Categories: exploit, vuln, intrusive
A vulnerability has been discovered in WNR 1000 series that allows an attacker to retrieve administrator credentials with the router interface. Tested On Firmware Version(s): V220.127.116.11_60.0.86 (Latest) and V18.104.22.168_60.0.82NA
Vulnerability discovered by c1ph04.
URI path where the passwordrecovered.cgi script can be found. Default: /
slaxml.debugSee the documentation for the slaxml library.
http.max-cache-size, http.max-pipeline, http.pipeline, http.useragentSee the documentation for the http library.
smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusernameSee the documentation for the smbauth library.
vulns.showallSee the documentation for the vulns library.
nmap -sV --script http-vuln-wnr1000-creds <target> -p80
PORT STATE SERVICE REASON 80/tcp open http syn-ack | http-vuln-wnr1000-creds: | VULNERABLE: | Netgear WNR1000v3 Credential Harvesting Exploit | State: VULNERABLE (Exploitable) | IDs: None, 0-day | Description: | A vulnerability has been discovered in WNR 1000 series that allows an attacker | to retrieve administrator credentials with the router interface. | Tested On Firmware Version(s): V22.214.171.124_60.0.86 (Latest) and V126.96.36.199_60.0.82NA | Disclosure date: 26-01-2014 | References: |_ http://packetstormsecurity.com/files/download/124759/netgearpasswd-disclose.zip
Author: Paul AMAR <firstname.lastname@example.org>, Rob Nicholls
License: Same as Nmap--See https://nmap.org/book/man-legal.html