Never Ending Security

It starts all here

Category Archives: Router

Router Hack – How to hack ADSL router using NMAP

An Asymmetric digital subscriber line (DSL or ADSL) modem is a device used to connect a computer or router to a telephone line which provides the digital subscriber line service for connectivity to the Internet, often called DSL or ADSL broadband. In this guide I will show you how to scan an IP range for connected ADSL or DSL modem routers and find routers whose management interface is reachable remotely. This guide applies to Windows, Linux or Mac, so it doesn’t matter what your operating system is; you can try the same steps from any of them. The term DSL or ADSL modem is technically used to describe a modem which connects to a single computer, through a USB port or installed in a computer’s PCI slot. The more common DSL or ADSL router, which combines the functions of a DSL or ADSL modem and a home router, is a standalone device which can be connected to multiple computers through multiple Ethernet ports or an integral wireless access point. Also called a residential gateway, a DSL or ADSL router usually manages the connection and sharing of the DSL or ADSL service in a home or small office network.

Put this together with Wireshark sniffing of plain HTTP websites and you have a nightmare for the users behind that router, as all their passwords and details can be captured very easily.

What’s in a DSL ADSL Router?

A DSL or ADSL router consists of a box which has an RJ11 jack to connect to a standard subscriber telephone line. It has several RJ45 jacks for Ethernet cables to connect it to computers or printers, creating a local network. It usually also has a USB jack which can be used to connect to computers via a USB cable, to allow connection to computers without an Ethernet port. A wireless DSL or ADSL router also has antennas to allow it to act as a wireless access point, so computers can connect to it forming a wireless network. Power is usually supplied by a cord from a wall wart transformer. It usually has a series of LED status lights which show the status of parts of the DSL or ADSL communications link:

  1. Power light – indicates that the modem is turned on and has power.
  2. Ethernet lights – there is usually a light over each Ethernet jack. A steady (or sometimes flashing) light indicates that the Ethernet link to that computer or device is functioning.
  3. DSL or ADSL light – a steady light indicates that the modem has established contact with the equipment in the local telephone exchange (the DSLAM), so the DSL or ADSL link over the telephone line is functioning.
  4. Internet light – a steady light indicates that the IP address and DHCP protocol are initialized and working, so the system is connected to the Internet.
  5. Wireless light – only in wireless DSL or ADSL modems; this indicates that the wireless network is initialized and working.

Almost every ADSL/DSL modem router provides a management web page, available via the internal network (LAN, or local area network), for device management, configuration and status reporting. You are supposed to log in to the management web page and configure the username/password combination provided by your ISP (Internet service provider), which then allows you to connect to the Internet. The network is divided into two parts:

External Network

The external network is the part where the ADSL/DSL modem router connects to the upstream provider for Internet connectivity. Once connected to the ISP via a phone line (ADSL/DSL modem routers can use conventional copper phone lines to connect to the ISP at a much higher speed), the router gets an IP address. This is usually a publicly routable IP address which is reachable from the whole world.

Internal Network

The internal network is the part where devices in the local area network connect to the ADSL/DSL modem router via either wireless or Ethernet cable. Most DSL/ADSL modem routers run a DHCP server internally which assigns an internal IP address to each connected device. When I say device, this can be anything from a conventional computer, a laptop, a phone (Android, Apple, Nokia or Blackberry etc.), a smart TV, a car, NAS, SAN, an orange, a banana, a cow, a dragon, Harry Potter … I mean anything that’s able to connect to the Internet! So you get the idea. Each device gets its own IP address, a gateway IP and DNS entries. Depending on the DSL/ADSL modem router this can be slightly different, but the idea remains the same: the DSL/ADSL router allows users to share Internet connectivity. These DSL/ADSL modem routers are like miniature gateway devices that can have many services running on them. Usually they all run BusyBox or similar embedded Linux applications. You want to know what a DSL/ADSL router can do? Here’s a list of common services that can run on a DSL/ADSL modem router:

  1. ADSL2 and/or ADSL2+ support
  2. Antenna/ae (wireless)
  3. Bridge/Half-bridge mode
  4. Cookie blocking
  5. DHCP server
  6. DDNS support
  7. DoS protection
  8. Switching
  9. Intrusion detection
  10. LAN port rate limiting
  11. Inbuilt firewall
  12. Inbuilt or Free micro-filter
  13. Java/ActiveX applet blocking
  14. Javascript blocking
  15. MAC address filtering
  16. Multiple public IP address binding
  17. NAT
  18. Packet filter
  19. Port forwarding/port range forwarding
  20. POP mail checking
  21. QoS (especially useful for VoIP applications)
  22. RIP-1/RIP-2
  23. SNTP facility
  24. SPI firewall
  25. Static routing
  26. So-called “DMZ” facility
  27. RFC1483 (bridged/routed)
  28. IPoA
  29. PPPoE
  30. PPPoA
  31. Embedded PPPoX login clients
  32. Parental controls
  33. Print server inbuilt
  34. Scheduling by time/day of week
  35. USB print server
  36. URL blocking facility
  37. UPnP facility
  38. VPN pass-through
  39. Embedded VPN servers
  40. WEP 64/128/256 bit (wireless security)
  41. WPA (wireless security)
  42. WPA-PSK (wireless security)

That’s a lot of services running on a small device, configured by nanny, granny, uncle, aunt and the next-door neighbour; in short, by many non-technical people around the world. How many of those are configured badly? Left ports open left, right and centre? Didn’t change the default admin password? Many! I mean MANY! In this guide we will use nmap to scan a range of IP addresses, and from the output we will determine which hosts are DSL/ADSL routers that have left their management ports open to the external network (again, read the top section to know which one is the external network). A typical ADSL router’s management interface is available via the following URL:

This is the management page for the DSL/ADSL modem router, and it’s always protected by a password. By default, this password is printed on a sticker on the underside of the router, and it is usually one of these username/password combinations:


A lot of home users don’t change this password. Well, that’s OK; it doesn’t hurt much, because the page is only available from a connected device. What’s not OK is when users open up their management interface to the external network. Then all you need to know is the public IP address of your target, and you can try to access this management page externally.

Installing NMAP

I use Kali Linux, which comes with NMAP preinstalled. If you are using Windows or Mac (or any other flavour of Linux), go to the following website to download and install NMAP.

Linux Installation:

For Ubuntu, Debian or other apt-based systems, NMAP is usually available in the default repository. Install NMAP using the following command:

sudo apt-get install nmap

For YUM-based systems such as Red Hat or CentOS, install it via:

sudo yum install nmap

For pacman-based systems such as Arch Linux, install it via:

sudo pacman -S nmap

Windows Installation:

For Windows computers, download the installer and run the executable. Link:

Mac Installation:

For Mac users, download the installer and install it. Link:

Official NMAP site

You can read more about NMAP here:

Search for Vulnerable Routers

Now that we have NMAP sorted, we are going to run the following command to scan for ADSL modem routers based on their banner on port 80. All you need is to pick an IP range. I’ve used an example below with a range.

Search from Linux using the command line

In Linux run the following command:

nmap -sS -sV -vv -n -Pn -T5 -p80 -oG - | grep 'open' | grep -v 'tcpwrapped'

In Windows or Mac, open NMAP and copy-paste this line:

nmap -sS -sV -vv -n -Pn -T5 -p80 -oG -

Once it finds the results, search for the word ‘open’ to narrow them down. A typical Linux NMAP command would return output like the lines below (and of course I’ve changed the IP details):

Host: ()  Ports: 80/open/tcp//tcpwrapped///
Host: ()  Ports: 80/open/tcp//http//micro_httpd/
Host: ()  Ports: 80/open/tcp//tcpwrapped///
Host: () Ports: 80/open/tcp//tcpwrapped///
Host: () Ports: 80/open/tcp//http//Fortinet VPN|firewall http config/
Host: () Ports: 80/open/tcp//tcpwrapped///
Host: () Ports: 80/open/tcp//http?///
Host: () Ports: 80/open/tcp//tcpwrapped///
Host: () Ports: 80/open/tcp//http?///
Host: () Ports: 80/open/tcp//http?///
Host: () Ports: 80/open/tcp//http//Gadspot|Avtech AV787 webcam http config/
Host: () Ports: 80/open/tcp//http?///
Host: () Ports: 80/open/tcp//ssl|http//thttpd/
Host: () Ports: 80/open/tcp//http?///
Host: () Ports: 80/open/tcp//tcpwrapped///
Host: () Ports: 80/open/tcp//http//Gadspot|Avtech AV787 webcam http config/
Host: () Ports: 80/open/tcp//http//Allegro RomPager 4.07 UPnP|1.0 (ZyXEL ZyWALL 2)/
Host: () Ports: 80/open/tcp//http//Apache httpd/
Host: () Ports: 80/open/tcp//http//micro_httpd/
Host: ()        Ports: 80/open/tcp//http?///
Host: ()        Ports: 80/open/tcp//http?///
Host: ()        Ports: 80/open/tcp//tcpwrapped///
Host: ()        Ports: 80/open/tcp//tcpwrapped///
Host: ()        Ports: 80/open/tcp//http//Allegro RomPager 4.07 UPnP|1.0 (ZyXEL ZyWALL 2)/
Host: ()        Ports: 80/open/tcp//tcpwrapped///
Host: ()        Ports: 80/open/tcp//http//micro_httpd/
Host: ()        Ports: 80/open/tcp//http//Microsoft IIS httpd 6.0/
Host: ()        Ports: 80/open/tcp//tcpwrapped///
Host: ()        Ports: 80/open/tcp//http//Allegro RomPager 4.07 UPnP|1.0 (ZyXEL ZyWALL 2)/
Host: ()        Ports: 80/open/tcp//http?///
Host: ()        Ports: 80/open/tcp//tcpwrapped///
Host: ()        Ports: 80/open/tcp//tcpwrapped///
Host: ()        Ports: 80/open/tcp//http//Apache httpd 2.2.15 ((CentOS))/
Host: ()        Ports: 80/open/tcp//tcpwrapped///
Host: ()        Ports: 80/open/tcp//http//Allegro RomPager 4.51 UPnP|1.0 (ZyXEL ZyWALL 2)/

This was taking a long time (we are, after all, trying to scan 256 hosts with the command above). Being impatient, I wanted to check whether my Kali Linux box was actually doing anything. I used the following command in a separate terminal to monitor what my PC was doing… it was doing a lot…

tcpdump -ni eth0

That’s a lot of connected hosts with TCP port 80 open. Some are marked ‘tcpwrapped’, which means they are possibly not accessible.
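The grepable output above, where `-oG -` prints one `Host:` line per host with `port/state/proto//service//version/` fields, is easy to post-process beyond grep. The following Python is an added example, not part of the original post, that parses those lines, drops the tcpwrapped entries, and counts which web-server banners appear, written for an administrator checking their own address range; the sample lines and the list of embedded-router banners are constructed from the results shown on this page.

```python
"""Parse nmap grepable (-oG) output and summarise what is exposed on TCP/80.
Added example, not from the original post: the same filtering as the page's
`grep 'open' | grep -v 'tcpwrapped'` pipeline, but as structured records an
administrator can use to audit their own address range."""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample in the -oG "Host:" line format shown on the page.
# Addresses are from the RFC 5737 documentation range, not real hosts.
SAMPLE_OG = """\
# Nmap scan initiated (constructed sample)
Host: 192.0.2.10 ()\tPorts: 80/open/tcp//tcpwrapped///
Host: 192.0.2.11 ()\tPorts: 80/open/tcp//http//micro_httpd/
Host: 192.0.2.12 ()\tPorts: 80/open/tcp//http?///
Host: 192.0.2.13 (gw.example)\tPorts: 80/open/tcp//http//Allegro RomPager 4.07 UPnP|1.0 (ZyXEL ZyWALL 2)/
Host: 192.0.2.14 ()\tPorts: 80/closed/tcp////
Host: 192.0.2.15 ()\tPorts: 80/open/tcp//ssl|http//thttpd/, 443/open/tcp//ssl|http//thttpd/
# Nmap done (constructed sample)
"""

# Banners the page's own scan results attribute to embedded router/gateway
# firmware; a heuristic drawn from those results, not an exhaustive list.
EMBEDDED_HTTPD = ("micro_httpd", "RomPager", "thttpd")

HOST_RE = re.compile(r"^Host:\s+(?P<ip>\S+)\s+\((?P<name>[^)]*)\)\s+Ports:\s+(?P<ports>[^\t]*)")

@dataclass
class PortRecord:
    ip: str
    hostname: str
    port: int
    state: str
    proto: str
    service: str
    version: str

    @property
    def tcpwrapped(self) -> bool:
        # nmap says "tcpwrapped" when the handshake completed but the peer closed
        # the connection before sending data: no banner, so nothing to identify.
        return self.service == "tcpwrapped"

    @property
    def embedded_router(self) -> bool:
        return any(tag in self.version for tag in EMBEDDED_HTTPD)

def parse_grepable(text: str) -> list[PortRecord]:
    """Turn -oG 'Host:' lines into PortRecords; '#' comment lines are skipped."""
    records: list[PortRecord] = []
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        for entry in m.group("ports").split(", "):
            # Field layout: port/state/proto/owner/service/rpc/version/
            fields = entry.strip().rstrip("/").split("/")
            fields += [""] * (7 - len(fields))  # pad entries whose trailing fields are empty
            port, state, proto, _owner, service, _rpc, version = fields[:7]
            # -oG writes "|" in place of any "/" inside a field (e.g. "UPnP|1.0").
            records.append(PortRecord(m.group("ip"), m.group("name"), int(port), state, proto,
                                      service.replace("|", "/"), version.replace("|", "/")))
    return records

def usable_open(records: list[PortRecord]) -> list[PortRecord]:
    """Open ports whose banner could actually be read (drops tcpwrapped)."""
    return [r for r in records if r.state == "open" and not r.tcpwrapped]

def summarise(records: list[PortRecord]) -> Counter[str]:
    """Count usable open ports by the product named in the banner."""
    return Counter(r.version or r.service for r in usable_open(records))

if __name__ == "__main__":  # quick report over the constructed sample
    for r in usable_open(parse_grepable(SAMPLE_OG)):
        kind = "embedded router UI" if r.embedded_router else "other web server"
        print(f"{r.ip:<12} {r.port}/{r.proto}  {r.version or r.service:<45} {kind}")
```

Feed it the real `nmap ... -oG -` output of your own range instead of SAMPLE_OG to get the same per-banner count for hosts you are responsible for.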

Search from Windows, Mac or Linux using GUI – NMAP or Zenmap

Assuming you have the NMAP installation sorted, you can now open NMAP (in Kali Linux or a similar Linux distro you can use Zenmap, which is the cross-platform GUI version of NMAP). Copy-paste the following line into the Command field:

nmap -sS -sV -vv -n -Pn -T5 -p80 -oG -

Another version of this command uses a different representation of the subnet mask:

nmap -sS -sV -vv -n -Pn -T5 -p80 -oG -

Press the SCAN button and wait a few minutes until the scan is over.

Remote Router Hack - Hack ADSL router using NMAP - blackMORE Ops - 4

Once you have some results, you need to find the devices with open ports. In the search result page:

  1. Click on the Services button
  2. Click on the http service
  3. Click on the Ports/Hosts tab (twice, to sort them by status)

As you can see, I’ve found a few devices with open http port 80.

Remote Router Hack - Hack ADSL router using NMAP - blackMORE Ops - 5

It is quite amazing how many devices have ports open facing the outside world.

Access Management Webpage

Pick one at a time. For example, try this:

You get the idea. If it opens a web page asking for a username and password, try one of the following combinations:


If you can find the router’s model number and make, you can find the exact username and password from this webpage:

Before we finish up, I am sure you were already as impatient as I was, since a lot of the routers had ‘tcpwrapped’ on them, which was actually stopping us from accessing the web management interface. The following command will exclude those devices from our search. I’ve also expanded my search to a broader range using a slightly different subnet mask.

nmap -sS -sV -vv -n -Pn -T5 -p80 -oG - | grep 'open' | grep -v 'tcpwrapped'

In this command I am using a /22 subnet mask with two filters on the output: I am looking for the word ‘open’ and excluding ‘tcpwrapped’. As you can see, I still get a lot of output.


You’ll be surprised how many have default usernames and passwords enabled. Once you have access to the router, you can do a lot more, like DNS hijacking or stealing usernames and passwords (for example social media credentials for Facebook, Twitter, webmail etc.) using tcpdump/snoop on the router’s interface, and much more…

There are many things you can do after you’ve got access to a router. You can change DNS settings, set up tcpdump and later snoop all plaintext passwords using Wireshark, etc. If you know a friend, family member, colleague or neighbour who didn’t change their router’s default password, let them know of the risks.

I am not here to judge whether it should be done or not, but this is definitely a way to gain access to a router. So hacking is not always bad; it is sometimes required when you lose access or a system just won’t respond. As a pentester, you should raise awareness. Share this guide, as anyone who uses Linux, Windows or Mac can use it to test their own network and fix the issue.


What is the Difference Between Client Bridge & Wireless Repeater Modes in DD-WRT?

DD-WRT router firmware distinguishes itself in many ways, but one of the most useful is the simple setup of wireless modes within its interface. Many consumers and network administrators turn to DD-WRT when seeking the optimal choice for setting up a Client Bridge. Once they go DD-WRT, they never seem to go back, due to the simplicity, customization possibilities, and the ease of the setup process.

There are a few basic networking terms to become acquainted with before reading further.

AP (Access Point) – The standard wireless mode for most routers in DD-WRT.

DHCP (Dynamic Host Configuration Protocol) – Automates network-parameter assignment to network devices. Simply put, it is a process that allows a router to automatically assign connected devices a local IP address.

NAT (Network Address Translation) – The process of modifying IP address information while in transit across a router.

WDS (Wireless Distribution System) – A system enabling the wireless interconnection of access points, allowing a wireless network to be expanded using multiple access points without the traditional requirement that they be wired together.

A breakdown of the bridging modes available in DD-WRT – How to Set Client Bridge/Wireless Bridge/Repeater Mode in DD-WRT

How Does the Client Wireless Bridge Differ from Repeater Mode?

To put it simply, a Client Bridge links computers while a Wireless Repeater connects routers.

These mode changing options can be found in later builds of DD-WRT under the Wireless –> Basic Settings Tab (as seen in the image above). The default mode in DD-WRT is AP, which sets your router up as a standard access point for users.

A Client Bridge can connect disparate pieces of a company or home network that were previously unable to connect through a router. The intended use for a Repeater is to take a wireless signal from a network and give it a new-found, extended range.

Placing a Repeater in an opportune location can significantly strengthen a computer’s connection and network signal from a primary gateway. A Repeater is useful in a home or office when you are trying to boost wireless connection strengths, wireless range, and overall network sensitivity.

Client Bridges are increasingly popular for creating secured wired connections without the involvement of wireless signals on the client side. With Client Bridges, the WLAN and the LAN are on the same subnet. Consequently, NAT is no longer used, and services that are running on the original network (like DHCP) work seamlessly on the created bridged network.

Inside a client bridged network, computers can see one another inside a Windows Network. However, the router will no longer accept wireless clients or broadcast beacons as it would in Repeater mode, minimizing the outside accessibility to the network.

If you are looking to extend wireless access to more remote parts of a home or office then the Repeater is the way to go. If you are looking to create a more seamless integrated network of computers without concern for extended wireless signal, then a Client Bridge could be the solution.

What is the Difference between the alternate DD-WRT Repeater Modes?

  • Repeater
    A) DHCP & NAT enabled
    B) Clients on different subnet from primary router.
    C) Computers connected to one router cannot see computers connected to other routers in Windows Network.
  • Repeater Bridge
    A) Wireless Repeater capabilities with DHCP & NAT disabled.
    B) Clients on the same subnet as primary router.
    C) All computers can see one another in Windows Network.
  • Universal Wireless Repeater
    Uses a program/script called AutoAP to keep wireless connection with the nearest/optimal host Access Point.

Explanation of Alternative Wireless Modes in DD-WRT

Client Mode (AP Client)
Used to link two wired networks using two wireless routers without creating a bridge. Computers on one wired network cannot see computers on the other wired network in Windows Network. Client mode allows the router to connect to other access points as a client.

Client Mode in DD-WRT turns the WLAN portion of your router into the WAN. In this mode, the router will no longer function as an access point (doesn’t allow clients), therefore, you will need wires to use the router and to configure it. The router won’t even be visible to your own wireless configuration software or Wi-Fi packet sniffer software like Wireshark, Kismet or Netstumbler.

In Client Mode, the WLAN and the LAN will not be bridged, creating different subnets on the same router. To create FTP servers, port forwarding from WLAN to LAN will be necessary. Most users select to use client bridge mode instead of client mode.

Ad-hoc Mode
Ad-hoc mode allows the router to connect to other wireless devices that are also available for ad hoc connections. Ad hoc networks lack the typical central management of an infrastructure-type network. Ad hoc mode uses STP (Spanning Tree Protocol), not WDS. Think of this mode as a Client Mode that doesn’t connect to infrastructure networks but rather to similarly ad hoc configured devices.

Fixing Tomato/DD-WRT Mac address clone resets upon startup

1) Go to Web interface > Administration> Commands
2) Paste this:

nvram set wan_hwaddr="12:40:CC:11:00:00"

nvram commit

stopservice wan
startservice wan

Note that:
"12:40:CC:11:00:00" is my MAC address and you need to type your own there!

3) Click Save Startup

P2Partisan – Mass IP blocking – Peerblock/Peerguardian for Tomato firmware

Fixing bricked router after flashing from DD-WRT to Tomato firmware

If you were running DD-WRT on your router and you uploaded a Tomato firmware from the firmware upgrade tab of the router login page in your web browser, and the NVRAM was not completely erased before flashing, your device can get bricked.
The firmware update process will finish without a problem, but after rebooting the router you can’t log in to it, not from the login page in your browser and also not with telnet.

This is because the DD-WRT password is still in the NVRAM, and DD-WRT stores its passwords in the NVRAM encrypted while Tomato doesn’t, so Tomato can’t decrypt the password.

We will activate a hidden backdoor in Tomato so we can telnet into the router without any verification. Once connected via telnet, we erase the NVRAM so that the password is reset to the standard Tomato setting (login: admin, password: admin).

To do this, follow these steps:
1) power on the router and wait 2-3 minutes so it has started completely
2) push and hold the wifi on/off button for 25 seconds – this enables the “backdoor” access to the router
3) use PuTTY (or any telnet client) to connect via telnet on port 233; you log in to the router without a password, using the command: telnet 233
4) run the command: mtd-erase -d nvram
5) wait for the output “nvram successfully erased.” and type: “reboot”
6) after rebooting the router, point your browser to
7) and log in with username “admin” and password “admin” (without the quotes)

That’s it; now you should be good to go and able to log in to the router again.

DD-WRT Setup & Configurations Guides

How to setup static dhcp address for your clients in dd-wrt

Unleash Even More Power from Your Home Router with DD-WRT Mod-Kit:


Optware website:

[Howto] Install Optware

Software Installation on DD-WRT — Part 1

Software Installation on DD-WRT — Part 2

How To Install Additional Software On Your Home Router (DD-WRT):

How To Access Your Machines Using DNS Names with DD-WRT:

How To Forward Ports on Your Router:

How to Run Multiple Terminal Servers on a Single IP Address:

How to Schedule Your Computer to Wake Up at Specific Times with DD-WRT:

Setup SSH on Your Router for Secure Web Access from Anywhere:

How To Knock Into Your Network (DD-WRT):

Script for installing optware on DD-WRT:

How to flash a rom with DD-WRT firmware on an Asus RT-N66U router.

In this guide we assume that you have the original Asus firmware installed on your router.
Otherwise it would be useful to install the original Asus firmware first, before you start, to minimize any errors.

Open your web browser and go to your router login page, usually at
Enter the login credentials, go to Administration > System and set the option “enable telnet” to yes.
Don’t forget to click “apply” at the end of the page to get telnet enabled.

Open up a command line to connect to your router over telnet by entering the command:
$ telnet
Enter your router login credentials when asked. Once connected, run the command:
$ strings /dev/mtd0ro | grep bl_version
This will output something like “bl_version=”
and tells you which boot loader version is installed on your router.
If this is or lower, then your router only runs with 32k NVRAM.
If it is or higher, then your router runs with 64k NVRAM.

Now you know whether you need the 64k firmware version or just the normal (32k) version for your router.
This saves you from potentially bricking your device by using an incorrect firmware version.

If your router only runs with 32k NVRAM, you can upgrade the boot loader to a newer version in order to make it run with 64k NVRAM.
In this guide I will not go into the boot loader upgrade process.
A guide about this can be found at:

If you downloaded the correct firmware version, you can flash it to the device as described in the next steps:
Go back to the terminal again and check that the telnet connection to your router is still up and running.
If not, reconnect your terminal to the router.
Now we need to clear the router’s NVRAM, using the command:
$ mtd-erase -d nvram
If the output shows something like “nvram successfully erased”, restart the router with the command:
$ reboot
Once the router has completely rebooted, point your web browser to and log in to your router.
Go to Administration > Firmware Upgrade > New Firmware File, click “Choose File” and select the new .TRX firmware you downloaded.
Then click “Upload” to start the firmware upgrade process.
Once the upload process is done, do not restart the device; instead open up the command line again and telnet into your router with the command:
$ telnet
Enter the following login credentials: username “root”, password “admin” (both without the quotes).
Now we have to erase the NVRAM again, by entering the command:
$ erase nvram
And reboot the device, by entering the command:
$ reboot
After the reboot you are good to go, and can set up your username and password on the web page.

Difference between DD-WRT BrainSlayer, Eko, Fractal, and Kong Builds + All other things you need to know

NTap: The Raspberry Pi Network Tap

NTap is a very simple configuration to make a Raspberry Pi act as a transparent network tap.

If you’re interested in verifying whether one of your devices (be it a laptop, router or something else) is connecting to unknown destinations or performing some unusual network activity (for example as a result of a compromise), you can use NTap to intercept and store transiting traffic and inspect it later.

You’ll just need a Raspberry Pi with a default Raspbian installation, a USB Ethernet adapter and two cables.

The needed files and more information can be found on:

Split OpenVPN clients with port forwarding and Torrent server on a router that’s running Tomato firmware

Split VPN on the router: two OpenVPN clients which only route specific VLANs (assigned to bridges) through the VPN tunnels, while the other VLANs go through the normal ISP connection. Exceptions can be entered, of course. Linux host: if a VPN service assigns you a dynamically changing port-forwarding assignment, these scripts allow a Linux torrent box to keep its port assignment and maintain the ability to accept incoming torrent connections.

Unbricking Asus routers & flashing the firmware without using Windows.

The blog post linked below explains how to unbrick your Asus router, or how to flash a new firmware onto your Asus router without using a system that’s running Windows, so the router can be flashed from a Linux, BSD or Mac OS X system without a problem.

Look here for instructions: