Author Topic: Successful Ancient Netgear ADSL Router hacking  (Read 2262 times)


Offline CJayTopic starter

  • Super Contributor
  • ***
  • Posts: 4136
  • Country: gb
Successful Ancient Netgear ADSL Router hacking
« on: October 18, 2019, 02:46:29 pm »
I have an ancient Netgear DG834V2 ADSL router which is in daily use providing internet access for testing soft VPN clients. So far so good, it works, but I've recently had to replace the capacitors in the PSU section of the router and I *really* want a backup solution in case it dies permanently.

Now, I've got some rather nice Draytek and other routers but, due to a series of re-organisations, buyouts etc., I have no idea of the ADSL service login credentials. I've tracked down the provider, who've also been bought out, rebranded, turned upside down etc., but they won't provide me with the service credentials (quite reasonably, as I'm not the bill payer).

I have no idea who is paying the bill, whether it's the company I work for, the company who contracts us or the parent company, and despite all my efforts to date, I cannot track them down.

None of the staff who worked here when the router was installed are still here, the two I managed to track down have no idea so...

I have physical access to the router, but I cannot log in to it via the web portal or the debug portal (no passwords).

I am happy to solder a header onto the serial console pins inside the router but I am less happy about having to desolder and read out the flash chip.

Is it possible to extract service credentials via the serial port?
« Last Edit: November 02, 2019, 10:56:51 am by CJay »
 

Online Black Phoenix

  • Super Contributor
  • ***
  • Posts: 1135
  • Country: hk
Re: Ancient Netgear ADSL Router hacking
« Reply #1 on: October 18, 2019, 02:57:25 pm »
Try this:

Quote
    In the address field of your browser type, www.routerlogin.net.
    A login window opens.
    Click Cancel .
    If the password recovery is enabled, you are prompted to enter the serial number of the router.
    The serial number is on the product label.
    Enter the serial number of the router.
    Click Continue .
    A screen displays requesting the answers to your security questions.
    Enter the saved answers to your security questions.
    Click Continue .
    A screen displays to reset the router password.
    Enter the new password and confirm.
    Enter your security questions or set new security questions.
    Click Next .
    You have successfully reset your password.
    Click Login to log back into the router with your new password.

https://kb.netgear.com/000059608/How-do-I-reset-the-admin-password-on-my-NETGEAR-router

Possibly there aren't any security questions or the answers are blank.

Other thing:
Quote
Default credentials are useful in instances when you do not know the password for a device, you need to set up a device again, or you need to reset a device to the factory default settings.

Exceptions: ReadyNAS and ReadyDATA storage systems, fully managed switches, and newer extender products that require you to create credentials during initial set up.

    Username for all models: admin
    Password for current models: password
    Password for very old models: 1234

https://kb.netgear.com/1148/What-are-the-default-web-interface-passwords-for-NETGEAR-devices

Regarding Hacking:

https://www.pitt-pladdy.com/blog/_20100424-103102_0100_OpenWrt_Take_2_-_native_IPv6_on_DG834_v3_using_AAISP_/
« Last Edit: October 18, 2019, 03:00:27 pm by Black Phoenix »
 

Offline CJayTopic starter

  • Super Contributor
  • ***
  • Posts: 4136
  • Country: gb
Re: Ancient Netgear ADSL Router hacking
« Reply #2 on: October 18, 2019, 06:11:27 pm »
Thanks, but that article doesn't cover the router I have; it's about 14 years old.
 

Offline madires

  • Super Contributor
  • ***
  • Posts: 8206
  • Country: de
  • A qualified hobbyist ;)
Re: Ancient Netgear ADSL Router hacking
« Reply #3 on: October 18, 2019, 06:30:10 pm »
Let's see if we can find some known security issue to gain access: https://gist.github.com/adamcaudill/4246813
 

Offline Hogwild

  • Regular Contributor
  • *
  • Posts: 189
  • Country: ca
Re: Ancient Netgear ADSL Router hacking
« Reply #4 on: October 26, 2019, 06:28:32 pm »
If there are versions of this router that were customized for another ISP, you could always try flashing the firmware from that ISP. That should reset everything, IIRC. That's what I did with my 2-Wire and it worked great.
 

Offline Per Hansson

  • Supporter
  • ****
  • Posts: 443
  • Country: se
Re: Ancient Netgear ADSL Router hacking
« Reply #5 on: October 26, 2019, 10:00:56 pm »
If memory serves me right there is no authentication via the serial port.
And you should be able to create a new user or set the password to null for the admin account for example...

https://forum.archive.openwrt.org/viewtopic.php?id=2221
 

Offline magic

  • Super Contributor
  • ***
  • Posts: 7317
  • Country: pl
Re: Ancient Netgear ADSL Router hacking
« Reply #6 on: October 27, 2019, 07:03:16 am »
It's possible to grab the serial port holes in the PCB with hook probes, no need to solder.

But absolutely make sure that ground connection is solid and will not be lost if the router uses a floating PSU, which it probably does.
Otherwise,  :-BROKE
 

Offline LateLesley

  • Frequent Contributor
  • **
  • Posts: 322
  • Country: scotland
Re: Ancient Netgear ADSL Router hacking
« Reply #7 on: October 27, 2019, 03:49:09 pm »
I had a problem with an ISP who wouldn't give me the ADSL login credentials so I could use my own router. The way I got around this was to turn off everything on the network, fire up Wireshark on my machine, then power on the router and sniff the login packets as they happened. I found it in a guide somewhere on the internet. It may be the best way for you to get the credentials.

I tried to find the article, but didn't find it. I did find this interesting thread though, which may be helpful to you. It may be worth a try.

http://www.skyuser.co.uk/forum/extracting-sky-router-passwords/59028-simple-tool-extracting-username-password-your-router.html

Edit: I think this was the article I followed for the Wireshark instructions. http://taupila.co.uk/posts/replace-sky-router/
« Last Edit: October 27, 2019, 03:53:34 pm by LateLesley »
 

Offline magic

  • Super Contributor
  • ***
  • Posts: 7317
  • Country: pl
Re: Ancient Netgear ADSL Router hacking
« Reply #8 on: October 27, 2019, 05:03:28 pm »
Wait, so a router with built-in ADSL interface broadcasts its ADSL login credentials in DHCP discover packets on LAN ports for anyone to intercept?

What a fail :palm:

You got lucky, it really shouldn't be possible. Worth trying, though, costs nothing.
 

Offline madires

  • Super Contributor
  • ***
  • Posts: 8206
  • Country: de
  • A qualified hobbyist ;)
Re: Ancient Netgear ADSL Router hacking
« Reply #9 on: October 27, 2019, 06:22:11 pm »
Might be done on purpose to support an alternative Ethernet based uplink. ISPs/telcos push for plug'n'play boxes because any support call will decrease profit.
 

Offline LateLesley

  • Frequent Contributor
  • **
  • Posts: 322
  • Country: scotland
Re: Ancient Netgear ADSL Router hacking
« Reply #10 on: October 27, 2019, 08:35:21 pm »
Quote
    Wait, so a router with built-in ADSL interface broadcasts its ADSL login credentials in DHCP discover packets on LAN ports for anyone to intercept?

    What a fail :palm:

    You got lucky, it really shouldn't be possible. Worth trying, though, costs nothing.

Yep! But then, when did we expect ISPs (well, at least here in the UK) to care about securing their users, especially when they have to conform to Govt regs which want backdoors into stuff. Now you know why I wanted my own router on; it at least made it a little harder for them. Not impossible, but not a walk in the park either, which is what their provided one was like. They are the cheapest, nastiest, full-of-security-holes routers you can get, with barely enough horsepower to handle one connection. My own router is an Asus DSL-AC68U, which I'm sure isn't without its own problems, with outdated packages installed. But I'm 99% sure it's better than the ISP-provided one. I ended up moving from Sky, and I'm with another provider now. But in the UK it's difficult to find a secure ISP that is budget friendly. They're all expensive.
 

Offline CJayTopic starter

  • Super Contributor
  • ***
  • Posts: 4136
  • Country: gb
Re: Ancient Netgear ADSL Router hacking
« Reply #11 on: October 27, 2019, 08:38:26 pm »
Quote
    If there are versions of this router that were customized for another ISP, you could always try flashing the firmware from that ISP. That should reset everything, IIRC. That's what I did with my 2-Wire and it worked great.

That's kind of exactly the opposite of what I need to do; I need to recover the credentials rather than wipe them.

I've had a few 2Wire routers, they were nice pieces of kit, worked well as I remember.

As for sniffing packets, I don't think they're broadcast over the LAN. This unit has a built-in ADSL modem so it would make no sense to do that, but who knows, this is an *old* device.

So far the serial port looks the best option, but I'm away from work for a bit so it'll have to wait.
 

Offline CJayTopic starter

  • Super Contributor
  • ***
  • Posts: 4136
  • Country: gb
Re: Ancient Netgear ADSL Router hacking (Success)
« Reply #12 on: November 02, 2019, 10:56:25 am »
FWIW, the serial console got me to BusyBox, which gave me access to the htpasswd file in /etc; that contains the plaintext password for the admin GUI.

Once in the admin GUI I was able to back up the router config to a file which is, again, plaintext, so I now have the necessary details to configure a more reliable, modern router, which should also be faster as I believe all the lines were upgraded to ADSL2+.

Thanks for the suggestions.
 
The following users thanked this post: LateLesley
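As an added example (not code from the thread, from Netgear or from the router firmware), a small Python check that classifies htpasswd entries by the format of their password field and flags the ones stored in plaintext, the condition CJay found in /etc/htpasswd. The sample file content is constructed; the format patterns are the common Apache htpasswd schemes.

```python
"""Audit htpasswd-style content for unhashed (plaintext) passwords.

Added example for the thread above, not the router's own code: the old
router kept the admin GUI password as plaintext in /etc/htpasswd. This
check classifies each entry by its password-field format so an auditor
can flag entries that are not hashed at all.
"""
import re

# Common Apache htpasswd schemes. Anything that matches none of these is
# treated as plaintext. Caveat: traditional DES crypt is 13 characters of
# [./A-Za-z0-9], so a plaintext password of exactly that shape is
# indistinguishable from a crypt hash by format alone.
HASH_PATTERNS = [
    ("bcrypt", re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$")),
    ("apr1-md5", re.compile(r"^\$apr1\$[^$]{1,8}\$[./A-Za-z0-9]{22}$")),
    ("sha1", re.compile(r"^\{SHA\}[A-Za-z0-9+/]{27}=$")),
    ("crypt", re.compile(r"^[./A-Za-z0-9]{13}$")),
]


def classify(password_field: str) -> str:
    """Return the detected hash scheme name, or 'plaintext' if none match."""
    for name, pattern in HASH_PATTERNS:
        if pattern.match(password_field):
            return name
    return "plaintext"


def audit_htpasswd(text: str) -> dict:
    """Map each username to its detected scheme; skip comments and bad lines."""
    result = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, password_field = line.partition(":")
        if not sep:
            continue  # no separator: not a valid htpasswd entry
        result[user] = classify(password_field)
    return result


def plaintext_users(text: str) -> list:
    """Usernames whose password field is stored unhashed."""
    return sorted(u for u, s in audit_htpasswd(text).items() if s == "plaintext")


# Constructed sample: one entry per hashed scheme plus one plaintext entry.
SAMPLE = """\
# constructed router htpasswd sample
admin:password
ops:$apr1$saltsalt$abcdefghijklmnopqrstuv
www:{SHA}abcdefghijklmnopqrstuvwxyzA=
old:ab1234567890C
new:$2y$10$abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0
"""
```

Running `plaintext_users(SAMPLE)` on the constructed sample reports only `admin`, the entry stored the way the router stored its GUI password.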

Offline optotester

  • Regular Contributor
  • *
  • Posts: 55
  • Country: be
Re: Successful Ancient Netgear ADSL Router hacking
« Reply #13 on: May 13, 2021, 05:15:20 am »
The easiest option was to connect with serial and type "nvram show" in BusyBox. On the default firmware all config data are stored in the nvram partition (except wireless calibration data). The backup you exported is most likely a copy of this partition.
 
