How to HACK your ISP router - step by step.

Captions
A couple of months ago I made a video which for some reason went viral and has more than 900,000 views as of today, roughly 3 months later. In it I shared my journey of receiving my optic fiber gigabit internet, all the way to hacking the ISP-provided router so that I could get rid of it. Now, apart from many comments from all of you who shared similar frustrations with your ISPs, or should I say the gear that they provide, two types of comments stood out the most to me and prompted me to make this video. The first type: can you show us how exactly you did it? And the second: you're full of ..., prove it.

Before we start hacking, let's first talk about the word itself, because some of the more toxic comments pointed out that what I was doing was in fact not real hacking. Well, to clear any misunderstanding about it, let's first look at what the Oxford dictionary says hacking means: hacking is gaining unauthorized access to data in a system or a computer. Well, since the ISP went above and beyond to prevent me from moving the SFP module that their router comes with to another device, I think that by succeeding in doing so I gained unauthorized access to the system, wouldn't you say so? Now, what most people picture in their minds when the word hacking is used is what they see in the movies: usually a guy in some dark basement or a room, frantically smashing the keyboard until the system they're trying to hack breaks. Well, in reality hacking is much more precise, detective-like work. You find what you think is a weakness in a system, then try to exploit that weakness, most often by trial and error, which can take days or even weeks, not minutes. And even when you do succeed, there's usually another barrier behind that which you also have to overcome. It takes a lot of skill, knowledge and, most importantly, patience, which is why most modern hacking is done not on computers but on people. You see, it's much easier for me to send a meme or an infected joke video to my distant relative who works at a bank, at which point that relative will install a back door which will make it super easy for me to record their actions on their work PC. This is an example, by the way; I don't actually have a distant relative that works at a bank. I think.

Okay, before we start hacking, you can see my setup is a bit fuller than usual, because we do need a couple of devices to do this. First, obviously, the router that my ISP provided. It's a model that's quite old at this point; I got it in January of 2020, and from the looks of it, it was old even at that point. But no matter, as you can see here it's on my desk being used for educational purposes and not to do any actual routing. Next we have this media converter, which, well, converts media. In the context of networking, media means what kind of medium the information travels through, either copper or fiber, and this media converter, which I'll link to down in the description below, converts gigabit fiber to gigabit copper and vice versa. We'll get to why we need it a bit later. And finally we have this USB Type-C Ethernet adapter, and that's simply because this laptop right here doesn't have an RJ45 jack built in. I won't hold it against it though, because not many laptops have them these days, and this particular one is a beast even without it: it's the ASUS ROG Zephyrus 16 and it has an RTX 4090 in it. Yes, a 4090. We obviously won't need it for the purposes of this video, nor is this laptop mine. I don't actually own a Windows laptop, so I asked a friend of mine who works at a PC shop whether I could borrow one for a couple of weeks, and he said sure, take this one, and here we are. The company he works for is called Annie, which I'll leave in the description down below. They're not sponsoring this video, but they are friends of the channel and I do know them personally, so if you're in the central EU region and in need of any kind of PC component, drop them an email, tell them I sent you and be blown away by the great prices they'll give you. Thank me later.

Anyway, now that we have it all set up, let's explore the interface that this router ships with, called FRITZ!OS. You can see all your standard features here, from the internet settings, telephony (yes, it even has the analog phone ports), setting up home networks, wireless networks, diagnostics. But you know what you can't see? A packet capture utility. And not because it's not there; it's because the vendor deliberately removed any kind of links to that utility. But luckily for us, forums exist where people exchange that kind of information, and on one of those forums I discovered that you can get to the packet capture utility at the IP of the Fritz!Box, so 192.168.178.1/html/capture.html.

Before we do any investigation, let me briefly explain what a packet capture utility is. As the name suggests, it captures packets, or, if we're more technically correct, it captures frames. Without going too much into details, frames are units of data transportation in layer 2 and they operate with MAC addresses, whereas packets are units of data in layer 3 and they operate with IPs. This is also the main difference between a router and a switch: routers deal with packets and IPs, and switches deal with frames and MACs. And you'll see how they all fit together when we try and analyze the captured data.

But how do we do that? Well, in our case it's actually pretty straightforward. If we first check this router, you can notice there's a dongle in it, or, to use a more accurate term, an SFP module. But not just any SFP module, a smart one, so to speak, one that features a system on a chip. How can you tell? Because it has this extra box protruding out of it. Since it has an additional chip inside this relatively small device, a chip that holds a mini Linux distribution, well, it needs some extra space for that chip, and because the dimensions of the pluggable part of this module are standard, they had to extend the whole thing outwards. Here's how SFP modules with SoCs compare to those without. You know how we used to call devices that converted different types of data signals modems? So is this device a modem then? Yes, it is.

Okay, now that we know that these two are actually two different devices, let's remove the SFP module from the WAN port, go back to the packet capture utility, start recording traffic on said port and plug the module back in. Since the Linux on the SFP takes a couple of seconds to boot, let's give it about a minute before we stop capturing data, and once we do, what we're left with is a file often called a pcap file. At this point we're pretty much done with the router; we won't need it anymore. We'll just take the SFP module out and move it into the media converter, which will now allow us to talk to the module from the laptop directly. However, we can't do that just yet, because we don't know how. We first have to analyze the captured data by using a program called Wireshark.

Let's open the program and simply drag and drop our pcap file that we exported from the router to see what's going on. Now, despite the fact that it might look confusing at first, on a surface level it's actually pretty straightforward. You have a source column, so where the traffic is coming from, the destination column, or where the traffic is going to, the info column that holds or shows what kind of data we're looking at, and the actual payload itself. As you can notice, there's mostly data going from an interface with an IP of 192.168.47.2 to an interface that is 192.168.47.1 on port 8888. What kind of data, you might ask? Now that is the correct question, dear viewer. Let's focus on this conversation that goes from line 56 all the way to line 67 and see whether there's anything useful in that payload, or in the payload of each frame. There we go, you see this section here, the AVMG6272 etc.? It's the serial number of the router. How do I know that? Because it's written on the bottom sticker. And additionally you see this CIG Shanghai right here; well, if you take a minute and Google this exact term, the first result will point you towards the company that makes communications electronics, SFP modules being one of them. Told you hacking was very much a detective type of work. And this line right here is the smoking gun we've been looking for: the router, when we plug in the SFP module, sends the serial number to it so that it can identify itself correctly to the OLT, which is the switch on the ISP side of my internet connection. And this is also why it doesn't simply work if I move it to my switch, or to this media converter for that matter, without any additional work. The serial number is not baked in.

So how do we bake it in? Well, as it turns out, we cannot. Port 8888 does not accept an SSH connection or any other kind of access, so there's no way for us to log into the device and store the serial number into its flash memory. But that doesn't mean we can't still use this SFP module in our own gear; we just need to get a little creative. First, let's go back to Wireshark, right-click the line with our serial number, then Follow, then TCP Stream. I won't go too much into details of how that network data works, but for the purposes of this video, compare it to your everyday human-to-human chat: we first greet one another, then exchange information and nod to each other while doing so, so that we acknowledge we've received information, and then, when we're done, we usually say goodbye. Well, it's similar here. You can see this SYN frame, which stands for synchronization, or the first device saying hi to the other; then we see a bunch of PSH, which is pushing data from one device to the other, and ACKs, which are the nods of acknowledgement, so to speak. I know this is a sloppy description, but that's enough for the purpose of this video. I'll leave a couple of links down below for you to investigate further.

Okay, now that you know that this is a conversation between the two devices with the goal of uploading the serial number from the router to the SFP module, we can do something that's known as a replay attack. We'll accomplish this by extracting the raw payload of this conversation, then pretending our Windows laptop is the router, and that's actually pretty easy: we just need to give it the IP of the router's interface responsible for uploading the serial number, which in our case is 192.168.47.2. Okay, now let's connect the laptop to the media converter and try pinging the SFP module. It works, they can talk to one another. So let's go back to Wireshark one final time, export the raw data and save it to the desktop as serial.dat. The name doesn't really matter; I could name it hello.txt and it would still work just fine. Now we go back to PowerShell and run the attack by entering cat, then the path of the file we just created, so C:\Users\Tomaz\Desktop\serial.dat, then we enter the pipe character followed by another command, which is ncat -v, the IP of the SFP module, so 192.168.47.1, and finally the port, 8888. Let's go over this command before we run it real quick, shall we? The cat command reads the contents of our serial.dat and then sends the result, by using the pipe character, to another command, which in our case is netcat. This utility reads the very same raw data and sends it over the network to the IP and port of our SFP module. Okay, the moment of truth. Did it work? Yes. How can I tell, given that the actual command just returns a bunch of unreadable gibberish? Well, honestly, as I said, hacking means a lot of trial and error, and this is the only way that I have tried that actually brought my network online, which means that regardless of what it gave back, the SFP module correctly received and used the serial number to register with the ISP equipment. And for 2 years, until I found a suitable replacement, which I have linked to in the previous video, I ran this very same SFP module in the switch in my basement. All I did was copy this raw payload to my own Supermicro-based router, create a simple startup script with just the same line we just ran manually, and whenever there was an issue all I had to do was restart the router, which would in turn rerun the replay attack and bring the internet back. Did I need to do any of this? Of course not. As many of you have pointed out, I could just put the ISP router in bridge mode and be done with it. But where's the fun in that? Tomaž from Slovenia, signing out.
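The weakness the video relies on is that the SFP module accepts the serial number from whatever is on the copper side of the link, with nothing tying the message to the current connection, which is why replaying the captured bytes is enough. As an added illustration (not the video's code and not the actual AVM/CIG protocol, whose real message layout is not known here), this Python toy contrasts that static hand-off with a nonce-bound one; the "SERIAL=...;MAC=..." format, the 16-byte nonce and the shared key are assumptions.

```python
import hashlib
import hmac
import secrets

# Toy model of the router -> SFP serial hand-off on TCP 8888 seen in the video.
# Real message layout unknown; "SERIAL=<value>;MAC=<hex>" and the key are assumed.
PREFIX = b"SERIAL="

def static_accept(payload: bytes):
    """Weak design: any SERIAL line is accepted whenever it arrives (replayable)."""
    return payload[len(PREFIX):].decode() if payload.startswith(PREFIX) else None

class NonceProvisioner:
    """Hardened design: fresh nonce per session; SERIAL line must carry HMAC(nonce||serial)."""
    def __init__(self, key: bytes):
        self.key, self.nonce = key, None

    def challenge(self) -> bytes:
        self.nonce = secrets.token_bytes(16)  # new random nonce per connection
        return self.nonce

    def accept(self, payload: bytes):
        serial_part, sep, mac_hex = payload.partition(b";MAC=")
        if not sep or self.nonce is None or not serial_part.startswith(PREFIX):
            return None
        serial = serial_part[len(PREFIX):]
        expected = hmac.new(self.key, self.nonce + serial, hashlib.sha256).hexdigest()
        self.nonce = None  # one-shot: a nonce is never reused
        if not hmac.compare_digest(expected.encode(), mac_hex):
            return None
        return serial.decode()

def sign(key: bytes, nonce: bytes, serial: bytes) -> bytes:
    """What a legitimate router would answer to a challenge."""
    mac = hmac.new(key, nonce + serial, hashlib.sha256).hexdigest()
    return PREFIX + serial + b";MAC=" + mac.encode()

def replay_demo():
    """Replay one captured hand-off against both designs; returns the four outcomes."""
    key, serial = b"assumed-shared-key", b"AVMG6272-EXAMPLE"  # constructed values
    captured = PREFIX + serial
    static_first = static_accept(captured)   # original hand-off
    static_replay = static_accept(captured)  # replayed later: still accepted
    sfp = NonceProvisioner(key)
    captured2 = sign(key, sfp.challenge(), serial)
    nonce_first = sfp.accept(captured2)      # original hand-off succeeds
    sfp.challenge()                          # next session issues a new nonce
    nonce_replay = sfp.accept(captured2)     # identical bytes replayed: rejected
    return static_first, static_replay, nonce_first, nonce_replay
```

The static design registers the replayed serial a second time; the nonce-bound design accepts the genuine hand-off once and rejects the same bytes on the next connection.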
Info
Channel: Tomaž Zaman
Views: 89,281
Keywords: router, hacking
Id: 7RZ6JtjHBfo
Length: 13min 50sec (830 seconds)
Published: Sat Apr 06 2024