At&t 2wire wifi admin page hack


Post by DNR »

Not much of a hack - At&t tried to use "security through obscurity" - in the URL.

At a cafe, I was talking to Zake and wanted to switch from my broadband VPN to open wifi to save a few bucks on the phone bill.

I connect to the wifi network - the owner even set a password to use the public network - the phone number of the location (this is common - so try it when presented with a password prompt).

The network was buggy; it failed to connect twice. The third time I connected, got online, then lost internet connection.

The problem is - the network presented me with an error message about 'loss connectivity' (BTW the quick fix I explained to the owner was to 'turn off' network notifications)

http://gateway.2wire.net/xslt?PAGE=HURL00

I looked at the URL and saw it was being presented by the network device - the router called 'gateway'.

So I simply cut the URL back to

http://gateway.2wire.net/xslt?PAGE=
(BTW - you can also try http://192.168.1.254.2wire.net/xslt?PAGE=)

and I was presented with the admin page to change settings and view who is on the network!

"Home Network
Computers:
192.168.1.76
Amy-Js-Ipod
android_445c89da63e8a396
iPhone
RobertPascoe-PC
HP689148
iPhone
Allens-iPhone
android_81ef304fd938a0d3
Zachs-iPod
192.168.1.123
Chris-iPhone-2
DigitalNomad"

You can guess which one was me....

In settings - the system password - you'll need a password "maybe the damn phone number again?" you might be able to dictionary or brute force this page - with no limit.
(funny - it turns out it was the same password he used for the public login)
You have access to upgrade - and options - here I might be able to 'brick and run' - upload malware to the 'gateway' to backdoor myself next time.

With the list of users, you could set up a fake AP, and DoS them off the original network, and log on to your fake network - easy since you can 'spearphish' with a computer name now.

Later...

DNR
-
He gives wisdom to the wise and knowledge to the discerning. He reveals deep and hidden things; he knows what lies in Darkness, and Light dwells with him.


Re: At&t 2wire wifi admin page hack

Post by DNR »

trying google dorking



Re: At&t 2wire wifi admin page hack

Post by DNR »

http://www.supportshots.com/two_wire/md ... XTPAGE=J21

This is a fake admin console - so you can see what you can get when you succeed with admin privileges.

After checking out the demo console - I go to the admin page for this cafe's wifi - and be damned - it has a password HINT! WTF!

I hit the hint and it says "phone" --- oh gee, same login as the public network!

Glad to be back...


Re: At&t 2wire wifi admin page hack

Post by DNR »

While the router/gateway admin console says you can set your own IP range, the default is sadly 192.168.1.254 - parked at the end of the IP range of the standard 'non-public routable IP'. (newbies - 192.168.1.xxx cannot be accessed via the internet - you have to be associated with the network to see this IP range)

So typically that means any 2wire wifi running default -
1. only have to crack password, not user/pass
2. It has a hint feature, that could leak the password choice
3. it does have security for attacks, but traffic related - might be vulnerable to brute forcing/dictionary attack on the console itself. (an experiment would be to use the URL to feed passwords to the console - in effort to pass the 'external traffic logs' i.e. http://192.168.1.254/2wire.net/xslt?PASS=123456 and so on)
4. Brick and Run is a possibility, as with any device that allows updating of the firmware

Without password - you can at least view all the computer's names that are using the network, settings/config of the router and network.
It was noted many android and iPhones were using the network.

This is an example of the fun you can get into when sitting in a cafe peeking at someone's wifi.

Hacking Pays : owner comped my $10 breakfast! :)

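Added example, not part of the original thread: point 3 in the post above notes that the console's password prompt accepts guesses without limit. The sketch below shows the per-client lockout with exponential backoff that such a login form lacks. The class, function and client names and all thresholds are assumptions for illustration, not 2wire firmware behaviour.

```python
import hmac
import time

class LoginThrottle:
    """Per-client lockout with exponential backoff for an admin login form."""

    def __init__(self, max_failures=5, base_lockout=30.0, max_lockout=3600.0,
                 clock=time.monotonic):
        self.max_failures = max_failures  # failures allowed before the first lockout
        self.base_lockout = base_lockout  # seconds; doubles with each further failure
        self.max_lockout = max_lockout    # upper bound on a single lockout
        self.clock = clock                # injectable so the policy can be tested
        self._state = {}                  # client -> (failures, locked_until)

    def retry_after(self, client):
        """Seconds the client must still wait; 0.0 means an attempt is allowed."""
        return max(0.0, self._state.get(client, (0, 0.0))[1] - self.clock())

    def record(self, client, success):
        """Update state after a password check that was actually performed."""
        if success:
            self._state.pop(client, None)
            return
        failures = self._state.get(client, (0, 0.0))[0] + 1
        locked_until = 0.0
        if failures >= self.max_failures:
            delay = self.base_lockout * 2 ** min(failures - self.max_failures, 16)
            locked_until = self.clock() + min(delay, self.max_lockout)
        self._state[client] = (failures, locked_until)

def attempt_login(throttle, client, supplied, check_password):
    """Return 'ok', 'denied' or 'locked'; locked attempts never reach the check."""
    if throttle.retry_after(client) > 0:
        return "locked"
    success = check_password(supplied)
    throttle.record(client, success)
    return "ok" if success else "denied"

def demo():
    """Constructed run: one client guesses every 10 s against a made-up password."""
    now = [0.0]
    throttle = LoginThrottle(max_failures=3, clock=lambda: now[0])
    check = lambda pw: hmac.compare_digest(pw.encode(), b"constructed-secret")
    results = []
    for guess in ["a", "b", "c", "d", "e", "f", "g", "h"]:
        results.append(attempt_login(throttle, "client-a", guess, check))
        now[0] += 10.0
    return results

if __name__ == "__main__":
    print(demo())
```

Because a locked attempt is rejected before the password is compared, even the correct password is refused during a lockout, so guessing speed is bounded by the backoff schedule rather than by how fast requests can be sent.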


Re: At&t 2wire wifi admin page hack

Post by computathug »

Great read, you would also be surprised at how many other businesses jump on the free for all bandwagon too that are within distance.
The devil can cite Scripture for his purpose.
-- William Shakespeare, "The Merchant of Venice"