2025-04-09 Update From: SLTechnology News&Howtos, Network Security
Shulou(Shulou.com)06/01 Report--
Dolphin, Beijing, 20150703
I. Background
Router Scan is a router security testing tool written by Stas'M, a Russian security tester. The latest version is v2.51, released on February 21, 2015. I have used two versions of this tool: the most widely used one, v2.44, and of course the latest one. Let me first describe what is different between the latest version and v2.44.
Update contents:
1. Naturally, scanning support has been added for more router brands and models.
2. A new Search Results section on the main page lets you filter the host information you care about out of the scan results and view it directly in the tool, without having to export and convert files.
3. The user manual is now bundled with the main program, in two versions, one in English and one in Russian.
4. A new program settings function, "Settings and Tweaks". The previous version offered no way to configure the program's other functions, so this is a major highlight.
5. A new PIN calculator, "WPS PIN Companion", which is a great feature for those who love WiFi security testing. Great!
6. A timer, which is very practical for researchers who want to evaluate the efficiency of the software or of their own work.
II. Functions and usage
2.1 Router scanning function
Router Scan v2.51 is the easiest, most effective and most comprehensive router scanning tool I have ever used, with a success rate of 90%, which makes it very suitable for beginners and script kiddies. As a router security testing tool, its core function is of course router scanning.
Currently supported router brands are: @irLAN, 3Com, AirTies, AnyData, AnyGate, ASUS, Belkin, C-motech, Cisco, Conel, D-Link, DrayTek, ECI, EDIMAX, Gigabyte, GlobespanVirata, Huawei, Intercross, LevelOne, Motorola Mobility, NETGEAR, Netis, NeoPort, PacketFront, Pozitron, SI2000, Seowon Intech, SerComm, Tenda, Thomson, TOTOLINK, TP-LINK, TRENDnet, Upvel, Verizon, Vertex Wireless, ZTE, ZyXEL, Other/Various.
Apart from a few domestic (Chinese) router brands that are not supported, it covers 90% of the router brands on the market.
Figure 1 Router Scan main interface
From the results of scanning a router we can obtain the following information: 1, open ports; 2, login user name and password; 3, router name or brand and model; 4, wireless network name (SSID); 5, wireless password (KEY); 6, wireless encryption method; 7, PIN code; 8, intranet IP and other valuable information.
Using it is very simple; two steps are enough: 1, enter the IP address or address range you want to test; 2, click the "Start scan" button in the upper left corner, and the test begins.
There is a progress bar at the bottom of the interface (part 8 of figure 1); the completed portion is filled in green so that you can see how far the test has progressed. Part 9 of figure 1 shows the current state of the program: 1, Ready means the program is ready; 2, Scanning now means the program is scanning; 3, Scanning finished means the scan is complete; 4, Waiting for stopping threads... means you clicked to stop the scan while it was running, but the scanning threads have not yet finished.
Part 10 of the interface, Active threads, shows how many threads are currently active; part 11, Total found, shows how many live hosts have been found so far; part 12, Good found, is the number of routers whose login user name and password were obtained successfully. Part 13 shows how long the current scan has been running and the cumulative time spent across multiple scans.
After the test is complete, the scan results are displayed in part 14 of the main interface.
2.2 Result filtering function
This function displays only the results you are interested in and filters out all other scan results. In part 5 of the main interface, enter the keyword you want to find in the Text to search box and click the Search all button; the matches are output on the "Search Results" tab. For example, to find routers with TP-LINK in the results, search for that keyword, as shown in the figure:
Figure 2 Query function interface
2.3 Scanning modules
In v2.44 the scanning module had only four options; the latest version adds a new router scanning module, "Router Scan (main)", as shown in figure 3.
Figure 3 scanning module
The scanning module now has five options: 1, Router Scan (main); 2, Detect proxy servers; 3, Use HNAP 1.0; 4, SQLite Manager RCE; 5, Hudson Java Servlet.
In the new version the Router Scan (main) module is selected by default. If you want a fast scan you can select this module alone, but the drawback is a lower probability of obtaining authentication accounts and passwords, because many routers cannot be cracked by brute force alone.
Detect proxy servers literally means detecting proxy servers, but I have not yet figured out its exact role, and I would ask the experts to offer a pointer or two. I think it should find hosts that can be used as proxies for scanning and detection, making it convenient to set up your own.
Use HNAP 1.0 uses vulnerabilities in the HNAP protocol to test the security of the router. HNAP is the abbreviation of Home Network Administration Protocol. It is a network management protocol based on HTTP-SOAP, and it shares the characteristics of most other network management protocols: remote authenticated login, remote configuration, information retrieval, configuration execution and so on. The protocol allows equipment manufacturers to remotely manage and configure their own devices, so that they can manage them better and provide better technical support to consumers. But some router manufacturers have also exposed vulnerabilities through this protocol: the HNAP command remote privilege escalation vulnerability. This scanning tool integrates the PoC for this vulnerability, which markedly improves the success rate of router cracking; after selecting this module, some passwords that are not in the dictionary can also be captured directly!
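As an added example (not code from the article or from Router Scan), the following Python script shows what the HTTP-SOAP exchange behind HNAP 1.0 looks like from the defender's side: it parses the GetDeviceSettings reply that an HNAP-enabled device returns for a plain GET of /HNAP1/ and lists the management actions the device advertises, so an administrator can confirm that HNAP is really off on their own router after disabling it. The sample response is constructed, with placeholder vendor, model and firmware strings; the purenetworks.com namespace is the one HNAP 1.0 devices use, and `fetch_hnap` is a hypothetical helper for a live check against a router you administer.

```python
"""Parse an HNAP 1.0 GetDeviceSettings reply and report what the device exposes.

Added example, not code from the article or from Router Scan. It lets an
administrator confirm whether a router still answers HNAP (and with which
management actions) after HNAP has supposedly been disabled.
"""
import urllib.request
import xml.etree.ElementTree as ET

HNAP_NS = "http://purenetworks.com/HNAP1/"  # namespace used by HNAP 1.0 devices

# Constructed sample of the reply to an unauthenticated "GET /HNAP1/" request.
# Vendor, model and firmware strings are placeholders, not a real device.
SAMPLE_RESPONSE = b"""<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetDeviceSettingsResponse xmlns="http://purenetworks.com/HNAP1/">
      <GetDeviceSettingsResult>OK</GetDeviceSettingsResult>
      <Type>GatewayWithWiFi</Type>
      <VendorName>EXAMPLE-VENDOR</VendorName>
      <ModelName>EXAMPLE-MODEL</ModelName>
      <FirmwareVersion>0.0.0-placeholder</FirmwareVersion>
      <SOAPActions>
        <string>http://purenetworks.com/HNAP1/GetDeviceSettings</string>
        <string>http://purenetworks.com/HNAP1/SetDeviceSettings</string>
        <string>http://purenetworks.com/HNAP1/GetWLanRadioSecurity</string>
        <string>http://purenetworks.com/HNAP1/Reboot</string>
      </SOAPActions>
    </GetDeviceSettingsResponse>
  </soap:Body>
</soap:Envelope>"""


def parse_device_settings(body: bytes) -> dict:
    """Return vendor/model/firmware and the advertised SOAP actions.

    Returns {} when the body is not well-formed XML or is not an HNAP
    GetDeviceSettings reply (e.g. an ordinary login page), which is the
    "HNAP is off" result an administrator wants to see.
    """
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return {}
    resp = root.find(f".//{{{HNAP_NS}}}GetDeviceSettingsResponse")
    if resp is None:
        return {}

    def text(tag: str) -> str:
        el = resp.find(f"{{{HNAP_NS}}}{tag}")
        return el.text.strip() if el is not None and el.text else ""

    actions = [
        s.text.strip().rsplit("/", 1)[-1]  # keep only the action name
        for s in resp.findall(f"{{{HNAP_NS}}}SOAPActions/{{{HNAP_NS}}}string")
        if s.text
    ]
    return {
        "vendor": text("VendorName"),
        "model": text("ModelName"),
        "firmware": text("FirmwareVersion"),
        "actions": actions,
    }


def sensitive_actions(info: dict) -> list:
    """Actions that change device state or return wireless security settings.

    Seeing these advertised to an unauthenticated client is the exposure that
    disabling HNAP (or updating the firmware) is meant to remove.
    """
    return [
        a for a in info.get("actions", [])
        if a.startswith("Set") or a == "Reboot" or "Security" in a
    ]


def fetch_hnap(host: str, timeout: float = 5.0) -> bytes:
    """Hypothetical helper for a live check of a router you administer."""
    req = urllib.request.Request(f"http://{host}/HNAP1/",
                                 headers={"User-Agent": "hnap-self-check"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read()


if __name__ == "__main__":
    info = parse_device_settings(SAMPLE_RESPONSE)
    if not info:
        print("device does not answer HNAP")
    else:
        print(f"{info['vendor']} {info['model']} fw {info['firmware']}")
        print("advertised actions:", ", ".join(info["actions"]))
        print("sensitive actions exposed:", ", ".join(sensitive_actions(info)))
```

For a live check, pass the output of `fetch_hnap("192.168.0.1")` (your own gateway address) to `parse_device_settings`; an empty result means the device no longer speaks HNAP on that interface, which is the state to aim for on a device whose firmware is still affected.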
SQLite Manager RCE uses SQLite Manager to connect remotely to the database on the device and retrieve its configuration information, in order to achieve the cracking goal.
Hudson Java Servlet: I have not tested this feature, so its exact role is unknown. Using the functions above, the cracking success rate is as high as 80%, far better than many scanners on the market; it can be called a killer tool!
2.4 Port scanning
Because of its specific purpose, this tool scans routers on ports 80 or 8080 by default, but it can also be used as a scanner for other web service ports to help you quickly find hosts that may have security vulnerabilities. For example, you can add port 443 (HTTPS) to the scan, then use more specialised vulnerability scanning software against the hosts found with port 443 open, which provides a basis for fixing vulnerabilities and better protecting your own company's network. It is recommended to scan only ports related to web services, because the port scan works by establishing TCP connections; scanning too many ports may trigger alarms on devices such as firewalls, which affects the final scan result.
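The point that TCP connect scans trip firewall alarms is where the defender's detection lives. Below is an added example (not from the article or from Router Scan) of that detection logic in Python: it parses netfilter-style firewall log lines, counts the distinct TCP destination ports each source address touched within a sliding time window, and flags sources that exceed a threshold. The log lines are constructed sample data using documentation IP ranges; the field names (SRC=, DST=, PROTO=, DPT=) are the standard iptables LOG format, while the "FW-DROP:" prefix and the window and threshold values are assumptions.

```python
"""Flag TCP port scans in netfilter-style firewall logs.

Added example, not code from the article or from Router Scan. A scanner that
works by opening TCP connections leaves one logged SYN per port it probes;
this script groups those by source address and raises an alert when one
source touches many distinct ports within a short window.
"""
import re
from collections import defaultdict
from datetime import datetime

# iptables/nftables LOG lines carry SRC=, DST=, PROTO= and DPT= fields; the
# "FW-DROP:" prefix is an assumed --log-prefix value, not a standard one.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: .*?"
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?PROTO=TCP .*?DPT=(?P<dpt>\d+)"
)

# Constructed sample log using RFC 5737 documentation addresses.
SAMPLE_LOG = """\
Jun  1 10:00:01 gw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.7 LEN=60 TTL=54 PROTO=TCP SPT=44321 DPT=21 SYN
Jun  1 10:00:02 gw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.7 LEN=60 TTL=54 PROTO=TCP SPT=44322 DPT=22 SYN
Jun  1 10:00:02 gw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.7 LEN=60 TTL=54 PROTO=TCP SPT=44323 DPT=23 SYN
Jun  1 10:00:03 gw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.7 LEN=60 TTL=54 PROTO=TCP SPT=44324 DPT=80 SYN
Jun  1 10:00:03 gw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.7 LEN=60 TTL=54 PROTO=TCP SPT=44325 DPT=443 SYN
Jun  1 10:00:04 gw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.7 LEN=60 TTL=54 PROTO=TCP SPT=44326 DPT=8080 SYN
Jun  1 10:00:05 gw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.7 LEN=60 TTL=54 PROTO=TCP SPT=44327 DPT=8443 SYN
Jun  1 10:00:07 gw kernel: FW-DROP: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.7 LEN=60 TTL=61 PROTO=TCP SPT=51000 DPT=80 SYN
Jun  1 10:00:09 gw kernel: FW-DROP: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.7 LEN=60 TTL=61 PROTO=TCP SPT=51001 DPT=443 SYN
Jun  1 10:01:00 gw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.7 LEN=60 TTL=50 PROTO=TCP SPT=40001 DPT=80 SYN
Jun  1 10:05:00 gw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.7 LEN=60 TTL=50 PROTO=TCP SPT=40002 DPT=8080 SYN
Jun  1 10:09:00 gw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.7 LEN=60 TTL=50 PROTO=TCP SPT=40003 DPT=443 SYN
Jun  1 10:09:30 gw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.7 LEN=78 TTL=54 PROTO=UDP SPT=5353 DPT=53
Jun  1 10:09:31 gw sshd[1234]: Accepted publickey for admin from 192.0.2.10 port 51002
"""


def parse_line(line: str):
    """Return (timestamp, src, dst, dport) for a TCP firewall log line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year; a relative value is enough for windowing
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    return ts, m.group("src"), m.group("dst"), int(m.group("dpt"))


def detect_scans(lines, window_s: int = 60, min_ports: int = 5) -> dict:
    """Map each source that hit >= min_ports distinct TCP ports within any
    window_s-second window to the sorted list of ports it touched."""
    events = defaultdict(list)  # src -> [(ts, dport), ...]
    for line in lines:
        ev = parse_line(line)
        if ev:
            ts, src, _dst, dport = ev
            events[src].append((ts, dport))

    alerts = {}
    for src, evs in events.items():
        evs.sort()
        start = 0
        for end, (t_end, _) in enumerate(evs):
            # slide the window start forward until it fits within window_s
            while (t_end - evs[start][0]).total_seconds() > window_s:
                start += 1
            ports = {p for _, p in evs[start:end + 1]}
            if len(ports) >= min_ports:
                alerts[src] = sorted(set(alerts.get(src, [])) | ports)
    return alerts


if __name__ == "__main__":
    for src, ports in detect_scans(SAMPLE_LOG.splitlines()).items():
        print(f"ALERT port scan from {src}: {len(ports)} ports {ports}")
```

On the sample data only 203.0.113.5 is flagged: the ordinary client that touched two ports and the host that probed three ports spread over ten minutes both stay below the threshold, and the UDP line is ignored because the scan described above is TCP-based. Tune `window_s` and `min_ports` to the noise level of the network; scanners that throttle to one port per minute need a longer window or a lower threshold.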
III. Practical cases
3.1 Case 1: router security testing
1. Set the software parameters. The maximum number of threads can be left at the default of 3000; for a good scan success rate it is recommended to stay between 100 and 3000. Of course, this also depends on the configuration and bandwidth of your own computer; if both are high, the value can be raised accordingly. Keep the default timeout of 2000. Scan ports: 80, 8080, 1080. Scanning modules: check only Router Scan (main) and Use HNAP 1.0. Finally, set the address range you want to test, and the parameters are complete. As shown in the figure:
Figure 4 Parameter settings
2. After setting the parameters, click the Start scan button to begin the security test. Then simply wait for the scan results, as shown in the picture.
Figure 5 Scan results
3. With the scan results in hand, we can log in manually to verify whether they are correct. I picked a router at random and logged in; the interface is as follows:
Figure 6 Router login interface
At this point the router security test is complete. Isn't it simple, even foolproof? Go and test whether your own router is this easy to break into, and hurry up and change the default password!
3.2 Case 2: set up your own free ××× and use the ××× function.
1. The settings are the same as in the previous case, except that the IP address range is set to a foreign one, in order to scan foreign router hosts that can be used as your own. Foreign IP address ranges can be collected through search engines such as Baidu and Google.
2. Once you have scan results, log in to the router and check whether it has a Dynamic DNS (DDNS) function. If so, simply set it up, as shown in the figure:
Figure 7 DDNS Settings
This DDNS setting requires you to register an account and a sub-domain on the www.DynDNS.org website first. Once configured, click Apply. Then configure the ×× connection on our computer.
Figure 8 ×× domain name settings
Figure 9 ×× login user name and password
As shown in the figure, enter the host name registered on the DynDNS.org website as the address, and fill in the user name and password you registered. In this way, even if the router reboots and is assigned a different IP address, we can still dial in through it! Mom no longer has to worry that I can't access YouTube, oh yeah!
3.3 Case 3: who is watching me?
The tool can scan not only routers but also every webcam exposed on the network, as long as the network can reach it. Most webcams on the network use a weak password or the product's default password, so that anyone can easily enter the control panel and spy on everything you do!
Figure 10 Picture from a surveillance camera
Now do you think this is an excellent tool? Very useful! At the same time, these cases should also raise our awareness of network security; otherwise the environment you build will be a convenient place for others to do bad things, so please be careful!
IV. Defensive measures
To prevent our equipment from being used by others, the following simple defences should be in place:
1. Do not use the product's default password or any weak password.
2. Change the administrative password regularly.
3. Check the device's firmware version regularly and update to the latest version promptly, so that known vulnerabilities cannot be exploited.
Note: this article is intended only for the study and exchange of security testing; please do not use it for illegal purposes, or you will bear the consequences yourself!
Related literature and materials:
1. Router Scan v2.51 official website and download
http://stascorp.com/load/1-1-0-56
2. HNAP Protocol Vulnerabilities: Pushing The "Easy" Button
http://www.tenable.com/blog/hnap-protocol-vulnerabilities-pushing-the-easy-button
3. Multiple HNAP command remote privilege escalation vulnerabilities in D-Link products
http://www.linuxidc.com/Linux/2015-04/116572.htm
4. Home Network Administration Protocol (HNAP) Whitepaper
http://wenku.baidu.com/link?url=e6_txALodIvFMDwK6eDrYeps5nJpXDC1QaF8ORqBtDhR0aIcybg7kecu0tYTbSqCdZAmBL26TJe_pQ355CKyTOqdjcvY5qbu27Ab65FVjVm
5. Using Router Scan to access the Internet
http://www.wufuli.com/2081.html