Comments on: Hacking The Interwebs

By: RSA Conference: Web Page Can Take Over Your Router «

RSA Conference: Web Page Can Take Over Your Router « — Fri, 04 Jul 2008 23:23:11 +0000

[...] for some time how their default passwords can be misused by attackers. Three months ago, hackers showed how a similar attack could be launched, exploiting a flaw in the way Universal Plug-and-Play works [...]

By: CoffeeAddict » Flash voor al uw hacktivisme…

CoffeeAddict » Flash voor al uw hacktivisme… — Fri, 04 Jul 2008 09:50:08 +0000

[...] Kwam via via hier terecht. [...]

By: pdp

pdp — Sat, 28 Jun 2008 21:13:54 +0000

looks like an interesting read… but I cannot read Spanish, just yet.

By: josman

josman — Sat, 28 Jun 2008 21:10:57 +0000

Hello blog very interesting. This week I found another talk about where things very interesting. Here I leave the address:
http://informaniaticos.blogspot.com/

By: pdp

pdp — Tue, 27 May 2008 06:55:34 +0000

all you need is a database of endpoints. that’s all. you don’t even need to fingerprint.

By: Adrian 'pagvac' Pastor

Adrian 'pagvac' Pastor — Mon, 26 May 2008 19:55:04 +0000

@nanard: how hard is it to setup a DB of most common UPnP port number/UPnP SOAP URL combinations?

Home routers can be fingerprinted using JavaScript among other methods, so this attack is trivial to mount once you have a decent database.

By: nanard

nanard — Mon, 26 May 2008 16:46:54 +0000

You are right when you say that 99% of the home routers can be found by probin 192.168.0.1, 192.168.0.254, 192.168.1.1 and 192.168.1.254. But that won’t give you neither the port nor the Path for the request. There is NO standard port for UPnP HTTP SOAP. (I’m not talking about SSDP). And different vendors do use differents ports (for example : 2468, 5440, 6688). Also the path is almost always different depending on the router vendor. The Linksys WRT54G (fw v2.02.7) does prefix the URL used with the device UUID. You just cannot guess that ? : /uuid:000625d7-caf9-0006-25d7-caf90232011c/WANPPPConnection:1

linksys rocks :)

By: jimbo

jimbo — Mon, 21 Apr 2008 15:53:50 +0000

Sorry but this is nothing new, it was mentioned at the last brumcon

By: Requisiti minimi » Blog Archive » PortMap 1.0

Requisiti minimi » Blog Archive » PortMap 1.0 — Wed, 16 Apr 2008 14:19:13 +0000

[...] di questo protocollo, perché se da una parte semplifica la vita, dall’altra apre la strada a diverse vulnerabilità, soprattutto se nel router viene lasciata la possibilità di accedere da amministratore tramite la [...]

By: Inseguridad en UPnP. » Vida Casi Digital

Inseguridad en UPnP. » Vida Casi Digital — Fri, 11 Apr 2008 20:19:11 +0000

[...] Hacking The Interwebs: http://www.gnucitizen.org/blog.....interwebs/ [...]

By: B Onward Srl » Blog Archive » Con un sito ti cracco il router

B Onward Srl » Blog Archive » Con un sito ti cracco il router — Wed, 09 Apr 2008 20:36:33 +0000

[...] remota da parte del malintenzionato. Una tattica simile a quella circolata qualche mese fa, diretta verso la funzionalità UPnP, che autorevoli fonti da tempo suggeriscono di [...]

By: Con un sito ti cracco il router | FDS

Con un sito ti cracco il router | FDS — Wed, 09 Apr 2008 17:57:03 +0000

[...] tattica simile a quella circolata qualche mese fa, diretta verso la funzionalità UPnP, che autorevoli fonti da tempo suggeriscono di [...]

By: Il ReteGiornale» Informatica » Con un sito ti cracco il router

Il ReteGiornale» Informatica » Con un sito ti cracco il router — Wed, 09 Apr 2008 01:02:07 +0000

[...] remota da parte del malintenzionato. Una tattica simile a quella circolata qualche mese fa, diretta verso la funzionalità UPnP, che autorevoli fonti da tempo suggeriscono di [...]

By: Web page can take over your router | ::Tech Cry::

Web page can take over your router | ::Tech Cry:: — Tue, 08 Apr 2008 02:21:06 +0000

By: Web page can take over your router | InfoWorld | News | 2008-04-07 | By Robert McMillan, IDG News Service

Mon, 07 Apr 2008 23:59:34 +0000

By: pdp

pdp — Sat, 15 Mar 2008 16:47:40 +0000

Ken,

keep also in mind that even if you choose a different IP address from the default one, your router still can be discovered by name. Most of the time it is simply called home. In the case of BT home hub it is know as api. Therefore, request to api or home will result to requests to your router no matter what the IP address is.

By: Ken Jackson

Ken Jackson — Sat, 15 Mar 2008 16:11:31 +0000

@pdp: “Home routers are located on 192.168.0.1, 192.168.1.1, 192.168.0.254 or 192.168.1.254 and this is the case with %99.9 if not %100 of all cases.”

Years ago, when I first setup my home router, I chose an IP network range that was different than any of those. I reasoned it would be more secure if I denied an attacker a default.

But I never really knew of any attack that I was protecting myself from–until now. Thanks for the article.

By: pdp

pdp — Sat, 08 Mar 2008 10:44:57 +0000

if UPnP is enables and it supports interesting methods such as SetDnsServer, etc then it is almost certain that someone can own them. Keep in mind though that some devices show that this method is supported although when used it is evident that it hasn’t been implemented.

By: ionstorm

ionstorm — Sat, 08 Mar 2008 05:28:46 +0000

excellent article, I have something to contribute although I am not familiar with upnp very much but I have found some interesting things with ferret on my lan:
It seems all new 2WIRE Home Gateways have upnp enabled when you enable remote access to admin your router via your web browser, I have found all these files:

http://ubuntu-debs.googlecode......xml.tar.gz
via: http://qwestcustomer-ip-address/upnp/*

I have reason to believe all these companies customers are effected: http://2wire.com/index.php?p=2

While I was taking a look at these xml files it looks like people can take full control of all these 2WIRE modems which hundreds of thousands of people use, including AT&T/qwest customers. I may be completely wrong. With access to xml files with commands to change passwords and modify firewall rulesets like I have found with my own router is scary lol.

Let me know what you think of these files, can someone take full control over these routers?

By: pdp

pdp — Sat, 01 Mar 2008 21:41:15 +0000

this is very interesting and quite unfortunate. you have to investigate to see what are the damages.