Login    Forum    Register    Search    FAQ

Board index » HELP AND ADVICE » GAME/SOFTWARE/HARDWARE PROBLEMS




Post new topic Reply to topic  [ 2 posts ] 
Author Message
 Post subject: BeBox config options
 Post Posted: Tue Nov 20, 2007 10:54 pm 
Offline
Decidedly uninterested
User avatar

Joined: Thu Mar 18, 2004 11:10 pm
Posts: 10184
Location: I watch you while you sleep
Found these around t'internet, if someone more technical would care to comment on their efficacy & authenticity, for general peace of mind....?

Quote:
hxxp://rory.allford.net/2007/03/30/bebox-got-root/

I’ve recently switched to Be There from the cowboys at Pipex, and I have to say I’ve been impressed. Speed-wise, it’s terrific, especially for the price.

This post recounts my first exploration into the mysteries of the descriptively named “BeBox” through which the ADSL service is provided.

Since it arrived on the doorstep for free, I had expected it to be yet another of these mediocre but functional things with some lights and a basic web interface. Despite being adorned with a large pink star and sharing the SpeedTouch brand name with the (notoriously incompatible) “Frog”, it turns out the 780WL is made by Alcatel, and as such is a very different beast. The 4-port wireless router comes equipped with VoIP, QoS, an SPI firewall and routing tables complete with VLANing - it runs a BSD variant with a full CLI as if it were an enterprise-class networking device.

Be naturally hide all this interesting functionality from the end user, and the web based interface looks very run-of-the-mill and irritatingly hand-holding. I only realised there was more lurking under the surface when I found port 21 was open whilst idly Nmap-ing myself from a machine externally. Anticipation overriding any concern about the discovered security holes, I logged in with the provided (default) user account. The resulting access yielded very little functionality over that provided by the web-based interface, most “advanced” commands resulting in policy restriction error messages; nevertheless a remote attacker could certainly wreak some havoc. I needed root access, if only to switch telnet off!

The Speedtouch’s web-based GUI provides the option to backup and restore its configuration to an INI file. Sure enough, poking around in this I found what I was looking for (password hashes removed for obvious reasons):

[ mlpuser.ini ]
add name=Administrator password=_CYP_{removed} role=Administrator hash2={removed} defuser=enabled
add name=tech password=_CYP_{removed} role=TechnicalSupport hash2={removed} defremadmin=enabled
add name=BeTech password=_CYP_{removed} role=TechnicalSupport hash2={removed}
add name=bebox password=_CYP_{removed} role=root hash2={removed}

Well Administrator was me, but I wasn’t liking the look of the other three. Be use the same passwords for every customer hxxp://blogs.securiteam.com/index.php/archives/826, and this was leaving me wide open to attack. Commenting out those lines (in case Be do ever need to remotely login), and adding a user called root with role=root got me the access I required.

This configuration file also had a lot to reveal about services the box was exposing WAN-side:

[ servmgr.ini ]
...
ifadd name=HTTPs group=wan
ifadd name=FTP group=wan
ifadd name=TELNET group=wan
ifadd name=PING_RESPONDER group=wan
...

Certainly telnet and ftp were going right off. Https is for the web-based interface, and despite the “s” would still be exposing a login box a cracker could be run on. Finally I’m not a believer in letting all and sundry ping me (I hope to re-enable it specifically for Be’s server IPs when I get more acquainted with the CLI).

Another annoyance was that the box helpfully redirects all outgoing HTTP requests to an error page whenever the connection is down. Useful for a novice user. Annoying in a similar vein to Verisign’s Sitefinder as it’s not based on transparent proxying (as it should) but spoofing DNS! And even the former can cause problems for things that depend on a TCP timeout rather than a successful connection. (It even gives a HTTP 200 instead of 503 as proxy standards dictate).

This and and the web filtering that powers the “Parental Control” feature that appears locked in the On position is run using “Differentiated Service Delivery (DSD)”. I am not a fan:

[ dnss.ini ]
config domain=local timeout=15 suppress=0 state=enabled trace=disabled syslog=disabled WANDownSpoofing=disabled WDSpoofedIP=10.0.0.201
...

[ dsd.ini ]
...
config state=disabled
...

[ webfilter.ini ]
...
config state=disabled

Once that was all done, using the CLI and my newly-obtained root account, I managed to tweak out my DHCP and QoS settings (removing the bandwidth-throttling rules!). This is just a case of having the right reference material to hand. Unfortunately, despite the humorous “nerdy stuff inside” warning, the CD provided by Be only contains the “End-User” editions of the SpeedTouch manuals - the unabridged version and the CLI reference I’ve included below:

“BeBox” User Manual
“BeBox” CLI Reference

Immediately behind the BeBox I have my own firewall server running iptables, Squid and the usual on Gentoo, so I turned off the unsophisticated SpeedTouch IDS that was hampering my remote portscanning anyway, and put said machine in a DMZ. Next task is to put the built-in wireless interface into a WAN-detached VLAN with the server, but that’s another post…



Is it merely the '#' character to comment out lines in .ini files?


Quote:
hxxp://www.beforum.co.uk/forum/default.aspx?f=5&m=5352

I think it's a good idea to list a few useful CLI commands for our lovely BeBox

here are the ones I collected so far:



#These 3 make your bebox poll a group of NTP servers to keep the time accurate

sntp add name=uk.pool.ntp.org version=3
sntp config poll=60 pollpresync=60
sntp config state=enabled


#This one corrects the grouping operator and decimal place symbol for the en_GB locale.

system locale dec_symbol=. group_symbol=,


#enable ping responder:

service system ifadd name=PING_RESPONDER group=wan


#disable telnet , HTTPs and FTP on WAN (close ports)

service system ifdelete name=TELNET group=wan
service system ifdelete name=FTP group=wan
service system ifdelete name=HTTPs group=wan


#enable SNMP (e.g. for PRTG Traffic Grapher)

service system modify name=SNMP_AGENT state=enabled
snmp community add securityname=RWCommunity communityname=public


#enable nat loopback (access external IP from inside):

ip config natloopback=enabled


#fix against TCP timeouts

firewall config tcpchecks none


#disable DHCP server on LAN side (thanks Zadkiel)

dhcp server config state=disabled


Don't forget this command at the end to permanently save your settings if everything works as expected:
(otherwise all new settings are lost after the next restart)

saveall

_________________
Image
The Pancreas of S.T.F.U. | Never take life too seriously - nobody gets out alive anyway.
Disco_jim: um..... I have no excuse. | Chips: Thank the Beef | Rev Dr: Beef, I think i wee'd a little


Top 
 Profile  
 
 Post subject:
 Post Posted: Wed Nov 21, 2007 1:11 am 
Offline
it is I! Diabetes man!
User avatar

Joined: Wed Mar 03, 2004 1:15 pm
Posts: 14174
Location: anywhere but nowhere
too deep... :lol:

_________________
Image



Image
Went to a zoo, they only had one animal there, a dog............. It was a shitzu....



I’z leakin… bring amberlamps


Top 
 Profile  
 
Display posts from previous:  Sort by  
 
Post new topic Reply to topic  [ 2 posts ] 

Board index » HELP AND ADVICE » GAME/SOFTWARE/HARDWARE PROBLEMS


Who is online

Users browsing this forum: No registered users and 8 guests

 
 

 
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum

Search for:
Jump to:  
  • Shoutbox
  • Shout Message


test
cron