Category Archives: Hacks

A vulnerability and a hidden admin account, all inside “SITEL DS114-W” routers!

Hello, hope you are all doing well! It has been a long time since my last post; let’s say I was occupied with some stuff, but I’m back with a new discovery 🙂

As an Algerian internet consumer, I’m a subscriber of the “Djaweb” ISP, as I don’t have many choices. Let’s not talk about that now and dive into some serious stuff!

I found out that the routers shipped by the Algerian ISP “Djaweb” are backdoored with a secret admin account, and as it appears they didn’t do a good job of hiding it … and not only that, but they have a session management vulnerability too!


As usual the internet goes down from time to time, and we are used to that in Algeria; this time it took a long time, so I went to restart the modem from the web interface.


But after restarting it I logged out and kept looking at the “login” page, thinking “What if there is a vulnerability inside .. ?”, and that’s when the journey started ..


As usual, I hooked up “Burp” as a proxy and logged in:


“Cookie: SessionID=3” … too easy to predict!

Now comes Burp’s “Intruder” functionality; it allows us to brute force any parameter inside the request, and that’s exactly what we need to brute force the SessionID.

Steps (quick tips for Burp):

1- Right-click the request and click “Send to Intruder”.

2- Go to the “Intruder” tab.

3- Navigate to “Positions”; that’s where we specify the parameter we want to brute force. Leave the “Attack type” at “Sniper”.

4- Go to “Payloads” and set the payload type to “Numbers” with:

  • Type: Sequential
  • From: 1
  • To: 100
  • Step: 1


So in total Intruder will make 100 requests to the router.

Now with everything set, I fired up the Intruder attack and …

We can see that session #4 is the one the web app initialized earlier for our access.

But when scrolling down we see something weird:

Sessions 40 to 49 are also initialized. I logged off and the sessions dropped; when I logged back in and brute forced the session IDs again, another 10 sessions appeared, initialized on another range.

Knowing that the user only requires one session to be initialized, and that it should be bound only to the user who logged in and nobody else, the fact that other sessions are initialized when the user logs in gives an attacker, with a simple brute force, access to the router without knowing the password.

This constitutes a session management vulnerability.
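The flip side of a sequential SessionID is that guessing it leaves a very visible trail: one client presenting dozens of different cookie values in a regular progression. The following detection, written for this post and not part of it, runs over a constructed access-log format (timestamp, client, SessionID cookie, status) and reports the clients that swept the ID space and which IDs they actually landed in.

```python
import re
from collections import defaultdict

# Constructed sample log (not from the post): "<time> <client> SessionID=<n> <status>".
# One client walks the low IDs and then lands in 40 and 41, as the post describes;
# the other only re-sends the single cookie it was issued.
SAMPLE_LOG = """\
03:25:21 10.0.0.5 SessionID=1 302
03:25:21 10.0.0.5 SessionID=2 302
03:25:21 10.0.0.5 SessionID=3 302
03:25:21 10.0.0.5 SessionID=4 200
03:25:22 10.0.0.5 SessionID=5 302
03:25:22 10.0.0.5 SessionID=6 302
03:25:23 10.0.0.5 SessionID=40 200
03:25:23 10.0.0.5 SessionID=41 200
03:25:40 10.0.0.9 SessionID=4 200
03:26:01 10.0.0.9 SessionID=4 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) SessionID=(\d+) (\d{3})$")

def parse_log(text):
    """Yield (client, session_id, status); lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(2), int(m.group(3)), int(m.group(4))

def detect_enumeration(text, min_ids=5):
    """Flag clients that present many distinct SessionID values with a regular step.

    Returns {client: sorted IDs that answered 200}, i.e. the sessions the guesser
    landed in. A fixed step of 10 (the post's time-saving sweep) is caught too."""
    ids_by_client, hits_by_client = defaultdict(set), defaultdict(set)
    for client, sid, status in parse_log(text):
        ids_by_client[client].add(sid)
        if status == 200:
            hits_by_client[client].add(sid)
    findings = {}
    for client, ids in ids_by_client.items():
        if len(ids) < min_ids:
            continue
        ordered = sorted(ids)
        steps = [b - a for a, b in zip(ordered, ordered[1:])]
        if steps.count(steps[0]) >= 0.7 * len(steps):
            findings[client] = sorted(hits_by_client[client])
    return findings
```

A real router rarely exposes logs this tidy, but the same logic applies to any web server or reverse proxy that records the Cookie header.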


The vendor has been notified but has not responded.


I had a sense that there was more than one vulnerability inside that damn thing … so I went further, testing every functionality from login to rebooting the modem, and while doing that I came across another weird thing. It resides inside the config file.

Step 1: I saved the config file, with Burp hooked up as usual.

Step 2: The router gives you a “.img” file, which when opened under OS X gives you an error,

as it’s not a valid image to be mounted. I looked into the Burp Suite request/response raw data and, surprisingly:

The configuration parameters are saved in plain text!!! I inspected every parameter inside until …..

The first two accounts I set myself, and the passwords are the ones I specified, but what about that 3rd “admin” account that has a parameter saying “<V N="BACKDOOR" V="0x1"/>”, which means “BACKDOOR = YES”?

Trying to SSH to the router with that account …

Aaaand, IT WORKS!!!
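Because the export is plain text, the same dump the attacker reads can be audited by the owner. This script is an added example, not part of the post or the vendor’s firmware: it assumes a constructed config layout in which each account is an <Account> element holding <V N="…" V="…"/> pairs (only the BACKDOOR flag itself comes from the post) and reports accounts you did not create, accounts with the flag set, and passwords stored in the clear.

```python
import xml.etree.ElementTree as ET

# Constructed config export (not the router's real layout); the only element taken
# from the post is the per-account <V N="BACKDOOR" V="0x1"/> flag.
SAMPLE_CONFIG = """\
<Config>
  <Account>
    <V N="Username" V="user1"/>
    <V N="Password" V="user1-secret"/>
    <V N="BACKDOOR" V="0x0"/>
  </Account>
  <Account>
    <V N="Username" V="admin"/>
    <V N="Password" V="PLACEHOLDER-not-the-real-value"/>
    <V N="BACKDOOR" V="0x1"/>
  </Account>
</Config>
"""

def parse_accounts(xml_text):
    """Return one {name: value} dict per <Account>, collapsing its <V> children."""
    root = ET.fromstring(xml_text)
    return [{v.get("N"): v.get("V") for v in acct.findall("V")}
            for acct in root.iter("Account")]

def flag_is_set(value):
    """Flags are stored as hex strings such as "0x1"; anything non-zero counts as set."""
    try:
        return int(value, 0) != 0
    except (TypeError, ValueError):
        return False

def audit_accounts(xml_text, expected_users):
    """Compare the export with the accounts you created; an empty list means clean."""
    findings = []
    for acct in parse_accounts(xml_text):
        user = acct.get("Username", "<unnamed>")
        if user not in expected_users:
            findings.append(f"unexpected account: {user}")
        if flag_is_set(acct.get("BACKDOOR")):
            findings.append(f"BACKDOOR flag set on account: {user}")
        if acct.get("Password"):
            findings.append(f"plaintext password stored for: {user}")
    return findings
```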


Well, obviously the routers are shipped by the ISP with a backdoor account, and this is the 2nd discovery! I have built a Python script that automates the two attacks:

  • If the user is already logged into the router and has a valid session, we can brute force the whole range from 1 to 100 to find the other initialized sessions; to save time you can choose a step of “10” from 1 to 100, so you’ll only make “10” requests to the router instead of “100” to successfully log in.
  • If the attacker is not sure whether the user is logged into the account and wants to get access, then use the backdoor account: Username: admin, Password: 5B80airocon

The vendor has been notified but has not responded.


Routers are becoming the main attack surface for bad hackers, as they’re the entry point for taking over your network. Make sure your router is secure and doesn’t expose any service (HTTP, SSH, FTP) to the wild web.

As usual, happy hacking :), for any questions please leave a comment!


“Mobilis Algeria”: millions of users at risk

Hello guys,

I’m back with a new post and a new discovery. As I’m a Mobilis GSM subscriber, I thought about registering for their online invoice system; I took the steps and was provided with access to my account online.


When you first log in you get this page:


You can do some things from here, like viewing/downloading your invoices and cancelling the online account. We are mainly interested in the invoices, as they contain all the information about the target needed to conduct further attacks on him/her.

I hooked up the Burp Suite proxy to the browser and logged in; I was amazed at what I was seeing 😮 …. this is what happens upon login:



Isn’t that a session initializer? : /servlet/InitSessionExt?USER="account_id"&ACCESS=1&INVOICE="invoice_id"

The “account_id” can be brute forced as it’s a sequential number, but how can we get the “invoice_id” for the target account if we don’t have access yet? .. Remember the graph we saw previously? Well, it could be our entry point, as it reveals all the invoice IDs for a particular account.

With fingers crossed I tried to pass a “random” 😉 account_id:


Wow!! I got all the invoice numbers associated with that account 😀

And now that I have everything, I can pass those parameters to “InitSessionExt” using Burp Repeater and see if it initializes the session without requiring a password.

And ….



YES! I’m in (y)


A malicious attacker can then use that information to social engineer the help desk into doing things to the account, like suspending it. I’ll let you work the machine and think about other potential scenarios 🙂
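The root cause here is that InitSessionExt trusts the USER and INVOICE values sent by the client and never ties the new session to a proven identity. The example below is added for this post and is not Mobilis code: it models the vulnerable initializer next to a hardened flow in which the account comes from a server-side session created only after a password check, and the invoice must belong to that account. Account IDs, passwords and invoice numbers are constructed.

```python
import secrets

# Constructed backend (not Mobilis's system): account_id -> (password, invoice ids).
ACCOUNTS = {
    "1001": ("pw-1001", {"INV-1", "INV-2"}),
    "1002": ("pw-1002", {"INV-7"}),
}
SESSIONS = {}  # server-side store: token -> account_id

def _new_session(account_id):
    token = secrets.token_urlsafe(16)   # unguessable, unlike a sequential counter
    SESSIONS[token] = account_id
    return token

def init_session_vulnerable(params):
    """The pattern seen in the post: USER and INVOICE are taken from the query
    string and nothing proves the caller owns that account, so guessing the two
    numbers is enough to get a session."""
    user, invoice = params.get("USER"), params.get("INVOICE")
    if user in ACCOUNTS and invoice in ACCOUNTS[user][1]:
        return _new_session(user)
    return None

def login(account_id, password):
    """Hardened step 1: a session exists only after the password check passes."""
    entry = ACCOUNTS.get(account_id)
    if entry and secrets.compare_digest(entry[0], password):
        return _new_session(account_id)
    return None

def open_invoice(token, invoice):
    """Hardened step 2: the account is read from the server-side session, never
    from the request, and the invoice must belong to that account."""
    account = SESSIONS.get(token)
    if account is None:
        return None                       # not logged in
    if invoice not in ACCOUNTS[account][1]:
        return None                       # someone else's invoice
    return account, invoice
```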




My MSF (Metasploit Framework) workshop

MSF workshop

Join the workshop and let me show you how to conduct a penetration test using Metasploit. Take your knowledge to the next level with: basic exploitation techniques, Armitage, pivoting, post-exploitation, pass-the-hash attacks and many more.

Heartbleed – Exploiting the net “CVE-2014-0160”



Heartbleed has the potential to be one of the biggest and most widespread vulnerabilities in the history of the modern Internet, and at the root of Heartbleed is encryption. The internet has a set of protocols for security and encryption commonly known as “Secure Sockets Layer” (SSL) and its successor “Transport Layer Security” (TLS); the most common implementation of SSL and TLS is a set of open source tools known as OpenSSL.

More information is available here:

You can test whether your website is vulnerable to the Heartbleed attack from this website: . Well, I was thinking about creating a tool that would test a list of websites (the “TOP 1 Million” websites in my case) and, if the script finds the target vulnerable, send an email to the webmaster telling them that they should fix it!

I have created that tool and it’s available for download here:

Before using the tool you need to change the following inside “”:

import smtplib

fromaddr = ''                 # sender address shown on the notification email
username = 'email_username'   # login name for the SMTP account
password = 'email_password'   # password for the SMTP account
server = smtplib.SMTP('')     # hostname of your SMTP server

After the changes, just place the CSV list of domain names in the script directory and run it from the command line: python



The Vault app isn’t that secure!


Some of us (like me) depend on Vault to hide and secure our contacts, SMS, pics and videos .. I figured out that this app takes some time to load after the phone is booted, and this gives us access to protected apps like “Contacts” before it loads!

This is a test video. I’ll investigate that behavior and let you guys know if I find anything in a detailed future post:



ZynOS – Part 2 (Taking over the network)

Hello again 🙂

I’m going to recap from the last post. What I’m about to demonstrate in this post is the impact an attacker can have on your network once they have access to the router ..

We have access to the router, but our goal is to get a foothold on the remote network. Hmm .. we have the port forwarding option, which is beautiful; what we can do with that is scrape the network pool for internal IPs, forward ports like 445 and 139 and try to exploit them from our end. But imagine a network with 200 machines; that will definitely be time consuming .. and even if you write a script to automate that, what makes you believe you’re actually going to get meterpreter sessions?

So .. what’s the solution?

Hmm, DNS is an interesting thing to look at, since we can provide a DNS server IP to the router for the whole network to use!!

Are we talking about DNS interception? Hell yeah 😀

Here is a list of the tools we’re going to use:

Dnschef: a DNS proxy (read about it HERE)
Metasploit: how to install it on Ubuntu HERE
Webmitm: find out more about it HERE
Burp Suite: it’s available HERE

- Attacking from Ubuntu (Metasploit, dnschef and webmitm) running on (IP:

- Burp Suite will be running at (IP:

First, I’ll explain how I’m going to do the attack:

We’re going to set up our Dnschef proxy:

./ --interface --fakeip

--interface: tells dnschef which interface to listen on.

--fakeip: hijacks requests by returning this IP as the result for every request.

The next step is to launch the webmitm tool, which will handle the HTTP requests and responses; from there we’ll tell webmitm to forward the traffic to the Burp Suite proxy, which will allow us to inject an iframe pointing to the Metasploit browser autopwn server.

We have to configure Burp Suite so that it handles requests on port 80.

It has to be invisible (invisible proxying) ..

Repeat these steps for port 443 to handle HTTPS traffic.

OK, so everything is ready now .. I’ll have to modify the scripts I provided in the previous post so that we can inject our DNS server.

This way I injected my IP address as the first DNS server to use on the router, with Google’s as the 2nd one. If we want to stop the attack on the already injected routers, we block requests made to our DNS server and the router automatically falls back to the 2nd server, Google’s, without showing any DNS resolution error on the victim’s end.
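Two things give this setup away from the victim’s side: the router’s resolver list contains an address that belongs to neither the ISP nor a known public resolver, and a fake-IP proxy answers every unrelated name with the same address. The check below is an added example, not part of the post or of dnschef; the trusted ranges, resolver lists and A-record answers are all constructed.

```python
import ipaddress
from collections import Counter

# Constructed data (not captured traffic). Resolvers the household trusts: the
# ISP's range plus Google. The post's injected router lists a rogue server first
# and Google second, so "at least one trusted server" is not a sufficient check.
TRUSTED_RESOLVERS = ["192.0.2.0/24", "8.8.8.8/32", "8.8.4.4/32"]
INJECTED_SERVERS = ["198.51.100.99", "8.8.8.8"]
CLEAN_SERVERS = ["192.0.2.53", "8.8.8.8"]

# A records for unrelated names as answered by the router-assigned resolver.
# A --fakeip style proxy hands back one address for everything.
HIJACKED_ANSWERS = {n: {"198.51.100.99"} for n in
                    ("shop.example", "mail.example", "news.example", "bank.example")}
NORMAL_ANSWERS = {"shop.example": {"203.0.113.8"}, "mail.example": {"203.0.113.30"},
                  "news.example": {"203.0.113.8"}, "bank.example": {"203.0.113.77"}}

def rogue_resolvers(configured, trusted=TRUSTED_RESOLVERS):
    """Every configured resolver must fall inside a trusted network; return the rest."""
    nets = [ipaddress.ip_network(t) for t in trusted]
    return [s for s in configured
            if not any(ipaddress.ip_address(s) in n for n in nets)]

def sinkhole_ratio(answers):
    """Share of probed names that resolve to the single most common address.
    Unrelated domains collapsing onto one IP is the signature of a fake-IP proxy."""
    hits = Counter(ip for ips in answers.values() for ip in ips)
    if not hits:
        return 0.0
    return hits.most_common(1)[0][1] / len(answers)

def assess_dns(configured, answers, threshold=0.8):
    """Combine both signals into one verdict for a router's DNS settings."""
    rogue = rogue_resolvers(configured)
    ratio = sinkhole_ratio(answers)
    return {"rogue_servers": rogue,
            "sinkhole_ratio": ratio,
            "hijack_suspected": bool(rogue) or ratio >= threshold}
```

In practice the answers come from querying a handful of unrelated names through the resolver the router hands out over DHCP and comparing them against a resolver you reach directly.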

OK, so now we’ll have to launch the browser autopwn module in Metasploit.

PS: I’ll be using port “8080” because webmitm is already using port “80” to forward traffic.

It’s loaded and waiting for victims to browse 🙂

OK, so from here we’ll have to add the iframe injection to Burp Suite, so that when it gets a response for a page requested by the victim, it injects an iframe pointing to “” that’s listening on Metasploit.


After injecting my DNS server into the victim’s router using the scripts, and after setting up everything from dnschef to Metasploit, let’s follow what happens when a victim browses to a website.

We got 3 meterpreter sessions :D


Any questions or comments, feel free to contact me. And as always: Happy Hacking 🙂

How I saved your a** from the ZynOS (rom-0) attack!! (Full disclosure)

Hello everyone, I just wanted to discuss a vulnerability I found and exploited for GOODNESS .. just so that SCRIPT KIDDIES won’t attack your home/business network.

Well, in Algeria the main ISP (Algerie Telecom) provides you with a router when you pay for an internet plan, so you can conclude that every subscriber is using that router. The TD-W8951ND is one of them; I did some IP scanning and found that every router is using ZyXEL embedded firmware.

Analysis:

Let’s download an update, take a look at it and try to find some vulnerabilities. ( )


The ras file is in LIF format!! …
Hmmm, let’s run that file through Binwalk for God’s sake! (check : for more information on how to install it).

This is what Binwalk told me about that file:

You can clearly see and confirm that the router is using ZynOS firmware. We can also see that there are two blocks of LZMA compressed data … let’s extract them and have a look.

The problem is that when I tried to decompress the two blocks I got an error: “Compressed data is corrupt”.

Hmm, first the “ras” file was in LIF format .. and now the LZMA compressed blocks are corrupted!!
I googled this and tried to find a solution, and FOUND NOTHING. How am I going to solve this??
One idea came to mind .. the “strings” command, and here is what I got:


Aaaah! So the blocks aren’t compressed with LZMA or anything! The whole “ras” firmware file is just a big chunk of data in clear text.
OK, let’s try and find some useful STRINGS …

After some time searching, “I” didn’t find anything useful that would help us find vulnerabilities in the firmware!!

I didn’t give up …
I was just thinking and questioning myself:

  • Me: What do you want from this firmware file!
  • Me: I want to find remote vulnerabilities that will help me extract the “admin” password.
  • Me: Does the web interface let you save the current configuration?
  • Me: Yes!!
  • Me: Is the page password protected?
  • Me: No!!! I tried to access that page from a different IP and it didn’t require a password!

OK, enough questions haha ..

Now, when I activated TamperData and clicked “ROMFILE SAVE”, I found out that the rom-0 file is located at “IP/rom-0” and the directory isn’t password protected or anything.

So we are able to download the configuration file, which contains the “admin” password. I took a look at the rom-0 file and couldn’t figure out how to reverse-engineer it, and when you don’t know something it’s not a shame to ask for help .. and that’s what I did!
I contacted “Craig” from, he is an expert when it comes to hacking embedded devices. He’s a great guy; he replied to my email and pointed me to, which is a free rom-0 file decompressor.


When you upload and submit the rom-0 file there, the PHP page replies with the configuration in clear text (INCLUDING THE PASSWORD).

So what I need to do now is automate the process of:

  • Download the rom-0 file.
  • Upload it to
  • Get the reply back and extract the admin password from it.
  • Loop this process over a range of IP addresses.

And that’s exactly what I did: I opened an OLD OLD PoC Python script of mine that accessed routers via telnet using the default passwords, so all I needed to do was add some functionality to it.

Well, I thought about this, and I’m posting this script online ONLY FOR EDUCATIONAL PURPOSES.

You can find the scripts here:

Demo:



Prevention:

Now! How do you prevent attackers from downloading your rom-0 configuration file and manipulating your router? This is pretty simple if you think about it ..
You just have to forward port 80 on the router to an unused IP address on your network:

THAT’S ALL. Or, if you want to play a little with attackers that are using scripts too .. just forward port 80 to your local HTTP server and put a LARGE file named rom-0 in the root directory .. just let them download a 1GB rom-0 file haha haha .. I have also automated the port forwarding and I’m running the scripts daily just to prevent hackers from attacking weak users …

In the next post I’ll demonstrate how a malicious hacker would exploit this to hack TONS of networks and get a meterpreter/reverse shell on every PC on the target network ..

Hope you enjoyed this analysis; if you have anything to add or any questions to ask, don’t hesitate to contact me! BE THEIR HERO, HAPPY HACKING 😉


The decoded.php script is now located at: , and I have updated the script accordingly.
