Several Netgear router models running factory firmware have a telnet daemon that listens at the router's local LAN IP address. Administrators have a couple of ways of gaining access to a hidden command line interface (CLI) with a telnet client:
1. Open http://192.168.1.1/setup.cgi?todo=debug in a browser to enable the telnet daemon (may use username: root, and no password).
2. Send the “magic packet” with the TelnetEnable utility described on this page.
The first, much simpler method should be attempted before trying the second “magic packet” method.
The following Netgear devices are currently known to support this hidden Telnet feature:
The router CLI is usually the busybox shell running on Linux. Commands and utilities available typically include changing nvram settings, changing the running configuration, uploading/downloading files, managing flash memory, rebooting, etc.
The Netgear router CLI unlocking protocol establishes a TCP (for older Netgear routers) or UDP (for newer Netgear routers) connection to telnet port 23 at the router's LAN IP address, sends an encrypted probe packet, then closes the connection. If the router accepts the probe packet and unlocks the CLI, the CLI responds to a subsequent connection from a telnet client.
The TelnetEnable utility (see below) builds the probe packet using authentication data supplied on its command line. The probe packet format in unencrypted form is as follows:
For older Netgear routers that use the original TelnetEnable utility (payload is sent over TCP):
    struct PAYLOAD_TCP_PLAINTEXT {
        char md5sum[0x10];   /* md5 hash, 16 byte binary */
        char mac[0x10];      /* null terminated string, 12 characters */
        char username[0x10]; /* null terminated string */
        char password[0x10]; /* null terminated string */
        char reserved[0x40];
    } payload;
For newer Netgear routers (R6700, R7000, R7500) that use the modified TelnetEnable utility (payload is sent over UDP):
    struct PAYLOAD {
        char signature[0x10];
        char mac[0x10];
        char username[0x10];
        char password[0x21];
        char reserved[0x2F];
    } payload;
The above payload formats are transformed by algorithms as follows:
1. The MD5 checksum, or signature, is calculated over the contents of the probe payload MAC, username, and password fields, using the normal three steps (MD5init, MD5update, MD5final) with the default RSA seed. The resulting 16 byte MD5 checksum/hash is then stored into the md5sum array of the probe payload.
2. The entire probe payload (including the reserved area, which is always null for this example) is then encrypted using the Blowfish algorithm, with reversed assumptions regarding the endianness of the data stream. The secret key used for Blowfish is “AMBIT_TELNET_ENABLE+” concatenated with the password in the payload.
3. The encrypted probe packet is then sent to telnet port (23) on the router using a TCP or UDP socket in the standard manner.
Curiously, Netgear's Windows telnetEnable.exe program also includes the necessary support to decode packets incoming from the router, but there does not appear to be any two-way handshake implemented. It is simply a TCP send from the client to the router.
Note: The encrypted probe packet buffer is declared as char output_Buf[0x640], but only an encoded data length of 0x80 bytes appears to be used by the code. It is unknown what other capabilities may be similarly enabled via the 'reserved' field, or by other passwords.
Note: It has also been discovered that the 'reserved' field of the probe packet can be overwritten by up to 0x11 bytes of the password field. This occurs with the newest modified version of the TelnetEnable utility because 1) Netgear changed the daemon that listens for the probe packet to only accept the packet over UDP, and 2) the default password 'Geardog' no longer works; instead one must enter the web interface password, which can be up to 33 characters long. Even though the 'reserved' field is overwritten, the abnormal packet sent to the router will still unlock telnet. An in-depth analysis of the probe packet was recently conducted by Roberto Frenna. View the discussion here: Github Commit Comment
Netgear formerly provided a developer tool, telnetEnable.exe, for unlocking console access from a Microsoft Windows PC client.
It originally appeared in a firmware update for Netgear WPN824 wireless routers sold in Korea.
The download file was wpn824_ko_2.12_1.2.9.zip (no longer available) from the Korean Netgear support website.
This old tool by itself is still available as telnetEnable.zip at MyOpenRouter (Netgear's open source router website). Pingbin.com also hosts this file telnetEnable.zip.
TelnetEnable works with Windows NT and later. Administrator privileges may be required to permit telnetEnable.exe through Windows firewall.
The tool tests successfully with Windows 7 64-bit and with an ordinary (non-privileged) user account:
    D:\>telnetEnable.exe
    Version:2.1, 2003/10/17
    Usage: telnetEnable.exe <host ip> <host mac> <user name> <password>
    D:\>telnetEnable.exe 192.168.1.1 000FB5A2BE26 Gearguy Geardog
    D:\>telnet 192.168.1.1
    Connecting To 192.168.1.1...
    BusyBox v0.60.0 (2009.09.01-00:50+0000) Built-in shell (msh)
    Enter 'help' for a list of built-in commands.
    # exit
    Connection to host lost.
    D:\>
Note the Windows 7 telnet.exe client is disabled and inaccessible by default. The telnet client is a Windows feature that users can enable via Control Panel → Programs → Programs and Features → Turn Windows features on or off.
Instructions for telnetEnable.exe:
1. Extract telnetEnable.exe from any of the zip file downloads. The wpn824_ko_2.12_1.2.9.zip includes a MS Word document with screenshots and instructions in Korean, a firmware update, and the telnetEnable.exe tool. Only the tool is necessary.
2. Open a Windows command prompt (“cmd”).
3. Type “arp -a” on the Windows command line and locate the “Physical Address” (MAC) for the router's IP address, or look it up on the web interface of your router (http://192.168.1.1/; Maintenance → Router status → LAN port → MAC Address). Copy the MAC address (12 hex digits, without separators) to the clipboard.
4. Type “telnetEnable.exe”, then a space and the IP address of your router (e.g. “192.168.1.1”), add another space, paste the contents of the clipboard, and append the telnet console default username and password, “Gearguy” and “Geardog”. Correct character case is important here. These credentials differ from those of the web interface. You will need to modify the username and password appropriately if you had changed them previously. The result should look similar to this:
    telnetEnable.exe 192.168.1.1 000FB5A2BE26 Gearguy Geardog
5. Run the command, then telnet to the router from any computer in your local LAN.
6. Some routers ask for credentials (a login prompt) at the beginning of a telnet session. After successful authentication you will be presented a prompt such as: U12H02900>
7. Type help for a list of available commands.
8. Type exit to end the telnet session.
The old Netgear Windows telnetEnable.exe sends probe packets to the router's TCP port 23.
Thus, it is not compatible with newer routers and firmware introduced by Netgear after early 2014, which now require probe packets sent over UDP port 23.
For these you will need a patched version of telnetenable which supports UDP. You can find it here (however, that version does not work on Windows 10, as it was compiled with dependencies).
For one that works on Windows 10 with UDP / newer Netgear firmwares: here
Keep in mind that new routers no longer use Gearguy/Geardog as the username and password. You will need to provide your web interface credentials (usually admin / password). Also, don't forget to convert the MAC address of the router to uppercase letters and remove any colons.
The latest version of TelnetEnable for Solaris, Linux, and Apple OS X is available as part of file telnetenable-0.4-2.tar.gz at MyOpenRouter (Netgear's open source router website). Included in this distribution are compiled binaries, C source code, and code for older (buggy) TelnetEnable versions.
$ ./telnetenable
Version: 0.4, 2009/10/18
Usage: ./telnetenable <host ip> <host mac> <user name> [password]
$ ./telnetenable 192.168.1.1 001E3A04E2EB Gearguy Geardog
$ telnet 192.168.1.1
Trying 192.168.1.1...
Connected to 192.168.1.1.
Escape character is '^]'.
BusyBox v0.60.0 (2008.05.15-10:32+0000) Built-in shell (msh)
Enter 'help' for a list of built-in commands.
# version
Release version : Netgear Wireless Router WGR614v8
U12H07200/V1.1.11/6.0.36NA
Time : May 15 2008 18:35:41
# exit
Connection to 192.168.1.1 closed by foreign host.
$
Instructions for telnetenable:
1. Extract telnetenable.solaris, telnetenable.linux, or telnetenable.osx depending on your OS platform. Rename the selected file telnetenable.
2. Open a shell (bash, sh, ksh, or csh) prompt.
3. Change directory (cd) to the location of the telnetenable executable.
4. The remaining steps for telnetenable on Unix/Linux/OS X are identical with the Windows version of telnetEnable.exe above.
This telnetenable natively sends network data to TCP port 23, but also supports network data redirection to another utility or file. With the assistance of the netcat utility, this telnetenable can send the probe packet with UDP to newer (after early 2014) Netgear firmware and routers:
    $ ./telnetenable - 001E3A04E2EB admin password | nc -u 192.168.1.1 23
    $ telnet 192.168.1.1
Netgear extended the password length to 33 characters or more with routers supporting TelnetEnable UDP. Without changing the telnetenable code here, its password length limit is 15 characters. Newer versions of TelnetEnable (see below) include these code changes.
Of note, the Unix/Linux/OS X versions of TelnetEnable were not developed by Netgear. The information necessary to develop these TelnetEnable versions came from reverse engineering the operation of Windows telnetEnable.exe in order to discover what magic packets Netgear's tool sends to the router to enable the telnet interface.
Thanks to yoshac_at_member_dot_fsf_dot_org, the Windows TelnetEnable has been reverse engineered. The data format and transforms performed by Netgear's telnetEnable.exe could be determined (see above), and work to implement the entire tool as open source is complete, as per the example above.
Source code for a 'C' re-implementation of the telnetEnable.exe algorithms has been released by yoshac_at_member_dot_fsf_dot_org under the GPL, for use as the basis of a Unix version of the tool. Yoshac's telnetenable binary operates exactly the same as the original Windows tool, except that it does not actually send the TCP frame to the router. Network support was left as an exercise for the reader, and Seattle Wireless was first to add the support (below).
This payload generator is not recommended for use due to a major bug with handling md5 signatures.
Usage:
    telnetenable 192.168.1.1 000FB5A2BE26 Gearguy Geardog > modpkt.pkt
You may need to install nc (netcat) separately, depending on your OS distribution. Then send the generated packet:
    nc 192.168.1.1 23 < modpkt.pkt
This was the earliest known version of TelnetEnable that added networking support to yoshac's probe packet payload generator. Archived copies of the code are still available as telnetenable.c 4/30/2007 and telnetenable.c 8/12/2013 at archive.org. The file telnetenable-0.2.c included in telnetenable-0.4-2.tar.gz noted above is also a copy of telnetenable.c as it appeared at the Seattle Wireless site in 2009.
This version of TelnetEnable is also not recommended for use due to a major bug with handling md5 signatures.
TelnetEnable in C from Seattle Wireless was forked to telnetenable-0.4-2.tar.gz by MyOpenRouter site user “retro98” during October 2009. This fork added major bug fixes, documentation, and compiled executables ready for immediate use. This is the only known version of TelnetEnable in C that correctly fixes a md5 payload buffer overrun and md5 result truncation bug.
On Aug 20, 2012 TelnetEnable in C was also forked to Github by Dave Jagoda under a new project name of NetgearTelnetEnable (still also referred to as telnetenable.c). This fork was an incomplete duplicate of the work retro98 at MyOpenRouter completed three years earlier. Various fixes and improvements were made to the original telnetenable.c during the short time period 8/20/2012 to 10/08/2012. After this there were no further commits to the Github repository.
On Feb 12, 2015 NetgearTelnetEnable was forked on Github by insanid. Changes such as switching from a TCP to a UDP payload, and increasing maximum allowed password length to 33 characters were made which allow this modified telnetenable.c to unlock telnet on newer Netgear routers such as the R6700, R7000, and R7500. Some older Netgear routers, or Router+ADSL modem devices such as the DGN2200v4 have received recent firmware updates which have changed the device to now only accept probe packets over UDP. This newer, modified, telnetenable.c should unlock telnet on any Netgear router that accepts probe packets over UDP.
The version of TelnetEnable UDP is available at this NetgearTelnetEnable Github Repository. Included in this repository are the files for the modified source code for telnetenable.c, and the binary for Linux x86-64 and Windows which can be downloaded here: telnetenable
Instructions:
Download the binary for telnetenable or build from source.
Execute these commands to clone the repository and build from source:
git clone https://github.com/insanid/NetgearTelnetEnable.git
gcc -o telnetenable md5.c blowfish.c telnetenable.c
After downloading the binary or building from source:
chmod a+x telnetenable
Then run telnetenable:
./telnetenable <IP> <MAC> <Username> <Password>
IP - The IP of your Netgear device, usually 192.168.1.1
MAC - The MAC address of the LAN port on your Netgear device, WITHOUT the “:”, e.g. “00:40:5E:21:14:4E” would be written as “00405E21144E”.
Username - 'admin'
Password - the password you set in the web interface
Newer Netgear Routers (R6700, R7000, R7500)
Use the telnetenable.py script from Github: https://github.com/insanid/netgear-telenetenable
Older Netgear Routers
Use the telnetenable.py script from Github: https://github.com/semyazza/netgear-telenetenable
Legacy Information
Prefer the versions of telnetenable.py listed in the sections above, which support a wider range of devices and are easier to use.
How to use the telnetenable.py python script: http://www.cyberciti.biz/faq/enable-telnet-access-for-netgear-n600-adsl-router/
Download telnetenable.py and execute the following command:
    python telnetenable.py 192.168.1.1 0123456789AB Gearguy Geardog
The MAC address can be supplied to telnetenable.py automatically by using arp and awk:
    python telnetenable.py 192.168.1.1 $(arp -n | awk "/192.168.1.1/"' { gsub(/:/, "", $3); print toupper($3)}') Gearguy Geardog
Telnet access should be enabled on the router.
The Netgear hidden telnet console is an administrative back door, which implies security concerns. Fortunately, it is not known to be exploitable via the router's WAN (internet) interface. Unfortunately, there is no way to disable the telnet console on Netgear routers with this feature, but please read further. The workaround is to use TelnetEnable and the telnet console itself to set the username and/or password to non-default values.
The router uses nvram to store settings; some models use param instead of nvram (DGN2200v4). An example session:
    # nvram
    usage: nvram [get name] [set name=value] [unset name] [show] [commit] ...
    #
    # nvram show | grep username
    size: 12006 bytes (20762 left)
    pptp_username=
    http_username=admin
    bpa_username=
    ddns_username=
    ver_check_ftp_username=anonymous
    pppoe_username=guest
    super_username=Gearguy
    #
    # nvram show | grep passw
    size: 12006 bytes (20762 left)
    pptp_passwd=
    ver_check_ftp_password=WGR614V8@
    super_passwd=Geardog
    http_passwd=password
    bpa_passwd=
    pppoe_passwd=
    ddns_passwd=
    #
    # nvram set super_username=newusername
    # nvram set super_passwd=newpasswd
    # nvram commit
    #
    # reboot
Rebooting the router is necessary to re-lock its telnet console. Another way is from the console prompt:
killall utelnetd
To login again, either reboot the router or apply some change in the GUI (e.g. disable UPnP, apply, then set back, then apply) and resend the telnetenable command… then telnet.
If you aren't able to login anymore, which may occur after firmware updates, telnet session timeouts, connection loss, or router rebooting, then repeat the unlocking procedure.