Enabling telnet on a
WNR2000v4 Router
(OpenWRT install)
Background:
During late 2018 due to reasons, I temporarily moved back home into my parents' basement to look for better game development employment elsewhere while working at a few temp jobs. Previously I was living with my great roommates in an apartment, and fortunately my room was close enough to run a 20ft or so long Ethernet cable from the ISP's router to my room for Internet. Earlier in 2018, back at home, my father "upgraded" the shady Comcast router with a shadier, newer one, and gave me the old router, a Netgear WNR2000v4 router. At the apartment, I used this router as an overglorified network switch for the devices in my room, for giving Internet access to my laptop, a legacy PC, or any older video game consoles or devices that required wired Internet. I also prefer a wired Ethernet connection over WiFi when I can, since it can be more secure and have less overhead (faster and more reliable) than dealing with wireless Internet. Unfortunately, since this was a 2-router network setup, the network was somewhat complex (outer ISP router being on a 192.168.x.x subnet, with my inner router being on a 10.0.x.x subnet). This 2-router network prevented things such as connecting the PS2 versions of Star Wars Battlefront 1 & 2 to SWBFSpy (which requires getting an IP whitelisted by the server's admin for usage).
Unfortunately, when I moved back home into my room, I didn't have the privilege of having wired Ethernet available, due to the ISP's router being on the other end of the house from my room and my "roommates" not going to like having a 50+ ft. length of Ethernet cable running across the houses to the ISP's router. This obviously wasn't a problem to give Internet access for devices that can use WiFi, but definitely one for devices that only have a wired connection (such as those older video game consoles). Most modern day routers have a web-based GUI for configuring the router (by connecting to the default router gateway in a web browser and logging in as the admin); the WNR2000v4 was no exception. Unfortunately, the default gateway's GUI (called "Genie" by Netgear) for this particular router model does not have a wireless bridging feature, just basic router functionality (via Ethernet or WiFi) for an Internet connection and network switch functionality between wired devices. Getting a wireless bridge function working would allow me to connect devices via wired Ethernet to my room's router and then forward the network data wirelessly (via WiFi) to the main router on the other side of the house. This would allow wired Internet connections from my room to connect to the Internet, and would additionally make the network appear as a single-router network from my router's perspective (with a single subnet; not having to use 2 subnets like at the apartment). Rather than wasting precious money on a dedicated wireless bridge to solve my problem, I was resourceful and used my brain instead, looking into hacking my spare Netgear WNR2000v4 router to install OpenWRT.
Telnet enable attempt/Installing OpenWRT
For those whom are unaware, OpenWRT is a lightweight Linux distribution meant for embedded devices (especially routers). Installing OpenWRT as a replacement firmware on a router removes any restrictions with the stock firmware, and allows full control of the hardware, as well as beefed up security. Basically it can turn any router into a fully configurable business one (with telnet, VLan setting up, etc), just like the Cisco ones my classmates and I learned about in my networking class at college. Most importantly, OpenWRT has a few packages that can be installed to enable wireless bridging functionality on this router. This would solve my problem of connecting my wired devices to the ISP router on the other end of the house without using a double-router setup with 2 subnets and a very long Ethernet cable.
Unfortunately, the stock firmware on the WNR2000v4 has its telnet feature locked. To summarize the basic process of installing OpenWRT on router devices, you need to telnet into the router (using software such as PuTTY) and flash the device with the new firmware. This file is sent to the router via a TFTP server on a computer, and the flashing is done through a Linux console on the router by running some Linux commands. Most Netgear routers have the telnet locked for security reasons, and in order to unlock the telnet, a special packet usually must be sent either over UDP or TCP (depending on the particular router model). Usually a special program is used to send the magic packet and unlock the telnet. More details about unlocking the telnet on Netgear routers can be found on this OpenWRT article, and full details about installing OpenWRT on the WNR2000v4 router (including an UDP telnet enable python script) can be found on this other OpenWRT article under "How to Install OpenWRT on the Netgear WNR2000v4 through u-boot-env modification on Linux" section.
Also unfortunately, neither the UDPtelnetenable.py script worked within a Linux virtual machine, nor did any of the telnet enable programs for Windows in the other article were able to unlock the telnet on my router. Perhaps my particular router unit was a newer hardware revision that blocked telnet enabling altogehter, or some other weird networking issues were preventing the packet from being sent/received and properly unlocking the telnet. Fortunately, while doing a Google search about my problems, I came across a security vulnerability (CVE-2016-10174) for the similar WNR2000v5 router, which, when exploited, can allow an attacker to bruteforce the admin password, enable telnet, and then gain a Linux root console access. These privilege escalations through the exploit are a pretty serious security vulnerability, and you really should replace this router with a more secure one if you wish to use its stock firmware (or do the smart thing and replace the firmware with the much more secure OpenWRT like I'm doing). A person online also wrote up details about the security vulnerability and a PoC hack here. Most importantly, a formal exploit was published and included with the Metasploit framework for white hat hackers. This security vulnerability is confirmed to exist and to work on the v5 router, but only has static analysis to show possible existence on the v4 and v3 routers. Using this exploit to enable telnet and gain the Linux root console access, I could properly install OpenWRT fully without relying upon the broken telnet enable programs that weren't working for me. Since I know the admin password to my own router, I could bypass the password bruteforcing, and just use the exploit to enable telnet/gain Linux root console access, speeding up the exploit process.
Unfortunately, the stock firmware on the WNR2000v4 has its telnet feature locked. To summarize the basic process of installing OpenWRT on router devices, you need to telnet into the router (using software such as PuTTY) and flash the device with the new firmware. This file is sent to the router via a TFTP server on a computer, and the flashing is done through a Linux console on the router by running some Linux commands. Most Netgear routers have the telnet locked for security reasons, and in order to unlock the telnet, a special packet usually must be sent either over UDP or TCP (depending on the particular router model). Usually a special program is used to send the magic packet and unlock the telnet. More details about unlocking the telnet on Netgear routers can be found on this OpenWRT article, and full details about installing OpenWRT on the WNR2000v4 router (including an UDP telnet enable python script) can be found on this other OpenWRT article under "How to Install OpenWRT on the Netgear WNR2000v4 through u-boot-env modification on Linux" section.
Also unfortunately, neither the UDPtelnetenable.py script worked within a Linux virtual machine, nor did any of the telnet enable programs for Windows in the other article were able to unlock the telnet on my router. Perhaps my particular router unit was a newer hardware revision that blocked telnet enabling altogehter, or some other weird networking issues were preventing the packet from being sent/received and properly unlocking the telnet. Fortunately, while doing a Google search about my problems, I came across a security vulnerability (CVE-2016-10174) for the similar WNR2000v5 router, which, when exploited, can allow an attacker to bruteforce the admin password, enable telnet, and then gain a Linux root console access. These privilege escalations through the exploit are a pretty serious security vulnerability, and you really should replace this router with a more secure one if you wish to use its stock firmware (or do the smart thing and replace the firmware with the much more secure OpenWRT like I'm doing). A person online also wrote up details about the security vulnerability and a PoC hack here. Most importantly, a formal exploit was published and included with the Metasploit framework for white hat hackers. This security vulnerability is confirmed to exist and to work on the v5 router, but only has static analysis to show possible existence on the v4 and v3 routers. Using this exploit to enable telnet and gain the Linux root console access, I could properly install OpenWRT fully without relying upon the broken telnet enable programs that weren't working for me. Since I know the admin password to my own router, I could bypass the password bruteforcing, and just use the exploit to enable telnet/gain Linux root console access, speeding up the exploit process.
Enabling Telnet the hard way
via the security exploit
Since none of the UDP telnet enable programs were able to properly send the magic packet and enable telnet, I decided to enable telnet the hard way, by bruteforcing telnet enable and gain a root Linux console through the exploit. I did this through installing and using Pentestbox with Metasploit. Fortunately Metasploit has a penetration module to run the exploit on the WNR2000 series of routers; instructions and details on the module usage here. I also had to upgrade my router to firmware 10.0.0.58, which is required for installing OpenWRT (see the main OpenWRT install article for this router for the stock firmware link). If I remember correctly, basically I logged into my router's gateway interface (Genie) via the admin password (in order to get the timestamp from the router for the exploit), and then immediately ran the Metasploit module on the page that confirmed access was granted, and was able to get temporary telnet enable and a root Linux console access on the router after the exploit successfully ran. Then I ran all of the normal OpenWRT installation steps for the WNR2000v4 router (setup the TFTP server, send the OpenWRT firmware, run the Linux consoles commands to flash the firmware, etc).
After all of this was done, I got OpenWRT installed on my spare WNR2000v4 router, and proceeded to setup wireless bridging to solve my original networking problem. So now this router has wireless bridging functionality, and a much more secure firmware (OpenWRT) without nasty, inexcusable security vulnerabilities like CVE-2016-10147. This installation also proves that the vulnerability exists and that the exploit does indeed work for not only the WNR2000v5 router, but also for the v4 router. (Meaning you really should replace this router if you have one or install the much more secure OpenWRT firmware on this model.) Hopefully anybody who runs across the same issue I had with being unable to unlock telnet for an OpenWRT install on a WNR2000 v3-v5 router with the special magic packet programs will find this article useful, and use the security vulnerability method to bruteforce telnet enable/root Linux console access as a last resort.
-Tamkis
While I was trying to do the same thing with my WNR2000V4 I faced a problem. It says "could not open mtd device: u-boot-env.
ReplyDelete