Script http-vuln-wnr1000-creds

Script types: portrule
Categories: exploit, vuln, intrusive
Download: https://svn.nmap.org/nmap/scripts/http-vuln-wnr1000-creds.nse

Script Summary

A vulnerability in the WNR1000 series allows an attacker to retrieve administrator credentials through the router interface. Tested on firmware versions V1.0.2.60_60.0.86 (latest) and V1.0.2.54_60.0.82NA.

Vulnerability discovered by c1ph04.

Script Arguments

http-vuln-wnr1000-creds.uri

URI path where the passwordrecovered.cgi script can be found. Default: /

creds.[service], creds.global

See the documentation for the creds library.

vulns.short, vulns.showall

See the documentation for the vulns library.

slaxml.debug

See the documentation for the slaxml library.

smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername

See the documentation for the smbauth library.

http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent

See the documentation for the http library.

Example Usage

nmap -sV --script http-vuln-wnr1000-creds <target> -p80

Script Output

PORT   STATE SERVICE REASON
80/tcp open  http    syn-ack
| http-vuln-wnr1000-creds:
|   VULNERABLE:
|   Netgear WNR1000v3 Credential Harvesting Exploit
|     State: VULNERABLE (Exploitable)
|     IDs:  None, 0-day
|     Description:
|       A vulnerability has been discovered in WNR 1000 series that allows an attacker
|       to retrieve administrator credentials with the router interface.
|       Tested On Firmware Version(s): V1.0.2.60_60.0.86 (Latest) and V1.0.2.54_60.0.82NA
|     Disclosure date: 26-01-2014
|     References:
|_      http://packetstormsecurity.com/files/download/124759/netgearpasswd-disclose.zip
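
For triage across many scanned hosts, the report block above can be parsed mechanically. The following Python parser is an added example, not part of the script or of Nmap; the host lines, the 192.0.2.x addresses, the http-title line and the function name parse_findings are constructed for illustration.

```python
import re

SCRIPT_ID = "http-vuln-wnr1000-creds"
HOST_RE = re.compile(r"^Nmap scan report for (.+)$")
PORT_RE = re.compile(r"^(\d+/(?:tcp|udp))\s+\S+")
HEADER_RE = re.compile(r"^\|[ _]([\w.-]+):")  # top-level "| script-id:" line

# Constructed sample: report lines from this page plus made-up host lines.
SAMPLE = """\
Nmap scan report for 192.0.2.10
PORT   STATE SERVICE REASON
80/tcp open  http    syn-ack
| http-vuln-wnr1000-creds:
|   VULNERABLE:
|   Netgear WNR1000v3 Credential Harvesting Exploit
|     State: VULNERABLE (Exploitable)
|     Disclosure date: 26-01-2014
|     References:
|_      http://packetstormsecurity.com/files/download/124759/netgearpasswd-disclose.zip
Nmap scan report for 192.0.2.11
80/tcp open  http    syn-ack
|_http-title: Constructed page
"""

def parse_findings(nmap_output):
    """Return one dict per http-vuln-wnr1000-creds block in normal (-oN) output."""
    findings, host, port, current, in_refs = [], None, None, None, False
    for line in nmap_output.splitlines():
        if m := HOST_RE.match(line):
            host, port, current = m.group(1), None, None
        elif m := PORT_RE.match(line):
            port, current = m.group(1), None
        elif m := HEADER_RE.match(line):
            current, in_refs = None, False  # a new script header ends the old block
            if m.group(1) == SCRIPT_ID:
                current = {"host": host, "port": port, "state": None,
                           "disclosed": None, "references": []}
                findings.append(current)
        elif line.startswith("|") and current is not None:
            body = line[2:].strip()  # drop the "| " or "|_" gutter
            if body.startswith("State:"):
                current["state"] = body.split(":", 1)[1].strip()
            elif body.startswith("Disclosure date:"):
                current["disclosed"] = body.split(":", 1)[1].strip()
            elif body == "References:":
                in_refs = True
            elif in_refs and body:
                current["references"].append(body)
    return findings
```

Feed it the text of a file written with -oN; each returned entry names the host and port to prioritise for a firmware update or for restricting access to the management interface.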

Requires


Authors:

  • Paul AMAR <aos.paul@gmail.com>
  • Rob Nicholls

License: Same as Nmap--See https://nmap.org/book/man-legal.html