Enable Telnet Access For Netgear Wireless Router DGND3700 [ N600 ]

Neggear DGND3700 is an all-in-one router with built-in ADSL2+ modem and WAN gigabit Ethernet port for cable/fiber combined with a wireless router create the integrated home gateway. How do I enable telnet access on this router under Linux or OS X operating systems?

Tutorial details
Difficulty	Easy
Root privileges	Yes
Requirements	Netgear DGND3700/N600 router

This router ( NETGEAR N600 ) is wireless dual band gigabit ADSL2+ modem router. It offers concurrent dual band technology, as well as wireless access from your computer to USB printers. However, telnet access is locked down by default. You can enable it easily as follows.

Find out information about open port

My router has 192.168.1.2 ip address. Open a terminal and type the following command to see all open ports:
$ nmap 192.168.1.2
Sample outputs:

Starting Nmap 5.00 ( http://nmap.org ) at 2012-08-11 16:17 IST
Interesting ports on 192.168.1.2:
Not shown: 997 closed ports
PORT   STATE SERVICE
23/tcp open  telnet
53/tcp open  domain
80/tcp open  http
 
Nmap done: 1 IP address (1 host up) scanned in 0.70 second

Try connecting using telnet, run:
$ telnet 192.168.1.2
Sample outputs:

Trying 192.168.1.2...
Connected to 192.168.1.2.
Escape character is '^]'.

You will not able to access telnet as it is locked down by vendor.

Say hello to telnetenable.py

Netgear provides a developer tool for unlocking the console access from a Windows client. However, Unix / Linux user can use python script to sends the router magic packets to enable the telnet interface. You can download program by visiting this url:

Install python-crypto

First, you need to install python-crypto package which provides cryptographic algorithms and protocols for Python. Type the following command under Debian / Ubuntu Linux, enter:
# apt-get install python-crypto
Type the following command to grab telnetenable.py using wget command, enter:
$ wget http://netgear-telnetenable.googlecode.com/files/netgear-telnetenable-0.1.zip
Sample outputs:

--2012-08-11 16:34:37--  http://netgear-telnetenable.googlecode.com/files/netgear-telnetenable-0.1.zip
Resolving nas02... 192.168.1.11
Connecting to nas02|192.168.1.11|:3128... connected.
Proxy request sent, awaiting response... 200 OK
Length: 2323 (2.3K) [application/x-zip]
Saving to: `netgear-telnetenable-0.1.zip'

100%[==========================================================>] 2,323       --.-K/s   in 0s      

2012-08-11 16:34:37 (156 MB/s) - `netgear-telnetenable-0.1.zip' saved [2323/2323]

To unzip netgear-telnetenable-0.1.zip, enter:
$ unzip netgear-telnetenable-0.1.zip

How do I use telnetenable.py?

The syntax is:

python telnetenable.py 192.168.1.2 $(/usr/sbin/arp -n | awk "/192.168.1.2/"'  { gsub(/:/, "", $3); print toupper($3)}') Gearguy Geardog

Sample outputs:

Sent telnet enable payload to '192.168.1.2:23'

Make sure you replace the router IP 192.168.1.2 with your actual IP address.

Test it

Type the following command to access router via telnet:
$ telnet 192.168.1.2
Sample outputs:

Trying 192.168.1.2...
Connected to 192.168.1.2.
Escape character is '^]'.
 
 
BusyBox v1.00 (2011.10.21-00:18+0000) Built-in shell (ash)
Enter 'help' for a list of built-in commands.
 
~#

WARNING! These examples may crash your router if not executed with proper care.

To see information about your router type:
# routerinfo
Sample outputs:

Release version : Netgear Wireless Router DGND3700
                  U12L14401/V1.0.0.17/1.0.17
           Time : Oct 21 2011 08:07:44
    CFE version : N/A
WSC PIN - 52135095
LAN mac address - 7444014057FB
WAN mac address - 7444014057FC
WLAN mac address - 7444014057FB
Board ID - U12L144T01_NETGEAR_NEWLED
serial number - 2XXXXXXXXXYZ

To see CPU info, enter:
# cat /proc/cpuinfo
Sample outputs:

system type             : 96368MVWG
processor               : 0
cpu model               : BMIPS 4350 V3.1
BogoMIPS                : 398.95
wait instruction        : yes
microsecond timers      : yes
tlb_entries             : 32
extra interrupt vector  : no
hardware watchpoint     : no
ASEs implemented        :
VCED exceptions         : not available
VCEI exceptions         : not available

unaligned exceptions            : 21822527

References:

Unlocking the netgear telnet console – from the OpenWrt wiki page.
netgear-telnetenable – A simple python implementation of telnetenable for enabling telnet on many Netgear devices.

Posted by: Vivek Gite

The author is the creator of nixCraft and a seasoned sysadmin, DevOps engineer, and a trainer for the Linux operating system/Unix shell scripting. Get the latest tutorials on SysAdmin, Linux/Unix and open source topics via RSS/XML feed or weekly email newsletter.

Your support makes a big difference:

I have a small favor to ask. More people are reading the nixCraft. Many of you block advertising which is your right, and advertising revenues are not sufficient to cover my operating costs. So you can see why I need to ask for your help. The nixCraft takes a lot of my time and hard work to produce. If everyone who reads nixCraft, who likes it, helps fund it, my future would be more secure. You can donate as little as $1 to support nixCraft:

3 comment

I have two devices with 192.168.0.1* ip, 192.168.0.1 is the router and 192.168.0.148 is a nas, i don’t know the reason why but your script detect both of them and feed the wrong MAC to telnetenable.py. I don’t know how to debug it so i can’t help you, i resolved manually giving the correct MAC.
Sorry about my broken english.
Thank you very much.

Just wanted to say thank you for this great guide. Id tried everything. THIS, actually got it working! Thank you!!

thanks, finally after a downgrade of the firmware (WGR614v9) I got in.

first output;

Starting Nmap 6.40 ( http://nmap.org ) at 2016-02-10 22:08 CET
Nmap scan report for 192.168.1.1
Host is up (0.0058s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
23/tcp open telnet
53/tcp open domain
80/tcp open http
5000/tcp open upnp

but when I;

telnet 192.168.1.1
Trying 192.168.1.1…
Connected to 192.168.1.1.
Escape character is ‘^]’.

I don ‘t come further than this???
I ‘m not reaching shell
Please could You help?

regards, Koen.

Fabio says:
January 5, 2016 at 7:53 am
I have two devices with 192.168.0.1* ip, 192.168.0.1 is the router and 192.168.0.148 is a nas, i don’t know the reason why but your script detect both of them and feed the wrong MAC to telnetenable.py. I don’t know how to debug it so i can’t help you, i resolved manually giving the correct MAC.
Sorry about my broken english.
Thank you very much.
Adam S says:
January 14, 2016 at 10:00 pm
Just wanted to say thank you for this great guide. Id tried everything. THIS, actually got it working! Thank you!!
Koen says:
February 10, 2016 at 9:17 pm
thanks, finally after a downgrade of the firmware (WGR614v9) I got in.
first output;
Starting Nmap 6.40 ( http://nmap.org ) at 2016-02-10 22:08 CET
Nmap scan report for 192.168.1.1
Host is up (0.0058s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
23/tcp open telnet
53/tcp open domain
80/tcp open http
5000/tcp open upnp
but when I;
telnet 192.168.1.1
Trying 192.168.1.1…
Connected to 192.168.1.1.
Escape character is ‘^]’.
I don ‘t come further than this???
I ‘m not reaching shell
Please could You help?
regards, Koen.

Have a question? Post it on our forum!