Sunday, July 29, 2018

Arris model DG3270A SNMP and backup decoding

I have a remote install of XTension set up at my mother-in-law's condo. The internet and TV company there started with DSL modems in the building, but it's an older building and the wires in the walls never produced a very good connection. They finally got around to putting a cable head end in the basement and switched everyone to cable modems. They did this without calling me first or otherwise letting me know that they were going to show up and drop in a new modem, which made everything I have installed there for home automation drop off the network and killed all my incoming passthroughs and such. I got there last night to have a look at the new modem and set everything back up, and I discovered some interesting things.

The modem is an Arris DG3270A and actually works pretty nicely. The wifi is significantly better than the old modem's: it supports a 5 GHz network as well as 2.4 GHz, AND it will let you set both the 2.4 GHz and 5 GHz networks to the same network name. This is the preferable way to do it, as your devices will migrate between the two as needed and you won't be using the faster 5 GHz one, walk upstairs or into a bedroom, have it drop out and have to manually switch to the other. Your device will just always connect to the strongest one.

They have the interface set up so that you can do almost all the configuration you'd want yourself. The default password on the box had not been changed, which in this case was just admin/password. There are many different models, and many providers lock you out of these settings. With the old modem I actually had to call the company to get the password; they told me they would give it to me but would charge me for the service call if I screwed it up ;) I didn't screw it up ;)

I was able to change the DHCP range to carve out the same block of static IPs that I give to her XTension machine and the Vera there, as well as set up the couple of passthroughs so that I can ssh into the machine and reach the webcam if necessary. It even has dynamic DNS support, so I was able to add the modem to my account there and have it update that info too. I also have the client running on the Mac in her closet, but it never hurts to have a backup for such things; without that updated I can't talk back to her machine very easily.

With the previous modem I had written a little script that polled the status page of the modem periodically and dumped the noise and signal level values of the DSL line into XTdb for graphing. It was interesting to watch how bad the wires in the building were and how they slowly got worse over time. It really was time to either pull more wires or switch to the cable system as they had been promising to do for so long. So I went looking for the same status info for the cable modem to see if there was anything interesting to parse out and track just for fun.

Even though the modem is on the standard router address of 192.168.0.1, there is another page that gives all the status information on address 192.168.100.1, which seems strange to me: why run it on a separate IP like that and not just on a different link on the main router address? I suppose it's possible that it's bound to that network and IP address regardless of what NAT network you have the rest of your network set to, so perhaps it will still work even if your network is set to use the 10.0.0.xxx range. I don't know, but it seems needlessly complicated.

There is a lot of fun info there that I'll probably parse out in the future, though I hope the cable modem will be operating well enough that I won't really care. At the very end of the tab bar across the top, though, is a tab called "Advanced", and so I had to have a look at that, only to be presented with a password field. It is obviously set up with a daily password system that takes a known salt and does some kind of hash or encryption against the date to come up with a password that changes every day. This is really a good idea: even if the user is looking over your shoulder and sees the password, or you have to send a password to someone in an email or something, after that day it's no longer valid and they can't publish it and let the entire internet into the machine to screw everything up. Indeed, searching on the internet led to several sites with information about this and even daily password calculators like this one: arris password of the day generator. That one didn't work, as it seems each company changes the salt value for it. I never did get into that screen, but I did learn some interesting things in trying to find out what it was.

On that site above he talks about decoding the router.data file that you can download from the regular interface as a backup, which I had already done. On his page he talks about having to untar it and then decrypt it. None of that was necessary for my file from this machine. It turned out that each line was just base64 encoded. Each line has to be decoded separately; you can't decode the entire file as one blob. There was no other encryption.

The file that resulted had some initial setup stuff that starts with MAC-address-like data and long hex strings, none of which were the right length to have been the salt for the daily password, unfortunately. The hex strings next to each MAC address are just ASCII, and decode to the device host names the modem learned over DHCP. Then there is a user section with a long list of SNMP-looking OIDs and all the configuration data that I had entered into the machine. Each of those lines has the form OID=value;type;&_=@<timestamp>SOURCE, and the type number looks like an SNMP BER tag (4 is OCTET STRING for the strings, 2 is INTEGER for the flags, and 66, which is 0x42, is Gauge32/Unsigned32 for the port numbers), though nothing in the file says so. Again nothing that looked like the salt, but if the device supports SNMP then it may be possible to scan more values in there and find that, as well as lots of other information. Of course there are no comments or anything else in the file that would help you figure it out. I present mine here with any real data or password information changed. If you would benefit from seeing the actual data in these fields I'll send you the real file; I doubt anyone really cares about getting on the wifi at my mother-in-law's house, but I'm still not posting the passwords to the internet.


<POSTDATAVER>
version 4
</POSTDATAVER>
<CLIENTDB>
version 1
8c:ec:4b:e8:be:0f 0 4c2d31303639 7e6e6f636f6d6d656e747e 00000000
00:0e:8f:92:e4:f1 0 756e6b6e6f776e 7e6e6f636f6d6d656e747e 00000000
48:bf:6b:71:89:b3 0 4d696e64794e6168736950686f6e65 7e6e6f636f6d6d656e747e 00000000
40:4d:7f:1c:2a:a6 0 4d696e64797341706c655761746368 7e6e6f636f6d6d656e747e 00000000
dc:a9:04:8c:f2:c8 0 4a616d65732d4d6163626f6f6b 7e6e6f636f6d6d656e747e 00000000
48:d7:05:d9:14:bf 0 4d696e64794e616841697232303134 7e6e6f636f6d6d656e747e 00000000
</CLIENTDB>
<USR>
1.3.6.1.4.1.4115.1.3.7.1.1.10.0=admin;4;&_=@<20180419 233953>TR69 (likely the admin password user name, though I do not see the actual
admin password here. Likely it will only be present if you set it to something
other than the default which was just "password")
1.3.6.1.4.1.4115.1.3.7.1.1.6.0=10800;66;&_=@<20180606 120200>TR69
1.3.6.1.4.1.4115.1.20.1.1.3.22.1.3.10001=1;2;&_=@<20180727 085921>USER
1.3.6.1.4.1.4115.1.20.1.1.3.22.1.3.10101=1;2;&_=@<20180727 085923>USER
1.3.6.1.4.1.4115.1.20.1.1.2.2.1.11.200=%24C5A81164;4;&_=@<20180728 182904>USER (%24 is a URL-encoded "$" followed by 8 hex digits, altered from what they really were)
1.3.6.1.4.1.4115.1.20.1.1.2.2.1.19.200=1;2;&_=@<20180728 182904>USER
1.3.6.1.4.1.4115.1.20.1.1.3.26.1.2.10001=wifipassword;4;&_=@<20180728 183201>USER (one of these is the password for the 2.4 ghz and one for the 5ghz
1.3.6.1.4.1.4115.1.20.1.1.3.26.1.2.10101=wifipassword;4;&_=@<20180728 183446>USER since I have them set to the same I don't know which is which)
1.3.6.1.4.1.4115.1.20.1.1.4.21.0=1;2;&_=@<20180728 183615>USER
1.3.6.1.4.1.4115.1.20.1.1.3.22.1.2.10001=wifi SSID;4;&_=@<20180728 184019>USER (the SSID of the 2.4 and 5ghz wifi networks, again I have them set
1.3.6.1.4.1.4115.1.20.1.1.3.22.1.2.10101=wifi SSID;4;&_=@<20180728 184104>USER to the same value so I don't know which is which)
1.3.6.1.4.1.4115.1.20.1.1.4.12.1.2.1=name of a NAT map;4;&_=@<20180728 184933>USER (this is a NAT port mapping
1.3.6.1.4.1.4115.1.20.1.1.4.12.1.3.1=start port;66;&_=@<20180728 184934>USER there are 4 port setting associated with each mapping, the external
1.3.6.1.4.1.4115.1.20.1.1.4.12.1.4.1=end port;66;&_=@<20180728 184934>USER start and end port and the internal start and end port. I don't know
1.3.6.1.4.1.4115.1.20.1.1.4.12.1.5.1=1;2;&_=@<20180728 184935>USER which of these 4 values here is which as I am passing through only one port
1.3.6.1.4.1.4115.1.20.1.1.4.12.1.7.1=%24C1A81042;4;&_=@<20180728 184936>USER so all 4 values were the same.)
1.3.6.1.4.1.4115.1.20.1.1.4.12.1.9.1=start port;66;&_=@<20180728 184937>USER
1.3.6.1.4.1.4115.1.20.1.1.4.12.1.10.1=end port;66;&_=@<20180728 184938>USER
1.3.6.1.4.1.4115.1.20.1.1.4.12.1.11.1=1;2;&_=@<20180728 184939>USER
1.3.6.1.4.1.4115.1.20.1.1.4.12.1.2.2=another port map;4;&_=@<20180728 192237>USER (another port mapping here)
1.3.6.1.4.1.4115.1.20.1.1.4.12.1.3.2=start port;66;&_=@<20180728 192237>USER
1.3.6.1.4.1.4115.1.20.1.1.4.12.1.4.2=end port;66;&_=@<20180728 192238>USER
1.3.6.1.4.1.4115.1.20.1.1.4.12.1.5.2=1;2;&_=@<20180728 192238>USER
1.3.6.1.4.1.4115.1.20.1.1.4.12.1.7.2=%24C1A84012;4;&_=@<20180728 192239>USER
1.3.6.1.4.1.4115.1.20.1.1.4.12.1.9.2=start port;66;&_=@<20180728 192240>USER
1.3.6.1.4.1.4115.1.20.1.1.4.12.1.10.2=end port;66;&_=@<20180728 192240>USER
1.3.6.1.4.1.4115.1.20.1.1.4.12.1.11.2=1;2;&_=@<20180728 192240>USER
1.3.6.1.4.1.4115.1.20.1.1.4.12.1.2.3=another port map;4;&_=@<20180728 192319>USER (yet another NAT mapping)
1.3.6.1.4.1.4115.1.20.1.1.4.12.1.3.3=ext port start;66;&_=@<20180728 192319>USER (in this case I can see this is the external port)
1.3.6.1.4.1.4115.1.20.1.1.4.12.1.4.3=ext port end;66;&_=@<20180728 192320>USER
1.3.6.1.4.1.4115.1.20.1.1.4.12.1.5.3=1;2;&_=@<20180728 192320>USER
1.3.6.1.4.1.4115.1.20.1.1.4.12.1.7.3=%24C5A80BC4;4;&_=@<20180728 192321>USER
1.3.6.1.4.1.4115.1.20.1.1.4.12.1.9.3=int port start;66;&_=@<20180728 192322>USER
1.3.6.1.4.1.4115.1.20.1.1.4.12.1.10.3=int port end;66;&_=@<20180728 192322>USER
1.3.6.1.4.1.4115.1.20.1.1.4.12.1.11.3=1;2;&_=@<20180728 192323>USER
1.3.6.1.4.1.4115.1.20.1.1.4.18.1.0=1;2;&_=@<20180728 202234>USER
1.3.6.1.4.1.4115.1.20.1.1.4.18.2.0=1;2;&_=@<20180728 202235>USER
1.3.6.1.4.1.4115.1.20.1.1.4.18.3.0=dyndns username;4;&_=@<20180728 202235>USER
1.3.6.1.4.1.4115.1.20.1.1.4.18.4.0=dyndns password;4;&_=@<20180728 202236>USER
1.3.6.1.4.1.4115.1.20.1.1.4.18.5.0=dyndns hostname;4;&_=@<20180728 202236>USER
</USR>


Note that I've munged the data above, including the hex values, just so I don't expose something important. Not that I think there is anything anyone could do with this info who wasn't already standing in her living room, but still. Since I don't know what it is, I altered it but kept the layout, length and format the same. My comments in parentheses are also obviously not part of the actual file. Also note that the wifi passphrase and the dynamic DNS username and password sit in this file in the clear, protected by nothing but base64, so a router.data backup should be stored and shared as carefully as any other password file.
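To make the line-by-line base64 decoding and the layout of the decoded file concrete, here is an added example (my code, not the author's script and nothing from Arris or the cable company). It builds a constructed sample backup from the redacted lines shown above, base64-encoded one line at a time the way the real router.data is, then decodes it, splits it into the <POSTDATAVER>/<CLIENTDB>/<USR> sections, turns the hex host names in CLIENTDB back into text, parses each USR line into OID, value, type, timestamp and source, and flags the OIDs that hold credentials. Two things in it are my assumptions rather than anything the post confirms: that the type number is a BER tag (4 OCTET STRING, 2 INTEGER, 66 Gauge32), and that a "$" followed by 8 hex digits is a four-byte IPv4 address (the author altered those values, so the dotted form is only a hint).

```python
import base64
import re
import urllib.parse

# Constructed sample: the redacted lines shown in this post, each base64
# encoded on its own line the way the real router.data is. Not the real file.
_DECODED_SAMPLE = [
    "<POSTDATAVER>", "version 4", "</POSTDATAVER>",
    "<CLIENTDB>", "version 1",
    "8c:ec:4b:e8:be:0f 0 4c2d31303639 7e6e6f636f6d6d656e747e 00000000",
    "00:0e:8f:92:e4:f1 0 756e6b6e6f776e 7e6e6f636f6d6d656e747e 00000000",
    "</CLIENTDB>",
    "<USR>",
    "1.3.6.1.4.1.4115.1.3.7.1.1.10.0=admin;4;&_=@<20180419 233953>TR69",
    "1.3.6.1.4.1.4115.1.20.1.1.4.12.1.7.1=%24C1A81042;4;&_=@<20180728 184936>USER",
    "1.3.6.1.4.1.4115.1.20.1.1.4.18.4.0=dyndns password;4;&_=@<20180728 202236>USER",
    "</USR>",
]
SAMPLE_BACKUP = "".join(base64.b64encode(l.encode()).decode() + "\n" for l in _DECODED_SAMPLE)


def decode_backup(text):
    """Decode router.data one line at a time; the file is not a single base64 blob."""
    lines = []
    for raw in text.splitlines():
        raw = raw.strip()
        if raw:
            lines.append(base64.b64decode(raw, validate=True).decode("utf-8", "replace"))
    return lines


def split_sections(lines):
    """Group decoded lines by the <NAME> ... </NAME> block they sit in."""
    sections, current = {}, None
    for line in lines:
        m = re.fullmatch(r"<(/?)([A-Z0-9]+)>", line)
        if m:
            sections.setdefault(m.group(2), [])
            current = None if m.group(1) else m.group(2)
        elif current is not None:
            sections[current].append(line)
    return sections


def parse_clientdb(lines):
    """CLIENTDB rows: mac flag hostname_hex comment_hex tail. The hex fields are ASCII."""
    clients = []
    for line in lines:
        parts = line.split()
        if len(parts) == 5 and re.fullmatch(r"([0-9a-f]{2}:){5}[0-9a-f]{2}", parts[0]):
            clients.append({
                "mac": parts[0],
                "name": bytes.fromhex(parts[2]).decode("utf-8", "replace"),
                "comment": bytes.fromhex(parts[3]).decode("utf-8", "replace"),
            })
    return clients  # the "version 1" header row is skipped


# ASSUMPTION (mine): the number after the value is an SNMP BER tag.
TYPE_NAMES = {2: "INTEGER", 4: "OCTET STRING", 66: "Gauge32"}

# OID=value;type;&_=@<timestamp>SOURCE, as in the USR listing above.
_USR_RE = re.compile(r"^(?P<oid>[\d.]+)=(?P<value>.*?);(?P<type>\d+);&_=@<(?P<stamp>[^>]*)>(?P<source>\w+)$")


def parse_usr(lines):
    entries = []
    for line in lines:
        m = _USR_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["type_name"] = TYPE_NAMES.get(int(e["type"]), "unknown")
        e["value"] = urllib.parse.unquote(e["value"])  # "%24C1A81042" -> "$C1A81042"
        # ASSUMPTION (mine, not stated in the post): "$" + 8 hex digits is four
        # bytes, the size of an IPv4 address. Kept separate from the raw value.
        e["ipv4_guess"] = None
        if re.fullmatch(r"\$[0-9A-Fa-f]{8}", e["value"]):
            e["ipv4_guess"] = ".".join(str(b) for b in bytes.fromhex(e["value"][1:]))
        entries.append(e)
    return entries


# OID prefixes that hold credentials in the listing above (the wifi passphrase
# rows are indexed .10001 and .10101, so that one is matched as a prefix).
SECRET_OIDS = {
    "1.3.6.1.4.1.4115.1.20.1.1.3.26.1.2.": "wifi passphrase",
    "1.3.6.1.4.1.4115.1.20.1.1.4.18.4.0": "dyndns password",
}


def find_secrets(entries):
    """Return (label, oid) for every entry whose OID is a known credential field."""
    hits = []
    for e in entries:
        for prefix, label in SECRET_OIDS.items():
            if e["oid"].startswith(prefix):
                hits.append((label, e["oid"]))
    return hits


if __name__ == "__main__":
    sections = split_sections(decode_backup(SAMPLE_BACKUP))
    for c in parse_clientdb(sections.get("CLIENTDB", [])):
        print("client", c["mac"], c["name"], c["comment"])
    usr = parse_usr(sections.get("USR", []))
    for e in usr:
        print(e["source"], e["stamp"], e["oid"], "=", e["value"], e["type_name"], e["ipv4_guess"] or "")
    for label, oid in find_secrets(usr):
        print("credential stored in the clear:", label, oid)
```

To run it against a real backup, replace SAMPLE_BACKUP with the contents of the downloaded router.data; the decode step rejects anything that is not valid base64, so a file that has been tarred or encrypted (as on the other site mentioned above) will fail loudly rather than produce garbage.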

So it may be possible to set up these devices via SNMP, including all the port mappings you wish as well as any other user data. That's potentially useful if you want to dynamically turn port mappings on and off or something like that. I'm sure that much more data is available to a real SNMP dump of the thing, assuming it doesn't require other passwords or encryption to set the data. In future visits I will play with the SNMP properties of the modem, but I didn't have a chance to do that this trip. I might be able to get the connection quality and error rate that way, which would be interesting to graph.

If someone can see the salt for the advanced daily password in that, I'd sure love to know what it is. It may be discoverable via a different SNMP OID and I'll experiment with that in the future.