Unlocking the Netgear Telnet Console

Several Netgear router models running factory firmware have a telnet daemon that listens on the router's LAN IP address but ignores ordinary connections until it is unlocked. An administrator unlocks it by sending a "magic" probe packet to the daemon; after that, a plain telnet client gets a hidden command line interface (CLI).

The following Netgear devices are currently known to support this feature:

  • DGN1000v3 Router Firmware Version V1.0.0.14_0.0.14: works, gives access to a busybox console w/o authentication
  • WGR614 v1-2: unknown, may well work
  • WGR614 v3,v4,v5,v6: known to work
  • WGR614 v7: known to work (if it does not work for you, try to hard reset your router first)
  • WGR614 v8: aka WGR614L, works, access to a busybox console w/o authentication
  • WGR614 v9: works, gives access to a busybox console w/o authentication
  • WGT624 V3H1: works (may take 6 to 12 try/reboot/try-again cycles)
  • WPN824 v1, V2.0.15_1.0.11: known to work
  • WPN824 V3: not needed! Enable the utelnetd option in Remote Management.
  • WG602 (unknown version): assumed to work
  • WGT624 v2, v3: works
  • WGT624 (unknown version): assumed to work
  • WNR1000 v1-2: works. Does not require username/password for login. On connection the '#' prompt is displayed.
  • WNR2000 v4: works. Does not require username/password for login. On connection the '#' prompt is displayed.
  • WN3000RP v1: works. Does not require username/password for login, but the default credentials (Gearguy/Geardog) must still be passed to telnetenable.
  • WNDR3300 : works. Does not require username/password for login. On connection the '#' prompt is displayed.
  • WNR3500 v1.0.29: works. Does NOT ask for username/password on login. On connection you should be dropped on a '#' prompt.
  • WNR3500L V1.2.2.44: Works. V1.2.2.48_35.0.55NA: fails. Does NOT ask for username/password on login. Dropped to '#' prompt on connection.
  • WNDR3400v2 v1.0.0.16_1.0.34 works. Does NOT ask for username/password on login. On connection you should be dropped on a '#' prompt.
  • WNDR3700 V1.0.7.98: known to work - Does NOT ask for username/password. After connection you will be root at BusyBox v1.4.2.
  • WNDR3800 v1.0.0.16: works; tested with the Python telnetenable script.
  • WNDR4000 v1.0.0.88 works. Does NOT ask for username/password on login. On connection you should be dropped on a '#' prompt.
  • WNDR4300 V1.0.1.30/34/42 works with the python script. Does NOT ask for username/password on login. On connection you should be dropped on a '#' prompt.

The router CLI is usually the busybox shell running on Linux. Commands and utilities available typically include changing nvram settings, changing the running configuration, upload/download files, managing flash memory, rebooting, etc.

Unlocking Protocol and Algorithms

The Netgear router CLI unlocking protocol is: open a TCP connection to port 23 (telnet) on the router's LAN IP address, send one encrypted probe packet, then close the connection. If the router accepts the probe and unlocks the CLI, the CLI answers on the next connection made with an ordinary telnet client.

The TelnetEnable utility (see below) builds the probe packet using authentication data supplied on its command line. The probe packet format in unencrypted form is as follows:

struct payload
{
        char md5sum[0x10];      /* MD5 digest of the fields below */
        char mac[0x10];         /* router LAN MAC, 12 upper-case hex digits, NUL padded */
        char username[0x10];    /* telnet console username, e.g. Gearguy */
        char password[0x10];    /* telnet console password, e.g. Geardog */
        char reserved[0x40];    /* all zero */
};                              /* 0x80 bytes in total */

The above payload format is transformed by algorithms as follows:

The MD5 digest is computed over the 0x70 bytes that follow the md5sum field, i.e. the MAC, username and password fields together with the zero-filled reserved area (the open-source re-implementations hash this whole span, so the zero padding is part of the digest input). It is a plain MD5 using the standard MD5Init/MD5Update/MD5Final sequence of the RSA reference implementation, with no salt or modification. The resulting 16-byte digest is stored in the md5sum array of the probe payload.

The entire probe payload (including the reserved area, which is always null in this example) is then ENCRYPTED with Blowfish in ECB mode, as sixteen independent 8-byte blocks. The Blowfish key is the string "AMBIT_TELNET_ENABLE+" followed by the password carried in the payload, so the router cannot even decrypt the probe without knowing the password.

The encrypted probe packet is then sent to telnet port (23) on the router over an ordinary TCP socket. Curiously, Netgear's Windows telnetEnable.exe also contains code to decode packets coming back from the router, but no two-way handshake appears to be implemented: it is simply a one-way TCP send from the client to the router.

Note: The encrypted probe buffer is declared as char output_Buf[0x640], but the code only ever uses 0x80 bytes of encoded data. It is unknown what other capabilities might be enabled through the 'reserved' field, or by other passwords.
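As an added worked example (not code from this page, from Netgear, or from the re-implementations named below), here is a Python re-implementation of the probe construction just described, plus the one-way TCP send. It also performs the MAC-address normalisation that the Windows and Unix instructions below ask you to do by hand. Two points are assumptions rather than facts stated on this page, and are marked as such in the code: the MD5 covers the whole 0x70-byte tail of the payload including the zero reserved area, as the open-source re-implementations do; and the original tool runs Blowfish over host-endian 32-bit words on little-endian x86, so a standard Blowfish-ECB (pycryptodome, assumed installed) is wrapped in a per-word byte swap. Only send the probe to a router you administer, from its LAN side.

```python
"""Netgear telnet-console probe: build, inspect and send the magic packet.

Added example for this page. Re-implements the algorithm described above;
it is NOT Netgear's telnetEnable.exe nor the yoshac/Seattle Wireless tool.
"""
import hashlib
import re
import socket
import struct

PROBE_LEN = 0x80        # bytes of ciphertext the router actually consumes
HASH_LEN = 0x10         # md5sum field
FIELD_LEN = 0x10        # mac, username and password fields
KEY_PREFIX = b"AMBIT_TELNET_ENABLE+"


def normalize_mac(mac: str) -> str:
    """'00:0f:b5:a2:be:26' or '00-0F-B5-A2-BE-26' -> '000FB5A2BE26' (the form the tools expect)."""
    hexdigits = re.sub(r"[:\-.\s]", "", mac).upper()
    if not re.fullmatch(r"[0-9A-F]{12}", hexdigits):
        raise ValueError("not a 48-bit MAC address: %r" % mac)
    return hexdigits


def _field(value: str, size: int) -> bytes:
    """NUL-pad an ASCII string into a fixed-size payload field."""
    data = value.encode("ascii")
    if len(data) > size:
        raise ValueError("value longer than %d bytes: %r" % (size, value))
    return data.ljust(size, b"\x00")


def build_cleartext(mac: str, username: str, password: str = "") -> bytes:
    """Return the 0x80-byte unencrypted probe: md5sum || mac || username || password || reserved.

    ASSUMPTION: the digest covers the 0x70 bytes after the md5sum field,
    zero-filled reserved area included (as the open-source re-implementations do).
    """
    body = (_field(normalize_mac(mac), FIELD_LEN)
            + _field(username, FIELD_LEN)
            + _field(password, FIELD_LEN))
    body = body.ljust(PROBE_LEN - HASH_LEN, b"\x00")      # reserved[0x40] stays zero
    return hashlib.md5(body).digest() + body


def verify_cleartext(cleartext: bytes) -> bool:
    """True if a (decrypted) probe carries a valid md5sum over the rest of the packet."""
    return (len(cleartext) == PROBE_LEN
            and hashlib.md5(cleartext[HASH_LEN:]).digest() == cleartext[:HASH_LEN])


def swap_words(data: bytes) -> bytes:
    """Byte-swap every 32-bit word (self-inverse); len(data) must be a multiple of 4."""
    count = len(data) // 4
    return struct.pack(">%dI" % count, *struct.unpack("<%dI" % count, data))


def blowfish_ecb_factory(key: bytes):
    """Standard Blowfish-ECB encryptor from pycryptodome (assumed installed)."""
    from Crypto.Cipher import Blowfish
    return Blowfish.new(key, Blowfish.MODE_ECB).encrypt


def encrypt_probe(cleartext: bytes, password: str = "", cipher_factory=blowfish_ecb_factory) -> bytes:
    """Encrypt the probe with key 'AMBIT_TELNET_ENABLE+' + password.

    ASSUMPTION: the original tool hands the buffer to Blowfish as host-endian
    32-bit words on little-endian x86, so standard (big-endian) Blowfish is
    wrapped in a byte swap of each word before and after.
    """
    if len(cleartext) != PROBE_LEN:
        raise ValueError("probe must be exactly 0x80 bytes")
    encrypt = cipher_factory(KEY_PREFIX + password.encode("ascii"))
    return swap_words(encrypt(swap_words(cleartext)))


def build_probe(mac: str, username: str, password: str = "", cipher_factory=blowfish_ecb_factory) -> bytes:
    return encrypt_probe(build_cleartext(mac, username, password), password, cipher_factory)


def send_probe(host: str, probe: bytes, port: int = 23, timeout: float = 3.0) -> None:
    """One-way send exactly as described above: connect, send, close; no reply is read."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(probe)


if __name__ == "__main__":
    import sys
    if len(sys.argv) not in (4, 5):
        sys.exit("usage: %s <host ip> <host mac> <user name> [password]" % sys.argv[0])
    host, mac, user = sys.argv[1:4]
    pw = sys.argv[4] if len(sys.argv) == 5 else ""
    send_probe(host, build_probe(mac, user, pw))
    print("probe sent to %s:23; now run: telnet %s" % (host, host))
```

Usage mirrors the original tools: python3 probe.py 192.168.1.1 00:0f:b5:a2:be:26 Gearguy Geardog, then telnet 192.168.1.1. The cipher is injected through cipher_factory so the packet layout, digest and word-swap can be checked without the Blowfish dependency, and so a captured probe can be decrypted and checked with verify_cleartext when you do have the key.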

TelnetEnable on Windows

Netgear formerly provided a developer tool, telnetEnable.exe, for unlocking console access from a Microsoft Windows PC client. The tool was bundled into a firmware update for Netgear WPN824 wireless routers sold in Korea. The download file was wpn824_ko_2.12_1.2.9.zip from the Korean Netgear support website.

The tool by itself is still available as telnetEnable.zip at Netgear's open source router website. Pingbin.com also hosts this file telnetEnable.zip.

TelnetEnable works with Windows NT and later. Administrator privileges may be required to permit telnetEnable.exe through Windows firewall. The tool tests successfully with Windows 7 64-bit and with an ordinary (non-privileged) user account:

D:\>telnetEnable.exe
Version:2.1, 2003/10/17
Usage:
telnetEnable.exe <host ip> <host mac> <user name> <password>

D:\>telnetEnable.exe 192.168.1.1 000FB5A2BE26 Gearguy Geardog

D:\>telnet 192.168.1.1
Connecting To 192.168.1.1...


BusyBox v0.60.0 (2009.09.01-00:50+0000) Built-in shell (msh)
Enter 'help' for a list of built-in commands.

# exit


Connection to host lost.

D:\>

Note the Windows 7 telnet.exe client is disabled and inaccessible by default. The telnet client is a Windows feature that users can enable via Control Panel → Programs → Programs and Features → Turn Windows features on or off.

Instructions for telnetEnable.exe:

  • Extract telnetEnable.exe from any of the zip file downloads. The wpn824_ko_2.12_1.2.9.zip includes a MS Word document with screenshots and instructions in Korean, a firmware update, and the telnetEnable.exe tool. Only the tool is necessary.
  • Open a command line (windows console) window (Press [windows key]+[R] and enter "cmd").
  • Get the MAC address of your Netgear router. You can either run "arp -a" on the Windows command line and locate the "Physical Address" (MAC) listed for the router's IP address, or look it up in the router's web interface (Maintenance → Router Status → LAN Port → MAC Address).
  • Take the MAC address, remove any minus signs (-) or colons (:) and convert all letters to upper case (a → A, d → D, etc.), leaving 12 hexadecimal digits.
  • Copy the result of your editing to the clipboard.
  • Type "telnetEnable.exe", then the IP address of your router (e.g. "192.168.1.1"), add another space, paste the contents of the clipboard, and append the telnet console default username and password, "Gearguy" and "Geardog". Correct character case is important here. These credentials differ from those of the web interface. You will need to modify the username and password appropriately if you had changed them previously. The result should look similar to this:
    telnetEnable.exe 192.168.1.1 000FB5A2BE26 Gearguy Geardog
  • Now press Enter to run the tool. It should return to a prompt pretty quickly with no error. If it takes a long time and returns a 'send failed' error message, just try again.
  • You should now be able to telnet to the router from any computer in your local LAN.
  • Some routers may prompt for additional authentication (login prompt) at the beginning of a telnet session. After successful authentication you will be presented a prompt such as:
    U12H02900>
  • For available commands, type:
    help
  • To quit the console, type:
    exit

TelnetEnable on Unix / Linux / OS X

The latest version of TelnetEnable for Solaris, Linux, and Apple OS X is available at Netgear's open source router website, as part of file telnetenable-0.4-2.tar.gz. Included in this distribution are compiled binaries, C source code, and code for older (buggy) TelnetEnable versions.

$ ./telnetenable
Version: 0.4, 2009/10/18
Usage: ./telnetenable <host ip> <host mac> <user name> [password]
$ ./telnetenable 192.168.1.1 001E3A04E2EB Gearguy Geardog
$ telnet 192.168.1.1
Trying 192.168.1.1...
Connected to 192.168.1.1.
Escape character is '^]'.


BusyBox v0.60.0 (2008.05.15-10:32+0000) Built-in shell (msh)
Enter 'help' for a list of built-in commands.

# version
Release version : Netgear Wireless Router WGR614v8
                  U12H07200/V1.1.11/6.0.36NA
           Time : May 15 2008 18:35:41
# exit
Connection to 192.168.1.1 closed by foreign host.
$

Instructions for telnetenable:

  • Extract one of telnetenable.solaris, telnetenable.linux, or telnetenable.osx from the tar.gz distribution, depending on your OS platform, and rename the selected file to telnetenable.
  • Obtain a command line session or open a command line window that displays an interactive shell (typically bash, sh, ksh, or csh) prompt.
  • Change directory (cd) to the location of the telnetenable executable.
  • The steps to run telnetenable for Unix/Linux/OS X are identical with the Windows version of telnetEnable.exe above.

Note that the Unix/Linux/OS X versions of TelnetEnable were not developed by Netgear. They were written from information obtained by reverse engineering the Windows telnetEnable.exe, in order to discover what magic packet Netgear's tool sends to the router to enable the telnet interface.

Probe packet payload generator in C by yoshac

Thanks to yoshac_at_member_dot_fsf_dot_org, the Windows TelnetEnable has been reverse engineered. This established the data format and the transforms performed by Netgear's telnetEnable.exe (described above), and the work to re-implement the entire tool as open source is complete, as the Unix example above shows.

Source code for a 'C' re-implementation of telnetEnable.exe algorithms has been released by yoshac_at_member_dot_fsf_dot_org under the GPL, for use as the basis of a Unix version of the tool. Yoshac's telnetenable binary operates exactly the same as the original Windows tool, except that it does not actually send the TCP frame to the router. Network support was left as an exercise for the reader ;-), and Seattle Wireless was first to add the support (below).

Usage:

  • Please read the README file contained in the attached ZIP archive
  • The implementation does not itself send anything over the network. To finish the process from a Unix box, follow the instructions in the README to compile the software, then run
    telnetenable 192.168.1.1 000FB5A2BE26 Gearguy Geardog > modpkt.pkt
  • Then to send the packet to the router type
    nc 192.168.1.1 23 < modpkt.pkt

Telnetenable.c in C by Seattle Wireless

Telnetenable.py in Python

How you can use the python program: http://www.cyberciti.biz/faq/enable-telnet-access-for-netgear-n600-adsl-router/

  • See the project homepage on Google Code for more information.
  • After downloading it, connect your computer to the router with an Ethernet cable and run the following command (it reads the router's MAC from the ARP cache and strips the colons):
    python telnetenable.py 192.168.1.1 $(arp -n | awk '/^192\.168\.1\.1 / { gsub(/:/, "", $3); print toupper($3) }') Gearguy Geardog

You should then have telnet access to the router.

Using the Netgear Router Console

The Netgear hidden telnet console is an administrative back door, which implies security concerns. Fortunately, it is not known to be exploitable via the router's WAN (internet) interface. But unfortunately, there's no way to disable the telnet console on Netgear routers with this feature. The workaround is to use TelnetEnable and the telnet console itself, then set the username and/or password to non-default values.

The procedure to display the router's usernames and passwords, and then change the ones used by the telnet console, is as follows:

# nvram
usage: nvram [get name] [set name=value] [unset name] [show] [commit] ...
#
# nvram show | grep username
size: 12006 bytes (20762 left)
pptp_username=
http_username=admin
bpa_username=
ddns_username=
ver_check_ftp_username=anonymous
pppoe_username=guest
super_username=Gearguy
#
# nvram show | grep passw
size: 12006 bytes (20762 left)
pptp_passwd=
ver_check_ftp_password=WGR614V8@
super_passwd=Geardog
http_passwd=password
bpa_passwd=
pppoe_passwd=
ddns_passwd=
#
# nvram set super_username=newusername
# nvram set super_passwd=newpasswd
# nvram commit
#
# reboot

Rebooting the router is necessary to re-lock its telnet console.

Troubleshooting

If you aren't able to login anymore, which may occur after firmware updates, telnet-session timeouts, connection loss, or router rebooting, then repeat the unlocking procedure.

toh/netgear/telnet.console.txt · Last modified: 2015/01/11 18:43 by cmdline-admin