 defconoi
join:2007-04-11 Phoenix, AZ
| Qwest VDSL Modem HACKED
Don't mind the topic, it seems Qwest is logging on to our modems to send updates and view our usage. Possibly limit speed and other things. Anyways, Qwest choice online sends out a VDSL modem called an N3 etherset that was made by Next Level Communications, which is now Motorola. I plugged in my etherset/modem and changed my computer IP to 10.0.0.2 and set my gateway to 10.0.0.1 with a mask of 255.255.255.0.

Now once connected I nmap -v -v -sS -T5 -A -p 1-65302 10.0.0.1 and look what I found:

Interesting ports on 10.0.0.1:
Not shown: 63257 filtered ports, 2043 closed ports
PORT STATE SERVICE VERSION
23/tcp open telnet?
80/tcp open http (NetPort embedded httpd 1.1)
| HTTP Auth: HTTP Service requires authentication
|_ Auth type: Basic, realm = index.html
|_ HTML title: Site doesn't have a title.
MAC Address: 00:90:DB:09:38:27 (Next Level Communications)
Device type: broadband router|general purpose
Running (JUST GUESSING) : XAVi embedded (89%), Novell NetWare 6.X (86%), Microsoft Windows 2000|XP (86%), Scientific Atlanta embedded (85%)
OS fingerprint not ideal because: Timing level 5 (Insane) used
Aggressive OS guesses: Xavi 7001 DSL modem (89%), Novell NetWare 6.5 Open Enterprise Server (86%), Microsoft Windows 2000 SP4 or Windows XP Professional SP1 (86%), Scientific Atlanta WebSTAR EPC2203 cable modem (85%)
No exact OS matches for host (test conditions non-ideal).
TCP/IP fingerprint by osscan system #2: SCAN(V=4.50%D=1/11%OT=23%CT=53%CU=33127%PV=Y%DS=1%G=N%M=0090DB%TM=478848E1%P=i686-pc-linux-gnu) OPS(O1=%O2=%O3=%O4=%O5=%O6=) WIN(W1=0%W2=0%W3=0%W4=0%W5=0%W6=0) ECN(R=Y%DF=Y%T=3C%W=0%O=%CC=N%Q=) T1(R=Y%DF=Y%T=3C%S=Z%A=S%F=AR%RD=0%Q=) T2(R=Y%DF=Y%T=3C%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=) T3(R=Y%DF=Y%T=3C%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=) T4(R=Y%DF=Y%T=3C%W=0%S=A%A=S%F=R%O=%RD=0%Q=) T5(R=Y%DF=Y%T=3C%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=) T6(R=Y%DF=Y%T=3C%W=0%S=A%A=S%F=R%O=%RD=0%Q=) T7(R=Y%DF=Y%T=3C%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=) U1(R=Y%DF=N%T=1E%TOS=0%IPL=38%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=0%RUL=G%RUD=G) IE(R=Y%DFI=S%T=1E%TOSI=S%CD=Z%SI=S%DLI=S)
Network Distance: 1 hop
Read data files from: /usr/local/share/nmap
OS and Service detection performed. Please report any incorrect results at »insecure.org/nmap/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 72.629 seconds
Raw packets sent: 67047 (2.951MB) | Rcvd: 68584 (3.820MB)

Now I see a telnet server, and I logged in and checked the firmware.

root@ubuntu:~# telnet 10.0.0.1
Trying 10.0.0.1...
Connected to 10.0.0.1.
Escape character is '^]'.
*** Logged on to NLC Bridge Etherset *** Type close to log out. Type ? for help.
> ?
Commands available:
close - Close this telnet connection.
version - Print firmware version number.
> version
VERSION: 12.107 Dec 21 2000 15:05:14 /view/data247view
LOADER VER: 12.7
BOOT IMAGE: B
DOWNLOAD GEN: 2
DOWNLOAD VER: 10
DIAGNOSTIC: 00000000
> close
Connection closed by foreign host.

It looks like there aren't many commands available, but... port 80 is still open and has a web server for statistics, logs, remote admin, firmware updates, etc. Unfortunately I have not cracked the password yet. If anyone has the password for basic HTTP auth on this etherset I would appreciate it, just to see exactly what Qwest has access to, because I do not appreciate unwarranted snooping and I, like most humans, fear the unknown. So if a Qwest employee could give an explanation I would appreciate it. There are enough privacy concerns online with the NSA into everything and ISPs spying on users for profit; I would like to know that my privacy is still intact.

Thank you, defcon |
|
 colorbars
join:2003-03-20 USA
| Where in all that is any proof that anyone is actually logging into your modem?
The default password is "password" (as 30 seconds on Google should have told you) and if the password has not been changed, the only way you can log in is from the LAN side. |
|
 defconoi
join:2007-04-11 Phoenix, AZ | Did Google tell you the username? |
|
 defconoi
join:2007-04-11 Phoenix, AZ | Yea, I've been searching Google for 6 hrs for a password, haven't found a thing. What may this webserver on the etherset be? |
|
 uwsherm
join:2002-08-21 Seattle, WA
| reply to defconoi
said by defconoi: I plugged in my etherset/modem and changed my computer ip to 10.0.0.2 and set my gateway to 10.0.0.1 with a mask of 255.255.255.0

That's the internal interface, not the one visible to the Internet or Qwest. Those open ports you're seeing are for management of the modem/router from your LAN, not anything evil Qwest might be doing. |
|
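Added example, not part of any post in this thread: a small Python audit of the scan output quoted above that reports whether the scanned address is a private (LAN-side) one and which open management services carry logins without encryption. The sample input is the thread's port table with line breaks restored; the function and variable names are illustrative.

```python
import ipaddress
import re

# Constructed sample: the port table from the scan posted in this thread,
# with the line breaks restored.
SAMPLE_SCAN = """\
Interesting ports on 10.0.0.1:
Not shown: 63257 filtered ports, 2043 closed ports
PORT   STATE SERVICE VERSION
23/tcp open  telnet?
80/tcp open  http    (NetPort embedded httpd 1.1)
|  HTTP Auth: HTTP Service requires authentication
|_   Auth type: Basic, realm = index.html
"""

HOST_RE = re.compile(r"^Interesting ports on ([0-9.]+):")
PORT_RE = re.compile(r"^(\d+)/(?:tcp|udp)\s+open\s+(\S+)")


def audit_scan(text):
    """Return (host, lan_side, findings) for one host's nmap normal output."""
    host, lan_side, findings = None, None, []
    port = service = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := HOST_RE.match(line):
            host = m.group(1)
            # is_private is True for RFC 1918 space such as 10.0.0.0/8,
            # which is not routed on the Internet.
            lan_side = ipaddress.ip_address(host).is_private
        elif m := PORT_RE.match(line):
            # nmap appends "?" when it is guessing the service name.
            port, service = int(m.group(1)), m.group(2).rstrip("?")
            if service == "telnet":
                findings.append((port, "telnet: management session is unencrypted"))
        elif line.startswith("|") and "Auth type: Basic" in line and service == "http":
            # Script output lines belong to the port line above them.
            findings.append((port, "HTTP Basic auth without TLS: password is only base64-encoded"))
    return host, lan_side, findings


if __name__ == "__main__":
    host, lan_side, findings = audit_scan(SAMPLE_SCAN)
    print(f"{host}: {'private (LAN-side) address' if lan_side else 'publicly routable address'}")
    for port, issue in findings:
        print(f"  port {port}: {issue}")
```

A private address only shows which interface was scanned; it says nothing about what the provider-facing side of the device exposes.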