How to hack the password on a WRT54GR v1.1 (solder, TTL cable)

Here is a quick guide on how to hack the password out of the WRT54GR v1.1 from Linksys.
I'm posting this guide as an example for this thread:
http://www.freakforum.nu/forum/showthread.php?t=116649

http://ranvik.net/privat/router/wrt54ag/CAM_0046.JPG <- picture of it
More pictures are at: http://ranvik.net/privat/router/wrt54gr/

But on to the part that is actually useful.

First of all you need a TTL cable, see the forum thread above.

Next you have to solder the TTL cable onto the router. I have found the pinout here:
http://ranvik.net/privat/router/wrt54gr/pinout.JPG

In text form the pinout is:
1 = TX
2 = +3.3 V (power for the TTL)
3 =
4 = +3.3 V (power for the TTL)
5 =
6 = GND
7 = RX
8 = GND
9 =

When all of that is soldered on, start HyperTerminal or PuTTY with these settings:
port speed: 38400
data bits: 8
parity: none
stop bits: 1
flow control: hardware

Then power on the router, and you will see something like this:

Code

+Ethernet eth0: MAC address 00:00:01:02:03:04
IP: 192.168.1.1/255.255.255.0, Gateway: 192.168.1.254
Default server: 0.0.0.0

RedBoot(tm) bootstrap and debug environment [ROM]
Non-certified release, version v2_0 - built 18:31:11, Aug  4 2005

Platform: PC (I386) 
Copyright (C) 2000, 2001, 2002, Red Hat, Inc.

RAM: 0x00000000-0x000f0000, 0x00072ed0-0x000a0000 available
ver 00:0003  05-24-05
<press Ctrl+C to enter prompt mode>
# Activate RDC-Keilven's RS232 Patch V2
               RedBoot> 
# Kernel size = 726222 bytes
# FW size = 2635008 bytes

# fwcheck: base = 0x00400000, size = 0x00000400
# Firmware Checksum O.K
# Kernel copying......BEGIN
# Kernel copying......FINISH

mem_size: 1000000
Linux version 2.4.29 (heidi@cvs2) (gcc version 3.4.1) #250 Fri Apr 28 15:13:43 CST 2006

BIOS-provided physical RAM map:
 BIOS-e801: 0000000000000000 - 000000000009f000 (usable)
 BIOS-e801: 0000000000100000 - 0000000001000000 (usable)
16MB LOWMEM available.
On node 0 totalpages: 4096
zone(0): 4096 pages.
zone(1): 0 pages.
zone(2): 0 pages.
DMI not present.
Kernel command line: console=ttyS0,38400 root=/dev/mtdblock1 noinitrd
Initializing CPU#0
Calibrating delay loop... 49.86 BogoMIPS
Memory: 14288k/16384k available (1068k kernel code, 1708k reserved, 192k data, 76k init, 0k highmem)
Checking if this processor honours the WP bit even in supervisor mode... Ok.
Dentry cache hash table entries: 2048 (order: 2, 16384 bytes)
Inode cache hash table entries: 1024 (order: 1, 8192 bytes)
Mount cache hash table entries: 512 (order: 0, 4096 bytes)
Buffer cache hash table entries: 1024 (order: 0, 4096 bytes)
Page-cache hash table entries: 4096 (order: 2, 16384 bytes)
CPU: Cyrix Cx486SLC
Checking 'hlt' instruction... OK.
Checking for popad bug... OK.
POSIX conformance testing by UNIFIX
PCI: Using configuration type 1
PCI: Probing PCI hardware
PCI: Probing PCI hardware (bus 00)
Linux NET4.0 for Linux 2.4
Based upon Swansea University Computer Society NET3.039
Initializing RT netlink socket
Starting kswapd
devfs: v1.12c (20020818) Richard Gooch (rgooch@atnf.csiro.au)
devfs: boot_options: 0x1
Squashfs 2.1-r2 (released 2004/12/15) (C) 2002-2004 Phillip Lougher
keyboard: Timeout - AT keyboard not present?(ed)
keyboard: Timeout - AT keyboard not present?(f4)
Serial driver version 5.05c (2001-07-08) with MANY_PORTS SHARE_IRQ SERIAL_PCI enabled
ttyS00 at 0x03f8 (irq = 4) is a 16550A
RAMDISK driver initialized: 16 RAM disks of 4096K size 1024 blocksize
rdc: RDC R6040 net driver, version 0.6 (9July2004)
rdc: RDC R6040 net driver, version 0.6 (9July2004)
rdc: RDC R6040 net driver, version 0.6 (9July2004)
PPP generic driver version 2.4.2
flash device: 400000 at ffc00000
## Decide to use AMD/Fujitsu Standard command set.
## MFG ID = 0x00C2, DEV ID = 0x22A7
Total size = 4 MB
Creating 5 MTD partitions on "RDC3210 Flash":
0x00000000-0x003c0000 : "linux"
0x000b1500-0x003c0000 : "romfs"
mtd: partition "romfs" doesn't start on an erase block boundary -- force read-only
0x003c0000-0x003d0000 : "nvram"
0x003d0000-0x003e0000 : "factory"
0x003e0000-0x00400000 : "bootldr"
NET4: Linux TCP/IP 1.0 for NET4.0
IP Protocols: ICMP, UDP, TCP, IGMP
IP: routing cache hash table of 512 buckets, 4Kbytes
TCP: Hash tables configured (established 1024 bind 2048)
IPv4 over IPv4 tunneling driver
GRE over IPv4 tunneling driver
Linux IP multicast router 0.06 plus PIM-SM
ip_conntrack version 2.1 (8192 buckets, 65536 max) - 340 bytes per conntrack
ip_tables: (C) 2000-2002 Netfilter core team
ipt_time loading
NET4: Unix domain sockets 1.0/SMP for Linux NET4.0.
NET4: Ethernet Bridge 008 for NET4.0
VFS: Mounted root (squashfs filesystem) readonly.
Mounted devfs on /dev
Freeing unused kernel memory: 76k freed

BusyBox v1.00 (2006.04.26-03:52+0000) Built-in shell (msh)
Enter 'help' for a list of built-in commands.

# #sysinit: [sysinit]
Using /etc/resetDefault.o
Using /etc/RDC_reboot.o
---- Restarting system ----

---- Enable Watchdog ----

This is the parent process, pid = 28
# update nvram with default list!
# interfaces_init......
Using /etc/rt61ap.o
This is the child process, pid = 35
Setting ra0 configuration....
CountryRegion=1
BssidNum=1
SSID=ranviksyden
WirelessMode=0
TxRate=0
Channel=6
BeaconPeriod=100
DtimPeriod=1
TxPower=100
BGProtection=0
RTSThreshold=2346
FragThreshold=2346
TxBurst=1
ShortSlot=1
PktAggregate=1
NoForwarding=0
NoForwardingBTNBSSID=0
HideSSID=0
Key1Type=0
Key1Str=
Key2Type=0
Key2Str=
Key3Type=0
Key3Str=
Key4Type=0
Key4Str=
WdsEnable=0
WdsList=
WdsKey=
WdsEncrypType=NONE
AutoChannelSelect=0
RekeyInterval=3600
WPAPSK=
AccessPolicy0=0
RADIUS_Server=0.0.0.0
RADIUS_Port=1812
RADIUS_Key=
own_ip_addr=192.168.15.2
session_timeout_interval=0
DisableOLBC=1
WmmCapable=0
AckPolicy=0;0;0;0
APAifsn=3;7;1;1
APCwmin=4;4;3;2
APCwmax=6;10;4;3
APTxop=0;0;94;47
APACM=0;0;0;0
BSSAifsn=3;7;2;2
BSSCwmin=4;4;3;2
BSSCwmax=10;10;4;3
BSSTxop=0;0;94;47
BSSACM=0;0;0;0
TxAntenna=1
AuthMode=WEPAUTO
EncrypType=NONE
DefaultKeyID=1
BasicRate=15
IEEE8021X=0
device eth1 entered promiscuous mode
device ra0 entered promiscuous mode
ra0: attempt to add interface with same source address.
br0: port 2(ra0) entering listening state
br0: port 1(eth1) entering listening state
# lan services init......
Start UPnP
Start tftpd
 
 Configuration file: /var/RT61AP/RT61AP.dat
 conf->SsidNum=1
 IP address: '0.0.0.0'
 RADIUS_Port: '1812'
 Line 39: empty shared secret is not allowed.
 RADIUS_Key: '', Key_len: 0
 session_timeout policy = not use 
 Read Session Timeout Interval  0 seconds. 
 Set Session Timeout Interval  3600 seconds. 
 1 errors found in configuration file '/var/RT61AP/RT61AP.dat'
 Could not allocate memory for rtapd->conf 
Dante's tiny TFTP Server is ready on port 69
route: resolving gw
route: resolving gw
route: resolving gw
route: resolving gw
route: resolving gw
# wan_init......
httpd : This is httpd...ssl_enabled is 0

Then type: nvram show and press Enter, and a LOT will come up, like this:

Code

# nvram show
fw_version=1.04, Apr 26, 2006
my_fw_version=1.0.58 2006_04_28_1450
hw_version=WRTR_136G_v01

pppoe_username=
pppoe_password=
pppoe_service_name=
pppoe_mtu=1492
pppoe_autoReconnect=0
pppoe_demand=0
pppoe_idle_time=15
pppoe_redial_time=30
pptp_username=
pptp_password=
bigpond_enabled=0
bigpond_serveripr=0.0.0.0
bigpond_username=
bigpond_password=
httpd_realm=uClinux IXP425
httpd_username=admin
httpd_password=admin
httpd_wanport=0
tproxy_enabled=0
tproxy_localport=81
tproxy_proxyhost=
tproxy_proxyport=
client_from_remote=0
remote_upgrade=0
udptest_enabled=0
http_username=
login_password=admin
http_passwd=admin
web_use_https=0
wireless_control=1
remote_mgmt_enabled=0
upnp_enabled=1
allow_user_conf=1
allow_user_disable=1
auth_title=Linksys WRT54GR

#
That is a dump of the entire NVRAM on the router, and you can easily scroll up through it or search for e.g. "pass", and you will find the password very easily in clear text.

While you are in on the router you can of course run other Linux commands too, if someone wants to look for holes in the web interface etc.

NB: the NVRAM dump got a bit long so I had to cut out some things; the full list is on my web page.
Last edited by ranvik; 26 October 2008 at 03:52.
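As an added example that is not part of ranvik's post: the manual "scroll up or search for pass" step from the post, automated as a small Python script that triages a saved `nvram show` dump offline. It parses the key=value lines, lists every credential-bearing key that is actually set, marks values that are a known vendor default (admin/admin, as in the dump above), and flags settings that widen the exposure of the web UI. The key-name patterns, the default list, and the meaning assigned to web_use_https, remote_mgmt_enabled and upnp_enabled are assumptions based on the names as they appear in the dump, not documented Linksys semantics; the embedded sample is constructed from the lines quoted in the post, not the full NVRAM.

```python
"""Offline triage of a router `nvram show` dump (added example, not from the post)."""
import re
import sys
from typing import Dict, List, Tuple

# Constructed sample: a subset of the lines quoted in the post's dump,
# including the prompt lines a terminal capture would contain.
SAMPLE_DUMP = """\
# nvram show
fw_version=1.04, Apr 26, 2006
hw_version=WRTR_136G_v01
pppoe_username=
pppoe_password=
httpd_realm=uClinux IXP425
httpd_username=admin
httpd_password=admin
login_password=admin
http_passwd=admin
web_use_https=0
remote_mgmt_enabled=0
upnp_enabled=1
auth_title=Linksys WRT54GR
#
"""

# Key-name fragments that normally carry a secret (assumed, not a vendor list).
# Index-style names such as DefaultKeyID are deliberately not matched.
SECRET_KEY = re.compile(r"pass|psk|secret|_key$|^key\d+str$", re.IGNORECASE)

# Assumed vendor defaults worth flagging; admin/admin is what the post's dump shows.
DEFAULT_VALUES = {"admin", "password", "1234"}

# setting -> (risky value, reason). Semantics assumed from the variable names.
RISKY_SETTINGS = {
    "web_use_https": ("0", "web UI served over plain HTTP"),
    "remote_mgmt_enabled": ("1", "web UI reachable from the WAN side"),
    "upnp_enabled": ("1", "UPnP lets LAN hosts open WAN ports"),
}


def parse_nvram(dump: str) -> Dict[str, str]:
    """Turn `nvram show` output into a dict.

    Prompt lines ('# nvram show', '#') and blanks are skipped. A value may
    itself contain '=' (e.g. a URL), so the line is split on the first '=' only.
    """
    vars_: Dict[str, str] = {}
    for line in dump.splitlines():
        line = line.rstrip("\r")
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        vars_[key.strip()] = value
    return vars_


def find_secrets(vars_: Dict[str, str]) -> List[Tuple[str, str]]:
    """(key, value) pairs whose key looks like a credential and whose value is set."""
    return sorted((k, v) for k, v in vars_.items()
                  if SECRET_KEY.search(k) and v != "")


def find_default_creds(vars_: Dict[str, str]) -> List[str]:
    """Credential keys still holding one of the assumed vendor defaults."""
    return [k for k, v in find_secrets(vars_) if v.lower() in DEFAULT_VALUES]


def find_risky_settings(vars_: Dict[str, str]) -> List[Tuple[str, str]]:
    """(key, reason) for settings that sit at their risky value."""
    return [(k, why) for k, (bad, why) in RISKY_SETTINGS.items()
            if vars_.get(k) == bad]


def report(dump: str) -> str:
    """Human-readable summary: parsed count, cleartext secrets, risky settings."""
    vars_ = parse_nvram(dump)
    lines = [f"{len(vars_)} variables parsed"]
    for k, v in find_secrets(vars_):
        tag = " (VENDOR DEFAULT)" if v.lower() in DEFAULT_VALUES else ""
        lines.append(f"secret  {k}={v}{tag}")
    for k, why in find_risky_settings(vars_):
        lines.append(f"setting {k}={vars_[k]}: {why}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python nvram_triage.py dump.txt ; with no argument, run on the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_DUMP
    print(report(text))
```

Save the terminal capture to a file and run the script on it; on the sample it reports the three admin passwords as vendor defaults and flags the plain-HTTP web UI and UPnP. Keys with an empty value (pppoe_password above) are listed by `parse_nvram` but not reported as secrets, so a stray "pass" in an unused feature does not drown the real findings.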