SANS ISC InfoSec Handlers Diary Blog



More on HNAP - What is it, How to Use it, How to Find it

Published: 2014-02-15
Last Updated: 2014-02-15 14:40:40 UTC
by Rob VandenBrink (Version: 1)
5 comment(s)

We've had a ton of discussion on the most recent set of home router vulnerabilities based on the HNAP protocol (see Thursday's story posted by Johannes: https://isc.sans.edu/diary/Linksys+Worm+%22TheMoon%22+Summary%3A+What+we+know+so+far/17633).  But what is the HNAP protocol for, and why is it so persistently enabled?

HNAP (Home Network Administration Protocol) is a network device management protocol, useful for anyone, but I think meant primarily for ISPs to manage fleets of devices deployed as part of your internet subscription.  It's covered in US Patent 20070130286 (http://www.google.com/patents/US20070130286), and is nicely described in a Cisco doc found here: http://www.cisco.com/web/partners/downloads/guest/hnap_protocol_whitepaper.pdf

The protocol was patented originally by Pure Networks, but the protocol is now owned by and the implementation has been carried forward by Cisco.

So for devices that might potentially be deployed and managed by an ISP, or even by a corporation to remote sites, you want a management protocol that is on by default, and is difficult for the remote user to turn off.  Or, from some reports, on some devices this protocol stays enabled even after you turn it off (oops, a little too persistent there).

And yes, the irony of someone "in the biz" deciding in 2007 that we need yet another clear-text network management protocol does not escape me.  Since HNAP uses SOAP, you can use HTTPS as a transport, but the vulnerabilities to date have been mostly clear text, and the basic device info query is in clear text.

As Johannes described yesterday, an easy Linux / OS X way to test for HNAP is (printf rather than echo, since not every shell's echo interprets the \r\n escapes):

printf 'GET /HNAP1/ HTTP/1.1\r\nHost: test\r\n\r\n' | nc routerip 8080

What else can you do with HNAP?  You can also just pull the basic "get device info" page using a browser client, wget or curl (you can get both of these tools for Windows):

wget http://routerip/HNAP1/
or curl http://routerip/HNAP1
or just point your browser to http://routerip/HNAP1

I prefer using curl for this.  It's easy to script, and since HNAP is SOAP based, you can also send SOAP requests (using POST instead of GET) with curl: -X POST, a -H "SOAPAction: ..." header naming the action, and the SOAP envelope as the POST body.

What output do you get from this simple query command?  You get the basic device information, as well as the list of other valid SOAP commands you can send to your specific device:

C:\ > curl http://192.168.1.1/HNAP1

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<GetDeviceSettingsResponse xmlns="http://purenetworks.com/HNAP1/">
<GetDeviceSettingsResult>OK</GetDeviceSettingsResult>
<Type>GatewayWithWiFi</Type>
<DeviceName>Cisco40033</DeviceName>
<VendorName>Linksys</VendorName>
<ModelDescription>Linksys E4200</ModelDescription>
<ModelName>E4200</ModelName>
<FirmwareVersion>1.0.04 build 11</FirmwareVersion>
<PresentationURL>http://192.168.1.1/</PresentationURL>
<SOAPActions>
<string>http://purenetworks.com/HNAP1/IsDeviceReady</string>
<string>http://purenetworks.com/HNAP1/GetDeviceSettings</string>
<string>http://purenetworks.com/HNAP1/SetDeviceSettings</string>
<string>http://purenetworks.com/HNAP1/GetDeviceSettings2</string>
<string>http://purenetworks.com/HNAP1/SetDeviceSettings2</string>
<string>http://purenetworks.com/HNAP1/Reboot</string>
<string>http://purenetworks.com/HNAP1/RestoreFactoryDefaults</string>
<string>http://purenetworks.com/HNAP1/RenewWanConnection</string>
<string>http://purenetworks.com/HNAP1/GetWanSettings</string>
<string>http://purenetworks.com/HNAP1/SetWanSettings</string>
<string>http://purenetworks.com/HNAP1/GetRouterLanSettings2</string>
<string>http://purenetworks.com/HNAP1/SetRouterLanSettings2</string>
<string>http://purenetworks.com/HNAP1/GetWanInfo</string>
<string>http://purenetworks.com/HNAP1/GetPortMappings</string>
<string>http://purenetworks.com/HNAP1/AddPortMapping</string>
<string>http://purenetworks.com/HNAP1/DeletePortMapping</string>
<string>http://purenetworks.com/HNAP1/GetMACFilters2</string>
<string>http://purenetworks.com/HNAP1/SetMACFilters2</string>
<string>http://purenetworks.com/HNAP1/GetConnectedDevices</string>
<string>http://purenetworks.com/HNAP1/GetNetworkStats</string>
<string>http://purenetworks.com/HNAP1/GetClientStats</string>
<string>http://purenetworks.com/HNAP1/GetWLanRadios</string>
<string>http://purenetworks.com/HNAP1/GetWLanRadioSettings</string>
<string>http://purenetworks.com/HNAP1/SetWLanRadioSettings</string>
<string>http://purenetworks.com/HNAP1/GetWLanRadioSecurity</string>
<string>http://purenetworks.com/HNAP1/SetWLanRadioSecurity</string>
<string>http://purenetworks.com/HNAP1/GetRouterSettings</string>
<string>http://purenetworks.com/HNAP1/SetRouterSettings</string>
<string>http://purenetworks.com/HNAP1/GetFirmwareSettings</string>
<string>http://purenetworks.com/HNAP1/FirmwareUpload</string>
<string>http://purenetworks.com/HNAP1/DownloadSpeedTest</string>
<string>http://cisco.com/HNAPExt/HND/GetPolicySettings</string>
<string>http://cisco.com/HNAPExt/HND/SetPolicySettings</string>
<string>http://cisco.com/HNAPExt/HND/GetDefaultPolicySetting</string>
<string>http://cisco.com/HNAPExt/HND/SetDefaultPolicySetting</string>
<string>http://cisco.com/HNAPExt/HND/GetTMSSSLicense</string>
<string>http://cisco.com/HNAPExt/HND/ActivateTMSSS</string>
<string>http://cisco.com/HNAPExt/HND/GetTMSSSSettings</string>
<string>http://cisco.com/HNAPExt/HND/SetTMSSSSettings</string>
<string>http://cisco.com/HNAPExt/HND/GetPolicySettingsCapabilities</string>
<string>http://cisco.com/HNAPExt/HotSpot/GetDeviceInfo</string>
<string>http://cisco.com/HNAPExt/HotSpot/SetDeviceInfo</string>
<string>http://cisco.com/HNAPExt/HotSpot/GetGuestNetwork</string>
<string>http://cisco.com/HNAPExt/HotSpot/SetGuestNetwork</string>
<string>http://cisco.com/HNAPExt/HotSpot/GetGuestNetworkLANSettings</string>
<string>http://cisco.com/HNAPExt/HotSpot/SetDefaultWireless</string>
<string>http://cisco.com/HNAPExt/HotSpot/GetWANAccessStatuses</string>
<string>http://cisco.com/HNAPExt/HotSpot/AddWebGUIAuthExemption</string>
<string>http://cisco.com/HNAPExt/HotSpot/CheckParentalControlsPassword</string>
<string>http://cisco.com/HNAPExt/HotSpot/GetParentalControlsResetQuestion</string>
<string>http://cisco.com/HNAPExt/HotSpot/HasParentalControlsPassword</string>
<string>http://cisco.com/HNAPExt/HotSpot/ResetParentalControlsPassword</string>
<string>http://cisco.com/HNAPExt/HotSpot/SetParentalControlsPassword</string>
<string>http://cisco.com/HNAPExt/HotSpot/SetParentalControlsResetQuestion</string>
<string>http://cisco.com/HNAPExt/HotSpot/GetSwitchPortLEDSettings</string>
<string>http://cisco.com/HNAPExt/HotSpot/SetSwitchPortLEDSettings</string>
<string>http://cisco.com/HNAPExt/HotSpot/GetUSBCapability</string>
<string>http://cisco.com/HNAPExt/HotSpot/GetUSBPortSettings</string>
<string>http://cisco.com/HNAPExt/HotSpot/SetUSBPortSettings</string>
<string>http://cisco.com/HNAPExt/HotSpot/DisconnectVirtualUSB</string>
</SOAPActions>
<SubDeviceURLs></SubDeviceURLs>
<Tasks>
<TaskExtension>
<Name>Status Page</Name>
<URL>/Status_Router.asp</URL>
<Type>Browser</Type>
</TaskExtension>
<TaskExtension>
<Name>Basic Wireless Settings</Name>
<URL>/Wireless_Basic.asp</URL>
<Type>Browser</Type>
</TaskExtension>
<TaskExtension>
<Name>Linksys E4200</Name>
<URL>http://www.linksys.com/support/E4200</URL>
<Type>Browser</Type>
</TaskExtension>
</Tasks>
</GetDeviceSettingsResponse>
</soap:Body>
</soap:Envelope>
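Since the GET /HNAP1/ reply is plain SOAP, an inventory scan can parse it for model, firmware and the advertised actions instead of just grepping for "HNAP".  The Python below is an added example, not code from the diary: the sample response is a constructed, trimmed copy of the output above, and the WRITE_PREFIXES grouping is my own choice of which actions to flag.

```python
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
HNAP_NS = "http://purenetworks.com/HNAP1/"

# Constructed sample: a trimmed GetDeviceSettingsResponse modelled on the
# diary's curl output (real devices return the full SOAPActions list).
SAMPLE_RESPONSE = f"""<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="{SOAP_NS}">
<soap:Body>
<GetDeviceSettingsResponse xmlns="{HNAP_NS}">
<GetDeviceSettingsResult>OK</GetDeviceSettingsResult>
<Type>GatewayWithWiFi</Type>
<VendorName>Linksys</VendorName>
<ModelName>E4200</ModelName>
<FirmwareVersion>1.0.04 build 11</FirmwareVersion>
<SOAPActions>
<string>http://purenetworks.com/HNAP1/GetDeviceSettings</string>
<string>http://purenetworks.com/HNAP1/SetDeviceSettings</string>
<string>http://purenetworks.com/HNAP1/Reboot</string>
<string>http://purenetworks.com/HNAP1/FirmwareUpload</string>
<string>http://cisco.com/HNAPExt/HotSpot/GetGuestNetwork</string>
</SOAPActions>
</GetDeviceSettingsResponse>
</soap:Body>
</soap:Envelope>"""

# Actions that change configuration or code on the device; these are the
# ones worth flagging when HNAP is reachable from where it should not be.
WRITE_PREFIXES = ("Set", "Reboot", "RestoreFactoryDefaults", "FirmwareUpload",
                  "AddPortMapping", "DeletePortMapping")

def parse_hnap(body):
    """Return device fields plus its SOAP action list, or None when the body
    is not an HNAP GetDeviceSettings response (non-XML, an ordinary web page)."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    resp = root.find(f".//{{{HNAP_NS}}}GetDeviceSettingsResponse")
    if resp is None:
        return None
    info = {f: resp.findtext(f"{{{HNAP_NS}}}{f}", default="")
            for f in ("Type", "VendorName", "ModelName", "FirmwareVersion")}
    # <string> elements inherit the HNAP default namespace from their parent
    info["actions"] = [s.text for s in resp.iter(f"{{{HNAP_NS}}}string")]
    info["write_actions"] = [a for a in info["actions"]
                             if a.rsplit("/", 1)[-1].startswith(WRITE_PREFIXES)]
    return info
```

Feed parse_hnap() the body that curl -s http://routerip/HNAP1/ returns to get the same fields for a live device; a None result means the host answered, but not with HNAP.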

Most of these other HNAP commands require authentication and in many cases HTTPS encryption (depending on the device implementation), but the default credentials for home routers are well known, so your chances of success are good if you scan using them.  In most cases self-signed certs are in play, so even if you are a "man in the middle" sniffing legitimate traffic with a tool like ettercap, chances are you will be successful.  And of course the HNAP exploits don't bother with silly things like credentials at all.

Exploits against HNAP are not new - they go back to the 2010 paper at www.sourcesec.com/Lab/dlink_hnap_captcha.pdf, which describes hacking D-Link routers.

So, what's the easiest way to enumerate a network for HNAP devices?  For instance, if you want to scan your home or work network for unknown / unauthorized HNAP services?  The HNAP1 query of course will get you what you want, so we can use what we've learned so far to write a quick "chkhost.cmd" batch script for Windows:

@echo off
REM SYNTAX: chkhost.cmd host.ip.add.ress
REM Match on "TTL=": "time=" misses sub-millisecond LAN replies, which ping prints as time<1ms
ping -n 2 %1 | findstr /i "TTL=" > nul
REM "if errorlevel 1" (no ==) is the batch test for a non-zero exit code; "errorlevel==1" compares two literal strings
if errorlevel 1 goto endend
REM Host is up, now check for HNAP (-m 5 stops curl hanging on a host that accepts the connection but never answers)
curl -s -m 5 http://%1/HNAP1 | findstr "HNAP" > nul
if errorlevel 1 goto endend
echo Host %1 has HNAP enabled
:endend

Wrap this up in a FOR /L loop in "chknet.cmd" to scan a /24 subnet:

@echo off
REM SYNTAX: chknet.cmd sub.net.address  (3 octets only)

echo Scanning Network %1.0
for /L %%G IN (1,1,254) DO call chkhost %1.%%G

Running it will find everything on that net (my test network just has the one router we've been playing with):

C:\> chknet 192.168.1
Scanning Network 192.168.1.0
Host 192.168.1.1 has HNAP enabled

But this is a pretty crude method, and it takes quite a while for a /24 subnet.  Is there an easy tool that'll do the job?  I was very surprised to find that there wasn't an Nmap NSE script for this.  However, Nessus does have a plugin for HNAP service identification under Service Detection / HNAP Detection (dating back to April of 2011: http://www.tenable.com/blog/plugin-spotlights-new-nessus-os-identification-plugins)

As always, remember that scanning infrastructure that you do not own without permission is illegal.  These methods are intended to help scan networks you own and have permission to scan - your home network or the network at work for instance (note that you still require permission to scan your work network).

===============
Rob VandenBrink
Metafore

Keywords: HNAP scanning