toh:netgear:telnet.console

Revisions compared: 2013/02/17 04:40 (theoradicus) and 2015/04/12 14:29 (current, ruff). The text below is the current revision.

====== Unlocking the Netgear Telnet Console ======
Several [[toh:netgear:start|Netgear]] router models running factory firmware have a telnet daemon that listens on port 23 of the router's LAN IP address. The daemon stays locked until it receives a specially crafted "magic" probe packet (see //Unlocking Protocol and Algorithms// below); once unlocked, its hidden command line interface (CLI) can be reached with an ordinary telnet client from any computer on the LAN.

Note that on most of the models listed below the unlocked CLI is an unauthenticated root shell, and the probe packet is derived only from the router's LAN MAC address (which any LAN host can read with ''arp'') plus credentials that are fixed defaults on older firmware (''Gearguy''/''Geardog''). Any host on the LAN can therefore unlock it.

The following Netgear devices are currently known to support this feature:

  * DGN1000v3, firmware version V1.0.0.14_0.0.14: works, gives access to a BusyBox console without authentication
  * WGR614 v1-2: unknown, may well work
  * WGR614 v3, v4, v5, v6: known to work
  * WGR614 v7: known to work (if it does not work for you, try a hard reset of your router first)
  * WGR614 v8 (aka WGR614L): works, gives access to a BusyBox console without authentication
  * WGR614 v9: works, gives access to a BusyBox console without authentication
  * ... (entries between this item and the next are not shown in this comparison view)
  * WGT624 v2, v3: works
  * WGT624 (unknown version): [[http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2006-1002|assumed to work]]
  * WNR1000 v1-2: works. Does not require username/password for login; on connection the '#' prompt is displayed.
  * WNR2000 v4: works. Does not require username/password for login; on connection the '#' prompt is displayed.
  * WN3000RP v1: works. Does not require username/password for login, but ''Gearguy''/''Geardog'' must be supplied to telnetenable.
  * [[oldwiki/openwrtdocs/hardware/netgear/WNDR3300]]: works. Does not require username/password for login; on connection the '#' prompt is displayed.
  * [[toh/netgear/WNR3500]] v1.0.29: works. Does NOT ask for username/password on login; on connection you are dropped to a '#' prompt.
  * [[toh/netgear/wnr3500l|WNR3500L]] V1.2.2.44: works, does NOT ask for username/password on login and drops you to a '#' prompt on connection. V1.2.2.48_35.0.55NA: fails.
  * [[toh/netgear/WNDR3400|WNDR3400v2]] v1.0.0.16_1.0.34: works. Does NOT ask for username/password on login; on connection you are dropped to a '#' prompt.
  * [[toh/netgear/WNDR3700]] V1.0.7.98: known to work. Does NOT ask for username/password; after connection you are root in BusyBox v1.4.2.
  * [[toh/netgear/WNDR3800]] v1.0.0.16: tested with the Python telnetenable script.
  * [[toh/netgear/WNDR4000]] v1.0.0.88: works. Does NOT ask for username/password on login; on connection you are dropped to a '#' prompt.
  * [[toh/netgear/WNDR4300]] V1.0.1.30/34/42: works with the Python script. Does NOT ask for username/password on login; on connection you are dropped to a '#' prompt.
  * [[toh/netgear/dgnd3700|DGND3700v1/DGND3800B]]: firmware < 3.0.0.8 works with the original telnetenable over TCP; >= 3.0.0.8 works with any telnetenable patched for UDP
  * R7000 (any version): assumed to work with the modified Python telnetenable script and the modified telnetenable binary for Linux x86-64.
  * R7500 V1.0.0.82: tested and working with the modified Python telnetenable script and the modified telnetenable binary for Linux x86-64.
  * EX6100: works with the original telnetenable (TCP/23) with credentials super_username/super_passwd (not admin/password as one might think) or Gearguy/Geardog, or both. Sometimes it does not unlock on the first attempt (parser_enable?).

The router CLI is usually the BusyBox shell running on Linux. Commands and utilities typically available include changing nvram settings, changing the running configuration, uploading/downloading files, managing flash memory, rebooting, etc.
  
===== Unlocking Protocol and Algorithms =====
To unlock the CLI, the client opens a connection to telnet port 23 at the router's LAN IP address (TCP for older Netgear firmware, UDP for newer), sends a single encrypted probe packet and closes the connection. The router does not answer the probe. If it accepts the probe it unlocks the CLI, which then responds on a subsequent connection from a telnet client.

The TelnetEnable utility (see below) builds the probe packet from the authentication data supplied on its command line. The probe packet format in unencrypted form is as follows:

**For older Netgear routers that use the original TelnetEnable utility** (payload sent over TCP):

<code>
struct PAYLOAD_TCP_PLAINTEXT
{
  char md5sum[0x10];    /* md5 hash, 16 byte binary */
  char mac[0x10];       /* null terminated string, 12 characters */
  char username[0x10];  /* null terminated string */
  char password[0x10];  /* null terminated string */
  char reserved[0x40];
} payload;
</code>

**For newer Netgear routers (R7000, R7500) that use the modified TelnetEnable utility** (payload sent over UDP):

<code>
struct PAYLOAD
{
  char signature[0x10];
  char mac[0x10];
  char username[0x10];
  char password[0x21];
  char reserved[0x2F];
} payload;
</code>

Both layouts are 0x80 (128) bytes long; the newer one takes 0x11 bytes from the reserved area for its 0x21-byte password field.

The above payload formats are transformed as follows:

The MD5 checksum, or signature, is calculated over the MAC, username and password fields using the normal three steps (MD5init, MD5update, MD5final) with the default RSA initial state; the reference Python implementation hashes the whole 0x70-byte remainder of the payload, i.e. those three fields together with the zero-filled reserved area. The resulting 16-byte MD5 digest is stored in the md5sum (signature) array at the start of the probe payload.

The entire probe payload (including the reserved area, which is always null for this example) is then encrypted with the Blowfish algorithm in ECB mode, but with //reversed// assumptions about the endianness of the data stream: each 32-bit word is treated as little-endian, which amounts to byte-swapping every 4-byte word before and after standard Blowfish. The secret key used for Blowfish is the string "''AMBIT_TELNET_ENABLE+''" followed by the password carried in the payload.

The encrypted probe packet is then sent to telnet port 23 on the router over a TCP or UDP socket in the standard manner. Curiously, Netgear's Windows ''telnetEnable.exe'' program also includes the support needed to decode packets coming back from the router, but no two-way handshake appears to be implemented; it is simply a one-way send from the client to the router.

Note: The encrypted probe buffer is sized as ''char output_Buf[0x640]'', but only 0x80 bytes of encoded data appear to be used by the code. It is unknown what other capabilities may be similarly enabled via the reserved field, or by other passwords.

Note: It has also been discovered that the reserved field of the probe packet can be overwritten by up to 0x11 bytes of the password field. This occurs with the newest modified version of the TelnetEnable utility because 1) Netgear changed the daemon that listens for the probe packet to accept it only over UDP, and 2) the default password 'Geardog' no longer works; the web interface password, which can be up to 33 characters long, must be entered instead. Even though the reserved field is overwritten, the resulting packet still unlocks telnet. An in-depth analysis of the probe packet was conducted by Roberto Frenna; see the discussion here: [[https://github.com/insanid/netgear-telenetenable/commit/445c972ec7bf04433986d96b8f26dfd9c1af722a#commitcomment-9706551|GitHub commit comment]]
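The probe construction described above, as an added worked example. This is my code, not Netgear's ''telnetEnable.exe'' and not any of the telnetenable.c / telnetenable.py versions linked on this page. It builds both payload layouts (''udp=False'' for the original 0x10-byte password field, ''udp=True'' for the 0x21-byte R7000/R7500 layout), applies the MD5 signature and the byte-swapped Blowfish step, and, as a check, also plays the daemon's side: ''check_probe'' decrypts a probe with the expected password and verifies its MD5. How the real daemon validates the probe is not documented on this page, so that function is an assumption about its behaviour. Blowfish's P-array and S-boxes are regenerated from the hex digits of pi rather than pasted in, and the MAC is normalized (separators removed, upper-cased) as the instructions below require. Only ''send_probe'' needs a router on the LAN; everything else runs offline.

```python
"""Netgear TelnetEnable probe builder and checker (added example for this page; not
Netgear's tool nor any telnetenable.c/.py version linked here). Implements the
transforms described above: MD5 over the 0x70-byte body, then Blowfish-ECB keyed
with "AMBIT_TELNET_ENABLE+" + password, every 32-bit word byte-swapped around the
cipher. Blowfish's constants are regenerated from pi's hex digits instead of a
pasted table. check_probe() is an assumed model of the daemon's validation."""
import hashlib, socket, struct

_PI = []  # cache: 18 P-array words + 4*256 S-box words = pi's fractional hex digits

def pi_words(n=18 + 4 * 256):
    """First n 32-bit words of pi's fractional part (Machin's formula on big ints)."""
    if not _PI:
        bits = n * 32 + 64                      # 64 guard bits
        one = 1 << bits
        def atan_inv(x):                        # atan(1/x) = sum (-1)^k / ((2k+1) x^(2k+1))
            total, term, k = 0, one // x, 0
            while term:
                total += -(term // (2 * k + 1)) if k & 1 else term // (2 * k + 1)
                term //= x * x
                k += 1
            return total
        frac = 16 * atan_inv(5) - 4 * atan_inv(239) - 3 * one
        _PI.extend((frac >> (bits - 32 * (i + 1))) & 0xFFFFFFFF for i in range(n))
    return _PI

class Blowfish:
    """Textbook Blowfish on two big-endian 32-bit halves; key 4..56 bytes."""
    def __init__(self, key):
        if not 4 <= len(key) <= 56:
            raise ValueError("Blowfish key must be 4..56 bytes")
        w = pi_words()
        self.P = [w[i] ^ int.from_bytes(bytes(key[(4 * i + j) % len(key)] for j in range(4)), "big")
                  for i in range(18)]           # key bytes XORed cyclically into the P-array
        self.S = [list(w[18 + 256 * b:18 + 256 * (b + 1)]) for b in range(4)]
        l = r = 0                               # then the zero block is chained through P and S
        for i in range(0, 18, 2):
            l, r = self.P[i], self.P[i + 1] = self.crypt_block(l, r)
        for box in self.S:
            for i in range(0, 256, 2):
                l, r = box[i], box[i + 1] = self.crypt_block(l, r)

    def _f(self, x):
        s = self.S
        return ((((s[0][x >> 24] + s[1][(x >> 16) & 0xFF]) & 0xFFFFFFFF)
                 ^ s[2][(x >> 8) & 0xFF]) + s[3][x & 0xFF]) & 0xFFFFFFFF

    def crypt_block(self, l, r, decrypt=False):
        P = self.P[::-1] if decrypt else self.P  # decryption = same rounds, P reversed
        for i in range(16):
            l ^= P[i]
            r ^= self._f(l)
            l, r = r, l
        return r ^ P[17], l ^ P[16]

def _ecb(cipher, data, decrypt=False):
    """Blowfish-ECB over 8-byte blocks with both 32-bit words read/written
    little-endian, i.e. the byte swap the reference tools do around the cipher."""
    return b"".join(struct.pack("<II", *cipher.crypt_block(*struct.unpack("<II", data[i:i + 8]), decrypt))
                    for i in range(0, len(data), 8))

def build_plaintext(mac, username, password, udp=False):
    """0x80-byte unencrypted probe: 16-byte MD5 + 0x70-byte body. udp=False is the original
    layout (password field 0x10); udp=True the R7000/R7500 layout (password field 0x21,
    which takes 0x11 bytes from the reserved area)."""
    body = b""
    for value, size in ((mac, 0x10), (username, 0x10), (password, 0x21 if udp else 0x10)):
        raw = value.encode("ascii")
        if len(raw) > size:               # refuse rather than truncate silently
            raise ValueError("%r does not fit in a %d-byte field" % (value, size))
        body += raw.ljust(size, b"\0")    # NUL padded; the reference scripts allow len == size
    body = body.ljust(0x70, b"\0")        # reserved area stays zero
    return hashlib.md5(body).digest() + body

def build_probe(mac, username, password, udp=False):
    """Encrypted probe for the given LAN MAC (separators stripped, upper-cased)."""
    mac = mac.replace(":", "").replace("-", "").upper()
    cipher = Blowfish(b"AMBIT_TELNET_ENABLE+" + password.encode("ascii"))
    return _ecb(cipher, build_plaintext(mac, username, password, udp))

def check_probe(probe, password):
    """Assumed daemon side: decrypt with the expected password and verify the MD5.
    Returns (mac, username) on success, None otherwise."""
    if len(probe) != 0x80:
        return None
    cipher = Blowfish(b"AMBIT_TELNET_ENABLE+" + password.encode("ascii"))
    pt = _ecb(cipher, probe, decrypt=True)
    if pt[:16] != hashlib.md5(pt[16:]).digest():
        return None
    return pt[16:32].rstrip(b"\0").decode(), pt[32:48].rstrip(b"\0").decode()

def send_probe(host, probe, udp=False, port=23):
    """One-way send: the router never answers the probe; connect with telnet afterwards."""
    if udp:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.sendto(probe, (host, port))
    else:
        with socket.create_connection((host, port), timeout=5) as s:
            s.sendall(probe)
```

For an older router run ''send_probe("192.168.1.1", build_probe("00:0f:b5:a2:be:26", "Gearguy", "Geardog"))'', for R7000/R7500-class firmware ''send_probe("192.168.1.1", build_probe(mac, "admin", web_password, udp=True), udp=True)'', then connect with ''telnet 192.168.1.1''. A password longer than the field (0x10 or 0x21 bytes) raises ''ValueError'' instead of being truncated, which would otherwise produce a probe the router silently rejects.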
===== Original TelnetEnable for Windows =====
Netgear formerly provided a developer tool, ''telnetEnable.exe'', for unlocking console access from a Microsoft Windows PC client. It originally appeared in a firmware update for Netgear WPN824 wireless routers sold in Korea. The download file was [[http://www.netgear.co.kr/Support/Product/FileInfo.asp?IDXNo=155|wpn824_ko_2.12_1.2.9.zip]] (no longer available) from the [[http://www.netgear-support.co.kr/|Korean Netgear support website]].

This old tool by itself is still available as [[http://www.myopenrouter.com/download/10602/NETGEAR-Telnet-Enable-Utility/|telnetEnable.zip]] at [[http://www.myopenrouter.com/|MyOpenRouter]] (Netgear's open source router website). Pingbin.com also hosts this file: [[http://pingbin.com/wp-content/uploads/2012/12/telnetEnable.zip|telnetEnable.zip]].

TelnetEnable works with Windows NT and later. Administrator privileges may be required to permit ''telnetEnable.exe'' through the Windows firewall. The tool tests successfully on Windows 7 64-bit with an ordinary (non-privileged) user account:
<code>
D:\>telnetEnable.exe
Version:2.1, 2003/10/17
Usage:
telnetEnable.exe <host ip> <host mac> <user name> <password>

D:\>telnetEnable.exe 192.168.1.1 000FB5A2BE26 Gearguy Geardog

D:\>telnet 192.168.1.1
Connecting To 192.168.1.1...


BusyBox v0.60.0 (2009.09.01-00:50+0000) Built-in shell (msh)
Enter 'help' for a list of built-in commands.

# exit


Connection to host lost.

D:\>
</code>

Note that the Windows 7 ''telnet.exe'' client is disabled by default. The telnet client is a Windows feature that can be enabled via //Control Panel// -> //Programs// -> //Programs and Features// -> //Turn Windows features on or off//.

Instructions for ''telnetEnable.exe'':
  * Extract ''telnetEnable.exe'' from any of the zip file downloads. ''wpn824_ko_2.12_1.2.9.zip'' includes an MS Word document with screenshots and instructions in Korean, a firmware update, and the ''telnetEnable.exe'' tool; only the tool is necessary.
  * Open a command line (Windows console) window (press [Windows key]+[R] and enter "''cmd''").
  * Get the MAC address of your Netgear router. Either run "''arp -a''" on the Windows command line and locate the "Physical Address" (MAC) for the router's IP address, or look it up in the [[http://192.168.1.1/|web interface of your router]] (//Maintenance// -> //Router status// -> //LAN port// -> //MAC Address//).
  * Take the MAC address, remove any minus signs (-) or colons (:) and convert all letters to upper case (a -> A, d -> D etc.).
  * Copy the result to the clipboard.
  * Type "''telnetEnable.exe''", a space, the IP address of your router (e.g. "''192.168.1.1''"), another space, paste the contents of the clipboard, and append the telnet console default username and password, "''Gearguy''" and "''Geardog''". Correct character case is important here. These credentials differ from those of the web interface; modify the username and password appropriately if you changed them previously. The result should look similar to this: <code>
telnetEnable.exe 192.168.1.1 000FB5A2BE26 Gearguy Geardog
</code>
  * Now press Enter to run the tool. It should return to the prompt quickly with no error. If it takes a long time and returns a 'send failed' error message, just try again.
  * You should now be able to ''telnet'' to the router from any computer on your local LAN.
  * Some routers may prompt for additional authentication (''login'' prompt) at the beginning of a telnet session. After successful authentication you will be presented with a prompt such as: <code>
U12H02900>
</code>
  * For available commands, type: <code>help</code>
  * To quit the console, type: <code>exit</code>

===== New TelnetEnable on Windows =====

The old Netgear Windows ''telnetEnable.exe'' sends probe packets to the router's TCP port 23. It is therefore not compatible with firmware and routers Netgear introduced after early 2014, which require the probe on UDP port 23.

For those newer devices you need a patched version of telnetenable that supports UDP. You can find it [[https://github.com/LuKePicci/NetgearTelnetEnable/tree/master/binaries/windows|here]].

Keep in mind that newer routers no longer use Gearguy/Geardog as username and password; you need to provide the web interface login details instead. Also, don't forget to convert your MAC address to uppercase letters and remove any colons.

===== TelnetEnable on Unix / Linux / OS X =====
The latest version of TelnetEnable for Solaris, Linux, and Apple OS X is available as part of the file [[http://www.myopenrouter.com/download/11562/Solaris-Linux-OS-X-TelnetEnable-Utility/|telnetenable-0.4-2.tar.gz]] at [[http://www.myopenrouter.com/|MyOpenRouter]] (Netgear's open source router website). Included in this distribution are compiled binaries, C source code, and code for older (buggy) TelnetEnable versions.

<code>
$ ./telnetenable
Version: 0.4, 2009/10/18
Usage: ./telnetenable <host ip> <host mac> <user name> [password]
$ ./telnetenable 192.168.1.1 001E3A04E2EB Gearguy Geardog
$ telnet 192.168.1.1
Trying 192.168.1.1...
Connected to 192.168.1.1.
Escape character is '^]'.


BusyBox v0.60.0 (2008.05.15-10:32+0000) Built-in shell (msh)
Enter 'help' for a list of built-in commands.

# version
Release version : Netgear Wireless Router WGR614v8
                  U12H07200/V1.1.11/6.0.36NA
           Time : May 15 2008 18:35:41
# exit
Connection to 192.168.1.1 closed by foreign host.
$
</code>

Instructions for ''telnetenable'':
  * Extract from the tar.gz distribution one of ''telnetenable.solaris'', ''telnetenable.linux'', or ''telnetenable.osx'', depending on your OS platform, and rename the selected file to ''telnetenable''.
  * Open a command line session or window with an interactive shell (typically a ''bash'', ''sh'', ''ksh'', or ''csh'' prompt).
  * Change directory (''cd'') to the location of the ''telnetenable'' executable.
  * The steps to run ''telnetenable'' on Unix/Linux/OS X are identical to those for the Windows version of ''telnetEnable.exe'' above.

This ''telnetenable'' natively sends the probe to TCP port 23, but it can also write the probe packet to another utility or a file instead of the network (''-'' in place of the host IP, as in the example). With the help of the [[http://en.wikipedia.org/wiki/Netcat|netcat]] utility it can therefore send the probe packet over UDP to newer (after early 2014) Netgear firmware and routers:<code>
./telnetenable - 001E3A04E2EB admin password | nc -u 192.168.1.1 23
telnet 192.168.1.1
</code>
Netgear extended the password length to 33 characters or more on routers supporting TelnetEnable over UDP. Without changing the ''telnetenable'' code here, its password length limit is 15 characters. Newer versions of TelnetEnable (see below) include these code changes.

Of note, the Unix/Linux/OS X versions of TelnetEnable were not developed by Netgear. The information necessary to develop them came from reverse engineering the operation of Windows ''telnetEnable.exe'' in order to discover what magic packets Netgear's tool sends to the router to enable the telnet interface.

==== Telnetenable in Python by pgebheim (from the 2013 revision of this page) ====

This is the older TCP-only script (password field 0x10); newer Python versions are listed under //Telnetenable in Python// below. It needs the PyCrypto or PyCryptodome package (''Crypto.Cipher'', ''Crypto.Hash'').

<file python telnetenable.py>
# Copyright (c) 2009 Paul Gebheim
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in
# all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
# THE SOFTWARE.
#
# Ported here to Python 3 syntax; the 2009 original was Python 2 with the same logic.
# Requires PyCrypto or PyCryptodome (the Crypto package).

import sys
import socket
import array
from Crypto.Cipher import Blowfish
from Crypto.Hash import MD5

TELNET_PORT = 23

# The version of Blowfish supplied with the telnetenable.c implementation
# assumes big-endian data, but the code does nothing to convert the
# little-endian data it gets on Intel to big-endian.
#
# Crypto.Cipher.Blowfish implements standard (big-endian) Blowfish, so the
# buffer is byte-swapped 32 bits at a time before and after encrypting it.
#
# This helper does the byte swapping on the buffer.
def ByteSwap(data):
    a = array.array('i')
    if a.itemsize < 4:
        a = array.array('L')

    if a.itemsize != 4:
        print("Need a type that is 4 bytes on your platform so we can fix the data!")
        sys.exit(1)

    a.frombytes(data)
    a.byteswap()
    return a.tobytes()

def GeneratePayload(mac, username, password=""):
    # Pad each field with NULs to its 0x10-byte slot in the payload
    assert len(mac) <= 0x10
    just_mac = mac.encode().ljust(0x10, b"\x00")

    assert len(username) <= 0x10
    just_username = username.encode().ljust(0x10, b"\x00")

    assert len(password) <= 0x10
    just_password = password.encode().ljust(0x10, b"\x00")

    # MD5 signature over MAC, username, password and the zeroed reserved area (0x70 bytes)
    cleartext = (just_mac + just_username + just_password).ljust(0x70, b"\x00")
    md5_key = MD5.new(cleartext).digest()

    payload = ByteSwap((md5_key + cleartext).ljust(0x80, b"\x00"))

    secret_key = b"AMBIT_TELNET_ENABLE+" + password.encode()

    return ByteSwap(Blowfish.new(secret_key, Blowfish.MODE_ECB).encrypt(payload))


def SendPayload(ip, payload):
    s = None
    for res in socket.getaddrinfo(ip, TELNET_PORT, socket.AF_INET, socket.SOCK_STREAM, socket.IPPROTO_IP):
        af, socktype, proto, canonname, sa = res
        try:
            s = socket.socket(af, socktype, proto)
        except socket.error:
            s = None
            continue

        try:
            s.connect(sa)
        except socket.error:
            s.close()
            s = None
            continue
        break

    if s is None:
        print("Could not connect to '%s:%d'" % (ip, TELNET_PORT))
    else:
        s.send(payload)
        s.close()
        print("Sent telnet enable payload to '%s:%d'" % (ip, TELNET_PORT))

def main():
    args = sys.argv[1:]
    if len(args) < 3 or len(args) > 4:
        print("usage: python telnetenable.py <ip> <mac> <username> [<password>]")
        sys.exit(1)

    ip = args[0]
    mac = args[1]
    username = args[2]

    password = ""
    if len(args) == 4:
        password = args[3]

    payload = GeneratePayload(mac, username, password)
    SendPayload(ip, payload)

if __name__ == "__main__":
    main()
</file>

  * See the [[http://code.google.com/p/netgear-telnetenable/|Project Homepage]] for more information.
  * Connect to the router's LAN and run the script, taking the router's MAC address from the ARP table (ping the router first if the table has no entry for it yet):<code>
python telnetenable.py 192.168.1.1 $(arp -n | awk '/^192\.168\.1\.1 / { gsub(/:/, "", $3); print toupper($3) }') Gearguy Geardog
</code>
The router now accepts telnet connections.
  
==== Probe packet payload generator in C by yoshac ====
  * {{:toh:netgear:telnetenable.zip}}

Thanks to yoshac_at_member_dot_fsf_dot_org, the Windows TelnetEnable has been reverse engineered. From this the data format and transforms performed by Netgear's ''telnetEnable.exe'' could be determined, and the work to implement the entire tool as open source is complete, as per the example above.

Source code for a C re-implementation of the ''telnetEnable.exe'' algorithms has been released by yoshac_at_member_dot_fsf_dot_org under the GPL, for use as the basis of a Unix version of the tool. Yoshac's telnetenable binary operates exactly like the original Windows tool, except that it does not actually send the TCP frame to the router: network support was left as an exercise for the reader ;-), and Seattle Wireless was the first to add it (below).

This payload generator is not recommended for use because of a major bug in handling MD5 signatures.

Usage:
  * Please read the README file contained in the attached ZIP archive.
  * The implementation does not provide network connectivity. To finish the process from a Unix box, follow the instructions in the README to compile the software, then run <code>
telnetenable 192.168.1.1 000FB5A2BE26 Gearguy Geardog > modpkt.pkt</code>
  * Then send the packet to the router with the [[http://en.wikipedia.org/wiki/Netcat|netcat]] utility. You may need to install ''nc'' separately, depending on your OS distribution.<code>
nc 192.168.1.1 23 < modpkt.pkt
</code>
  
==== TelnetEnable in C by Seattle Wireless ====

  * [[http://www.seattlewireless.net/telnetenable.c|telnetenable.c]] (no longer available) at [[http://www.seattlewireless.net|Seattle Wireless]]

This was the earliest known version of TelnetEnable that added networking support to yoshac's probe packet payload generator. Archived copies of the code are still available as [[http://web.archive.org/web/20070430142528/http://seattlewireless.net/telnetenable.c|telnetenable.c 4/30/2007]] and [[http://web.archive.org/web/20130812155401/http://www.seattlewireless.net/telnetenable.c|telnetenable.c 8/12/2013]] at [[http://web.archive.org/|archive.org]]. The file ''telnetenable-0.2.c'' included in ''telnetenable-0.4-2.tar.gz'' noted above is also a copy of ''telnetenable.c'' as it appeared at the Seattle Wireless site in 2009.

This version of TelnetEnable is also not recommended for use because of a major bug in handling MD5 signatures.

==== Forks of TelnetEnable in C (telnetenable.c) ====

TelnetEnable in C from Seattle Wireless was forked to [[http://www.myopenrouter.com/download/11562/Solaris-Linux-OS-X-TelnetEnable-Utility/|telnetenable-0.4-2.tar.gz]] by [[http://www.myopenrouter.com/|MyOpenRouter]] site user "retro98" during October 2009. This fork added major bug fixes, documentation, and compiled executables ready for immediate use. It is the only known version of TelnetEnable in C that correctly fixes an MD5 payload buffer overrun and an MD5 result truncation bug.

On Aug 20, 2012 TelnetEnable in C was also forked to GitHub by Dave Jagoda under the new project name [[https://github.com/davejagoda/NetgearTelnetEnable|NetgearTelnetEnable]] (still also referred to as telnetenable.c). This fork was an incomplete duplicate of the work retro98 at MyOpenRouter had completed three years earlier. Various fixes and improvements were made to the original telnetenable.c during the short period from 8/20/2012 to 10/08/2012; after that there were no further commits to the GitHub repository.

On Feb 12, 2015 [[https://github.com/insanid/NetgearTelnetEnable|NetgearTelnetEnable]] was forked on GitHub by insanid. Changes such as switching from a TCP to a UDP payload and increasing the maximum allowed password length to 33 characters allow this modified telnetenable.c to unlock telnet on newer Netgear routers such as the R7000 and R7500. Some older Netgear routers, or router+ADSL modem devices such as the DGN2200v4, have received recent firmware updates that changed the device to accept probe packets only over UDP. This newer, modified telnetenable.c should unlock telnet on any Netgear router that accepts probe packets over UDP.

 +==== For newer Netgear routers that accept probe packet over UDP (R7000, R7500) ==== 
 + 
 +The version of TelnetEnable UDP is available at this [[https://​github.com/​insanid/​NetgearTelnetEnable|NetgearTelnetEnable Github Repository]]Included in this repository are the files for the modified source code for telnetenable.c, and the binary for Linux x86-64 ​and Windows which can be downloaded here: [[https://​github.com/​insanid/​NetgearTelnetEnable/​raw/​master/​binaries/​|telnetenable]] 
 + 
 +**Instructions:​** 
 + 
 +Download the binary for telnetenable or build from source.
 +
 +Execute these commands to clone the repository and build from source (the gcc command must be run inside the cloned directory):
 +<code>
 +git clone https://github.com/insanid/NetgearTelnetEnable.git
 +cd NetgearTelnetEnable
 +gcc -o telnetenable md5.c blowfish.c telnetenable.c
 </​code>​ </​code>​
  
-  * Correct character case is important here. +After downloading ​the binary or building ​from source: 
-  * Now press Enter to run the tool. It should return to the shell pretty quickly with no error. If it takes a long time and returns a 'send failed'​ error message, just try again. + 
-  * You should now be able to login to the router via telnet ​from any computer in your local subnet ​ +<​code>​ 
-  * After successful authentication you will be presented a prompt such as<​code>​ +chmod a+x telnetenable
-U12H02900>​+
 </​code>​ </​code>​
-  * For available commands, type <​code>​help</​code>​ 
- or <​code>?</​code>​ 
-  * To quit the console, type <​code>​exit</​code>​ 
  
 +Then run telnetenable:​
 +
 +<code>
 +./telnetenable <IP> <MAC> <Username> <Password>
 +</code>
 +IP - The IP address of your Netgear device, usually 192.168.1.1
 +
 +MAC - The MAC address of the LAN port on your Netgear device, WITHOUT the ":". e.g. "00:40:5E:21:14:4E" would be written as "00405E21144E".
 +
 +Username - 'admin'
 +
 +Password - The password you set in the web interface
 +
 +==== Telnetenable in Python ====
 +
 +**Newer Netgear Routers (R7000, R7500)**
 +
 +  * Download the latest modified ''telnetenable.py'' script from Github [[https://github.com/insanid/netgear-telenetenable]]
 +  * Readme.txt contains instructions on how to use the python script
 +
 +**Older Netgear Routers**
 +
 +  * Download the latest ''telnetenable.py'' script from Github [[https://github.com/semyazza/netgear-telenetenable]]
 +  * Readme.txt contains instructions on how to use the python script
 +
 +**Legacy Information**
 +  * The information below is somewhat outdated. There are newer versions of ''​telnetenable.py''​ listed in the sections above that support a wider range of devices, and are easier to use.
 +  * See the original Project on Google Code [[http://code.google.com/p/netgear-telnetenable/|Project Homepage]] for more information
 +
 +How to use the ''telnetenable.py'' python script: [[http://www.cyberciti.biz/faq/enable-telnet-access-for-netgear-n600-adsl-router/]]
 +
 +  * After downloading ''telnetenable.py'' execute the following command:
 +  * In this example the MAC address of the router is 01:23:45:67:89:AB
 +<code>python telnetenable.py 192.168.1.1 0123456789AB Gearguy Geardog</code>
 +  * Another method of executing the command:
 +  * In this example the MAC address is piped to ''telnetenable.py'' by using ''arp'' and ''awk''. The address field is compared as a whole (''$1 == "192.168.1.1"'') so that 192.168.1.10 or 192.168.1.100 in the ARP cache cannot be picked up by mistake:
 +<code>python telnetenable.py 192.168.1.1 $(arp -n | awk '$1 == "192.168.1.1" { gsub(/:/, "", $3); print toupper($3) }') Gearguy Geardog</code>
 +
 +Telnet access should be enabled on the router.
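The two MAC-address steps above (writing the LAN MAC without colons for the C tool, and pulling it out of ''arp -n'' for the Python script) share the same pitfalls: a malformed or unresolved ARP entry, a substring match on the IP, and a password the probe payload cannot carry. The following is an added example for this page, not code from any telnetenable project. It assumes the ''./telnetenable <IP> <MAC> <Username> <Password>'' command line documented above, Linux ''arp -n'' output, and the 33-character password limit the page reports for the UDP telnetenable.c; the ARP output it parses is constructed sample data.

```python
"""Prepare and verify a telnetenable run.

Added example for this wiki page; not code from any telnetenable project.
Assumes the command line documented above
(./telnetenable <IP> <MAC> <Username> <Password>), Linux `arp -n` output,
and the 33-character password limit the page reports for the UDP tool.
"""
import ipaddress
import os
import re
import socket
import subprocess

# Longest password the UDP telnetenable.c can put in its probe (per this page).
MAX_PASSWORD_LEN = 33

HEX12 = re.compile(r"^[0-9A-F]{12}$")

# Constructed `arp -n` output for the demo; the third entry is unresolved.
ARP_SAMPLE = """\
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.1.1              ether   00:40:5e:21:14:4e   C                     eth0
192.168.1.10             ether   0a:1b:2c:3d:4e:5f   C                     eth0
192.168.1.50                     (incomplete)                              eth0
"""


def normalize_mac(mac):
    """Return the 12 upper-case hex digits telnetenable wants ("00405E21144E").

    Accepts colon, dash or Cisco dotted notation as well as the bare form;
    anything that is not exactly 48 bits of hex raises ValueError.
    """
    digits = re.sub(r"[:.\-]", "", mac.strip()).upper()
    if not HEX12.match(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def mac_from_arp(arp_output, ip):
    """Look up the MAC for exactly `ip` in `arp -n` output.

    A regex like /192.168.1.1/ also hits 192.168.1.10 and 192.168.1.100;
    here the address field is compared whole, and an '(incomplete)' entry
    is reported instead of being passed on as if it were a MAC.
    """
    for line in arp_output.splitlines():
        fields = line.split()
        if not fields or fields[0] != ip:
            continue
        if "(incomplete)" in fields:
            raise LookupError(f"{ip} is in the ARP cache but unresolved; ping it first")
        return normalize_mac(fields[2])  # Linux layout: <ip> ether <mac> C <iface>
    raise LookupError(f"{ip} is not in the ARP cache; ping it first")


def telnetenable_argv(ip, mac, username, password, tool="./telnetenable"):
    """Build argv for the probe tool, rejecting inputs it cannot send."""
    ipaddress.IPv4Address(ip)  # raises ValueError on a malformed address
    if not username or not password:
        raise ValueError("username and password must not be empty")
    if len(password) > MAX_PASSWORD_LEN:
        raise ValueError(f"password longer than {MAX_PASSWORD_LEN} chars will not fit the probe payload")
    return [tool, ip, normalize_mac(mac), username, password]


def telnet_is_open(ip, timeout=2.0):
    """Check whether the router now accepts connections on TCP/23.

    A refused or timed-out connect after the probe usually means the wrong
    MAC or credentials, or that a reboot has re-locked the console.
    """
    try:
        with socket.create_connection((ip, 23), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    router = "192.168.1.1"
    # "your-web-ui-password" is a placeholder for the web interface password.
    argv = telnetenable_argv(router, mac_from_arp(ARP_SAMPLE, router),
                             "admin", "your-web-ui-password")
    print("would run:", " ".join(argv))
    if os.path.exists(argv[0]):  # only if the binary was actually built
        subprocess.run(argv, check=True)
        print("telnet open:", telnet_is_open(router))
```

In real use replace ''ARP_SAMPLE'' with the output of ''subprocess.run(["arp", "-n"], capture_output=True, text=True).stdout''; the ''telnet_is_open'' check is the quickest way to tell a successful unlock from a silently ignored probe.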
 +
 +===== Using the Netgear Router Console =====
 +
 +The Netgear hidden telnet console is an administrative back door, which implies security concerns.
 +Fortunately, it is not known to be exploitable via the router's WAN (internet) interface.
 +But unfortunately, there's no way to disable the telnet console on Netgear routers with this feature.
 +The workaround is to use TelnetEnable and the telnet console itself to change the console username and/or password from their default values (Gearguy / Geardog). A probe packet built with the old defaults will then no longer unlock the console, so TelnetEnable must afterwards be run with the new values.
 +
 +  * The procedure to display the router's usernames and passwords, and then change them for the telnet console, is as follows:
 +  * NOTE: This only works on some Netgear routers. The R7500, for example, does not use ''nvram'' to store settings
 +<code>
 +# nvram
 +usage: nvram [get name] [set name=value] [unset name] [show] [commit] ...
 +#
 +# nvram show | grep username
 +size: 12006 bytes (20762 left)
 +pptp_username=
 +http_username=admin
 +bpa_username=
 +ddns_username=
 +ver_check_ftp_username=anonymous
 +pppoe_username=guest
 +super_username=Gearguy
 +#
 +# nvram show | grep passw
 +size: 12006 bytes (20762 left)
 +pptp_passwd=
 +ver_check_ftp_password=WGR614V8@
 +super_passwd=Geardog
 +http_passwd=password
 +bpa_passwd=
 +pppoe_passwd=
 +ddns_passwd=
 +#
 +# nvram set super_username=newusername
 +# nvram set super_passwd=newpasswd
 +# nvram commit
 +#
 +# reboot
 +</code>
  
 +Rebooting the router is necessary to re-lock its telnet console.
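The ''nvram show'' session above is easy to read by eye on one router, but when checking several devices it helps to script the audit: parse the dump, flag the credentials that are still at their factory values, and emit the exact ''nvram set'' / ''nvram commit'' / ''reboot'' sequence. The block below is an added example for this page, not code from Netgear or any telnetenable project. It assumes the variable names seen in the dump above (''super_username'', ''super_passwd'', ''http_passwd''), that ''password'' is the factory web-interface password, and the 33-character password limit the page reports for the UDP telnetenable.c; the dump it parses is a constructed excerpt of the output shown above.

```python
"""Audit an `nvram show` dump for the hidden console's default credentials
and generate the commands that change them.

Added example for this wiki page; not code from Netgear or any telnetenable
project.  Assumes the variable names seen in the dump above and that
`nvram set`, `nvram commit` and `reboot` are the commands that change and
persist them.
"""
import re

# Factory console credentials, exactly as they appear in the dump above.
DEFAULT_SUPER = {"super_username": "Gearguy", "super_passwd": "Geardog"}
DEFAULT_HTTP_PASSWD = "password"  # Netgear's factory web-UI password
# The UDP telnetenable.c sends at most 33 password characters (per this page);
# a longer super_passwd could no longer be used to unlock the console at all.
MAX_PASSWORD_LEN = 33

# Constructed dump, trimmed from the `nvram show | grep` output shown above.
NVRAM_SAMPLE = """\
size: 12006 bytes (20762 left)
pptp_username=
http_username=admin
pppoe_username=guest
super_username=Gearguy
super_passwd=Geardog
http_passwd=password
ver_check_ftp_password=WGR614V8@
"""


def parse_nvram_show(text):
    """Turn `nvram show` output into a dict, skipping the 'size:' header."""
    nv = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("size:"):
            continue
        key, sep, value = line.partition("=")
        if sep:  # partition keeps any '=' inside the value intact
            nv[key] = value
    return nv


def credential_vars(nv):
    """Every variable whose name looks like a username or password."""
    pat = re.compile(r"user(name)?|passw(d|ord)", re.IGNORECASE)
    return {k: v for k, v in nv.items() if pat.search(k)}


def audit(nv):
    """Findings that matter for the telnet back door, worst first."""
    findings = []
    for key, factory in DEFAULT_SUPER.items():
        if nv.get(key) == factory:
            findings.append(f"{key}={factory}: factory value, any LAN host can unlock telnet with it")
    if nv.get("http_passwd") == DEFAULT_HTTP_PASSWD:
        findings.append("http_passwd=password: factory web-UI password")
    return findings


def remediation(username, password):
    """Console commands that change the back-door credentials and persist them.

    Values are restricted to characters that are safe on a `nvram set
    name=value` line, and the password to what the probe tool can still carry.
    """
    for name, value in (("username", username), ("password", password)):
        if not value or not re.fullmatch(r"[A-Za-z0-9_.@+-]+", value):
            raise ValueError(f"{name} must be non-empty and free of spaces, quotes and '='")
    if len(password) > MAX_PASSWORD_LEN:
        raise ValueError(f"password longer than {MAX_PASSWORD_LEN} characters cannot be sent by telnetenable")
    return [
        f"nvram set super_username={username}",
        f"nvram set super_passwd={password}",
        "nvram commit",
        "reboot",  # re-locks the console; unlock again with the new values
    ]


if __name__ == "__main__":
    nv = parse_nvram_show(NVRAM_SAMPLE)
    for k, v in sorted(credential_vars(nv).items()):
        print(f"{k}={v}")
    for finding in audit(nv):
        print("FINDING:", finding)
    print("\n".join(remediation("routerops", "Xk9-telnet.lock")))
```

Feed ''parse_nvram_show'' the full ''nvram show'' output captured from the telnet session rather than the grep excerpt, and keep the generated password within the length the probe tool can send, otherwise the new credentials lock you out of the console as effectively as they lock out everyone else.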
  
 ===== Troubleshooting ===== ===== Troubleshooting =====
-If you aren't able to login anymore, which may occur after firmware updates or telnet-session timeouts/connection losses, repeat the unlocking procedure.
+If you aren't able to login anymore, which may occur after firmware updates, telnet session timeouts, connection loss, or router rebooting, then repeat the unlocking procedure.
toh/netgear/telnet.console.1361072454.txt.bz2 · Last modified: 2013/02/17 04:40 by theoradicus