[00:00:00] Instructor: Welcome back, time to check out the default credentials vulnerability on your router. Now, this tutorial is something that you cannot follow, because this is going to be different for every type of router that someone has. I can just show you the process of how I went and discovered the default credentials, and you can try to do the same thing in order to see whether you can gain access to your router.

[00:00:25] So the first thing that I did is I typed netstat -nr to check out the IP address of my gateway, which is most likely going to be the IP address of your router. Then I went to Google Home and visited that IP address. If you do the same for your router, it'll most likely lead you to some type of a login page where it'll ask you for the username and the password. Once you type the username and the password, you will have access to the router settings and you will be able to change a few things here and there, from setting up wireless to port forwarding and similar settings like that.

[00:01:01] Now, if you haven't changed the default password for your router, you'll most likely be able to find it on the internet. Which I did. I just searched the name of the router that I have right here, and I found the username to be telecom and the password to be telecom. Nobody changed this username and password, therefore they're exactly the same. And we even get this warning that says "A data breach on a site or app exposed your passwords. Chrome recommends changing your password for this IP address." Now we're going to click on OK, and pretty much we already gained access to the router settings. We can set up the firewall VLAN settings. We can check out different settings that we have right here. We have some security settings right here. We also get the port forwarding, which we can perform, and this is something that they tested on multiple home routers, and many of them appear to have default credentials where it allows you to log into the router and change these types of settings. But these are not the only default credentials that you can find.

[00:02:06] For example, if I go right here and I run an nmap scan with the -sT option on my router IP address, I will also discover that it has some ports open. For example, it has this telnet port open. We already know how we can connect to telnet. We can type the command telnet and then the IP address of the target we want to connect to. If I press enter, we will get another login screen. So if I type something like telekom once again, it will tell me that the password is incorrect. Hmm. So after three attempts, it simply just closes the connection to the router, and I figured, well, if the router default credentials weren't changed, then probably I can find the telnet credentials as well on the internet. And after a few minutes of Googling, I ran across this website where I scrolled a little bit down and I found this post that was posted by someone. It says my router name, which is this one, and we can compare it right here. It is the same name, and we get the username and password.

[00:03:20] We also get how we can enable the shell inside of that router. So let's give it a try. The username is admin and the password is this. Let's go and run telnet once again. Type the username to be admin and the password to be ZTONPK. And here it is. We are inside of the CLI. Now, the next thing that this person does is they type enable, then enter the password of zTe, and then enable the shell. Let's give it a try. If I type enable, type zTe, and then shell, hmm, another login. But luckily, this person also provided us with a username and password for that. This is something that we will most likely never be able to brute force in case we didn't know it, because this is a really strong username and strong password. However, it is a default one, and this is something that we can find on the internet.

[00:04:23] For your router, of course, this will not be the same, but you can go through the same process of searching for the default credentials. Just figure out the name of your router, type it in Google, and try to find some default credentials. For example, we notice that I have open ports for SSH and telnet. You might be able to target SSH and not telnet, or you might be able to target some different port. It could all depend on your router. However, now I'm targeting telnet, and let's go and type in the username and password that this person sent us. So I have it written on my left screen, and I will type FNNSD3zxhnh168nv31. For some reason it says bad username. Let's try once again. Maybe we typed something incorrectly. So let's go admin, password, let's do enable with the password zTe, and let's go into the shell.

[00:05:28] Here we want to type FNNSD3zxhnh168nv31, which is the login, and the password, SZXHNH168NV31. And here we are. We are inside of the shell. If I type ls, we're going to be able to see the files on our router. I can type the ifconfig command to be able to see all of the interfaces the router has. Here the first interface has the IP address of 192.168.1.1, and down here we are also going to be able to find the public IP address, which is right here. Okay, great. We have gained access to the router. We can also go and change directories to different directories if we want to.

[00:06:20] We can run different commands that you can usually run from your terminal, and that's how you can gain access to your router with default credentials. Now, give it a try on your own router. Try searching the name of the router. First try logging into this page right here, which will grant you access to some of the router settings. And even if you don't manage to do that, try scanning your router with nmap. Figure out whether it has some interesting ports open and then target those ports with default credentials that you might manage to find online, just like I did right here. Okay, now that we covered this, we're ready to continue with our exploitation section. See you in the next video.