Results 1 to 4 of 4

Thread: How to Retrieve TP-Link Router Password Instantly and Remotely

  1. #1
    Join Date
    2013-Jul
    Posts
    841

    How to Retrieve TP-Link Router Password Instantly and Remotely

    To access the password first download the routers backup configuration file.

    Associate to the router with wired or wireless access, open up your favorite web browser and enter:

    http://192.168.1.1/rom-0

    in the address block and wait

    You will get a download/save menu -save the file.You now have an encrypted rom-0 router configuration file. In kali-linux the file will be in the /root/downloads folder. For purposes here we moved all files referenced to root.

    Now go to the following address and download a rom-o decoder:

    http://piotrbania.com/all/utils/RomDecoder.c

    This program is in C++. You must first compile it.

    Open a terminal window. With your program in root type:

    gcc -o Decoder RomDecoder.c

    gcc will write an executeable file called Decoder from the RomDecoder.c file you just downloaded

    Now to get your password: point the Decoder program at the router configuration file.

    ./Decoder rom-0

    Wahlah - You may see your password below

    There is nothing original here. MTeams just carried the work outlined in nirsoft.net down the next logical step.Further reading and sources

    http://www.nirsoft.net/utils/router_..._recovery.html

    http://piotrbania.com/all/articles/tplink_patch/

    MTeams
    Last edited by mmusket33; 2014-09-30 at 03:22. Reason: Questions from readers

  2. #2
    Join Date
    2013-Jul
    Posts
    841
    We have seen cases where D-Link Routers providing the wifi accesss are bridged thru LAN to a TP-Link router in the back ground. When 192.168.1.1/rom-0 is entered the TP-Link router immediately appeared and gave up its rom-0 configuration file, then stayed active on the screen allowing for keyboard input.
    Lesson here test the router even if it is not TP-Link, you never know what is hiding behind the secret door.

    MusketTeams

  3. #3
    Join Date
    2013-Jul
    Posts
    841
    MTeams has found this backdoor embedded in other vendor firmware so this is NOT specific to TP-Link. The test is simple just run the ip address of the router and append it with /rom-0. Note 0=zero. For example the router is on 192.168.2.1 so just type 192.168.2.1/rom-0. The file will immediately appear for download.

    Furthermore look for a non broadcasting router behind and linked to the router broadcasting. If you see the router is broadcasting on 192.168.2.1 and the default gate way is 192.168.1.1 it is a good bet there is another router existingt. In this case try 192.168.1.1/rom-0 and see what you get.

    MTeams

  4. #4
    Join Date
    2013-Jul
    Posts
    841
    MTeams continues to find this flaw embedded in firmware written by ISPs who write their own router firmware.

    So before you try using hydra or burpsuite save yourself some time and test the router for this flaw.

    MTeams

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •