On Tue, 1 May 2001, Justin Ellison wrote:

> The subject says it all. It requires some work, and if the ISP knows what
> they are doing, you probably can't do it.
>
> I know that this works on 3Com cable modems, as well as the GI SurfBoards -
> I think it's a DOCSIS standard.
>
> First, you need the IP address of your cablemodem. Social engineering,
> instruction manual, www pages on CM, sniffing for DHCP packets and then
> ping sweeping whole cable modem subnet ...
> whatever. Second, you need the snmp strings that the
> cable modems use (if the ISP knows what they are doing, they won't be public
> and private).

... but you still can get 'em if you manage to download some config files from ISP

> Let's say that your cable modem IP address is 10.20.0.19 and your SNMP
> strings are public/private. Issue the following command from a linux box:
>
> snmpset 10.20.0.19 private ifMIB.ifMIBObjects.ifXTable.ifXEntry.ifPromiscuousMode.2 i 1
>
> This sets the coax interface to go into promiscuous mode. You should see
> the lights start to blaze on the cable modem. Fire up your favorite
> sniffer, and off you go.
>
> Also of interest in the MIB are:
> transmission.127.1.1.3.1.3.1 = xxxxxx
> transmission.127.1.1.3.1.5.1 = xxxxxx
>
> These are the upstream and downstream bandwidth limiters. I tried to change
> them, but I got notWritable errors. Maybe someone who's more familiar with
> SNMP can work on those ;-)

Some MIB entries can be set read-only in CM configuration file. I think that's the reason.

> I didn't issue any security advisories, one because I've never done one, and
> two because I think this is more of a problem with ISP's, not modem vendors.
> If anyone disagrees, please let me know.

IMHO that's particular ISP's problem.

--
greets,
-= Marcin Dawcewicz =-
mailto: mivat_private
"When freedom is outlawed, only outlaws will be free"
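
From the operator's side, the two conditions discussed in this thread (default SNMP community strings, and ifPromiscuousMode set to true on a modem interface) can be audited from polling data. The following is an added example, not part of the original messages; the function names, the second modem address, the non-default community names and the sample snmpwalk output are constructed for illustration.

```python
import re

# ifPromiscuousMode is column 16 of IF-MIB ifXEntry. Its value is a TruthValue:
# true(1) means the interface is promiscuous, false(2) means normal operation.
# The pattern accepts both symbolic and numeric (-On) snmpwalk output.
PROMISC = re.compile(
    r"(?:IF-MIB::ifPromiscuousMode|\.?1\.3\.6\.1\.2\.1\.31\.1\.1\.1\.16)"
    r"\.(?P<ifindex>\d+)\s*=\s*INTEGER:\s*(?:[a-z]+\()?(?P<value>\d+)\)?"
)
DEFAULT_COMMUNITIES = {"public", "private"}


def promiscuous_interfaces(walk_output):
    """Return the sorted ifIndex values that snmpwalk text reports as promiscuous."""
    hits = set()
    for line in walk_output.splitlines():
        m = PROMISC.search(line)
        if m and m.group("value") == "1":
            hits.add(int(m.group("ifindex")))
    return sorted(hits)


def audit_fleet(polls, communities):
    """polls: {modem_ip: snmpwalk text}; communities: {modem_ip: (ro, rw)}."""
    findings = []
    for ip in sorted(polls):
        for ifindex in promiscuous_interfaces(polls[ip]):
            findings.append((ip, f"ifIndex {ifindex} is in promiscuous mode"))
        for name in communities.get(ip, ()):
            if name.lower() in DEFAULT_COMMUNITIES:
                findings.append((ip, f"default community string '{name}'"))
    return findings


# Constructed sample data: 10.20.0.19 mirrors the state described in the thread,
# 10.20.0.20 is a hypothetical correctly configured modem (numeric OID output).
SAMPLE_POLLS = {
    "10.20.0.19": "IF-MIB::ifPromiscuousMode.1 = INTEGER: false(2)\n"
                  "IF-MIB::ifPromiscuousMode.2 = INTEGER: true(1)\n",
    "10.20.0.20": ".1.3.6.1.2.1.31.1.1.1.16.1 = INTEGER: 2\n"
                  ".1.3.6.1.2.1.31.1.1.1.16.2 = INTEGER: 2\n",
}
SAMPLE_COMMUNITIES = {"10.20.0.19": ("public", "private"),
                      "10.20.0.20": ("example-ro", "example-rw")}

if __name__ == "__main__":
    for ip, issue in audit_fleet(SAMPLE_POLLS, SAMPLE_COMMUNITIES):
        print(f"{ip}: {issue}")
```
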
This archive was generated by hypermail 2b30 : Wed May 02 2001 - 07:13:56 PDT