmap and Angry IP Scanner; both of them are free. Angry IP Scanner is a GUI tool that is easy to use for beginners. It can scan a range of IP addresses to discover live hosts and can also scan selected ports on the online hosts.

Here I am going to use nmap, which is a command-line tool. Let's tell nmap to scan for open port 80 in that IP range and fetch the daemon banner for the port 80 service if available. The daemon banner is a quick way to distinguish between various types of ADSL routers.

Here is the command with full output.

$ sudo nmap -sS -sV -vv -n -Pn -T5 122.166.106.1-255 -p80 -oG - | grep 'open'
Host: 122.166.106.3 ()  Ports: 80/open/tcp//tcpwrapped///
Host: 122.166.106.4 ()  Ports: 80/open/tcp//http//micro_httpd/
Host: 122.166.106.9 ()  Ports: 80/open/tcp//tcpwrapped///
Host: 122.166.106.19 () Ports: 80/open/tcp//tcpwrapped///
Host: 122.166.106.20 () Ports: 80/open/tcp//http//Fortinet VPN|firewall http config/
Host: 122.166.106.23 () Ports: 80/open/tcp//tcpwrapped///
Host: 122.166.106.31 () Ports: 80/open/tcp//http?///
Host: 122.166.106.33 () Ports: 80/open/tcp//tcpwrapped///
Host: 122.166.106.35 () Ports: 80/open/tcp//http?///
Host: 122.166.106.37 () Ports: 80/open/tcp//http?///
Host: 122.166.106.49 () Ports: 80/open/tcp//http//Gadspot|Avtech AV787 webcam http config/
Host: 122.166.106.52 () Ports: 80/open/tcp//http?///
Host: 122.166.106.53 () Ports: 80/open/tcp//ssl|http//thttpd/
Host: 122.166.106.58 () Ports: 80/open/tcp//http?///
Host: 122.166.106.63 () Ports: 80/open/tcp//tcpwrapped///
Host: 122.166.106.69 () Ports: 80/open/tcp//http//Gadspot|Avtech AV787 webcam http config/
Host: 122.166.106.73 () Ports: 80/open/tcp//http//Allegro RomPager 4.07 UPnP|1.0 (ZyXEL ZyWALL 2)/
Host: 122.166.106.79 () Ports: 80/open/tcp//http//Apache httpd/
Host: 122.166.106.85 () Ports: 80/open/tcp//http//micro_httpd/
Host: 122.166.106.107 ()        Ports: 80/open/tcp//http?///
Host: 122.166.106.112 ()        Ports: 80/open/tcp//http?///
Host: 122.166.106.115 ()        Ports: 80/open/tcp//tcpwrapped///
Host: 122.166.106.123 ()        Ports: 80/open/tcp//tcpwrapped///
Host: 122.166.106.129 ()        Ports: 80/open/tcp//http//Allegro RomPager 4.07 UPnP|1.0 (ZyXEL ZyWALL 2)/
Host: 122.166.106.135 ()        Ports: 80/open/tcp//tcpwrapped///
Host: 122.166.106.145 ()        Ports: 80/open/tcp//http//micro_httpd/
Host: 122.166.106.149 ()        Ports: 80/open/tcp//http//Microsoft IIS httpd 6.0/
Host: 122.166.106.167 ()        Ports: 80/open/tcp//tcpwrapped///
Host: 122.166.106.170 ()        Ports: 80/open/tcp//http//Allegro RomPager 4.07 UPnP|1.0 (ZyXEL ZyWALL 2)/
Host: 122.166.106.186 ()        Ports: 80/open/tcp//http?///
Host: 122.166.106.188 ()        Ports: 80/open/tcp//tcpwrapped///
Host: 122.166.106.193 ()        Ports: 80/open/tcp//tcpwrapped///
Host: 122.166.106.202 ()        Ports: 80/open/tcp//http//Apache httpd 2.2.15 ((CentOS))/
Host: 122.166.106.214 ()        Ports: 80/open/tcp//tcpwrapped///
Host: 122.166.106.224 ()        Ports: 80/open/tcp//http//Allegro RomPager 4.51 UPnP|1.0 (ZyXEL ZyWALL 2)/

You might be surprised by the number of online hosts. The text that follows http// is the daemon banner. The entries that say "tcpwrapped" indicate the service is probably not accessible or is being blocked by some access control mechanism.
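As an added example (not part of the original post), here is a small Python parser for the nmap grepable (-oG) format shown above. A network owner auditing their own address range can use it to see which hosts expose an identifiable management banner, which are tcpwrapped, and which answered on port 80 with no recognisable banner. The sample lines are constructed in the same format as the scan above; the function names are my own.

```python
import re
from collections import Counter

# Constructed sample in nmap grepable (-oG) format, modelled on the scan
# shown above; the addresses and banners here are illustrative only.
SAMPLE_OUTPUT = """\
Host: 122.166.106.3 ()  Ports: 80/open/tcp//tcpwrapped///
Host: 122.166.106.4 ()  Ports: 80/open/tcp//http//micro_httpd/
Host: 122.166.106.53 () Ports: 80/open/tcp//ssl|http//thttpd/
Host: 122.166.106.73 () Ports: 80/open/tcp//http//Allegro RomPager 4.07 UPnP|1.0 (ZyXEL ZyWALL 2)/
Host: 122.166.106.107 ()        Ports: 80/open/tcp//http?///
Host: 122.166.106.150 ()        Ports: 80/closed/tcp//http///
"""

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\((.*?)\)\s+Ports:\s+(.*)$")


def parse_grepable(text):
    """Yield (ip, port, state, service, version) for each port entry.

    In -oG output every port is port/state/proto/owner/service/rpc/version,
    and nmap writes '|' in place of '/' inside the service and version fields.
    """
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        ip, _hostname, ports = m.groups()
        for entry in ports.split(", "):
            f = entry.split("/")
            if len(f) < 7:
                continue
            yield ip, int(f[0]), f[1], f[4].replace("|", "/"), f[6].replace("|", "/")


def summarize_exposure(text):
    """Group hosts with an open port by what the banner reveals."""
    summary = {"identified": Counter(), "tcpwrapped": [], "unidentified": []}
    for ip, _port, state, service, version in parse_grepable(text):
        if state != "open":
            continue  # closed/filtered ports are not exposed
        if service == "tcpwrapped":
            summary["tcpwrapped"].append(ip)  # access-controlled, banner hidden
        elif version:
            summary["identified"][version] += 1  # banner names the device/daemon
        else:
            summary["unidentified"].append(ip)  # e.g. 'http?': no banner matched
    return summary
```

Feed it the output of `nmap ... -oG -` for your own range and the "identified" counter tells you at a glance how many management interfaces are reachable from the WAN side.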

Now try opening some of these IP addresses in your browser and you should get a login prompt. Try logging in with the following username/password combinations.

username : admin
password : admin or password

These are the most common default logins for commercial ADSL routers. Either of them should work on some of the routers. If the router's default login has been changed by the user, then it won't work.

Exploiting routers

Stealing username/password

Routers can be exploited in many ways. Once the attacker gets inside the router's admin panel, he can change the settings in any way he likes. The username/password for the internet connection are stored in plain text in the router's configuration pages, so the hacker can steal them from there.

DNS hijacking

An attacker might change the DNS servers to hijack all DNS queries that pass through the router. For example, if you have configured the network settings of your computer to use the router as its DNS server, and your ISP provides DNS servers to the router while establishing the connection, then all DNS queries generated by the computers are sent to the router, which in turn forwards them to the ISP's DNS servers.

An attacker can override these settings to save a specific DNS server IP and use it instead of the ISP-provided DNS servers. In such a scenario the requests would be sent to the malicious DNS server configured by the hacker, who might have it set up to redirect users to a phishing page or something similar.

Rebooting the router

Hackers might reboot the router to hamper the users' internet connectivity. The reboot option is available in the administration panel and even in the telnet console.

DoS attack on the router

The hacker might also try some kind of DoS attack on the router. This will either crash or hang the router. In most cases a hung router is difficult to detect: the lights on the router blink as normal, but internet connectivity slows down or ceases. Users might think the internet is down on the ISP's side and simply wait.

Automated scripts can be written in Python or C that craft and carry out such DoS attacks very well. This can effectively degrade internet connectivity for multiple users connected to that ISP.

Since routers are very limited in resources like memory and CPU, they are weak at handling malicious traffic. For example, malformed packets or too many TCP SYN packets on a port can cause the router to hang or freeze temporarily or even permanently.

Secure your routers

Now that you know how hackers can target routers to mess up the internet connection or even steal usernames/passwords, the next thing to do is to secure your own router.

1. Change the default username/password - This will make it nearly impossible for a hacker to get in.

2. Disable remote administration - The router should be configurable only from the local network or LAN.

3. Disable WAN ping reply to avoid detection - Configure the router not to reply to ping requests from the WAN side (that is, the internet).

Following the above steps should secure the router well enough. Note that step 3 only hides the router from ping sweeps; the nmap command above uses -Pn and probes port 80 directly, so it is steps 1 and 2 that actually keep attackers out.

Last Updated On : 15th May 2013


6 Comments

  • YES!! It's easy to exploit 32500 IP addresses, plus the SSID and password, and get access to the router user/password dump. For example, when 192.168.1.1/rom-0 is hit in a web browser it automatically downloads the "rom-0" file, and decoding it on Kali Linux OS makes it easy to decode the router access password. I think the ISP does not protect the client router, and it is easy to DNS-attack by other Black Hat Hackers.

  • Normally, how can a hacker enter into a PC connected to that network via this ADSL hack and get access to that PC remotely?

  • Please, can the hacker use the internet from the router remotely?
    Thanks for your reply.

  • Default config, or do it the hard way with the rom-0 exploit.

  • No open port, what should I do?

  • This works. Shocking that ISPs don’t secure these properly.
