"So we managed to change the passwords for both ssh and telnet, gain access to the Root user for the web interface, and change that password too. We changed the ACS URL to ours and removed the IP restrictions. To put it simply, we cleaned our ISP out of our router. Good for our privacy."
You forgot this bit of the summary, which I think is more interesting!
"Still there is an authorized ssh key left in the firmware but for now it’s enough that we’re keeping the ISP out. Maybe in the future, we can repack the firmware with our configuration and keys and install it on the router. For now, take care!"
It's funny to think that if you were to report all of your findings to your local newspaper (a Turkish newspaper in this case), as to how Turkish ISPs have complete access to your router or how Huawei (China) has an SSH key for your router, people would go absolutely ballistic. But for us it's just another day of expected craziness and we're tired of talking about it.
> The Huawei SSH key is a little strange, but depressingly common for network equipment, even big names like Cisco...
There's an understandable reason for this: the ISP's staff aren't necessarily any more competent than the ISP's customers (some are, but there are so many ISPs that I suspect they are now a small minority). So just as the ISP wants to be able to reset your interface devices remotely, so will Huawei and Cisco support for the ISPs themselves.
I am not implying that “understandable” means “justified”
Turkish newspapers are almost universally subservient to the autocratic government. Any free press that's still somehow around has way more consequential dictatorial abuses of power to report on, if they dare.
Indeed, I've had a Linux box between the router and the local network since the days of dial-up (originally it was the dial-up box, which made and shared the 'net connection). The only reason I've ever had to upgrade the hardware has been because the original setup only had 10 Mbps NICs.
I'm pretty sure my new CenturyLink fiber router is similar. I tried to create a PPPoE connection from my WRT1900 directly to CenturyLink using the same credentials and I couldn't connect to my internet. However, now I am motivated to create a bridge and find out why.
For CenturyLink fiber I have two boxes:
Box A: the exterior fiber enters this box, the tech said it was a "translator"; and the port 4 ethernet on it goes to ...
Box B: the CenturyLink wireless router, which performs the PPPoE with my credentials, which were somehow hardwired because no one ever told me my username/password. I'm guessing TR-069? Then port 4 on this goes to ...
Box C: MY WRT1900AC, which then goes to other subnets for my cameras, lab, and office.
I figured Box B was redundant, but trying to remove it has been problematic.
"Box A" is an ONT or optical network terminal, which is really just a media converter with some additional intelligence related to how GPON schedules use of the media. It's more or less the same thing as an ADSL modem (actual modem only) except that GPON usually uses Ethernet while ADSL usually uses ATM. But both are used the other way sometimes.
For "Box B" you can use anything you wish as long as it supports PPPoE. Contact CenturyLink by phone or chat to tell them you need your PPP credentials, they'll have no trouble giving them to you. The only trick besides PPP is that CenturyLink usually uses a VLAN for customer equipment on their GPON, but that's pretty common with ethernet over ADSL as well so routers made for use with a DSL modem should have it in their UIs alongside the PPP info. Unfortunately most newer routers are made without this use case in mind so there may not be support, in which case you can always upgrade to something a little more configurable or use a computer as a router. You can ask the CSR for the VLAN ID but in every case I've seen it's 201.
I've done this a number of times and never had the CSR give me any trouble. They also don't seem to keep very good track of who has CL-owned CPE, I've ended up with "free" CenturyLink routers a couple of times because they fell through the cracks when switching to my own.
> PPPoE with my credentials which were somehow hardwired because no one ever told me my username/password
They make it very hard to use your own "Box B", but I've set this up twice now (most recently last week). Get the username and password from CenturyLink (the tech that installs the service has this, or call them). Then, google search "century link vlan 201 wan tag". The trick is you need a router that has this functionality, most basic consumer ones don't.
Unfortunately, even if you follow all directions and it still doesn't work troubleshooting is a nightmare, very little or no help from their customer support.
Ah I see. My WRT1900AC doesn't have that option. I was running OpenWRT but ran into some issues and panicked back to the default firmware. Now that I have another wireless router I might dare it again.
B probably exists so they can split fiber between multiple end users or support things like phone service over the same link. Did you use the same VPI and VCI? PPPoE also sends an identifier (the "Host-Uniq" tag if I'm understanding it right) that probably has to match what your ISP is expecting or has assigned.
I had CL fiber. VLAN tagging: the VLAN tagging value was so high that OpenWRT didn't support it, so I was left with the useless middle box. Your mileage may vary.
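The pieces the last few comments are juggling (an 802.1Q tag such as VLAN 201 on the WAN port, a PPPoE discovery exchange, and the Host-Uniq tag) are easy to see on the wire. The following is an added example, not code from the original post or from any ISP or router vendor: it builds the PADI a client broadcasts, the PADO an access concentrator answers with, and the check a client should apply before trusting an offer. The MAC addresses, VLAN 201 and the AC name are constructed for illustration. One factual note on Host-Uniq (RFC 2516): it is chosen by the client and echoed back unchanged by the access concentrator, which is exactly what lets the client match offers to the request it sent.

```python
import os
import struct

# Constants from IEEE 802.1Q and RFC 2516 (PPPoE discovery stage).
ETHERTYPE_8021Q = 0x8100
ETHERTYPE_PPPOE_DISC = 0x8863
PPPOE_VER_TYPE = 0x11          # version 1, type 1
CODE_PADI = 0x09               # client -> broadcast: "any access concentrator out there?"
CODE_PADO = 0x07               # access concentrator -> client: offer
TAG_END_OF_LIST = 0x0000
TAG_SERVICE_NAME = 0x0101
TAG_AC_NAME = 0x0102
TAG_HOST_UNIQ = 0x0103
BROADCAST = b"\xff" * 6


def _tag(tag_type, value):
    return struct.pack("!HH", tag_type, len(value)) + value


def _frame(dst, src, vlan_id, pppoe_payload):
    """Ethernet header, optional 802.1Q tag (PCP=0, DEI=0), then the PPPoE payload."""
    head = dst + src
    if vlan_id is not None:
        if not 1 <= vlan_id <= 4094:
            raise ValueError("VLAN ID must be 1..4094")
        head += struct.pack("!HH", ETHERTYPE_8021Q, vlan_id)
    return head + struct.pack("!H", ETHERTYPE_PPPOE_DISC) + pppoe_payload


def build_padi(src_mac, vlan_id, host_uniq, service_name=b""):
    """PADI: broadcast, session id 0, Service-Name plus a client-chosen Host-Uniq."""
    tags = _tag(TAG_SERVICE_NAME, service_name) + _tag(TAG_HOST_UNIQ, host_uniq)
    pppoe = struct.pack("!BBHH", PPPOE_VER_TYPE, CODE_PADI, 0, len(tags)) + tags
    return _frame(BROADCAST, src_mac, vlan_id, pppoe)


def build_pado(ac_mac, client_mac, vlan_id, host_uniq, ac_name, service_name=b""):
    """What a conforming access concentrator sends back: unicast to the client,
    same VLAN, the Host-Uniq echoed verbatim."""
    tags = (_tag(TAG_SERVICE_NAME, service_name) + _tag(TAG_AC_NAME, ac_name)
            + _tag(TAG_HOST_UNIQ, host_uniq))
    pppoe = struct.pack("!BBHH", PPPOE_VER_TYPE, CODE_PADO, 0, len(tags)) + tags
    return _frame(client_mac, ac_mac, vlan_id, pppoe)


def parse_discovery(frame):
    """Decode Ethernet (+ optional 802.1Q) + PPPoE discovery header + TLV tags."""
    dst, src = frame[:6], frame[6:12]
    (etype,) = struct.unpack("!H", frame[12:14])
    off, vlan = 14, None
    if etype == ETHERTYPE_8021Q:
        tci, etype = struct.unpack("!HH", frame[14:18])
        vlan, off = tci & 0x0FFF, 18          # low 12 bits of the TCI are the VID
    if etype != ETHERTYPE_PPPOE_DISC:
        raise ValueError("not a PPPoE discovery frame")
    ver_type, code, session, length = struct.unpack("!BBHH", frame[off:off + 6])
    if ver_type != PPPOE_VER_TYPE:
        raise ValueError("unsupported PPPoE version/type")
    payload = frame[off + 6:off + 6 + length]
    tags, p = {}, 0
    while p + 4 <= len(payload):
        tag_type, tag_len = struct.unpack("!HH", payload[p:p + 4])
        if tag_type == TAG_END_OF_LIST:
            break
        tags[tag_type] = payload[p + 4:p + 4 + tag_len]
        p += 4 + tag_len
    return {"dst": dst, "src": src, "vlan": vlan, "code": code,
            "session": session, "tags": tags}


def accept_pado(pado_frame, our_mac, our_host_uniq, expected_vlan):
    """Only act on an offer that is really for us: right VLAN, unicast to our MAC,
    and carrying exactly the Host-Uniq we put in the PADI."""
    try:
        p = parse_discovery(pado_frame)
    except ValueError:
        return False
    return (p["code"] == CODE_PADO and p["vlan"] == expected_vlan
            and p["dst"] == our_mac and p["tags"].get(TAG_HOST_UNIQ) == our_host_uniq)


if __name__ == "__main__":
    client = bytes.fromhex("020000000001")   # constructed, locally administered MAC
    ac = bytes.fromhex("020000000002")       # constructed access concentrator MAC
    uniq = os.urandom(8)                     # client-chosen, opaque to the AC
    padi = build_padi(client, 201, uniq)
    print(parse_discovery(padi))
    pado = build_pado(ac, client, 201, uniq, b"constructed-ac")
    print("offer accepted:", accept_pado(pado, client, uniq, 201))
```

If your router "has no option" for the tag, the frames it sends simply lack the four bytes after the source MAC, and the ISP's side never sees the PADI on the VLAN it is listening on; that is the whole difference between the working and non-working setups described above.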
In the Netherlands we now have a law where ISPs must allow your own choice of network equipment. This means they must give you the required information on how to connect your own device with their network.
I have a fiber connection, which I connected directly to a Ubiquiti router through a suitable SFP module. My ISP supplied the information on the fiber type and which VLAN IDs to set up for internet, TV and telephony.
This way I have my own equipment, that I control myself. The 'modem' [0] which my ISP supplied is still in its original, unopened box.
Same in Germany! ISPs hate it because it makes their lives a lot harder - in cable networks, they now have to deal with a zoo of endpoints on a shared medium vs. a small set of standardized devices.
> ISPs hate it because it makes their lives a lot harder - in cable networks, they now have to deal with a zoo of endpoints on a shared medium vs. a small set of standardized devices.
In other words, ISPs hate it because it forces them to actually do their jobs and be ISPs. The Internet itself is "a zoo of endpoints on a shared medium", and ISP stands for Internet Service Provider.
It's not the provision of Internet that's the problem, it's the customer service requests.
e.g., AT&T could provide perfect service to the home endpoint, but the customer bought some aftermarket router from their cousin, who had configured it for Verizon. Customer calls AT&T to holler. Tier 1 support doesn't know what that particular router config GUI even looks like, so it gets bumped to T2 or T3. Ultimately to find out that the customer's cousin had hardcoded DNS to some internal Verizon system that's not visible to AT&T.
Repeat x100K. An ISP's job isn't just "provide the Internet," it's also "provide all the troubleshooting for every non-technical customer who just wants to watch Netflix but doesn't even know what a router is".
> An ISP's job isn't just "provide the Internet," it's also "provide all the troubleshooting for every non-technical customer who just wants to watch Netflix but doesn't even know what a router is"
No ISP that I'm aware of will provide troubleshooting for devices they don't own. They just say "sorry, not our device, not our problem". When I installed my own cable modem and router, Comcast was quite clear about that. And I said "fine, no problem".
The ISP I work for does, and it's a very large one (not in the US). If a router is not ours, we check for sync or if PPPoE is up. We tell the customer what's the result of our tests and offer a technician if they are willing to pay in case it's not our fault.
Most people are unwilling to pay, and yell at customer service. Most of the time, especially when the router has sync, it's the customer's fault.
The problem with this kind of procedure is that it's only a reasonable way to locate the problem when there are problems at that very moment. You're getting stonewalled when - during the day - you're reporting that it frequently loses sync during the night.
We can track sync changes, or really almost anything, crc errors, traffic, whatever we want really, although we only do it on demand.
You put a customer ID in the tracking system and it queries and stores results. It also performs analysis automatically, but in most cases it just puts the result in a frontend for analysis.
My ISP does, but they're the exception to the rule and cater to techies. Of course support questions for random devices need to be more specific than just "it doesn't work".
init7.net. They have a bunch of official guides, but also help with other devices and have debugged issues with new devices. Basically if your device is capable they want to make it work.
Init7 is great, I only had to tick a checkbox saying something like "I know what I am doing" and apart from providing the technical information they left me alone. Only had one problem with them that they resolved very quickly (the fiber cable got damaged somewhere in the basement).
+1 to init7. They've gone above and beyond when I needed them to change their routing policies to improve end to end latency to a specific destination. Good luck getting that from a major us carrier. And I wasn't even a customer.
> provide all the troubleshooting for every non-technical customer who just wants to watch Netflix but doesn't even know what a router is
People who don't even know what a router is don't buy their own equipment. Those who buy better routers don't require support for them, they call when there's a problem between the ISP and the router.
I disagree. If it is standard practice to BYOR, family or friends might give one to grandma, saying "use this, it will save you money".
I used to install satellite TV and saw this all the time. People would get old receivers from friends and family. Fortunately for me, the receivers were proprietary to that service (we don't use generic pay TV receivers in Canada) and the old ones were built like tanks. If people could have supplied any old cheap generic receiver, I probably would have had a bad time.
Problem is you'll eventually reach a point where the problem is deep and requires them to escalate, and if you aren't checking the box of tested customer cpe they'll stop. Example of this is when I found a Comcast backbone link with an incorrect/inconsistent MTU setting. Had to go back channel in the end to someone on the ibone team, but I had no chance in hell of getting that fixed promptly via regular support.
> you'll eventually reach a point where the problem is deep and requires them to escalate, and if you aren't checking the box of tested customer cpe they'll stop
I've been a Comcast customer for more than 20 years (in two different states) and have never encountered a problem like this, so I expect such problems are extremely rare. Every issue I've had has been of the kind where Comcast's support person can see right away that there's a problem on their end because they can't even see my cable modem's status even though I confirm to them that it's powered up and the cable is connected (and of course I have to go through the dance of rebooting it multiple times before they'll be satisfied). Most of the time they put me on hold for a while and then come back and the problem is fixed (I assume because some tech in the background rebooted or reset something that was borked). Once they had to send a tech to my house and it turned out there was a bad connection in the junction box they had installed outside.
I work at an ISP of sorts. It is a regional research and education network. We are owned by our members. Heterogeneity is definitely par for the course, but that does not stop us from trying to roll out some ubiquity where we can. Many of our CPE routers are the same make and model, and that makes maintenance and analysis much less error prone. I.e. better service for our member institutions.
If you want an ISP whose competitive advantage is dealing with whatever crazy shit the edge throws at it, then that is your prerogative. But having some ground rules and baseline behavior makes it so that the ISP can focus on more rewarding tasks, such as negotiating peerings, establishing direct tunnels, improving network observability, and predicting necessary backbone upgrades.
>The Internet itself is "a zoo of endpoints on a shared medium",
No, the shared medium in this case is referring to the last part of the cable network where everyone in a neighborhood is transmitting effectively onto the same cable.
That is a really good point and one I hadn't considered.
Is it really that easy for a single device to take down a neighborhood? For example, could a bad actor trivially disrupt a node with a modified modem? I guess that would be difficult to defend against.
I don't know enough about docsis to say if it has any protections against out-of-spec devices.
I don't know why I'm surprised when things outside my area of expertise are fragile, considering things inside my area of expertise are fragile.
> Is it really that easy for a single device to take down a neighborhood? For example, could a bad actor trivially disrupt a node with a modified modem? I guess that would be difficult to defend against.
Yes, similarly to how you could jam a radio frequency. Fortunately, this is rare and only ever happens due to hardware failures in modems.
To bolster your point: Honestly they don't need to do much - the infrastructure is already there as a matter of being able to turn people's service up/down/on/off.
There is always a provider-managed CPE device that functions as the service demarcation point. This is the point where your contracted service speed is enforced (shape + egress queue and ingress policing).
You can have literally whatever router (dumb, smart, next-gen, whatever) spewing bits at X rate. The CPE will essentially normalize (police) that bit rate to your contracted speed (upstream scenario).
Can't they still just provide you with a "modem" and give you full IP access through that? What difference does it make if they put the modem inside or outside your premises? (E.g. they put a switch/DSLAM/modem into a box on the street and then they give you a cable?)
I have Spectrum cable Internet. I use their modem, but I supply my own router, and they've never given me any trouble. In fact, they recently upgraded my modem (from a Scientific Atlanta 2203C to a Ubee E31U2V1) and they didn't send me a router. The Ubee E31U2V1, like the Scientific Atlanta 2203C before it, only has one Ethernet port, and their official guide to getting the new modem working involved rebooting an external router, so there's no possible way they have a problem with customer-owned routers.
Which works out great for me. I can use OpenWRT with no hassle.
More to the point, I see the cable stuff as "ISP land" in that it's directly interfacing with their internal hardware, and so has to dance to their tune very directly, whereas Ethernet and TCP/IP are common, and so will obey my rules in my home. I don't expect my modem to perform adblocking, which is why my router does it, and I'm not going to be stupid and try to "uncap" my modem to get more speed, so I don't see a point to being able to provide my own cable modem. As long as I can own the router which provides the only path in and out of my LAN, I can do everything I'm capable of doing anyway, as far as I can see.
I use my own one because the $2 Huawei ones perform really poorly, they’re the source of a large portion of general internet performance issues for a lot of people.
> I'm not going to be stupid and try to "uncap" my modem to get more speed
I think this modem "uncapping" thing has mostly been an urban myth. Maybe there were some really early cable modem systems in the 90s where that would have been possible, but AFAIK with DOCSIS the speed is regulated by the CMTS [0], not the modems.
> I think this modem "uncapping" thing has mostly been an urban myth. Maybe there were some really early cable modem systems in the 90s where that would have been possible, but AFAIK with DOCSIS the speed is regulated by the CMTS [0], not the modems.
It depends in precisely what CMTS is running, what firmware it has and the ISP's willingness to replace/upgrade old hardware at great expense.
At the last telco I worked for we had about 12 CMTSs, and 2 of them were holding up a bunch of upgrades because of their age. One of the things they specifically couldn't do was provision the speed of the individual circuits.
The US has (had?) some network neutrality rules around discriminating against different types of hardware, but AT&T just does it anyway. (They require you to use their DSL modem + router + wifi and it has broken support for adding a second router behind it.)
Dealing with the same thing with AT&T fiber. There was word of a hack involving putting your router behind a switch with the AT&T router after cloning the MAC, then booting them both up and letting your router pick up the DHCP responses along with the AT&T router. Once the AT&T router had done its proprietary handshake, you could disconnect the AT&T router.
Unfortunately I had no luck with that - my loose theory is that my EdgeRouter was doing a ping check to see if the IP was already taken before accepting the DHCP lease...
I was able to get "IP passthrough" mode working with the AT&T router though. The key hiccup was that the AT&T router had to be on a different subnet than my router's LAN subnet.
I don't know if it's "law" in America but I've never seen a major ISP give any more guff than sometimes making a technician come out to read the modem's MAC address. I've never had an ISP's router or modem on my networks.
Also, if you didn't need so much bandwidth, is it possible to just order a basic 100Mb/10Mb connection for a nominal fee of, say, 30 Euro?
The speeds in the US aren't actually that bad, but you're basically forced to pay for everything: paid cable TV, equipment rental fees, etc, and your $40 plan ends up creeping towards $100 / month after the fees and taxes, with increases every year.
This varies greatly by locale and is not uniform across the USA. In Berkeley, California I have fiber service that terminates in my own equipment, no rented equipment and no bundled services (TV, phone, etc). It's nominally symmetric gigabit service for $40/month.
For me, in NL, it's about 55 Euro per month for 200/200 fiber and TV (including fees and taxes). Unfortunately this increases every year in NL as well.
Central / East Europe sounds like a paradise sometimes. Cheap rent, more conservative cultures, and fast internet at low prices.
What I'm guessing, though, is that 10EUR internet and 200EUR apartment rentals are the equivalent of our $70 internet and $1500 one bedroom apartments when adjusted for salaries.
As far as I'm aware, UK doesn't have a law like this, but I've never had a situation where an ISP cared, they just tell you that if you have problems they might not be able to help. I think you get interop issues with TV and landline with those ISPs where everything is bundled into one fibre, but the internet bit usually works fine.
You can call your ISP with any arbitrary piece of non-branded random AliExpress $#@$ of a network eq. and they must walk you through configuring it? That does not make much sense to me.
Parent notes that the ISP provides a router anyway. It's safe to assume that most people will simply use that, if not for the support then just because it is already there.
Yeah, this. My mom isn't ever going to add a 3rd party router. Even most of the technical people I know (well paid Python devs, etc.) probably wouldn't mess with the on-prem ISP gear.
I do network engineering for a living, so I totally would, but I'm an outlier compared to the rest of the population.
I'm not completely sure about this, as I don't have a cable connection to my house (only fiber) so I never paid attention. But AFAIK the major cable providers here allow you to configure the supplied modem-router into passthrough mode (thus only acting as a modem) so you can install your own router behind it.
I have never met someone who attempted to install their own cable modem. I do know that the cable modulation standard (DOCSIS) is wildly complicated, so even buying the right type of cable modem for your connection would be challenging. There may also be licensing issues involved that would prevent you from buying such modem completely.
I know some cable ISPs outside NL will allow it if your modem is from a reputable brand without any known issues (and compatible with whatever DOCSIS version they're using of course). Ziggo's "connectbox" modem/router even in bridge mode has quite poor latency stability so I was hoping I could use this law to persuade them to activate an Arris SURFboard or some other decent brand modem.
Fiber internet (at least where I live) is just a TCP/IP connection. You could even connect it straight to your PC and it would work.
So, I use an SFP module that is suitable for the wavelength and mode of my fiber connection, and plugged that into a Ubiquiti EdgeRouter. In the case of my ISP I had to configure a VLAN on the external interface, as they use separate VLANs for internet, TV and telephony. Once you configure the VLAN, the router will receive an IP address over DHCP and you'll be online.
In my case, I have VZ Fios in the northeast US. Their termination point at my house has an RJ45 Ethernet connection. It goes directly to my pfSense router.
Usually (always?) the way FiOS works is that every subscriber gets his own ONT. That ONT can be configured to output network bits on either an RJ45 port or using MoCA.
For many people MoCA is more convenient because most houses and apartments are already wired for "cable", ie RG-6 for television purposes. FiOS is offered as a "triple play" service: internet, TV, and phone. Cable is the TV part of that.
There usually isn't an existing Cat 6 connection from the ONT to the living area of the "flat". (Except we don't have "flats" here in the USA). So Verizon will use MoCA to send bits to a more conveniently located wireless access point that they can also supply.
When Verizon installed my FiOS I didn't want to deal with MoCA or their access point, so I had them run Ethernet from the ONT to my den.
I'm not clear on your objection to an ONT. They way GPON works is that the ONT has to be somewhere nearby; if it's not in your flat it still has to be elsewhere in the apartment building.
Just one less piece of equipment, really. Having an RJ45 cable directly to the router is just a much cleaner solution. For those of us living in an extremely small sub-200 square foot apartment, getting rid of a piece of equipment results in less clutter.
Apparently a Polish carrier called Multimedia has recently introduced a new, revolutionary service for some customers. It's called "set up a custom wi-fi configuration", and it's just 5 PLN (a little over $1)! It lets you think up an SSID and password, and configure your router to use those! That's an amazing invention, isn't it? /s
Some customers apparently have absolutely no access to their routers, not even to the web interface, and they can't use their own either. All reconfiguration must be done through the customer service portal or by phone. That means the carrier can charge for every little thing, including changing the Wi-Fi config! I'm not sure if you can even bridge, but I guess not. Note that this does not affect all customers of that carrier, just a minority.
Daisy-chaining routers can severely degrade some services (gaming, p2p) due to NAT. Assuming the ISP-provided one supports PCP or UPnP-IGD, you need a client on your own router that relays port forwarding configuration to the upstream router. This is possible but may need non-trivial setup.
Fantastic write up from a hacking point of view. I did wonder about this statement though:
"This is very invasive and unacceptable. It may seem necessary to apply security patches published by your ISP but the user should be able to disable it whenever she wants."
Legally, at least in countries where I've lived, the ISP still owns the router. This surprised me a bit when I first found out, but then I got used to the idea, but you should treat any ISP or telecom gear in your house as something that's "rented but still owned and controlled by someone else".
True, but I think it's worth comparing it to other utilities in your home - what if your electric company could make all your lightbulbs 20% dimmer without notice? Or if your water heater was remotely administered? ISPs, like mobile telcos, like to claim they must have control over your hardware "for security" but I think the most charitable interpretation is that it's to make their customer service dept. sweat less (more nefarious possibilities exist, of course).
The difference is that non-updated routers can cause global problems. At the very least as an ISP I'd want to say you can look after updates yourself, but we will disable your access to the internet (other than to get the update from us) whenever we try to push an update to you and you reject it.
Hello, OP here. I've actually spent a considerable amount of time trying to find a code execution. I know you'll want to learn the details of FUN_004122c0, but here is the decompiled version of the iptables part from Ghidra:
undefined4 FUN_004045a0(int param_1,int param_2)
{
int iVar1;
int iVar2;
char pcVar3;
char cVar4;
code pcVar5;
undefined auStack544 [256];
undefined auStack288 [260];
I guess you already tried issuing commands like I mentioned?!
I am still confused by this code, but to me it looks like this has been originally written in another language, or maybe this is just what it looks like after decompiling. Seeing this function would likely be more interesting.
...and that's why my ISPs router is running in modem mode with a non-ISP-controlled router from Ubiquiti behind it - which I may replace with a pfSense box in the future.
I'm pretty happy that my cable ISP is allowing this mode so I don't have to double-NAT in my setup.
You're lucky your ISP's router offers you that option. My ISP's VDSL2 router would require "unlocking" in order to get bridge mode and it can't be easily replaced.
I recently upgraded my internet speed and my pfSense box was limiting my top download speed. So, I just went from pfSense to a Ubiquiti Secure Gateway. There are pros and cons of each, but I couldn't find any trustworthy pfSense hardware with the performance of a USG for anywhere near the same price. I do miss the configurability of pfSense though so I might switch back some day. That said, the ubiquiti interface and provisioning model is really slick.
This is why, in my case, the ISP's router (that awful box Verizon provides with FiOS) is sitting beside the demarc, unplugged and powered off.
My demarc has a hot Ethernet jack, and my firewall (a PC running Linux) that I control is connected to that Ethernet jack. No ISP shenanigans (other than what they can remotely do to configure the FiOS demarc itself).
I'd be grateful for guidance eg a link to a writeup of recommended hardware and config for a reasonably technical audience, eg "Given a Verizon FIOS G1100, put it in bridge mode and connect hw that supports software X"...
If you just have internet service from Verizon, and your router is already hooked up to the ONT by Ethernet, you can pretty much just pull the cable from that and hook it up to any Ubiquiti unit. I have a USG 3 and it works swimmingly.
For those who also have TV service, it’s more complicated, since the STBs talk TCP/IP over MoCA for various services (I believe including the program guide and DVR functions). The Ubiquiti forums have lots of posts on people trying (and succeeding) to get their gear working with FiOS.
Most of the time you only require PPPoE or DHCP, as practically speaking you get an Ethernet tunnel to your ISP using that bridge. Some ISPs additionally segment this network by VLANs, so your list of required features is probably already complete here.
If your ISP didn't have that feature, could you just replace the cable modem too? My ISP's router is running EuroDOCSIS 3.0 and I'm wondering if I could replace the router with a modem + router of my own.
If you happened to live in Germany there is a law in place that forces ISPs to allow that. But if you lived in Germany you would probably know about this. That said, there is no technical reason making it impossible. If you connect an unknown device here, you get access to the customer web panel only and can register your device using it. Afterwards it gets provisioned as usual (with caveats [no PacketCable, for example]).
Practically though, what is the difference between having the endpoint in a shaft by the elevator, or in your apartment, or even down the street? In all scenarios I'd put my own router behind the ISP equipment and run my local network however I want.
The only issue is with getting a public IP address for inbound connections.
Here we are not getting public IP addresses anyway, so the point is moot for me. But if you do get one, then all they need to do is configure their router to forward the public IP to yours.
In my case the ISP even installed two routers. One was theirs, which I had no access to, and one was "ours", which I was able to configure as I liked or replace with my own. Both routers had their own wifi, but I don't use the one from the ISP endpoint router.
I have been so disappointed with my Ubiquiti hardware. That UI is gorgeous, but lacks some real functionality that I need. I can't block BitTorrent (see forums). And I can't see a detailed traffic log, only the categories. Plus, those pretty graphs that tell you how much data you've used don't give a time frame. I have no idea if it's a week or a month.
I never thought to nmap my own router until reading this.
PORT STATE SERVICE
53/tcp open domain
80/tcp open http
631/tcp open ipp
5000/tcp open upnp
7777/tcp open cbt
20005/tcp open btx
Now begins the three-hours-and-counting rabbit hole of trying to figure out what the hell is running on ports 7777 and 20005. Or why UPNP is apparently running, despite UPNP being explicitly disabled on the Netgear router's admin page.
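The scan above is the right instinct, and the later comments in this thread raise the two questions a practitioner asks next: which of these ports did I actually expect, and are they open from the WAN side or only from the LAN? The following is an added example, not code from the original post or from any router vendor: it parses nmap's normal output, compares a LAN-side and a WAN-side scan against a list of ports the owner considers legitimate, and grades what is left over. The LAN sample mirrors the port list quoted above; the WAN sample is constructed for illustration and is not a real scan of anyone's router.

```python
import re

# One row of nmap's normal output, e.g. "7777/tcp open  cbt".
PORT_ROW = re.compile(r"^(\d+)/(tcp|udp)\s+(open|closed|filtered|open\|filtered)\s+(\S+)")


def parse_nmap(text):
    """Return {(port, proto): service} for every row nmap reports as open."""
    found = {}
    for line in text.splitlines():
        m = PORT_ROW.match(line.strip())
        if m and m.group(3) == "open":
            found[(int(m.group(1)), m.group(2))] = m.group(4)
    return found


def audit(lan_scan, wan_scan, expected_lan, expected_wan=frozenset()):
    """Grade open ports. Anything reachable from the WAN that you did not expect is
    the real problem; a LAN-only surprise still deserves an explanation, because it
    is reachable by every device (and every piece of malware) on your network."""
    lan, wan = parse_nmap(lan_scan), parse_nmap(wan_scan)
    findings = []
    for key, svc in sorted(wan.items()):
        if key not in expected_wan:
            findings.append(("HIGH", key[0], key[1], svc, "reachable from WAN"))
    for key, svc in sorted(lan.items()):
        if key in wan or key in expected_lan:
            continue
        findings.append(("MEDIUM", key[0], key[1], svc, "LAN-only, not expected"))
    return findings


# Constructed sample: LAN scan as quoted in the thread, WAN scan invented for illustration.
LAN_SCAN = """\
PORT      STATE SERVICE
53/tcp    open  domain
80/tcp    open  http
631/tcp   open  ipp
5000/tcp  open  upnp
7777/tcp  open  cbt
20005/tcp open  btx
"""

WAN_SCAN = """\
PORT      STATE    SERVICE
22/tcp    filtered ssh
80/tcp    filtered http
7777/tcp  open     cbt
"""

# What an owner who has switched UPnP off in the admin UI would consider legitimate
# on the LAN: DNS, the admin web UI and the IPP print server. Nothing from the WAN.
EXPECTED_LAN = {(53, "tcp"), (80, "tcp"), (631, "tcp")}


def run_example():
    return audit(LAN_SCAN, WAN_SCAN, EXPECTED_LAN)


if __name__ == "__main__":
    for sev, port, proto, svc, why in run_example():
        print(f"{sev:6} {port}/{proto:<4} {svc:<8} {why}")
```

To produce real input, run `nmap -sT -p- 192.168.1.1` from inside and the same scan against your public address from a host outside your network (a phone on mobile data, or a cheap VPS); feed both outputs to `audit` with the ports you deliberately enabled. A port that the admin UI says is disabled but that still answers, like the UPnP entry above, is exactly the kind of discrepancy worth chasing.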
Maybe it's a remote administration port for your ISP. I have a router provided by Frontier, formerly Verizon FiOS, where port 4567 is always open and cannot be closed with a firewall rule from the router's web UI (grayed out). After some googling I found out that it's their maintenance port:
https://www.speedguide.net/port.php?port=4567
For a while I had my own OpenWRT router in place of the ISP one, but I think they got wise to it and blocked the MAC. I changed it to match the ISP router's MAC address, but it only worked for about 3 minutes before being blocked again.
I bought both my modem and my router, so I'd be a little incredulous if my ISP had somehow forced a port open on it.
The 20005 one may be some port that NetGear uses for its USB Printing, I've found some articles that mention it.
It also struck me that I hit it with nmap using the LAN IP, so perhaps these are only open within the network. I probably need to hit the external IP of the router to see what is externally open. ShieldsUP! didn't show anything unusual.[1]
EDIT: Disclosure of a vulnerability regarding port 20005[2], and Netgear confirming that it does affect my router[3], but should have been fixed. I assume the "fix" was fixing the buffer overflow vulnerability, rather than closing the port altogether.
> After looking into folders, I found some interesting files. I won’t go through them here but I want to mention just one of them: [$ cat etc/ssh/authorized_keys]. Maybe an engineer from Huawei (I assume z00163152@HUAWEI-627FB9A3) who owns a specific DSS key, can connect all HG253s routers without needing a password, who knows?
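A vendor key in `/etc/ssh/authorized_keys` is the kind of thing worth checking mechanically on any device you manage, because the file format hides a lot in one line (options, a declared key type, a base64 blob whose first field repeats the type, and a free-form comment). The following is an added example, not code from the original post or from Huawei: it parses an authorized_keys file, fingerprints each key the way OpenSSH does (`SHA256:` over the decoded blob), flags `ssh-dss` entries (DSA keys are weak and have been disabled by default since OpenSSH 7.0) and blobs whose embedded type contradicts the declared one, and reports any key whose fingerprint is not on your own list. The sample file and both key blobs are constructed dummies; the vendor-style comment imitates the pattern quoted above but is not the real one.

```python
import base64
import hashlib
import shlex
import struct

KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
             "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com")


def _ssh_string(data):
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack("!I", len(data)) + data


def fingerprint(blob):
    """OpenSSH-style SHA256 fingerprint of a decoded public key blob."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).rstrip(b"=").decode()


def parse_authorized_keys(text):
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)            # keeps command="..." options intact
        idx = next((i for i, t in enumerate(tokens) if t in KEY_TYPES), None)
        if idx is None or idx + 1 >= len(tokens):
            entries.append({"line": lineno, "error": "no recognised key type"})
            continue
        try:
            blob = base64.b64decode(tokens[idx + 1], validate=True)
            (n,) = struct.unpack("!I", blob[:4])
            inner = blob[4:4 + n].decode("ascii")
        except Exception:
            entries.append({"line": lineno, "error": "undecodable key blob"})
            continue
        entries.append({"line": lineno, "options": tokens[:idx], "type": tokens[idx],
                        "blob_type": inner, "fingerprint": fingerprint(blob),
                        "comment": " ".join(tokens[idx + 2:])})
    return entries


def audit_authorized_keys(text, allowed_fingerprints):
    """Flag structurally weak or malformed keys and anything you did not put there."""
    findings = []
    for e in parse_authorized_keys(text):
        if "error" in e:
            findings.append((e["line"], e["error"]))
            continue
        if e["type"] != e["blob_type"]:
            findings.append((e["line"], f"declared {e['type']} but blob says {e['blob_type']}"))
        if e["type"] == "ssh-dss":
            findings.append((e["line"], "ssh-dss (DSA) key: weak, disabled by default since OpenSSH 7.0"))
        if e["fingerprint"] not in allowed_fingerprints:
            findings.append((e["line"], f"unknown key {e['fingerprint']} ({e['comment'] or 'no comment'})"))
    return findings


def _fake_blob(key_type):
    """Constructed placeholder: correct leading type string, dummy key material."""
    return _ssh_string(key_type.encode()) + _ssh_string(b"\x00" * 32)


# Constructed sample file. Both keys are dummies; the first comment imitates the
# vendor 'user@host' style seen in the firmware but is not the real comment.
SAMPLE = (
    "# keys baked into the firmware image\n"
    "ssh-dss " + base64.b64encode(_fake_blob("ssh-dss")).decode() + " vendor@factory-image\n"
    'command="/bin/false",no-pty ssh-ed25519 '
    + base64.b64encode(_fake_blob("ssh-ed25519")).decode() + " me@laptop\n"
)
MY_KEYS = {fingerprint(_fake_blob("ssh-ed25519"))}   # the only key I installed myself


def run_example():
    return audit_authorized_keys(SAMPLE, MY_KEYS)


if __name__ == "__main__":
    for lineno, msg in run_example():
        print(f"line {lineno}: {msg}")
```

On a real device, generate the allow list with `ssh-keygen -lf ~/.ssh/id_ed25519.pub` for each key you own and pass the resulting `SHA256:...` strings; everything else the script reports is a key that can log in as root without a password and that you did not authorise.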
Trivia: Strictly speaking a box that does NAT is not a router in the IP protocol sense, it's a kind of proxy. The router requirements RFC explicitly forbids altering most fields (incl the address field) in the IP header.
Adding more functions to a router doesn't make it a non-router. But if it's doing NAT and not routing, then it's a different distinction. But yep it depends on the configuration.
Media converter maybe? (Like those $100 or so fiber to ethernet converters. I say this as it's usually a modem/router plugged into the ONT's ethernet port that does ISP to CPE authentication, tunneling, etc., so the ONT is just converting fiber (from the ISP's OLT) to ethernet for something more common to plug into.)
Modem comes from MODulator/DEModulator. It's taking a signal of one sort (electrical) and modulating light to send info, and also demodulating incoming light to receive. It's a modem.
The NAT RFCs came after the routing RFC and refer to NAT as a router function, not as an orthogonal function; boxes that do NAT are referred to as routers in the RFC. This is reflected in the real world, where NAT is implemented as part of the routing chain, not as a separate module. Remember NAT isn't a box creating 2 sockets and ferrying data between them; it is just the translation of fields on top of normal routing functionality.
> boxes that do NAT are referred to as routers in the RFC
This is not the case, certainly if you are referring to the router requirements. Last I looked, the rest of the IETF was also very cognizant of the distinction, as there has been wide anti-NAT sentiment in the IETF, trying to get people to move over to IPv6 etc.
Again router requirements came out before NAT, you're not going to find anything in that RFC about something else they hadn't written yet. You have to look at the RFCs for NAT to see they are referred to as routers e.g. starting with https://tools.ietf.org/html/rfc1631:
"2. Overview of NAT
The design presented in this memo is called NAT, for Network Address Translator. NAT is a router function that can be configured as shown in figure 1. Only the stub border router requires modifications."
The IETF collectively aren't big fans of NAT as a good solution but that hasn't stopped multiple standards track NAT RFCs per year. v6 only increased this with all of the transitional mode NAT types (46, 64, 464, 646).
That's an informational RFC that has no weight in this manner; router requirements is a standards track document.
"4.2.2 Informational
An "Informational" specification is published for the general information of the Internet community, and does not represent an Internet community consensus or recommendation. The Informational designation is intended to provide for the timely publication of a very broad range of responsible informational documents from many sources, subject only to editorial considerations and to verification that there has been adequate coordination with the standards process (see section 4.2.3)."
Very true. Yet at the same time, it does route traffic to the appropriate boxes. And the name 'router', when referring to something someone has at their house, has entered the vernacular to mean "the box at home which lets me share the internet connection across all my computers".
Most folks have no idea how it works behind the scenes, which typically is a combination of NAT (IPv4), routing (IPv6), DHCP, DNS, UPnP, and more. So, it's just "the router".
It existed, but was definitely not in wide use. I worked for several early internet providers during that period (mid to late '90s). Most folks had public addresses on their desktops. No customer we ever set up wanted NAT. Most didn't even have firewalls, sadly! Some of these were small companies, some of these were large corporations or universities.
And I'd argue NAT actually is necessary if you want IPv4 for home use. We'd be out of addresses otherwise.
ISPs didn't use it in the early days, but it was used in corporate/organizational networks. The PIX was apparently marketed as a security appliance (heh) so that defined the user base to a large extent.
You can access the web over v4 with other kind of proxies besides NAT, for example application level HTTP proxies.
If you want working v4 for all the protocols, NAT is out by definition anyways.
Trivia: Strictly speaking a box that does NAT is not a kind of proxy. Proxies act as the destination end point of one connection, establish a separate connection to another endpoint and forward data between the two separate connections. A NAT device changes IP header information such as the address field and if also doing PAT the port field but doesn't act as the source or destination for connections.
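To make the distinction drawn in the last two comments concrete, here is an added example (not from the thread) of a minimal NAT/PAT translation table in Python: outbound packets get their source address and port rewritten and a mapping recorded, replies get the reverse translation, and the payload is never touched or terminated. The public IP, port range and packet fields are assumptions for illustration.

```python
from dataclasses import dataclass, replace
from typing import Optional

@dataclass(frozen=True)
class Packet:
    # Only the IP/transport header fields NAT cares about, plus an opaque payload.
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes

class Nat:
    """Stateful NAT with port translation (PAT). Assumed public IP for the example."""

    def __init__(self, public_ip: str = "203.0.113.10", first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out_map = {}   # (private_ip, private_port) -> public_port
        self.in_map = {}    # public_port -> (private_ip, private_port)

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite the source of a LAN->WAN packet; allocate a mapping if new."""
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.out_map:
            self.out_map[key] = self.next_port
            self.in_map[self.next_port] = key
            self.next_port += 1
        # Only header fields change; the payload passes through unmodified.
        return replace(pkt, src_ip=self.public_ip, src_port=self.out_map[key])

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Rewrite the destination of a WAN->LAN packet; drop if no mapping."""
        target = self.in_map.get(pkt.dst_port)
        if pkt.dst_ip != self.public_ip or target is None:
            return None  # unsolicited traffic: nothing to translate, so dropped
        return replace(pkt, dst_ip=target[0], dst_port=target[1])
```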
I am using the exact same router from the same ISP. I was wondering what the problem was when I wasn't able to forward port 22 to my computer for an SSH connection.
I had thought it had something to do with the ISP allocating the same static IP to multiple clients and blocking some common ports to prevent collisions (ended up using port 109.. something for SSH). Turns out it was more interesting!
Enjoyed this write-up, but most of the exploration seemed to be facilitated by someone having already leaked the CLI root password online. Anyone have suggestions on how you might otherwise obtain that information?
Hi, OP here, actually it's not true. Think of the scenario like this: you don't have the CLI root password, you just do a MitM attack and learn the root password when your ISP attempts to change it. This applies to my situation; also, I could learn the default password just by looking into the firmware.
IANAL, but Turkcell would lose the case in Turkey too. This is not due to net neutrality regulations (Turkey deliberately lacks it), but due to case law arisen from competition and customer rights regulations. However, telcos work around that too, by "leasing" modems, like telephone divisions did in the past. Does the trick of "leasing" work in the EU too?
In marketing they try hard to make it sound like what you are going to get by renting their device is WiFi, not just the ability to turn on the WiFi functionality of the CPE. Of course everybody wants that, but most people don't get that it's not something that has to be provided by the ISP. I am not sure if it's required, but I have often seen a lower end device (without WiFi accessible) given for the lifetime of the contract free of charge.
In Germany you have the right to use a compatible device you own yourself. However my ISP Vodafone does not accept lots of modems as compatible, and when this regulation started there were basically none you could actually buy. It's not much better now I guess, but I digress.
EDIT:
Reading your comment again, the trick you mentioned probably works because it's "yours" when you lease it instead of renting it?
Many people here pointed out a problem: Removing access for the ISP and/or device manufacturer means they cannot fix bugs remotely and automatically. This is bad in situations like when the Mirai malware hit.
How about this?: "You can use your own device and we provide all required information, but there will be no advanced support and you have to check for bugfixes yourself monthly."
... now that I wrote it, I see the answer: There is no way to enforce this, especially not reliably.
Slightly off-topic: I'd really like to run screenfetch on my router (Asus RT-N66U), but it doesn't have enough free space to sftp the script to it [1]. Piping the script just freezes up. Does anyone know a good workaround? Has anyone ever tried this?
My ISP (Internode) provide a ‘modem’ for my NBN hybrid coax / fibre connection. I just put my OPNSense router in front of it and it’s all secure. They provided me with all the config settings, which are a bit more obscure than usual (PPPoE but on a specific vlan tag). Works like a charm and I don’t have to worry about weird government wiretapping or backdoors. My ISP provide an IPv6 range too, which is pretty cool.
My ISP has a cloud access "feature". If I go to 192.168.1.1 it redirects me to their "router.MYISP.net" site. What's the best way to go about disabling this? Should I just dump the rented router for my own?
asus (and others) have the same feature.
In my case it's a simple redirect from the ip of 192.168.1.1 to router.myasus.com which has a dns record of 192.168.1.1. so all it does is do a redirect to a domain.
I'm overseas now, and using one of these crappy ISP-provided routers. I miss my nice Linksys router back home with high-density mesh, tri-band WiFi, and four gigabit ethernet ports.
A while back, I was playing around with the cable modem / router the ISP gave me because I was curious and an idiot. After screwing around a bit, I managed to find a vulnerability that exposed technician credentials in plaintext, and they actually worked. Had no idea where to report it though, because the manufacturer's contact page could be summed up as fuck you, we don't talk directly to consumers. I don't think the vulnerability was that bad, as you had to be logged in to the web interface already with another account, but still.
I don't really trust ISP provided hardware / software now though.
> you had to be logged in to the web interface already with another account
Obviously I don't know specifics, but if this applies to any router which has multiple tiers of login then it could be a pretty serious problem. I suspect that might be true for routers designed specifically to broadcast multiple networks (e.g. school or shared apartment-building routers)?
But how do you publish it without the liability of getting sued? A person like me who doesn't work in security still occasionally finds some vulnerability. Sometimes you get angry emails from the company even if you just try to warn them.
If you think they'd sue, you can always send the details to a tech journalist specialized in such matters (someone with a proven track record of protecting their sources). Use an anonymous email service to be sure.
If something goes wrong, they'll take the threat of legal action and probably win. Companies know that suing journalists often leads to more bad press than cooperating. They can even try to contact the company in question for you if the vulnerability is bad enough.
If the company doesn't respond or get their shit together, journalists will get a scoop and the company is forced to fix their shit. If the company does fix their shit, the journalist will still get a story out of it and you can rest easy that you've helped make the internet just a little bit safer for everyone.
Ah, thanks. If nmap was run exhaustively on all 64k ports, would that both (a) take forever, and (b) raise alarm bells on the target? Why isn't a full scan the norm?
Yes to both of those (but not thaaat long). But in this case I still would have run an exhaustive nmap because it's a device on my local network rather than a remote server.
Part 2: https://0x90.psaux.io/2020/03/19/Taking-Back-What-Is-Already...
And 3: https://0x90.psaux.io/2020/03/22/Taking-Back-What-Is-Already...
Summary from the end of Part 3:
"So we managed to change passwords for both ssh and telnet, gain access to Root user for the web interface, changed that password too. We changed ACS URL to ours and remove the IP restrictions. To put it simply, we cleaned up our router from our ISP. Good for our privacy."