lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <10e6de610805270639x7f770637q6a108f5c87405dd9@mail.gmail.com>
Date: Tue, 27 May 2008 14:39:08 +0100
From: "Adrian Pastor" <ap@...citizen.org>
To: bugtraq@...urityfocus.com
Subject: Re: MDAP ANTs PWNAGE: dumping the admin password of the BT Home Hub

UPDATED:

The BT Home Hub's serial number - which is the default admin password
- can also be found on UPnP description XML files. Note that no
password is required to access such files, as they're used for UPnP
(authentication-less) operations. Note: UPnP is enabled by default on
the BT Home Hub.

More information can be found on:
http://www.gnucitizen.org/blog/dumping-the-admin-password-of-the-bt-home-hub-pt-2/

On Wed, May 21, 2008 at 10:43 PM, Adrian Pastor <ap@...citizen.org> wrote:
> http://www.gnucitizen.org/blog/dumping-the-admin-password-of-the-bt-home-hub/
>
> We're back with more security attacks against the BT Home Hub (most
> popular wireless DSL router in the UK)!
>
> BT added a new security feature on the latest version [1] of the BT
> Home Hub firmware (6.2.6.E at time of writing) which changes the
> default admin password from 'admin' to the serial number of the
> router. From BT Support and Advice [2] site:
>
> "Firmware 6.2.6.E introduces the following improvements: Change
> default Hub Manager access password from 'admin' to your unique Hub
> serial number"
>
> Well, it turns out that you can get the serial number of the Home Hub
> by simply sending a Multi Directory Access Protocol (MDAP) multicast
> request in the network where BT Home Hub is located. Yes, you must
> already be part of the LAN where the Home Hub is present, either via
> ethernet or via Wi-Fi. However, at GNUCITIZEN, we have demonstrated
> [3] trivial ways to predict the WEP encryption key of the Home Hub if
> you know what you are doing.
>
> In summary, there are two ways to break into a BT Home Hub Wi-Fi network:
>
> - arp replays injection plus weak IVs cracking. This attack is
> typically launched using airodump-ng + aireplay-ng + aircrack-ng (I
> highly recommend using Backtrack 2 plus the Alfa USB AWUS036S Wi-Fi
> adaptor for this attack)
> - Predict the Home Hub's default WEP key by bruteforcing a list of
> potential candidates which are derived from the SSID (the SSID can be
> obtained by anyone of course)
>
> As promised in CONFidence [4], we're releasing the full details
> including PoC scripts:
> http://www.gnucitizen.org/blog/dumping-the-admin-password-of-the-bt-home-hub/
>
> In summary, there are currently about 3 million BT Home Hub routers in
> the UK whose default WEP key AND admin password can be easily
> predicted.
>
>
> ABOUT GNUCITIZEN
>
> GNUCITIZEN is a Cutting Edge, Ethical Hacker Outfit, Information Think
> Tank, which primarily deals with all aspects of the art of hacking.
> Our work has been featured in established magazines and information
> portals, such as Wired, Eweek, The Register, PC Week, IDG, BBC and
> many others. The members of the GNUCITIZEN group are well known and
> well established experts in the Information Security, Black Public
> Relations (PR) Industries and Hacker Circles with widely recognized
> experience in the government and corporate sectors and the open source
> community.
>
>
> REFERENCES
>
> [1] "What is the latest version of BT Home Hub firmware?"
> http://snipurl.com/29w9o
>
> [2] "What changes are included in the latest BT Home Hub firmware?"
> http://snipurl.com/29oo4
>
> [3] "Default key algorithm in Thomson and BT Home Hub routers"
> http://www.gnucitizen.org/blog/default-key-algorithm-in-thomson-and-bt-home-hub-routers/
>
> [4] "Cracking into embedded devices and beyond! - CONFidence, Krakow 2008"
> http://www.gnucitizen.org/projects/confidence-2008/Cracking%20into%20embedded%20devices%20-%20CONFidence%202K8.pdf
>

-- 
Adrian 'pagvac' Pastor | Security Consultant and White Hat Hacker | GNUCITIZEN
gnucitizen.com

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ