3/26/2021

Zxhn H108N Password
The prompt will change to CLI which is similar to Cisco routers, so I try for help.

I was playing around with the ZXHN H108N (ZTE) for quite a while now, and to be honest, I have a lot to talk about here, but in this article, the topic is hacking ZXHN H108N router to access the shell, using the Telnet connection.

Note: part two can be found here: ZXHN H108N Router Web-Shell and Secrets.
Note: Telnet port must be open for this scenario to work; usually port 23 is open for LAN connections and filtered/closed for WAN connections. It is also worth mentioning that all the scripts below can run on both Linux/Unix and Windows machines.

Access Points (Wireless Home Routers), as you may already know, provide lots of services, such as DHCP, DNS, wireless connection, firewall, and so on. These services must run on top of an OS, which is usually Linux; in fact I don't know of an AP that runs on something different (if you disagree, please comment it down). The scenario here will describe my story step-by-step on how I managed to get root access to the OS, so this is not a tutorial, this is my story, my personal experience.

The information provided here is for educational purposes only, and you are not allowed to use any of these techniques to attack or even probe others, which, if done, can by law be considered a crime.

This tutorial was written in June 2014, and posted somewhere else (including on my old blog). I reviewed everything and fixed some errors; I also created new scripts and hosted them online for public use.

Scanning for Open Ports

So, the first thing to do is to scan the ports, detect the OS and get any other information available. For that I usually use nmap, but first let us see my connection information (as proper information gathering should be). Please note that I am on a Linux machine; nevertheless I will explain how to get the same results on a Windows machine when applicable. First, get the IP address using the ifconfig command:

[Figure: Getting the Machine IP Address.]

So, our target/gateway is on 192.168.1.1 (not always the case, so it is always a good idea to check). On a Windows machine, to get the same results, as you may already know, you can use the ipconfig command (one command to reveal both the IP and gateway addresses):

[Figure: Getting the Gateway Address on a Windows Machine.]

All the above is basic stuff. Port scanning:

[Figure: Port Scanning Using nmap tool.]
I used a fast scan (-F option) for no reason really, well, maybe just to make it faster, but proper information gathering should check all ports (TCP and UDP). The -O flag is for OS detection (for more information about nmap command, please visit: ).

As we can see in the results above, the OS is Linux 2.6.9-30 and there are three ports open, one of them is port 23/tcp telnet. Whenever I see telnet available I think to myself "This should be fun", and it was.

Gaining Access

The next thing is to try and connect to the router using a Telnet client (if you are on Windows you should install it first by going to Control Panel > Programs and Features > Turn Windows features on or off). Anyway, here is the result from my first attempt to connect:

[Figure: Connecting to the AP using Telnet.]

We need the username and password to access the CLI (Command Line Interface). I just tried a couple of random usernames, and I discovered that I had 3 attempts before the connection is closed by the host.

As for the password, I tried a couple of known passwords such as toor, root, admin, admin123, etc.

[Figure: CLI, Testing the Password Manually to Capture the Error Message.]

I could go on for hours/days/weeks, but I want to access the shell and I want it NOW! And yes, I am impatient, sorry about that, I guess.

Hacking ZXHN H108N Router by Brute-Force

So, what do we have so far?

- IP address (gateway: 192.168.1.1)
- Telnet access (TCP/23)
- Username: root
- Bad password message

I need the password, with a cup of coffee with crème, and no sugar please.

After I got over my depression, which took me a while, I decided to write my own script (in Python) to crack the password.

I guess) his name is Swami Chinmayananda, once said: reaching the ideal is not the goal.

Important to know that I edited the wordlist file to have only lowercase characters, 3 to 6 characters long, and without a character repeated more than twice.
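As an added example (not the author's script and not part of the original post), this is a password audit check for the wordlist filter described above: it reports whether a router password falls inside that lowercase, 3 to 6 character space and how large the space is. It assumes "repeated more than twice" means total occurrences of a character; the function names are hypothetical.

```python
import re
from math import comb

MIN_LEN, MAX_LEN = 3, 6   # length range stated in the post
MAX_REPEAT = 2            # assumption: limit on total occurrences of one character
ALPHABET = 26             # lowercase a-z only


def audit(password: str) -> list:
    """Return the properties that put a password OUTSIDE the described space.

    An empty list means the password is inside it, so a wordlist filtered
    this way can contain it."""
    reasons = []
    if not MIN_LEN <= len(password) <= MAX_LEN:
        reasons.append("length outside 3-6")
    if not re.fullmatch(r"[a-z]*", password):
        reasons.append("uses characters other than a-z")
    if any(password.count(c) > MAX_REPEAT for c in set(password)):
        reasons.append("a character occurs more than twice")
    return reasons


def space_size(length: int) -> int:
    """Count lowercase strings of `length` where no letter occurs more than MAX_REPEAT times."""
    # dp[k] = number of valid strings of length k built from the letters handled so far
    dp = [1] + [0] * length
    for _ in range(ALPHABET):
        new = [0] * (length + 1)
        for k, ways in enumerate(dp):
            for j in range(MAX_REPEAT + 1):      # j copies of the next letter
                if ways and k + j <= length:
                    new[k + j] += ways * comb(k + j, j)  # choose their positions
        dp = new
    return dp[length]


def total_space() -> int:
    """Upper bound on candidates: a real wordlist filtered this way is a subset."""
    return sum(space_size(n) for n in range(MIN_LEN, MAX_LEN + 1))


if __name__ == "__main__":
    # Passwords mentioned in the post
    for pw in ("toor", "root", "admin", "admin123", "public"):
        print(f"{pw!r}: {audit(pw) or 'inside the described space'}")
    print("upper bound on candidates:", total_space())
```

A password for which `audit` returns an empty list offers no protection beyond the size of that space, whatever the per-connection attempt limit is.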
Note: the script is dirty, I know that, and I don't really care, all I want is the password. If you don't like it, have a banana, but please don't fire back on me in the comments section, because, sigh, I am too old, and too tired. Believe me, you don't want to read my medical history; the medieval period of European history has fewer events than my medical history.

Bingo! The password is public. Note that I cheated in the above test, because the original run took me over 10 hours and I forgot to take a snapshot, so yes, that happened. OK, time to test:

[Figure: Access to the CLI.]

Explanation: Connect to 192.168.1.1:23 (telnet). Enter the user name and password (root/public).