How to hack the password on a WRT54GR v1.1 (soldering, TTL cable)
Here is a quick guide on how to hack the password out of a WRT54GR v1.1 from Linksys.
I'm posting the guide as an example in this thread:
http://www.freakforum.nu/forum/showthread.php?t=116649
http://ranvik.net/privat/router/wrt54ag/CAM_0046.JPG <- picture of it
More pictures are here: http://ranvik.net/privat/router/wrt54gr/
But on to the part that is somewhat more useful.
First of all you need a TTL cable, see the forum thread above.
Next you have to solder the TTL cable onto the router. I found the pinout here:
http://ranvik.net/privat/router/wrt54gr/pinout.JPG
In text form the pinout is:
1 = TX
2 = +3.3 V (power for the TTL)
3 =
4 = +3.3 V (power for the TTL)
5 =
6 = GND
7 = RX
8 = GND
9 =
When all of that is soldered on, start HyperTerminal or PuTTY and use these settings:
port speed: 38400
data bits: 8
parity: none
stop bits: 1
flow control: hardware
Then power up the router, and you will see something like this:
Then type: nvram show and press Enter, and a LOT like this will come up:
That is a dump of the whole nvram on the router, and you can easily scroll up or search for e.g. "pass" and you will find the password very easily in clear text.
While you're in on the router you can of course run other Linux commands too, if anyone wants to look for holes in the web page etc.
NB: the nvram dump got a bit long so I had to cut some things out; the full list is on my website.
Code
+Ethernet eth0: MAC address 00:00:01:02:03:04
IP: 192.168.1.1/255.255.255.0, Gateway: 192.168.1.254
Default server: 0.0.0.0

RedBoot(tm) bootstrap and debug environment [ROM]
Non-certified release, version v2_0 - built 18:31:11, Aug 4 2005

Platform: PC (I386)
Copyright (C) 2000, 2001, 2002, Red Hat, Inc.

RAM: 0x00000000-0x000f0000, 0x00072ed0-0x000a0000 available
ver 00:0003 05-24-05
<press Ctrl+C to enter prompt mode>
# Activate RDC-Keilven's RS232 Patch V2
RedBoot>
# Kernel size = 726222 bytes
# FW size = 2635008 bytes
# fwcheck: base = 0x00400000, size = 0x00000400
# Firmware Checksum O.K
# Kernel copying......BEGIN
# Kernel copying......FINISH
mem_size: 1000000
Linux version 2.4.29 (heidi@cvs2) (gcc version 3.4.1) #250 Fri Apr 28 15:13:43 CST 2006
BIOS-provided physical RAM map:
 BIOS-e801: 0000000000000000 - 000000000009f000 (usable)
 BIOS-e801: 0000000000100000 - 0000000001000000 (usable)
16MB LOWMEM available.
On node 0 totalpages: 4096
zone(0): 4096 pages.
zone(1): 0 pages.
zone(2): 0 pages.
DMI not present.
Kernel command line: console=ttyS0,38400 root=/dev/mtdblock1 noinitrd
Initializing CPU#0
Calibrating delay loop... 49.86 BogoMIPS
Memory: 14288k/16384k available (1068k kernel code, 1708k reserved, 192k data, 76k init, 0k highmem)
Checking if this processor honours the WP bit even in supervisor mode... Ok.
Dentry cache hash table entries: 2048 (order: 2, 16384 bytes)
Inode cache hash table entries: 1024 (order: 1, 8192 bytes)
Mount cache hash table entries: 512 (order: 0, 4096 bytes)
Buffer cache hash table entries: 1024 (order: 0, 4096 bytes)
Page-cache hash table entries: 4096 (order: 2, 16384 bytes)
CPU: Cyrix Cx486SLC
Checking 'hlt' instruction... OK.
Checking for popad bug... OK.
POSIX conformance testing by UNIFIX
PCI: Using configuration type 1
PCI: Probing PCI hardware
PCI: Probing PCI hardware (bus 00)
Linux NET4.0 for Linux 2.4
Based upon Swansea University Computer Society NET3.039
Initializing RT netlink socket
Starting kswapd
devfs: v1.12c (20020818) Richard Gooch (rgooch@atnf.csiro.au)
devfs: boot_options: 0x1
Squashfs 2.1-r2 (released 2004/12/15) (C) 2002-2004 Phillip Lougher
keyboard: Timeout - AT keyboard not present?(ed)
keyboard: Timeout - AT keyboard not present?(f4)
Serial driver version 5.05c (2001-07-08) with MANY_PORTS SHARE_IRQ SERIAL_PCI enabled
ttyS00 at 0x03f8 (irq = 4) is a 16550A
RAMDISK driver initialized: 16 RAM disks of 4096K size 1024 blocksize
rdc: RDC R6040 net driver, version 0.6 (9July2004)
rdc: RDC R6040 net driver, version 0.6 (9July2004)
rdc: RDC R6040 net driver, version 0.6 (9July2004)
PPP generic driver version 2.4.2
flash device: 400000 at ffc00000
## Decide to use AMD/Fujitsu Standard command set.
## MFG ID = 0x00C2, DEV ID = 0x22A7
Total size = 4 MB
Creating 5 MTD partitions on "RDC3210 Flash":
0x00000000-0x003c0000 : "linux"
0x000b1500-0x003c0000 : "romfs"
mtd: partition "romfs" doesn't start on an erase block boundary -- force read-only
0x003c0000-0x003d0000 : "nvram"
0x003d0000-0x003e0000 : "factory"
0x003e0000-0x00400000 : "bootldr"
NET4: Linux TCP/IP 1.0 for NET4.0
IP Protocols: ICMP, UDP, TCP, IGMP
IP: routing cache hash table of 512 buckets, 4Kbytes
TCP: Hash tables configured (established 1024 bind 2048)
IPv4 over IPv4 tunneling driver
GRE over IPv4 tunneling driver
Linux IP multicast router 0.06 plus PIM-SM
ip_conntrack version 2.1 (8192 buckets, 65536 max) - 340 bytes per conntrack
ip_tables: (C) 2000-2002 Netfilter core team
ipt_time loading
NET4: Unix domain sockets 1.0/SMP for Linux NET4.0.
NET4: Ethernet Bridge 008 for NET4.0
VFS: Mounted root (squashfs filesystem) readonly.
Mounted devfs on /dev
Freeing unused kernel memory: 76k freed

BusyBox v1.00 (2006.04.26-03:52+0000) Built-in shell (msh)
Enter 'help' for a list of built-in commands.

#
#sysinit: [sysinit]
Using /etc/resetDefault.o
Using /etc/RDC_reboot.o
---- Restarting system ----
---- Enable Watchdog ----
This is the parent process, pid = 28
# update nvram with default list!
# interfaces_init......
Using /etc/rt61ap.o
This is the child process, pid = 35
Setting ra0 configuration....
CountryRegion=1
BssidNum=1
SSID=ranviksyden
WirelessMode=0
TxRate=0
Channel=6
BeaconPeriod=100
DtimPeriod=1
TxPower=100
BGProtection=0
RTSThreshold=2346
FragThreshold=2346
TxBurst=1
ShortSlot=1
PktAggregate=1
NoForwarding=0
NoForwardingBTNBSSID=0
HideSSID=0
Key1Type=0
Key1Str=
Key2Type=0
Key2Str=
Key3Type=0
Key3Str=
Key4Type=0
Key4Str=
WdsEnable=0
WdsList=
WdsKey=
WdsEncrypType=NONE
AutoChannelSelect=0
RekeyInterval=3600
WPAPSK=
AccessPolicy0=0
RADIUS_Server=0.0.0.0
RADIUS_Port=1812
RADIUS_Key=
own_ip_addr=192.168.15.2
session_timeout_interval=0
DisableOLBC=1
WmmCapable=0
AckPolicy=0;0;0;0
APAifsn=3;7;1;1
APCwmin=4;4;3;2
APCwmax=6;10;4;3
APTxop=0;0;94;47
APACM=0;0;0;0
BSSAifsn=3;7;2;2
BSSCwmin=4;4;3;2
BSSCwmax=10;10;4;3
BSSTxop=0;0;94;47
BSSACM=0;0;0;0
TxAntenna=1
AuthMode=WEPAUTO
EncrypType=NONE
DefaultKeyID=1
BasicRate=15
IEEE8021X=0
device eth1 entered promiscuous mode
device ra0 entered promiscuous mode
ra0: attempt to add interface with same source address.
br0: port 2(ra0) entering listening state
br0: port 1(eth1) entering listening state
# lan services init......
Start UPnP
Start tftpd
Configuration file: /var/RT61AP/RT61AP.dat
conf->SsidNum=1
IP address: '0.0.0.0'
RADIUS_Port: '1812'
Line 39: empty shared secret is not allowed.
RADIUS_Key: '', Key_len: 0
session_timeout policy = not use
Read Session Timeout Interval 0 seconds.
Set Session Timeout Interval 3600 seconds.
1 errors found in configuration file '/var/RT61AP/RT61AP.dat'
Could not allocate memory for rtapd->conf
Dante's tiny TFTP Server is ready on port 69
route: resolving gw
route: resolving gw
route: resolving gw
route: resolving gw
route: resolving gw
# wan_init......
httpd : This is httpd...ssl_enabled is 0
Code
# nvram show
fw_version=1.04, Apr 26, 2006
my_fw_version=1.0.58 2006_04_28_1450
hw_version=WRTR_136G_v01
pppoe_username=
pppoe_password=
pppoe_service_name=
pppoe_mtu=1492
pppoe_autoReconnect=0
pppoe_demand=0
pppoe_idle_time=15
pppoe_redial_time=30
pptp_username=
pptp_password=
bigpond_enabled=0
bigpond_serveripr=0.0.0.0
bigpond_username=
bigpond_password=
httpd_realm=uClinux IXP425
httpd_username=admin
httpd_password=admin
httpd_wanport=0
tproxy_enabled=0
tproxy_localport=81
tproxy_proxyhost=
tproxy_proxyport=
client_from_remote=0
remote_upgrade=0
udptest_enabled=0
http_username=
login_password=admin
http_passwd=admin
web_use_https=0
wireless_control=1
remote_mgmt_enabled=0
upnp_enabled=1
allow_user_conf=1
allow_user_disable=1
auth_title=Linksys WRT54GR
#
Last edited by ranvik; 26 October 2008 at 03:52.
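Added example, not from ranvik's post: a small audit script that parses an `nvram show` dump in the key=value form shown above and reports which entries hold credentials in clear text, which of those are still factory defaults, and whether the web UI is running without HTTPS. The sample dump is a constructed excerpt using values quoted in the post; the secret-key markers and the default-credential list are assumptions, not anything the firmware defines.

```python
from typing import Dict, List

# Constructed sample in the key=value form that `nvram show` prints on this
# router, using values quoted in the post above (prompt lines included).
SAMPLE_DUMP = """# nvram show
fw_version=1.04, Apr 26, 2006
pppoe_password=
httpd_username=admin
httpd_password=admin
login_password=admin
http_passwd=admin
web_use_https=0
auth_title=Linksys WRT54GR
#
"""

# Key fragments that mark a value as a secret (assumption: common nvram naming).
SECRET_MARKERS = ("password", "passwd", "psk", "secret", "_key")
# Well-known factory credentials (assumption: short illustrative list).
DEFAULT_CREDENTIALS = {"admin", "password", "1234"}

def parse_nvram(dump: str) -> Dict[str, str]:
    """Parse key=value lines; splitting on the first '=' keeps values that
    contain '=' or commas intact, and prompt/echo lines are skipped."""
    entries: Dict[str, str] = {}
    for line in dump.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        entries[key.strip()] = value.strip()
    return entries

def find_cleartext_secrets(entries: Dict[str, str]) -> Dict[str, str]:
    """Secret-looking keys whose value is set (an empty value holds no secret)."""
    return {k: v for k, v in entries.items()
            if v and any(m in k.lower() for m in SECRET_MARKERS)}

def audit(dump: str) -> List[str]:
    """One finding per exposure; an empty list means nothing to fix."""
    entries = parse_nvram(dump)
    findings = []
    for key, value in sorted(find_cleartext_secrets(entries).items()):
        state = "DEFAULT" if value.lower() in DEFAULT_CREDENTIALS else "custom"
        findings.append(f"{state} credential stored in clear text: {key}")
    if entries.get("web_use_https", "0") != "1":
        findings.append("web_use_https!=1: admin login crosses the LAN unencrypted")
    if entries.get("remote_mgmt_enabled") == "1":
        findings.append("remote_mgmt_enabled=1: admin UI reachable from the WAN")
    return findings
```

Feed it the full dump captured over the serial console and every line it prints is a credential to change or a setting to turn on before the router goes back on the network.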