F7D2301 Belkin Router admin lock out

[thhetopham]

Hey, I am using a belkin F7D2301 router at home. I recently moved into a house that had internet already set up. Apparently, our ISP came out and set up the router themselves. Unfortunetly for me, an aspiring network admin, I do not have admin rights to the router! I can log on to the internet using the wireless pass, but when i go to the IP address of the gateway (my router), the wireless password is different then the admin password for the router.

I've already had people tell me to press the reset button. Only problem is I think the ISP set up the connection as static and I don't want to lose any vital IP addresses....

My next project is to look into a brute force or dictionary style attack to find out what password the ISP used. I did a little bit of research on F7D2301, and found out that it has a DNS name spoofing exploit, although I am not sure how i can implent this to gain admin rights to the router... BLAH.
http://www.grc.com/dns/crashtest.htm link for dns spoof test, the test crashed my router, reset by unplugging router and plugging back in.

at this point, any input would be great... i've made it my mission to crack this router

p.s. I have a copy of Bt4r1, and have tried using hydra and xhydra in a VM but I am new to linux and was not comfortable with the CLI. Xhydra, even with the GUI, didn't help me out much either because I have no dictionarys or wordlists to feed it to try passwords.

 

[someone19]

The router manual:

http://cache-www.belkin.com/support/dl/man_f7d2301_v1_8820-00372_surf_router.pdf

Most all of the google responses for belkin f7d2301 password say that the default name and password for your router are both blank. The password you need to supply to a computer to be able to connect wirelessly is different from the password to access the configuration.

Try leaving the username and password blank when logging into the web based configuration.

 

[Emerald]

can you browse the internet when you connect to the modem directly?

 

[thhetopham]

hmm after going into the attic things got interesting. Some background info: i live in a very remote area believe my ISP uses the Airos v ubiquiti network connection. I think this because after network scanning my own network, I found a bunch of 192.168 addresses that did not relate to me. my router is 10.0.0.1 address! i tried one of the 192.168 addresses in my browser and got an Airos login screen. some google research lead to me finding the airos v ubiquity networks vendor or something?

anyway, more background info... my router's wan connection goes into the attic. I went into the attic to follow it and instead of finding a modem with a coax connection i found a "esg-8805 Engenius" switch. what the hell? the switch had three connections, one being the connection that plugs into the wan plug on the router. the other 2 each went into a POE device of some kind. the two devices have 2 ethernet connections, labeled POE and LAN. then a DC power cord to power the POE to LAN adapter thing. the 2 POE cables go up to the roof or somewhere, I couldn't follow them or get on the roof to check. I think they might power a wireless adapter to connect to the airos network? does anyone know about how this stuff works?

 

[someone19]

Ok, but did you try blank passwords to get into the router? It sounds like the network you describe in the attic is similar to the internet provider you suggest. If the password has been changed then call them and demand access to your hardware.

Again, the password to access the system wirelessly needs to be different than the admin password to configure the router. They can be the same, but that's a security hole.

 

[thhetopham]

yeah i tried default and everything, no luck. thats why i tried to bruteforce it lol

 

[thhetopham]

blank passwords did not work. i do think i should be able to call them and demand access to the router

 

[thhetopham]

called the isp and they said they did not set a password... uh oh...

 

[thhetopham]

is my router hacked? my isp cant send out someone until monday!

 

[thhetopham]

does anyone know how to find out all my router settings without admin rights? if i knew them, i could reset the router and put them in again since the password goes back to default. help!

 

[Emerald]

when you connect to the switch in the attic can you browse the internet?

If you can browse, you should be able to just reset the router.

 

[thhetopham]

if i connect to the switch the in attic, i cannot browse. it does give me a 169 ip address tho

 

[Emerald]

do you have the CD that came with the router?

also it is mentioning something about a network information card should have your router's password on it. (see page 10)

http://en-us-support.belkin.com/app/answers/detail/a_id/3644/related/1/session/L2F2LzEvdGltZS8xMjk4NzY3MTc4L3NpZC9iWkFqdURuaw%3D%3D

 

[thhetopham]

i do not have the cd that came with the router. the network information card works for initially setting up the network, but once its set up they ask you to change it, which the ISP did. I tried the password on the card awhile ago and no luck.

 

[Emerald]

if you connect to the attic and set your network settings of your computer to:

IP 192.168.xxx.201 (match the IP scheme of the 192.168.xxx.xxx)
subnet mask 255.255.255.0
gateway 192.168.xxx.1 or 192.168.xxx.254 (usually one of the two)

DNS server 206.13.29.12


can you connect to the internet?

 

[thhetopham]

if i type in 10.0.0.1 (my router address) from my wireless pc i get this info:

internet settings: static connection type
wan ip: 192.168.1.185
subnet mask: 255.255.0.0
default gateway: 192.168.1.50
dns address: 208.67.220.220

Lan settings: ip address: 10.0.0.1
subnet mask 255.255.0.0

now that you know this, what address settings should i use in the attic?

 

[thhetopham]

when i type in cmd ipconfig, my ip address shoes 10.0.0.103

 

[Emerald]

before you connect to the switch in the attic set your computer to:

ip: 192.168.1.253
subnet mask: 255.255.0.0
default gateway: 192.168.1.50
dns address: 208.67.220.220

then connect the network cable the is connected to your router's WAN port and plug it into your computer.

You should be able to browse.

If you can browse, resetting the router to manufacturer default should allow you to use the password on the network information card.

have you tried using your account number as a password? Some techs use either the serial number of the router or the customer account number as a password.

 

[thhetopham]

it worked! i used ip address 192.168.1.252 because 253 was assigned to another device. i was able to browse! while i was browsing, i checked my connection speed with speedtest.net. upload speed: 6 Mbps... wow... download speed: 1 Mbps... what?! could this be right? lol i thought the ratio was supposed to be higher download speeds.

 

[Emerald]

double check that it should be the other way around. 6Mb down and 1Mb up

 

[thhetopham]

ohhh my god it feels soooo good to have admin priv again! THANK YOU SO MUCH EMERALD!!!

I am running wireshark now and checking out the security logs in the router. getting a bunch of this:

02/26/2011 23:21:54 **Smurf** 169.254.8.0, 2048->> 255.255.255.255, 58954 (from WAN Inbound)

smurf attacks? the whole point of me doing all of this is to find out where my bandwidth is going... are smurf attacks running a DOS on me?

 

[Emerald]

the IP range 169.254.0.0 to 169.254.255.255 is usually used in Ad-Hoc connections like DHCP and are reserved addresses.

http://tools.ietf.org/html/rfc3927

 

[thhetopham]

when i plug into the switch and use 192.168.2.252 i had a HUGE Mbps increasse in downloads and uploads. is there any way i can use this address for my router?

 

[Emerald]

after you logged into the router, set your WAN setting to Static IP and use the following settings.

WAN ip: 192.168.1.252
subnet mask: 255.255.0.0
default gateway: 192.168.1.50
dns address: 208.67.220.220

make sure the LAN IP is 10.0.0.1 and DHCP is on