Primary Goal
Can we get shell access with SSH!?
Why is there an SSH server running on a home router?
Created on: 2019-09-04
Tag: useless_rnd
Discovery: First found with a random port search with Port Authority port scanner.
Brand: TP-Link
Hardware Version: WR841N v11 00000000
Firmware Version: 3.16.9 Build 151021 Rel.76995n
Can we get shell access with SSH!?
The Nmap scan shows it uses Dropbear sshd:
```
# Nmap 7.60 scan initiated Wed Sep 4 03:04:09 2019 as: nmap -sC -sV -oA wr841N_v11/wr841N_v11 192.168.0.1
Nmap scan report for _gateway (192.168.0.1)
Host is up (0.0062s latency).
Not shown: 996 closed ports
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     Dropbear sshd 2012.55 (protocol 2.0)
| ssh-hostkey:
|   1024 d2:b1:fa:6c:de:58:d9:17:f7:e5:dd:ba:44:37:39:d4 (DSA)
|_  1040 f8:cc:5b:03:94:db:0c:3f:04:56:d4:76:29:51:5b:0d (RSA)
80/tcp    open  http    TP-LINK WR841N WAP http config
|_http-title: TL-WR841N
1900/tcp  open  upnp    ipOS upnpd (TP-LINK TL-WR841N WAP 11.0; UPnP 1.0)
49152/tcp open  http    Huawei HG8245T modem http config
|_http-title: Site doesn't have a title.
MAC Address: 84:16:F9:FC:9B:CC (Tp-link Technologies)
Service Info: OSs: Linux, ipOS 7.0; Devices: WAP, broadband router; CPE: cpe:/o:linux:linux_kernel, cpe:/h:tp-link:wr841n, cpe:/h:tp-link:tl-wr841n, cpe:/o:ubicom:ipos:7.0, cpe:/h:huawei:hg8245t

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Mar 3 13:57:03 2020 -- 1 IP address (1 host up) scanned in 154.57 seconds
```
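One way to turn a scan like the one above into a repeatable check of which remote-administration services a router exposes. This is an added example, not part of the original notes; the `ADMIN_SERVICES` set and the function names are assumptions, and the sample input is trimmed from the scan output above.

```python
import re

# Services treated as remote administration; this set is an assumption of the example.
ADMIN_SERVICES = {"ssh", "telnet"}

# One "PORT STATE SERVICE VERSION" row of nmap normal (-oN) output.
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")

# Sample trimmed from the scan shown above (NSE script lines kept on purpose).
SAMPLE = """\
Nmap scan report for _gateway (192.168.0.1)
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     Dropbear sshd 2012.55 (protocol 2.0)
| ssh-hostkey:
80/tcp    open  http    TP-LINK WR841N WAP http config
|_http-title: TL-WR841N
1900/tcp  open  upnp    ipOS upnpd (TP-LINK TL-WR841N WAP 11.0; UPnP 1.0)
49152/tcp open  http    Huawei HG8245T modem http config
"""

def parse_ports(report):
    """Return one dict per port row; NSE script lines ('|', '|_') are skipped."""
    rows = []
    for line in report.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            port, proto, state, service, version = m.groups()
            rows.append({"port": int(port), "proto": proto, "state": state,
                         # nmap appends '?' when it is only guessing the service
                         "service": service.rstrip("?"), "version": version or ""})
    return rows

def exposed_admin_services(report):
    """Open ports whose detected service is a remote-administration protocol."""
    return [r for r in parse_ports(report)
            if r["state"] == "open" and r["service"] in ADMIN_SERVICES]

def dropbear_version(row):
    """Extract the Dropbear release from a version string, or None."""
    m = re.search(r"Dropbear sshd (\S+)", row["version"])
    return m.group(1) if m else None

if __name__ == "__main__":
    for row in exposed_admin_services(SAMPLE):
        print(f'{row["port"]}/{row["proto"]} {row["service"]}: {row["version"]}')
```
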
If we try to log in with the router's web interface login credentials, it gives the following error:
```
bobcat@what-the-ssh:~/fr37/temp$ ssh admin@192.168.10.1
admin@192.168.10.1's password:
PTY allocation request failed on channel 0
shell request failed on channel 0
bobcat@what-the-ssh:~/fr37/temp$
```
Searching Google for the error "dropbear ssh pty allocation request failed tplink", we get this forum post, which leads us to the official support FAQ, which says it is for the use of their official Android apps like Tether and more.
Update: Mar 03, 2020
Same behaviour found with Archer C60
Brand: TP-Link
Hardware Version: Archer C60 v2.0
Firmware Version: 2.0.0 Build 20161206 rel.65407er
Update: Mar 08, 2020
Surprise! Surprise! I found one router in the wild with the Telnet port open. It asked for authentication, which is nice; at least it is not open for all. And guess what happened when I tried the web interface login credentials. Ladies and gentlemen, we are dropped into the configure terminal of the router. Due to lack of time and not being very efficient with Termux, I neither got to collect the hardware and firmware version nor any screenshot. Will try to update soon!
Update: Mar 27, 2020
Just found this link: https://0x90.psaux.io/2020/03/01/Taking-Back-What-Is-Already-Yours-Router-Wars-Episode-I/. Maybe Root is a potential user name?
From primary recon it seems that shell access is blocked, so NO direct access to a shell is possible.
See how the SSH server is denying shell access, i.e. how shell access is blocked over SSH.
emulator: https://www.tp-link.com/us/support/emulator/, https://emulator.tp-link.com/TL-WR720N_V2/index.htm, https://emulator.tp-link.com/EAP120_1.0/pages/login.html (admin, admin)