Differences

This shows you the differences between two versions of the page.

toh:netgear:telnet.console [2018/04/28 19:00] – ↷ Links adapted because of a move operation toh:netgear:telnet.console [2021/08/29 15:37] – ↷ Links adapted because of a move operation tmomas
Line 2: Line 2:
 Several [[toh:netgear:start|Netgear]] router models running factory firmware have a telnet daemon that listens at the router's local LAN IP address. Administrators have a couple of ways of gaining access to a hidden command line interface (CLI) with a telnet client: Several [[toh:netgear:start|Netgear]] router models running factory firmware have a telnet daemon that listens at the router's local LAN IP address. Administrators have a couple of ways of gaining access to a hidden command line interface (CLI) with a telnet client:
  
-  - Calling the routers "debug" endpoint, by simply going to the router's debug endpoint in a browser, i.e. at [[http://192.168.1.1/setup.cgi?todo=debug]] to enable the telnet daemon (may use username: root, and no password).+  - Calling the routers "debug" endpoint, by simply going to the router's debug endpoint in a browser, i.e. at ''%%http://192.168.1.1/setup.cgi?todo=debug%%'' to enable the telnet daemon (may use username: root, and no password).
   - Sending a magic packet to the router's telnet daemon, to unlock it (see below instructions).   - Sending a magic packet to the router's telnet daemon, to unlock it (see below instructions).
  
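Review bot: In the first list item, the parenthetical "(may use username: root, and no password)" records that the enabled daemon can accept a passwordless root login, but the item never says how to switch telnet off again. Add a sentence on disabling it afterwards, or state that the behaviour is unknown, so readers do not leave a root shell open to the LAN. The same item repeats itself and has a possessive typo: "Calling the routers "debug" endpoint, by simply going to the router's debug endpoint in a browser" can be shortened to "Opening the router's debug endpoint in a browser". Rendering the URL as literal text instead of a link is the right call, since requesting it changes the device's state.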
Line 10: Line 10:
  
   * DC112a v1: Works with UDP of version TelnetEnable and adminstration admin/pw, telnet does not require password.   * DC112a v1: Works with UDP of version TelnetEnable and adminstration admin/pw, telnet does not require password.
 +  * D7000 v1: Works with http unlock and telnet, using normal admin user-id and password.
   * DGN1000v3: Router Firmware Version V1.0.0.14_0.0.14 works, gives access to a BusyBox console w/o authentication   * DGN1000v3: Router Firmware Version V1.0.0.14_0.0.14 works, gives access to a BusyBox console w/o authentication
   * [[toh/netgear/dgnd3700|DGND3700v1/DGND3800B]]: < 3.0.0.8 works with original telnetenable over TCP; >= 3.0.0.8 works with any telnetenable patched for UDP   * [[toh/netgear/dgnd3700|DGND3700v1/DGND3800B]]: < 3.0.0.8 works with original telnetenable over TCP; >= 3.0.0.8 works with any telnetenable patched for UDP
-  * [[toh/netgear/netgear_ex2700|EX2700]]: firmware V1.0.1.8 works, gives access to root shell w/o authentication (telnetenable listens on UDP/23)+  * [[toh:netgear:ex2700|EX2700]]: firmware V1.0.1.8 works, gives access to root shell w/o authentication (telnetenable listens on UDP/23)
   * EX6100: Works with original telnetenable (TCP/23) with credentials super_username/super_passwd (not admin/password as one might think) or Gearguy/Geardog or both. Sometimes it doesn't unlock with first attempt (parser_enable?)   * EX6100: Works with original telnetenable (TCP/23) with credentials super_username/super_passwd (not admin/password as one might think) or Gearguy/Geardog or both. Sometimes it doesn't unlock with first attempt (parser_enable?)
   * EX6100v2: V1.0.1.50 works with new telnetenable (UDP/23). Use username "admin" with the password set in the web interface. Does NOT ask for username/password on login.   * EX6100v2: V1.0.1.50 works with new telnetenable (UDP/23). Use username "admin" with the password set in the web interface. Does NOT ask for username/password on login.
-  * R6300v2: Tested and working with telnetenable2 (UDP Windows 10 version) (Use web interface credentials instead of Gearguy/Geardog)+  * [[toh:netgear:r6300_v2|R6300v2]]: Tested and working with telnetenable2 (UDP Windows 10 version) (Use web interface credentials instead of Gearguy/Geardog)
   * R6700: V1.0.0.2_1.0.1 Tested and working with modified python script of telnetenable.   * R6700: V1.0.0.2_1.0.1 Tested and working with modified python script of telnetenable.
-  * R7000: Assumed to be working with modified python script of telnetenable, and modified telnetenable binary for linux x86-64. V1.0.4.30_1.1.67 & V1.0.7.2_1.1.93 tested working with linux telnetenable from insanid github using web GUI credentials. Doesn't work with super_username & super_passwd nvram variables that are still present. Changing them does nothing. The telnet login ignores credentials (telnet -l //username// router_ip). +  * [[toh:netgear:r7000|R7000]]: Assumed to be working with modified python script of telnetenable, and modified telnetenable binary for linux x86-64. V1.0.4.30_1.1.67 & V1.0.7.2_1.1.93 tested working with linux telnetenable from insanid github using web GUI credentials. Doesn't work with super_username & super_passwd nvram variables that are still present. Changing them does nothing. The telnet login ignores credentials (telnet -l //username// router_ip). 
-  * R7500: V1.0.0.82 Tested and working with modified python script of telnetenable, and modified telnetenable binary for linux x86-64.+  * [[toh:netgear:r7500|R7500]]: V1.0.0.82 Tested and working with modified python script of telnetenable, and modified telnetenable binary for linux x86-64.
   * WG602 (unknown version): [[http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2006-1002|assumed to work]]   * WG602 (unknown version): [[http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2006-1002|assumed to work]]
   * WGR614 v1-2: unknown; may work   * WGR614 v1-2: unknown; may work
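Review bot: The added D7000 v1 entry names no firmware version and uses "http unlock" without defining it, unlike the DGN1000v3 and EX2700 entries beside it. State the firmware that was tested and whether "http unlock" means the setup.cgi?todo=debug endpoint from the introduction or something else. The link clean-up in this hunk is also incomplete: the DGND3700v1/DGND3800B entry still uses the slash form toh/netgear/dgnd3700 while the EX2700 link was converted to toh:netgear:ex2700.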
Line 31: Line 32:
   * WGT624 v2, v3: works   * WGT624 v2, v3: works
   * WGT624 V3H1: works (after 6-12 try, reboot, try again cycles)   * WGT624 V3H1: works (after 6-12 try, reboot, try again cycles)
 +  * [[toh:netgear:WN2500RP_V1]] V1.0.0.30_1.0.58: use ./telnetenable 192.168.1.250 MACADDRESS Gearguy Geardog. On connection you should be dropped on a '#' prompt.
   * WN3000RP v1: works; does not require username/password for login, but necessary for telnetenable (Geardog/Gearguy)   * WN3000RP v1: works; does not require username/password for login, but necessary for telnetenable (Geardog/Gearguy)
-  * [[oldwiki/openwrtdocs/hardware/netgear/WNDR3300]] : works. Does not require username/password for login.  On connection the '#' prompt is displayed. +  * [[toh:netgear:wndr3300_v1]]: works. Does not require username/password for login.  On connection the '#' prompt is displayed. 
-  * [[toh/netgear/WNDR3400|WNDR3400v2]] v1.0.0.16_1.0.34 works; does not ask for username/password on login. On connection you should be dropped on a '#' prompt. +  * [[toh:netgear:WNDR3400|WNDR3400v2]] v1.0.0.16_1.0.34 works; does not ask for username/password on login. On connection you should be dropped on a '#' prompt. 
-  * [[toh/netgear/WNDR3700]] V1.0.7.98: known to work - does not ask for username/password. After connection you will be root at BusyBox v1.4.2. +  * [[toh:netgear:WNDR3700]] V1.0.7.98: known to work - does not ask for username/password. After connection you will be root at BusyBox v1.4.2. 
-  * [[toh/netgear/WNDR3800]] v1.0.0.16 Tested with the python script of telnetenable. +  * [[toh:netgear:WNDR3800]] v1.0.0.16 Tested with the python script of telnetenable. 
-  * [[toh/netgear/WNDR4000]] v1.0.0.88 works. Does NOT ask for username/password on login. On connection you should be dropped on a '#' prompt.+  * [[toh:netgear:WNDR4000]] v1.0.0.88 works. Does NOT ask for username/password on login. On connection you should be dropped on a '#' prompt.
   * [[toh/netgear/WNDR4300]] V1.0.1.30/34/42 works with the python script. Does NOT ask for username/password on login. On connection you should be dropped on a '#' prompt.   * [[toh/netgear/WNDR4300]] V1.0.1.30/34/42 works with the python script. Does NOT ask for username/password on login. On connection you should be dropped on a '#' prompt.
-  * [[toh/netgear/WNDR4500]] V1.0.1.40 works with the python script. Does NOT ask for username/password on login. On connection you should be dropped on a '#' prompt. +  * [[toh:netgear:WNDR4500]] V1.0.1.40 works with the python script. Does NOT ask for username/password on login. On connection you should be dropped on a '#' prompt. 
-  * WNR1000 v1-2: works; does not require username/password for login. On connection the '#' prompt is displayed. +  * [[toh:netgear:wnr1000_v2|WNR1000 v1-2]]: works; does not require username/password for login. On connection the '#' prompt is displayed. 
-  * WNR1000 v3: works using the new UDP utility with GUI user/password, using latest OEM firmware 1.0.2.68_60.0.93NA+  * [[toh:netgear:wnr1000_v3|WNR1000 v3]]: works using the new UDP utility with GUI user/password, using latest OEM firmware 1.0.2.68_60.0.93NA
     - did not work initially, only having performed a GUI reset after upgrading firmware to latest     - did not work initially, only having performed a GUI reset after upgrading firmware to latest
     - BusyBox 0.60.0 worked after a hard reset (power on holding reset button until lights flash)     - BusyBox 0.60.0 worked after a hard reset (power on holding reset button until lights flash)
     - firmware prior to latest was not tested, but expect the old TCP utility was required, per WGR614v10     - firmware prior to latest was not tested, but expect the old TCP utility was required, per WGR614v10
 +  * [[toh:netgear:wnr1000_v4|WNR1000 v4]]: works. Use username “admin” with the password set in the web interface.
   * WNR2000 v2: works; does not require username/password for login. On connection to stock, Busybox header is shown. Use old TCP method. Gearguy/Geardog   * WNR2000 v2: works; does not require username/password for login. On connection to stock, Busybox header is shown. Use old TCP method. Gearguy/Geardog
-  * WNR2000 v4: works; does not require username/password for login. On connection the '#' prompts is displayed. +  * [[toh:netgear:wnr2000v4|WNR2000 v4]]: works; does not require username/password for login. On connection the '#' prompts is displayed. 
-  * WNR2200 v1: works; does not require username/password for login. Uses Gearguy/Geardog and the old TCP method. Displays OpenWrt header on connect (stock firmware)+  * [[toh:netgear:wnr2200|WNR2200 v1]]: works; does not require username/password for login. Uses Gearguy/Geardog and the old TCP method. Displays OpenWrt header on connect (stock firmware)
   * [[toh:netgear:wnr3500_v1]] v1.0.29: works; does not ask for username/password on login. On connection you should be dropped on a '#' prompt.   * [[toh:netgear:wnr3500_v1]] v1.0.29: works; does not ask for username/password on login. On connection you should be dropped on a '#' prompt.
-  * [[toh/netgear/wnr3500l|WNR3500L]] V1.2.2.44: Works. V1.2.2.48_35.0.55NA: fails. Does NOT ask for username/password on login. Dropped to '#' prompt on connection. +  * [[toh:netgear:wnr3500_v2]] v1.0.2.10: use ./telnetenable 192.168.1.1 MACADDRESS Gearguy Geardog. On connection you should be dropped on a '#' prompt. 
-  * WPN824 v1, V2.0.15_1.0.11: known to work +  * [[toh:netgear:wnr3500l|WNR3500L]] V1.2.2.44: Works. V1.2.2.48_35.0.55NA: fails. Does NOT ask for username/password on login. Dropped to '#' prompt on connection. 
-  * WPN824 v2: known to work +  * [[https://oldwiki.archive.openwrt.org/toh/netgear/wpn824v1|WPN824 v1]], V2.0.15_1.0.11: known to work 
-  * WPN824 V3: not needed; enable the utelnetd option in Remote Management.+  * [[https://oldwiki.archive.openwrt.org/toh/netgear/wpn824v2|WPN824 v2]]: known to work 
 +  * [[https://oldwiki.archive.openwrt.org/toh/netgear/wpn824v3|WPN824 v3]]: not needed; enable the utelnetd option in Remote Management.
  
 The router CLI is usually the busybox shell running on Linux. The router CLI is usually the busybox shell running on Linux.
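Review bot: The added WN2500RP_V1 and wnr3500_v2 entries pass the credentials as "Gearguy Geardog", while the unchanged WN3000RP v1 line directly after the first of them lists "(Geardog/Gearguy)". Make the order consistent across the list and say which value is the username, so readers do not have to guess. Smaller points: the new WNR1000 v4 entry uses typographic quotes around “admin” where the EX6100v2 entry uses straight quotes, [[toh:netgear:WN2500RP_V1]] has no link label and will render as the raw page id, and [[toh/netgear/WNDR4300]] was left in the old slash form while its neighbours were converted.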
Line 147: Line 151:
   * Extract ''telnetEnable.exe'' from any of the zip file downloads. The ''wpn824_ko_2.12_1.2.9.zip'' includes a MS Word document with screenshots and instructions in Korean, a firmware update, and the ''telnetEnable.exe'' tool. Only the tool is necessary.   * Extract ''telnetEnable.exe'' from any of the zip file downloads. The ''wpn824_ko_2.12_1.2.9.zip'' includes a MS Word document with screenshots and instructions in Korean, a firmware update, and the ''telnetEnable.exe'' tool. Only the tool is necessary.
   * Open a command line (windows console) window (Press [windows key]+[R] and enter "''cmd''").   * Open a command line (windows console) window (Press [windows key]+[R] and enter "''cmd''").
-  * Get the MAC address of your Netgear router. You can either run "''arp -a''" on the Windows command line and locate the "Physical Address" (MAC) for the router's IP address, or look it up on the [[http://192.168.1.1/|web interface of your router]] (//Maintenance// -> //Router status// -> //LAN port// -> //MAC Address//).+  * Get the MAC address of your Netgear router. You can either run "''arp -a''" on the Windows command line and locate the "Physical Address" (MAC) for the router's IP address, or look it up on the web interface of your router (''%%http://192.168.1.1/%%''; //Maintenance// -> //Router status// -> //LAN port// -> //MAC Address//).
   * Take the MAC address, remove any minus signs (-) or colons (:) and replace all characters by their upper case representation (a -> A, d-> D etc.).   * Take the MAC address, remove any minus signs (-) or colons (:) and replace all characters by their upper case representation (a -> A, d-> D etc.).
   * Copy the result of your editing to the clipboard.   * Copy the result of your editing to the clipboard.
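Review bot: The rewritten MAC-address step hard-codes http://192.168.1.1/ as the web interface address, yet the WN2500RP_V1 entry added in this same revision uses 192.168.1.250. Word it as the router's own LAN address with 192.168.1.1 given as an example, and point the "arp -a" lookup at that same address so both methods refer to one device.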
  • Last modified: 2024/04/18 13:49
  • by tboege