/Taking Back What Is Already Yours: Router Wars Episode I

Taking Back What Is Already Yours: Router Wars Episode I


I have been living in my current apartment for more than a year now and I noticed I have never inspected my router which was provided by my ISP when I moved in. The only thing I changed in router is the default login password(admin/password) to the web interface. So I decided to take a more detailed look.

It is an Huawei HG253s router and is widely used by Turkcell Superonline customers since it comes with the internet plan. Actually, Turkcell Superonline enforces the use of these modems by not allowing devices whose MAC addresses are different than these pre-registered Huawei routers. It is possible to do a MAC cloning with another router but still you need to buy one of these pre-registered Huawei routers to learn a legit MAC address.

The first thing I did was initiate a fast nmap scan on the router to see if there is open ssh or telnet port.

1
2
3
4
5
6
7
8
9
10
11
12
13
$ nmap -F 192.168.1.1
Starting Nmap 7.80 ( https://nmap.org )
Nmap scan report for 192.168.1.1
Host is up (0.0018s latency).
Not shown: 95 filtered ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
443/tcp open https
631/tcp open ipp

Nmap done: 1 IP address (1 host up) scanned in 7.24 seconds

We can see that there is an ssh port open. So let’s try to connect with admin user:

1
2
$ ssh admin@192.168.1.1
Unable to negotiate with 192.168.1.1 port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1

This is an unexpected response. The router offers legacy diffie-hellman-group1-sha1 key exchange method. According to this openssh page:

OpenSSH supports this method, but does not enable it by default because is weak and within theoretical range of the so-called Logjam attack.

But we can enable it with KexAlgorithms option. So let’s try again:

1
2
$ ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 admin@192.168.1.1
Unable to negotiate with 192.168.1.1 port 22: no matching cipher found. Their offer: 3des-cbc

Again another legacy offer. Let’s enable the cipher and connect again:

1
2
$ ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -oCiphers=+3des-cbc admin@192.168.1.1
admin@192.168.1.1's password:

Now it asks password but what is it? I tried the default password(superonline) and the password I set to the web interface with no luck. After a little bit search on the internet I found out there is another user called Root(surprise!) goes by R8Ibq_2K15Gna as the default password for my firmware version HG253sC01B039. One more time then:

1
2
3
4
5
6
7
$ ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -oCiphers=+3des-cbc Root@192.168.1.1
Root@192.168.1.1's password:
PTY allocation request failed on channel 0
-------------------------------
-----Welcome to ATP Cli------
-------------------------------
ATP>

It worked but I don’t know what ATP Cli is. Again after a little bit of search on the internet reveals it is some kind of control/test interface that should respond to some commands. I tried some commands but only help returned a response.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
ATP>shell
shell
ATP>sh
sh
ATP>whoami
whoami
ATP>date
date
ATP>help
help
Welcome to ATP command line tool.
If any question, please input "?" at the end of command.

ATP>

We know it is responsive since it returned a response to help command but it is obviously highly restricted. I tried to find my version of the firmware (which is the latest one by the way) to get my hands on this ATP Cli binary but it turned out that neither Huawei nor Turkcell Superonline has published any version of the firmware. It is very unusual. There should be an upgrade mechanism since I know there are routers running older firmware. So I decided to sniff my router’s network.

In order to achieve this, I gathered two USB-ethernet convertors and my debian laptop. I will use bridge-utils and a network sniffer’s favorite tool: Wireshark. To create a bridge, run:

Then bond interfaces to the bridge:

1
brctl addif br0 eth0 eth1

Disable multicast snooping

1
echo 0 > /sys/devices/virtual/net/br0/bridge/multicast_snooping

And run wireshark on eth0 or eth1. Note that both interfaces are in promiscuous mode.

Interesting! After initializing PPPoE session, we can see a DNS query is made for acs.superonline.net and a TLS connection made to that IP address. Due to the nature of TLS connections, it isn’t possible to see the content of the communication but we can assume the router uses TR-069 protocol since ACS most probably stands for Auto Configuration Server which is an element of this specification. And better than that, probably it is used to upgrade firmware thus we may sniff it over the air.

This is the end of first part. In the next part, I’ll try to sniff the communication between acs.superonline.net and my router and also modify it if it’s applicable/necessary.

Original Source