Even though we have learned some useful things about our router (and in the next posts we will continue to explore it), we still need to find the credentials to access the interface.
The interface is available via HTTP or HTTPS and telnet, on the external interface – you can access it only from the local network, but you need to use the external IP address of the router.
But how can we find the username / password? Well, when Fastweb started delivering those boxes, they left the default values of admin / admin – guessing that was easy, and everyone was happy :) But the fun didn’t last long – they quickly upgraded the firmware remotely, changing the password and stopping the joy.
So, what can we do? Luckily I found a couple of those things:
They are media converters – a media converter is the link between optical fiber and twisted pair. A couple of those, a hub, Wireshark, and we have the perfect setup to do Man In The Middle!
The plan is simple: we start to sniff packets between the router and the Fastweb infrastructure, then we reset the router configuration (keeping the reset pushbutton pressed for about 15 sec), and… yes! We get the configuration file!
Luckily, in OpenRG the password is obfuscated (and not encrypted!), and we can deobfuscate it with Zibri’s OpenRG deobfuscator. Bingo!
Username: lanadmin / Password: lanpasswd
Username: UserName / Password: Password
Yes… they didn’t learn anything.