The ACS (Auto Configuration Server / Service) is the service that speaks the infamous TR-069 protocol. Officially it uses port 7547/TCP, but this may vary depending on the environment. One notable aspect is that an ACS cannot push configuration to the CPE. Following the standard, it can only request a callback, which triggers the client to fetch / deliver information. On many devices the callback trigger is protected by some form of authentication (e.g. digest auth).

TR-069

The TR-069 protocol was defined by the Broadband Forum in 2004. It is a simple protocol based on SOAP / XML. It offers access to all possible settings on a CPE and may be extended by the device vendor / operator.

GenieACS

Installation

It is best to follow the instructions in the GenieACS docs. The install from git is quick and stable, and it runs fully on the default configuration.

Running

You will have to start the following binaries:

  • genieacs/bin/genieacs-cwmp
  • genieacs/bin/genieacs-fs
  • genieacs/bin/genieacs-nbi

For the GUI / web interface you will have to run Rails in the genieacs-gui folder.

Getting started

To get started I’d recommend using an AVM FritzBox and configuring it as described here. From there on one has a functioning TR-069 client which can easily be controlled from the ACS. Thus any kind of fuzzing and injection can be performed.

AVM supports configuring FritzBoxes via the TR-064 protocol and provides very detailed documentation of the interface. One of the documents there covers the TR-069 configuration.

Set ACS

import requests

# TR-064 (UPnP / SOAP) control endpoint of the FritzBox
url = 'http://192.168.178.1:49000'
path = '/upnp/control/mgmsrv'

service = 'ManagementServer:1'
action = 'SetManagementServerURL'
# Alternative ACS URL:
#parameters = '<NewURL>http://192.168.58.5/tr069</NewURL>'
parameters = '<NewURL>http://192.168.58.4:7547</NewURL>'

# SOAP envelope carrying the action and its argument
payload = (
    '<?xml version="1.0"?>'
    '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
    '<s:Body>'
    '<u:' + action + ' xmlns:u="urn:dslforum-org:service:' + service + '">'
    + parameters +
    '</u:' + action + '>'
    '</s:Body>'
    '</s:Envelope>'
)

headers = {
    'SOAPACTION': 'urn:dslforum-org:service:' + service + '#' + action,
    'USER-AGENT': 'Evil Hacker',
    'CONTENT-TYPE': 'text/xml; charset="utf-8"',
}

resp = requests.post(url + path, headers=headers, data=payload)

print(resp.text)

Enable TR-069

import requests

# TR-064 (UPnP / SOAP) control endpoint of the FritzBox
url = 'http://192.168.178.1:49000'
path = '/upnp/control/mgmsrv'

service = 'ManagementServer:1'
action = 'X_SetTR069Enable'
# 1 = enable the TR-069 client
parameters = '<NewTR069Enabled>1</NewTR069Enabled>'

# SOAP envelope carrying the action and its argument
payload = (
    '<?xml version="1.0"?>'
    '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
    '<s:Body>'
    '<u:' + action + ' xmlns:u="urn:dslforum-org:service:' + service + '">'
    + parameters +
    '</u:' + action + '>'
    '</s:Body>'
    '</s:Envelope>'
)

headers = {
    'SOAPACTION': 'urn:dslforum-org:service:' + service + '#' + action,
    'USER-AGENT': 'Evil Hacker',
    'CONTENT-TYPE': 'text/xml; charset="utf-8"',
}

resp = requests.post(url + path, headers=headers, data=payload)

print(resp.text)

Disable TR-069


import requests

# TR-064 (UPnP / SOAP) control endpoint of the FritzBox
url = 'http://192.168.178.1:49000'
path = '/upnp/control/mgmsrv'

service = 'ManagementServer:1'
action = 'X_SetTR069Enable'
# 0 = disable the TR-069 client
parameters = '<NewTR069Enabled>0</NewTR069Enabled>'

# SOAP envelope carrying the action and its argument
payload = (
    '<?xml version="1.0"?>'
    '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
    '<s:Body>'
    '<u:' + action + ' xmlns:u="urn:dslforum-org:service:' + service + '">'
    + parameters +
    '</u:' + action + '>'
    '</s:Body>'
    '</s:Envelope>'
)

headers = {
    'SOAPACTION': 'urn:dslforum-org:service:' + service + '#' + action,
    'USER-AGENT': 'Evil Hacker',
    'CONTENT-TYPE': 'text/xml; charset="utf-8"',
}

resp = requests.post(url + path, headers=headers, data=payload)

print(resp.text)

Further Reference