Author Topic: hg 532 router story  (Read 5668 times)

ehabtanta

hg 532 router story
« on: September 01, 2015, 01:48:52 PM »

I need your help.

I will tell you the whole situation so you can figure out what is best to be done.

I work in a mini ISP, and we have the employee of the year challenge.

It is about the HG532 / HG531 v1 routers.

The admin sets a random PPPoE user and password, then changes the admin password, and we are supposed to get the PPPoE data.

The challenge has many levels.

In the 1st level I was able to get the data using the UPnP tools.

Then the admin disabled it and I was challenged one more time.

I used some TR-064 actions I found on a Russian CD I got off the internet.

The TR-064 client on this CD only works with the normal dslf-config user of TR-064 and not the dslf-reset one,

and I was able to get to the web interface but not to extract the PPPoE password.
Then, being able to somehow do the web-level actions on the router, I developed a way to enable UPnP using the cookie acquired by TR-064.

In the current level UPnP is disabled and the TR-064 password is changed also.

So I am trying to get any TR-064 client that works with the dslf-reset account of TR-064, which, as I read, must have a static password which I can figure out or search for.

But this way isn't giving me much.

So I am thinking of one of the other 2 solutions I thought of:

1- to decrypt the .conf file and get the PPPoE data out of it, or to edit it to make UPnP enabled

2- to edit the firmware of the router to make UPnP always on, ignoring the setting added by the .conf file

This is an uncompressed firmware image along with a conf file:

https://www.dropbox.com/s/q3y6lia8fvui9pp/532.rar?dl=0

The open ports of the routers are:

tcp/udp 53    dns
tcp 80        http
tcp 37215     the UPnP port which the traffic is directed to from udp 1900
tcp 37443     unknown, wasn't able to get any info about this port

If you can help me, please decrypt the conf file or force UPnP to be always on.

Here is a link to the open source for the 532 firmware:

https://www.dropbox.com/s/48k2w1wnki38f1m/opensource_hg532.tar.gz?dl=0

Thanks in advance.


burakkucat

Re: hg 532 router story
« Reply #1 on: September 20, 2015, 05:22:32 PM »

Having now read through your post a couple of times, I can now understand the challenge that you have been set.

After downloading the firmware image and configuration file (https://www.dropbox.com/s/q3y6lia8fvui9pp/532.rar?dl=0), I spent some time attempting to decrypt the latter but with no success.

My next thought was to consider the possibility of obtaining the PPPoE credentials from the "other side". What do I mean by the "other side"? So far, all your attempts have been made via connections to the LAN side of the HG532 . . . Might it be possible to obtain the credentials from the WAN side? If you have access to a DSLAM (or any device that can act as the CO end of an xDSL link) could you possibly look at the data interchange that takes place between the modem/router (the HG532) and the system which authenticates the PPPoE session? Packet sniffing at the DSLAM end of the xDSL link, perhaps?

That is the best suggestion I am able to make. Sorry for not being able to find a way to decrypt the configuration file.
:cat:  100% Linux and, previously, Unix. Co-founder of the ELRepo Project.


ehabtanta

Re: hg 532 router story
« Reply #2 on: September 20, 2015, 07:58:46 PM »

Thanks for your reply, sir.

A similar .conf file was decrypted here, if it would help:

https://hg658c.wordpress.com/2015/03/17/hg658c_configtool/

I already tried it, but it is not the same signature; maybe the same method applies.

As for the WAN side:
I thought of it, but the only possibility for this is to mimic the system

using an emulator for the router and the DSLAM. Most likely QEMU would do it, but I don't know how to do it the right way.
If you could provide me with a way to make a PPPoE server that would catch the requests made by another machine that would have the firmware emulated using QEMU,
I would be extremely happy.

After all, thanks a lot for your help and time.

burakkucat

Re: hg 532 router story
« Reply #3 on: September 20, 2015, 10:02:18 PM »

Quote from: ehabtanta on September 20, 2015, 07:58:46 PM
    A similar .conf file was decrypted here, if it would help:

    https://hg658c.wordpress.com/2015/03/17/hg658c_configtool/

    I already tried it, but it is not the same signature; maybe the same method applies.

That looks like a useful tool. Having downloaded a copy, I am unable to get it to execute correctly. It is probably due to the version of Python that I have installed on this system . . . and due to me not being proficient in the use of Python. I wonder if the author of that utility would be able to assist you in converting it for use with an HG532?

I am sorry but I have never configured a PPPoE server and so I am unable to assist you. Perhaps a careful search with Google will reveal something that you could use?

ehabtanta

Re: hg 532 router story
« Reply #4 on: September 21, 2015, 04:17:21 AM »

I already used it with the 532, but the .conf signature isn't the same, so the tool wasn't able to deal with my file.
I mailed its owner but he won't reply.
Anyway, thanks a lot for your time.

ahmedfarazch

Re: hg 532 router story
« Reply #5 on: September 21, 2015, 03:42:37 PM »

Hello!


Have you tried:
- there is a default user with username "user" (without quotes) and with a blank password
- there is a default telnet user with username "admin" and password "admin" (without quotes)
- would a default config file (not encrypted) for the TalkTalk HG532 be helpful to you? If yes, I'll attach it later on!

Regards,
Ahmed

ehabtanta

Re: hg 532 router story
« Reply #6 on: September 22, 2015, 07:30:28 AM »

Thanks a lot, Mr Ahmed.

None of the default usernames/passwords would work because the admin changed them on purpose.

Telnet is disabled.

The default conf for the HG532 is always encrypted, even the one inside the firmware,
but if you were able to get a non-encrypted one I would be very interested in having a look at it.

After some searching I understand that the web.elf file of the firmware is what encrypts and decrypts the conf. I am trying to work with it using IDA, but I don't have sufficient knowledge of this stuff; I will try to learn more about it.

Any help would be appreciated.
Thanks all.

ahmedfarazch

Re: hg 532 router story
« Reply #7 on: September 22, 2015, 07:22:20 PM »

Hello Again!

You are welcome! I have attached the (default) config file for a:
Product name:      EchoLife HG532
Hardware version:  B.1.01
Firmware version:  v3.03t

Hope this helps!


Regards,
Ahmed

ehabtanta

Re: hg 532 router story
« Reply #8 on: September 23, 2015, 05:37:23 AM »

Thanks, sir.
Here are the values I have in my router:

Product name:      HG532e
Hardware version:  HG532EAM1HG530ERRAMVER.B
Firmware version:  V100R001C81B025
Batch number:      TWC81P0.025.320240

Can you please provide photos of the router you have, or its firmware?

Thanks.