Monday, November 14, 2011

Hacking the Dlink 502T router

How to Log in to router interface via telnet
You can log in over telnet. This is a common feature of routers these days, and it is the only way to get a shell on the box:
=> Default IP: 192.168.1.1
=> Default Username: admin (or root; both have UID 0)
=> Default Password: admin

WARNING! These examples are not about stealing other users' bandwidth or passwords. Most ADSL providers control many settings on their end. A hacker is a person who delights in having an intimate understanding of the internal workings of a system, computers and computer networks in particular. This article is not about stealing or cracking other users' network equipment.
I have changed the router's IP to 192.168.1.254, so here is my first session:
$ telnet 192.168.1.254
Sample output:
Trying 192.168.1.254...
Connected to 192.168.1.254.
Escape character is '^]'.

BusyBox on (none) login: root
Password:

BusyBox v0.61.pre (2005.05.30-08:31+0000) Built-in shell (ash)
Enter 'help' for a list of built-in commands.
Let us see the password file; enter:
# cat /etc/passwd
Output:
root:x:0:0:Root,,,:/:/bin/sh
admin:x:0:0:Admin,,,:/:/bin/sh
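An added example (not from the original post) that audits a saved copy of the router's /etc/passwd offline: it flags every UID-0 account (the session above shows that both root and admin have UID 0) and any entry whose password field is empty or holds a hash in the clear. The sample input is constructed from the two entries shown plus a hypothetical "support" account.

```python
"""Offline audit of a router /etc/passwd dump (added example, not part of the
original post). Flags every UID-0 account and any weak password field."""
from dataclasses import dataclass

# Constructed sample: the two entries shown in the telnet session above,
# plus a hypothetical third entry with an empty password field.
SAMPLE_PASSWD = """root:x:0:0:Root,,,:/:/bin/sh
admin:x:0:0:Admin,,,:/:/bin/sh
support::1000:1000:Support,,,:/:/bin/sh
"""

@dataclass
class PasswdEntry:
    name: str
    password: str   # "x" = hash lives in /etc/shadow, "" = no password at all
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str

def parse_passwd(text: str) -> list[PasswdEntry]:
    """Parse the 7-field colon-separated passwd format; skip blanks and comments."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, pw, uid, gid, gecos, home, shell = fields
        entries.append(PasswdEntry(name, pw, int(uid), int(gid), gecos, home, shell))
    return entries

def audit(entries: list[PasswdEntry]) -> list[str]:
    """Return human-readable findings; an empty list means nothing to flag."""
    findings = []
    superusers = [e.name for e in entries if e.uid == 0]
    if len(superusers) > 1:
        findings.append(f"multiple UID-0 accounts: {', '.join(superusers)}")
    for e in entries:
        if e.password == "":
            findings.append(f"{e.name}: empty password field (login without a password)")
        elif e.password != "x" and not e.password.startswith(("!", "*")):
            findings.append(f"{e.name}: password hash stored in world-readable /etc/passwd")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_passwd(SAMPLE_PASSWD)):
        print("FINDING:", finding)
```

Run it against `cat /etc/passwd` output captured from your own router; two UID-0 logins mean there are two accounts whose passwords must be changed, not one.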
Hack #3: Get more information about router hardware and Linux
Since this is a tiny device, most userland commands such as free, uname, etc. are removed. However, the /proc file system provides all the information.
Display CPU Information
# cat /proc/cpuinfo
Display RAM Information
# cat /proc/meminfo
OR
# free
Display Linux versions
# cat /proc/version
Output:
Linux version 2.4.17_mvl21-malta-mips_fp_le (jenny@fd6e) (gcc version 2.95.3 20010315 (release/MontaVista)) #70 Mon May 30 16:34:48 CST 2005
Display list of running Processes:
# ps
Display list of all kernel modules:
# lsmod
Hack #3: Get more information about network
Display list of all network interfaces:
# ifconfig
Get your Internet public IP info:
# ifconfig ppp0
Output:
ppp0 Link encap:Point-Point Protocol
inet addr:61.xxx.xxx.xxx P-t-P:61.xxx.xxx.xxx Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1492 Metric:1 ASYMMTU:1500
RX packets:69586 errors:0 dropped:0 overruns:0 frame:0
TX packets:62540 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:80566538 (76.8 Mb) TX bytes:5349581 (5.1 Mb)
Get default routing information, i.e., find out your ISP's router:
# route
Output:
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
61.xxx.xxx.xxx * 255.255.255.255 UH 0 0 0 ppp0
192.168.1.0 * 255.255.255.0 U 0 0 0 br0
239.0.0.0 * 255.0.0.0 U 1 0 0 br0
default dsl-xx-00x.xx.x 0.0.0.0 UG 0 0 0 ppp0
Display Ethernet statistics such as speed and other details:
# cat /proc/avalanche/eth0_rfc2665_stats
Display DSL modem stats:
# cat /proc/avalanche/avsar_modem_stats
Display Iptables firewall rules:
# iptables -L -n
Flush/stop firewall rules (don't flush unless you have a solid reason to do it):
# /etc/flush_firewall
Hack #4: Secure your router
(A) Open a web browser such as Firefox and log in to the web-based interface. Type the URL http://192.168.1.1/
(B) Enable Firewall
By default the firewall is disabled; turn it on to protect your router, as it runs Linux. Click on Home > WAN > scroll down and set Firewall to Enabled. Click on Apply.
(C) Change default admin password
Click on Tools > Administrator, type the new password, and click Apply.
(D) Save changes and reboot router
Click on Tools > System > Click on Save and Reboot button
Please note that most ISPs, including Airtel, BSNL and others, ship this router these days. By default the admin password is not changed by the user, and in addition some software bugs allow remote administration via telnet/HTTP. So turning on the firewall saves your day.
Hack #5: Miscellaneous information
Display developer information, i.e., the people behind this router's development:
# cat /proc/avalanche/developers
Quickly reboot the router:
# reboot
All the binaries are stored in the /bin, /usr/bin and /sbin directories.
