extracting certs via Telnet - on modems that don't respond to Fastcert
#1
hello, world

has anyone had success extracting certs via Telnet using 'diag readmem' command?

I could find some kind of pvt key using (on SVG1202)

diag readmem -s 1 -n 16384 0x80bd60dc

(but it did not work as expected)


I saw some posts using this address instead

diag readmem -s 4 -n 5838 0x83fa8b80

can it be done?
#2
read the entire memory then extract with http://www.haxorware.com/forums/showthre...7#pid16207
untested but I don't see why it would not work
#3
thank you

you mean 'extract with CMnOnVol_Extractor', right?

cmnonexp needs a .bin file to work

how can I convert the output - that goes like this below - to a .bin file?

"
Console/system> diag readmem -s 1 -n 16384 0x80bd60dc
80bd60dc: 20 d8 d9 00 00 00 00 00 2d 2d 2d 2d 2d 42 45 47 | .......-----BEG
80bd60ec: 49 4e 20 52 53 41 20 50 52 49 56 41 54 45 20 4b | IN RSA PRIVATE K
80bd60fc: 45 59 2d 2d 2d 2d 2d 0a 4d 49 49 43 57 77 49 42 | EY-----.MIICWwIB
80bd610c: 41 41 4b 42 67 51 43 39 59 43 57 37 52 31 48 64 | AAKBgQC9YCW7R1Hd
80bd611c: 31 55 78 72 57 44 59 78 77 50 6a 39 76 68 52 57 | 1UxrWDYxwPj9vhRW
80bd612c: 6f 57 4c 53 77 31 39 74 73 39 70 57 74 44 2b 69 | oWLSw19ts9pWtD+i
80bd613c: 50 2f 49 78 6d 53 61 5a 0a 34 42 46 30 49 78 70 | P/IxmSaZ.4BF0Ixp
...etc "
#4
If you can telnet then you can activate factory mode, once you have done this you can use snmp to grab the certs
#5
I must be unaware of the OIDs to achieve this

In old modems - i.e. sb5100 and sb5101 - I can get the certs easily via fastcert

Newer modems will not respond to fastcert although I can access them via telnet

Any ideas on how to find those OIDs?

Using solarwinds SNMP Walk I can get some of the certs but not the pvt key

Maybe the community string for newer modems is different,
But I'd bet on a different OID


Thank you
#6
(07-05-2015, 06:01 AM)drewmerc Wrote: read the entire memory then extract with http://www.haxorware.com/forums/showthre...7#pid16207
untested but I don't see why it would not work

What is the command to read the entire memory?

diag readmem ?