ZyXEL Gateways Vulnerability Research (Part 2)
Here is the second version of the ZyXEL routers penetration testing paper. This second part of the paper is also fully practical just like the first one. No theory whatsoever, but rather real juicy attacks which is what we pentesters/whitehats are interested in (after all we need to be aware of what the bad guys can do)!
Unlike the first part of the paper, this one focuses more on attack techniques rather than newly-discovered vulnerabilities. A significant percentage of the content is dedicated to methods that allow attackers extract all types of passwords stored in the target router. For instance, we discuss extracting the admin password from a proprietary-format/non-human-readable config file (thanks to Kender Arg for his help with this). We also show how to phish the admin password via dynamic DNS poisoning! We also discuss a geek project that allows you to turn the ZyXEL Prestige P-660HW-T1 into a wardriving tool without having to install any additional tools on the router by using an expect script.
There are many more goodies such as attack scripts. Some of them were created to attempt to compromise a ZyXEL Prestige router (i.e.: password cracker), while others would be used after the target router has been compromised (i.e.: ping-sweeping script). Keep in mind that the scripts were only tested on ZyXEL P-660HW-T1 and provided for demonstration purposes only. Most likely, such scripts need to be modified to work on other models, although I have the suspicion that the password cracker script will work on most ZyXEL Prestige routers and perhaps ZyXEL ZyWALL firewalls.
I believe (or at least hope) that password hackers/pentesters and researchers interested in embedded devices security will learn something from this paper and hopefully be inspired to do more research in this fascinating area which I believe will be huge in the future (embedded devices security that is). Even if you are not the owner of a ZyXEL router I still recommend you to take a look at the paper, as many of the attacks featured can be applied to just any embedded device out there.
Also remember that ZyXEL Prestige routers are fairly popular in continental Europe and Latin America where they’re shipped by big ISPs such as Telefonica.