Autor
Todos los routers de Orange usan los mismos usuarios y contraseñas por defecto mediante conexion telnet, así que una vez hemos accedido al interior del router, podemos obtener esta información, y darnos permisos de superuser.
La version original y la version actual del router Livebox2.
Citar
(version(4.0.21.3.3.1.32.1.1.1.6))
(external_version(FAST3yyy_691252))
(release(Jan 14 2010))
(distribution(LIC=/filer1_vol7/dev_projets3/rg_ultimate/dev/daniel/mini/OSP/4.3.23_691252/lastcheckout/license/jpkg_fast3202.lic DIST=FAST3202_SP_LBV2ULT))
(version(4.0.21.3.3.1.32.1.1.1.6))
(external_version(FAST3yyy_69127A))
(release(Apr 26 2011))
(distribution(LIC=/filer1_vol7/dev_projets3/rg_ultimate/dev/daniel/mini/OSP/4.3.48_BIS_691272/lastcheckout/license/jpkg_fast3202.lic DIST=FAST3202_SP_LBV2ULT))
(external_version(FAST3yyy_691252))
(release(Jan 14 2010))
(distribution(LIC=/filer1_vol7/dev_projets3/rg_ultimate/dev/daniel/mini/OSP/4.3.23_691252/lastcheckout/license/jpkg_fast3202.lic DIST=FAST3202_SP_LBV2ULT))
(version(4.0.21.3.3.1.32.1.1.1.6))
(external_version(FAST3yyy_69127A))
(release(Apr 26 2011))
(distribution(LIC=/filer1_vol7/dev_projets3/rg_ultimate/dev/daniel/mini/OSP/4.3.48_BIS_691272/lastcheckout/license/jpkg_fast3202.lic DIST=FAST3202_SP_LBV2ULT))
Que conseguimos con esto: control total del router.
¿Y para que servirá esto?
Vamos a ver un poquito la ayuda que ofrece el router:
Citar
[root @ home]$ help all
Command Category terminal - Commands to control Livebox execution
exit Exit sub menu
ls List sub menu contents
home Go back to home directory
die Exit from Livebox and return ret
ps Print Livebox's tasks
entity_close Close an entity
Command Category igmp - IGMP Proxy related commands
igmp_status Print IGMP subscription of device
igmp_reset Clear all IGMP subscriptions
Command Category dns_route - Dyncamic Routing according to DNS replies
dyn_route_print Print Dynamic Routes
dyn_route_del Delete Dynamic Routes
Command Category pvc - PVC scan related commands
pvc_scan Scan predefined vpi.vci to determine PPP protocol
pvc_scan_restart Restart PVC scan
pvc_scan_status Display PVC scan status
Command Category rg_conf - Read and write Livebox configuration data
rg_conf_print Print Livebox configuration
rg_conf_set Set Livebox configuration path to value
rg_conf_set_obscure Set Livebox configuration path to an obscured value
rg_conf_del Delete subtree from Livebox configuration
rg_conf_ram_set Set Livebox dynamic configuration
rg_conf_ram_print Print Livebox dynamic configuration
rg_conf_ram_del Delete subtree from Livebox dynamic configuration
reconf Reconfigure the system according to the current Livebox configuration
Command Category ffs - Flash file system
ffs_mount Mount FFS device
ffs_umount Unmount FFS device
ffs_format Format FFS device
Command Category mii - MII Low level control
mii_dev_link_status_get Get Link Status for all device ports using MII
mii_phy_reg_get Get PHY MII register value
mii_phy_reg_set Set PHY MII register value
mii_eth_reg_get Get Ethernet MII register value
mii_eth_reg_set Set Ethernet MII register value
Command Category FT wlan commands - FT wlan commands
wlan wlan
Command Category FT commands - FT commands
save Save configurating to flash
flash_chksum Display all flash sections checksums
Command Category FT adsl commands - FT adsl commands
adsl adsl
Command Category FT atm commands - FT atm commands
atm atm
Command Category FT sndcp commands - FT sndcp commands
sndcp sndcp
Command Category bluetooth_ssi - API for communication between OpenRG & Bluetooth hcid
ssi_bluetooth_acl_check
ssi_bluetooth_device_connected
ssi_ctp_tl_connected
ssi_ctp_tl_disconnected
Command Category rmt_mng - Remote Management Commands
rmt_mng_enable
rmt_mng_login
rmt_mng_add_user
Command Category firewall - Control and display Firewall and NAT data
fw_restart Stop and start Firewall & NAT
fw_start Start Firewall & NAT
fw_stop Stop Firewall & NAT
fw_filter Turn Firewall packet inspection on/off
mac_cache_dump Dump MAC cache data
fw_dump Dispaly Firewall data
fw_variable Display variables of the firewall rules
fw_trace Trace packet traversal via the Firewall ruleset
Command Category cmd - Commands related to the Command module
help Commands Help
Command Category tasks - API for Livebox tasks
host Resolve host by name
bridge_info Print bridge information
vlan_add Add VLAN interface
Command Category debug - Debug Livebox
sys_ioctl issue openrg ioctl
etask_list_dump Dump back trace of all etasks
meminfo Print memory information
Command Category log - Contorols Livebox logging behaviour
cat_log Prints or deletes contents of log to console
log_lev_on Redirect rg_error output equal to or higher than level to the
current console.
log_lev_off Stop rg_error redirection to the current console
Command Category terminal - Commands to contorol Livebox execution
exit Exit sub menu
ls List sub menu contents
home Go back to home directory
die Exit from Livebox and return ret
ps Print Livebox's tasks
entity_close Close an entity
Command Category main_task - main_task commands
reboot Reboot the system
rg_ifconfig List Livebox Network Devices
cat Print file contents to console
shell Spawn busybox shell in foreground
restore_default Restore default configuration
erase Restore default configuration
exec Execute program
print_main_wan Print the name of the current main wan device
route Print route table
ver Display version information
date Print the current UTC and local time
version Display version information for installation
show Display version information for production
Command Category flash - Flash and loader related commands
flash_commit Save Livebox configuration to flash
flash_erase Erase a given section in the flash
load Load and burn image
loadapp Load and burn image app1 or app2
boot Boot the system
flash_layout Print the flash layout and content
flash_dump Dump the flash content
lock Lock mtd region
unlock Unlock mtd region
bset Configure bootloader
ifconfig Configure network interface
ping Test network connectivity
Returned 0
Command Category terminal - Commands to control Livebox execution
exit Exit sub menu
ls List sub menu contents
home Go back to home directory
die Exit from Livebox and return ret
ps Print Livebox's tasks
entity_close Close an entity
Command Category igmp - IGMP Proxy related commands
igmp_status Print IGMP subscription of device
igmp_reset Clear all IGMP subscriptions
Command Category dns_route - Dyncamic Routing according to DNS replies
dyn_route_print Print Dynamic Routes
dyn_route_del Delete Dynamic Routes
Command Category pvc - PVC scan related commands
pvc_scan Scan predefined vpi.vci to determine PPP protocol
pvc_scan_restart Restart PVC scan
pvc_scan_status Display PVC scan status
Command Category rg_conf - Read and write Livebox configuration data
rg_conf_print Print Livebox configuration
rg_conf_set Set Livebox configuration path to value
rg_conf_set_obscure Set Livebox configuration path to an obscured value
rg_conf_del Delete subtree from Livebox configuration
rg_conf_ram_set Set Livebox dynamic configuration
rg_conf_ram_print Print Livebox dynamic configuration
rg_conf_ram_del Delete subtree from Livebox dynamic configuration
reconf Reconfigure the system according to the current Livebox configuration
Command Category ffs - Flash file system
ffs_mount Mount FFS device
ffs_umount Unmount FFS device
ffs_format Format FFS device
Command Category mii - MII Low level control
mii_dev_link_status_get Get Link Status for all device ports using MII
mii_phy_reg_get Get PHY MII register value
mii_phy_reg_set Set PHY MII register value
mii_eth_reg_get Get Ethernet MII register value
mii_eth_reg_set Set Ethernet MII register value
Command Category FT wlan commands - FT wlan commands
wlan wlan
Command Category FT commands - FT commands
save Save configurating to flash
flash_chksum Display all flash sections checksums
Command Category FT adsl commands - FT adsl commands
adsl adsl
Command Category FT atm commands - FT atm commands
atm atm
Command Category FT sndcp commands - FT sndcp commands
sndcp sndcp
Command Category bluetooth_ssi - API for communication between OpenRG & Bluetooth hcid
ssi_bluetooth_acl_check
ssi_bluetooth_device_connected
ssi_ctp_tl_connected
ssi_ctp_tl_disconnected
Command Category rmt_mng - Remote Management Commands
rmt_mng_enable
rmt_mng_login
rmt_mng_add_user
Command Category firewall - Control and display Firewall and NAT data
fw_restart Stop and start Firewall & NAT
fw_start Start Firewall & NAT
fw_stop Stop Firewall & NAT
fw_filter Turn Firewall packet inspection on/off
mac_cache_dump Dump MAC cache data
fw_dump Dispaly Firewall data
fw_variable Display variables of the firewall rules
fw_trace Trace packet traversal via the Firewall ruleset
Command Category cmd - Commands related to the Command module
help Commands Help
Command Category tasks - API for Livebox tasks
host Resolve host by name
bridge_info Print bridge information
vlan_add Add VLAN interface
Command Category debug - Debug Livebox
sys_ioctl issue openrg ioctl
etask_list_dump Dump back trace of all etasks
meminfo Print memory information
Command Category log - Contorols Livebox logging behaviour
cat_log Prints or deletes contents of log to console
log_lev_on Redirect rg_error output equal to or higher than level to the
current console.
log_lev_off Stop rg_error redirection to the current console
Command Category terminal - Commands to contorol Livebox execution
exit Exit sub menu
ls List sub menu contents
home Go back to home directory
die Exit from Livebox and return ret
ps Print Livebox's tasks
entity_close Close an entity
Command Category main_task - main_task commands
reboot Reboot the system
rg_ifconfig List Livebox Network Devices
cat Print file contents to console
shell Spawn busybox shell in foreground
restore_default Restore default configuration
erase Restore default configuration
exec Execute program
print_main_wan Print the name of the current main wan device
route Print route table
ver Display version information
date Print the current UTC and local time
version Display version information for installation
show Display version information for production
Command Category flash - Flash and loader related commands
flash_commit Save Livebox configuration to flash
flash_erase Erase a given section in the flash
load Load and burn image
loadapp Load and burn image app1 or app2
boot Boot the system
flash_layout Print the flash layout and content
flash_dump Dump the flash content
lock Lock mtd region
unlock Unlock mtd region
bset Configure bootloader
ifconfig Configure network interface
ping Test network connectivity
Returned 0
Como podemos ver esta es toda la información de las opciones de configuración del router.
Busquemos la clave wifi por defecto: Clave Wifi ( a fuego en el boot )
Citar
[root @ home]$ flash_dump -s BOOT | -r 0x00018350 -l 0x00000020
00018350: 00 32 35 44 43 34 43 43 ** ** ** ** ** ** ** ** |.25DC4CC********|
00018360: ** ** ** ** ** ** ** ** ** ** ** 00 00 00 00 00 |***********.....|
00018350: 00 32 35 44 43 34 43 43 ** ** ** ** ** ** ** ** |.25DC4CC********|
00018360: ** ** ** ** ** ** ** ** ** ** ** 00 00 00 00 00 |***********.....|
También se encuentra en el interior del router el archivo, el cual es el que carga a fuego, siempre que se resetea el router.
Citar
/etc # cat wsc_config.txt
#######################################################
# VAP 1 config section
#######################################################
# Simple Config Configuration File
# Lines that start with # are treated as comments
# Each line should not exceed 80 characters
# Format: TYPE=value
#
START_OF_VAP_CONFIG_1
# Configured Mode: 1=Unconfigured AP, 2=Client, 3=Registrar,
# 4=AP with Proxy, 5 = AP with Proxy and Registrar
CONFIGURED_MODE=5
# Is the standalone Registrar (mode 3) wireless-enabled
# Yes: 1, No:0
REGISTRAR_WIRELESS=1
# Should UPnP be used (for modes 1 and 3)
# Yes: 1, No:0
USE_UPNP=0
UUID=0x00269*****************
VERSION=0x10
DEVICE_NAME=Livebox2-4***
# Primary Device Categories: Please refer to the SC spec for
# values for the following types
PRI_DEV_CATEGORY=6
PRI_DEV_OUI=0x50f204
PRI_DEV_SUB_CATEGORY=1
# MAC Address of the local device, 6 byte value
MAC_ADDRESS=0x0026*******
MANUFACTURER=Sagem
MODEL_NAME=Livebox2
MODEL_NUMBER=Livebox2
SERIAL_NUMBER=LK101*****
# Config Methods: bitwise OR of values
CONFIG_METHODS=0x188
# Auth type flags: bitwise OR of values
AUTH_TYPE_FLAGS=0x20
# Encr type flags: bitwise OR of values
ENCR_TYPE_FLAGS=0x8
CONN_TYPE_FLAGS=0x1
RF_BAND=1
OS_VER=0x80000000
FEATURE_ID=0x80000000
# SSID:
# For unconfigured client: What it should connect to when
# starting EAP-WSC
# Example: SSID=WscSecureAP
# For unconfigured AP: Initial broadcast SSID
# Example: SSID=WscNewAP
# For Registrar: SSID that the supplicant must connect to when
# starting EAP-WSC
# Example: SSID=WscNewAP
# For AP with Registrar: Broadcast SSID
# Example: SSID=WscSecureAP
SSID=Orange-xxxx
# Key Mgmt for Supplicant (Client, Registrar):
# Unconfigured, doing WSC: WPA-EAP IEEE8021X
# Configured after WSC (will be done by the s/w): WPA-PSK
# Key Mgmt for Hostapd (AP, AP with Registrar):
# Unconfigured, doing WSC: WPA-EAP
# Configured after WSC (will be done by the s/w): WPA-PSK
# Configured, plus Registrar: WPA-EAP WPA-PSK
KEY_MGMT=WPA-EAP WPA-PSK
# Are we using a USB key to transfer PIN/Credential?
# Yes: 1, No:0
USB_KEY=0
# Is the Network Key set?
# Yes: 0xValue or passphrase, No: comment out line
# NW_KEY=0x000102030405060708090A0B0C0D0E0F000102030405060708090A0B0C0D0E0F
# NW_KEY=passphrase
NW_KEY=25DC4CC**************
# DBG_LEVEL bit mask: 0:ERR, 1:INFO, 2:REG, 3:UPNP, 4:MC, 16:DBG
DBG_LEVEL=7
END_OF_VAP_CONFIG_1
#OTHER_NETWORK_CONF ssid config filenames, separate by spaces
OTHER_NETWORK_CONF=(null)END_OF_CONFIG
#######################################################
# VAP 1 config section
#######################################################
# Simple Config Configuration File
# Lines that start with # are treated as comments
# Each line should not exceed 80 characters
# Format: TYPE=value
#
START_OF_VAP_CONFIG_1
# Configured Mode: 1=Unconfigured AP, 2=Client, 3=Registrar,
# 4=AP with Proxy, 5 = AP with Proxy and Registrar
CONFIGURED_MODE=5
# Is the standalone Registrar (mode 3) wireless-enabled
# Yes: 1, No:0
REGISTRAR_WIRELESS=1
# Should UPnP be used (for modes 1 and 3)
# Yes: 1, No:0
USE_UPNP=0
UUID=0x00269*****************
VERSION=0x10
DEVICE_NAME=Livebox2-4***
# Primary Device Categories: Please refer to the SC spec for
# values for the following types
PRI_DEV_CATEGORY=6
PRI_DEV_OUI=0x50f204
PRI_DEV_SUB_CATEGORY=1
# MAC Address of the local device, 6 byte value
MAC_ADDRESS=0x0026*******
MANUFACTURER=Sagem
MODEL_NAME=Livebox2
MODEL_NUMBER=Livebox2
SERIAL_NUMBER=LK101*****
# Config Methods: bitwise OR of values
CONFIG_METHODS=0x188
# Auth type flags: bitwise OR of values
AUTH_TYPE_FLAGS=0x20
# Encr type flags: bitwise OR of values
ENCR_TYPE_FLAGS=0x8
CONN_TYPE_FLAGS=0x1
RF_BAND=1
OS_VER=0x80000000
FEATURE_ID=0x80000000
# SSID:
# For unconfigured client: What it should connect to when
# starting EAP-WSC
# Example: SSID=WscSecureAP
# For unconfigured AP: Initial broadcast SSID
# Example: SSID=WscNewAP
# For Registrar: SSID that the supplicant must connect to when
# starting EAP-WSC
# Example: SSID=WscNewAP
# For AP with Registrar: Broadcast SSID
# Example: SSID=WscSecureAP
SSID=Orange-xxxx
# Key Mgmt for Supplicant (Client, Registrar):
# Unconfigured, doing WSC: WPA-EAP IEEE8021X
# Configured after WSC (will be done by the s/w): WPA-PSK
# Key Mgmt for Hostapd (AP, AP with Registrar):
# Unconfigured, doing WSC: WPA-EAP
# Configured after WSC (will be done by the s/w): WPA-PSK
# Configured, plus Registrar: WPA-EAP WPA-PSK
KEY_MGMT=WPA-EAP WPA-PSK
# Are we using a USB key to transfer PIN/Credential?
# Yes: 1, No:0
USB_KEY=0
# Is the Network Key set?
# Yes: 0xValue or passphrase, No: comment out line
# NW_KEY=0x000102030405060708090A0B0C0D0E0F000102030405060708090A0B0C0D0E0F
# NW_KEY=passphrase
NW_KEY=25DC4CC**************
# DBG_LEVEL bit mask: 0:ERR, 1:INFO, 2:REG, 3:UPNP, 4:MC, 16:DBG
DBG_LEVEL=7
END_OF_VAP_CONFIG_1
#OTHER_NETWORK_CONF ssid config filenames, separate by spaces
OTHER_NETWORK_CONF=(null)END_OF_CONFIG
Bloques de la flash.
Citar
[root @ home]$ flash_layout
Flash layout:
Section 00 Type BOOT Range 0x00000000-0x000A0000 MaxSize 0x000A0000
No more information.
Section 01 Type AUTOCONF Range 0x000A0000-0x000C0000 MaxSize 0x00020000
No more information.
Section 02 Type USER Range 0x000C0000-0x000E0000 MaxSize 0x00020000
No more information.
Section 03 Type SCRATCH PAD Range 0x000E0000-0x00100000 MaxSize 0x0001FF6C
Uninitialized.
Section 04 Type USER Range 0x00100000-0x00120000 MaxSize 0x00020000
No more information.
Section 05 Type FACTORY Range 0x00120000-0x00140000 MaxSize 0x0001FF6C
Size 0x000004D3 Name 'FACTORY'
Checksum 0x00010B81 Counter 0x00000001 Start Offset 0x00000000
Section 06 Type LAYOUT Range 0x00140000-0x00160000 MaxSize 0x0001FF6C
Uninitialized.
Section 07 Type CONF Range 0x00160000-0x00180000 MaxSize 0x0001FF6C
Size 0x00003AA3 Name 'rg_conf'
Checksum 0x001CF184 Counter 0x00000049 Start Offset 0x00000000
Section 08 Type CONF Range 0x00180000-0x001A0000 MaxSize 0x0001FF6C
Size 0x000038CE Name 'rg_conf'
Checksum 0x001BF4EC Counter 0x00000046 Start Offset 0x00000000
Section 09 Type JFFS Range 0x001A0000-0x00240000 MaxSize 0x000A0000
No more information.
Section 10 Type RECOVERY Range 0x00240000-0x00580000 MaxSize 0x00340000
No more information.
Section 11 Type IMAGE Range 0x00580000-0x01000000 MaxSize 0x00A80000
No more information.
Total 12 sections found.
Returned 0
Flash layout:
Section 00 Type BOOT Range 0x00000000-0x000A0000 MaxSize 0x000A0000
No more information.
Section 01 Type AUTOCONF Range 0x000A0000-0x000C0000 MaxSize 0x00020000
No more information.
Section 02 Type USER Range 0x000C0000-0x000E0000 MaxSize 0x00020000
No more information.
Section 03 Type SCRATCH PAD Range 0x000E0000-0x00100000 MaxSize 0x0001FF6C
Uninitialized.
Section 04 Type USER Range 0x00100000-0x00120000 MaxSize 0x00020000
No more information.
Section 05 Type FACTORY Range 0x00120000-0x00140000 MaxSize 0x0001FF6C
Size 0x000004D3 Name 'FACTORY'
Checksum 0x00010B81 Counter 0x00000001 Start Offset 0x00000000
Section 06 Type LAYOUT Range 0x00140000-0x00160000 MaxSize 0x0001FF6C
Uninitialized.
Section 07 Type CONF Range 0x00160000-0x00180000 MaxSize 0x0001FF6C
Size 0x00003AA3 Name 'rg_conf'
Checksum 0x001CF184 Counter 0x00000049 Start Offset 0x00000000
Section 08 Type CONF Range 0x00180000-0x001A0000 MaxSize 0x0001FF6C
Size 0x000038CE Name 'rg_conf'
Checksum 0x001BF4EC Counter 0x00000046 Start Offset 0x00000000
Section 09 Type JFFS Range 0x001A0000-0x00240000 MaxSize 0x000A0000
No more information.
Section 10 Type RECOVERY Range 0x00240000-0x00580000 MaxSize 0x00340000
No more information.
Section 11 Type IMAGE Range 0x00580000-0x01000000 MaxSize 0x00A80000
No more information.
Total 12 sections found.
Returned 0
Shell del Livebox.
Citar
[root @ home]$ shell
BusyBox v1.01 (2005.09.07-07:38+0000) Built-in shell (ash)
Enter 'help' for a list of built-in commands.
/ # ls
automate dsp home mnt sys var
bin etc hsdpa proc tmp
dev fstab lib sbin usr
/ # help
Built-in commands:
-------------------
. : alias bg break cd chdir continue eval exec exit export false
fg hash help jobs kill let local pwd read readonly return set
shift times trap true type ulimit umask unalias unset wait
BusyBox v1.01 (2005.09.07-07:38+0000) Built-in shell (ash)
Enter 'help' for a list of built-in commands.
/ # ls
automate dsp home mnt sys var
bin etc hsdpa proc tmp
dev fstab lib sbin usr
/ # help
Built-in commands:
-------------------
. : alias bg break cd chdir continue eval exec exit export false
fg hash help jobs kill let local pwd read readonly return set
shift times trap true type ulimit umask unalias unset wait
Desbloqueo de paginas ocultas del router que proporcionan muchas más opciones de las que nos da originalmente Orange.
Activación de todos los parametros de la configuración de las paginas.
Citar
(pages
(hsiab(1))
(livezoom(1))
(visio(1))
(community(1))
(fax(1))
(telephone(1))
(tv(1))
(vpn(1))
(backuprestore(1))
(licence(1))
(log(1))
(lockunlock(1))
)
(hsiab(1))
(livezoom(1))
(visio(1))
(community(1))
(fax(1))
(telephone(1))
(tv(1))
(vpn(1))
(backuprestore(1))
(licence(1))
(log(1))
(lockunlock(1))
)
Activación de todos los parametros de la configuración de las redes.
Citar
(network
(ftth(1))
(adsl(1))
(3g(1))
(pppoe(1))
(pppoa(1))
(dhcp(1))
(ftlock(1))
(h323(1))
(sip(1))
(tvrouted(1))
)
(ftth(1))
(adsl(1))
(3g(1))
(pppoe(1))
(pppoa(1))
(dhcp(1))
(ftlock(1))
(h323(1))
(sip(1))
(tvrouted(1))
)
Activación de todos los parametros de la configuración de los servicios.
Citar
(services
(rtcphone(1))
(universal_phone(1))
(multitv(1))
(professionnal(1))
(residential(1))
(testvoip(1))
(wifipushbutton(1))
(wifiwps(1))
(wpspushbutton(1))
(msgwaiting(1))
)
(rtcphone(1))
(universal_phone(1))
(multitv(1))
(professionnal(1))
(residential(1))
(testvoip(1))
(wifipushbutton(1))
(wifiwps(1))
(wpspushbutton(1))
(msgwaiting(1))
)
Activación de todos los parametros de la configuración del test.
Citar
(test
(fmdev(1))
(sipdev(1))
)
(fmdev(1))
(sipdev(1))
)
Configuración de ADSL:
Grabar y restaurar:
VPN:
LOG:
FAX:
COMUNIDAD LIVEBOX:
HOTSPOT:
LIVEZOOM:
VIDEOTELEFONIA:
CONFIGURACION PPP:
Ataques que se pueden realizar contra servidor Orange.
Usurpación de usuario, tenemos los certificados públicos y privados del router (hay parte eliminadas para no comprometer la seguridad de Orange):
Citar
00018740: 47 49 4e 20 52 53 41 20 50 52 49 56 41 54 45 20 |GIN RSA PRIVATE |
00018750: 4b 45 59 2d 2d 2d 2d 2d 0a 4d 49 49 43 58 51 49 |KEY-----.MIICXQI|
00018760: 42 41 41 4b 42 67 51 44 78 75 34 51 55 6b 56 4d |BAAKBgQDxu4QUkVM|
00018770: 31 57 31 58 30 61 71 38 49 48 59 58 71 53 35 33 |1W1X0aq8IHYXqS53|
00018780: 6c 71 36 51 4b 69 31 6a 73 30 65 66 57 42 67 6a |lq6QKi1js0efWBgj|
00018790: 43 6e 4a 55 63 30 72 4d 32 0a 70 70 67 77 77 57 |CnJUc0rM2.ppgwwW|
000187a0: 45 5a 36 35 45 31 54 4a 71 63 70 33 37 4e 6f 66 |EZ65E1TJqcp37Nof|
000187b0: 2b 4a 36 62 56 36 37 38 42 59 72 36 74 5a 56 2b |+J6bV678BYr6tZV+|
000187c0: 33 79 41 63 2b 61 56 6f 63 74 54 46 42 4f 4e 4c |3yAc+aVoctTFBONL|
000187d0: 31 71 57 6b 6f 62 65 57 78 59 0a 57 42 39 66 75 |1qWkobeWxY.WB9fu|
000187e0: 2b 7a 75 6d 71 44 30 65 73 79 65 34 58 6b 68 52 |+zumqD0esye4XkhR|
000187f0: 66 70 67 78 6a 35 63 61 41 75 76 76 6f 5a 51 70 |fpgxj5caAuvvoZQp|
00018800: 6d 7a 43 35 79 4e 74 58 47 6f 57 6c 7a 54 76 74 |mzC5yNtXGoWlzTvt|
00018810: 39 64 33 6f 51 49 44 41 51 41 42 0a 41 6f 47 41 |9d3oQIDAQAB.AoGA|
00018820: 45 75 77 45 75 4c 39 76 62 66 76 4b 54 4b 6d 56 |EuwEuL9vbfvKTKmV|
00018830: 4c 65 4e 78 75 68 64 56 4d 73 63 75 76 67 79 4f |LeNxuhdVMscuvgyO|
00018840: 56 32 74 4f 35 48 66 77 63 35 74 69 4b 4c 46 74 |V2tO5Hfwc5tiKLFt|
00018850: 69 64 65 63 6a 69 52 30 2f 31 78 72 0a 4c 32 72 |idecjiR0/1xr.L2r|
00018860: 68 70 32 57 4e 44 58 65 69 30 78 37 53 4c 39 39 |hp2WNDXei0x7SL99|
00018870: 59 68 52 69 72 4a 74 6f 2f 4b 70 43 62 73 66 35 |YhRirJto/KpCbsf5|
00018880: 51 79 65 52 71 58 4e 57 6f 61 6d 71 37 46 4a 79 |QyeRqXNWoamq7FJy|
00018890: 66 50 61 62 4c 32 38 79 4e 41 4e 46 49 0a 4e 52 |fPabL28yNANFI.NR|
000188a0: 42 54 50 38 6e 30 70 46 6f 78 51 50 52 50 6e 4e |BTP8n0pFoxQPRPnN|
000188b0: 33 58 65 4b 52 6d 58 47 67 4b 47 70 79 77 74 54 |3XeKRmXGgKGpywtT|
000188c0: 52 38 31 39 67 36 69 54 44 6b 48 4d 6b 43 51 51 |R819g6iTDkHMkCQQ|
000188d0: 44 2f 36 2f 68 74 30 4e 63 76 38 55 72 43 0a 5a |D/6/ht0Ncv8UrC.Z|
000188e0: 70 72 53 6b 47 6f 73 71 4e 4e 44 52 6e 39 36 47 |prSkGosqNNDRn96G|
000188f0: 76 55 33 7a 36 62 68 50 46 69 76 4c 30 37 54 38 |vU3z6bhPFivL07T8|
00018900: 44 6c 65 78 45 70 76 54 44 55 33 6a 49 67 77 59 |DlexEpvTDU3jIgwY|
00018910: 69 2f 66 6b 6c 79 41 2f 64 6c 54 55 48 67 2f 0a |i/fklyA/dlTUHg/.|
00018a90: 46 0a 2d 2d 2d 2d 2d 45 4e 44 20 52 53 41 20 50 |F.-----END RSA P|
00018aa0: 52 49 56 41 54 45 20 4b 45 59 2d 2d 2d 2d 2d 0a |RIVATE KEY-----.|
________________________________________
00018f30: 00 00 00 00 00 00 00 00 00 2d 2d 2d 2d 2d 42 45 |.........-----BE|
00018f40: 47 49 4e 20 43 45 52 54 49 46 49 43 41 54 45 2d |GIN CERTIFICATE-|
00018f50: 2d 2d 2d 2d 0a 4d 49 49 43 2b 6a 43 43 41 65 4b |----.MIIC+jCCAeK|
00018f60: 67 41 77 49 42 41 67 49 50 54 45 73 78 4d 44 45 |gAwIBAgIPTEsxMDE|
00018f70: 79 4e 55 52 51 4d 6a 49 77 4d 7a 51 32 4d 41 30 |yNURQMjIwMzQ2MA0|
00018f80: 47 43 53 71 47 53 49 62 33 44 51 45 42 42 51 55 |GCSqGSIb3DQEBBQU|
00018f90: 41 4d 44 55 78 0a 43 7a 41 4a 42 67 4e 56 42 41 |AMDUx.CzAJBgNVBA|
00018fa0: 59 54 41 6b 5a 53 4d 51 34 77 44 41 59 44 56 51 |YTAkZSMQ4wDAYDVQ|
00018fb0: 51 44 45 77 56 54 51 55 64 46 54 54 45 57 4d 42 |QDEwVTQUdFTTEWMB|
00018fc0: 51 47 41 31 55 45 43 78 4d 4e 54 47 6c 32 5a 57 |QGA1UECxMNTGl2ZW|
00018fd0: 4a 76 65 43 42 54 0a 51 55 64 46 54 54 41 65 46 |JveCBT.QUdFTTAeF|
00018fe0: 77 30 78 4d 44 41 31 4d 44 55 78 4f 54 49 34 4d |w0xMDA1MDUxOTI4M|
00019360: 70 67 3d 3d 0a 2d 2d 2d 2d 2d 45 4e 44 20 43 45 |pg==.-----END CE|
00019370: 52 54 49 46 49 43 41 54 45 2d 2d 2d 2d 2d 0a 00 |RTIFICATE-----..|
00018750: 4b 45 59 2d 2d 2d 2d 2d 0a 4d 49 49 43 58 51 49 |KEY-----.MIICXQI|
00018760: 42 41 41 4b 42 67 51 44 78 75 34 51 55 6b 56 4d |BAAKBgQDxu4QUkVM|
00018770: 31 57 31 58 30 61 71 38 49 48 59 58 71 53 35 33 |1W1X0aq8IHYXqS53|
00018780: 6c 71 36 51 4b 69 31 6a 73 30 65 66 57 42 67 6a |lq6QKi1js0efWBgj|
00018790: 43 6e 4a 55 63 30 72 4d 32 0a 70 70 67 77 77 57 |CnJUc0rM2.ppgwwW|
000187a0: 45 5a 36 35 45 31 54 4a 71 63 70 33 37 4e 6f 66 |EZ65E1TJqcp37Nof|
000187b0: 2b 4a 36 62 56 36 37 38 42 59 72 36 74 5a 56 2b |+J6bV678BYr6tZV+|
000187c0: 33 79 41 63 2b 61 56 6f 63 74 54 46 42 4f 4e 4c |3yAc+aVoctTFBONL|
000187d0: 31 71 57 6b 6f 62 65 57 78 59 0a 57 42 39 66 75 |1qWkobeWxY.WB9fu|
000187e0: 2b 7a 75 6d 71 44 30 65 73 79 65 34 58 6b 68 52 |+zumqD0esye4XkhR|
000187f0: 66 70 67 78 6a 35 63 61 41 75 76 76 6f 5a 51 70 |fpgxj5caAuvvoZQp|
00018800: 6d 7a 43 35 79 4e 74 58 47 6f 57 6c 7a 54 76 74 |mzC5yNtXGoWlzTvt|
00018810: 39 64 33 6f 51 49 44 41 51 41 42 0a 41 6f 47 41 |9d3oQIDAQAB.AoGA|
00018820: 45 75 77 45 75 4c 39 76 62 66 76 4b 54 4b 6d 56 |EuwEuL9vbfvKTKmV|
00018830: 4c 65 4e 78 75 68 64 56 4d 73 63 75 76 67 79 4f |LeNxuhdVMscuvgyO|
00018840: 56 32 74 4f 35 48 66 77 63 35 74 69 4b 4c 46 74 |V2tO5Hfwc5tiKLFt|
00018850: 69 64 65 63 6a 69 52 30 2f 31 78 72 0a 4c 32 72 |idecjiR0/1xr.L2r|
00018860: 68 70 32 57 4e 44 58 65 69 30 78 37 53 4c 39 39 |hp2WNDXei0x7SL99|
00018870: 59 68 52 69 72 4a 74 6f 2f 4b 70 43 62 73 66 35 |YhRirJto/KpCbsf5|
00018880: 51 79 65 52 71 58 4e 57 6f 61 6d 71 37 46 4a 79 |QyeRqXNWoamq7FJy|
00018890: 66 50 61 62 4c 32 38 79 4e 41 4e 46 49 0a 4e 52 |fPabL28yNANFI.NR|
000188a0: 42 54 50 38 6e 30 70 46 6f 78 51 50 52 50 6e 4e |BTP8n0pFoxQPRPnN|
000188b0: 33 58 65 4b 52 6d 58 47 67 4b 47 70 79 77 74 54 |3XeKRmXGgKGpywtT|
000188c0: 52 38 31 39 67 36 69 54 44 6b 48 4d 6b 43 51 51 |R819g6iTDkHMkCQQ|
000188d0: 44 2f 36 2f 68 74 30 4e 63 76 38 55 72 43 0a 5a |D/6/ht0Ncv8UrC.Z|
000188e0: 70 72 53 6b 47 6f 73 71 4e 4e 44 52 6e 39 36 47 |prSkGosqNNDRn96G|
000188f0: 76 55 33 7a 36 62 68 50 46 69 76 4c 30 37 54 38 |vU3z6bhPFivL07T8|
00018900: 44 6c 65 78 45 70 76 54 44 55 33 6a 49 67 77 59 |DlexEpvTDU3jIgwY|
00018910: 69 2f 66 6b 6c 79 41 2f 64 6c 54 55 48 67 2f 0a |i/fklyA/dlTUHg/.|
00018a90: 46 0a 2d 2d 2d 2d 2d 45 4e 44 20 52 53 41 20 50 |F.-----END RSA P|
00018aa0: 52 49 56 41 54 45 20 4b 45 59 2d 2d 2d 2d 2d 0a |RIVATE KEY-----.|
________________________________________
00018f30: 00 00 00 00 00 00 00 00 00 2d 2d 2d 2d 2d 42 45 |.........-----BE|
00018f40: 47 49 4e 20 43 45 52 54 49 46 49 43 41 54 45 2d |GIN CERTIFICATE-|
00018f50: 2d 2d 2d 2d 0a 4d 49 49 43 2b 6a 43 43 41 65 4b |----.MIIC+jCCAeK|
00018f60: 67 41 77 49 42 41 67 49 50 54 45 73 78 4d 44 45 |gAwIBAgIPTEsxMDE|
00018f70: 79 4e 55 52 51 4d 6a 49 77 4d 7a 51 32 4d 41 30 |yNURQMjIwMzQ2MA0|
00018f80: 47 43 53 71 47 53 49 62 33 44 51 45 42 42 51 55 |GCSqGSIb3DQEBBQU|
00018f90: 41 4d 44 55 78 0a 43 7a 41 4a 42 67 4e 56 42 41 |AMDUx.CzAJBgNVBA|
00018fa0: 59 54 41 6b 5a 53 4d 51 34 77 44 41 59 44 56 51 |YTAkZSMQ4wDAYDVQ|
00018fb0: 51 44 45 77 56 54 51 55 64 46 54 54 45 57 4d 42 |QDEwVTQUdFTTEWMB|
00018fc0: 51 47 41 31 55 45 43 78 4d 4e 54 47 6c 32 5a 57 |QGA1UECxMNTGl2ZW|
00018fd0: 4a 76 65 43 42 54 0a 51 55 64 46 54 54 41 65 46 |JveCBT.QUdFTTAeF|
00018fe0: 77 30 78 4d 44 41 31 4d 44 55 78 4f 54 49 34 4d |w0xMDA1MDUxOTI4M|
00019360: 70 67 3d 3d 0a 2d 2d 2d 2d 2d 45 4e 44 20 43 45 |pg==.-----END CE|
00019370: 52 54 49 46 49 43 41 54 45 2d 2d 2d 2d 2d 0a 00 |RTIFICATE-----..|
Una vez tenemos esto podemos hacernos pasar por otro router ya que se comunican mediante el protocolo TR069. Cada vez que arranca el router este comunica con el servidor de Orange para obtener actualizaciones o configuración del proveedor SIP:
http://karma-sip.orange.com:80/fr/parameter_request
Las claves que usa se encuentran en:
Citar
/etc # cat parameters.txt
ACS_URL string https://karma.orange.com/krmx69/es
username string sage*****
password string ca******
ConnectionRequestPort unsignedInt 50805
IGD_Mngt_ConnectionRequestURLPath string /
ConnectionRequest_basic_auth_activate boolean 0
ConnectionRequest_digest_auth_activate boolean 1
ConnectionRequestBacklog unsignedInt 100
ConnectionRequestUsername string Default
ConnectionRequestPassword string orange
authrealm string gSOAP_Web_Service
id string LIVEBOX_ID_
send_http_opaque boolean 1
Maxenvelopes unsignedInt 1
receive_timeout unsignedInt 20
PeriodicInformInterval unsignedInt 432000
PeriodicInformTime unsignedInt 0
nbr_max_connection_request unsignedInt 50
ConnectionRequestPeriod unsignedInt 3600
id_activate boolean 1
PeriodicInformEnable boolean 1
DownloadSleepDuration unsignedInt 25
autonome_mode boolean 0
with_certif_exchange boolean 1
client_pem string /etc/client.pem
password_ssl string NULL
cacert_pem string /etc/cacert.pem
capath string NULL
ssl_randfile string NULL
comm_mode unsignedInt 2
/etc #
ACS_URL string https://karma.orange.com/krmx69/es
username string sage*****
password string ca******
ConnectionRequestPort unsignedInt 50805
IGD_Mngt_ConnectionRequestURLPath string /
ConnectionRequest_basic_auth_activate boolean 0
ConnectionRequest_digest_auth_activate boolean 1
ConnectionRequestBacklog unsignedInt 100
ConnectionRequestUsername string Default
ConnectionRequestPassword string orange
authrealm string gSOAP_Web_Service
id string LIVEBOX_ID_
send_http_opaque boolean 1
Maxenvelopes unsignedInt 1
receive_timeout unsignedInt 20
PeriodicInformInterval unsignedInt 432000
PeriodicInformTime unsignedInt 0
nbr_max_connection_request unsignedInt 50
ConnectionRequestPeriod unsignedInt 3600
id_activate boolean 1
PeriodicInformEnable boolean 1
DownloadSleepDuration unsignedInt 25
autonome_mode boolean 0
with_certif_exchange boolean 1
client_pem string /etc/client.pem
password_ssl string NULL
cacert_pem string /etc/cacert.pem
capath string NULL
ssl_randfile string NULL
comm_mode unsignedInt 2
/etc #
Por lo tanto, nos podríamos hacer pasar por otro usuario, robarle los credenciales VOIP y llamar desde nuestro Smartphone a cualquier parte del mundo, cobrándole a la otra persona las llamadas.
DDOS contra servidor Orange, modificamos el router para que este una vez dentro del server, haga, peticiones estúpidas contra el servidor y lo sature. Varios routers haciendo esto, dejarían sin servicio VOIP a Orange
Formación del usuario hsdpa:
XXXXXX-YYYYYYYYYYYYYYY@orangeBackup.net
XXXXXX - principio de MAC de la pegatina.
YYYYYYYYYYYYYYY - número de serie de la pegatina.
@orangeBackup.net - terminación para todos.
Datos de conexión ADSL Orange:
Vpi : 8
Vci : 35
usuario : orangeuser@orangeadsl
password : orangeuser123
Aplicación para windows.
Proximamente .........
Aplicación para android.
Proximamente .........
Esperamos pronto podais disfrutar con moderación del control total de vuestro router Livebox2. Esto es solo el principio.
Equipo : Estudio de Cifrados
www.Seguridadwireless.net
SeguridadWireless - Política de Publicación de Vulnerabilidades
En línea
