Comments on: Dumping the admin password of the BT Home Hub (pt 2)

By: Andy

Andy — Mon, 15 Feb 2010 16:59:34 +0000

You can still get the serial. Go to https://api.home View the cert like said, but it’s simply the OU- organizational unit above serial number. Add CP to that string, and that’s the serial.

By: pwn-a-cycle

pwn-a-cycle — Fri, 30 Oct 2009 15:59:54 +0000

the link is http://www.josephn.net/downloa.....h_recovery

@fLaMePr0oF – seems you accidently appended a ).. to the url

By: fLaMePr0oF

fLaMePr0oF — Sun, 02 Aug 2009 03:49:40 +0000

Another method for getting the serial number of any BTHH is to download and run the latest BT Home Hub Recovery Tool 6.2.2.6 (can get it here: http://www.josephn.net/downloa.....h_recovery)… When the tool tries to access the HH and asks for authentication, the serial number will be displayed above the user/pass input fields.

(LoL @ BT for changing password to serial to improve security when serial can be accessed SO easily!)

By: Martin

Martin — Tue, 16 Jun 2009 10:01:46 +0000

Gary, that was perfect. I couldn’t get the other methods to work as I didn’t realise you had to add on the CP to the start of what was returned.

By: Gary

Gary — Sat, 15 Nov 2008 19:13:38 +0000

You can also get the Serial Number by visiting this page: http://pbteu.bt.motive.com/Ele.....adePortal/ and clicking on “Schedule your BT Home Hub upgrade”

or follow the link direct: http://pbteu.bt.motive.com/Ele.....hedule.jsp

This has to be done while connected to a HomeHub.

By: Adrian 'pagvac' Pastor

Adrian 'pagvac' Pastor — Sat, 31 May 2008 08:33:19 +0000

We got a winner :) I can confirm this works on the BT Home Hub v1, firmware 6.2.6.E. Good catch Aaron! Any other ideas on how to obtain the Hub’s S/N and therefore the default admin password? The more techniques the merrier!

btw, the troubleshooting page – which doesn’t require a password to be seen – *used to* include the S/N but BT removed such info in the latest firmware: https://api.home/cgi/b/bttroubleshooting/

By: Stephen

Stephen — Fri, 30 May 2008 16:28:10 +0000

I can verify that the OU of the SSL certificate gives the serial number on 6.2.6.E on my HH v1.5

Just point your browser to https://api.home/ and click examine certificate when prompted ;)

By: Aaron

Aaron — Thu, 29 May 2008 18:41:45 +0000

You can dump the serial number of the HomeHub 6.2.6.E by connecting to the HTTPS port and examining the SSL Certificate… the default OU of the certificate issuer is the serial number of the device…

Hence, the pwndhub I am currently using has just dished out this after I ran a Nessus scan on it…

OU = 0641EHJRR
O = THOMSON
CN = BT Home Hub

Please verify this works for others…

By: Adrian 'pagvac' Pastor

Adrian 'pagvac' Pastor — Wed, 28 May 2008 22:51:58 +0000

The serial number disclosure reported in this post was originally tested on a BT Home Hub running firmware version 6.2.2.6. However, it appears that BT has replaced such information with the Hub’s MAC address in the latest firmware (6.2.6.E at time of writing).

Since only the latest firmware uses the Hub’s serial number as the default admin password, the reported serial number disclosure via UPnP XML description files is NOT exploitable.

Nevertheless, the MDAP attack described in our previous post has been verified on the latest firmware and has been confirmed by several users both, on the BT Home Hub v1, and v1.5.

By: rishi

rishi — Wed, 28 May 2008 13:32:43 +0000

Have any flaws been found in the H firmware? Thanks!

By: Stephen

Stephen — Tue, 27 May 2008 16:24:47 +0000

Ok. Reading it in detail the upnp/IGD.xml file contains the following:

Device not enabled: UPNP-IGD

So at least it seems to be off. However the dslf/IGD.xml looks like it still offers services – does this mean that even turning off UPnP that one could still utilise the dslf stuff to pwn it?

By: pdp

pdp — Tue, 27 May 2008 16:21:13 +0000

even when you switch off UPnP the IGD description may still be present.

By: Stephen

Stephen — Tue, 27 May 2008 16:19:22 +0000

Apologies for three posts in a row but I just checked and UPnP is definitely switched off on my HH (I immediately disabled it on reading your initial HH posts some months ago).

Should these files still be available even when UPnP is off? Because they are…

By: Stephen

Stephen — Tue, 27 May 2008 16:15:19 +0000

Just to add that I’m on 6.2.6.E (forgot to mention that)

By: Stephen

Stephen — Tue, 27 May 2008 16:10:21 +0000

On my HH v15 the serialnumber field has the MAC address in it

By: MJW

MJW — Tue, 27 May 2008 13:48:59 +0000

I’m on 6.2.6.E and I’ve checked the IGD.xml file, the Serial Number field shows my MAC code not the serial number. Is this a change in 6.2.6.E?