Rapid7 Vulnerability & Exploit Database

Moxa Device Credential Retrieval

Back to Search

Moxa Device Credential Retrieval



The Moxa protocol listens on 4800/UDP and will respond to broadcast or direct traffic. The service is known to be used on Moxa devices in the NPort, OnCell, and MGate product lines. Many devices with firmware versions older than 2017 or late 2016 allow admin credentials and SNMP read and read/write community strings to be retrieved without authentication. This module is the work of Patrick DeSantis of Cisco Talos and K. Reid Wightman. Tested on: Moxa NPort 6250 firmware v1.13, MGate MB3170 firmware 2.5, and NPort 5110 firmware 2.6.


  • Patrick DeSantis <p@t-r10t.com>
  • K. Reid Wightman <reid@revics-security.com>


Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

msf > use auxiliary/admin/scada/moxa_credentials_recovery
msf auxiliary(moxa_credentials_recovery) > show actions
msf auxiliary(moxa_credentials_recovery) > set ACTION < action-name >
msf auxiliary(moxa_credentials_recovery) > show options
    ...show and set options...
msf auxiliary(moxa_credentials_recovery) > run 

Time is precious, so I don’t want to do something manually that I can automate. Leveraging the Metasploit Framework when automating any task keeps us from having to re-create the wheel as we can use the existing libraries and focus our efforts where it matters.

– Jim O’Gorman | President, Offensive Security