January 26, 2015 at 05:13 PM

Access was obtained to thousands of personal data of users of "Beeline wired Internet»

Information Security

Forgive me for the pretentious headline, but once, then we will continue. Personally, I have always liked such posts.

So, we will talk about the vulnerability of the Beeline provider known in Moscow time (and not only). Many people remember him under the name Corbina. Without a doubt, this is one of the leading Internet providers with a long and good history. At one time, he was a salvation, thanks to high-quality and fast Internet, intranet networks, etc. V currently the provider's employees are aware of the vulnerabilities and the most critical ones have already been closed. However, I am sure that many will discover a lot of new and interesting things. Moreover, the technique is applicable to almost any provider.

By the will of fate, I ended up in a removable Khrushchev. I had a Megafon whistle. Since I had to stay there for a week, I was not bothered by the absence fixed internet... However, my stay there dragged on. I decided that it was not a problem, since I was armed with a toolkit for wardriving. But I could not get anything in a couple of days, except for the open Yota networks(facepalm). As you might have guessed from the title of the post, I found a painfully familiar orange wire in the hallway of the apartment. I connected it - it was Beeline. It would seem that this is just an orange wire. And nevertheless, this is at least a 100MB channel (optimal) with access to local area network(Maybe). In our case, whois said it was 10.0.0.0/8 subnet. It is clear that not all ip will be available, but it's better than nothing.

This is where nmap enters the battle. I forgot about him in the early 2000s, because like the era of open ports is over. However, at the beginning of 2010, I remembered about it again, because all kinds of nosql and other sub-services, which were often without authorization, gained wide popularity. nosql saved on everything in the pursuit of performance, and a bunch of sub-services, such as Zabbix, Jenkins, etc. often turned out to be either open, from the category "who knows that my port 12345 is open", or full of holes. The same zabbiks had a bunch of holes, including sqli without authorization. In short, routers were my goal. 80th ports. Previously, they were often open to the outside, now providers block the outside by default, like the routers themselves. But I was local to them.

I started scanning with nmap, but quickly changed my mind, as he suggested that I wait a couple of days. A zmap was sent into battle. You can read about it, but in short, it is a very fast and narrow alternative to nmap. zmap scanned the same subnet in 2 minutes.

Vulnerability # 1
Not having a login / password from "Beeline", just plugging in the wire, I got access to all local resources and devices (routers, cameras, voip pieces of iron, etc.)

The fact that there were default logins / passwords on the pieces of iron, I won't even consider it a vulnerability. As old as the world. From the category “why should I bet complex password to your router, if it is local. " Or, even more often: "Oh, that's it."

However, a more interesting detail awaited me further. 80% of routers that I found are dir300 with Beeline firmware. Without a doubt, this is one of the most reliable and affordable routers that does its job in full. When I came across non-standard logins / passwords, I decided to see what goes where and how. Those. opened the inspector in a browser and started sniffing requests. Amazing nearby! It turned out that Beeline's firmware returned the following to an attempt at incorrect authorization:

(auth: false)
However, the firmware for some reason sent several requests for authorization at once. Simultaneously. And when the first one just swore auth: false, the second one produced something like:

(auth: false,… settings: (ssid: "blablabla", wpakey: "12345678", login: 089746254 password: "lovelove123"…))
Those. the firmware seemed to say that auth: false, sorry guy. But at the same time, along the way, I gave away all the settings of the router, including the login / pass from the personal account of "Beeline" and from wifi. In some cases, it was generally funny, the webmord swore at the wrong username / password, but she herself showed the username / password, but this was rather an exception, I might have met a couple of such routers:

Vulnerability # 2
The Beeline's firmware for routers sent all the settings of the router itself without knowing the username / password.

I confess, I did not even suspect that everything would turn out like this. Found it all by accident. Indeed, if the firmware did not send several requests at once (obviously by mistake of the developers), I would never have thought of checking its presence.

Even with a login / pass from a personal account, we will not do anything with it. Firstly, as soon as the device has registered under a certain username / password in the Beeline network, no other device can register under this username / password. Secondly, it is hard pale.

We scan routers, collect logins / passwords from wifi. We look at what networks are within reach. We connect to them and sit like partisans. Even networks with huge passwords will not resist. in the router it is stored in open form... Well, so as not to get scorched at all. We take the marker and at the entrance we write the login / password from this wifi network somewhere in a hard-to-reach place. Under the stairs of the first floor, for example. Those. even if they come to you, you turn on the fool and say that under the stairs you found your login and password and a postscript: “Use everything, free wifi».

In my case, I didn't have the patience to collect everything wifi access from all routers. The only network that I quickly found that was within the visibility range of my laptop had good speed, but pings were from 30ms to 7s. With AlfaNetworks, I had a stable signal, but these external wifi cards around the world have a reputation as an assistant ward driver, so it is also pale underneath them.

I kept collecting wifi accesses. There were a lot of them and it bothered me. I wanted the network right now. The simplest and brilliant idea came to mind. Suppose I find a router with port 80 open at 10.82.2.20. Standard dir300. Or anything else, it doesn't matter. Turn off DHCP, and write network settings:

Gateway: 10.82.2.20 (router that you found)
ip: 10.82.2.222 (from the bulldozer in the same subnet)
dns: 8.8.8.8

We connect the network, and, even without intrigue, we have a high-quality Internet via a wire, and not via wifi. We go to the router, look - yes, indeed, we are connected to it as if in lan.

We read again, slowly and delving into every word: We prescribe ANY active IP network as a gateway and have a LAN connection to it.

Fine? In my opinion, quite.

I just had to check a few routers in my personal account for a normal tariff in order to choose "who to be today."
To be honest, this is rather a vulnerability not so much (and not only) of Beeline as of routers. But nonetheless.

Vulnerability # 3
The ability to connect / register locally on any router within the network and get the Internet from it.

Having received moral and aesthetic pleasure, I contacted the representatives of the provider and gave them all the developments.
At the exit, having only a Beeline wire, without knowing the logins / passwords, one could get fast internet for free. As simple as sending 2 bytes.

Some details:

1. 99% of TrendNet routers have a standard login / password. For all the time, I found only 1 or 2 routers from TrendNet, to which the default accesses did not fit.
2. 0% Zyxel routers have a standard username / password. Most likely, when setting up, they require you to change this password.
3. 50% of access to the LC does not change. Anyone familiar with the beeline knows that when concluding a contract, the installer makes a password from the LC either equal to the login, or adds 1 character to the beginning or end of the login.

And here's another thing, at the level of fantasy. Again, quite by accident I stumbled upon a live router, registered it as a gateway and a local 192.168.0.222 for myself. I got the Internet, used it, and then went to the router settings (to 192.168.0.1). I don’t remember why anymore. Maybe check something or something else. Imagine my surprise when a login form for an ADSL router from MTS opened in front of me. I rechecked the network, looked at checkip.dyndns.com, checked the external IP - yes, indeed, this is MTS Internet.

I plugged in the "Beeline" wire, and received the Internet from MTS. I racked my brains for a long time, what is the point here and how this is possible. I connected the system administrator from work and specialists from Beeline to the process. The only one possible variant what i came up with:

1. There is a dude who has both MTS and Beeline Internet, respectively, 2 routers.
2. Both routers are connected to each other.
3. "Beeline" router does not have an Internet and asks for it from the MTS router.
4. "Beeline" router is not in the 192.168.0.0/24 network
5. The MTS router is on the 192.168.0.0/24 network
6. Knowing the local IP of the beeline, inserting it as a gateway, I connect through it to the MTS router and have the Internet from it.

Cool? It is noteworthy that the device disappeared on the 1st of the next month. Presumably, the dude turned off the Beeline.

Thanks to the staff of "Beeline" for the quick response. In particular to the hackers

Today we want to discuss the official Beeline website, its main navigation capabilities and the interface of the personal account.

Beeline website

To visit the official resource of this operator cellular communication, you need to go to the web browser on your computer, laptop or other gadget, at beeline.ru. Immediately after loading the resource, you need to check the correctness of the display of the region at the top of the site. If suddenly the resource incorrectly recognized your home region, change it manually.

Home page

Homepage the company's web resource has a very clear design and user-friendly interface. V top panel we immediately see the main navigation menus:

In the site header:

Choosing the version of the site for individuals;
Choice of version for business clients;
Information about the company.
Region selection;
Button for sending a question to company employees;
Search button.

The main navigation menu, located just below, contains the following buttons:

Products;
Payment;
Help;
Offices and coverage;
Shop.

Naturally, when visiting a resource for up-to-date information, we should be directly interested in the main menu. It is in it, when you hover the mouse cursor, that drop-down lists are displayed, leading to links to the internal sections of the site.

At the bottom of the site, visitors are expected to receive news, contacts for communication with call center operators and company support services, as well as other information that is, perhaps, inherent to the official website of any corporation.

Products

The very first offer on the official website of the mobile operator Beeline is "Products". When they hover over this button, visitors see additional block with lists of available offers from the company. It:

Mobile connection.
Home Internet.
Home TV.
Home phone.

Each of the displayed lists leads to different sections of the site, in which information is available and in most detail, regarding tariffs and services, promotions, additional offers and bonuses related to a certain area of service by the company.

Payment

The next menu also displays drop-down blocks for users of the resource, allowing them to make various financial transactions with their own phone number or phone numbers of other operators. Here we have available:

Account replenishment in automatic mode;
Regular account replenishment;
Payment of a subscriber bill directly from the phone;
Information about the payment card Beeline.

Help

In the next item of the main navigation menu, subscribers are expected to receive information that can help in certain situations when the company's customers are faced with various problems. Unfortunately, problems are a standard practice for users of any innovative service today, so the help of specialists here will not be superfluous. The menu is also divided into blocks and lists according to separate categories.

Offices and coverage

The next sub-item is no longer a drop-down list, but simply leads by link to a separate section of the official website, which contains detailed information about all Beeline offices not only in cities and regions of Russia, but also around the world. In addition, this section contains up-to-date information about the company's coverage.

Shop

As for the link located at the last place of the navigation menu, when you hover over it, site users have the opportunity to see the next drop-down menu. It offers the company's customers a choice of products from the following categories:

Gadgets:
Telephones;
Tablets;
Laptops.
Photo and video equipment;
Accessories.

registration

To access the benefits of your personal account, you first need to register in it. Fortunately, the registration procedure is extremely simple and does not take a lot of time. It is performed as follows:

Visit the company's official website at beeline.ru.
Select the current region if it was not automatically selected correctly.
In the main navigation menu, find the "Personal Account" menu and move the cursor over it.
Select from the drop-down list.
Under the "Password" field, click on the "Get password" link.
Enter your phone number and click "Submit".
Wait for an SMS with a code to activate your account.
You are logged in.

After entering the interface, you can change the dynamic password to the static one. The main thing is to remember it. Although, if you forget it, it doesn't matter, we have already discussed the possibilities of password recovery for your personal account in our other articles.

Detailing

On the next page of the navigation menu of the personal account, users are offered the opportunity to view the details. As you know, detailing is detailed information about the services used, provided by a cellular operator, for a certain period of time.

On Beeline website users are prompted to view the details for the latest:

Day;
A week;
Two weeks;
Month.

In addition, subscribers have the right to compile a more detailed report by selecting the start and end dates that interest them from special lists.

Posts

The section with messages has been created for easy communication with company employees who are ready to help at any time. Thanks to the appeal to specialists from Beeline, subscribers have the opportunity to:

Get the detail.
Order equipment.
Get accurate and detailed answers from the support team.
Make various changes.
Pay for services and make other financial transactions.

In this section, you can not only send a new request to the company's support service operators, but also view archived requests, and re-examine the information provided.

Settings

But the section with settings gives subscribers a really wide range of possibilities. Apart from the fact that here you can change the password for entering your personal account, as well as the ways to restore it, subscribers get the opportunity to configure the following parameters:

Subscriber's personal profile;
Receiving and blocking notifications from the operator;
Provide or block access to other subscribers to manage a specific Beeline phone number.

A personal account, available on the official website of Beeline, gives subscribers extensive opportunities to optimize and efficiently use their personal time to use cellular services.

On this note we end our conversation, but you can also find many other useful information about management personal account Beeline in our other articles on the site.

Some errors the radio does not work!

This source does not open:

VLC cannot open MRL "http://radio.ranetka.ru:8000/". Look for more detailed information in the log file.

This source does not open:

VLC cannot open MRL "http://radio.ranetka.ru:8002/". Look for more details in the log file.

This source does not open:

VLC cannot open MRL "http://radio.ranetka.ru:8005/". Look for more details in the log file.

This source does not open:

VLC cannot open MRL "http://radio.ranetka.ru:8012/". Look for more details in the log file.

This source does not open:

VLC cannot open MRL "http://radio.ranetka.ru:8015/". Look for more details in the log file.

This source does not open:

VLC cannot open MRL "http://radio.ranetka.ru:8017/". Look for more details in the log file.

This source does not open:

VLC cannot open MRL "http://radio.ranetka.ru:8025/". Look for more details in the log file.

This source does not open:

VLC cannot open MRL "http://radio.ranetka.ru:8032/". Look for more details in the log file.

This source does not open:

VLC cannot open MRL "http://radio.ranetka.ru:8035/". Look for more details in the log file.

This source does not open:

VLC cannot open MRL "http://radio.ranetka.ru:8050/". Look for more details in the log file.

This source does not open:

VLC cannot open MRL "http://radio.ranetka.ru:8052/". Look for more details in the log file.

This source does not open:

VLC cannot open MRL "http://radio.ranetka.ru:8054/". Look for more details in the log file.

This source does not open:

VLC cannot open MRL "http://radio.ranetka.ru:8058/". Look for more details in the log file.

This source does not open:

VLC cannot open MRL "http://radio.ranetka.ru:8062/". Look for more details in the log file.

This source does not open:

VLC cannot open MRL "http://radio.ranetka.ru:8045/". Look for more details in the log file.

This source does not open:

VLC cannot open MRL "http://radio.ranetka.ru:8073/". Look for more details in the log file.

This source does not open:

VLC cannot open MRL "http://radio.ranetka.ru:8077/". Look for more details in the log file.

This source does not open:

VLC cannot open MRL "http://radio.ranetka.ru:8083/". Look for more details in the log file.

This source does not open:

VLC cannot open MRL "http://radio.ranetka.ru:8085/". Look for more details in the log file.

This source does not open:

VLC cannot open MRL "http://radio.ranetka.ru:8093/". Look for more details in the log file.

This source does not open:

VLC cannot open MRL "http://radio.ranetka.ru:8127/". Look for more details in the log file.

This source does not open:

VLC cannot open MRL "http://radio.ranetka.ru:8139/". Look for more details in the log file.

This source does not open:

VLC cannot open MRL "http://radio.ranetka.ru:8141/". Look for more details in the log file.

This source does not open:

VLC cannot open MRL "http://radio.ranetka.ru:8145/". Look for more details in the log file.

This source does not open:

VLC cannot open MRL "http://radio.ranetka.ru:8157/". Look for more details in the log file.

This source does not open:

VLC cannot open MRL "http://radio.ranetka.ru:8163/". Look for more details in the log file.

This source does not open:

VLC cannot open MRL "http://radio.ranetka.ru:8195/". Look for more details in the log file.

This source does not open:

VLC cannot open MRL "http://radio.ranetka.ru:8199/". Look for more details in the log file.

This source does not open:

VLC cannot open MRL "http://radio.ranetka.ru:8205/". Look for more details in the log file.

This source does not open:

VLC cannot open MRL "http://radio.ranetka.ru:9058/". Look for more details in the log file.

This source does not open:

VLC cannot open MRL "http://radio.ranetka.ru:8042/". Look for more details in the log file.

Instructions

Connect the provider's cable to network card computer that needs to be connected to the Internet. Turn on this PC and wait for the download to complete operating system... After a while, the OS will automatically detect a new network... Right click on the icon of this network connection and select "Status". Click the Details button. Make sure the IP address assigned to this network card is in 10.22.X.X format.

Now set up your internet connection. If you want to use the automatic method, then go to help.internet.beeline.ru. Download the program "" and install it. Reboot your computer. Launch this application, fill in the Username and Password fields and click the Connect button.

If you want to create a connection yourself, open the Network Control Center and general access(Windows Seven) and go to the "Set up a new connection or network" menu. Select the Connect to a Workplace option and click Next. In the window that opens, click on the item "Use my Internet connection (VPN)". In the "Internet address" field, enter tp.internet.beeline.ru or vpn.corbina.net. Enter an arbitrary name this connection and click the Next button.

Fill in the fields "User" and "Password" with the data provided by the provider. Check the box next to "Save this password" and click the "Connect" button, and then the "Cancel" button. Open the list of existing connections.

Right-click on the newly created connection and select Properties. Click the Security tab. In the "VPN Type" menu, set the option to "Automatic" or L2TP (depending on the region). In the Data Encryption menu, select Optional. Activate the "Allow the following protocols" option and select the "Password Verification Protocol (CHAP)" option. Save the settings.

When working with network y Beeline you will have two active networks: local and VPN. If you need to provide access to others network computers to the Beeline local network, then open the properties of the local network connection. Do not confuse with the created VPN connection. Go to the "Access" tab and allow other network users to use this connection.