
Unlocking the Netgear Telnet Console

Some Netgear routers run a telnet daemon which can be accessed from any computer on its local subnet after unlocking it (see below). The following devices are currently known or assumed to support this:

  • WGR614 v1-2: unknown, may well work
  • WGR614 v3,v4,v5,v6: known to work
  • WGR614 v7: known to work (if it does not work for you, try to hard-reset your router first)
  • WGR614 v8: aka WGR614L, works, access to a busybox console w/o authentication
  • WGR614 v9: works, gives access to a busybox console w/o authentication
  • WGT624 V3H1: works (after 6-12 try/reboot/try-again cycles)
  • WPN824 v1, V2.0.15_1.0.11: known to work
  • WPN824 V3: not needed! Enable the utelnetd option in Remote Management.
  • WG602 (unknown version): assumed to work
  • WGT624 v2, v3: works
  • WGT624 (unknown version): assumed to work
  • WNR1000 v1-2: works. Does not require username/password for login. On connection the '#' prompt is displayed.
  • WN3000RP v1: works. Does not require username/password for login, but necessary for telnetable (Geardog/Gearguy)
  • WNDR3300 : works. Does not require username/password for login. On connection the '#' prompt is displayed.
  • WNR3500 v1.0.29: works. Does NOT ask for username/password on login. On connection you should be dropped on a '#' prompt.
  • WNR3500L V1.2.2.44: Works. V1.2.2.48_35.0.55NA: fails. Does NOT ask for username/password on login. Dropped to '#' prompt on connection.
  • WNDR3400v2 v1.0.0.16_1.0.34 works. Does NOT ask for username/password on login. On connection you should be dropped on a '#' prompt.
  • WNDR3700 V1.0.7.98: known to work - Does NOT ask for username/password. After connection you will be root at BusyBox v1.4.2.
  • WNDR3800 v1.0.0.16: tested with the Python telnetenable script.
  • WNDR4000 v1.0.0.88 works. Does NOT ask for username/password on login. On connection you should be dropped on a '#' prompt.
  • WNDR4300 V1.0.1.30/34/42 works with the python script. Does NOT ask for username/password on login. On connection you should be dropped on a '#' prompt.

On Un*x

Netgear uses free software to make their products, but has not provided information or free software tools to enable them to be used. One needs to either use the Windows binary-only program or reverse engineer its operation in order to discover what magic packets Netgear's tool sends to the router to enable the telnet interface.

Unfortunately, there is no ready-to-go tool for Un*x yet. However, thanks to yoshac_at_member_dot_fsf_dot_org, the Windows telnetenable has been reverse engineered. The following could be determined about the data format and the transforms performed by Netgear's telnetEnable.exe, and work is in progress to implement the entire tool as open source. The current implementation is attached to this document.

C-Program by yoshac

Usage

Source code for a 'C' re-implementation of telnetenable.exe's algorithms has been released by yoshac_at_member_dot_fsf_dot_org under the GPL, for use as the basis of a Un*x version of the tool currently in development. The resulting telnetenable binary will operate exactly the same as the original Windows tool, except that it currently does not actually send the raw TCP frame to the router. Network support is left as an exercise for the reader ;-)

  • Please read the README file contained in the attached ZIP archive
  • The implementation does not provide network connectivity to finish the process from a *nix box. Follow the instructions in the README to compile the software, then run
    telnetenable 192.168.1.1 000FB5A2BE26 Gearguy Geardog > modpkt.pkt
  • Then to send the packet to the router type
    nc 192.168.1.1 23 < modpkt.pkt

The algorithm

A probe packet is built using the data supplied on the command line, and is then signed using the RSA MD5 hashing algorithm. After signing, the entire probe packet is encrypted using the Blowfish algorithm with a private key.

The probe packet payload format is as follows:

struct payload
{
    char signature[0x10];   /* MD5 over the fields that follow */
    char mac[0x10];
    char username[0x10];
    char password[0x10];
    char reserved[0x40];    /* always null in this example */
};

The above payload format is transformed by the tool algorithms as follows:

The MD5 checksum is calculated for the contents of the probe payload MAC, username and password fields only, and is done using the normal 3 passes (MD5init, MD5update, MD5final) with the default RSA seed. The resulting 16-byte MD5 checksum/hash is then stored into the signature array of the probe payload.

The entire probe payload (including the reserved area, which is always null for this example) is then ENCRYPTED using the Blowfish algorithm. The secret key used for the Blowfish encryption is AMBIT_TELNET_ENABLE, but prior to encryption a '+' followed by the password is appended to the secret key.

The encrypted probe packet is then sent to the telnet port (23) on the router using raw TCP sockets in the standard manner. Curiously, the telnetenable.exe program also includes the necessary support to decode packets incoming from the router, but there does not appear to be any two-way handshake implemented; it is simply a raw TCP send from the client to the router.

Note: The encrypted probe packet is sized as char output_Buf[0x640] but only an encoded data length of size of 0x80 appears to be used by the code. It is unknown what other capabilities may be similarly enabled via the 'reserved' field, or by other passwords.
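As an added example (not part of this wiki page, and not code from yoshac's or pgebheim's tools), here is a stdlib-only Python parser and signature checker for the cleartext probe layout described above. It stops short of the Blowfish layer, which the page's Python tool applies with Crypto.Cipher.Blowfish, and follows what that tool actually does: the MD5 covers the 0x70 bytes from `mac` through `reserved`, and the 32-bit byte swap is applied to the buffer before and after the cipher. All function names, and the defender-oriented `inspect_decrypted_probe` helper, are this example's own; the sample values are the page's example MAC and the default credentials.

```python
import array
import hashlib
import hmac
import struct

# Layout of the probe payload from the page: five fixed-width fields, 0x80 bytes in all.
PAYLOAD_FMT = "<16s16s16s16s64s"           # signature, mac, username, password, reserved
PAYLOAD_LEN = struct.calcsize(PAYLOAD_FMT)  # 0x80
SIG_LEN = 0x10                              # the MD5 digest occupies the first 16 bytes


def build_cleartext(mac, username, password=""):
    """Return the 0x80-byte cleartext probe (what the tool then Blowfish-encrypts)."""
    mac_field = mac.replace(":", "").replace("-", "").upper().encode("ascii")
    user_field = username.encode("ascii")
    pass_field = password.encode("ascii")
    # Same limits as the page's Python tool: every field must fit its NUL-padded slot.
    if len(mac_field) >= 0x10 or len(user_field) > 0x10 or len(pass_field) > 0x10:
        raise ValueError("field does not fit the fixed-size payload layout")
    # struct's 's' format NUL-pads short fields; reserved becomes 0x40 zero bytes.
    body = struct.pack("<16s16s16s64s", mac_field, user_field, pass_field, b"")
    # As in the page's Python program, the digest covers all 0x70 bytes after the signature.
    signature = hashlib.md5(body).digest()
    return signature + body


def parse_cleartext(buf):
    """Split a decrypted 0x80-byte buffer into named fields (NUL padding stripped)."""
    if len(buf) != PAYLOAD_LEN:
        raise ValueError("expected %d bytes, got %d" % (PAYLOAD_LEN, len(buf)))
    sig, mac, user, pw, reserved = struct.unpack(PAYLOAD_FMT, buf)
    return {
        "signature": sig,
        "mac": mac.rstrip(b"\x00").decode("ascii", "replace"),
        "username": user.rstrip(b"\x00").decode("ascii", "replace"),
        "password": pw.rstrip(b"\x00").decode("ascii", "replace"),
        "reserved": reserved,
    }


def signature_valid(buf):
    """True if the leading 16 bytes are the MD5 of the remaining 0x70 bytes."""
    if len(buf) != PAYLOAD_LEN:
        return False
    expected = hashlib.md5(buf[SIG_LEN:]).digest()
    return hmac.compare_digest(expected, buf[:SIG_LEN])


def byteswap32(data):
    """Reverse the byte order inside every 32-bit word (the tool's pre/post-Blowfish step)."""
    if len(data) % 4:
        raise ValueError("buffer length must be a multiple of 4")
    a = array.array("I")  # typecode 'I' is 4 bytes on all mainstream platforms; verify anyway
    if a.itemsize != 4:
        raise RuntimeError("need a 4-byte array typecode on this platform")
    a.frombytes(data)
    a.byteswap()
    return a.tobytes()


def inspect_decrypted_probe(buf):
    """Defender view: given an already-decrypted payload, report whether it is a
    well-formed probe (signature matches) and what it carries; None otherwise."""
    if not signature_valid(buf):
        return None
    fields = parse_cleartext(buf)
    fields["reserved_is_zero"] = fields["reserved"] == b"\x00" * 0x40
    return fields


if __name__ == "__main__":
    # Constructed sample using the page's example MAC and default credentials (no real device).
    probe = build_cleartext("00:0F:B5:A2:BE:26", "Gearguy", "Geardog")
    print(inspect_decrypted_probe(probe))
    # One flipped byte in the username field invalidates the signature.
    print(inspect_decrypted_probe(probe[:0x20] + b"X" + probe[0x21:]))
```

`inspect_decrypted_probe` is the part an administrator would use: after decrypting a suspicious 128-byte TCP payload seen on port 23 with the key the page names, a matching signature and an all-zero reserved area confirm it is an unlock probe rather than ordinary telnet traffic, and the parsed fields show which credentials were attempted.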

Python-Alternative to the Windows Version

How to use the Python program: http://www.cyberciti.biz/faq/enable-telnet-access-for-netgear-n600-adsl-router/

* See the Project on Google Code Project Homepage for more information

* After downloading it, connect the cable to the router and execute the following command

python telnetenable.py 192.168.1.1 $(arp -n | awk "/192.168.1.1/"'  { gsub(/:/, "", $3); print toupper($3)}') Gearguy Geardog

Then you have telnet access to the router.

Program by pgebheim

# Copyright (c) 2009 Paul Gebheim
# 
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
# 
# The above copyright notice and this permission notice shall be included in
# all copies or substantial portions of the Software.
# 
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
# THE SOFTWARE.

# Requires Python 3 and PyCryptodome (provides Crypto.Cipher.Blowfish and Crypto.Hash.MD5)
import sys
import socket
import array
from Crypto.Cipher import Blowfish
from Crypto.Hash import MD5

TELNET_PORT = 23

# The version of Blowfish supplied for the telnetenable.c implementation
# assumes Big-Endian data, but the code does nothing to convert the
# little-endian stuff it's getting on intel to Big-Endian
#
# So, since Crypto.Cipher.Blowfish seems to assume native endianness, we need
# to byteswap our buffer before and after encrypting it
#
# This helper does the byteswapping on the byte buffer
def ByteSwap(data):
  a = array.array('i')
  if a.itemsize < 4:
    a = array.array('L')

  if a.itemsize != 4:
    print("Need a type that is 4 bytes on your platform so we can fix the data!")
    sys.exit(1)

  a.frombytes(data)
  a.byteswap()
  return a.tobytes()

def GeneratePayload(mac, username, password=""):
  # Pad the input correctly: each field is a NUL-padded 16-byte slot
  assert len(mac) < 0x10
  just_mac = mac.encode().ljust(0x10, b"\x00")

  assert len(username) <= 0x10
  just_username = username.encode().ljust(0x10, b"\x00")

  assert len(password) <= 0x10
  just_password = password.encode().ljust(0x10, b"\x00")

  # mac + username + password followed by the 0x40-byte reserved area = 0x70 bytes
  cleartext = (just_mac + just_username + just_password).ljust(0x70, b"\x00")
  # The MD5 digest of those 0x70 bytes becomes the 16-byte signature field
  md5_key = MD5.new(cleartext).digest()

  payload = ByteSwap((md5_key + cleartext).ljust(0x80, b"\x00"))

  # Blowfish key: the fixed string, a '+', then the (unpadded) password
  secret_key = ("AMBIT_TELNET_ENABLE+" + password).encode()

  return ByteSwap(Blowfish.new(secret_key, Blowfish.MODE_ECB).encrypt(payload))


def SendPayload(ip, payload):
  s = None
  for res in socket.getaddrinfo(ip, TELNET_PORT, socket.AF_INET, socket.SOCK_STREAM, socket.IPPROTO_IP):
    af, socktype, proto, canonname, sa = res
    try:
      s = socket.socket(af, socktype, proto)
    except socket.error:
      s = None
      continue

    try:
      s.connect(sa)
    except socket.error:
      s.close()
      s = None
      continue
    break

  if s is None:
    print("Could not connect to '%s:%d'" % (ip, TELNET_PORT))
  else:
    s.sendall(payload)
    s.close()
    print("Sent telnet enable payload to '%s:%d'" % (ip, TELNET_PORT))

def main():
  args = sys.argv[1:]
  if len(args) < 3 or len(args) > 4:
    print("usage: python telnetenable.py <ip> <mac> <username> [<password>]")
    sys.exit(1)

  ip = args[0]
  mac = args[1].replace(':', '').upper()
  username = args[2]

  password = ""
  if len(args) == 4:
    password = args[3]

  payload = GeneratePayload(mac, username, password)
  SendPayload(ip, payload)

if __name__ == "__main__":
  main()

On Windows

Netgear provides a developer tool for unlocking the console access from a Windows client. Windows NT and later versions are assumed to work; administrator privileges are required. This was successfully tested on Windows XP SP2.

Note: For sending custom crafted network packets on Windows, which this tool does, you require an account which has administrative privileges.

  • Download the file wpn824_ko_2.12_1.2.9.zip file from the Korean Netgear support website (scroll down) or from the other locations I found it at (mirror 1, mirror 2, UPDATE: Get it here http://files.to/get/349970/64662/telnetEnable.rar) and unzip it. A new link that does work for the time being: http://rapidshare.com/files/71670434/telnetEnable.zip.
  • You will see a M$ Word doc which contains screenshots and instructions in Korean language, a firmware update (you don't need this) and the telnetEnable.exe tool
  • Open a command line (windows console) window (Press [windows key]+[R] and enter cmd)
  • Get the MAC address of your Netgear router. You can use either 'arp -a' and use the 'physical address' or look it up on the web interface of your router (Maintenance → Router status → LAN port → MAC Address)
  • Take the MAC address, remove any minus signs (-) or colons (:) and replace all characters by their upper case representation (a → A, d→ D etc.)
  • Copy the result of your editing to the clipboard
  • Type telnetenable.exe, then the IP address of your router (e.g. "192.168.1.1"), add another space, paste the contents of the clipboard, and append the telnet console default username and password, Gearguy Geardog (they differ from those of the web interface; modify them appropriately if you changed them previously). The result should look similar to this:
    telnetEnable.exe 192.168.1.1 000FB5A2BE26 Gearguy Geardog
  • Correct character case is important here.
  • Now press Enter to run the tool. It should return to the shell pretty quickly with no error. If it takes a long time and returns a 'send failed' error message, just try again.
  • You should now be able to login to the router via telnet from any computer in your local subnet
  • After successful authentication you will be presented with a prompt such as
    U12H02900>
  • For available commands, type
    help
    or
    ?
  • To quit the console, type
    exit

Troubleshooting

If you aren't able to login anymore, which may occur after firmware updates or telnet-session timeouts/connection losses, repeat the unlocking procedure.

toh/netgear/telnet.console.txt · Last modified: 2014/07/05 10:54 by khaosis