Friday, June 21, 2013

Western Digital My Net N600 - telnet

For the people Google brought here who don't want the long story, here are the steps to get in:
1) Go in your router's address in your browser
2) Sign in
3) Navigate to http://192.168.1.xxx/telnet.php
   There is no link to this page in the settings so you do have to navigate there manually
4) Turn telnet on, save
5) Open a CLI window and run telnet 192.168.1.xxx
6) Username: Alphanetworks
7) Password: wrgnd16_wd_db600
8) (if the password is not wrgnd16_wd_db600, open the firmware in a hex editor and use the "signature")
------------------------------------------
I got a Western Digital "My Net N600" router for free thanks to Intel. One day I got bored and wanted to play around with it. A couple of hours later I finally managed to get in.
Lots of routers support telnet so I tried the command:
~$ telnet 192.168.1.1
Trying 192.168.1.1...
telnet: Unable to connect to remote host: Connection refused
I assumed I had to enable it. Nowhere in the router settings did it mention telnet. I almost gave up, but I found that Western Digital had put the source up for everyone to see (they had to, it was GPL). I downloaded the source and found that there is a telnet.php in the base directory; it looks half broken and no file links to it, but it still works.
~$ telnet 192.168.1.1
Trying 192.168.1.1...
Connected to 192.168.1.1.
Escape character is '^]'.
login: root 
Login incorrect
login: admin
Login incorrect
login: telnet
Login incorrect for 3 times
Connection closed by foreign host.
~$ 
What could the username be? I continued to try wd, westerndigital, mynet600, and more. When those didn't work, I did a grep search for telnetd with errors suppressed:
~/Downloads/MyNetN600_GPL_v1.04.16$ grep -R -i -n 'telnetd' * 2>/dev/null
...
templates/aries/wd/pro/rc/init0.S80telnetd.sh:9: telnetd -l /usr/sbin/login -u Alphanetworks:$image_sign -i br0 &
...
~/Downloads/MyNetN600_GPL_v1.04.16$ 
Out of the 161 lines returned, I found this command, which starts the telnetd server. I had found my username! But it wasn't going to be easy. I noticed that the second half (the password) was $image_sign, a variable, so I opened that script and found that $image_sign was the contents of a file:
image_sign=`cat /etc/config/image_sign`
And that file didn't exist! When the firmware is built, image_sign gets generated, and I had no idea what the generated string would be. I consulted some people on some imageboards; one person suggested that "$image_sign should be in plaintext inside the firmware image." I grepped the file for image_sign, but it wasn't there. I couldn't give up because I was so close, so I opened up the firmware in a hex editor and this is what I first saw:
53A3A417 0000001C 00000000 7369676E ^...........sign
61747572 653D7772 676E6431 365F7764 ature=wrgnd16_wd
5F646236 30300000 5EA3A417 00000024 _db600..^......$
Aha! So it was saved as "signature" rather than image_sign! I had the username/password combo Alphanetworks:wrgnd16_wd_db600, and we were good to go!
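The dump above is enough to see how the record is laid out. As an added example (my code, not the author's), here is a small audit check of the kind a firmware review should run before shipping: it walks records of that shape, pulls out key=value payloads, and flags a telnetd start line whose -u password is a shell variable that resolves to a static string baked into the image. The 4-byte tag / 4-byte big-endian length / 4 reserved bytes layout and the image_sign-to-signature mapping are assumptions inferred from the post's dump and grep output.

```python
import re
import struct

# Constructed input: the three hex-dump lines quoted in the post (48 bytes).
FIRMWARE_SLICE = bytes.fromhex(
    "53A3A417 0000001C 00000000 7369676E"
    "61747572 653D7772 676E6431 365F7764"
    "5F646236 30300000 5EA3A417 00000024"
)
# The telnetd start line grep found in init0.S80telnetd.sh (quoted from the post).
INIT_LINE = "telnetd -l /usr/sbin/login -u Alphanetworks:$image_sign -i br0 &"
# Assumed: /etc/config/<shell var> is generated from this record key at build time.
VAR_TO_KEY = {"image_sign": "signature"}
# Assumed record layout, inferred from the dump: 4-byte tag, 4-byte big-endian
# payload length (0x1C = 28 = len("signature=wrgnd16_wd_db600") + 2 NULs),
# 4 reserved bytes, then the payload.
HEADER = struct.Struct(">III")

def iter_records(blob):
    """Yield (tag, payload) for each complete record; stop at a truncated one."""
    off = 0
    while off + HEADER.size <= len(blob):
        tag, length, _reserved = HEADER.unpack_from(blob, off)
        start = off + HEADER.size
        if start + length > len(blob):
            break  # payload runs past the end of the data: truncated record
        yield tag, blob[start:start + length]
        off = start + length

def key_value_records(blob):
    """Return {key: value} for NUL-padded printable-ASCII payloads of the form key=value."""
    found = {}
    for _tag, payload in iter_records(blob):
        try:
            text = payload.rstrip(b"\0").decode("ascii")
        except UnicodeDecodeError:
            continue
        if "=" in text and text.isprintable():
            key, _, value = text.partition("=")
            found[key] = value
    return found

def hardcoded_telnet_login(init_line, blob):
    """Return (user, password) when telnetd's -u password is a shell variable that
    resolves to a static string stored in the image; None means no such finding."""
    m = re.search(r"-u\s+([^\s:]+):\$(\w+)", init_line)
    if not m:
        return None
    user, var = m.group(1), m.group(2)
    value = key_value_records(blob).get(VAR_TO_KEY.get(var, var))
    return (user, value) if value else None
```

The second header in the dump (tag 5EA3A417, length 0x24) has no payload in the 48-byte slice, so the walker stops there instead of reading past the end.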
~$ telnet 192.168.1.1
Trying 192.168.1.1...
Connected to 192.168.1.1.
Escape character is '^]'.
login: Alphanetworks
Password: wrgnd16_wd_db600

BusyBox v1.14.1 (2012-12-14 15:43:34 CST) built-in shell (msh)
Enter 'help' for a list of built-in commands.

# help

Built-in commands:
------------------
        . : break cd continue eval exec exit export help login newgrp
        read readonly set shift times trap umask wait

# uname -a
Linux MyNetN600 2.6.31--LSDK-9.2.0_U8.834-svn4367 #1 Fri Dec 14 15:43:09 CST 2012 mips GNU/Linux
# cat /proc/version
Linux version 2.6.31--LSDK-9.2.0_U8.834-svn4367 (bouble_hung@Zeus) (gcc version 4.3.3 (GCC) ) #1 Fri Dec 14 15:43:09 CST 2012
# exit
Connection closed by foreign host.
tachis@Tachis-LT:~$ 
Apparently a Google search for wrgnd16_wd_db600 yields no results, so I would never have found it without the hex editor.
I had fun, and hopefully someone else might be able to log into their router too.

Tuesday, March 12, 2013

Evil Experts-Exchange

Without a doubt, when I search for a computer-related problem, Experts-Exchange pops up, taunting me with the answer but asking me to pay to view it.

But that's not evil, right? They are providing a service for money. What is particularly evil about whoever designed this site is that they display the answers to the search engine bots, so that their pages look more relevant and rank higher in the results. Also, the snippet Google shows will usually contain almost the whole answer, trying to pull you in to pay.

There used to be a flaw in their plan. Whenever someone found their site, they would view Google's cached version and were able to see the "hidden" answers. However, they have pulled the cached version, so that option is not available anymore. So what do we do?

Enter User Agent Switcher. When you visit a site, your browser tells the server which browser you are using to help the server display its contents. Well, Experts-Exchange decided that they are going to display their results to the Google Bot, and by using User Agent Switcher you can pretend to be the Google Bot. After installing User Agent Switcher, go to Tools -> Default User Agent -> Spiders -> Google Bot 2.1, and visit the site. Scroll down to the bottom to read the results for free. Just remember to switch it back to default when you are finished.