no one is safe ...

Metasploit Updates with some Home Network Horror stuff

The last two #Metasploit updates include some new modules for testing the home network devices you encounter within your pentests.

You can find the original text of the following paragraph over here.

Consumer-Grade Hacking

Last month, I talked about community contributor Michael @m-1-k-3 Messner's nifty D-Link authentication bypass, and made the case that having Metasploit modules for consumer-grade access points is, in fact, useful and important.

Well, this week's update has a pile of new modules from m-1-k-3, all of which are targeting these kinds of consumer-grade networked devices: We now have a Linksys E1500 / E2500 remote command exec exploit, a Linksys 1500 directory traversal exploit, a directory traversal module for TP-Link's TL-WA701ND access point, a password extractor for the DLink DIR-645, and a directory traversal module for NetGear's weird single-purpose cordless phone device.

That's right, we have a Metasploit module for a cordless phone. The era of there being a difference between your "electronic devices" and your "computer devices" is coming to a close. What I said last month about these sorts of devices being in scope for a pen-test still stands -- if they're not in scope today, they really ought to be, at least for key personnel. Criminals don't particularly care about your scope doc.

You can find the original text of the following paragraph over here.

D-Link DIR-300 and DIR-600 Auth Bypass

I won't lie, I love authentication bypass modules. No tricky offsets to calculate, no bad chars to figure out, no NX or DEP or anything to mitigate -- just straight up exercise-the-functionality style of exposure and exploitation. This week's update includes an "exploit" for D-Link routers, which are pretty common in home and small business environments, courtesy of Metasploit community contributor Michael @m-1-k-3 Messner. Turns out, the shipping command.php webapp on D-Link DIR-300 and DIR-600 routers doesn't actually require authentication. Whoops.

Sure, this is a home device, consumer gear. So who cares? Well, what kind of gear does your CFO use at home? Unless she's a super nerd that likes managing her own complicated subnetted home network, I'm guessing that high-value human targets use consumer gear with pretty default-ish configurations.

Now, these kinds of targets are often not in scope -- but one of the goals of Metasploit is to be able to simulate what a real attacker would do, and I guarantee you that Unit 61398 doesn't care about your stated and agreed upon scope. Modules like this should be used to at least start that conversation with your pentesting clients about this sort of vector.

New modules

  • D-Link DIR-600 / DIR-300 Unauthenticated Remote Command Execution by Michael Messner exploits OSVDB-89861
  • DLink DIR 645 Password Extractor by Michael Messner and Roberto Paleari exploits OSVDB-90733
  • Linksys E1500/E2500 Remote Command Execution by Michael Messner exploits OSVDB-89912
  • Linksys E1500 Directory Traversal Vulnerability by Michael Messner exploits OSVDB-89911
  • Netgear SPH200D Directory Traversal Vulnerability by Michael Messner exploits BID-57660
  • TP-Link Wireless Lite N Access Point Directory Traversal Vulnerability by Michael Messner exploits CVE-2012-5687
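Two of the weaknesses these modules cover, a management endpoint that answers without authentication and directory traversal through a web interface, leave a recognisable trace in the device's or an upstream reverse proxy's access log. The following is an added example from the defender's side, not code from the original post and not part of any Metasploit module: it parses Common Log Format lines, percent-decodes the request target twice so single- and double-encoded `../` both surface, and flags successful hits on management paths that carry no authenticated user. The log lines are constructed for the example; `/command.php` is the endpoint named in the post, while the `ADMIN_PATHS` set, the `/cgi-bin/get` path and the `file=` parameter are assumptions you would replace with the paths of the device you are reviewing.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Common Log Format (CLF). They are made up for this
# example and do not come from any real device or from the original post.
SAMPLE_LOG = """\
192.0.2.10 - - [10/Feb/2013:12:00:01 +0100] "GET /index.html HTTP/1.1" 200 1024
192.0.2.10 - - [10/Feb/2013:12:00:02 +0100] "GET /command.php HTTP/1.1" 200 312
192.0.2.11 - admin [10/Feb/2013:12:00:03 +0100] "GET /command.php HTTP/1.1" 200 312
192.0.2.12 - - [10/Feb/2013:12:00:04 +0100] "GET /cgi-bin/get?file=../../../../etc/passwd HTTP/1.1" 200 1500
192.0.2.12 - - [10/Feb/2013:12:00:05 +0100] "GET /cgi-bin/get?file=..%252F..%252Fetc%252Fpasswd HTTP/1.1" 200 1500
192.0.2.13 - - [10/Feb/2013:12:00:06 +0100] "GET /images/logo.png HTTP/1.1" 200 4000
"""

# CLF: ip ident user [timestamp] "method target protocol" status size
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Management endpoints that must never answer an unauthenticated request with 200.
# /command.php is the endpoint named in the post; the set itself is an assumption
# to be replaced with the admin paths of the device under review.
ADMIN_PATHS = {"/command.php"}

# A '..' segment at the start of the target, after a path separator, or right
# after a query-parameter delimiter, followed by a separator or the end.
TRAVERSAL_RE = re.compile(r'(?:^|[/=?&])\.\.(?:/|$)')


def decode_target(target: str) -> str:
    """Percent-decode twice so that '%2F' and double-encoded '%252F' both become '/'."""
    return unquote(unquote(target))


def is_traversal(target: str) -> bool:
    """True if the request target contains a '..' path segment after decoding."""
    decoded = decode_target(target).replace("\\", "/")
    return TRAVERSAL_RE.search(decoded) is not None


def scan_access_log(text: str, admin_paths=ADMIN_PATHS) -> list:
    """Return one finding per suspicious line.

    Findings are dicts with 'line', 'ip', 'kind' and 'target'; 'kind' is
    'traversal' for a '..' segment in the target, or 'unauth-admin' for a
    200 response on a management path with no authenticated user ('-').
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = CLF_RE.match(line)
        if not m:
            continue  # not CLF; a production scanner would count and report these
        target = m.group("target")
        path = decode_target(target.split("?", 1)[0])
        if is_traversal(target):
            findings.append({"line": line_no, "ip": m.group("ip"),
                             "kind": "traversal", "target": target})
        if path in admin_paths and m.group("user") == "-" and m.group("status") == "200":
            findings.append({"line": line_no, "ip": m.group("ip"),
                             "kind": "unauth-admin", "target": target})
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['kind']:13s} {f['ip']:12s} {f['target']}")
```

The CLF user field is only populated for HTTP basic/digest authentication; a device that tracks sessions with a cookie will log `-` for every request, so on such gear the `unauth-admin` check degrades to "every 200 on a management path is worth a look", which is still a useful starting point for the scope conversation the post describes.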

We are working on some more very cool stuff. Stay tuned for some shells :)

Best,
Mike