Even if we learned some useful things about our router (and in the next posts, we will continue to explore it), we still need to find the credentials to access to the interface.
The interface is available via http or https and telnet, on the external interface - you can access it only from the local network, but you need to use the external ip address of the router.
But how can we find the username / password? Well, when Fastweb started delivering those boxes, they left the default values of admin / admin – guessing that was easy, and everyone was happy :) But the fun didn’t last long – they quickly remotely upgraded the firmware, changing the password and stopping the joy.
So, what can we do? Luckily I found a couple of those things:
They are media converters – the media converter it’s the link between optical fiber and twisted pair. A couple of those, an hub, Wireshark, and we have the perfect setup to do Man In The Middle!
The plan is simple: we start to sniff packets between the router and the Fastweb infrastructure, then we reset the router configuration (keeping pressed the reset pushbutton for about 15 sec), and… yes! We get the configuration file!
Luckily, in OpenRG the password is obfuscated (and not encrypted!), and we can deobfuscate it with Zibri’s OpenRG deobfiscator. Bingo!
Username: lanadmin / Password: lanpasswd
Username: UserName / Password: Password
Yes… they didn’t learn anything.
Hello!
I do not know if I can write in Italian … but they that are interested, I also in this project … the first thing I wanted to ask where you bought the media converters with 3M VF45 … on ebay there are not many products … and then how do you access from your LAN? I ask because first, you could access via the IP MAN but now with an additional Update and was uninhibited access from the LAN …
In my opinion you should necessarily go through the media converter via the WAN …
Another problem … in theory to access the WAN, you must set the IP address from which you access with a PC in a static way because, in my opinion, the Fast MAN, there is no active DHCP … so what would be the IP and mask address ?
Fortunately I already know the IP, but we have to explain more in details for the others …
Greetings and see you soon!
Hi iulius, I’d like do keep english as main blog language, but if you feel uncomfortable with that we can switch to italian.
Anyway, the mediaconverters came with an old small business Fastweb contract: sadly I haven’t been unable to find them elsewhere – and apparently almost only Fastweb is using the 3M system.
I’m not sure I understood correctly – now http and https ports are closed on the external ip addresses (WAN, MAN)?
I think that, if this is the case, the best way would be to use the serial port header – at the end of the boot, you can login and configure the router via shell.
I think that the media converter method is somewhat impraticable.
So if you tried to enter the WAN side (the VF45) you can not login?
I thought that could be done.
Before the last update …. I disabled the TR-069 and someone entered the same, in the router … and did the updates … Now, I am with the router, which will not let me enter the interface as “Argos Manager Console” because someone has disabled access to the user side (LAN) …
Frankly I didn’t try, but I’m fairly sure that is unaccessible. Reading the configuration, the only allowed access from outside is via telnet, and only for selected networks.
Out of curiosity, when did you notice this “update”?
I’ll try to do a post with some info to harden the router – only disabling TR-069 didn’t work for me either (when the username / password was admin / admin).