1 files changed, 195 insertions, 0 deletions
diff --git a/informationals/teso-i0017.txt b/informationals/teso-i0017.txt
new file mode 100644
index 0000000..40c621a
--- /dev/null
+++ b/informationals/teso-i0017.txt
@@ -0,0 +1,195 @@
+0017 2000/02/25  Information on how to exploit Lancity cablemodems
+==== TESO Informational =======================================================
+This piece of information is to be kept confidential.
+===============================================================================
+Description ..........: Cablemodems from Lancity are funny.
+Date .................: 2000/02/25 00:00
+Author ...............: zap
+Publicity level ......: unknown
+Affected .............: LCPet10, probably the whole product-family
+Type of entity .......: 
+Type of discovery ....: 
+Severity/Importance ..: medium, since not usable by script-kiddies
+Found by .............: zap
+Prelude =======================================================================
+Lancity Cablemodems are very popular amongst cablenet-providers.
+At least in Austria they are used almost everywhere.
+When I started investigating the ugly thing under my desk I found it very hard
+to gain ANY information about these modems, nowadays sold by Nortel Networks.
+I've been in my town's cablenet for about a year which is operated by not very
+competent persons, so this information might not be of any or limited use
+in professionally administrated environments.
+Basics ========================================================================
+The modem uses the very primitive "Internet Boot Protocol" (RFC951, bootpd(8))
+for gaining basic network information like IP-address, netmask, bootserver and
+so on.
+From the bootserver it downloads it's configuration-file (RFC1533) via TFTP 
+(RFC783, tftp(1), tftpd(8)) which contains a MD5-digest generated from a 
+64-byte key. It might also download a upgrade-file after that.
+This generally happens on power-up, although I have found my pet reconfiguring
+itself after a while occasionally.
+The configuration-file contains information about Tx/Rx-frequencies, bandwidth,
+SNMP-manager-IP's, client-IP's/MAC's, SNMP-community-names and so on.
+After the modem is up & running it accepts SNMP-commands from IP's listed as
+managers.
+Let's party ...
+1. SNMP-managing your modem ===================================================
+Since the SNMP used doesn't use another authentication than the IP-address and
+the SNMP-community-name (which is often something like 'private'), it's easy
+to modify and read some interesting values, where most of them are related to
+filters. Some networks allow IP only so it's not possible to use other
+protocols such as IPX (lots of games) - this behaviour can be changed.
+Note that it's generally a good idea to disconnect the modem from the rest of
+the net while doing this because the manager is very often a Windows-box which
+are known to start crying upon a IP-conflict - causing a perceived IP-conflict
+would be like calling your provider and telling him that you're having fun with
+your modem.
+However if you're sure nothing will happen you can also change the settings
+of other modems.
+Finding a manager-IP is quite easy (at least in my case, I'm not sure if it's
+the same everywhere), just watch the network-traffic: If there is some host
+which is periodically pinging modems it is a manager.
+Use it's IP (and eventually MAC) to SN-manage your modem.
+IMHO this should work in most of the cases, let's get to something
+really interesting:
+2. Configuring your modem from ground-up ======================================
+As I said, the configuration-files contains a MD5-digest.
+I have found some providers using the default-key that comes with the lc-modems
+(including my provider), so I assume that this is a fact (let me know if I'm
+wrong). I have tried to change my modem's key once and I didn't succeed -
+maybe it ain't possible at all? (not likely)
+If you're able to produce a valid config-file for your modem you can do magic
+things like expanding your modem's bandwidth to 10mbit, increasing your net-
+work priority and so on.
+Let's assume you've got your modems "secret" key for now.
+You'll need a config-file (no matter if cleartext or binary, since you can 
+decode the binaries) used in your network.
+Attempt to tftp to the manager and request files like 1.cfg, 1.md5, test.md5
+and so on; Be creative.
+The file-naming depends on your provider, but they most likely use some
+file-name which is somehow related to your ip, your name, your modem's ip or
+something. You don't actually need _your_ configuration, any would do.
+Some also run quite braindead TFTP-daemons, try to request ../autoexec.bat
+for example - if this works you might be able to retrieve other useful
+information (as for example the non-standard key!).
+Another way would be to try sniffing TFTP-requests from your or other modems
+to find out filenames, try unplugging the network-side while your modem is
+booting (check the leds) and see if it sends the request to your side.
+If your modem requests a file like '212.md5' chances are big that you'll be
+able to request '212.cfg' from the manager's tftpd (although you don't
+necessarily need the cleartext-file).
+Once you got the needed information, download the modem's update-file from the
+manager (if mentioned in the cfg) via TFTP, build a valid config-file, encode it
+and try to feed it to your modem:
+Configure a bootpd-server (see bootpd(8)), edit your bootptab (see bootptab(5)),
+set up your tftpd and copy the needed files there.
+The bootptab-entry for my modem looked like this:
+mypet:ht=ether:ha=0000CA066166:bf=mypet.md5:ip=10.10.0.15:sm=255.0.0.0:to=3600:sa=10.0.0.58
+ha: ethernet-address, you'll get this by watching the network-traffic
+bf: md5-encoded bootfile
+ip: your modem's ip (use the ip your provider gave your modem!!)
+sm: subnet-mask
+to: timeout
+sa: tftp-server to be used (your box!)
+I noticed that my modem always prepended the bootfile-name with a '/', so the
+tftpd-server didn't serve the file the modem wanted, however a small hack to
+tftpd made this work.
+Once you get this running (watch the LEDs) you've won. You can modify the
+modem's behaviour to your wishes.
+Once again, DON'T CHANGE your modem's or your ip-address. Even if you've got
+dumb administrators they will catch you someday (I can tell from experience).
+Another good idea is NOT to open your modem (=breaking the seal) cause even
+if they get suspicious and want the modem back they won't be able to prove that
+you've manipulated the modem.
+Pretty wild, but let's push it a little further...
+3. Making your modem half-promicious ==========================================
+This one is quite tricky.
+It's very important that your modem forwards any data with any MAC&IP-address
+from your side to the network - this can be easily done by reconfiguring your
+modem (set MaxNodes > 1, ClientEnetAddr & ClientIpAddr to all 0's).
+I might have used a special sniff-configuration where the gateway and my box
+were the only allowed clients - I can't clearly remember this, you'll have to
+try both variations.
+Ok, this is how it's done:
+- Power-off the modem
+- Start sending some data (I think I used ICMP-pings) with the *SAME* MAC
+  and IP as the gateway (or the host you want to sniff) has
+- Power-on the modem
+- Configure it as described in 2.
+- Stop sending data after a while
+I remember that the timing was very vital to perform this correctly! If it
+works you'll immediately see LOTS of network-traffic.
+My theory on how this works:
+The modem communicates with a so-called Head-End-Controller (read the Lancity-
+docs) and it tells the controller which IP and MAC (I think the MAC is
+essential) it's client(s) has. The controller routes all the stuff for this MAC
+to your segment, where your modem will again route it thankfully to you.
+This is why I call it "half-promicious" - you'll only get the stuff that other
+clients send to the gateway, not the other direction.
+However one way of the traffic is enough to sniff. Simply patch tcpdump a
+little to log anything you've ever wanted to know about your neighbours.
+In a earlier state of investigation I found out that sending faked ARP-queries
+(you, with the same MAC & IP as the gateway, want to know the MAC of some dummy
+host) made the modem route stuff on the cable destinating to the gateway
+to you. The disadvantage is that you'll only get stuff which is on your segment
+only and this might be very little interesting data.
+Appendix ======================================================================
+This document might be slightly inaccurate, but it all worked for me.
+I'm very curious about feedback, corrections and clarifications.
+The needed files (cfg-file-en/decoder, snmp-vars-documentation, general lcpet-
+documentation, patched tftpd, default-key, sample-cfg's etc.) should be
+available as teso-lancity-x.x.tar.gz in teso's internal file-area.
+Have fun.
+===============================================================================

diff --git a/informationals/teso-i0017.txt b/informationals/teso-i0017.txt new file mode 100644 index 0000000..40c621a --- /dev/null +++ b/informationals/teso-i0017.txt
@@ -0,0 +1,195 @@
	1	0017 2000/02/25 Information on how to exploit Lancity cablemodems
	2
	3	==== TESO Informational =======================================================
	4	This piece of information is to be kept confidential.
	5	===============================================================================
	6
	7	Description ..........: Cablemodems from Lancity are funny.
	8	Date .................: 2000/02/25 00:00
	9	Author ...............: zap
	10	Publicity level ......: unknown
	11	Affected .............: LCPet10, probably the whole product-family
	12	Type of entity .......:
	13	Type of discovery ....:
	14	Severity/Importance ..: medium, since not usable by script-kiddies
	15	Found by .............: zap
	16
	17	Prelude =======================================================================
	18
	19	Lancity Cablemodems are very popular amongst cablenet-providers.
	20	At least in Austria they are used almost everywhere.
	21
	22	When I started investigating the ugly thing under my desk I found it very hard
	23	to gain ANY information about these modems, nowadays sold by Nortel Networks.
	24
	25	I've been in my town's cablenet for about a year which is operated by not very
	26	competent persons, so this information might not be of any or limited use
	27	in professionally administrated environments.
	28
	29	Basics ========================================================================
	30
	31	The modem uses the very primitive "Internet Boot Protocol" (RFC951, bootpd(8))
	32	for gaining basic network information like IP-address, netmask, bootserver and
	33	so on.
	34
	35	From the bootserver it downloads it's configuration-file (RFC1533) via TFTP
	36	(RFC783, tftp(1), tftpd(8)) which contains a MD5-digest generated from a
	37	64-byte key. It might also download a upgrade-file after that.
	38
	39	This generally happens on power-up, although I have found my pet reconfiguring
	40	itself after a while occasionally.
	41
	42	The configuration-file contains information about Tx/Rx-frequencies, bandwidth,
	43	SNMP-manager-IP's, client-IP's/MAC's, SNMP-community-names and so on.
	44
	45	After the modem is up & running it accepts SNMP-commands from IP's listed as
	46	managers.
	47
	48	Let's party ...
	49
	50	1. SNMP-managing your modem ===================================================
	51
	52	Since the SNMP used doesn't use another authentication than the IP-address and
	53	the SNMP-community-name (which is often something like 'private'), it's easy
	54	to modify and read some interesting values, where most of them are related to
	55	filters. Some networks allow IP only so it's not possible to use other
	56	protocols such as IPX (lots of games) - this behaviour can be changed.
	57
	58	Note that it's generally a good idea to disconnect the modem from the rest of
	59	the net while doing this because the manager is very often a Windows-box which
	60	are known to start crying upon a IP-conflict - causing a perceived IP-conflict
	61	would be like calling your provider and telling him that you're having fun with
	62	your modem.
	63
	64	However if you're sure nothing will happen you can also change the settings
	65	of other modems.
	66
	67	Finding a manager-IP is quite easy (at least in my case, I'm not sure if it's
	68	the same everywhere), just watch the network-traffic: If there is some host
	69	which is periodically pinging modems it is a manager.
	70	Use it's IP (and eventually MAC) to SN-manage your modem.
	71
	72	IMHO this should work in most of the cases, let's get to something
	73	really interesting:
	74
	75	2. Configuring your modem from ground-up ======================================
	76
	77	As I said, the configuration-files contains a MD5-digest.
	78	I have found some providers using the default-key that comes with the lc-modems
	79	(including my provider), so I assume that this is a fact (let me know if I'm
	80	wrong). I have tried to change my modem's key once and I didn't succeed -
	81	maybe it ain't possible at all? (not likely)
	82
	83	If you're able to produce a valid config-file for your modem you can do magic
	84	things like expanding your modem's bandwidth to 10mbit, increasing your net-
	85	work priority and so on.
	86
	87	Let's assume you've got your modems "secret" key for now.
	88
	89	You'll need a config-file (no matter if cleartext or binary, since you can
	90	decode the binaries) used in your network.
	91
	92	Attempt to tftp to the manager and request files like 1.cfg, 1.md5, test.md5
	93	and so on; Be creative.
	94	The file-naming depends on your provider, but they most likely use some
	95	file-name which is somehow related to your ip, your name, your modem's ip or
	96	something. You don't actually need _your_ configuration, any would do.
	97	Some also run quite braindead TFTP-daemons, try to request ../autoexec.bat
	98	for example - if this works you might be able to retrieve other useful
	99	information (as for example the non-standard key!).
	100
	101	Another way would be to try sniffing TFTP-requests from your or other modems
	102	to find out filenames, try unplugging the network-side while your modem is
	103	booting (check the leds) and see if it sends the request to your side.
	104
	105	If your modem requests a file like '212.md5' chances are big that you'll be
	106	able to request '212.cfg' from the manager's tftpd (although you don't
	107	necessarily need the cleartext-file).
	108
	109	Once you got the needed information, download the modem's update-file from the
	110	manager (if mentioned in the cfg) via TFTP, build a valid config-file, encode it
	111	and try to feed it to your modem:
	112
	113	Configure a bootpd-server (see bootpd(8)), edit your bootptab (see bootptab(5)),
	114	set up your tftpd and copy the needed files there.
	115
	116	The bootptab-entry for my modem looked like this:
	117
	118	mypet:ht=ether:ha=0000CA066166:bf=mypet.md5:ip=10.10.0.15:sm=255.0.0.0:to=3600:sa=10.0.0.58
	119
	120	ha: ethernet-address, you'll get this by watching the network-traffic
	121	bf: md5-encoded bootfile
	122	ip: your modem's ip (use the ip your provider gave your modem!!)
	123	sm: subnet-mask
	124	to: timeout
	125	sa: tftp-server to be used (your box!)
	126
	127	I noticed that my modem always prepended the bootfile-name with a '/', so the
	128	tftpd-server didn't serve the file the modem wanted, however a small hack to
	129	tftpd made this work.
	130
	131	Once you get this running (watch the LEDs) you've won. You can modify the
	132	modem's behaviour to your wishes.
	133
	134	Once again, DON'T CHANGE your modem's or your ip-address. Even if you've got
	135	dumb administrators they will catch you someday (I can tell from experience).
	136	Another good idea is NOT to open your modem (=breaking the seal) cause even
	137	if they get suspicious and want the modem back they won't be able to prove that
	138	you've manipulated the modem.
	139
	140	Pretty wild, but let's push it a little further...
	141
	142	3. Making your modem half-promicious ==========================================
	143
	144	This one is quite tricky.
	145	It's very important that your modem forwards any data with any MAC&IP-address
	146	from your side to the network - this can be easily done by reconfiguring your
	147	modem (set MaxNodes > 1, ClientEnetAddr & ClientIpAddr to all 0's).
	148	I might have used a special sniff-configuration where the gateway and my box
	149	were the only allowed clients - I can't clearly remember this, you'll have to
	150	try both variations.
	151
	152	Ok, this is how it's done:
	153
	154	- Power-off the modem
	155
	156	- Start sending some data (I think I used ICMP-pings) with the SAME MAC
	157	and IP as the gateway (or the host you want to sniff) has
	158
	159	- Power-on the modem
	160
	161	- Configure it as described in 2.
	162
	163	- Stop sending data after a while
	164
	165	I remember that the timing was very vital to perform this correctly! If it
	166	works you'll immediately see LOTS of network-traffic.
	167
	168	My theory on how this works:
	169	The modem communicates with a so-called Head-End-Controller (read the Lancity-
	170	docs) and it tells the controller which IP and MAC (I think the MAC is
	171	essential) it's client(s) has. The controller routes all the stuff for this MAC
	172	to your segment, where your modem will again route it thankfully to you.
	173
	174	This is why I call it "half-promicious" - you'll only get the stuff that other
	175	clients send to the gateway, not the other direction.
	176	However one way of the traffic is enough to sniff. Simply patch tcpdump a
	177	little to log anything you've ever wanted to know about your neighbours.
	178
	179	In a earlier state of investigation I found out that sending faked ARP-queries
	180	(you, with the same MAC & IP as the gateway, want to know the MAC of some dummy
	181	host) made the modem route stuff on the cable destinating to the gateway
	182	to you. The disadvantage is that you'll only get stuff which is on your segment
	183	only and this might be very little interesting data.
	184
	185	Appendix ======================================================================
	186
	187	This document might be slightly inaccurate, but it all worked for me.
	188	I'm very curious about feedback, corrections and clarifications.
	189	The needed files (cfg-file-en/decoder, snmp-vars-documentation, general lcpet-
	190	documentation, patched tftpd, default-key, sample-cfg's etc.) should be
	191	available as teso-lancity-x.x.tar.gz in teso's internal file-area.
	192
	193	Have fun.
	194
	195	===============================================================================