Netgear GUI over encryption (ssh) (SOLVED)

KW.

Regular Contributor
I have a question about whether there is a way to log in to the Netgear GUI over encryption (https).
I've implemented SSH on my router (thanks to Kamoj), which feels great.

But I don't get the logic behind Netgear's implementation of the GUI, which is done without any layer of encryption (netgearlogin.net). I understand that what I do is behind the network, but there's no guarantee I won't some day have someone/something sniffing inside the network. And it feels like this makes the other security functions such as SSH obsolete in a way.

I do all my changes in the GUI and am not skilled enough to use commands in the SSH console to make my changes, so just stopping using it is not an option for me.

I want to have the GUI on https; is that possible in some way? I can't see what the problem for Netgear is on this, and I did double-check that it's not just my lack of knowledge that makes me react. In Netgear's forums people with more knowledge have been wanting this to be fixed for years.

Is there any do-it-yourself solution for this?
I use an R9000.
 

KW.

Regular Contributor
This looks even more interesting for my setup.

"
SSH allows a further special feature: remote forwarding. Using this, you can disable WAN access to your router entirely, and instead connect over an SSH forward using the -L argument to SSH. Note that how you set up forwards will vary depending on your client software, but for command line SSH this option usually looks something like this:

-L 3443:192.168.1.1:443

This forwards the port 3443 on your local machine to the port 443 on 192.168.1.1 on the server machine's network, where 192.168.1.1 is expected to be that server machine here. This allows you to securely connect to your router via SSH, then use the forward to connect to the interface at the address https://localhost:3443 in your browser without having to have the router's web server open to the internet at large."

Source: https://www.sabaitechnology.com/blog/securing-router-access-inside-the-network-and-out/

But I don't know how to do it either.

R. Gerrits

Senior Member
well, stock firmware and Voxel firmware do have the GUI available over HTTPS (https://www.routerlogin.net).
at least on R7800 it does.
Problem is that Netgear revoked that certificate, so most browsers refuse to connect over SSL.

alternative: if you have your own domain, create a DNS entry in there for your router, request a new certificate via Let's Encrypt and place your own certificate on the router.

Or perhaps we can look at GPL sources of newer models, to see if perhaps a newer certificate is in those, that hasn't been revoked yet.
 

R. Gerrits

Senior Member
interesting related article: https://gist.github.com/nstarke/a611a19aab433555e91c656fe1f030a9
tl;dr: since the private key of the certificate is in the firmware, anyone can download that firmware and extract that key.
And with that key, anyone can decrypt the SSL traffic, thus making it only marginally better than HTTP.

Anyway, finding a new certificate that is still valid is thus impossible, because the moment a security researcher finds such a certificate, it will be revoked again.
And it seems Netgear switched to self-signed certificates on newer routers.
 

KW.

Regular Contributor
@R.Gerrits thank you so much for your reply. Now I have a better understanding of why it is hard to implement HTTPS for Netgear.

It seems that with some more research and time to test I would be able to use PuTTY to get to the GUI. Would a solution like this make the connection to the GUI encrypted inside my network? Anyway, with keys I would not have to send any passwords through the network at least? So this should solve this case and I get the full benefit of SSH?

"alternative: if you have your own domain, create a dns-entry in there for your router, request a new certificate via letsencrypt and place your own certificate on the router."

This I don't think I will be able to apply due to my lack of skills.

Thank you for your comments R.Gerrits.
 

R. Gerrits

Senior Member
Indeed, tunneling your GUI over SSH would also protect that traffic from being visible on the network.

your example isn't 100% correct. Creating a tunnel to 443 would still have the issue that the certificate is not trusted.

just tested this from my MacBook:

Code:
# -N: run no remote command, just hold the forward open
# -L: listen on local port 3443 and relay each connection to port 80 on the router's loopback interface
ssh -N -L 3443:127.0.0.1:80 [email protected]
And then, while you have the SSH session open, on the same computer you can browse to http://127.0.0.1:3443 to access the router GUI.

(or you can use this if you want to run the tunnel in the background
Code:
# -f: go to the background once authentication is done
ssh -N -f -L 3443:127.0.0.1:80 [email protected]
)

But using PuTTY from a Windows machine also works.
 

KW.

Regular Contributor
R.Gerrits thank you so much for your help! I've solved it now and got a working SSH tunnel using PuTTY. But I will have to fine-tune it; right now all my traffic is going through the tunnel (and dies if I turn off the tunnel). I will have to use a dedicated web browser for the GUI (or I will have to change the setup manually on the browser all the time, which will be a bit of a hassle). What's important is that I have a solution that works. That feels great. A lot of thanks for helping me understand it better, R.Gerrits.

KW.

Regular Contributor
Just want to update this post. I have solved the GUI over SSH now in a more elegant way than tunneling the whole internet connection and having to set up a web browser in proxy mode as I did at first.

It is easy when you get it :) I'll share it in case it can help someone else who has been in my position.

So I use PuTTY:
In the same PuTTY session setup where I have my keys, I added a tunnel.

In "Tunnels", in the field "Source port", I just type in e.g.
Code:
80
or whatever port I want to use.

In the field "Destination" I in this case type in
Code:
localhost:80
(or whatever port I used as source port)

Both boxes "Local" and "Destination" are checked.

When this is done, I open the SSH terminal.

I have set my Google Chrome to start in incognito mode.

In the Chrome URL field I just write
Code:
localhost
.

Then I log in.
 
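To make concrete what the forward in the two posts above does (R. Gerrits's `ssh -N -L 3443:127.0.0.1:80 ...` and the PuTTY Tunnels setup with source port 80 and destination localhost:80), here is a minimal local port forwarder written for this thread; it is an added example, not code from the forum or from OpenSSH/PuTTY. A stand-in HTTP server on 127.0.0.1 plays the router's web GUI (assumption: the real router answers on its loopback port 80, as in the posts), and the relay runs in plain sockets; in the real setup that relay hop is carried inside the SSH session, so only SSH ciphertext crosses the LAN. The browser side never talks to the router address at all, only to localhost.

```python
"""Local port forwarding, the way `ssh -L <local>:<host>:<port>` does it,
minus the encryption of the hop. Added example, not from the thread."""
import http.server
import socket
import threading
import urllib.request


class FakeRouterGui(http.server.BaseHTTPRequestHandler):
    """Stand-in for the router's web server (constructed for this example)."""

    def do_GET(self):
        body = b"router gui: " + self.path.encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the example quiet
        pass


def start_router_gui():
    """Listen on 127.0.0.1 on an ephemeral port (stands in for port 80 on the router)."""
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), FakeRouterGui)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def _pipe(src, dst):
    """Copy bytes src -> dst until EOF, then half-close dst so the peer sees EOF too."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def start_forwarder(dest_host, dest_port, listen_host="127.0.0.1", listen_port=0):
    """Equivalent of -L listen_port:dest_host:dest_port: accept on the local
    port, open the destination, relay both directions. Returns (listener, port)."""
    ls = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    ls.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    ls.bind((listen_host, listen_port))
    ls.listen(8)
    ls.settimeout(0.5)  # so the accept loop notices when the listener is closed

    def accept_loop():
        while True:
            try:
                client, _ = ls.accept()
            except socket.timeout:
                continue
            except OSError:  # listener closed: tunnel torn down
                return
            try:
                upstream = socket.create_connection((dest_host, dest_port))
            except OSError:
                client.close()
                continue
            threading.Thread(target=_pipe, args=(client, upstream), daemon=True).start()
            threading.Thread(target=_pipe, args=(upstream, client), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return ls, ls.getsockname()[1]


def fetch_via_tunnel(tunnel_port, path="/"):
    """What the browser does: talk to localhost:<tunnel_port>, never to the router directly."""
    with urllib.request.urlopen(f"http://127.0.0.1:{tunnel_port}{path}", timeout=5) as resp:
        return resp.status, resp.read().decode()


def demo():
    """Bring up the fake router, a forward to it, fetch one page through the forward."""
    router, router_port = start_router_gui()
    tunnel, tunnel_port = start_forwarder("127.0.0.1", router_port)  # like -L 3443:127.0.0.1:80
    try:
        return fetch_via_tunnel(tunnel_port, "/start.htm")
    finally:
        tunnel.close()
        router.shutdown()
        router.server_close()


if __name__ == "__main__":
    print(demo())
```

Note that this is why KW.'s first attempt sent all browser traffic through the tunnel: a SOCKS/proxy setup in the browser (`-D` in OpenSSH, "Dynamic" in PuTTY) routes every request via the router, while a plain `-L` forward as above only carries what is sent to the one local port.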

kamoj

Very Senior Member
So why don't you make a step-by-step for "dummies" so even I can make it work? o_O
Please :cool:

mith_y2k

Regular Contributor
I don't get what you're achieving here. Are you also disabling the standard GUI available via HTTP? If I understand correctly, you are setting up a tunnel on your local computer and then connecting to localhost, but what is it that you're trying to hide or avoid? Someone snooping on your communication to the gateway?
 

KW.

Regular Contributor
"If I understand correctly, you are setting up a tunnel on your local computer and then connecting to localhost, but what is it that you're trying to hide or avoid? Someone snooping on your communication to the gateway?"

Yes, that is exactly what I try to achieve: to have a secure connection to the router even inside my own network. I have not disabled the standard GUI available via HTTP. How do I do that?
 

KW.

Regular Contributor
Fun to see how it works in real time. I did a login on my routerlogin over http: and the Suricata IDS picked it up.

With the SSH tunnel Suricata doesn't pick it up (or doesn't react) on my network.

I know this is no revelation. Everyone knows that the password is not encrypted inside the network. But this is the point, @mith_y2k, of why I want to use the tunnel.

From Suricata log:

Code:
08/07/2020-18:54:35.789621  [**] [1:2006380:13] ET POLICY Outgoing Basic Auth Base64 HTTP Password detected unencrypted [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP}
 
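The Suricata hit above is the whole argument of the thread in one log line: the router GUI uses HTTP Basic authentication, so the login is a base64 string in a request header that anyone on the path can decode. The following is an added example, not part of the post and not the ET ruleset's logic; it reproduces the check that kind of rule performs over two constructed payloads, a plain-HTTP login as the browser sends it to routerlogin.net and the same login carried over the SSH tunnel (where only SSH protocol bytes are visible). The alert format is approximated from the line in the post, and the credentials and addresses are made up.

```python
"""Why 'ET POLICY Outgoing Basic Auth Base64 HTTP Password detected unencrypted'
fires on a plain-HTTP router login. Added example; sample packets are constructed."""
import base64
import binascii
import re

# Header as it appears on the wire; base64 alphabet only, case-insensitive name.
BASIC_RE = re.compile(rb"^Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)\s*$", re.M | re.I)


def find_basic_auth(payload: bytes):
    """Return (username, password) pairs recoverable from one TCP payload.
    Same idea as the IDS rule: spot the header, base64-decode, split on ':'."""
    found = []
    for m in BASIC_RE.finditer(payload):
        try:
            decoded = base64.b64decode(m.group(1), validate=True)
        except (binascii.Error, ValueError):
            continue  # not valid base64, so not a Basic credential
        user, sep, pw = decoded.partition(b":")
        if sep:
            found.append((user.decode("utf-8", "replace"), pw.decode("utf-8", "replace")))
    return found


def alert_line(src, dst, creds):
    """Render an alert in roughly the shape of the Suricata line in the post."""
    return (f"[**] ET POLICY Outgoing Basic Auth Base64 HTTP Password detected unencrypted "
            f"[**] {{TCP}} {src} -> {dst} user={creds[0]!r}")


def scan(packets):
    """Run the check over (src, dst, payload) triples and return the alerts."""
    alerts = []
    for src, dst, payload in packets:
        for creds in find_basic_auth(payload):
            alerts.append(alert_line(src, dst, creds))
    return alerts


# Constructed: what a sniffer on the LAN sees when the browser logs in over http://
PLAIN_HTTP_LOGIN = (
    b"GET /start.htm HTTP/1.1\r\n"
    b"Host: routerlogin.net\r\n"
    b"Authorization: Basic " + base64.b64encode(b"admin:hunter2") + b"\r\n"
    b"User-Agent: Mozilla/5.0\r\n\r\n"
)

# Constructed: the same login through the SSH tunnel. Only the SSH banner and
# binary packet protocol data cross the LAN; nothing HTTP-shaped is visible.
SSH_TUNNELED_LOGIN = b"SSH-2.0-OpenSSH_8.2\r\n" + bytes(range(256)) * 4

SAMPLE_PACKETS = [
    ("192.168.1.50:51234", "192.168.1.1:80", PLAIN_HTTP_LOGIN),
    ("192.168.1.50:51240", "192.168.1.1:22", SSH_TUNNELED_LOGIN),
]

if __name__ == "__main__":
    for line in scan(SAMPLE_PACKETS):
        print(line)
```

Only the first packet produces an alert, and the decoded pair is exactly the router login; the tunneled packet yields nothing, which matches KW.'s observation that Suricata stays quiet once the GUI goes through SSH.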
