Nokia G-010G-P ONT
TL;DR
This is a Nokia G-010G-P ONT (Optical network terminal) recovered from a scrapyard running an embedded Linux 2.6.30.9. The ONTs are network devices usually installed in home fiber-optics broadband facilities. Their purpose is to convert the optical signal from the ISP into an electrical signal, so home Gigabit-Ethernet routers can interpret it. These devices can be internal, if integrated inside the router delivered by the ISP; or external, as in the case of this device. When external, it must be installed between the home router and the ISP network, and acts as a demarcation point between the carrier's local loop and the customer's premises wiring.
This is very easy to root this device as telnet port is open and root credentials can be easily found in internet; therefore, it is a good starting point for pentesters wanting to initiate themselves in the field of hardware/IoT hacking. Apart from telnet root, this write-up includes: rooting via UART port, Busybox upgrade, port scanning and web interface enumeration.
KEYWORDS
Nokia G-010G-P, ONT, UART, CP2120, GPON.
REFERENCES
https://www.normann-engineering.com/en/refurbished/products/1234/nokia-g-010g-p/
https://www.normann-engineering.com/products/product_pdf/gpon_equipment/nokia/EN_G-010G-P.pdf
https://www.busybox.net/downloads/binaries/1.18.4/busybox-mips
https://hack-gpon.org/ont-nokia-g-010g-p/
https://forum.openwrt.org/t/help-for-how-to-root-the-g-010g-p-via-usb-ttl/115656
TOOLING
Screwdriver, CP2102 USB to UART converter, Dupont wire connectors.
ENUMERATION
A quick Google search returns Nokia G-010G documentation links and datasheets.
https://www.normann-engineering.com/en/refurbished/products/1234/nokia-g-010g-p
https://www.normann-engineering.com/products/product_pdf/gpon_equipment/nokia/EN_G-010G-P.pdf
First step is to remove the cover case to get access to the device internals. Just turn the ONT around and remove the top pads, there are 2 screws beneath them, unscrew them and open the case.
Inspect the PCB and identify the relevant items.
Realtek RTL90601b network chipset.
UART port, with soldered connection pins.
Winbond 25Q128JSVQ flash memory to store the firmware (https://www.winbond.com/hq/product/code-storage-flash-memory/serial-nor-flash/?__locale=en&partNo=W25Q128JV)
UART ROOT
First step is to find the UART ground with a multimeter, and proceed to find Rx and Tx pins. Then connect the UART pins to the CP2102 USB converter, which in turn is connected to the laptop USB port.
Keep in mind that UART GND goes to CP2102 GND, Tx UART goes to Rx CP2102, and Rx UART goes to Tx CP2102.
Open a picocom serial terminal at 115200 bauds in Kali and power on the device, the bootlog is dumped.
> picocom -b 115200 /dev/ttyUSB0
picocom v3.1
port is : /dev/ttyUSB0
flowcontrol : none
baudrate is : 115200
parity is : none
databits are : 8
stopbits are : 1
escape is : C-a
local echo is : no
noinit is : no
noreset is : no
hangup is : no
nolock is : no
send_cmd is : sz -vv
receive_cmd is : rz -vv -E
imap is :
omap is :
emap is : crcrlf,delbs,
logfile is : none
initstring : none
exit_after is : not set
exit is : no
Type [C-a] [C-h] to see available commands
Terminal ready
PRELOADER.3.2.0.REL_R2787.w11
DD: efuse2: 00000060 => 55e6 => 0x01c4; 00000000 => 0xbcc8... done
DD: efuse3: 0000bebe => 0xbcc4... done
DD: efuse4: 00008888 => 0xbcdc... done
DD: efuse5: 0000aaaa => 0xbce0... done
DD: efuse6: di: a1; sds_num: 1; gphy_num: 0
DD: efuse gphy: done
DD: efuse sds: [0000fd2b => 00000421] done
DD: efuse lxb: break
II: Disabling OCP/LX timeout monitors... done
Get prestate = 1 in the init stage...
II: NOR SPI-F... Generic 3B NOR SPI-F [00ef4018] selected... done
II: OCP 100MHz(400/P4/C1), MEM 325MHz, LX 200MHz, SPIF 50MHz(1000/(5*4))
DRAM AUTO CALIBRATION
AutoK: ZQ Calibration Passed
AutoK: MR0: 0x00100b62
AutoK: MR1: 0x00110040
AutoK: MR2: 0x00120000
AutoK: MR3: 0x00130000
bit:00, max_w_s(00), max_w_len(17), max_r_s(00), max_r_len(31): (0xb8001510) = 0x1e0f00
bit:01, max_w_s(00), max_w_len(19), max_r_s(02), max_r_len(29): (0xb8001514) = 0x1e1102
bit:02, max_w_s(00), max_w_len(17), max_r_s(04), max_r_len(27): (0xb8001518) = 0x1e1304
bit:03, max_w_s(00), max_w_len(19), max_r_s(00), max_r_len(31): (0xb800151c) = 0x1e0f00
bit:04, max_w_s(00), max_w_len(19), max_r_s(04), max_r_len(27): (0xb8001520) = 0x1e1304
bit:05, max_w_s(00), max_w_len(17), max_r_s(02), max_r_len(29): (0xb8001524) = 0x1e1102
bit:06, max_w_s(00), max_w_len(19), max_r_s(00), max_r_len(31): (0xb8001528) = 0x1e0f00
bit:07, max_w_s(00), max_w_len(19), max_r_s(00), max_r_len(31): (0xb800152c) = 0x1e0f00
bit:08, max_w_s(00), max_w_len(17), max_r_s(02), max_r_len(29): (0xb8001530) = 0x1e1102
bit:09, max_w_s(00), max_w_len(19), max_r_s(00), max_r_len(31): (0xb8001534) = 0x1e0f00
bit:10, max_w_s(04), max_w_len(03), max_r_s(00), max_r_len(31): (0xb8001538) = 0x1e0f00
bit:11, max_w_s(00), max_w_len(19), max_r_s(02), max_r_len(29): (0xb800153c) = 0x1e1102
bit:12, max_w_s(00), max_w_len(21), max_r_s(00), max_r_len(31): (0xb8001540) = 0x1e0f00
bit:13, max_w_s(00), max_w_len(19), max_r_s(02), max_r_len(29): (0xb8001544) = 0x1e1102
bit:14, max_w_s(00), max_w_len(19), max_r_s(02), max_r_len(29): (0xb8001548) = 0x1e1102
bit:15, max_w_s(00), max_w_len(19), max_r_s(00), max_r_len(31): (0xb800154c) = 0x1e0f00
bit:16, max_w_s(00), max_w_len(17), max_r_s(00), max_r_len(31): (0xb8001550) = 0x1e0f00
bit:17, max_w_s(00), max_w_len(17), max_r_s(02), max_r_len(29): (0xb8001554) = 0x1e1102
bit:18, max_w_s(00), max_w_len(17), max_r_s(02), max_r_len(29): (0xb8001558) = 0x1e1102
bit:19, max_w_s(00), max_w_len(17), max_r_s(02), max_r_len(29): (0xb800155c) = 0x1e1102
bit:20, max_w_s(00), max_w_len(17), max_r_s(04), max_r_len(27): (0xb8001560) = 0x1e1304
bit:21, max_w_s(00), max_w_len(17), max_r_s(02), max_r_len(29): (0xb8001564) = 0x1e1102
bit:22, max_w_s(00), max_w_len(19), max_r_s(00), max_r_len(31): (0xb8001568) = 0x1e0f00
bit:23, max_w_s(00), max_w_len(19), max_r_s(00), max_r_len(31): (0xb800156c) = 0x1e0f00
bit:24, max_w_s(00), max_w_len(15), max_r_s(02), max_r_len(29): (0xb8001570) = 0x1e1102
bit:25, max_w_s(10), max_w_len(03), max_r_s(02), max_r_len(29): (0xb8001574) = 0x1e1102
bit:26, max_w_s(00), max_w_len(15), max_r_s(02), max_r_len(29): (0xb8001578) = 0x1e1102
bit:27, max_w_s(00), max_w_len(17), max_r_s(04), max_r_len(27): (0xb800157c) = 0x1e1304
bit:28, max_w_s(00), max_w_len(19), max_r_s(02), max_r_len(29): (0xb8001580) = 0x1e1102
bit:29, max_w_s(00), max_w_len(17), max_r_s(02), max_r_len(29): (0xb8001584) = 0x1e1102
bit:30, max_w_s(00), max_w_len(19), max_r_s(04), max_r_len(27): (0xb8001588) = 0x1e1304
bit:31, max_w_s(00), max_w_len(17), max_r_s(00), max_r_len(31): (0xb800158c) = 0x1e0f00
AutoK: dram auto calibrtaion is done
II: MEM_PROBE_OK
II: MEM_XLAT_OK
II: MEM_TO_REG_OK
II: MEM_CNTLR_ZQ_STRICT_OK
II: MEM_CAL_OK
II: cntlr zq result: 0018e975
II: dcr result: 11210000
II: Decompressing U-Boot (0x80f00000 <- 0x9fc1a200)... (212 KB <- 80 KB) OK
II: Starting U-boot...
CIG Version: 3.04.09
U-Boot 2011.12.NA-svn94986 (Jan 15 2016 - 17:00:30)
Board: RTL9601B CPU:100MHz LX:200MHz DDR2:325MHz..
SPI-F: 1x16 MB (plr_flash_info @ 9f002d20)
[debug] start to init flash_info (1)
[debug] <0> unit size=0x10000, unit count=256
*** Warning - bad CRC, using default environment
*** !!! Check Result: Chk_CRC: 0x0, Chk_Empty: 0x0
Net: LUNA GMAC
Warning: eth device name has a space!
**************************************
* *
* KEY -- Enter console terminal *
* *
**************************************
waiting for your select .....
do_jffs2_fsload offset 0x80400000 loadaddr=0xbd088000..
get loadbit 0,bootbit 0
Get current Image = ImageB..
--- jffs2_part_info: partition number 3 for device sflash0 (sflash.0)
Loading 'uImage' from CRAMFS Partition 'imageb' to 0x80400000.
Root Filesystem crc check successfully!
PRODUCT: sfu
SS : noss
DSP : nodsp
WIFI: nowifi
XDSL: nodsl
Software version: 3FE45655BOCK56
## Booting kernel from Legacy Image at 80400000 ...
Image Name: Linux Kernel Image
Created: 2015-12-11 6:28:09 UTC
Image Type: MIPS Linux Kernel Image (gzip compressed)
Data Size: 1440099 Bytes = 1.4 MB
Load Address: 80000000
Entry Point: 80000000
Verifying Checksum ... OK
Uncompressing Kernel Image ... OK
Starting kernel ...
Linux version 2.6.30.9-cig-sfu-1 (taojipeng@sw1-dev) (gcc version 4.4.6 (Realtek RSDK-1.5.6p2) ) #1 Fri Dec 11 11:48:11 CST 2015
CPU revision is: 0000dc02
Determined physical RAM map:
memory: 03800000 @ 00000000 (usable)
User-defined physical RAM map:
memory: 01f00000 @ 00000000 (usable)
Zone PFN ranges:
Normal 0x00000000 -> 0x00001f00
Movable zone start PFN for each node
early_node_map[1] active PFN ranges
0: 0x00000000 -> 0x00001f00
Built 1 zonelists in Zone order, mobility grouping on. Total pages: 7874
Kernel command line: console=ttyS0,115200 mem=31M root=/dev/mtdblock3 mtdparts=sflash:512K@0x0(Boot),0x180000@0x80000(Config),7M@0x200000(ImageA),7M@0x900000(ImageB) rootfstype=cramfs hasEeprom=0 5srst=0
root_dev_setup line 179 root: /dev/mtdblock3
icache: 64kB/32B, dcache: 32kB/32B, scache: 0kB/0B
NR_IRQS:128
PID hash table entries: 128 (order: 7, 512 bytes)
console [ttyS0] enabled
Dentry cache hash table entries: 4096 (order: 2, 16384 bytes)
Inode-cache hash table entries: 2048 (order: 1, 8192 bytes)
Memory: 28056k/31744k available (2448k kernel code, 3688k reserved, 653k data, 108k init, 0k highmem)
Calibrating delay loop... 97.79 BogoMIPS (lpj=48896)
Mount-cache hash table entries: 512
IMEM section size = 0x3244
net_namespace: 788 bytes
NET: Registered protocol family 16
bio: create slab <bio-0> at 0
Sangoma WANPIPE Router v1.1 (c) 1995-2000 Sangoma Technologies Inc.
NET: Registered protocol family 2
IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
TCP established hash table entries: 1024 (order: 1, 8192 bytes)
TCP bind hash table entries: 1024 (order: 0, 4096 bytes)
TCP: Hash tables configured (established 1024 bind 1024)
TCP reno registered
NET: Registered protocol family 1
Realtek GPIO Driver for Flash Reload Default
netlog: listening on port 4660
NTFS driver 2.1.29 [Flags: R/W].
JFFS2 version 2.2. (NAND) © 2001-2006 Red Hat, Inc.
msgmni has been set to 54
alg: No test for stdrng (krng)
io scheduler noop registered
io scheduler deadline registered
io scheduler cfq registered (default)
Serial: 8250/16550 driver, 1 ports, IRQ sharing disabled
serial8250: ttyS0 at MMIO 0x0 (irq = 49) is a 16550A
loop: module loaded
PPP generic driver version 2.4.2
NET: Registered protocol family 24
===============================================================================
init_luna_nor_spi_map: flash map at 0xbd000000
luna spi probe...
luna SPI FLASH G2 driver version 1.00-II: NOR SPI-F... Generic 3B NOR SPI-F detected... done
master->name sflash
cmd: cmdlinepart
4 cmdlinepart partitions found on MTD device sflash
add luna nor spi partition
MTD partitions obtained from kernel command line
Creating 4 MTD partitions on "sflash":
0x000000000000-0x000000080000 : "Boot"
0x000000080000-0x000000200000 : "Config"
0x000000200000-0x000000900000 : "ImageA"
0x000000900000-0x000001000000 : "ImageB"
===============================================================================
u32 classifier
nf_conntrack version 0.5.0 (496 buckets, 1984 max)
ip_tables: (C) 2000-2006 Netfilter Core Team
TCP cubic registered
Realtek SD2-FastPath v1.00beta_2.4.26-uc0
/proc/FastPath created
Realtek MCast FastPath
/proc/mc_FastPath created
NET: Registered protocol family 10
lo: Disabled Privacy Extensions
IPv6 over IPv4 tunneling driver
sit0: Disabled Privacy Extensions
ip6tnl0: Disabled Privacy Extensions
NET: Registered protocol family 17
Bridge firewalling registered
Ebtables v2.0 registered
VFS: Mounted root (cramfs filesystem) readonly on device 31:3.
Freeing unused kernel memory: 108k freed
# num is 10,nothing need to do
ONT>SSP read eqvid :3FE45458ACAA05
Starting Application: 0x00002000, /bin/TimerMgr................Done.
Starting Application: 0x00001000, /bin/LogMgr................Done.
app 0x00007000 stop invalid timer[0]
### Invalid Decimal_Factor, use default 0xdb
### Invalid Settle_Time, use default 0x68
### Invalid P1_Mask, use default 0x5a
Tx has been calibrated!!
Starting Application: 0x00007000, /bin/MiscMgr................Done.
starting to upgrade boot
file[/bootimg/00a9_01_01] length=189440
Flash bootload versin is 3.04.09
Upgrading bootload versin is 3.04.09
Upgrading boot is old
Check base image file CRC ... cal_crc (706307a4) ori_crc (706307a4) Success.
Mount Backup[/dev/mtdblock2] as cramfs...Success.
major ID[0xa9] minor ID[0x1]
cp: can't stat '/mnt/rwdir2/sys.log': No such file or directory
mv: can't create '/mnt/rwdir2/sys.log': Read-only file system
cp: can't stat '/mnt/rwdir2/sys.log': No such file or directory
mv: can't create '/mnt/rwdir2/sys.log': Read-only file system
receive MMR_MSG_SET_ACTIVE_IMAGE_ID
receive MMR_MSG_SET_COMMIT_IMAGE_ID
Starting Application: 0x00003000, /bin/MecMgr................Done.
Starting Application: 0x00004000, /bin/PonMgr................Done.
------>NET open default xml failedVOS_RegisterEventListener:2672, Init event socket 9
vos_OnKernelEvent:2593, Start receving event on socket 9
Starting Application: 0x00009000, /bin/NetMgr................Done.
Starting Application: 0x00005000, /bin/EthMgr................Done.
Starting Application: 0x0000c000, /bin/WebMgr................Done.
Laser TX OFF
Laser TX ON
INFO: ALL APPs are ready.
Preparing stress ...
ONT>After load finishes, first step is to enable the login prompt. Login credentials are root:huigu309
These 2 resources are helpful:
https://hack-gpon.org/ont-nokia-g-010g-p
https://forum.openwrt.org/t/help-for-how-to-root-the-g-010g-p-via-usb-ttl/115656
Type enable to activate the login prompt, then type login to enter credentials.
ONT>enable
#ONT>login
User name:root
Password:After entering credentials the screen is cleared and a new the prompt appears. In the new prompt, type help for a list of possible input commands.
#ONT>help
Description: CLI Root
+traffic Service CLI menu
+system System CLI menuSpawn a Linux shell by typing system command, and then type shell
From this shell we can further enumerate the Busybox version, and view the allowed commands.
#ONT/system/shell>cd /bin
#ONT/system/shell>ls
Console dnsdomainname klogd pwd
EthMgr dropbear ln qc
GponCLI dsp loadconfig reboot
GponSLID echo login rm
LogMgr ecmh lp rmdir
MecMgr egrep lpadmin route
MiscMgr expr lpstat run-parts
NetMgr factory ls saveconfig
PonMgr false mReport sed
ShowStatus fgrep mdev sh
Ssp flash mfcv6d sleep
TimerMgr flatfsd miniupnpd slogd
WebMgr ftp mkdir startup
arp ftpd mknod stat
ash fuser mktemp stty
brctl grep mount sync
busybox gunzip mountpoint tar
cat gzip mpoactl telnetd
catv halt mpoad tftpd
chat hostname msh touch
chgrp ifconfig mv traceroute
chmod inetd netstat true
chown ip nice udhcpd
config ipaddr ntpclient umount
configd iplink parallel uname
cp iproute pidof usleep
date iprule ping vi
dd iptables ping6 vsntp
df iptables-batch poweroff zcat
diag iptunnel printenv
dmesg kill ps
#ONT/system/shell>./busybox
BusyBox v1.18.4 (2017-03-15 17:29:57 CST) multi-call binary.
Copyright (C) 1998-2009 Erik Andersen, Rob Landley, Denys Vlasenko
and others. Licensed under GPLv2.
See source distribution for full notice.
Usage: busybox [function] [arguments]...
or: busybox --list[-full]
or: function [arguments]...
BusyBox is a multi-call binary that combines many common Unix
utilities into a single executable. Most people will create a
link to busybox for each function they wish to use and BusyBox
will act like whatever it was invoked as.
Currently defined functions:
[, [[, ar, arp, arping, ash, awk, basename, bunzip2, bzcat, bzip2, cal,
cat, catv, chgrp, chmod, chown, cksum, cmp, comm, cp, cut, date, dd,
df, dirname, dmesg, dnsdomainname, dos2unix, du, echo, egrep, env,
expand, expr, false, fgrep, fold, free, ftpget, ftpput, grep, gunzip,
gzip, halt, head, hostid, hostname, id, ifconfig, ifdown, ifup, init,
insmod, install, ip, ipaddr, ipcs, iplink, iproute, iprule, iptunnel,
kill, killall, killall5, length, linuxrc, ln, logname, logread,
losetup, ls, lsmod, lspci, lsusb, md5sum, mkdir, mkfifo, mknod, mktemp,
modinfo, modprobe, mount, mountpoint, mv, netstat, nice, nohup, od,
pidof, ping, ping6, poweroff, printenv, printf, ps, pwd, readlink,
realpath, reboot, rm, rmdir, rmmod, route, run-parts, sed, seq, sh,
sha1sum, sha256sum, sha512sum, sleep, sort, split, stat, stty, sum,
sync, sysctl, syslogd, tac, tail, tar, tee, test, tftp, top, touch, tr,
traceroute, traceroute6, true, tty, udhcpc, umount, uname, unexpand,
uniq, unix2dos, usleep, uudecode, uuencode, vconfig, vi, wget, zcatThe defined functions available are limited, but enough to continue enumerating the system.
#ONT/system/shell>uname -a
Linux (none) 2.6.30.9-cig-sfu-1 #1 Fri Dec 11 11:48:11 CST 2015 rlx GNU/LinuxAnd the network config.
#ONT/system/shell>ifconfig
eth0 Link encap:Ethernet HWaddr A4:81:7A:CB:72:2C
inet6 addr: fe80::a681:7aff:fecb:722c/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:11 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:866 (866.0 B)
Interrupt:26 Base address:0x2000
lan0 Link encap:Ethernet HWaddr A4:81:7A:CB:72:2C
inet addr:192.168.100.1 Bcast:192.168.100.255 Mask:255.255.255.0
inet6 addr: fe80::a681:7aff:fecb:722c/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:468 (468.0 B)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)A full Busybox version would provide more flexibility. The the binary can be downloaded from here: https://www.busybox.net/downloads/binaries/1.18.4/busybox-mips
Good news are the currently installed Busybox allows to run wget, so we can transfer files from our Kali machine. Also, a writable directory is needed as destination, for example this one /var/tmp
#ONT/system/shell>cd /var/tmp
#ONT/system/shell>wget http://192.168.100.5/busybox-mips
Connecting to 192.168.100.5 (192.168.100.5:80)
busybox-mips 100% |***********************************************************************| 1506k 00:00:00 ETA
#ONT/system/shell>chmod +x busybox-mips
#ONT/system/shell>./busybox-mips
BusyBox v1.18.4 (2011-04-04 19:31:40 CDT) multi-call binary.
Copyright (C) 1998-2009 Erik Andersen, Rob Landley, Denys Vlasenko
and others. Licensed under GPLv2.
See source distribution for full notice.
Usage: busybox [function] [arguments]...
or: busybox --list[-full]
or: function [arguments]...
BusyBox is a multi-call binary that combines many common Unix
utilities into a single executable. Most people will create a
link to busybox for each function they wish to use and BusyBox
will act like whatever it was invoked as.
Currently defined functions:
[, [[, acpid, add-shell, addgroup, adduser, adjtimex, arp, arping, ash, awk, base64, basename, beep, blkid, blockdev, bootchartd, brctl, bunzip2, bzcat, bzip2, cal, cat, catv, chat, chattr, chgrp, chmod, chown, chpasswd, chpst, chroot, chrt, chvt, cksum, clear, cmp, comm, cp, cpio, crond, crontab, cryptpw, cttyhack, cut, date, dc, dd, deallocvt, delgroup, deluser, depmod, devmem, df, dhcprelay, diff, dirname, dmesg, dnsd, dnsdomainname, dos2unix, du, dumpkmap, dumpleases, echo, ed, egrep, eject, env, envdir, envuidgid, ether-wake, expand, expr, fakeidentd, false, fbset, fbsplash, fdflush, fdformat, fdisk, fgconsole, fgrep, find, findfs, flock, fold, free, freeramdisk, fsck, fsck.minix, fsync, ftpd, ftpget, ftpput, fuser, getopt, getty, grep, gunzip, gzip, halt, hd, hdparm, head, hexdump, hostid, hostname, httpd, hush, hwclock, id, ifconfig, ifdown, ifenslave, ifplugd, ifup, inetd, init, insmod, install, ionice, iostat, ip, ipaddr, ipcalc, ipcrm, ipcs, iplink, iproute, iprule, iptunnel, kbd_mode, kill, killall, killall5, klogd, last, length, less, linux32, linux64, linuxrc, ln, loadfont, loadkmap, logger, login, logname, logread, losetup, lpd, lpq, lpr, ls, lsattr, lsmod, lspci, lsusb, lzcat, lzma, lzop, lzopcat, makedevs, makemime, man, md5sum, mdev, mesg, microcom, mkdir, mkdosfs, mke2fs, mkfifo, mkfs.ext2, mkfs.minix, mkfs.vfat, mknod, mkpasswd, mkswap, mktemp, modinfo, modprobe, more, mount, mountpoint, mpstat, mt, mv, nameif, nbd-client, nc, netstat, nice, nmeter, nohup, nslookup, ntpd, od, openvt, passwd, patch, pgrep, pidof, ping, ping6, pipe_progress, pivot_root, pkill, pmap, popmaildir, poweroff, powertop, printenv, printf, ps, pscan, pwd, raidautorun, rdate, rdev, readahead, readlink, readprofile, realpath, reboot, reformime, remove-shell, renice, reset, resize, rev, rm, rmdir, rmmod, route, rpm, rpm2cpio, rtcwake, run-parts, runlevel, runsv, runsvdir, rx, script, scriptreplay, sed, sendmail, seq, setarch, setconsole, setfont, setkeycodes, setlogcons, setsid, setuidgid, sh, sha1sum, sha256sum, sha512sum, showkey, slattach, sleep, smemcap, softlimit, sort, split, start-stop-daemon, stat, strings, stty, su, sulogin, sum, sv, svlogd, swapoff, swapon, switch_root, sync, sysctl, syslogd, tac, tail, tar, tcpsvd, tee, telnet, telnetd, test, tftp, tftpd, time, timeout, top, touch, tr, traceroute, traceroute6, true, tty, ttysize, tunctl, udhcpc, udhcpd, udpsvd, umount, uname, unexpand, uniq, unix2dos, unlzma, unlzop, unxz, unzip, uptime, usleep, uudecode, uuencode, vconfig, vi, vlock, volname, wall, watch, watchdog, wc, wget, which, who, whoami, xargs, xz, xzcat, yes, zcat, zcip
#ONT/system/shell>./busybox-mips whoami
root
#ONT/system/shell>PORT SCAN
Connect the ONT Ethernet port to your laptop with a network wire and launch Kali in bridged network mode in Virtual Box. Then configure an IP for the eth0 interface in Kali.
> ifconfig eth0 192.168.100.5 netmask 255.255.255.0Verify there is connectivity with the ONT, keeping in mind the device configures itself with address 192.168.100.1.
> ping 192.168.100.1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=2.02 ms
64 bytes from 192.168.100.1: icmp_seq=2 ttl=64 time=1.15 ms
^C
--- 192.168.100.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1012ms
rtt min/avg/max/mdev = 1.147/1.581/2.015/0.434 msLaunch a port scan with nmap
> export target=192.168.100.1
> nmap $target -p- --min-rate=5000 -Pn --open --reason
Starting Nmap 7.93 ( https://nmap.org ) at 2024-03-21 06:20 EDT
Nmap scan report for 192.168.100.1
Host is up, received user-set (0.0000040s latency).
Not shown: 45821 filtered tcp ports (no-response), 19406 filtered tcp ports (net-unreach), 306 closed tcp ports (conn-refused)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE REASON
23/tcp open telnet syn-ack
80/tcp open http syn-ack
Nmap done: 1 IP address (1 host up) scanned in 31.77 seconds
# enumerate the open ports
nmap $target -p23,80 -sV -sC -Pn -vv -n
Starting Nmap 7.93 ( https://nmap.org ) at 2024-03-21 07:03 EDT
Nmap scan report for 192.168.100.1
Host is up, received user-set (0.0014s latency).
Scanned at 2024-03-21 07:03:37 EDT for 53s
PORT STATE SERVICE REASON VERSION
23/tcp open telnet syn-ack
| fingerprint-strings:
| GenericLines:
| Login as:
| Login as: Login as:
| GetRequest:
| Login as: GET / HTTP/1.0
| Password:
| Help:
| Login as: HELP
| Password:
| NCP:
| Login as: DmdT^@^@^@
| ^@^@^@^A^@^@^@^@^@
| NULL:
| Login as:
| RPCCheck:
| Login as:
| ^@^@(r
| SIPOptions:
| Login as: OPTIONS sip:nm SIP/2.0
| Via: SIP/2.0/TCP nm;branch=foo
| From: <sip:nm@nm>;tag=root
| <sip:nm2@nm2>
| Call-ID: 50000
| CSeq: 42 OPTIONS
| Max-Forwards: 70
| Content-Length: 0
| Contact: <sip:nm@nm>
| Accept: application/sdp
| Password:
| tn3270:
|_ Login as: ^@IBM-3279-4-E
80/tcp open http syn-ack GoAhead WebServer
|_http-favicon: Unknown favicon MD5: BD1E09910249CCA3E8EC3B66CE4EA36D
| http-methods:
|_ Supported Methods: GET HEAD
|_http-title: GPON Home Gateway
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port23-TCP:V=7.93%I=7%D=3/21%Time=65FC140F%P=x86_64-pc-linux-gnu%r(NULL
SF:,19,"\xff\xfd\x01\xff\xfd\x1f\xff\xfd!\xff\xfb\x01\xff\xfb\x03Login\x20
SF:as:\x20")%r(GenericLines,31,"\xff\xfd\x01\xff\xfd\x1f\xff\xfd!\xff\xfb\
SF:x01\xff\xfb\x03Login\x20as:\x20\r\n\r\nLogin\x20as:\x20Login\x20as:\x20
SF:")%r(tn3270,2A,"\xff\xfd\x01\xff\xfd\x1f\xff\xfd!\xff\xfb\x01\xff\xfb\x
SF:03Login\x20as:\x20\^@IBM-3279-4-E\xfb\^Y")%r(GetRequest,35,"\xff\xfd\x0
SF:1\xff\xfd\x1f\xff\xfd!\xff\xfb\x01\xff\xfb\x03Login\x20as:\x20GET\x20/\
SF:x20HTTP/1\.0\r\n\r\nPassword:\x20")%r(RPCCheck,23,"\xff\xfd\x01\xff\xfd
SF:\x1f\xff\xfd!\xff\xfb\x01\xff\xfb\x03Login\x20as:\x20\x80\^@\^@\(r\xfe\
SF:^\]")%r(Help,29,"\xff\xfd\x01\xff\xfd\x1f\xff\xfd!\xff\xfb\x01\xff\xfb\
SF:x03Login\x20as:\x20HELP\r\nPassword:\x20")%r(SIPOptions,102,"\xff\xfd\x
SF:01\xff\xfd\x1f\xff\xfd!\xff\xfb\x01\xff\xfb\x03Login\x20as:\x20OPTIONS\
SF:x20sip:nm\x20SIP/2\.0\r\nVia:\x20SIP/2\.0/TCP\x20nm;branch=foo\r\nFrom:
SF:\x20<sip:nm@nm>;tag=root\r\nTo:\x20<sip:nm2@nm2>\r\nCall-ID:\x2050000
SF:\nCSeq:\x2042\x20OPTIONS\r\nMax-Forwards:\x2070\r\nContent-Length:\x200
SF:\r\nContact:\x20<sip:nm@nm>\r\nAccept:\x20application/sdp\r\n\r\nPasswo
SF:rd:\x20")%r(NCP,53,"\xff\xfd\x01\xff\xfd\x1f\xff\xfd!\xff\xfb\x01\xff\x
SF:fb\x03Login\x20as:\x20DmdT\^@\^@\^@\x08\x20\x08\x08\x20\x08\x08\x20\x08
SF:\x08\x20\x08\x08\x20\x08\x08\x20\x08\x08\x20\x08\x08\x20\x08\x08\x20\x0
SF:8\x08\x20\x08\^@\^@\^@\^A\^@\^@\^@\^@\^@");
Nmap done: 1 IP address (1 host up) scanned in 53.92 secondsNavigate to http://192.168.100.1 with Firefox, a login portal appears.
Login with credentials admin:1234, the site basically allows to update the PLOAM password, which is essentially what authenticates the device in the network. Also, when clicking on "More Info" we gather additional info about the device.
Last updated