Hello friends, this time I bring you top-notch material ;), it’s about how to modify filtering rules on Zyxel Prestige P-660HW-D1, P-660R-D1 routers via SNMP. These devices come configured with a default community for both reading and writing, so the device can be configured remotely via SNMP.

To begin, let’s download and compile the braa tool, which is an SNMP scanner.

Now that we have braa on our system, we request an OID for a range of addresses. This OID is to request the system name from Zyxel equipment (each manufacturer uses its own MIB).

Now we just need to select the victim.

We check that the ports are closed:

Starting Nmap 4.53 ( http://insecure.org ) at 2009-06-22 19:12 CEST
Interesting ports on 100.Red-88-22-xyz.staticIP.rima-tde.net (88.22.xyz.100):
PORT STATE SERVICE
21/tcp filtered ftp
23/tcp filtered telnet
80/tcp filtered http

Now we open them.

For P-660HW-D1 models:

It can be deduced that the logic is port+1, we want to open port 80 –> i"port+1" –> i80+1 –> i81

We check that they are really open:

Starting Nmap 4.53 ( http://insecure.org ) at 2009-06-22 19:09 CEST
Interesting ports on 100.Red-88-22-xyz.staticIP.rima-tde.net (88.22.xyz.100):
PORT STATE SERVICE
21/tcp open ftp
23/tcp open telnet
80/tcp open http

To leave it as before:

We check that they are closed again.

Starting Nmap 4.53 ( http://insecure.org ) at 2009-06-22 19:12 CEST
Interesting ports on 100.Red-88-22-xyz.staticIP.rima-tde.net (88.22.xyz.100):
PORT STATE SERVICE
21/tcp filtered ftp
23/tcp filtered telnet
80/tcp filtered http

You see, it seems incredible, but I can attest that it works ;)

In the P-660R-D1 model:

To remedy all this, SNMP will have to be configured with a less known community, hehehe.

People usually don’t change the default password of home routers since they disable access on the WAN interface, but this way BANG!! we are inside.