How I turned my cable modem into a sniffer - WAS: Hijack IP Address using cable modem

From: Justin Ellison (justinat_private)
Date: Tue May 01 2001 - 06:38:50 PDT


    The subject says it all.  It requires some work, and if the ISP knows what
    they are doing, you probably can't do it.
    
    I know that this works on 3Com cable modems, as well as the GI SurfBoards -
    I think it's a DOCSIS standard.
    
    First, you need the IP address of your cable modem.  Social engineering,
    instruction manual, whatever.  Second, you need the SNMP strings that the
    cable modems use (if the ISP knows what they are doing, they won't be public
    and private).
    
    Let's say that your cable modem IP address is 10.20.0.19 and your SNMP
    strings are public/private.  Issue the following command from a Linux box:
    
    snmpset 10.20.0.19 private ifMIB.ifMIBObjects.ifXTable.ifXEntry.ifPromiscuousMode.2 i 1
    
    This sets the coax interface to go into promiscuous mode.  You should see
    the lights start to blaze on the cable modem.  Fire up your favorite
    sniffer, and off you go.
    
    Also of interest in the MIB are:
    transmission.127.1.1.3.1.3.1 = xxxxxx
    transmission.127.1.1.3.1.5.1 = xxxxxx
    
    These are the upstream and downstream bandwidth limiters.  I tried to change
    them, but I got notWritable errors.  Maybe someone who's more familiar with
    SNMP can work on those ;-)
    
    I didn't issue any security advisories, one because I've never done one, and
    two because I think this is more of a problem with ISPs, not modem vendors.
    If anyone disagrees, please let me know.
    
    Justin
    
    ----- Original Message -----
    From: "Rajkumar S." <listuserat_private>
    To: <VULN-DEVat_private>
    Sent: Monday, April 30, 2001 11:50 AM
    Subject: Re: Hijack IP Address using cable modem
    
    
    > On Sat, 28 Apr 2001, Rev. Chris Cappuccio wrote:
    >
    > > Install ucd-snmp and try snmpwalk 192.168.100.1 public ! You can get
    > > most, if not all, of the information that the Surfboard's web server
    > > will give you, plus a lot more.
    >
    > Attached is the snmpwalk 10.1.15.42 public of the modem. 10.1.15.42 is the
    > IP of the cable interface. I have masked the first 2 octets of my IP. I
    > am not as experienced as many of you, so kindly provide your analysis.
    >
    > raj
    >
    >
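A defender's view of the request described in the post, as an added example that is not part of the original message: a minimal BER decoder that flags an SNMPv1/v2c SetRequest enabling ifPromiscuousMode (IF-MIB OID 1.3.6.1.2.1.31.1.1.1.16) and any use of the public/private community strings. The two sample datagrams are hand-constructed, and the function and finding names are hypothetical.

```python
SET_PROMISC = bytes.fromhex(  # constructed sample: SetRequest, community "private"
    "302b020100040770726976617465a31d020101020100020100"
    "30123010060b2b060102011f0101011002020101")
GET_PROMISC = bytes.fromhex(  # constructed sample: GetRequest, community "public"
    "302902010004067075626c6963a01c020101020100020100"
    "3011300f060b2b060102011f01010110020500")
IF_PROMISCUOUS_MODE = (1, 3, 6, 1, 2, 1, 31, 1, 1, 1, 16)  # ifXEntry column 16
DEFAULT_COMMUNITIES = {b"public", b"private"}
SET_REQUEST = 0xA3  # BER context tag of an SNMP SetRequest-PDU

def tlv(buf, pos):
    """Read one BER TLV at pos; return (tag, value_bytes, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):  # BER OID bytes -> tuple of arcs
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear marks the last byte of an arc
            arcs.append(val)
            val = 0
    return tuple(arcs)

def inspect(packet):
    """Return a list of findings for one SNMPv1/v2c datagram."""
    msg = tlv(packet, 0)[1]
    _, _, p = tlv(msg, 0)                      # version
    _, community, p = tlv(msg, p)
    pdu_tag, pdu, _ = tlv(msg, p)
    findings = ["default-community"] if community in DEFAULT_COMMUNITIES else []
    if pdu_tag != SET_REQUEST:
        return findings
    p = 0
    for _ in range(4):  # request-id, error-status, error-index, varbind list
        _, binds, p = tlv(pdu, p)
    p = 0
    while p < len(binds):
        _, bind, p = tlv(binds, p)
        _, oid_raw, q = tlv(bind, 0)
        oid, value = decode_oid(oid_raw), tlv(bind, q)[1]
        if oid[:-1] == IF_PROMISCUOUS_MODE and value == b"\x01":  # TruthValue true(1)
            findings.append("promiscuous-enable ifIndex=%d" % oid[-1])
    return findings
```

Fed the UDP/161 payloads seen on the modem management network, `inspect` gives a per-datagram list that can drive an alert or an ACL review.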
    



    This archive was generated by hypermail 2b30 : Tue May 01 2001 - 21:59:59 PDT