Hacking Wireless DSL routers via Administrative password Reset Vulnerability

If you want to hack a Netgear and Linkys Wireless Routers, there is a quick backdoor entry available, that allow an attacker to reset the admin panel password to defaults.

Eloi Vanderbeken, a hacker and reverse-engineer from France has discovered an administration password Reset vulnerability in many Netgear and Linkys Routers.

In a blog post, Eloi said that During Christmas Holidays he forgot the admin interface password of his Linksys WAG200G router and in an effort to gain access back of its administration panel, he first scanned the Router and found a suspicious open TCP port i.e. 32764.

To do further research on this port service, he downloaded a copy Linksys firmware and reverse-engineered it. He found was a secret backdoor interface that allowed him to send commands to the router from a command-line shell without being authenticated as the administrator.

Then he blindly tested commands, but doing so flips the router's configuration back to factory settings with default router administration username and password.

He described the complete details of this Serious vulnerability in above slides. After his post, other hackers around the world did further research, that shows that these devices are made by Sercomm, meaning that Cisco, Watchguard, Belkin and various others may be affected as well. The Complete List of vulnerable devices is available at his GitHub post i.e. Linksys WAG200G, Netgear DM111Pv2, Linksys WAG320N, Linksys WAG54G2, DGN1000 Netgear N150 and many more. Click here to see the complete list of vulnerable routers.

The Python based exploit script can be downloaded from here.

Update: To perform this attack, an attacker should be the part of router's network, but also there are more than 2000 vulnerable routers available on the Internet, according to Shodan Scan search i.e Search-1 & Search-2.