Reverse engineering hacked SB6141

No replies
pookabooms
Neophyte
Joined: 2019/05/06

Hi, first post, obligatory apology if I'm doing it wrong. I'm not experienced with this stuff, but I'm learning Linux and I'm using Kali Linux right now to practice getting good with it.

I've got a hacked SB6141 which gets download speeds of around 200 mbps. I bought it off a guy who says he's been running it for 7 years, but doesn't want to tell me how he did it. I'm trying to figure out what he did to make it work. When I look at the snmpwalk results (which only worked one time; every other time I tried to run it, it timed out), I'm seeing 42 down and 30 up. However, it is always around 200. I suspect, now that I watched the Defcon 18 presentation on DOCSIS, that what's been done is they've changed the DNS so the modem is anonymous and flashed a custom config file so that the speed is high. However, I don't think that was done using Haxorware or anything else, because the box has not been opened that I can tell.

Couple of things:

1. When I go to the modem GUI (a pathetic thing on Comcast), the IP address is the standard IP for this modem, and the MAC matches the MAC on the sticker. However, the seller told me he'd changed the MAC to something with mostly 1s and 0s in it, though he may have said the 1s and 0s just to make me think he's a l33t hacker.

2. None of the regular ports are open except for 80 for HTTP. There are two UDP ports open for SNMP and SNMP trap (161 and 162). Nothing else is accessible, so I can't access the modem through PuTTY in any way that I know of (like port 22 and SSH).

3. I also know that he's changed the community from public to private (as the snmpwalk did not work until I put private in as a guess).

4. Given that the modem itself reports on the GUI the MAC address on the box, and I can access the GUI through the default IP, I suspect that he is actually spoofing the default IP address and MAC so that it looks legit, but that on the "inside" it's using something else and has different DNS servers.

Questions:

1. How do I see what firmware is actually being used on the modem? snmpwalk reports the typical SB_KOMODO, but I really don't think that's what it really is.

2. Is there a way I can open up some ports and what would that do for me?

3. How can I find out what the actual MAC address and IP address are?

4. Am I on the wrong track completely?

5. How do I figure out exactly what he did? I'd like to see the real config file and what DNS server it's set to, too. All my Google-fu gives me is changing DNS servers for routers or devices, but not for modems, but the Defcon 18 presentation was clear that it was necessary to change the DNS server on the modem.

Thanks for your help!