NTE (NetgearTelnetEnable) ========================= NTE version 0.6 2021-09-07 Steven M. Schweda ------------------------------------------------------------------------ NTE enables Telnet access on Netgear routers whose firmware responds to the UDP message sent by this program. (Among these are the D7000 and R7000 (some older firmware versions).) NTE is intended to be a simple, portable, self-contained C program. This program and its relatives have a long and varied heritage. This adaptation began with a source kit from: https://github.com/insanid/NetgearTelnetEnable In general, the code which constructs the message to be sent to the router is largely unchanged. Most other code has been replaced. Files with an "_orig" suffix are preserved from their original source kit(s). - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - All the serious work (reverse engineering) was done by others. Anyone who wants more credit for the original code is welcome to ask. The original (insanid) README said the following: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Modified to work with newer Netgear routers R7000 R7500 by insanid Windows telnetenable-win.c and binary by LuKePicci Based on https://github.com/davejagoda/NetgearTelnetEnable For more information: http://wiki.openwrt.org/toh/netgear/telnet.console Comments from original README.md: This code did not quite work for me on OS X, but it was OK on Debian: http://www.seattlewireless.net/telnetenable.c I've made changes so it works on OS X 10.7.4. I've also added some comments to clarify what was wrong. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - The scheme using the SHA256 hash of the password instead of the plain-text password in the message sent to the router was adapted from the Python code at: https://github.com/bkerler/netgear_telnet The actual SHA256 code (sha256.c, sha256.h) was adapted from the public-domain source code at: https://github.com/983/SHA-256 ------------------------------------------------------------------------ News ---- Version 0.6 2021-09-07 ----------------------- - Changed to parse more thoroughly a MAC address with colon separators ("dd:dd:dd:dd:dd:dd"). "::" -> ":00:", ":d:" -> ":0d:". Previously, a MAC address with a leading zero, like "04:A1:51:2B:F2:38", would be mishandled if specified without the leading zero. For example, "mac=4:A1:51:2B:F2:38". Some invalid MAC addresses are still accepted. (nte.c) - Added command-line option "sha256", which replaces the plain-text password in the message sent to the router with its SHA256 hash (hexadecimal text). Some recent router models (firmware versions) might require this. With or without the password scrambling, this code also sends a longer message (more space for the password) than previous NTE versions. (descrip.mms, Makefile, nte.c, sha256.c (new), sha256.h (new), vms/stdint (new), win32/nte.vcxproj, win32/nte.vcxproj.filters) - New "debug" mask bits enable display of the SHA256 password hash (when enabled), and (crude) hex dumps of the message data. "debug" without a mask argument now enables all messages except the message dumps. An explicit mask is needed to enable the new message dumps. (nte.c) - On Windows, added code to use FormatMessageW() to provide message text for a Windows-specific error. (nte.c) - Changed the VMS builders to put product files into an architecture-specific subdirectory. Added CLEAN_ALL target and LIST option. Socket code has problems with TCPIP V5.3 - ECO 4 on VAX. (descrip.mms) - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Version 0.5 2017-08-01 ----------------------- - New. ------------------------------------------------------------------------ Build ----- UNIX and UNIX-like (including GNU/Linux and macOS): make VMS: MMS ! Or MMK Windows: Visual Studio (2010 Express) project and solution files are provided in the "win32" directory. These should work with any newer Visual Studio version up through (at least) 2019 (Community). Manually compiling and linking the code should also be possible. The actions in "Makefile" or "descrip.mms" should serve as a guide, if any is needed. ------------------------------------------------------------------------ Installation ------------ On any operating system, the NTE executable can be copied to any desired destination. (On a UNIX[-like] system, for example, "/usr/local/bin" might be a reasonable choice.) On a UNIX[-like] or Windows system, this destination directory should appear on the user's PATH, or else an explict path to the NTE executable may be needed. On VMS, it can be helpful to define a foreign-command symbol: NTE == "$ dev:[dir]NTE.EXE" ------------------------------------------------------------------------ Usage ----- Running NTE with no arguments should show usage instructions like the following (here, on a Mac): pro3$ ./nte nte 0.6 (2021-09-07) Usage: nte mac=mac_addr name=dns_name password=pass user=user_name [sha256] [debug[=mask]] Keywords may be abbreviated and in any case (e.g.: M=mac_addr). MAC address (mac_addr) may include colons, and digits a-f in any case. DNS name (dns_name) may be a name or an IP address. "sha256" causes an SHA256 hash of the password to be sent to the router instead of the plain-text password itself. See source for debug details. "debug" with no mask enables many. Example: nte m=50:6b:03:e9:ad:86 n=192.168.0.1 u=admin p=password - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - NTE Command Arguments --------------------- For details on the required information, reading the router's User Manual may be helpful. The IP address to specify is that of the router's "LAN port", NOT that of its WAN port ("Internet Port"). Common default LAN IP addresses for these routers include 192.168.0.1, 192.168.1.1, and 10.0.0.1. If your router's LAN interface is in your local "hosts" file or in your DNS data, then its name may be used instead of its address. The MAC address to specify is that of the router's "LAN port", NOT that of the WAN port ("Internet Port"). On the router's managment Web site, a menu path like "ADVANCED" or "ADVANCED > Administration > Router Status" might provide this under "Router Information". Note that with NTE, case and colons don't matter, so copy+paste of the MAC address as displayed should work. The default user name and password may be "admin" and "password", but the password may have been changed by the user. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Other, similar programs may expect the arguments without labels, in a particular order. NTE uses a different syntax, as shown above, and the "keyword=value" specifications may be in any order. Unlike the code on which NTE is based, NTE attempts to read a (UDP) response from the router after the magic message is sent. Experiment reveals that if the enable message succeeded, the router sends a reply message ("ACK"). ------------------------------------------------------------------------