Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
DHCP Option 60 spoof needed
#1
I'm seeing something really weird on Charter, and it's duplicatable. Say I have a good NoBPI MAC address, checked by looking at it's tftp config file and seeing if Privacy Enable is set to 1. I clone the address on my sb5101 and disabling BPI, and then bring it up online with a forced NoBPI config. It begins working after a couple of false starts, but then when I re-download the real tftp file, it has changed to a BPI enabled config.

Somehow, Charter is detecting that I have a BPI enabled modem, regardless of what MAC address I use, and then configuring the tftp file accordingly. What's interesting is I don't know whats going to happen to the real modem I had cloned, because it probably isn't BPI enabled in the first place.

I suspect the modem sends out a DHCP discover that it gives off some indication of its capabilities, specifically option 60, which sends out a string of "docsis#.#" according to the cisco documents I've read. Since Haxorware is based on the SB5101E-2.7.5.0-LTSH firmware, I'm assuming that it still sends a string of "docsis2.0". Haxorware somehow needs to change this option 60 to a "docsis1.0" when BPI is set to disable if this is the case, unless someone knows how to do this manually.
Reply
#2
with bpi disabled the modem should only reply with docsis#.#
but the config you are getting could be different based on the spoof you are sending to the ctms
try spoofing a docsis1 modem
__________________________________________________________________________________
******new discord chat link https://discord.gg/5BQQbsb*******
Reply
#3
Got any DOCSIS 1.0 spoof strings handy? I'm going off http://www.cablelabs.com/cablemodem/down...oducts.pdf and am not sure if this is exactly correct.

Is there anyway to see exactly what info is being passed to the modem to the CMTS?

(21-09-2010, 07:29 AM)drewmerc Wrote: with bpi disabled the modem should only reply with docsis#.#
but the config you are getting could be different based on the spoof you are sending to the ctms
try spoofing a docsis1 modem

Reply
#4
this is what i use but then i'm not on same network as you
VENDOR: Scientific Atlanta
MODEL:WebSTAR DPX100
SW_REV: 1.1.2r1.1.3.1
HW_REV: 2.1
__________________________________________________________________________________
******new discord chat link https://discord.gg/5BQQbsb*******
Reply
#5
I did some testing with that spoof string (and a valid same model mac address) and it still changed the configuration from NoBPI to BPI. As a side-note, I wasn't able to override the HW_REV to 2.1. It always loses the ".2" part and turns to 2 after saving.

I'll do some more exact testing later tonight. I wanted to query the TFTP server after every step of a modem's sync-up, and see which step actually prompts the server to change the privacy setting. Is there any way to get a dhcpdump or any other information that the modem sends to the CMTS? Wireshark doesn't start capturing until after the modem is already synced. Also, is there source code to the firmware so I can audit it myself, or is it strictly modified assembly?
Reply
#6
the hardware sting losing part, is normal but i never checked to see if it was a limit of the firmware or if all modems do it

beyond watching telnet with a max232 cable theres not much i know of mostley due to the fact i never needed to (at lease with a max cable theres no waiting for the ethernet cable)

and source there is none
__________________________________________________________________________________
******new discord chat link https://discord.gg/5BQQbsb*******
Reply
#7
Did some testing.

I wanted to pinpoint when the CMTS decides to switch to a BPI enabled tftp config file. I polled and md5sumed a tftp config file every second that was verified NoBPI. Plugged in the modem, and traced when the md5sum changed in the other window. My suspicions were correct in thinking that it happened during the DHCP Discover of the modem. What happens is that the DHCP Discover is broadcasted, the a timeout occurs while the file is changed, and when the Discover retry happens, it gets the right config.

This is not just exclusive to Haxorware. I also tried all builds of Sigma X2 in my testing, and it's all the same. I really believe that Charter is inspecting our DHCP Discover request's option 60 for which docsis version and features the modem is capable of. Since I'm trying to emulate a DOCSIS 1.0 modem not capable of BPI, this is pretty much a dead giveaway to Charter, and I think that's why my mac is getting banned every day.
Reply
#8
post this on sbhacker cause it's way past me and you may get a better answer
__________________________________________________________________________________
******new discord chat link https://discord.gg/5BQQbsb*******
Reply
#9
Ok, thanks. Was hoping to get some input from rajkosto. How do I disassemble the firmware like him?
Reply
#10
i know the answer you'll get same as what he told me, fucking magic
__________________________________________________________________________________
******new discord chat link https://discord.gg/5BQQbsb*******
Reply


Forum Jump:


Users browsing this thread: 1 Guest(s)