Categories: exploit, vuln, intrusive
A vulnerability has been discovered in WNR 1000 series that allows an attacker to retrieve administrator credentials with the router interface. Tested On Firmware Version(s): V18.104.22.168_60.0.86 (Latest) and V22.214.171.124_60.0.82NA
Vulnerability discovered by c1ph04.
URI path where the passwordrecovered.cgi script can be found. Default: /
creds.[service], creds.globalSee the documentation for the creds library.
vulns.short, vulns.showallSee the documentation for the vulns library.
slaxml.debugSee the documentation for the slaxml library.
smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusernameSee the documentation for the smbauth library.
http.host, http.max-cache-size, http.max-pipeline, http.pipeline, http.useragentSee the documentation for the http library.
nmap -sV --script http-vuln-wnr1000-creds <target> -p80
PORT STATE SERVICE REASON 80/tcp open http syn-ack | http-vuln-wnr1000-creds: | VULNERABLE: | Netgear WNR1000v3 Credential Harvesting Exploit | State: VULNERABLE (Exploitable) | IDs: None, 0-day | Description: | A vulnerability has been discovered in WNR 1000 series that allows an attacker | to retrieve administrator credentials with the router interface. | Tested On Firmware Version(s): V126.96.36.199_60.0.86 (Latest) and V188.8.131.52_60.0.82NA | Disclosure date: 26-01-2014 | References: |_ http://packetstormsecurity.com/files/download/124759/netgearpasswd-disclose.zip
License: Same as Nmap--See https://nmap.org/book/man-legal.html