How do I discover ISP's PPPoE credentials and connection settings?

scilek

@Gblenn
Some guy managed to retrieve the PPPoE credentials using an off-the-shelf router. (I do not want to mention from what vendor.) As it happens, there is no VLAN. I was able to connect without even cloning the MAC. I guess they put too much trust in their setup.

We should be able to do the same on pfSense too.

stephenw10

I assume you have no access to the ISP device config interface? What device is that exactly?

You can put a switch that supports port mirroring upstream of it and capture the PPPoE connection. The ISP doesn't have to use encryption for the credentials, but they probably do.

The ISP doesn't actually have to use individual credentials at all. BT in the UK for example use the same login for all devices. They know who you are by what line you're connecting on.

You could probably also bridge some ports in pfSense and use that instead of the switch mirror port to pcap on.

scilek

@stephenw10 said in How do I discover ISP's PPPoE credentials and connection settings?:

I assume you have no access to the ISP device config interface? What device is that exactly?

The site is in another city, but I guess it's a ZTE. It allows access on the LAN, but you cannot configure WAN, or view configuration.

@stephenw10 said in How do I discover ISP's PPPoE credentials and connection settings?:

The ISP doesn't actually have to use individual credentials at all. BT in the UK for example use the same login for all devices. They know who you are by what line you're connecting on.

This one does use credentials. But they probably know who you are by the line.

@stephenw10 said in How do I discover ISP's PPPoE credentials and connection settings?:

You could probably also bridge some ports in pfSense and use that instead of the switch mirror port to pcap on.

That was my thinking exactly. I'll try that the next time. I cannot call and ask them to undo what they've just done.

scilek

I think I've solved the riddle.

I have had this issue in my mind for a long time and the revelation came when I watched a short Youtube tutorial in which the presenter connects the ISP router's WAN to a certain router's 4th port and retrieves the credentials.

That got me thinking... Why the 4th port? Well, because it runs the PPPoE server on that port when it is asked to retrieve the credentials! The credentials are already stored in the ISP router! They had been uploaded to the router when the ISP employee sent its MAC address to the HQ. The HQ, using the router's management interface (which I think was on VLAN 100 or something), ran some sort of code and uploaded the credentials to it. Hence, whenever the device loses its WAN connectivity, the PPPoE client tries to reconnect with the ISP PPPoE server.

So the pfSense solution is fairly simple:
Run a bogus PPPoE server on one of the enabled ports, connect the ISP router's WAN to the said port and watch the PPPoE server log. Everything should be there.

I have not had the pleasure of trying it myself but I'm sure it will work. Could someone try that and confirm?

stephenw10

You might need to set a server ID of some sort for the client to accept it. I don't think pfSense exposed that as configurable for it's server config.

scilek

@stephenw10 Yes, you were right; it is not in the PPPoE Server log. It is in the packet sent by the PPPoE Client:

I had to configure FreeRADIUS and then listen using tcpdump.

Edit: I have not tried but maybe you don't even need FreeRADIUS. My guess is that the client has to send the password in clear text because there is no other way the server can authenticate.

stephenw10

Yup for PAP it's in clear text. If it was CHAP you wouldn't see it there.

scilek

@stephenw10 Yes, the FreeRADIUS messages did not show it in clear text. But on the other hand, it was the PPPoE server that sent it to FreeRADIUS, not the client.

Edit: You don't need FreeRADIUS, but you do need the PPPoE server.

eagle61

@scilek said in How do I discover ISP's PPPoE credentials and connection settings?:

modem/router he is provided

Well you never mentioned what modem/router your ISP is providing. But for some of them are hacks available to read the in it stored credentials in clear text.

One example for this Router are the in Germany most popular Fritz!Box, no matter Fiber, DSL or Cable. Those allow to create backupfiles (in case a factory reset is needed) of its configs and export that to you local devices. All credentials in this export-file are encrypted. But with a small php-tool its possible to decrypt it and have it in a clear text file.

scilek

@eagle61 said in How do I discover ISP's PPPoE credentials and connection settings?:

Well you never mentioned what modem/router your ISP is providing. But for some of them are hacks available to read the in it stored credentials in clear text.

That does not really matter, does it? All routers are basically the same, maybe with the exception of Cisco, perhaps. They all run some variant of Linux or BSD and the same basic networking tools and utilities.

@eagle61 said in How do I discover ISP's PPPoE credentials and connection settings?:

One example for this Router are the in Germany most popular Fritz!Box, no matter Fiber, DSL or Cable. Those allow to create backupfiles (in case a factory reset is needed) of its configs and export that to you local devices. All credentials in this export-file are encrypted. But with a small php-tool its possible to decrypt it and have it in a clear text file.

Good for them! Long live Germany and their liberal and user-friendly ISPs!