technicolor TD5130 routers ftp and telnet vulnerable with connection error

[zdilto]

we have many Technicolor TD5130 routers that users want to update to avoid a certain wps attack but firmware update can only be done via ftp and ftp creds are not known . rsf brute-force are not working with connection errors where i'm running only one instance on the target

Steps that produced the issue for ftp:

1. rsf > use creds/routers/technicolor/ftp_default_creds
2 .rsf (Technicolor Router Default FTP Creds) >  set target  192.168.1.1
[+] target => 192.168.1.1
3. rsf (Technicolor Router Default FTP Creds) > check
[*] Target exposes FTP service
[+] Target is vulnerable
4. rsf (Technicolor Router Default FTP Creds) > run
[*] Running module...
[*] Target exposes FTP service
[*] Starting attack against FTP service
[*] thread-0 thread is starting...
[-] Authentication Failed - Username: 'admin' Password: 'admin'
[-] 
[-] 
[-] 
[-] Too many connections problems. Quiting...
[*] thread-0 thread is terminated.
[*] Elapsed time: 0.08000922203063965 seconds
[-] Credentials not found

Steps that produced the issue for telnet:

rsf (Technicolor Router Default Telnet Creds) > run
[*] Running module...
[*] Target exposes Telnet service
[*] Starting default credentials attack against Telnet service
[*] thread-0 thread is starting...
[-] Telnet connection error
[-] Telnet Authentication Failed - Username: 'admin' Password: 'admin'
[-] Telnet connection error
[-] Telnet connection error
[-] Telnet Authentication Failed - Username: 'admin' Password: 'password'
[-] Telnet Authentication Failed - Username: 'admin' Password: '1234'
[-] Telnet connection error
[-] Telnet connection error
[-] Telnet Authentication Failed - Username: 'Administrator' Password: ''
[*] thread-0 thread is terminated.
[*] Elapsed time: 3.8085930347442627 seconds
[-] Credentials not found

my current Environment

• RouterSploit Version used: 3.1.0
• Operating System and version: kali linux 2018.2
• Python Version: ( python3 --version ) 3.6.5rc1
• Python Environment: ( python3 -m pip freeze )

  AdvancedHTTPServer==2.0.10
  alembic==0.9.7.dev0
  asn1crypto==0.24.0
  basemap==1.1.0
  bcrypt==3.1.4
  beautifulsoup4==4.6.0
  binwalk==2.1.1
  blinker==1.4
  boltons==18.0.0
  Brlapi==0.6.7
  Brotli==1.0.3
  certifi==2018.1.18
  chardet==3.0.4
  chrome-gnome-shell==0.0.0
  click==6.7
  colorama==0.3.7
  ConfigArgParse==0.11.0
  crcelk==1.1
  cryptography==2.1.4
  cupshelpers==1.0
  cycler==0.10.0
  debtags==2.1
  decorator==4.1.2
  dnspython==1.15.0
  Flask==0.12.2
  future==0.16.0
  geoip2==2.7.0
  geojson==2.3.0
  graphene==1.1.3
  graphene-sqlalchemy==1.1.1
  graphql-core==1.0.1
  graphql-relay==0.4.5
  h11==0.7.0
  h2==3.0.1
  hashID==3.1.4
  hpack==3.0.0
  html5lib==0.999999999
  httplib2==0.9.2
  hyperframe==5.1.0
  icalendar==4.0.0
  idna==2.6
  iso8601==0.1.11
  itsdangerous==0.24
  Jinja2==2.10
  jsbeautifier==1.6.4
  kaitaistruct==0.8
  keyring==10.6.0
  keyrings.alt==3.0
  ldap3==2.4.1
  louis==3.5.0
  lxml==4.2.0
  Mako==1.0.7
  MarkupSafe==1.0
  matplotlib==2.1.1
  maxminddb==1.3.0
  mitmproxy==3.0.3
  msgpack==0.5.1
  numpy==1.13.3
  olefile==0.45.1
  paramiko==2.4.0
  passlib==1.7.1
  Pillow==4.3.0
  pluginbase==0.5
  ply==3.11
  promise==1.0.1
  psycopg2==2.7.4
  pyasn1==0.4.2
  pycairo==1.16.2
  pycrypto==2.6.1
  pycryptodomex==3.6.2
  pycups==1.9.73
  pycurl==7.43.0.1
  pygobject==3.28.1
  pyinotify==0.9.6
  PyNaCl==1.2.1
  PyOpenGL==3.1.0
  pyOpenSSL==17.5.0
  pyotp==2.2.6
  pyparsing==2.2.0
  pyperclip==1.6.0
  pyproj==1.9.5.1
  pyqtgraph==0.10.0
  pyserial==3.4
  pyshp==1.2.12
  pysmbc==1.0.15.6
  pysmi==0.3.1
  pysnmp==4.4.4
  python-apt==1.6.0rc2
  python-dateutil==2.6.1
  python-debian==0.1.32
  python-debianbts==2.7.2
  python-editor==0.4
  python-pam==1.8.2
  pytz==2018.3
  pyxdg==0.25
  PyYAML==3.12
  reportbug==7.1.10
  requests==2.18.4
  ruamel.yaml==0.15.34
  scipy==0.19.1
  SecretStorage==2.3.1
  simplejson==3.13.2
  six==1.11.0
  smoke-zephyr==1.2.0
  sortedcontainers==1.5.7
  SQLAlchemy==1.2.5
  tabulate==0.8.2
  termcolor==1.1.0
  termineter==1.0.4
  tornado==5.0
  tzlocal==1.5.1
  unattended-upgrades==0.1
  urllib3==1.22
  urwid==2.0.1
  wafw00f==0.9.4
  webencodings==0.5
  websocket-client==0.37.0
  Werkzeug==0.14.1
  wsproto==0.11.0
  XlsxWriter==0.9.6

Current Behavior

fail to bruteforce the technicolor router and ends with connections errors even target expose ftp,telnet service and is vulnerable and i only run one attack to the target at a time.

Expected Behavior

try all usernames and passwords on vulnerable technicolor routers successfully we have many Technicolor TD5130 routers that users want to update to avoid a certain wps attack but firmware update can only be done via ftp and ftp creds are not known . rsf brute-force are not working with connection errors where i'm running only one instance on the target

[lucyoa]

I'm unable to reproduce this behaviour. I don't have access to Technicolor TD5130 model though :/ Since the issue is with FTP and Telnet (which are completely two different implementations) the actual problem might be somewhere else.

Have you tried manually authenticate to these devices using "telnet" or "ftp" clients? If so, please paste the output so we could try to figure out whats wrong.

[routeropps]

Hi, I have the same issue, any solution please ?