TL;DR: Time Based Blind SQL Injection with some common sense. If you don't want to read all this technical jargon just scroll down to the end for some important advice/learnings.
Last week I visited my hometown Nagpur for an extended weekend. I have deep love for Nagpur for most of the things except for its Internet. There are no good ISPs providing fiber connections or broadband with a high enough FUP. So my family has settled for a 2 Mbps 50 GB per month plan from a local ISP.
What is FUP?
Most ISPs implement a Fair Usage Policy which will decrease the speed after you reach the usage limit. For eg. - in my case I will have to live with 512 kbps after my 50 GB data usage is over
The ISP doesn't (officialy) provide customers with any interface to view their current usage. This is pretty frustrating as you never know whether you have actually gone over your FUP limit or not.
With the outside temperatures reaching 43-44 degrees, I had no other option but to stay in the house and do something. My first aim was to understand how the ISP was maintaining the usage info of its customers. I logged into my router's admin console (192.168.2.1) and went straight to the page which shows me the info about the internet connection ( PPPOE ). From there I found the gateway IP address. Gateway IP address is the IP address of a router/computer through which all your internet traffic goes. You can imagine it as a big router which connects all the customers to internet. This should be the place where my internet usage is getting recorded.
I started a scanning the Gateway IP address for open ports using Zenmap(nmap GUI for Windows) . I found that the following ports were open and seemed interesting.
- Port 80 - http
- Port 443 - https
- Port 3306 - mysql
Since port 80 and 443 were open. I quickly opened the Gateway IP address on my browser and found the login page of the customer management portal. This was the place I was looking for.
I tried entering my PPPOE username and default password and voila it worked. I could now see my current usage, change the default password and do much more. A quick glance on the info assured me of the foul play by my ISP. The ISP was actually just giving me 30GB FUP instead of the promised 50GB.
This was enough for the hacker inside me to wake up and start working. I went to the login page and tried some basic SQL injection inputs and luckily one of inputs worked and I was logged into someone else's account. I saw that this username was starting with letter 'a' and I quickly figured out that this must be the first username in the database. The SQL injection has bypassed the username and password check and logged me in as the first available user. I tried some more SQL injection queries to find whether error based SQL injection was an option or not. But sadly they have disabled all the errors. I also tried some other options but none of them seemed to work.
StackExchange provides a great explanation of SQL injection for non-techies.
Now the only option that I could think of was doing a Time Based Blind SQL injection which would take a lot of time since it like asking database true or false questions and then making sense depending on the answers.
I knew that doing this manually is not an option. So I fired up a KALI Linux instance on a Hyper-V Virtual Machine and instructed SQLMAP (an automated SQL injection tool) to do all of the hard work for me for the rest of the night. You have to patient if you are doing a Time Based SQL injection.
KALI Linux is an Advanced Penetration Testing Linux distribution used for Penetration Testing. Hyper-V is an alternative to Virtual Box that comes pre-installed on Windows.
I woke up next morning to find out the I have got the dump of table containing four username and password of elevated users of the management software. I appended /admin to the Gateway IP hoping that it would take me to the admin login page and I was right.
Now the problem was that the password was hashed one way. I looked at the hash and quickly figured out that it is a MD5 hash(32 character). I googled 'MD5 reverse', opened the first link and pasted the hash in the hope of getting the original value. Out of the four hashes I was able to reverse the two because the passwords were same and very simple. You must be wondering what was the password. Try to reverse this hash
d8578edf8458ce06fbc5bb76a58c5ca4 and you will get it. It was really that simple.
I logged in with the username and password and the ship was now in my control.
But this user didn't had some of the more elevated privileges like changing the minimum speed of the user etc.
So I took the other hash and started trying to reverse it on various different websites. Luckily on one of the sites, I was able to successfully reverse the hash, the password was 9 character long containing upper and lowercase letters, numbers and special characters. I know such a password is generallly regarded as safe but one should clearly accept the fact that MD5 is easy to reverse and short passwords are always a bad idea even if there contain special characters.
What information was available in admin panel?
- All the usernames and their MD5 password hashes. The ISP used the default password for everyone and it was a single password therefore it was very simple to reverse it.
- A good thing was that each account was binded with a MAC address. So even if I had the username and password of someone else I would not be able to use that. The bad thing about this was I also got their MAC addresses from the admin panel so I could easily fake my MAC address in my router settings and use any other username and password easily. I never tried this but I am sure that it would have worked for sure.
- Various other information like phone, email, address etc. that I didn't cared about.