Re: changing your @home IP address... could you take a bunch of

From: Michael R. Rudel (mrrat_private)
Date: Tue Feb 05 2002 - 23:20:22 PST


    This was accidentally sent to Bugtraq. :)
    
    
    Russell Handorf said:
    
    > As for current hacks for cable modems, there are a few that I have
    > discovered specifically with comcast.net
    >
    > However this cannot be disclosed at this time. I will post it at a
    > later date.
    >
    > Russ
    >
    
    Well, just to describe to some people who may not know, let me try and
    describe the boot-up process of a cable modem, to the best of my
    knowledge. I could be wrong here, if I am, feel free to correct me.
    
    As the cable modem boots up, it links up via the coax link, blah blah. It
    then DHCPs itself a private, non-routeable 10.x.x.x address from a DHCP
    server. At this point it TFTPs a configuration file from a TFTP server
    (also with a 10.x.x.x address) inside the network. The TFTP server hands
    this file out based on MAC address (of the modem), and this file is what
    contains the upload/download caps.
    
    This 10.x.x.x private address is also what is used to set the SNMP
    parameters on the modem, such as caps, passwords, etc. I've been playing
    around with Charter's network, and found some interesting things that you
    can do with the 10.x.x.x addresses. For example, anything I send out is
    routed through one of these private addresses. I can ping, telnet, etc,
    to that 10.x.x.x address, as well as others.. this means that the modem
    (specifically my Motorola Surfboard) is routing those addresses via the
    ethernet port. The SNMP feature of the modems is also pretty cool - the
    cable company can do things like power cycle your modem, etc, all with
    SNMP. If you could somehow sniff some of these SNMP packets and figure out
    the private community name, again, you'd probably be home free...
    
    Now, follow me here. I have several servers in my house for development
    purposes. Among them, FreeBSD, Linux and NetWare machines. Currently, I
    have a NetWare 6 machine doing NAT for my home network. What I am about
    to say is NOT specific to NetWare, as I've done it with the other OSes:
    
    NOTHING is stopping me from grabbing as many IP addresses as I want. I
    can just assign them as secondaries/aliases/whatevers to the NIC that is
    connected to the modem. They do nothing to stop this. In fact, they seem
    to encourage it: their DHCP server will ping addresses to make sure they
    are inactive before handing them out. This means if you claim an unleased
    address, it's yours for good.
    
    Now.. here's an interesting question. What's to keep me from taking the
    IP address of .. say, the default gateway? Or the DHCP server (EITHER the
    10.x.x.x one or the public one that assigns IPs to workstations?)? Or the
    DNS server? Or even that 10.x.x.x TFTP server? This seems like a pretty
    big vulnerability.. one that could cause a DoS on a large scale. Or even
    on a smaller scale, what's to keep me from taking my neighbor's MAC
    address? Nothing is...
    
    If the cable company is smart, they'll have static ARP entries for all
    the important things like DNS servers, gateways, etc etc. But.. Charter,
    at least, doesn't. Or didn't as of a few months ago when I tested this
    theory. I've kept my mouth shut about this but since others have brought
    up the thread, I thought I'd put my .02 cents in.
    
    Another interesting tidbit: if you have a Motorola Surfboard, go to
    http://192.168.100.1 in your browser. ;)
    
    - mrr
    
    
    Michael R. Rudel * mrrat_private * 734.417.4859 * www.gotclue.org
    Technician, Pinckney Community Schools * mrrat_private
    Principal Engineer, Michael R. Rudel Consulting *
    mrrat_private
    

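As an added example (not part of the post above, and not Charter's or any provider's code), here is the defender-side check the last paragraphs imply: pin the gateway, DNS and TFTP server addresses to their known MACs and flag any ARP reply that claims one of those IPs from a different MAC. All IP addresses, MACs and log lines below are constructed.

```python
"""Flag ARP replies that contradict pinned entries for critical upstream hosts.

Constructed example: static (IP, MAC) pins for the gateway, DNS and the
10.x TFTP server, plus a stream of observed ARP replies.  A reply that
claims a pinned IP with a different MAC is reported as a conflict.
"""
from dataclasses import dataclass

# Hypothetical pins a provider would hold as static ARP entries (constructed values)
PINNED = {
    "24.0.0.1":  "00:00:0c:07:ac:01",  # default gateway
    "24.0.0.53": "00:50:56:aa:bb:cc",  # DNS server
    "10.1.1.20": "00:e0:b8:12:34:56",  # TFTP config server on the private side
}

@dataclass(frozen=True)
class ArpReply:
    sender_ip: str
    sender_mac: str
    observed_at: str   # timestamp string from the capture (constructed)

def parse_arp_log(lines):
    """Parse constructed 'ts ip mac' records into ArpReply objects; malformed lines are skipped."""
    replies = []
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue
        ts, ip, mac = parts
        replies.append(ArpReply(ip, mac.lower(), ts))   # normalise MAC case
    return replies

def find_conflicts(replies, pinned=PINNED):
    """Return (ip, pinned_mac, seen_mac, ts) for every reply that contradicts a pin."""
    conflicts = []
    for r in replies:
        expected = pinned.get(r.sender_ip)
        if expected is not None and expected.lower() != r.sender_mac:
            conflicts.append((r.sender_ip, expected, r.sender_mac, r.observed_at))
    return conflicts

SAMPLE_LOG = [                                  # constructed capture
    "12:00:01 24.0.0.1 00:00:0c:07:ac:01",      # gateway, matches its pin
    "12:00:02 24.0.0.17 00:10:a4:11:22:33",     # ordinary subscriber host, not pinned
    "12:00:03 24.0.0.53 00:10:a4:11:22:33",     # DNS IP answered by that subscriber MAC
    "12:00:04 10.1.1.20 00:E0:B8:12:34:56",     # TFTP server, differs only in case
    "garbage line",                             # malformed, ignored
]

if __name__ == "__main__":
    for c in find_conflicts(parse_arp_log(SAMPLE_LOG)):
        print("ARP conflict: %s pinned to %s but seen from %s at %s" % c)
```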


    This archive was generated by hypermail 2b30 : Wed Feb 06 2002 - 09:20:57 PST