Difference between revisions of "HNAP0wn: The Home Network Administration Protocol Owner"
Jump to navigation
Jump to search
m (Add syntaxhighlight) |
m (Minor: Bug fixes.) |
||
| Line 1: | Line 1: | ||
██╗ ██╗███╗ ██╗ █████╗ ██████╗ ██████╗ ██╗ ██╗███╗ ██╗ | <div style="max-width: 970px; text-align: justify"> | ||
<nowiki>██╗ ██╗███╗ ██╗ █████╗ ██████╗ ██████╗ ██╗ ██╗███╗ ██╗ | |||
██║ ██║████╗ ██║██╔══██╗██╔══██╗██╔═████╗██║ ██║████╗ ██║ | |||
███████║██╔██╗ ██║███████║██████╔╝██║██╔██║██║ █╗ ██║██╔██╗ ██║ | |||
██╔══██║██║╚██╗██║██╔══██║██╔═══╝ ████╔╝██║██║███╗██║██║╚██╗██║ | |||
██║ ██║██║ ╚████║██║ ██║██║ ╚██████╔╝╚███╔███╔╝██║ ╚████║ | |||
╚═╝ ╚═╝╚═╝ ╚═══╝╚═╝ ╚═╝╚═╝ ╚═════╝ ╚══╝╚══╝ ╚═╝ ╚═══╝</nowiki> | |||
<div class="toccolours mw-collapsible mw-collapsed" style="border-color: lightgrey; background-color: white; overflow:auto;"> | <div class="toccolours mw-collapsible mw-collapsed" style="border-color: lightgrey; background-color: white; overflow:auto;"> | ||
| Line 10: | Line 12: | ||
<div class="mw-collapsible-content"> | <div class="mw-collapsible-content"> | ||
__TOC__ | __TOC__ | ||
</div> | </div> | ||
</div> | </div> | ||
< | <h1>Summary</h1> | ||
<p style="text-align: justify">HNAP0wn is a graphical tool that allows us to find devices that use the Home Network Administration Protocol (HNAP) <b>([[File:HNAP Protocol.pdf]])</b>, collect information about them, and inject commands. These instructions will get you a copy of the project up and running on your local machine for development and testing purposes. See [[#Requirements |deployment]] for notes on how to deploy the project on a live system.</p> | <p style="text-align: justify">HNAP0wn is a graphical tool that allows us to find devices that use the Home Network Administration Protocol (HNAP) <b>([[File:HNAP Protocol.pdf]])</b>, collect information about them, and inject commands. These instructions will get you a copy of the project up and running on your local machine for development and testing purposes. See [[#Requirements |deployment]] for notes on how to deploy the project on a live system.</p> | ||
< | <h1>Home Network Administration Protocol (HNAP)</h1> | ||
<p style="text-align: justify">HNAP is a network device management protocol that allows network devices to be silently managed and administered. HNAP is based on SOAP. HNAP was designed to be a simple, lightweight protocol that is easy to implement inside of small cost-constrained hardware such as the devices used in this examination. Cisco promised three high-level benefits to vendors for implementing HNAP in a network device <sup>[https://www.cisco.com/web/partners/downloads/guest/hnap_protocol_whitepaper.pdf]</sup>:</p> | <p style="text-align: justify">HNAP is a network device management protocol that allows network devices to be silently managed and administered. HNAP is based on SOAP. HNAP was designed to be a simple, lightweight protocol that is easy to implement inside of small cost-constrained hardware such as the devices used in this examination. Cisco promised three high-level benefits to vendors for implementing HNAP in a network device <sup>[https://www.cisco.com/web/partners/downloads/guest/hnap_protocol_whitepaper.pdf]</sup>:</p> | ||
<ol> | <ol> | ||
<li><u>Accurate topology discovery</u>: A network device can accurately describe itself to applications that support HNAP and show detailed information about the device.</li> | |||
<li><u>Custom task extensibility</u>: For example, when a device with HNAP support is selected in an application, tasks related to that device can be displayed.</li> | |||
<li><u>Programmable API</u>: The fully programmable API suite allows devices’ network connections to be remotely managed and administered.</li> | |||
</ol> | </ol> | ||
<p style="text-align: justify">The participants in any HNAP interaction define the two roles – an HNAP server and an HNAP client. HNAP servers are typically implemented inside of networking devices to be managed. HNAP clients are usually software applications residing on PCs or other devices that can interact with an HNAP server in order to manage it, and ultimately, the device. <sup>[https://www.cisco.com/web/partners/downloads/guest/hnap_protocol_whitepaper.pdf]</sup> A typical client-server interaction begins when a client has discovered an HNAP server on a network. It issues an HNAP discovery command in order to determine the capabilities of the device. A client then proceeds to make one or more HNAP requests to the server, which performs the desired action and returns the response.</p> | <p style="text-align: justify">The participants in any HNAP interaction define the two roles – an HNAP server and an HNAP client. HNAP servers are typically implemented inside of networking devices to be managed. HNAP clients are usually software applications residing on PCs or other devices that can interact with an HNAP server in order to manage it, and ultimately, the device. <sup>[https://www.cisco.com/web/partners/downloads/guest/hnap_protocol_whitepaper.pdf]</sup> A typical client-server interaction begins when a client has discovered an HNAP server on a network. It issues an HNAP discovery command in order to determine the capabilities of the device. A client then proceeds to make one or more HNAP requests to the server, which performs the desired action and returns the response.</p> | ||
| Line 32: | Line 33: | ||
<div class="mw-collapsible-content"> | <div class="mw-collapsible-content"> | ||
<div style="font-size: 10px !important"> | <div style="font-size: 10px !important"> | ||
<nowiki> | |||
<?xml version="1.0" encoding="UTF-8"?> | <?xml version="1.0" encoding="UTF-8"?> | ||
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"> | <soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"> | ||
<soap:Body> | |||
<GetDeviceSettingsResponse xmlns="http://purenetworks.com/HNAP1/"> | |||
<GetDeviceSettingsResult>OK</GetDeviceSettingsResult> | |||
<Type>ConnectedHomeClient</Type> | |||
<DeviceName>MotionSensorDLink</DeviceName> | |||
<VendorName>D-Link</VendorName> | |||
<ModelDescription>D-Link Motion Detector</ModelDescription> | |||
<ModelName>DCH-S150</ModelName> | |||
<DeviceMacId>C4:12:F5:1C:8E:4C</DeviceMacId> | |||
<FirmwareVersion>1.23</FirmwareVersion> | |||
<FirmwareRegion>Default</FirmwareRegion> | |||
<LatestFirmwareVersion/> | |||
<HardwareVersion>A1</HardwareVersion> | |||
<HNAPVersion>0124</HNAPVersion> | |||
<PresentationURL>http://dch.local</PresentationURL> | |||
<CAPTCHA></nowiki><b style="color: lightblue">false</b><nowiki></CAPTCHA> | |||
<ModuleTypes> | |||
<string>Motion Sensor</string> | |||
</ModuleTypes> | |||
<SOAPActions> | |||
<string>http://purenetworks.com/HNAP1/Reboot</string> | |||
<string>http://purenetworks.com/HNAP1/SetFactoryDefault</string> | |||
<string>http://purenetworks.com/HNAP1/IsDeviceReady</string> | |||
<string>http://purenetworks.com/HNAP1/GetDeviceSettings</string> | |||
<string>http://purenetworks.com/HNAP1/SetDeviceSettings</string> | |||
<string>http://purenetworks.com/HNAP1/GetDeviceSettings2</string> | |||
<string>http://purenetworks.com/HNAP1/SetDeviceSettings2</string> | |||
<string>http://purenetworks.com/HNAP1/GetGroupSettings</string> | |||
<string>http://purenetworks.com/HNAP1/SetGroupSettings</string> | |||
<string>http://purenetworks.com/HNAP1/GetSystemLogs</string> | |||
<string>http://purenetworks.com/HNAP1/CleanSystemLogs</string> | |||
<string>http://purenetworks.com/HNAP1/GetModuleSchedule</string> | |||
<string>http://purenetworks.com/HNAP1/SetModuleSchedule</string> | |||
<string>http://purenetworks.com/HNAP1/GetModuleEnabled</string> | |||
<string>http://purenetworks.com/HNAP1/SetModuleEnabled</string> | |||
<string>http://purenetworks.com/HNAP1/GetModuleProfile</string> | |||
<string>http://purenetworks.com/HNAP1/SetModuleProfile</string> | |||
<string>http://purenetworks.com/HNAP1/GetModuleSOAPActions</string> | |||
<string>http://purenetworks.com/HNAP1/GetTimeSettings</string> | |||
<string>http://purenetworks.com/HNAP1/SetTimeSettings</string> | |||
<string>http://purenetworks.com/HNAP1/GetModuleGroup</string> | |||
<string>http://purenetworks.com/HNAP1/SetModuleGroup</string> | |||
<string>http://purenetworks.com/HNAP1/GetScheduleSettings</string> | |||
<string>http://purenetworks.com/HNAP1/SetScheduleSettings</string> | |||
<string>http://purenetworks.com/HNAP1/GetRecursiveSchedule</string> | |||
<string>http://purenetworks.com/HNAP1/SetRecursiveSchedule</string> | |||
<string>http://purenetworks.com/HNAP1/GetFirmwareStatus</string> | |||
<string>http://purenetworks.com/HNAP1/GetFirmwareValidation</string> | |||
<string>http://purenetworks.com/HNAP1/StartFirmwareDownload</string> | |||
<string>http://purenetworks.com/HNAP1/PollingFirmwareDownload</string> | |||
<string>http://purenetworks.com/HNAP1/CheckNewFirmware</string> | |||
<string>http://purenetworks.com/HNAP1/SettriggerADIC</string> | |||
<string>http://purenetworks.com/HNAP1/GetInternetSettings</string> | |||
<string>http://purenetworks.com/HNAP1/GetCurrentInternetStatus</string> | |||
<string>http://purenetworks.com/HNAP1/GetWLanRadios</string> | |||
<string>http://purenetworks.com/HNAP1/SetTriggerWirelessSiteSurvey</string> | |||
<string>http://purenetworks.com/HNAP1/GetSiteSurvey</string> | |||
<string>http://purenetworks.com/HNAP1/SetAPClientSettings</string> | |||
<string>http://purenetworks.com/HNAP1/GetAPClientSettings</string> | |||
</SOAPActions> | |||
<SubDeviceURLs/> | |||
</GetDeviceSettingsResponse> | |||
</soap:Body> | |||
</soap:Envelope> | </soap:Envelope> | ||
</ | </nowiki> | ||
</div> | </div> | ||
</div> | </div> | ||
</div> | </div> | ||
< | <h1>Requirements</h1> | ||
* PHP 5 Server or newer | * PHP 5 Server or newer | ||
* ECMAScript 6 [[#Compatible Browsers|Compatible Browser]] | * ECMAScript 6 [[#Compatible Browsers|Compatible Browser]] | ||
* Optional: Nmap | * Optional: Nmap | ||
< | <h1>Deployment</h1> | ||
Get your copy from [[#GitLab|GitLab]]. Start the local PHP server using the <i>run.sh</i> script and open this link in browser: http://127.0.0.1:8080 | Get your copy from [[#GitLab|GitLab]]. Start the local PHP server using the <i>run.sh</i> script and open this link in browser: http://127.0.0.1:8080 | ||
sudo bash HNAP0wn/run.sh | |||
<div style="border: 1px solid #31708f; background-color: #d9edf7; color: #31708f; padding: 5px 10px; margin-bottom: 5px; text-align: justify"><b>Note</b>: Port 8080 may differ if already in use. Check run.sh stdout to get the assigned port.</div> | <div style="border: 1px solid #31708f; background-color: #d9edf7; color: #31708f; padding: 5px 10px; margin-bottom: 5px; text-align: justify"><b>Note</b>: Port 8080 may differ if already in use. Check run.sh stdout to get the assigned port.</div> | ||
< | <h1>Usage</h1> | ||
[[file:HNAP0wn.png|400px|right|thumb|Example Usage]] | [[file:HNAP0wn.png|400px|right|thumb|Example Usage]] | ||
< | <h2>Scan Network</h2> | ||
<p style="text-align: justify">Executes an underlying Nmap scan and displays HNAP enabled hosts together with additional information.</p> | <p style="text-align: justify">Executes an underlying Nmap scan and displays HNAP enabled hosts together with additional information.</p> | ||
* Located in the Sidebar. (<i>Green</i>) | * Located in the Sidebar. (<i>Green</i>) | ||
* Provides different Scan modes. (<code>Fast</code>, <code>Slow</code>, <code>Custom</code>) | * Provides different Scan modes. (<code>Fast</code>, <code>Slow</code>, <code>Custom</code>) | ||
<b> | <div style="border: 1px solid #31708f; background-color: #d9edf7; color: #31708f; padding: 5px 10px; margin-bottom: 5px; text-align: justify; width: calc( 100% - 450px )"><b>Note</b>: The <code>Custom</code> scan mode gives the possibility to define Nmap parameters.</div> | ||
<hr> | |||
< | <h2>Target Device</h2> | ||
<p style="text-align: justify">Gather information about a HNAP enabled device.</p> | <p style="text-align: justify">Gather information about a HNAP enabled device.</p> | ||
* Located in the Sidebar. (<i>Green</i>) | * Located in the Sidebar. (<i>Green</i>) | ||
* Provides an input field for the target IP address | * Provides an input field for the target IP address | ||
* Provides two modes. (<code>Get Device Settings</code>, <code>Brute Force Password</code>) | * Provides two modes. (<code>Get Device Settings</code>, <code>Brute Force Password</code>) | ||
<b> | <div style="border: 1px solid #31708f; background-color: #d9edf7; color: #31708f; padding: 5px 10px; margin-bottom: 5px; text-align: justify"><b>Note</b>: <code>Target IP</code> address needs to be set! No <code>Password</code> nor <code>Username</code> needed at this point.</div> | ||
< | <h3>Get Device Settings</h3> | ||
<p style="text-align: justify">Displays device information gathered via <code><nowiki>http://$IP/HNAP1/</nowiki></code> and extends the sidebar by all supported HNAP actions available executables for the target device.</p> | <p style="text-align: justify">Displays device information gathered via <code><nowiki>http://$IP/HNAP1/</nowiki></code> and extends the sidebar by all supported HNAP actions available executables for the target device.</p> | ||
< | <h3>Brute Force Password</h3> | ||
<p style="text-align: justify">Tries all numeric combinations from <code>000000</code> to <code>999999</code> until a HNAP login was succesfull.</p> | <p style="text-align: justify">Tries all numeric combinations from <code>000000</code> to <code>999999</code> until a HNAP login was succesfull.</p> | ||
< | <div style="border: 1px solid #31708f; background-color: #d9edf7; color: #31708f; padding: 5px 10px; margin-bottom: 5px; text-align: justify"><b>Note</b>: The Username <code>Admin</code> and Password <code>000000</code> is used to initialize if none was set manually.</div> | ||
< | <div style="border: 1px solid #31708f; background-color: #d9edf7; color: #31708f; padding: 5px 10px; margin-bottom: 5px; text-align: justify"><b>Note</b>: The keyspace of <code>^[0-9]{6}$</code> is adapted for use with [[Examination_of_mydlink™_home_devices|mydlink™ home devices]].</div> | ||
<hr> | |||
< | <h2>Exploit</h2> | ||
<p style="text-align: justify">Area to define <code>Username</code> and <code>Password</code>. These credentials are used to inject HNAP Actions discovered via <code>Get Device Settings</code>.</p> | <p style="text-align: justify">Area to define <code>Username</code> and <code>Password</code>. These credentials are used to inject HNAP Actions discovered via <code>Get Device Settings</code>.</p> | ||
* Located in the Sidebar. (<i>Green</i>) | * Located in the Sidebar. (<i>Green</i>) | ||
* Provides an input field for the <code>Username</code> and <code>Password</code>. | * Provides an input field for the <code>Username</code> and <code>Password</code>. | ||
< | <div style="border: 1px solid #31708f; background-color: #d9edf7; color: #31708f; padding: 5px 10px; margin-bottom: 5px; text-align: justify"><b>Note</b>: If <code>Brute Force Password</code> was previously run with success, then <code>Username</code> and <code>Password</code> are already set.</div> | ||
< | <h3>HNAP Actions</h3> | ||
<p style="text-align: justify">Loaded after successfully executing <code>Get Device Settings</code>. Grouped into different groups. (<code>Method</code>, <code>Getter</code>, <code>Setter</code>, <code>Getter & Setter</code>)</p> | <p style="text-align: justify">Loaded after successfully executing <code>Get Device Settings</code>. Grouped into different groups. (<code>Method</code>, <code>Getter</code>, <code>Setter</code>, <code>Getter & Setter</code>)</p> | ||
* Loaded at the bottom of the Sidebar. (<i>Green</i>) | * Loaded at the bottom of the Sidebar. (<i>Green</i>) | ||
* Provides a button for every available action. | * Provides a button for every available action. | ||
<b> | <div style="border: 1px solid #31708f; background-color: #d9edf7; color: #31708f; padding: 5px 10px; margin-bottom: 5px; text-align: justify"><b>Note</b>: Non-working HNAP actions may need a more complex SOAP action syntax, which could not be generated dynamically. In these cases use the <code>Custom</code> mode. Information about the correct syntax may be found here: [[File:HNAP Protocol.pdf]]</div> | ||
< | <h3>Simple</h3> | ||
Simple actions executed once clicked on the according button in the sidebar. Results are displayed in the main container. (<i>Grey</i>) | Simple actions executed once clicked on the according button in the sidebar. Results are displayed in the main container. (<i>Grey</i>) | ||
Simple actions span over the following the groups: <code>Method</code>, <code>Getter</code>, <code>Setter</code> | Simple actions span over the following the groups: <code>Method</code>, <code>Getter</code>, <code>Setter</code> | ||
<b> | <div style="border: 1px solid #31708f; background-color: #d9edf7; color: #31708f; padding: 5px 10px; margin-bottom: 5px; text-align: justify"><b>Note</b>: <code>Reboot</code> and <code>SetFactoryDefaults</code> require confirmation.</div> | ||
< | <h3>Getter / Setter</h3> | ||
When executing this kind of action, the <code>Getter</code> action is executed on click, while the resulting table gives the possibility to change its values and send the update via the matching <code>Setter</code> action. | When executing this kind of action, the <code>Getter</code> action is executed on click, while the resulting table gives the possibility to change its values and send the update via the matching <code>Setter</code> action. | ||
<b> | <div style="border: 1px solid #31708f; background-color: #d9edf7; color: #31708f; padding: 5px 10px; margin-bottom: 5px; text-align: justify"><b>Note</b>: The result of a <code>Getter</code> is considered as a template to use it with its <code>Setter</code>.</div> | ||
< | <h3>Custom</h3> | ||
More complex HNAP actions can be executed here. Set HNAP action and parameters manually. | More complex HNAP actions can be executed here. Set HNAP action and parameters manually. | ||
<b> | <div style="border: 1px solid #31708f; background-color: #d9edf7; color: #31708f; padding: 5px 10px; margin-bottom: 5px; text-align: justify"><b>Note</b>: For advanced users experienced with the HNAP xmlns.</div> | ||
< | <hr> | ||
<h2>Terminal</h2> | |||
Terminal emulation. Commands are executed by the local PHP server as sudoer and results are returned. | Terminal emulation. Commands are executed by the local PHP server as sudoer and results are returned. | ||
* Located at the bottom. (<i>Black</i>) | * Located at the bottom. (<i>Black</i>) | ||
| Line 178: | Line 185: | ||
* Arrow up and down to navigate through the history. | * Arrow up and down to navigate through the history. | ||
<b> | <div style="border: 1px solid #31708f; background-color: #d9edf7; color: #31708f; padding: 5px 10px; margin-bottom: 5px; text-align: justify"><b>Note</b>: Use deterministic commands only. Timeout after 30s execution time.</div> | ||
< | <h1>Additional Information</h1> | ||
< | <h2>GitLab</h2> | ||
* https://git.fh-campuswien.ac.at/JPDoe/hnap0wn | * https://git.fh-campuswien.ac.at/JPDoe/hnap0wn | ||
< | <h2>Demo</h2> | ||
<div class="toccolours mw-collapsible mw-collapsed" style="border-color: #eaecf0; background-color: white; calc(100% - 12px); overflow:auto;"> | <div class="toccolours mw-collapsible mw-collapsed" style="border-color: #eaecf0; background-color: white; calc(100% - 12px); overflow:auto;"> | ||
<div style="line-height:1.6;">ⓘ <b>Part 1</b>: Structure and Implementation</div> | <div style="line-height:1.6;">ⓘ <b>Part 1</b>: Structure and Implementation</div> | ||
| Line 190: | Line 197: | ||
<div style="font-size: 12px !important"> | <div style="font-size: 12px !important"> | ||
[[File:HNAP0wn Structure and Execution.mp4|1080px]] | [[File:HNAP0wn Structure and Execution.mp4|1080px]] | ||
<div style="border: 1px solid #31708f; background-color: #d9edf7; color: #31708f; padding: 5px 10px; margin-bottom: 5px; text-align: justify"><b>Note</b>: The folders /mov, /bak, /cap are not present when cloning the code from the HNAP0wn GitLab master branch.</div> | <div style="border: 1px solid #31708f; background-color: #d9edf7; color: #31708f; padding: 5px 10px; margin-bottom: 5px; text-align: justify"><b>Note</b>: The folders /mov, /bak, /cap are not present when cloning the code from the HNAP0wn GitLab master branch.</div> | ||
<div style="border: 1px solid #31708f; background-color: #d9edf7; color: #31708f; padding: 5px 10px; margin-bottom: 5px; text-align: justify"><b>Note</b>: Port 8080 may differ if already in use. Check run.sh stdout to get the assigned port.</div> | <div style="border: 1px solid #31708f; background-color: #d9edf7; color: #31708f; padding: 5px 10px; margin-bottom: 5px; text-align: justify"><b>Note</b>: Port 8080 may differ if already in use. Check run.sh stdout to get the assigned port.</div> | ||
<div style="background-color: #fcf8e3; border: 1px solid #8a6d3b; color: #8a6d3b; padding: 5px 10px; margin-bottom: 5px"><b>Warning</b>: Running the Terminal application as root is dangerous.</div> | <div style="background-color: #fcf8e3; border: 1px solid #8a6d3b; color: #8a6d3b; padding: 5px 10px; margin-bottom: 5px"><b>Warning</b>: Running the Terminal application as root is dangerous.</div> | ||
| Line 212: | Line 219: | ||
<div style="font-size: 12px !important"> | <div style="font-size: 12px !important"> | ||
[[File:HNAP0wn Terminal Interface.mp4|1080px]] | [[File:HNAP0wn Terminal Interface.mp4|1080px]] | ||
<div style="border: 1px solid #31708f; background-color: #d9edf7; color: #31708f; padding: 5px 10px; margin-bottom: 5px; text-align: justify"><b>Note</b>: The commands are executed by the local PHP server.</div> | <div style="border: 1px solid #31708f; background-color: #d9edf7; color: #31708f; padding: 5px 10px; margin-bottom: 5px; text-align: justify"><b>Note</b>: The commands are executed by the local PHP server.</div> | ||
</div> | </div> | ||
</div> | </div> | ||
| Line 254: | Line 261: | ||
<div style="font-size: 12px !important"> | <div style="font-size: 12px !important"> | ||
[[File:HNAP0wn Automated Method Injection.mp4|1080px]] | [[File:HNAP0wn Automated Method Injection.mp4|1080px]] | ||
</div> | </div> | ||
</div> | </div> | ||
| Line 264: | Line 270: | ||
<div style="font-size: 12px !important"> | <div style="font-size: 12px !important"> | ||
[[File:HNAP0wn Manual Method Injection.mp4|1080px]] | [[File:HNAP0wn Manual Method Injection.mp4|1080px]] | ||
</div> | </div> | ||
</div> | </div> | ||
| Line 274: | Line 279: | ||
<div style="font-size: 12px !important"> | <div style="font-size: 12px !important"> | ||
[[File:HNAP0wn HNAP Client.mp4|1080px]] | [[File:HNAP0wn HNAP Client.mp4|1080px]] | ||
</div> | </div> | ||
</div> | </div> | ||
| Line 281: | Line 285: | ||
<div style="border: 1px solid #31708f; background-color: #d9edf7; color: #31708f; padding: 5px 10px; margin-bottom: 5px; text-align: justify"><b>Note</b>: Video quality and speed are adapted to apply to the maximum upload size restrictions..</div> | <div style="border: 1px solid #31708f; background-color: #d9edf7; color: #31708f; padding: 5px 10px; margin-bottom: 5px; text-align: justify"><b>Note</b>: Video quality and speed are adapted to apply to the maximum upload size restrictions..</div> | ||
< | <h2>License</h2> | ||
This project is licensed under the MIT License. | This project is licensed under the MIT License. | ||
< | <h2>Compatible Browsers</h2> | ||
* Chrome: ≥58 | * Chrome: ≥58 | ||
* Edge: ≥14 | * Edge: ≥14 | ||
* Firefox: ≥54 | * Firefox: ≥54 | ||
* Safari: ≥10 | * Safari: ≥10 | ||
* Opera: ≥55 | * Opera: ≥55 | ||
< | <h2>Development Environment</h2> | ||
< | <h3>Localhost</h3> | ||
* MacOS Mojave 10.14.4 (18E226) | * MacOS Mojave 10.14.4 (18E226) | ||
* Darwin Kernel 18.5.0 x86_64 | * Darwin Kernel 18.5.0 x86_64 | ||
| Line 299: | Line 303: | ||
* Nmap 7.70 | * Nmap 7.70 | ||
< | <h3>Tested devices</h3> | ||
<ul> | <ul> | ||
<li>[[D-LINK® DCH-G020 Gateway Connected Home Hub|D-Link® DCH-G020 Gateway Connected Home Hub]]</li> | |||
<li>[[D-Link® DCH-S150 Home Wi-Fi Motion Sensor, Bewegungssensor|D-Link® DCH-S150 Home Wi-Fi Motion Sensor]]</li> | |||
</ul> | </ul> | ||
< | <h1>Related Articles</h1> | ||
<ul> | <ul> | ||
<li>[[Examination_of_mydlink™_home_devices|Examination of mydlink™ home devices]]</li> | |||
</ul> | </ul> | ||
</div> | |||
[[Category:Documentation]] | [[Category:Documentation]] | ||
Latest revision as of 15:12, 19 June 2020
██╗ ██╗███╗ ██╗ █████╗ ██████╗ ██████╗ ██╗ ██╗███╗ ██╗ ██║ ██║████╗ ██║██╔══██╗██╔══██╗██╔═████╗██║ ██║████╗ ██║ ███████║██╔██╗ ██║███████║██████╔╝██║██╔██║██║ █╗ ██║██╔██╗ ██║ ██╔══██║██║╚██╗██║██╔══██║██╔═══╝ ████╔╝██║██║███╗██║██║╚██╗██║ ██║ ██║██║ ╚████║██║ ██║██║ ╚██████╔╝╚███╔███╔╝██║ ╚████║ ╚═╝ ╚═╝╚═╝ ╚═══╝╚═╝ ╚═╝╚═╝ ╚═════╝ ╚══╝╚══╝ ╚═╝ ╚═══╝
ⓘ Table of Contents
Summary
HNAP0wn is a graphical tool that allows us to find devices that use the Home Network Administration Protocol (HNAP) (File:HNAP Protocol.pdf), collect information about them, and inject commands. These instructions will get you a copy of the project up and running on your local machine for development and testing purposes. See deployment for notes on how to deploy the project on a live system.
Home Network Administration Protocol (HNAP)
HNAP is a network device management protocol that allows network devices to be silently managed and administered. HNAP is based on SOAP. HNAP was designed to be a simple, lightweight protocol that is easy to implement inside of small cost-constrained hardware such as the devices used in this examination. Cisco promised three high-level benefits to vendors for implementing HNAP in a network device [1]:
- Accurate topology discovery: A network device can accurately describe itself to applications that support HNAP and show detailed information about the device.
- Custom task extensibility: For example, when a device with HNAP support is selected in an application, tasks related to that device can be displayed.
- Programmable API: The fully programmable API suite allows devices’ network connections to be remotely managed and administered.
The participants in any HNAP interaction define the two roles – an HNAP server and an HNAP client. HNAP servers are typically implemented inside of networking devices to be managed. HNAP clients are usually software applications residing on PCs or other devices that can interact with an HNAP server in order to manage it, and ultimately, the device. [2] A typical client-server interaction begins when a client has discovered an HNAP server on a network. It issues an HNAP discovery command in order to determine the capabilities of the device. A client then proceeds to make one or more HNAP requests to the server, which performs the desired action and returns the response.
One can simply query all supported HNAP actions from a device by requesting the URL http://$DEVICE_IP/HNAP1/ from a web client. Since HNAP is encapsulated in HTTP, it is also the best way to determine if a device is HNAP-enabled since such devices need to reply to this request. In case of the DCH-S150 Motion Sensor the output of that link is listed below. There may be more or less SOAPactions available depending on the devices' configuration.
ⓘ http://DCH-S150/HNAP1/
<?xml version="1.0" encoding="UTF-8"?> <soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"> <soap:Body> <GetDeviceSettingsResponse xmlns="http://purenetworks.com/HNAP1/"> <GetDeviceSettingsResult>OK</GetDeviceSettingsResult> <Type>ConnectedHomeClient</Type> <DeviceName>MotionSensorDLink</DeviceName> <VendorName>D-Link</VendorName> <ModelDescription>D-Link Motion Detector</ModelDescription> <ModelName>DCH-S150</ModelName> <DeviceMacId>C4:12:F5:1C:8E:4C</DeviceMacId> <FirmwareVersion>1.23</FirmwareVersion> <FirmwareRegion>Default</FirmwareRegion> <LatestFirmwareVersion/> <HardwareVersion>A1</HardwareVersion> <HNAPVersion>0124</HNAPVersion> <PresentationURL>http://dch.local</PresentationURL> <CAPTCHA>false</CAPTCHA> <ModuleTypes> <string>Motion Sensor</string> </ModuleTypes> <SOAPActions> <string>http://purenetworks.com/HNAP1/Reboot</string> <string>http://purenetworks.com/HNAP1/SetFactoryDefault</string> <string>http://purenetworks.com/HNAP1/IsDeviceReady</string> <string>http://purenetworks.com/HNAP1/GetDeviceSettings</string> <string>http://purenetworks.com/HNAP1/SetDeviceSettings</string> <string>http://purenetworks.com/HNAP1/GetDeviceSettings2</string> <string>http://purenetworks.com/HNAP1/SetDeviceSettings2</string> <string>http://purenetworks.com/HNAP1/GetGroupSettings</string> <string>http://purenetworks.com/HNAP1/SetGroupSettings</string> <string>http://purenetworks.com/HNAP1/GetSystemLogs</string> <string>http://purenetworks.com/HNAP1/CleanSystemLogs</string> <string>http://purenetworks.com/HNAP1/GetModuleSchedule</string> <string>http://purenetworks.com/HNAP1/SetModuleSchedule</string> <string>http://purenetworks.com/HNAP1/GetModuleEnabled</string> <string>http://purenetworks.com/HNAP1/SetModuleEnabled</string> <string>http://purenetworks.com/HNAP1/GetModuleProfile</string> <string>http://purenetworks.com/HNAP1/SetModuleProfile</string> <string>http://purenetworks.com/HNAP1/GetModuleSOAPActions</string> <string>http://purenetworks.com/HNAP1/GetTimeSettings</string> <string>http://purenetworks.com/HNAP1/SetTimeSettings</string> <string>http://purenetworks.com/HNAP1/GetModuleGroup</string> <string>http://purenetworks.com/HNAP1/SetModuleGroup</string> <string>http://purenetworks.com/HNAP1/GetScheduleSettings</string> <string>http://purenetworks.com/HNAP1/SetScheduleSettings</string> <string>http://purenetworks.com/HNAP1/GetRecursiveSchedule</string> <string>http://purenetworks.com/HNAP1/SetRecursiveSchedule</string> <string>http://purenetworks.com/HNAP1/GetFirmwareStatus</string> <string>http://purenetworks.com/HNAP1/GetFirmwareValidation</string> <string>http://purenetworks.com/HNAP1/StartFirmwareDownload</string> <string>http://purenetworks.com/HNAP1/PollingFirmwareDownload</string> <string>http://purenetworks.com/HNAP1/CheckNewFirmware</string> <string>http://purenetworks.com/HNAP1/SettriggerADIC</string> <string>http://purenetworks.com/HNAP1/GetInternetSettings</string> <string>http://purenetworks.com/HNAP1/GetCurrentInternetStatus</string> <string>http://purenetworks.com/HNAP1/GetWLanRadios</string> <string>http://purenetworks.com/HNAP1/SetTriggerWirelessSiteSurvey</string> <string>http://purenetworks.com/HNAP1/GetSiteSurvey</string> <string>http://purenetworks.com/HNAP1/SetAPClientSettings</string> <string>http://purenetworks.com/HNAP1/GetAPClientSettings</string> </SOAPActions> <SubDeviceURLs/> </GetDeviceSettingsResponse> </soap:Body> </soap:Envelope>
Requirements
- PHP 5 Server or newer
- ECMAScript 6 Compatible Browser
- Optional: Nmap
Deployment
Get your copy from GitLab. Start the local PHP server using the run.sh script and open this link in browser: http://127.0.0.1:8080
sudo bash HNAP0wn/run.sh
Note: Port 8080 may differ if already in use. Check run.sh stdout to get the assigned port.
Usage
Scan Network
Executes an underlying Nmap scan and displays HNAP enabled hosts together with additional information.
- Located in the Sidebar. (Green)
- Provides different Scan modes. (
Fast,Slow,Custom)
Note: The
Custom scan mode gives the possibility to define Nmap parameters.Target Device
Gather information about a HNAP enabled device.
- Located in the Sidebar. (Green)
- Provides an input field for the target IP address
- Provides two modes. (
Get Device Settings,Brute Force Password)
Note:
Target IP address needs to be set! No Password nor Username needed at this point.Get Device Settings
Displays device information gathered via http://$IP/HNAP1/ and extends the sidebar by all supported HNAP actions available executables for the target device.
Brute Force Password
Tries all numeric combinations from 000000 to 999999 until a HNAP login was succesfull.
Note: The Username
Admin and Password 000000 is used to initialize if none was set manually.Note: The keyspace of
^[0-9]{6}$ is adapted for use with mydlink™ home devices.Exploit
Area to define Username and Password. These credentials are used to inject HNAP Actions discovered via Get Device Settings.
- Located in the Sidebar. (Green)
- Provides an input field for the
UsernameandPassword.
Note: If
Brute Force Password was previously run with success, then Username and Password are already set.HNAP Actions
Loaded after successfully executing Get Device Settings. Grouped into different groups. (Method, Getter, Setter, Getter & Setter)
- Loaded at the bottom of the Sidebar. (Green)
- Provides a button for every available action.
Note: Non-working HNAP actions may need a more complex SOAP action syntax, which could not be generated dynamically. In these cases use the
Custom mode. Information about the correct syntax may be found here: File:HNAP Protocol.pdfSimple
Simple actions executed once clicked on the according button in the sidebar. Results are displayed in the main container. (Grey)
Simple actions span over the following the groups: Method, Getter, Setter
Note:
Reboot and SetFactoryDefaults require confirmation.Getter / Setter
When executing this kind of action, the Getter action is executed on click, while the resulting table gives the possibility to change its values and send the update via the matching Setter action.
Note: The result of a
Getter is considered as a template to use it with its Setter.Custom
More complex HNAP actions can be executed here. Set HNAP action and parameters manually.
Note: For advanced users experienced with the HNAP xmlns.
Terminal
Terminal emulation. Commands are executed by the local PHP server as sudoer and results are returned.
- Located at the bottom. (Black)
- Locally catched commands:
history,clear,!^[0-9]$ - Arrow up and down to navigate through the history.
Note: Use deterministic commands only. Timeout after 30s execution time.
Additional Information
GitLab
Demo
ⓘ Part 1: Structure and Implementation
Note: The folders /mov, /bak, /cap are not present when cloning the code from the HNAP0wn GitLab master branch.
Note: Port 8080 may differ if already in use. Check run.sh stdout to get the assigned port.
Warning: Running the Terminal application as root is dangerous.
ⓘ Part 2: Web Interface
Note: The current version supports multiple scanning modes.
ⓘ Part 3: Terminal Interface
Note: The commands are executed by the local PHP server.
ⓘ Part 4: Network Scanning
Note: HNAP enabled devices are highlighted in the list of online devices.
Note: NMAP is needed. The local PHP server will execute the scan.
Note: The current version supports multiple scanning modes.
ⓘ Part 5: Get Device Settings
Note: Supported methods are dynamically loaded based on the GetDeviceSettings response.
ⓘ Part 6: Brute Force Password
Note: Only brute-forcing Pins between 000000 and 999999 are currently supported. Wordlists are easily addable!
ⓘ Part 7: Automated Method Injection
ⓘ Part 8: Manual Method Injection
ⓘ Part 9: HNAP Client
Note: Video quality and speed are adapted to apply to the maximum upload size restrictions..
License
This project is licensed under the MIT License.
Compatible Browsers
- Chrome: ≥58
- Edge: ≥14
- Firefox: ≥54
- Safari: ≥10
- Opera: ≥55
Development Environment
Localhost
- MacOS Mojave 10.14.4 (18E226)
- Darwin Kernel 18.5.0 x86_64
- Chrome 75.0.3770.142 (Official Build) (64-bit)
- PHP 7.1.23 Development Server
- Nmap 7.70