Remote credential and configuration disclosure of Huawei HG5XX devices using Nmap.
I have added an NSE script called "http-huawei-hg5xx-vuln" which exploits a couple of vulnerabilities found in Huawei HG5XX modems.
The first vulnerability, which allows an attacker to extract the router's configuration file, was found by Pedro Joaquín of Websec. The second vulnerability lets the attacker extract the PPPoE password and was reported by ADiaz.
The information extracted by "http-huawei-hg5xx-vuln" is:
- PPPoE credentials
- Model
- Firmware version
- Gateway IP
- DNS 1 and 2
- Network segment
- Active Ethernet and WiFi connections
- BSSID
To obtain the Huawei HG5XX's PPPoE credentials and configuration file with Nmap we can use the following command:
$ nmap -p80 --script http-huawei-hg5xx-vuln <IP>
If the device is vulnerable:
Here you can see a video demonstrating "http-huawei-hg5xx-vuln" in action:
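For administrators checking their own modems, the following added example (not part of the original post or of the NSE script) triages a scan saved with Nmap's `-oX` option. It assumes the script emits a `<script>` element only when it has something to report; the sample XML, its addresses and the placeholder output text are constructed.

```python
import xml.etree.ElementTree as ET

SCRIPT_ID = "http-huawei-hg5xx-vuln"

# Constructed sample of `nmap -oX` output. Addresses come from a documentation
# range and the script output is a placeholder, not real tool output.
SAMPLE_XML = """
<nmaprun scanner="nmap">
  <host><address addr="192.0.2.10" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="80"><state state="open"/>
      <script id="http-huawei-hg5xx-vuln" output="(constructed placeholder)"/>
    </port></ports>
  </host>
  <host><address addr="192.0.2.11" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="80"><state state="open"/></port></ports>
  </host>
  <host><address addr="192.0.2.12" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="80"><state state="filtered"/></port></ports>
  </host>
</nmaprun>
"""

def triage(xml_text):
    """Sort scanned hosts into flagged / no_finding / not_assessed."""
    result = {"flagged": [], "no_finding": [], "not_assessed": []}
    for host in ET.fromstring(xml_text).iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        addr = addr_el.get("addr") if addr_el is not None else "unknown"
        port = host.find("ports/port[@portid='80']")
        state_el = port.find("state") if port is not None else None
        state = state_el.get("state") if state_el is not None else None
        if state != "open":
            # The script never ran against this host, so the absence of a
            # finding says nothing about whether the device is exposed.
            result["not_assessed"].append(addr)
            continue
        hit = port.find(f"script[@id='{SCRIPT_ID}']")
        if hit is not None and hit.get("output", "").strip():
            result["flagged"].append(addr)
        else:
            result["no_finding"].append(addr)
    return result

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_XML).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Hosts in `not_assessed` should be rescanned from a vantage point that can reach their web interface before they are treated as unaffected.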
References
- http://websec.ca/advisories/view/Huawei-HG520c-3.10.18.x-information-disclosure
- http://seclists.org/nmap-dev/2012/q2/346
- http://routerpwn.com/#huawei