Remote Exploit Forums

#1  07-25-2008, 04:54 PM
Senior Member
Join Date: Oct 2007
Posts: 139

Enabling Telnet Console on Certain Netgear Routers

This tutorial covers how to enable a telnet session on certain Netgear routers. The program that we will use is called telnetenable. For more information on this program, use the links below.

Useful Links
http://wiki.openwrt.org/OpenWrtDocs/.../TelnetConsole
http://www.seattlewireless.net/Netge...e8790b0722e370
http://blog.ktdreyer.com/2008/01/hacking-wgr614.html

OK, so let's get on to the fun part.

Testing
Before we can actually run this program we need to make sure that we have a viable candidate. To do this we will run the program Nmap. There are many different variables that you could use with nmap but for our purposes we will just do a quick scan to get some basic information. I will show you two different nmap scans on two different Netgear routers. One router has the telnet port open and the other doesn't have telnet enabled at all.

Viable Candidate
Code:
bt ~ # nmap -A -T4 192.168.1.1

Interesting ports on 192.168.1.1:
Not shown: 1713 closed ports
PORT   STATE SERVICE    VERSION
23/tcp open  telnet?
80/tcp open  tcpwrapped
|  HTTP Auth: HTTP Service requires authentication
|_   Auth type: Basic, realm = WGR614v7
MAC Address: AA:AA:AA:AA:AA:AA (Netgear)
Device type: WAP
Running: Netgear embedded
OS details: Netgear WGR614v7 or WPN824v2 wireless broadband router
Uptime: 5.153 days (since Sat Jul 19 12:19:33 2008)
Network Distance: 1 hop
We can see from the output that the telnet port is open. But if we try to connect to the telnet port we will get the following.
Code:
bt telnet # telnet 192.168.1.1
Trying 192.168.1.1...
Connected to 192.168.1.1.
Escape character is '^]'.

Connection closed by foreign host.
We can see that it is open but not enabled. This is where the program I will show comes in handy.

Not a viable candidate
Code:
bt ~ # nmap -A -T4 192.168.0.1

Interesting ports on 192.168.0.1:
Not shown: 1710 closed ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Netgear MR814v2 wireless router http config (IP_SHARER WEB httpd 1.0)
|_ HTML title: Site doesn't have a title.
|  HTTP Auth: HTTP Service requires authentication
|_   Auth type: Basic, realm = MR814v2
MAC Address: XX:XX:XX:XX:XX:XX (Netgear)
Device type: WAP|firewall
Running (JUST GUESSING) : TRENDnet embedded (96%), Netgear embedded (93%)
Aggressive OS guesses: TRENDnet TEW-431BRP wireless broadband router (96%), Netgear FR114P ProSafe VPN firewall (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: Device: router
As we can see, on this particular router there is no telnet port enabled. From my limited experience working with Netgear routers, it seems most of the older routers, mainly the 802.11b-only routers, don't have the telnet port open. Most of the newer 802.11bg routers do have the telnet port open. If you find this not to be the case, I would like to hear it.

Obtaining the software
There are probably many ways to obtain this software if you do a quick Google search. So I'm providing links to the files needed to compile the program that worked for me.
Compile the program
We will use the gcc compiler to compile the telnetenable program. Make sure that you are running as root or that you compile it with root privileges.
Code:
bt telnet # gcc -o telnetenable md5.c blowfish.c telnetenable.c
md5.c: In function 'MD5Update':
md5.c:74: warning: incompatible implicit declaration of built-in function 'memmove'
md5.c:77: warning: incompatible implicit declaration of built-in function 'memmove'
md5.c:85: warning: incompatible implicit declaration of built-in function 'memmove'
md5.c:92: warning: incompatible implicit declaration of built-in function 'memmove'
md5.c: In function 'MD5Final':
md5.c:112: warning: incompatible implicit declaration of built-in function 'memset'
md5.c:118: warning: incompatible implicit declaration of built-in function 'memset'
md5.c:128: warning: incompatible implicit declaration of built-in function 'memmove'
md5.c:129: warning: incompatible implicit declaration of built-in function 'memset'
telnetenable.c: In function 'usage':
telnetenable.c:66: warning: incompatible implicit declaration of built-in function 'exit'
telnetenable.c: In function 'EncodeString':
telnetenable.c:94: warning: passing argument 2 of 'Blowfish_Encrypt' from incompatible pointer type
telnetenable.c:94: warning: passing argument 3 of 'Blowfish_Encrypt' from incompatible pointer type
When you look in the directory you will find the new program called telnetenable.
Code:
bt telnet # ls
blowfish.c  blowfish.h  md5.c  md5.h  telnetenable*  telnetenable.c
We can see that there are many warnings when you compile the program. We can safely ignore those warning messages. One of the comments on one of the links above said that you need to be root to compile and run the program. So, as stated above, I would recommend logging in as root or issuing the command "sudo -s" to obtain root privileges. I'm assuming that you are running as root as BT3 runs best as root.

Opening the connection
The telnetenable program doesn't actually open up and communicate with the router by itself, but instead makes a packet that is sent to the router via the netcat program. You can run the program with no variables, and it will tell us what information we need to provide.
Code:
bt telnet # ./telnetenable

Version:0.1, 2006/06/22
Usage:
./telnetenable <host ip> <host mac> <user name> <password>
From the output we can see that we need to provide the host IP of the router, the MAC address of the router, the default username, and the default password. So let's provide the information that we obtained from the viable candidate. From the viable candidate we can see that the host IP in this case is 192.168.1.1 and the MAC address is AA:AA:AA:AA:AA:AA. When typing in the MAC address, the telnetenable program doesn't like the colons, so leave them out. The default username and password are Gearguy and Geardog, respectively, and the packet that we are going to make is called modpkt.pkt. I don't believe the name of the resulting file is important, but it is what I found and what worked for me. Once the packet is made we will send it to the router via netcat.
Code:
bt telnet # ./telnetenable 192.168.1.1 AAAAAAAAAAAA Gearguy Geardog > modpkt.pkt
bt telnet # nc 192.168.1.1 23 < modpkt.pkt
Logging in
So now that we have sent the packet to the router, let's see if it worked. From here just telnet into the router.
Code:
bt telnet # telnet 192.168.1.1
Trying 192.168.1.1...
Connected to 192.168.1.1.
Escape character is '^]'.
Login: Gearguy
Password: *******
U12H06400>
And if you are successful, you will have a command prompt like the one above. We now have full administrative access to the router. The router has a version of VxWorks on it, so the two best commands to use to weave your way around are "help" and "..". The help command will list any directories and/or files in the current directory. The ".." command works just like the "cd .." command does in Linux and allows us to move out of directories. To exit cleanly we need to be in the top-level folder and issue the command "exit" to close our telnet session. An example of help in the top directory will result in the following menu.
Code:
U12H06400> help

Commands are:

bridge         ddns           exit           ftpc           ip
lan            nat            passwd         pot            reboot
save           show           sntp           time           uptime
version        wan            web            wla

 '..'    return to previous directory

U12H06400> exit

Connection closed by foreign host.
And that is how you enable the telnet session in Netgear routers. I tried to provide enough information to clear up any ambiguity, so I apologize for the length of this tutorial. If you find that there are any mistakes then please leave a post and I will either clear up the mistake or try to explain better.

Caveats
1) Every time the router is rebooted or a setting is changed, the telnet session is open but not enabled.
2) If, for some reason, the telnetenable program doesn't work, then the telnet port is completely disabled. You need to reboot the router to open the port and then try the telnetenable process again. This is what you will see if you try to telnet into the router after a failed netcat attempt.
Code:
bt ~ # telnet 192.168.1.1
Trying 192.168.1.1...
telnet: connect to address 192.168.1.1: Connection refused
3) I have tried using this program many times on Ubuntu with limited to no success. It worked for me on BT3 for this tutorial with root privileges. So, from my limited experience with the Linux version of this program, YMMV on successfully using it.
4) If all fails, then try using the Windows version called "telnetEnable.exe".

Last edited by larryhaja; 08-09-2008 at 01:24 PM.
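A defender-side check, added here as an example and not part of larryhaja's post or the telnetenable tool, that sorts a router's telnet port into the states the post describes (refused after a failed attempt, open but immediately closed after a reboot, or a live login prompt) so you can audit devices you manage. The fake_router fixture is constructed so the check runs offline on loopback.

```python
import socket
import threading

# Added example (not from the post or the telnetenable tool): classify a telnet port
# into the states the tutorial describes: "refused" (port shut after a failed enable
# attempt), "open-not-enabled" (accepts, then closes at once, the state after a
# reboot) and "console-enabled" (a banner or "Login:" prompt, the admin shell is live).

def classify_telnet_port(host, port=23, timeout=3.0):
    """Probe one host:port once and return its telnet state as a string."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "refused"
    except OSError:
        return "unreachable"        # filtered, no route, or name lookup failure
    try:
        sock.settimeout(timeout)
        data = sock.recv(256)       # b"" means the peer closed without a banner
    except socket.timeout:
        return "silent"             # accepted, then nothing sent within the timeout
    except OSError:
        return "open-not-enabled"   # reset by peer right after accept
    finally:
        sock.close()
    return "console-enabled" if data else "open-not-enabled"

# Constructed loopback fixture so the check can be exercised offline.
def fake_router(behaviour):
    """Bind a random loopback port and imitate one router state for one client."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    port = srv.getsockname()[1]
    if behaviour == "refused":
        srv.close()                       # nothing listens: connect() is refused
        return port
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        if behaviour == "console-enabled":
            conn.sendall(b"\r\nLogin: ")  # the prompt shown in the tutorial
        conn.close()                      # otherwise close without sending a byte
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port
```

Point classify_telnet_port at a router you administer; any result other than "refused" means the telnet console is reachable and worth investigating.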
#2  07-25-2008, 07:52 PM
PeppersGhost
Senior Member
Join Date: Jan 2008
Location: AZ, USA
Posts: 212

You put some nice effort into this larryhaja. Good job. Thanks.
#3  08-15-2008, 11:31 AM
sheikh76
Junior Member
Join Date: Jul 2008
Posts: 13

Hi...
How do I telnet to BT3? I mean from another PC to BT3. On Ubuntu I just installed telnetd and xinetd from the command line with apt-get install (XXXXX). But how about on BT3? What do I need to install on my BT3, and what configuration? Can you help me and guide me so I am able to telnet to BT3?

Note: using telnet from BT3 to another PC works fine. I just want to know how I telnet from another PC to BT3. Thanks.
#4  08-15-2008, 03:36 PM
Senior Member
Join Date: Jun 2008
Posts: 100

Quote:
Originally Posted by sheikh76
Hi...
How do I telnet to BT3? I mean from another PC to BT3. On Ubuntu I just installed telnetd and xinetd from the command line with apt-get install (XXXXX). But how about on BT3? What do I need to install on my BT3, and what configuration? Can you help me and guide me so I am able to telnet to BT3?

Note: using telnet from BT3 to another PC works fine. I just want to know how I telnet from another PC to BT3. Thanks.
Have you tried looking for the same programs on slackware.com, or better yet, why not use the SSH service already included in BT3?
#5  08-15-2008, 08:28 PM
sheikh76
Junior Member
Join Date: Jul 2008
Posts: 13

Thanks for the reply... so I need to use PuTTY to connect to BT3? How about another way? Connecting with PuTTY from a local IP is no problem, but how do I connect from the WAN? I have set up my router (Dynamic DNS) on the D-Link. Is there anything I need to configure on my BT3? I hope you can help me on this.
#6  08-15-2008, 10:07 PM
Senior Member
Join Date: Jun 2008
Posts: 100

Quote:
Originally Posted by sheikh76
Thanks for the reply... so I need to use PuTTY to connect to BT3? How about another way? Connecting with PuTTY from a local IP is no problem, but how do I connect from the WAN? I have set up my router (Dynamic DNS) on the D-Link. Is there anything I need to configure on my BT3? I hope you can help me on this.
SSHD opens port 22 in BT3, and that's all you need to access it locally. Now for WAN, you must open that same port in the router's firewall and point it to the local IP of the BT3 workstation. After that you can obtain a Secure Shell from your public IP address!
#7  08-15-2008, 10:31 PM
sheikh76
Junior Member
Join Date: Jul 2008
Posts: 13

Thanks... Okay, that means I need to open port 22 in my router?
How about another way, or via the command line, to telnet besides PuTTY?
Can the D-Link512 do something like (Enabling Telnet Console on Certain Netgear Routers)?
#8  08-15-2008, 10:49 PM
Senior Member
Join Date: Jun 2008
Posts: 100

Quote:
Originally Posted by sheikh76
Can the D-Link512 do something like (Enabling Telnet Console on Certain Netgear Routers)?
I actually flashed both of my Linksys routers with dd-wrt, which allows me to do all kinds of funky stuff with them (including telnet, ssh...). You should check their site and see if your router is supported...
#9  08-16-2008, 05:19 AM
Junior Member
Join Date: Jul 2008
Posts: 13

How do I FTP to BT3?

C:\>ftp 192.168.0.178
Connected to 192.168.0.178.
Connection closed by remote host.

C:\>
#10  11-14-2008, 12:36 AM
Banned
Join Date: Oct 2008
Location: Under The Bridge
Posts: 61

I followed it step-by-step, but still, after I telnet to the IP, it closes on me.

Trying 10.0.0.1...
Connected to 10.0.0.1.
Escape character is '^]'.
Connection closed by foreign host.