Netgate Discussion Forum

    How do I discover ISP's PPPoE credentials and connection settings?

    • Gblenn @scilek

      @scilek said in How do I discover ISP's PPPoE credentials and connection settings?:

      So my thinking is:
      When the modem/router is reset, it loses all information stored on it. But when it is back online, it connects to the ISP in a matter of seconds. Since the ISP cannot embed the connection information into each and every device before they ship it, it has to be obtaining its configuration data from the ISP, and all the information necessary must be contained in ethernet frames.

      I don't think that is how it works...

      PPPoE includes username and password which can not be automatically read from the connection, in plain text. That would defeat the purpose.

      1. each device is actually set up with credentials. Either batch loading before delivery, but more likely it's done via remote management (automatically). Meaning the device is set up to call into a server, and identifies itself as the device in question (MAC, Serial etc?) and then receives the credentials.
      2. it is not necessarily lost at reboot, it is stored in non-volatile memory.

      I'm not sure but it might be possible to set up your own device to behave like the modem and get the settings automatically. Assuming you can figure out how the ISP has set things up, since it needs to be identified and accepted as if it is the ISP modem basically.

      • scilek @Gblenn

        @Gblenn said in How do I discover ISP's PPPoE credentials and connection settings?:

        it is not necessarily lost at reboot, it is stored in non-volatile memory.

        I was referring to hard reset, not a reboot.

        @Gblenn said in How do I discover ISP's PPPoE credentials and connection settings?:

        I'm not sure but it might be possible to set up your own device to behave like the modem and get the settings automatically.

        The ISP device must initiate a conversation with their system, right?

        • Gblenn @scilek

          @scilek said in How do I discover ISP's PPPoE credentials and connection settings?:

          The ISP device must initiate a conversation with their system, right?

          Yes, it needs to know the destination, and the "credentials" in order to identify itself to the ISP server. It is most likely secured in a way that you can not simply copy the process. Even if MAC and Serial can be cloned, there may be a certificate embedded in their devices.

          • scilek @Gblenn

            @Gblenn
            Some guy managed to retrieve the PPPoE credentials using an off-the-shelf router. (I do not want to mention from what vendor.) As it happens, there is no VLAN. I was able to connect without even cloning the MAC. I guess they put too much trust in their setup.

            We should be able to do the same on pfSense too.

            • stephenw10 Netgate Administrator

              I assume you have no access to the ISP device config interface? What device is that exactly?

              You can put a switch that supports port mirroring upstream of it and capture the PPPoE connection. The ISP doesn't have to use encryption for the credentials, but they probably do.

              The ISP doesn't actually have to use individual credentials at all. BT in the UK for example use the same login for all devices. They know who you are by what line you're connecting on.

              You could probably also bridge some ports in pfSense and use that instead of the switch mirror port to pcap on.

              • scilek @stephenw10

                @stephenw10 said in How do I discover ISP's PPPoE credentials and connection settings?:

                I assume you have no access to the ISP device config interface? What device is that exactly?

                The site is in another city, but I guess it's a ZTE. It allows access on the LAN, but you cannot configure WAN, or view configuration.

                @stephenw10 said in How do I discover ISP's PPPoE credentials and connection settings?:

                The ISP doesn't actually have to use individual credentials at all. BT in the UK for example use the same login for all devices. They know who you are by what line you're connecting on.

                This one does use credentials. But they probably know who you are by the line.

                @stephenw10 said in How do I discover ISP's PPPoE credentials and connection settings?:

                You could probably also bridge some ports in pfSense and use that instead of the switch mirror port to pcap on.

                That was my thinking exactly. I'll try that the next time. I cannot call and ask them to undo what they've just done.

                • scilek

                  I think I've solved the riddle.

                  I have had this issue in my mind for a long time and the revelation came when I watched a short Youtube tutorial in which the presenter connects the ISP router's WAN to a certain router's 4th port and retrieves the credentials.

                  That got me thinking... Why the 4th port? Well, because it runs the PPPoE server on that port when it is asked to retrieve the credentials! The credentials are already stored in the ISP router! They had been uploaded to the router when the ISP employee sent its MAC address to the HQ. The HQ, using the router's management interface (which I think was on VLAN 100 or something), ran some sort of code and uploaded the credentials to it. Hence, whenever the device loses its WAN connectivity, the PPPoE client tries to reconnect with the ISP PPPoE server.

                  So the pfSense solution is fairly simple:
                  Run a bogus PPPoE server on one of the enabled ports, connect the ISP router's WAN to the said port and watch the PPPoE server log. Everything should be there.

                  I have not had the pleasure of trying it myself but I'm sure it will work. Could someone try that and confirm?

                  • stephenw10 Netgate Administrator

                    You might need to set a server ID of some sort for the client to accept it. I don't think pfSense exposed that as configurable for its server config.

                    • scilek @stephenw10

                      @stephenw10 Yes, you were right; it is not in the PPPoE Server log. It is in the packet sent by the PPPoE Client:
                      [image]

                      I had to configure FreeRADIUS and then listen using tcpdump.

                      Edit: I have not tried but maybe you don't even need FreeRADIUS. My guess is that the client has to send the password in clear text because there is no other way the server can authenticate.

                      • stephenw10 Netgate Administrator

                        Yup for PAP it's in clear text. If it was CHAP you wouldn't see it there.

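Why the password was visible in the capture with PAP but would not be with CHAP, as an added example that is not part of the original posts: a small Python dissector run over two constructed PPPoE session frames. The frame layout follows RFC 2516 (PPPoE), RFC 1334 (PAP) and RFC 1994 (CHAP); the user name, password, MAC addresses and challenge are made-up values, and the function names are hypothetical.

```python
import hashlib
import struct

PPPOE_SESSION, PPP_PAP, PPP_CHAP = 0x8864, 0xC023, 0xC223


def build_frame(ppp_proto, code, ident, data):
    """Constructed Ethernet + PPPoE session frame carrying one auth packet."""
    auth = struct.pack("!BBH", code, ident, 4 + len(data)) + data
    ppp = struct.pack("!H", ppp_proto) + auth
    eth = bytes.fromhex("020000000001020000000002") + struct.pack("!H", PPPOE_SESSION)
    return eth + struct.pack("!BBHH", 0x11, 0x00, 0x0001, len(ppp)) + ppp


def inspect_auth(frame):
    """Return what a capture of this one frame reveals about the login."""
    if len(frame) < 26 or frame[12:14] != struct.pack("!H", PPPOE_SESSION):
        return {"proto": "other"}
    length, proto = struct.unpack("!HH", frame[18:22])
    code, _ident, pkt_len = struct.unpack("!BBH", frame[22:26])
    data = frame[26:min(22 + pkt_len, 20 + length)]
    try:
        if proto == PPP_PAP and code == 1:       # PAP Authenticate-Request
            n = data[0]                          # Peer-ID length
            m = data[1 + n]                      # Passwd length
            password = data[2 + n:2 + n + m]
            if len(password) != m:
                raise IndexError("truncated password field")
            return {"proto": "PAP", "user": data[1:1 + n].decode("latin-1"),
                    "password_on_wire": password.decode("latin-1")}
        if proto == PPP_CHAP and code == 2:      # CHAP Response
            n = data[0]                          # Value-Size (16 for MD5)
            return {"proto": "CHAP", "user": data[1 + n:].decode("latin-1"),
                    "password_on_wire": None, "response": data[1:1 + n].hex()}
    except IndexError:
        return {"proto": "malformed"}
    return {"proto": "other"}


# Constructed sample values, not taken from any real capture.
USER, SECRET = b"user@isp.example", b"s3cret"
PAP_FRAME = build_frame(PPP_PAP, 1, 1,
                        bytes([len(USER)]) + USER + bytes([len(SECRET)]) + SECRET)
CHALLENGE = bytes(range(16))  # stands in for the server's CHAP Challenge value
DIGEST = hashlib.md5(bytes([1]) + SECRET + CHALLENGE).digest()  # RFC 1994 MD5
CHAP_FRAME = build_frame(PPP_CHAP, 2, 1, bytes([len(DIGEST)]) + DIGEST + USER)

if __name__ == "__main__":
    for sample in (PAP_FRAME, CHAP_FRAME):
        print(inspect_auth(sample))
```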
                        • scilek @stephenw10

                          @stephenw10 Yes, the FreeRADIUS messages did not show it in clear text. But on the other hand, it was the PPPoE server that sent it to FreeRADIUS, not the client.

                          Edit: You don't need FreeRADIUS, but you do need the PPPoE server.

                          • eagle61 @scilek

                            @scilek said in How do I discover ISP's PPPoE credentials and connection settings?:

                            modem/router he is provided

                            Well you never mentioned what modem/router your ISP is providing. But for some of them there are hacks available to read the credentials stored in them in clear text.

                            One example of such a router is the Fritz!Box, the most popular in Germany, no matter whether Fiber, DSL or Cable. Those allow you to create backup files (in case a factory reset is needed) of their configs and export them to your local devices. All credentials in this export file are encrypted. But with a small PHP tool it's possible to decrypt it and have it in a clear text file.

                            • scilek @eagle61

                              @eagle61 said in How do I discover ISP's PPPoE credentials and connection settings?:

                              Well you never mentioned what modem/router your ISP is providing. But for some of them there are hacks available to read the credentials stored in them in clear text.

                              That does not really matter, does it? All routers are basically the same, maybe with the exception of Cisco, perhaps. They all run some variant of Linux or BSD and the same basic networking tools and utilities.

                              @eagle61 said in How do I discover ISP's PPPoE credentials and connection settings?:

                              One example of such a router is the Fritz!Box, the most popular in Germany, no matter whether Fiber, DSL or Cable. Those allow you to create backup files (in case a factory reset is needed) of their configs and export them to your local devices. All credentials in this export file are encrypted. But with a small PHP tool it's possible to decrypt it and have it in a clear text file.

                              Good for them! Long live Germany and their liberal and user-friendly ISPs!
