Comments on: Dumping the admin password of the BT Home Hub

By: point

point — Sat, 30 Oct 2010 05:30:34 +0000

Iused three methods so far nothing good I tryed with recovery get serial but then i enter it i got wrong serial number then i use gdi i get 12 numberer and guy dont know what router is so it gonna be long waiting. anu suggestions

By: Ash

Ash — Mon, 23 Aug 2010 00:17:44 +0000

Jakey haha thats just excelent, how did you figer that out lol

By: Homeseer

Homeseer — Fri, 08 Jan 2010 22:09:15 +0000

This is security through obscurity at it’s finest. Gotta love the lottery comment – perhaps if each attempt was the equivalent to purchasing a ticket, but since there’s zero cost to attempt it’s not exactly a robust analogy.

By: Ross

Ross — Fri, 25 Dec 2009 17:08:38 +0000

Please Ignore my previous post. Works perfectly on Winxp and BT3.

By: Ross

Ross — Fri, 25 Dec 2009 16:03:27 +0000

Using BT 3 I get the following (mdap-dump.py is running)

python mdap-send-ant-search.py
File "mdap-send-ant-search.py", line 1

By: Nagi

Nagi — Sun, 20 Dec 2009 02:35:51 +0000

Hi guys, I decided to stop using bthh. So I bought a drytek 2820n router. I was trying to get it to work but failed. At some stage of router installation it asks me for a username and password for WAN1, which, it says, I should had been given by my ISP – BT. Now, I don’t know where to get this details from? Any advice most appreciated.

By: Jakey

Jakey — Wed, 08 Apr 2009 12:20:27 +0000

Just go here and click on “Schedule your BT Home Hub upgrade” and you see your serial: http://pbteu.bt.motive.com/Ele.....adePortal/

Simple!

By: thomas smith

thomas smith — Tue, 24 Mar 2009 17:14:28 +0000

I can still confirm that bt homehubs are very insecure. I went to the router page and noticed that it shows you everyone who has logged on to your network going by computer name and mac address. My computer name kind of gives me away, so i looked at this for getting the admin password.

I can confirm the python scripts do work on windows using the method john smith said, but also confirm Robbies method works as well, and is a lot easier to do. You now have to go here to download the scripts: http://lab.gnucitizen.org/proj.....s-n-dumper

the software version is now 6.2.6H and even though i got the unique ID, I cant log on using it (with CP in front) someone said it prompts you to change it straight away now? I think im stuck or is there anything i can do to get it now?

By: Protect Your Wireless LAN… - Black-Delta.com

Protect Your Wireless LAN… - Black-Delta.com — Tue, 16 Dec 2008 22:05:39 +0000

[...] for your specific router (such as a script to challenge the router and spit a password out as seen here) they would know exactly what they are dealing [...]

By: Adrian 'pagvac' Pastor

Adrian 'pagvac' Pastor — Wed, 05 Nov 2008 22:03:12 +0000

@john smith: cool, nice to see it worked on Win for u. :)

By: john smith

john smith — Mon, 03 Nov 2008 14:33:18 +0000

It worked on python for windows for me. The standard 2.6 installer. I just ran the dump script by double-clicking. Then ran the fetch script by double-clicking. It took a couple of tries for the fetch but worked in the end. Of course, that password is only the admin password until the owner visits the hub’s homepage, whereupon they are required to set a new one immediately.

By: Craig

Craig — Wed, 17 Sep 2008 20:24:24 +0000

No matter, I have used aaron’s way of finding the SN by viewing the SSL certificate.

By: Craig

Craig — Wed, 17 Sep 2008 20:13:01 +0000

I’m attempting to run this on backtrack 3. I’ve run the scripts as you have said yet I get no feedback in Konsole.

bt ~# cd /tmp
bt tmp # python mdap-dump.py &
[1] 6763
bt tmp # python mdap-send-ant-search.py
ANT-SEARCH MDAP/1.1
46
bt tmp #

That is all I get. I’m connect as follows: Windows XP machine (192.168.1.164) > VMWare Bridge > backtrack 3 (192.168.1.78). Does this mean the network is secure?

By: Adrian 'pagvac' Pastor

Adrian 'pagvac' Pastor — Sun, 08 Jun 2008 09:36:40 +0000

@joe: the Python scripts we provided only seem to work in Linux (we tested them on backtrack 2 but should also work on bt3).

If you just want to get the Hub’s serial number prior to authenticating without using the MDAP protocol, then simply check ‘OU’ field of the SSL certificate as mentioned by Aaron on http://www.gnucitizen.org/blog.....-hub-pt-2/

You should be able to examine the Hub’s SSL certificate by accessing: https://api.home/ or https://192.168.1.254

By: Robbie

Robbie — Fri, 06 Jun 2008 11:28:10 +0000

just looking for some reason the home hub im testing has 6.2.6H firmware . It’s a new hub so i presume it must be 1.5 and its had fon opted in. any one else messed with this firmware?

By: Robbie

Robbie — Fri, 06 Jun 2008 10:25:45 +0000

for those on windows an easy way id say is to download http://static.btopenworld.com/.....y_626E.zip when it asks you for a username and password you can see next to the box with the serial number next to it http://i30.tinypic.com/35l82a9.jpg and voila you have the password for the hub

By: joe

joe — Fri, 30 May 2008 20:39:16 +0000

I’m running bthomehub-bb59 firmware version 6.2.6.E. where do i get the programs from to get it to work. will this work on windows xp or backtrack 3

By: Stephen

Stephen — Tue, 27 May 2008 16:14:25 +0000

To confirm from my post near the top – yes I’m on 6.2.6.E on a v1.5

By: Adrian 'pagvac' Pastor

Adrian 'pagvac' Pastor — Tue, 27 May 2008 12:22:12 +0000

After having observed BT's reaction to several Home Hub vulnerabilities published in the past, it's easy to notice BT's PR template. It kind of goes like this:

We do not believe any of our customers have been affected by this attack.

Such security research describes a theoretical attack.

In reality this translates to:

We are not aware of any attack performed in a _mass fashion_ which uses such vulnerabilities. Of course this doesn't mean such vulnerabilities have not been exploited in the wild. We know that most likely they *have* been exploited as they are practical. However, we don't want mainstream users (i.e: non-technical) to know this.

We want the public to think that such attack is not possible in real life, so they do not realize how bad the current state of the security of the Home Hub really is.

By: Dumping the admin password of the BT Home Hub (pt 2) | GNUCITIZEN

Dumping the admin password of the BT Home Hub (pt 2) | GNUCITIZEN — Tue, 27 May 2008 09:12:01 +0000

[...] of the BT Home Hub (pt 2) published: May 27th, 2008 This is just a quick update regarding our previous post which details how to extract the default admin password for the latest firmware of the BT Home Hub [...]