New way to get MACs from UBRs... + Big security flaw

demonx (joined Jan 23, 2006)
Video: MEGAUPLOAD link (open the .html file in the rar to play)

Hello. Did you know that all the modems VM issues to customers seem to be pingable on the internal network? Oops. Lol. Not only can you ping-scan them, but some seem to have port 80 open on the internal side... oops again!

What does this mean? Well, basically you can browse other people's modem config webpages! (Ambit and WebSTAR.) These include nice information such as MACs/configs/external IP.

I already knew about this in the past; I didn't see the point in mentioning it, since I assumed the IPs could only be pinged because I was on the same UBR, and therefore grabbing MACs would be impossible. However, it seems that you can reach parts of the internal blueyonder network.. lol (not sure about ex-NTL).

Down to basics

If you're using infinite firmware, take a look at the CM IP address section...

As you can see, the start of the IP is 10.127.XXX.XX.
Anyway.. so let's say your CM IP is 10.127.133.7. Ping it and it will reply. Now, if you move up a few digits, say to 10.127.133.14, and ping that, it should respond too.

Now, what if you go to http://10.127.133.14 (example only)? Well, you might see the modem's web interface! This will contain the MAC address / external IP / config of the modem (WebSTARs only).

Now, the problem is you can't clone this MAC because it's (very likely) on the same node. However, all you have to do is move up a subnet; for example, if your IP is 10.127.133.7, you change to 10.127.141.7. But that's not going to help much, since you will need to do a bigger range of scans.

A nice tool to help with this is Nmap. Here is an example of a scan I did to show how effective this tool is at scanning for modems. Watch my video above for more information.

Find a WebSTAR modem's page and do a reverse DNS; if it's outside the node (the upcoming YAMS 1.0 will do this easily and write a log), then you can use that MAC address on your modem. Note: only WebSTARs give out this information, not Ambit 256s.

However, Ambit 256s still give out the MAC address, and using some common sense you can match it to the correct node.


Serious security flaw that could lead to a widescale DDoS attack on WebSTAR modems


Do you remember when VM attacked the Ambit modems and caused them to brick? Well, the same sort of attack could be performed from the customer side of the network, except not as destructive (but it would lead to widescale loss of service).

WebSTARs have hidden pages that could be used for evil purposes; in my video I show how easy it would be to cause loss of service to a modem.

Update: Ambit 256 also has a flaw where the modem will stop responding after 30 mins of elinks looping (discovered on another forum); the only way to recover would be power cycling.

I hope you learned something about piss-poor security in embedded devices. Have fun!
 
3 things I want to figure out:

What's with the odd ports showing up in scans? 513 is not a common port...
How far does the internal network span? So far I've managed to connect to Dundee from Edin.
Would it be possible to configure the modem to host webpages on the internal network? (Can't test atm since Haxorware bricked my modem.)

I'll keep this thread updated with any new information.
 
List of connectable modems from various places:

Dundee (10.230 & 10.232)
Liverpool (10.118)
Lancashire (I think? Found on 10.111)
jarr.blueyonder.co.uk (10.105)

Anyone know of a decent IP address locator so I can resolve some of these UBRs?
 
Port 513 is login, as stated by the SolarWinds port scanner.

Any help to you, I hope.
 
Something that gives actual locations would be better, tbh.
 
You can't seem to scan the internal network with noreg configs, so basically you need a valid MAC and config already to scan. I don't recommend using a subbed modem to do it, since it could be traced back. But tbh, I don't see the problem as long as you don't scan the entire range... lol
 