More Progress Report


Rahat Mahbub

Oct 8, 2011, 4:54:32 PM
to wimax-...@googlegroups.com
I was able to port forward! (Finally!!!) And, yes, from the web
interface! But not the usual one.
Going to http://192.168.3.1/ leads me to a user webpage which allows nothing.

But I later found out about http://192.168.3.1/admin/
Now, that's where all the awesome stuff is, and with a GUI! I was
able to port forward, bridge the connection and even get an
IP passthrough!
There were options to change my Wimax frequencies, certificates etc.,
but mostly they looked useless.

However, there was a holy-grail-like thing, and that is, I could update
my firmware. After a whole lot of googling, I found a firmware to
download.
Link: http://www.multiupload.com/F0ZVJ25DRD

Couldn't properly open the .img file. (I really need help on this one.)
But using Notepad++, I got some legible strings at the very end, but I
could already read most of them from that maintenance shell thing.

So, my first problem was completely solved.

However, I stumbled upon a very interesting finding here. All the
modem/routers on the web have remote management disabled by default, and
that's why I went through the whole big procedure to get the web
interface via the maintenance shell.

Guess what, I was wrong.

All the routers on the web have admin remote management enabled by
default and there's no possible way to disable it. In simple English,
any http://180.234.XXX.XXX/admin/ is enabled and all have the default
password W1m@xm0deM. Shocking, huh?

That's not even the best part. Even if the victim knows and changes that
password via the web interface (given that you know that password in the
first place, which in very rare cases people do), and even in the extremely
rare case that you change the password, I can still change it via the
maintenance shell. And I am pretty sure absolutely no one knows about
the backdoor other than a handful of people (mostly engineers of my
ISP).

So, I started thinking: I have complete access to the router, and what can I do?
My first thought was to port forward everyone's port 445 and write a
script to automatically attack port 445 with the ms08-067 exploit. :-p
But I felt like I am too old for that, and also, who uses Windows XP anymore?

In the past, I have had enough fun with the ms08-067 exploit. I had a
small unimportant ISP who provided internet via broadband/DSL and you
just enter this huge LAN network with no port forwarding or public/real
IP. So, basically what I could do was hack into a lot of people's PCs
like that. The best part was, they assigned internet speed using MAC,
and via MAC spoofing I had a 5 Mbps speed and I paid only for 128
kbps. Roflmao. 5 Mbps is considered to be an extreme speed in my
country. Enough of that.

Anyways, back to where I was. I have complete access to a router, but
what can I do? I googled and googled, watched the defcon video of
hacking into millions of routers, but nothing interesting there for me,
and went to sleep.

I woke up with a dream of writing a script to automatically change the
DNS of every router using the backdoor, changing the DNS to a fake
one on my PC or a VPS, and all of them would lead to fake webpages. :-)
I didn't do or try it yet, but that's one of my top priorities right
now. Should be easy, and as you know, DNS spoofing like that means
no user would ever understand what happened, and their extremely
trusted antiviruses won't do them any good either. Who knows, I might
even be able to issue fake Windows updates like Comodohacker did.

Anyways, too many evil thoughts, and drifting too far away from Wimax
hacking. If I could pull that off, it would be awesome to show it to
my ISP or maybe even at the next defcon or W3C.

So, moving on to my next project progress.

I wanted to know other people's ISP passwords. The maintenance shell
couldn't even find me a hash, so fail on that.
Well, that's what I thought at first.

Almost everyone uses the router that I use, and it's the Sagem Gigaset
SX682 Wimax. However, they also have another router and it's called the
Qubee Tower modem, with built-in wifi, and they have discontinued that.
No manual or specification on that. I couldn't even find the modem's
real name or manufacturer.

But an nmap scan on the subnet helped find a pattern. All the SX682
routers have ports 53, 8085 and the infamous port 39 open. (Port 8085
gives the http interface.) However, on every subnet there would be one
or two with ports 22 and 80 open. So, I just visited one randomly
with my browser, and a router management web interface! I put in the
first username and password that came to my mind, and that is
admin:admin, and voila! I got in!

Here's a quick screen grab!

http://img41.imageshack.us/img41/6498/qubeeup6.jpg

And, yeah, I googled and googled but couldn't find any useful info on
the modem. Tried all common passwords on the SSH. But all failed.
They seem to use a custom version of the modem firmware because the
augerebd is another name for Qubee.

However, I found an awesome tool called RouterPassView from NirSoft
which allowed me to see the password for the ISP! Doing the same on my
modem gave me an output of passwordalreadyset.

So, I logged into the my.qubee.com.bd portal with that username and
password and voila, I saw his bills and all his personal info, where
he lives etc. But I realized that I hit the jackpot when I saw that he
uses a 4 Mbps connection! That's awesome.

I thought, Qubee isn't bad after all; they have discontinued these
modems because they have web management enabled by default and there
is no way to change the default password admin:admin (I am serious!).

So, I quickly changed my username and password in my router to that,
restarted it, and I was happily waiting for a 4 Mbps connection BUT I
didn't even get a connection. (Yes, I turned off that guy's router,
just to be on the safe side, and it was very late at night; I am
pretty sure no one was using the internet, so no harm done.) Yes, I
didn't even get a connection!! Not even an IP where I get to see the
portal.

I got very, very, very angry! I remember that when I went to subscribe
to the ISP, the technicians were talking and I eavesdropped and found
that they must note down the MAC address. Changed my MAC address from
the backdoor shell to that guy's router's MAC and still nothing. No
connection at all.

Finally, after a lot of trial and error, I realized that although I was
changing the MAC, and although the changed MAC was shown on the
web interface, it wasn't really changing. Typing "cbe showmacaddress",
which directly communicates with the Sequans wimax chipset, always gives
me the default MAC address, and there's no option to change that.

So about my third project: the only way I can get to use high speed or
other people's internet connection is by changing the MAC and knowing
their username and password. Each set of username and password has only
one MAC address assigned to it.

I am pretty sure the only way to do that would be by getting root
access, and the only way to get root is by tearing it apart and probing
the JTAG. I hate hardware hacking. :'-(

So, my current projects are:
1. Find a way to change the mac and/or get root :)
2. Find a way to get the stored password in my modem because the
discontinued ones would soon vanish. Rooting might just enable me to
do it.
3. Do the whole DNS attack.

And one more thing. (I miss Steve Jobs.)
On the Qubee Tower modem, I couldn't get shell access, but just before
writing this article I tried telnet to the router with login and
pass admin:admin. And, voila, a backdoor/maintenance shell. Here's a
screen.
http://img265.imageshack.us/img265/5071/qubeeup7.jpg

It's pretty much useless, unlike the one on my modem, but yes, I am
pretty hopeful that it runs Linux. And, yes, the enable command should
let me get to the Linux/BusyBox shell, I assume. I really, really need
help in finding the login names and passwords; I tried the common ones
but all failed. I NEED HELP ON THIS!

Feel free to scan 180.234.XXX.XXX and get into other people's routers.
Although it's moving towards grey/black hat. Black or white, it
doesn't really matter when we are all hackers (by Michael Jackson,
maybe not the hacker part. :-p) Try some stuff and you might find
something awesome that I overlooked, or have any thoughts.

And, yeah, Qubee has already breached section 8 clause 3 in their
contract (yes, I read the whole contract and it was painful) which
states that they will protect the customer info. But I got access,
remember. If not, I saw where a guy lives, saw his phone number, email
etc.

A few more things (a bit of important stuff, mainly comparing the state
of Clear Wimax and Qubee)

From the defcon video I have gathered that Clear only used the MAC
address to authorize and give access to the internet. And they only had
the EAP authentication framework. You guys have also suggested them to use
the username and password authentication system.

From the looks of it, Qubee is way more secure. They have 3 options,
EAP, EAP-TLS and EAP-TTLS, which you can choose from the admin access
of the web interface. It also implements the username and password
system and also the good old MAC address.

And I have more or less hacked most of it.
Basically, if I can finish up with my current projects, WiMax would be
hacked as good as WEP is hacked, as long as there are no new measures
to protect it, which I will break again. :-p


If Qubee or the frontiers of Wimax don't hire me as their engineer
to fix their junk, I am going to put a civil class action lawsuit
against them (my father, my elder sister and basically half of my
family are lawyers :-p). Just kidding!

P.S. Google rejects me from posting from the main thread page. Can the
owners please fix that?


On Oct 9, 12:23 am, Abdul Baacit Fankorhogo Coulibaly
<maragoretti1...@gmail.com> wrote:
> Really and cool research you're welcome bro we are going to make deep
> founding on that
> keep the good job up
>
> 2011/10/6 Rahat Mahbub <bluedevi...@gmail.com>
>
> > I just got my Wimax modem yesterday. After a whole 2 days of hacking
> > with random guesses, I found you guys. Google had been pretty much
> > helpless as all of the firmware is proprietary.
>
> > Here's, what I have found or done.
>
> > The modem is a Gigaset SX682 Wimax manufactured by Sagem.
>
> > The web interface has no default pass but quite a long time back
> > W1m@xm0deM was the default password for the web interface.
> > There is no way to update firmware from the user side, I can't change
> > anything useful from the web interface. The Authentication is done via
> > username and password that you get when you register.***
>
> > I got shell access (yaaay!!!)  (hopefully, running linux :-p )
>
> > The default username and password is admin and W1m@xm0deM
>
> > http://imageshack.us/photo/my-images/6/qubeeup1.jpg/
>
> > From the looks of it, it's for maintenance.
>
> > I can spoof mac, change the default DNS and basically do all sorts of
> > crazy stuff.
>
> > The modem runs using sequans chipset.
>
> > Here's the really awesome part. Pictures are louder than words. :-p
>
> > http://imageshack.us/photo/my-images/135/qubeeup2.jpg/
> > http://img839.imageshack.us/img839/7747/qubeeup3.jpg
>
> > It looks like I can sniff, spoof and get all sorts of incredible wimax
> > data using this cbe command, that controls the sequans chipset.
>
> > That isn't even the best part.
>
> > The best thing is, every modem from the company has port 39 and port
> > 53 open to the internet. And, port 39 is the port for that maintenance
> > shell thing. It's nowhere in the crappy 15 page manual (the pages are
> > really tiny, btw). I did some research using my social engineering
> > skills and no one knows about this. Google says the same. I have tried
> > and succeeded in accessing every user's router through that with those
> > default user and pass and using that, I was even able to get the web
> > based interface running and I could access their router config via the
> > interwebs! I am pretty sure it's possible with all of 150,000 users
> > they have!
>
> > Future Projects (Or stuffs, I would appreciate help with)
>
> > 1. Port Forward from the web interface (I can't port forward for god's
> > sake! The shell allows it but I didn't check it as I speak)
> > 2. Get other people's password. or use other people's internet.
> > (here's a few screenshots of what happens when I have had gotten a web
> > interface of someone's modem via the internet.
> > http://img204.imageshack.us/img204/8538/qubeeup4.jpg.
> > So, I can see the username but not the password.
> > Here's the Mac.
> > http://img713.imageshack.us/img713/6440/qubeeup5.jpg)
> > I can already see the username and mac. Only knowing the password
> > would do the trick. I have looked in the router using the shell, but I
> > can't even find it stored in an encrypted version but it should be
> > there. Or, I might need to get root to get that.
>
> > 3. Most importantly, I need to find a way to use the maximum possible
> > internet speed and get past the download limit. Hopefully, solving my
> > second problem should do that.
>
> > Although, a few of my plans might look very black hat, but i am more
> > of a grey hat. My name is going on Apple's hall of fame for finding a
> > security vulnerability on their website. :) So, I am a certified white
> > hat. :-p
>
> > Anyways, I know I am far from root (assuming it's a linux box) But,
> > not bad for 2 day's work especially with no documentation. Let's hope,
> > tearing apart the modem would get me root.
>
> > Any follow up, help or even you guys being interested would greatly be
> > appreciated. Wimax is fairly new but we all know that it's the next
> > big thing. And, we are the only few hackers at the moment. So, you get
> > it, I would really appreciate any sort of help or reply or you can ask
> > me for any help as well.
>
> > Thanks,
> > Rahat Mahbub
>
> > ***I don't think it's mac based cause I spoofed mac and got internet
> > access with it but again, I am not sure if it worked
>
> > P.S. Datarate limiting didn't work very well for the first few months,
> > when they were released. But, works damn good now! Curse them!
>
> > P.P.S. I am from Bangladesh and there are 2 WiMax companies and I am using
> > Qubee!
>
> > --
> > You received this message because you are subscribed to the Google Groups
> > "wimax hacking" group.
> > To post to this group, send email to wimax-...@googlegroups.com.
> > To unsubscribe from this group, send email to
> > wimax-hackin...@googlegroups.com.
> > For more options, visit this group at
> > http://groups.google.com/group/wimax-hacking?hl=en.

Rahat Mahbub

Oct 8, 2011, 5:11:52 PM
to wimax hacking
I forgot! OpenVPN on port 53 doesn't work on Qubee either. They give
it a deserted IP! Looks like Qubee is very secure!

Rahat Mahbub

Oct 8, 2011, 5:24:49 PM
to wimax hacking
And, Yes, I was wrong about the mac address thing on the first
progress report. They do check for mac, I learned the had way though.

On Oct 9, 3:11 am, Rahat Mahbub <bluedevi...@gmail.com> wrote:
> I forgot! OpenVPN on port 53 doesn't work on Qubee either. They give

Rahat Mahbub

Oct 8, 2011, 5:25:25 PM
to wimax hacking
hard*

sumon

Mar 30, 2012, 9:56:10 AM
to wimax-...@googlegroups.com
I have a Qubee modem. But I cannot connect and cannot use the internet. How can I connect it?


MD.SAYAD HUSSAIN

Jul 19, 2012, 4:17:06 AM
to wimax-...@googlegroups.com
Join the Facebook page to get tips on Wimax hacking! http://www.facebook.com/pages/IT-Mania/448466408507025
On Wed, Jul 18, 2012 at 12:36 AM, Rashid Alam <rat...@gmail.com> wrote:
hi, I know it's a late (very!) reply to your post but I'm stuck exactly where you are. From the modem side Qubee is pretty secure (for now);
their company server, not so much ;). But getting past the download limit is the holy grail now and not making much progress there.

Just wanted to ask if you had any success using the IP passthrough mode, having troubles there.
The SX682's port forwarding is just "clumsy". Just using the DMZ now; a router handles ports now.
Also, did you manage to JTAG it?

Have fun hacking :)

To view this discussion on the web visit https://groups.google.com/d/msg/wimax-hacking/-/jtWbzdrtz7MJ.



--
---SHOFI™---

Eraj Khan

Jul 20, 2012, 6:12:21 AM
to wimax-...@googlegroups.com
Successfully hacked the Banglalion wimax modem, both prepaid and postpaid.
To learn more, mail me at eraj....@gmail.com. Only Bangladesh.

2012/7/19, MD.SAYAD HUSSAIN <shof...@gmail.com>:

obrielle jade

Jul 26, 2012, 7:31:07 PM
to wimax-...@googlegroups.com
hi there, I'm from the Philippines and I have a disconnected Huawei BM622i modem powered by Globe Telecoms (you can find that on Google). I can't change its MAC value even in telnet. All other config and settings can be changed under telnet, but the MAC address command doesn't work. Please help...

Eraj Khan

Aug 7, 2012, 6:27:08 AM
to wimax-...@googlegroups.com
You should try Tmac. Google it.

2012/7/27, obrielle jade <nido...@gmail.com>:

Ahmmasum97

Dec 11, 2012, 12:52:23 PM
to wimax-...@googlegroups.com
hi,
Rahat Mahbub
I liked your post at techtunes and here.
You did a good job.
I have a "Banglalion" prepaid modem.
CAN YOU GIVE ME A SOLUTION TO FREE USE?

MANY MANY THANKS..........


Ahmmasum97

Dec 25, 2012, 12:52:25 PM
to wimax-...@googlegroups.com


On Tuesday, December 25, 2012 11:36:32 PM UTC+6, Ahmmasum97 wrote:
HI EVERYONE,

username: admin
password: admin

Here's the wimax 802.16e gateway's username & password (guaranteed by me).
In our country it's the largest wimax company.

Now, can anyone help me to use "free internet"?
Bye.

Ahmmasum97

Dec 25, 2012, 12:55:43 PM
to wimax-...@googlegroups.com
@Eraj

Please help me use free internet.
I have the same modem.

Munna Khan

Dec 15, 2013, 12:27:16 PM
to wimax-...@googlegroups.com

hello brother, I liked your post, please add me https://www.facebook.com/BdDoller
