Default Passwords

     This exploit will expose a vulnerability in routers not using password authentication. Among others, WebRamp systems are widely seen. The security problem is that most WebRamp systems are not password protected on port 80. Any person browsing the internet can obtain a person's ISP username and password. The process is very simple and was discovered by me while looking for my computer on a subnet. Having some knowledge of HTML while browsing the system allowed me to see the problem.

The Process

     Begin by picking an ISP. Find the IP address of the ISP's name server (DNS) and transfer the zone file into a file on your own system. I have only transferred zone files from within the nslookup command on Unix systems. There are ways to do so within Windows as well, with third-party utilities such as SamSpade.

     Now you have the IP subnets of the ISP you are going to scan. Use a port scanner to scan port 80 on all subnets designated for dialup access. Use your browser to look at each IP that returns an ACK on port 80. If you find a document that is a configuration front-end for the WebRamp system, the host is vulnerable.

The Problem

     The WebRamp front-end will display a version number. Use the following chart to find the document that contains the username and password. The username will be in plain text and the password will be represented by asterisks.
	Router Version     Document
	--------------     --------
	Webramp 410i       /wizard3i.htm
	Webramp 200i       /expressi.htm or avpasswd.htm
	Webramp 300e       /express.htm
	Webramp 310i       /expressi.htm
	Webramp M3         /wizard2.htm
	Webramp M3t        /wizard2.htm
	Apex 1100          /easy/easy_isdn.html
	Arescom EZrider    /easy/easy_isdn.html

	Example:
		http://192.168.1.1/wizard.htm
		http://192.168.1.2/expressi.htm
		http://192.168.1.3/wizard2.htm
     There are two methods of retrieving the password. I made up some JavaScript code to further illustrate how simple password retrieval is on password input fields of HTML documents. Copy and paste one of the following lines of code into the URL box of the web browser you are using. The first line will display the password; the second will put it in a box that can be copied. This method must be done while viewing the document which contains the username and password, as listed above.
	javascript:alert(document.forms[0].elements[3].value)
	javascript:prompt('',document.forms[0].elements[3].value)
     The second method is one that any webpage designer will be familiar with: the "View Source" option. Choose "View Source" and look for the field labeled <input type="password">. The value= attribute contains the password.
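     The same weakness, seen from the side of whoever builds or audits a configuration front-end: both retrieval methods above only work because the page writes the stored password back into the value= attribute of a password input. The following Python audit is an added example, not code from the original writeup or from any router vendor; it flags every password-type input whose value is pre-filled, using a constructed sample page (the HTML, field names and credential values are made up for illustration) and the same page rendered safely with the password field left empty.

```python
from html.parser import HTMLParser

# Constructed sample of a configuration page that echoes the stored ISP
# credentials back into the form, as described above (not a real WebRamp page).
LEAKY_PAGE = """
<html><body>
<form action="/save" method="post">
  <input type="text" name="phone" value="5551234">
  <input type="text" name="isp_user" value="jdoe">
  <input type="password" name="isp_pass" value="hunter2">
  <input type="submit" value="Save">
</form>
</body></html>
"""

# The same page rendered safely: the username is still shown, but the
# password field is empty, so nothing secret reaches the browser.
SAFE_PAGE = LEAKY_PAGE.replace('value="hunter2"', 'value=""')


class PasswordFieldAuditor(HTMLParser):
    """Collects the name of every password-type input carrying a non-empty value."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "input":
            return
        # attrs is a list of (name, value) pairs; value is None for bare attributes
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("type", "").lower() == "password" and a.get("value"):
            self.findings.append(a.get("name", "<unnamed>"))


def prefilled_password_fields(html):
    """Return the names of password inputs whose value is pre-filled.

    An empty list means the page does not echo a secret into the form. Any
    entry names a field whose value "View Source" or a one-line bookmarklet
    would reveal, which is exactly the exposure described above.
    """
    auditor = PasswordFieldAuditor()
    auditor.feed(html)
    return auditor.findings


if __name__ == "__main__":
    for label, page in (("leaky", LEAKY_PAGE), ("safe", SAFE_PAGE)):
        print(label, prefilled_password_fields(page))
```

     Run against the sample, the audit reports isp_pass for the leaky page and nothing for the safe one. The fix on the server side is the one the safe page shows: store the credential, but never render it into the form; a blank password field with a "leave empty to keep the current password" convention costs the user nothing and removes the leak entirely, with or without HTTP authentication on port 80.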

Further Interest

     I have written Unix-based shell scripts that will take most of the work out of this process. The first script scans an IP subnet and checks for IPs that have the WebRamp system. The second script is an extension of the first that attempts to extract the password as well. The second is a work in progress and is currently not complete. If you know shell scripting, the NetCat utility syntax, and how to use regular expressions, you may be able to complete the script. Both scripts require two utilities installed on the host operating system: the NMap port scanner and the NetCat TCP/IP utility; both are widely available. Check whether either is installed: "nmap" and "nc".

This information is for demonstration purposes to trusted people. If you do not know the cipher key, you cannot use this information.


<-- Cipher Key
IsRamp
IsRampx