DOCSIS Cable modem vulnerability by 0dissi
// a fun one-off article about fooling cable modems

1) Pre-ramble

Hi,

I've been sitting on this for a while debating morally
whether or not I should post it. After being lied to by multiple
cable internet companies, told that I'm stupid by cable modem
vendors, and having my access turned off for complaining about
broken DNS I've decided that it's time to post.

2) legal stuff

This is theft of service, you will probably get caught, don't
do it if you value your cable internet service.

This document is only to be redistributed/copied with the original
text included (including credit to myself).

3) explanation

Companies are out to make money, they hire people with book knowledge,
and stupid things like this happen. (Hi AT&T, your DNS is _still_ broken
even after it was fixed for 2 weeks)

Basically it's a simple ARP caching thing, it's easy to fix in the modems
and somewhat easy to obscure at the ISP. I'm sure *someone* must have
done this besides me, but from all my searches on the web I've seen
nothing but 'it's impossible' messages, the only people I know that
can do it are people I showed how. I'm sure I'm going to upset those
people by posting this, oh well.

4) Let's get started

Cable modems known to work with this:
3Com Sharkfin (all models)
Motorola (all models)
Toshiba PCX1100
Cisco (?)

Modems that probably don't work:
RCA DCM235
3Com CMX (USR)


First, you need the following:
An operating system with
1) A tftp server,
2) snmp software (I used ucd-snmp),
3) a DOCSIS config file generator such as this one:
http://docsis.sourceforge.net/

5) Go go go.

a) determine the address of the modem's TFTP server, some modems
are nice enough to give this info to you on their web interface,
others via SNMP, I've been told that a lot of providers use the
same address as their DHCP servers. Most modems use
as their interface address, try to snmpwalk it with the coax
disconnected after rebooting (some retain their config information,
but reset the community strings). (AT&T/MediaOne has 'public'
enabled for the ro string.. go from there)

b) determine the name of the configuration file, use the same methods
as above, or see below if you're running a semi intelligent tftp server.

You need to generate a DOCSIS config file for your modem to use, read
the documentation and examples from the docsis config file program
mentioned above.

c) set the address of your chosen machine to the address of the
tftp server, start pinging the address of the cable modem
( usually), this will cause the modem to put
you in its arp tables when you reboot it (reboot it now)

d) the modem will (hopefully) connect to your machine and start
(trying) to download the configuration file, if you couldn't determine
what it was named earlier this is where the smart tftp server comes in,
it should tell you what file name the modem attempted to grab.

e) You're done, easy wasn't it?

Happy surfing.

--
Matthew S. Hallacy FUBAR, LART, BOFH Certified
http://techmonkeys.org/~poptix GPG public key 0x01938203
© Com-crime.net - the author's opinion does not necessarily match that of the editors
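
The modem-side fix that section 3 calls "easy", modelled as an added example (not code from the original post or from any modem vendor): an ARP cache that refuses to learn a provisioning server's address on the customer-facing interface. The addresses, MACs, interface names and class names are constructed for illustration, and the interface-scoping rule is an assumption about what such a fix would look like.

```python
# Added illustration, not from the original post. All addresses, MACs and
# names below are constructed; the scoping rule is an assumed form of the fix.
from dataclasses import dataclass

RF, CPE = "cable", "ethernet"   # provider-facing vs customer-facing interface
TFTP_IP = "10.0.0.5"            # constructed provisioning-server address

@dataclass(frozen=True)
class ArpEntry:
    ip: str
    mac: str
    iface: str                  # interface the entry was learned on

class ArpCache:
    def __init__(self, protected_ips=(), scope_by_interface=True):
        self.protected = set(protected_ips)
        self.scope = scope_by_interface
        self.entries = {}
        self.rejected = []      # entries refused by the scoping rule (for logging)

    def learn(self, entry):
        # Hardened rule: a protected address may only be learned on the RF side.
        if self.scope and entry.ip in self.protected and entry.iface != RF:
            self.rejected.append(entry)
            return False
        self.entries[entry.ip] = entry   # unscoped cache: last claim wins
        return True

def provisioning_iface(cache, observed, tftp_ip=TFTP_IP):
    """Replay observed ARP claims; return the interface a config fetch would use."""
    for entry in observed:
        cache.learn(entry)
    hop = cache.entries.get(tftp_ip)
    return hop.iface if hop else RF      # assumption: no entry means normal RF path

# Constructed sample: the real server seen on RF, then a LAN host claiming its IP.
OBSERVED = [
    ArpEntry(TFTP_IP, "02:00:00:00:00:01", RF),
    ArpEntry(TFTP_IP, "02:00:00:00:00:aa", CPE),
]

if __name__ == "__main__":
    weak = ArpCache(scope_by_interface=False)
    hard = ArpCache(protected_ips=[TFTP_IP])
    print("unscoped cache fetches config via:", provisioning_iface(weak, OBSERVED))
    print("scoped cache fetches config via:  ", provisioning_iface(hard, OBSERVED))
    print("rejected claims:", hard.rejected)
```

The `rejected` list is what a modem or headend would want to log: a customer-side host claiming the provisioning server's address is itself a detection signal.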

Comments (13)
I don't get it, can someone translate it into Dutch and make it a bit clearer [:10:28]
I don't get it, can someone translate it into Dutch and make it a bit clearer
odis [:39:49]
then grab a dictionary and just translate it all yourself.
Jantje [:22:58]
Hey, isn't there a simpler way than this, because I'm as lazy as a turtle :)
Me NOT [:15:15]
Turtles aren't lazy, just slow.
Cyber [:11:22]
1st comment: If you can't decipher this, I advise you not to start on it; that goes for everyone. If your English is so bad that you don't understand this, you won't understand it in Dutch either.....
