Hacking into the BSNL Router using Andriod |
Hacking into the BSNL Router using Andriod
Author: Rishabh Dangwal 
See Also
Recently I was at home, playing with my BSNL router. For those who don't know what BSNL is, its the AT & T of India, known for very bad customer support :)
In this article, I will walk you through step by step illustrations on how to hack into your local router and explore it inside out. Though I am using my BSNL router here but steps and method will be similar for your modem/router as well.
Router Configuration
BSNL router is manufactured by SemIndia and distributed by ITI. It follows the tracks of using firmware of different routers (Broadcom to be specific, BCM6338 stands for Broadcom router firmware version 96338, deployed in US robotics ones and some other popular routers). Mine is DNA-A211-1, one of most popular ones in India.
Hacking Router with Android
I didn't had a PC (trashed due to burnt ram), so I have to do everything on my Android. Though the screenshots are small, it is great to see that you can hack anywhere at any time using Android mobile.

To start with, I telnet into my router with my credentials and I am greeted with welcome screen as shown in screen below,
Once you are in, first step will be to figure out what are the services it has to offer, so I typed the usual 'help' and found following commands. 
I started with basic command, "swversion" to get the version. Then with some hunting, I came to know that "sh" command runs over my router, ran it and voila, familiar interface of busybox snaps in.  
Great, now thats worth something. For those who don't know hat busybox is, its a multicall binary. My android has it too. Seeing the version made me tick, it was running an older version of busybox.

Then I tried ls command, but it didn't work, hence tried "echo *" and it showed up everything as seen below  
Next comes the magic command "cat /etc/passwd" and there we go again. 
After that, I went on exploring other directories. Got into CVS and found information regarding CVS and pserver, note worthy one is the credentials of pserver. 
Not much of an interest though as they are of a private LAN. On googling, I found out that account belonged to XYZ (name changed for privacy), employee at SIEMIndia.

Next, I moved on to /etc directory, 
lots of directories here, as a rule of thumb I opened default.cfg 
Generic stuff, but what caught my eye was this line,  
ppp_conId1 userName="multiplay" password="kIMa1bXVsdGlwbGF51AG" 
This might come in handy (use your creativity :)).

But then I thought that why not to access the router from web interface. Logged in to it and then went to "management" and downloaded the backupsettings.conf file,
On opening, it was like as shown below,  
I was not able to find the above credentials in it, hence I came to a conclusion that they must be somewhat for internal purposes.

Moving on, I thought why not to try to create an arbitrary file . Tried following command  
echo 'rishrockz' >> rdx 
But it failed. It was not easy to figure out the writable directory as I was not able to determine the file permissions since this version of busybox doesn't has ls or stat command.

Finally little bit of exploring found that /var is writable. Tried creating a file again, it succeeded ! 
Well, there is lot more to explore, this is just tip of iceberg! Next time I am be thinking of going to compile programs ( and copying over them using echo (once I get a PC), I have got some nice ideas and will be hacking with them.

In the mean time, for those who are wondering what this machine has, here is the bootup log. 
This article is published "as is" without any warranty, written truely for educational purposes. Neither the author nor SecurityXploded is responsible for misuse of the knowledge presented in this article.
In this article, you have learnt how to hack into your own router and explore it from inside out. Here are few take away from this article,
  • Code can be run over the router, but files must be copied using echo (-ne with append option) or tftp. Since busybox is there, we can easily insert a kernel module to be run.
  • The webs directory has a lot of html files, maybe manipulated for possible XSS attacks
  • Private CVS information of Siemindia pserver left out in device :) Bad practice, wrong guy can use it in insider attack to steal the code as they are often tied up with loose credentials !  
See Also