Amtec (ElsagDatamag) Argo 55/95 – Take 3: Sniffing the password! —
Even if we learned some useful things about our router (and in the next posts, we will continue to explore it), we still need to find the credentials to access to the interface.
The interface is available via http or https and telnet, on the external interface – you can access it only from the local network, but you need to use the external ip address of the router.
But how can we find the username / password? Well, when Fastweb started delivering those boxes, they left the default values of admin / admin – guessing that was easy, and everyone was happy :) But the fun didn’t last long – they quickly remotely upgraded the firmware, changing the password and stopping the joy.
So, what can we do? Luckily I found a couple of those things:
They are media converters – the media converter it’s the link between optical fiber and twisted pair. A couple of those, an hub, Wireshark, and we have the perfect setup to do Man In The Middle!
The plan is simple: we start to sniff packets between the router and the Fastweb infrastructure, then we reset the router configuration (keeping pressed the reset pushbutton for about 15 sec), and… yes! We get the configuration file!
Luckily, in OpenRG the password is obfuscated (and not encrypted!), and we can deobfuscate it with Zibri’s OpenRG deobfiscator. Bingo!
Username: lanadmin / Password: lanpasswd
Username: UserName / Password: Password
Yes… they didn’t learn anything.
Categorised as: Hacking
Hello!
I do not know if I can write in Italian … but they that are interested, I also in this project … the first thing I wanted to ask where you bought the media converters with 3M VF45 … on ebay there are not many products … and then how do you access from your LAN? I ask because first, you could access via the IP MAN but now with an additional Update and was uninhibited access from the LAN …
In my opinion you should necessarily go through the media converter via the WAN …
Another problem … in theory to access the WAN, you must set the IP address from which you access with a PC in a static way because, in my opinion, the Fast MAN, there is no active DHCP … so what would be the IP and mask address ?
Fortunately I already know the IP, but we have to explain more in details for the others …
Greetings and see you soon!
Hi iulius, I’d like do keep english as main blog language, but if you feel uncomfortable with that we can switch to italian.
Anyway, the mediaconverters came with an old small business Fastweb contract: sadly I haven’t been unable to find them elsewhere – and apparently almost only Fastweb is using the 3M system.
I’m not sure I understood correctly – now http and https ports are closed on the external ip addresses (WAN, MAN)?
I think that, if this is the case, the best way would be to use the serial port header – at the end of the boot, you can login and configure the router via shell.
I think that the media converter method is somewhat impraticable.
So if you tried to enter the WAN side (the VF45) you can not login?
I thought that could be done.
Before the last update …. I disabled the TR-069 and someone entered the same, in the router … and did the updates … Now, I am with the router, which will not let me enter the interface as “Argos Manager Console” because someone has disabled access to the user side (LAN) …
Frankly I didn’t try, but I’m fairly sure that is unaccessible. Reading the configuration, the only allowed access from outside is via telnet, and only for selected networks.
Out of curiosity, when did you notice this “update”?
I’ll try to do a post with some info to harden the router – only disabling TR-069 didn’t work for me either (when the username / password was admin / admin).
first of all thank you for your work,
I looked for the media converters you used but I cannot find them anywhere.
Since I am looking for getting rid of that router I was wondering if it was possibile to use a media converter and an ethernet router to substitute the elsa.
Now I am trying to find a way to convert the terrible 3M VF-45 connector to something common like SC or LC so I can use common media converters.
cheers!
Panda, did you succeed? I would also love to replace the Argo with a converter and use my own router.
Ciao Bano,
Prima di tutto grazie per la tua guida: la seguii 4 anni fa riuscendo a sbloccare il mio argo di allora, ma poi per motivi tecnici, un anno e mezzo fa me lo hanno sostituito perchè morto… dandomi un altro argo lasciato intatto.
Da allora l’ho tenuto stock, ed ora volevo muovermi per una modifica un po’ più radicale: rimuovere l’ARGO e sostituirlo con un router mio.
In questo momento ho acquistato una bretella vf-45 to SC e un media converter 100base-sx, protocollo suggerito vedendo quelli qui riportati in foto (purtroppo ho potuto acquistare solo un AT-MC116XL), ma ho un problema probabilmente di negoziazione del protocollo: la cosa strana che appunto mi capita è che quando collego qualcosa alla porta ethernet, essa viene vista “down” dal dispositivo, quindi esso stesso sembra non dialogare con l’altro capo del cavo. Il media converter presenta
3 spie lato fibra:
– rec -> attività
– 10 -> si accende se allineato a 10base-sx
– 100 -> si accende se allineato a 100base-sx
3 spie lato ethernet:
– rec -> attività
– 10 o 100 -> in caso lato eth il dispositivo supporti l’una o l’altra velocità
Nel momento in cui collego il cavo in fibra, la spia 100 della fibra si illumina, mentre quando collego il pc / router via ethernet, ottengo un comportamento strano:
– Se l’autonegoziazione della velocità è attiva, la spia attività lato ethernet continua a lampeggiare, se la spengo settando a mano la velocità, vedo purtroppo la spia della velocità impostata che fissa, ogni 10 secondi si spegne ed accende, ma per il dispositivo ethernet la porta rimane DOWN.
Inutile dire che ho modificato il mac address, ho settato gli ip esterno e MAN, ma purtroppo non ne sono venuto a capo.
Se collego invece il media conv alla porta fibra dell’argo, la porta ethernet va up e riesco a vedere l’argo con il suo ip MAN.
Volevo quindi approfittarne per chiederti se avevi avuto modo di fare queste prove, avendo tu più esperienza e più materiale a disposizione, per capire se questo swap è possibile o se l’argo effettua delle operazioni di autenticazione particolari che non conosciamo, anche se a me ad occhio sembrano più problemi di mancata negoziazione.
Grazie mille
Paolo