Netgear Unauthenticated SOAP Password Extractor

Disclosed: Feb 11, 2015
Created: May 30, 2018

Description

This module exploits an authentication bypass vulnerability in several Netgear devices.
The bypass allows the password for the remote management interface to be extracted. The module
has been tested on a Netgear WNDR3700v4 - V1.0.1.42, but other devices are reported as vulnerable:

NetGear WNDR3700v4 - V1.0.0.4SH
NetGear WNDR3700v4 - V1.0.1.52
NetGear WNR2200 - V1.0.1.88
NetGear WNR2500 - V1.0.0.24
NetGear WNDR3700v2 - V1.0.1.14 (Tested by Paula Thomas)
NetGear WNDR3700v1 - V1.0.16.98 (Tested by Michal Bartoszkiewicz)
NetGear WNDR3700v1 - V1.0.7.98 (Tested by Michal Bartoszkiewicz)
NetGear WNDR4300 - V1.0.1.60 (Tested by Ronny Lindner)
NetGear R6300v2 - V1.0.3.8 (Tested by Robert Mueller)
NetGear WNDR3300 - V1.0.45 (Tested by Robert Mueller)
NetGear WNDR3800 - V1.0.0.48 (Tested by an Anonymous contributor)
NetGear WNR1000v2 - V1.0.1.1 (Tested by Jimi Sebree)
NetGear WNR1000v2 - V1.1.2.58 (Tested by Chris Boulton)
NetGear WNR2000v3 - v1.1.2.10 (Tested by h00die)

Authors

Peter Adkins peter.adkins@kernelpicnic.net
Michael Messner devnull@s3cur1ty.de
h00die mike@shorebreaksecurity.com

Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':


msf > use auxiliary/admin/http/netgear_soap_password_extractor
msf auxiliary(netgear_soap_password_extractor) > show actions
...actions...
msf auxiliary(netgear_soap_password_extractor) > set ACTION <action-name>
msf auxiliary(netgear_soap_password_extractor) > show options
...show and set options...
msf auxiliary(netgear_soap_password_extractor) > run
