The pfSense Store

Author Topic: Actiontec MI424-WR Router Impersonation  (Read 2471 times)

0 Members and 1 Guest are viewing this topic.

Offline NOYB

  • Sr. Member
  • ****
  • Posts: 440
  • Karma: +0/-0
    • View Profile
Actiontec MI424-WR Router Impersonation
« on: August 16, 2011, 01:57:33 am »
Impersonation of other routers is probably also possible with appropriate alterations.

# Actiontec MI424-WR Router Impersonation

#   ISP:      Verizon FiOS
#   Router Make:   (Verizon) Actiontec
#   Router Model:   MI242-WR
#   Router HW:   Rev. C
#   Router FW:   4.0.16.1.56.0.10.11.6 (Verizon Provided)

#   ISP:      Frontier FiOS
#   Router Make:   (Frontier) Actiontec
#   Router Model:   MI424-WR
#   Router HW:   Rev. C
#   Router FW:   4.0.16.1.56.0.10.12.4.1 (Frontier Provided)

# pfSense 2.0 RC3 (FreeBSD 8.1)

File:
/etc/inc/interfaces.inc

Notes:
Probably will survive reboot.
Probably will not survive an update.

dhcp-class-identifier (dhcp option 60) is not in FreeBSD 8.1 Manual (at least I could not find it there).

Replace These Option-125 Strings Portions With Your Actiontec Router WAN MAC Address:
ASCII: 00180160EB84
HEX:   30:30:31:38:30:31:36:30:45:42:38:34


Replace This:
Code: [Select]
/*
$dhclientconf .= <<<EOD
interface "{$wanif}" {
timeout 60;
retry 1;
select-timeout 0;
initial-interval 1;
{$dhclientconf_hostname}
script "/sbin/dhclient-script";
}

EOD;
/**/


With This:
Code: [Select]
/* Get MAC as ascii string and strip out colon (:) delimiters. */
$dhcpclientconf_mac_ascii = str_replace(":", "", strtoupper(get_interface_mac($wanif)));

/* Convert MAC ascii string to HEX with colon (:) delimiters. */
$dhcpclientconf_mac_hex = "";
$delimiter = "";
for($i = 0; $i < strlen($dhcpclientconf_mac_ascii); $i++) {
$dhcpclientconf_mac_hex .= $delimiter. bin2hex($dhcpclientconf_mac_ascii[$i]);
$delimiter = ":";
}

$dhclientconf .= <<<EOD
interface "{$wanif}" {
timeout 60;
retry 1;
select-timeout 0;
initial-interval 1;

 send dhcp-class-identifier "Wireless Broadband Router"; # Option 60 ## Hard Coded Class Identifier
 send dhcp-client-identifier ""; # Option 61  ## Blank to Prevent Send

 send host-name "Wireless_Broadband_Router"; # Option 12 ## Hard Coded Host Name
#send host-name "{$wancfg['dhcphostname']}"; # Option 12 ## Obtained From Web Configurator (WAN Hostname Setting)

 send domain-name "home"; # Option 15 ## Hard Coded Domain Name

# V-I Vendor-specific Information # Option 125 ## Hard Coded MAC
#send option-125 "\\x00\\x00\\x0d\\xe9\\x1f\\x01\\x06000FB3\\x02\\x0c00180160EB84\\x03\\x07MI424WR";
 send option-125 00:00:0d:e9:1f:01:06:30:30:30:46:42:33:02:0c:30:30:31:38:30:31:36:30:45:42:38:34:03:07:4d:49:34:32:34:57:52;

# V-I Vendor-specific Information # Option 125 ## Obtained From Web Configurator (WAN MAC Address Spoof Setting)
#send option-125 "\\x00\\x00\\x0d\\xe9\\x1f\\x01\\x06000FB3\\x02\\x0c{$dhcpclientconf_mac_ascii}\\x03\\x07MI424WR";
#send option-125 00:00:0d:e9:1f:01:06:30:30:30:46:42:33:02:0c:{$dhcpclientconf_mac_hex}:03:07:4d:49:34:32:34:57:52;

# Parameter Request List # Option 55 ## Hard Coded Parameter Request List
 request subnet-mask, broadcast-address, time-offset, routers, domain-name, domain-name-servers, time-servers, log-servers, default-ip-ttl, interface-mtu, vendor-encapsulated-options, dhcp-requested-address, dhcp-lease-time, dhcp-server-identifier, dhcp-parameter-request-list,   dhcp-class-identifier, dhcp-client-identifier, www-server, option-125;

 require subnet-mask, domain-name-servers, routers; # These are required by the client

 script "/sbin/dhclient-script";
}

EOD;

« Last Edit: August 17, 2011, 01:50:15 am by NOYB »

Offline NOYB

  • Sr. Member
  • ****
  • Posts: 440
  • Karma: +0/-0
    • View Profile
Re: Actiontec MI424-WR Router Impersonation
« Reply #1 on: August 17, 2011, 03:35:55 am »

Attached PHP include file will make it easier to apply and restore after updates.

As well as switch between multiple impersonation configurations of other routers.

Usage info is included in the file.