toh:netgear:telnet.console

toh:netgear:telnet.console [2013/02/17 04:40]
theoradicus
toh:netgear:telnet.console [2015/02/01 03:52] (current)
insanid [Unlocking the Netgear Telnet Console]
Line 1: Line 1:
 ====== Unlocking the Netgear Telnet Console ====== ====== Unlocking the Netgear Telnet Console ======
-Some [[toh:​netgear:​start|Netgear]] ​routers run a telnet daemon ​which can be accessed from any computer on its local subnet after unlocking it (see below). The following devices are currently known or assumed ​to support this:+Several ​[[toh:​netgear:​start|Netgear]] ​router models running factory firmware have a telnet daemon ​that listens at the router'​s ​local LAN IP address. Administrators can gain access to a hidden command line interface ​(CLIwith a telnet client, after sending a magic packet ​to the router'​s telnet daemon, to unlock it.
  
 +The following Netgear devices are currently known to support this feature:
 +
 +  * DGN1000v3 Router Firmware Version V1.0.0.14_0.0.14:​ works, gives access to a busybox console w/o authentication
   * WGR614 v1-2: unknown, may well work   * WGR614 v1-2: unknown, may well work
   * WGR614 v3,​v4,​v5,​v6:​ known to work   * WGR614 v3,​v4,​v5,​v6:​ known to work
-  * WGR614 v7: known to work (if it does not work for you, try to hardreset ​your router first)+  * WGR614 v7: known to work (if it does not work for you, try to hard reset your router first)
   * WGR614 v8: aka WGR614L, works, access to a busybox console w/o authentication   * WGR614 v8: aka WGR614L, works, access to a busybox console w/o authentication
   * WGR614 v9: works, gives access to a busybox console w/o authentication   * WGR614 v9: works, gives access to a busybox console w/o authentication
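Review bot: the new lead-in "The following Netgear devices are currently known to support this feature:" is contradicted by the list it introduces, which still carries entries marked "unknown, may well work" and "assumed to work"; the removed wording "known or assumed to support this" was the accurate one, so either restore "known or assumed" or move the untested models into a separate list. Also, the added DGN1000v3 entry is the only line in this hunk that records the firmware version it was tested on, while the WGR614 entries marked "known to work" give none; since the WNR3500L entry further down records the unlock working on V1.2.2.44 and failing on V1.2.2.48_35.0.55NA, the tested firmware version is the detail readers need, and the "known to work" entries should carry it too.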
Line 13: Line 16:
   * WGT624 v2, v3: works   * WGT624 v2, v3: works
   * WGT624 (unknown version): [[http://​www.cve.mitre.org/​cgi-bin/​cvename.cgi?​name=2006-1002|assumed to work]]   * WGT624 (unknown version): [[http://​www.cve.mitre.org/​cgi-bin/​cvename.cgi?​name=2006-1002|assumed to work]]
-  * WNR1000 ​v2: works. Does not require username/​password for login. On connection the '#'​ prompt is displayed.+  * WNR1000 ​v1-2: works. Does not require username/​password for login. On connection the '#'​ prompt is displayed. 
 +  * WNR2000 v4: works. Does not require username/​password for login. On connection the '#'​ prompts is displayed. 
 +  * WN3000RP v1: works. Does not require username/​password for login, but necessary for telnetable (Geardog/​Gearguy)
   * [[oldwiki/​openwrtdocs/​hardware/​netgear/​WNDR3300]] : works. Does not require username/​password for login. ​ On connection the '#'​ prompt is displayed.   * [[oldwiki/​openwrtdocs/​hardware/​netgear/​WNDR3300]] : works. Does not require username/​password for login. ​ On connection the '#'​ prompt is displayed.
-  * [[toh/​netgear/​WNR3400|WNDR3400v2]] v1.0.0.16_1.0.34 works. Does NOT ask for username/​password on login. On connection you should be dropped on a '#'​ prompt. 
   * [[toh/​netgear/​WNR3500]] v1.0.29: works. Does NOT ask for username/​password on login. On connection you should be dropped on a '#'​ prompt.   * [[toh/​netgear/​WNR3500]] v1.0.29: works. Does NOT ask for username/​password on login. On connection you should be dropped on a '#'​ prompt.
-  * [[toh/​netgear/​wnr3500l|WNR3500L]] V1.2.2.44: Works. ​ Does NOT ask for username/​password on login. Dropped to '#'​ prompt on connection.+  * [[toh/​netgear/​wnr3500l|WNR3500L]] V1.2.2.44: Works. ​V1.2.2.48_35.0.55NA:​ fails. ​Does NOT ask for username/​password on login. Dropped to '#'​ prompt on connection
 +  * [[toh/​netgear/​WNDR3400|WNDR3400v2]] v1.0.0.16_1.0.34 works. Does NOT ask for username/​password on login. On connection you should be dropped on a '#'​ prompt.
   * [[toh/​netgear/​WNDR3700]] V1.0.7.98: known to work - Does NOT ask for username/​password. After connection you will be root at BusyBox v1.4.2.   * [[toh/​netgear/​WNDR3700]] V1.0.7.98: known to work - Does NOT ask for username/​password. After connection you will be root at BusyBox v1.4.2.
   * [[toh/​netgear/​WNDR3800]] v1.0.0.16 Tested with the python script of telnet enable.   * [[toh/​netgear/​WNDR3800]] v1.0.0.16 Tested with the python script of telnet enable.
   * [[toh/​netgear/​WNDR4000]] v1.0.0.88 works. Does NOT ask for username/​password on login. On connection you should be dropped on a '#'​ prompt.   * [[toh/​netgear/​WNDR4000]] v1.0.0.88 works. Does NOT ask for username/​password on login. On connection you should be dropped on a '#'​ prompt.
-  * [[toh/​netgear/​WNDR4300]] V1.0.1.30 works with the python script. Does NOT ask for username/​password on login. On connection you should be dropped on a '#'​ prompt.+  * [[toh/​netgear/​WNDR4300]] V1.0.1.30/​34/​42 ​works with the python script. Does NOT ask for username/​password on login. On connection you should be dropped on a '#'​ prompt
 +  * R7000 (any version) Assumed to be working with modified python script of telnet enable 
 +  * R7500 V1.0.0.82 Tested and working. Must use a modified python script of telnet enable.
  
 +The router CLI is usually the busybox shell running on Linux.
 +Commands and utilities available typically include changing nvram settings, changing the running configuration,​ upload/​download files, managing flash memory, rebooting, etc. 
  
-===== On Un*x ===== +===== Unlocking Protocol and Algorithms ​===== 
-Netgear ​uses free software ​to make their products, but has not provided information or free software tools to enable them to be used. One needs to either use the Windows binary-only program or reverse engineer its operation in order to discover what magic packets Netgear'​s ​tool sends to the router ​to enable ​the telnet ​interface.+The Netgear ​router CLI unlocking protocol is to open a TCP connection on telnet port 23 to the router'​s ​LAN IP address, send an encrypted probe packet, then close the connection. 
 +If the router ​accepts the probe packet and unlocks the CLI, then the CLI responds after a subsequent connection with a telnet ​client.
  
-Unfortunately,​ there is no ready to go tool for Un*x, - yet. However, thanks to yoshac_at_member_dot_fsf_dot_org,​ the Windows telnetenable has been reverse engineered. ​The following could be determined on the data format and transforms performed by Netgear'​s ''​telnetEnable.exe''​ and a work is in progress to implement the entire tool as open source. The current implementation is attached to this document. +The TelnetEnable utility (see belowbuilds ​the probe packet using authentication ​data supplied on its command line. 
- +The probe packet format ​in unencrypted form is as follows:
-==== C-Program by yoshac ==== +
-  * {{:​toh:​netgear:​telnetenable.zip}} +
-  * [[http://​www.seattlewireless.net/​telnetenable.c|Unix compatible source file]]. +
- +
-=== Usage === +
-Source code for a '​C'​ re-implementation of telnetenable.exe'​s algorithms has been released by yoshac_at_member_dot_fsf_dot_org under the GPL, for use as the basis of a Un*x version of the tool currently in development. The resulting telnetenable binary will operate exactly the same as the original Windows tool, except that it currently does not actually send the raw TCP frame to the router. Network support is left as an exercise for the reader ;-) +
- +
-  * Please read the README file contained in the attached ZIP archive +
-  * The implementation does not provide network connectivity to finish the process from a *nix box, follow the instructions in the README to compile the software, then, run <​code>​ +
-telnetenable 192.168.1.1 000FB5A2BE26 Gearguy Geardog > modpkt.pkt</​code>​ +
-  * Then to send the packet to the router type<​code>​ +
-nc 192.168.1.1 23 < modpkt.pkt +
-</​code>​ +
- +
-=== The algorithm === +
-probe packet ​is built using the data supplied on the command line, and is then signed using the RCA MD5 hashing algorithmAfter signing, the entire probe packet is encrypted using the Blowfish algorithm, using a private key. +
- +
-The probe packet ​payload ​format is as follows:+
  
 <​code>​ <​code>​
 struct payload struct payload
 { {
-char signature[0x10]; +        ​char md5sum[0x10]; 
-char mac[0x10];​ +        char mac[0x10];​ 
-char username[0x10];​ +        char username[0x10];​ 
-char password[0x10];​ +        char password[0x10];​ 
-char reserved[0x40];​+        char reserved[0x40];​
 } }
 </​code>​ </​code>​
  
-The above payload format is transformed by the tool algorithms as follows:+The above payload format is transformed by algorithms as follows:
  
-The MD5 checksum is calculated for the contents of the probe payload MAC, username and password fields ​only, and is done using the normal ​3 passes ​(MD5init, MD5update, MD5final) with the default ​RCA seed. The resulting 16 byte MD5 checksum/​hash is then stored into the signature ​array of the probe payload.+The MD5 checksum is calculated for the contents of the probe payload MAC, usernameand password fields, and is done using the normal ​three steps (MD5init, MD5update, MD5final) with the default ​RSA seed. The resulting 16 byte MD5 checksum/​hash is then stored into the md5sum ​array of the probe payload.
  
-The entire probe payload (including the reserved area, which is always null for this example) is then ENCRYPTED using the blowfish ​algorithm. The secret key used for the blowfish encryption ​isAMBIT_TELNET_ENABLE ​but prior to encryption, a '+' ​followed ​by the password ​is appended to the secret key.+The entire probe payload (including the reserved area, which is always null for this example) is then ENCRYPTED using the Blowfish ​algorithm. The secret key used for Blowfish ​is "''​AMBIT_TELNET_ENABLE+'​'"​ concatenated ​by the password ​in the payload.
  
-The encrypted probe packet is then sent to telnet port (23) on the router using raw TCP sockets ​in the standard manner. Curiously, ​the telnetenable.exe program also includes the necessary support to decode packets incoming from the router, but there does not appear to be any two-way handshake implemented, it is simple a raw TCP send from the client to the router.+The encrypted probe packet is then sent to telnet port (23) on the router using TCP socket ​in the standard manner. 
 +Curiously, ​Netgear'​s Windows ''​telnetEnable.exe'' ​program also includes the necessary support to decode packets incoming from the router, but there does not appear to be any two-way handshake implemented. It is simple a TCP send from the client to the router.
  
 Note: The encrypted probe packet is sized as char output_Buf[0x640] but only an encoded data length of size of 0x80 appears to be used by the code. It is unknown what other capabilities may be similarly enabled via the '​reserved'​ field, or by other passwords. Note: The encrypted probe packet is sized as char output_Buf[0x640] but only an encoded data length of size of 0x80 appears to be used by the code. It is unknown what other capabilities may be similarly enabled via the '​reserved'​ field, or by other passwords.
  
  
 +===== TelnetEnable on Windows =====
 +Netgear formerly provided a developer tool, ''​telnetEnable.exe'',​ for unlocking console access from a Microsoft Windows PC client.
 +The tool was bundled into a firmware update for Netgear WPN824 wireless routers sold in Korea.
 +The download file was [[http://​www.netgear.co.kr/​Support/​Product/​FileInfo.asp?​IDXNo=155|wpn824_ko_2.12_1.2.9.zip]] from the [[http://​www.netgear-support.co.kr/​|Korean Netgear support website]].
  
 +The tool by itself is still available as
 +[[http://​www.myopenrouter.com/​download/​10602/​NETGEAR-Telnet-Enable-Utility/​|telnetEnable.zip]] at 
 +[[http://​www.myopenrouter.com/​|Netgear'​s open source router website]].
 +Pingbin.com also hosts this file [[http://​pingbin.com/​wp-content/​uploads/​2012/​12/​telnetEnable.zip|telnetEnable.zip]].
 + 
 +TelnetEnable works with Windows NT and later.
 +Administrator privileges may be required to permit ''​telnetEnable.exe''​ through Windows firewall.
 +The tool tests successfully with Windows 7 64-bit and with an ordinary (non-privileged) user account:
 +<​code>​
 +D:​\>​telnetEnable.exe
 +Version:​2.1,​ 2003/10/17
 +Usage:
 +telnetEnable.exe <host ip> <host mac> <user name> <​password>​
  
-==== Python-Program by pgebheim ====+D:​\>​telnetEnable.exe 192.168.1.1 000FB5A2BE26 Gearguy Geardog
  
-<file python telnetenable.py> +D:\>telnet 192.168.1.1 
-# Copyright (c) 2009 Paul Gebheim +Connecting To 192.168.1.1...
-#  +
-# Permission is hereby granted, free of charge, to any person obtaining a copy +
-# of this software and associated documentation files (the "​Software"​),​ to deal +
-# in the Software without restriction,​ including without limitation the rights +
-# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +
-# copies of the Software, and to permit persons to whom the Software is +
-# furnished to do so, subject to the following conditions:​ +
-#  +
-# The above copyright notice and this permission notice shall be included in +
-# all copies or substantial portions of the Software+
-#  +
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +
-# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,​ +
-# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENTIN NO EVENT SHALL THE +
-# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +
-# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +
-# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN +
-# THE SOFTWARE.+
  
-import sys 
-import socket 
-import array 
-from optparse import OptionParser 
-from Crypto.Cipher import Blowfish 
-from Crypto.Hash import MD5 
  
-TELNET_PORT = 23+BusyBox v0.60.0 (2009.09.01-00:​50+0000) Built-in shell (msh) 
 +Enter '​help'​ for a list of built-in commands.
  
-The version of Blowfish supplied for the telenetenable.c implementation +# exit
-# assumes Big-Endian data, but the code does nothing to convert the +
-# little-endian stuff it's getting on intel to Big-Endian +
-+
-# So, since Crypto.Cipher.Blowfish seems to assume native endianness, we need +
-# to byteswap our buffer before and after encrypting it +
-+
-# This helper does the byteswapping on the string buffer +
-def ByteSwap(data):​ +
-  a = array.array('​i'​) +
-  if(a.itemsize < 4): +
-    a = array.array('​L'​) +
-   +
-  if(a.itemsize != 4): +
-    print "Need a type that is 4 bytes on your platform so we can fix the data!"​ +
-    ​exit(1)+
  
-  a.fromstring(data) 
-  a.byteswap() 
-  return a.tostring() 
  
-def GeneratePayload(mac,​ username, password=""​):​ +Connection to host lost.
-  # Pad the input correctly +
-  assert(len(mac) < 0x10) +
-  just_mac = mac.ljust(0x10, "​\x00"​)+
  
-  assert(len(username) <= 0x10) +D:\> 
-  just_username = username.ljust(0x10,​ "\x00") +</code>
-   +
-  assert(len(password) ​<= 0x10) +
-  just_password = password.ljust(0x10,​ "​\x00"​)+
  
-  cleartext = (just_mac + just_username + just_password).ljust(0x70, ​'\x00'+Note the Windows 7 ''​telnet.exe'' ​client is disabled and inaccessible by default. 
-  md5_key = MD5.new(cleartext).digest()+The telnet client is a Windows feature that users can enable via //Control Panel// -> //​Programs//​ -> //Program and Features// -> //Turn Windows features on or off//.
  
-  payload = ByteSwap((md5_key ​cleartext).ljust(0x80, ​"\x00")) +Instructions for ''​telnetEnable.exe'':​ 
-   +  * Extract ''​telnetEnable.exe''​ from any of the zip file downloads. The ''​wpn824_ko_2.12_1.2.9.zip''​ includes a MS Word document with screenshots and instructions in Korean, a firmware update, and the ''​telnetEnable.exe''​ tool. Only the tool is necessary. 
-  ​secret_key = "AMBIT_TELNET_ENABLE+" ​password+  * Open a command line (windows console) window ​(Press [windows key]+[R] and enter "''​cmd''"​). 
 +  * Get the MAC address of your Netgear router. You can either run "''​arp -a''​" ​on the Windows command line and locate the "​Physical Address"​ (MACfor the router'​s IP address, or look it up on the [[http://​192.168.1.1/​|web interface of your router]] (//​Maintenance//​ -> //Router status// -> //LAN port// -> //MAC Address//). 
 +  ​* Take the MAC address, remove any minus signs (-) or colons (:) and replace all characters by their upper case representation (a -> A, d-> D etc.). 
 +  ​* Copy the result of your editing to the clipboard. 
 +  * Type "''​telnetEnable.exe''​", then the IP address of your router (e.g. "''​192.168.1.1''"​),​ add another space, paste the contents of the clipboard, and append the telnet console default username and password, "''​Gearguy''"​ and "''​Geardog''"​. Correct character case is important here. These credentials differ from those of the web interface. You will need to modify the username and password appropriately if you had changed them previously. The result should look similar to this: <​code>​ 
 +telnetEnable.exe 192.168.1.1 000FB5A2BE26 Gearguy Geardog 
 +</​code>​ 
 +  * Now press Enter to run the tool. It should return to a prompt pretty quickly with no error. If it takes a long time and returns a 'send failed'​ error message, just try again. 
 +  * You should now be able to ''​telnet''​ to the router from any computer in your local LAN. 
 +  * Some routers may prompt for additional authentication (''​login''​ prompt) at the beginning of a telnet session. After successful authentication you will be presented a prompt such as: <​code>​ 
 +U12H02900>​ 
 +</​code>​ 
 +  * For available commands, type: <​code>​help</​code>​ 
 +  * To quit the console, type: <​code>​exit</​code>​
  
-  return ByteSwap(Blowfish.new(secret_key,​ 1).encrypt(payload)) 
  
 +===== TelnetEnable on Unix / Linux / OS X =====
 +The latest version of TelnetEnable for Solaris, Linux, and Apple OS X is available at [[http://​www.myopenrouter.com/​|Netgear'​s open source router website]], as part of file [[http://​www.myopenrouter.com/​download/​11562/​Solaris-Linux-OS-X-TelnetEnable-Utility/​|telnetenable-0.4-2.tar.gz]].
 +Included in this distribution are compiled binaries, C source code, and code for older (buggy) TelnetEnable versions.
  
-def SendPayload(ip,​ payload)+<​code>​ 
-  for res in socket.getaddrinfo(ip, TELNET_PORT,​ socket.AF_INET, socket.SOCK_STREAM,​ socket.IPPROTO_IP):​ +$ ./​telnetenable 
-    af, socktype, proto, canonname, sa = res +Version0.4, 2009/10/18 
-    ​try:​ +Usage: ​./​telnetenable <​host ​ip> <host mac> <user name> [password] 
-      s = socket.socket(af, socktype, proto) +./​telnetenable 192.168.1.1 001E3A04E2EB Gearguy Geardog 
-    ​except socket.error, msg: +$ telnet 192.168.1.1 
-      s = None +Trying 192.168.1.1..
-      continue+Connected to 192.168.1.1
 +Escape character is '​^]'​.
  
-    try: 
-      s.connect(sa) 
-    except socket.error,​ msg: 
-      s.close() 
-      s= None 
-      continue 
-    break 
  
-  if s is None: +BusyBox v0.60.(2008.05.15-10:32+0000Built-in shell (msh
-    print "Could not connect to '​%s:​%d'"​ % (ip, TELNET_PORT) +Enter '​help'​ for a list of built-in commands.
-  else: +
-    s.send(payload) +
-    s.close(+
-    print "Sent telnet enable payload to '​%s:​%d'"​ % (ip, TELNET_PORT) +
-   +
-def main(): +
-  args = sys.argv[1:+
-  if len(args< 3 or len(args> 4: +
-    print "​usage:​ python telnetenable.py <ip> <mac> <​username>​ [<​password>​]"​+
  
-  ip = args[0] +# version 
-  mac = args[1] +Release version : Netgear Wireless Router WGR614v8 
-  ​username = args[2]+                  U12H07200/​V1.1.11/​6.0.36NA 
 +           Time : May 15 2008 18:35:41 
 +# exit 
 +Connection to 192.168.1.1 closed by foreign host. 
 +$ 
 +</​code>​
  
-  password = ""​ +Instructions for ''​telnetenable'':​ 
-  ​if len(args== 4: +  ​* Extract from the tar.gz distribution,​ one of ''​telnetenable.solaris'',​ ''​telnetenable.linux'',​ or ''​telnetenable.osx''​ depending on your OS platform. Rename the selected file ''​telnetenable''​. 
-    ​password = args[3]+  * Obtain a command line session or open a command line window that displays an interactive shell (typically ''​bash'',​ ''​sh'',​ ''​ksh'',​ or ''​csh''​prompt. 
 +  * Change directory (''​cd''​) to the location of the ''​telnetenable''​ executable. 
 +  * The steps to run ''​telnetenable''​ for Unix/​Linux/​OS X are identical with the Windows version of ''​telnetEnable.exe''​ above.
  
-  payload = GeneratePayload(mac,​ username, password) +Of note is the Unix/​Linux/​OS X versions of TelnetEnable were not developed by Netgear. 
-  ​SendPayload(ip,​ payload)+The information necessary to develop these TelnetEnable versions was from  
 +reverse engineering the operation of Windows ''​telnetEnable.exe''​ in order to discover what magic packets Netgear'​s tool sends to the router to enable the telnet interface.
  
-main() +==== Probe packet payload generator in C by yoshac ==== 
-</​file>​+  * {{:​toh:​netgear:​telnetenable.zip}}
  
-  * See the [[http://​code.google.com/​p/​netgear-telnetenable/​|Project Homepage]] for more information +Thanks to yoshac_at_member_dot_fsf_dot_org, ​the Windows TelnetEnable has been reverse engineeredThe following could be determined on the data format ​and transforms performed by Netgear'​s ''​telnetEnable.exe'' and work to implement the entire tool as open source is completeas per example above.
-  * After downloading it insert the cable to the router ​and execute the following command<​code>​ +
-python telnetenable.py 192.168.1.1 $(arp -n | awk "/​192.168.1.1/"' ​ { gsub(/:/"",​ $3); print toupper($3)}'​) Gearguy Geardog</​code>​+
  
-Now there is telnet access ​to the router.+Source code for '​C'​ re-implementation of ''​telnetEnable.exe''​ algorithms has been released by yoshac_at_member_dot_fsf_dot_org under the GPL, for use as the basis of a Unix version of the tool. Yoshac'​s telnetenable binary operates exactly the same as the original Windows tool, except that it does not actually send the TCP frame to the router. Network support was left as an exercise for the reader ;-), and Seattle Wireless was first to add the support (below).
  
 +Usage:
 +  * Please read the README file contained in the attached ZIP archive
 +  * The implementation does not provide network connectivity to finish the process from a Unix box, follow the instructions in the README to compile the software, then, run <​code>​
 +telnetenable 192.168.1.1 000FB5A2BE26 Gearguy Geardog > modpkt.pkt</​code>​
 +  * Then to send the packet to the router type<​code>​
 +nc 192.168.1.1 23 < modpkt.pkt
 +</​code>​
  
 +==== Telnetenable.c in C by Seattle Wireless ====
 +  * [[http://​www.seattlewireless.net/​telnetenable.c|telnetenable.c]].
  
 +==== Telnetenable in Python ====
  
-===== On Windows ===== +**Newer ​Netgear ​Routers (R7000R7500)**
-Netgear ​provides a developer tool for unlocking the console access from a Windows client. Windows NT and later versions are assumed to workadministrator privileges are required. This was successfully tested on Windows XP SP2.+
  
-**''​Note:''​** For sending custom crafted network packets on Windows, which this tool does, you require an account which has administrative privileges.+  ​Download the latest modified telnetenable.py script from Github [[https://​github.com/​insanid/​netgear-telenetenable]] 
 +  ​Readme.txt contains instructions on how to use the python script
  
-  ​Download the file wpn824_ko_2.12_1.2.9.zip file from [[http://​www.netgear.co.kr/​Support/​Product/​FileInfo.asp?​IDXNo=155|the Korean Netgear support website (scroll down)]] or from the other locations I found it at ([[http://​www.sebone.de/​download.php?​file=47e892f71fa9d1036a5615e3b7045190|mirror 1]], [[http://​www1.file-upload.net/​download_10.05.06/​2di5co.zip.html|mirror 2]], UPDATE: Get it here http://​files.to/​get/​349970/​64662/​telnetEnable.rar) and unzip it. A new link that does work for the time being: http://​rapidshare.com/​files/​71670434/​telnetEnable.zip. +**Older Netgear ​Routers**
-  ​You will see a M$ Word doc which contains screenshots and instructions in Korean language, a firmware update (you don't need this) and the ''​telnetEnable.exe''​ tool +
-  * Open a command line (windows console) window (Press [windows key]+[R] and enter ''​cmd''​) +
-  * Get the MAC address of your Netgear ​router. You can use either 'arp -a' and use the '​physical address'​ or look it up on the [[http://​192.168.1.1/​RST_status.htm|web interface of your router]] (//​Maintenance//​ -> //Router status// -> //LAN port// -> //MAC Address//​) +
-  * Take the MAC address, remove any minus signs (-) or colons (:) and replace all characters by their upper case representation (a -> A, d-> D etc.) +
-  ​Copy the result of your editing to the clipboard +
-  ​type ''​telnetenable.exe'',​ then the IP address of your router (e.g. "''​192.168.1.1''"​),​ add another space, paste the contents of the clipboard, and append the telnet console default username and password ''​Gearguy Geardog''​. (they differ from those of the web interface), you need to modify them appropriately if you changed them previously. The result should look similar to this: <​code>​ +
-telnetEnable.exe 192.168.1.1 000FB5A2BE26 Gearguy Geardog +
-</​code>​+
  
-  * Correct character case is important here. +  * Download ​the latest telnetenable.py script ​from Github [[https://github.com/semyazza/​netgear-telenetenable]] 
-  * Now press Enter to run the toolIt should return to the shell pretty quickly with no error. If it takes a long time and returns a 'send failed'​ error message, just try again. +  * Readme.txt contains instructions on how to use the python script
-  * You should now be able to login to the router via telnet ​from any computer in your local subnet  +
-  * After successful authentication you will be presented a prompt such as<​code>​ +
-U12H02900>​ +
-</code> +
-  * For available commands, type <​code>​help<​/code> +
- or <​code>?<​/code> +
-  * To quit the console, type <​code>​exit</​code>​+
  
 +**Legacy Information**
 +  * The information below is somewhat outdated. There are newer versions of telnetenable.py listed in the sections above that support a wider range of devices, and are easier to use.
 +  * See the original Project on Google Code [[http://​code.google.com/​p/​netgear-telnetenable/​|Project Homepage]] for more information
 +
 +How to use the telnetenable.py python script: [[http://​www.cyberciti.biz/​faq/​enable-telnet-access-for-netgear-n600-adsl-router/​]]
 +
 +  * After downloading it insert the cable to the router and execute the following command<​code>​
 +python telnetenable.py 192.168.1.1 $(arp -n | awk "/​192.168.1.1/"' ​ { gsub(/:/, "",​ $3); print toupper($3)}'​) Gearguy Geardog</​code>​
 +
 +Then there is telnet access to the router.
 +
 +===== Using the Netgear Router Console =====
 +
 +The Netgear hidden telnet console is an administrative back door, which implies security concerns.
 +Fortunately,​ it is not known to be exploitable via the router'​s WAN (internet) interface.
 +But unfortunately,​ there'​s no way to disable the telnet console on Netgear routers with this feature.
 +The workaround is to use TelnetEnable and the telnet console itself, then set the username and/or password to non-default values.
 +
 +The procedure to display the router'​s usernames and passwords, and then changing them for the telnet console, is as follows:
 +<​code>​
 +# nvram
 +usage: nvram [get name] [set name=value] [unset name] [show] [commit] ...
 +#
 +# nvram show | grep username
 +size: 12006 bytes (20762 left)
 +pptp_username=
 +http_username=admin
 +bpa_username=
 +ddns_username=
 +ver_check_ftp_username=anonymous
 +pppoe_username=guest
 +super_username=Gearguy
 +#
 +# nvram show | grep passw
 +size: 12006 bytes (20762 left)
 +pptp_passwd=
 +ver_check_ftp_password=WGR614V8@
 +super_passwd=Geardog
 +http_passwd=password
 +bpa_passwd=
 +pppoe_passwd=
 +ddns_passwd=
 +#
 +# nvram set super_username=newusername
 +# nvram set super_passwd=newpasswd
 +# nvram commit
 +#
 +# reboot
 +</​code>​
  
 +Rebooting the router is necessary to re-lock its telnet console.
  
 ===== Troubleshooting ===== ===== Troubleshooting =====
-If you aren't able to login anymore, which may occur after firmware updates ​or telnet-session timeouts/connection ​losses, repeat the unlocking procedure.+If you aren't able to login anymore, which may occur after firmware updatestelnet-session timeoutsconnection ​loss, or router rebootingthen repeat the unlocking procedure.
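Review bot: the "Using the Netgear Router Console" section recommends changing super_username and super_passwd as the workaround but never says why that helps; per the "Unlocking Protocol and Algorithms" section above, the password is part of both the MD5 input and the Blowfish key ("AMBIT_TELNET_ENABLE+" followed by the password), so a non-default super_passwd means a probe packet built with Gearguy/Geardog is no longer accepted by the daemon. State that link explicitly in the workaround paragraph, and say whether the changed values survive a firmware update, since the Troubleshooting line already warns that login may stop working after updates. The nvram output quoted in that block also prints every stored credential in clear text (http_passwd, ver_check_ftp_password, super_passwd), so a sentence telling readers to redact that output before pasting it into forum posts or bug reports would fit there. Smaller points in this hunk: "the '#' prompts is displayed" (WNR2000 v4 entry) should read "prompt is displayed"; "It is simple a TCP send" should read "It is simply a TCP send"; the WNR3500L entry now interleaves "V1.2.2.48_35.0.55NA: fails" between "Works" and the description of the working behaviour, so split it into two sentences; and "WN3000RP v1 ... but necessary for telnetable (Geardog/Gearguy)" does not say what is necessary for what.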
toh/netgear/telnet.console.1361072454.txt.bz2 · Last modified: 2013/02/17 04:40 by theoradicus · Currently locked by: insanid