hacker:: [[turmio]]
 hacker:: ms

[[/VulnCoord]]  (2013)

We are hacking my actively used DSL-modem so some of the details will be on private side. Sorry about that.

[[/Private]]

== NMAP scans ==

=== LAN-side ===
{{{
$ nmap  -v -sT -p 1-65535 -A 192.168.1.1
...
Nmap scan report for 192.168.1.1
Host is up (0.019s latency).
Not shown: 65525 closed ports
PORT      STATE SERVICE     VERSION
21/tcp    open  tcpwrapped
22/tcp    open  ssh         Dropbear sshd 0.46 (protocol 2.0)
|_ssh-hostkey: 1040 7c:17:56:30:1e:48:96:50:8d:eb:ad:64:c9:93:ed:b4 (RSA)
23/tcp    open  telnet?
80/tcp    open  http        micro_httpd
|_http-methods: No Allow or Public header in OPTIONS response (status code 501)
|_http-title: Inteno Residential Gateway
139/tcp   open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
445/tcp   open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
1780/tcp  open  tcpwrapped
30005/tcp open  unknown
44401/tcp open  unknown
49431/tcp open  upnp        Belkin/Linksys wireless router UPnP (Linux 2.4; UPnP 1.0; BRCM400 1.0)
Service Info: OS: Linux; Device: router

Host script results:
|_smbv2-enabled: Server doesn't support SMBv2 protocol
| smb-os-discovery: 
|   OS: Unix (Samba 3.3.4)
|   Name: Unknown\Unknown
|_  System time: 2013-11-07 23:06:46 UTC+0

}}}

=== From Internet ===
{{{
Nmap scan report for x x 
Host is up (0.0097s latency).
Not shown: 55588 filtered ports, 9943 closed ports
PORT   STATE SERVICE    VERSION
21/tcp open  tcpwrapped
|_ftp-anon: ERROR: Script execution failed (use -d to debug)
22/tcp open  tcpwrapped
23/tcp open  telnet?
80/tcp open  http?

}}}


== Shell ==
 * Only one connection is allowed
 * You can get "real" shell instead of fronted by writing ''sh'' to shell

== Infos ==

{{{
# cat cpuinfo
system type             : 96368SV2
processor               : 0
cpu model               : Broadcom4350 V3.1
BogoMIPS                : 399.36
wait instruction        : yes
microsecond timers      : yes
tlb_entries             : 32
extra interrupt vector  : no
hardware watchpoint     : no
ASEs implemented        :
shadow register sets    : 1
core                    : 0
VCED exceptions         : not available
VCEI exceptions         : not available

unaligned exceptions            : 5451
}}}

{{{
# iptables -L   
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     udp  --  anywhere             anywhere            udp dpt:5060 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:5060 

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     udp  --  anywhere             anywhere            udp dpt:5060 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:5060 

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

}}}

##content goes here
 description:: Hacking Intenos VDSL -box
 started:: 2013-11-07
----
CategoryProjekti