Security analysis of TP Link TL-WR841N router.
Github Pages version of this analysis can be found by following this link
- TP Link TL-WR841N router cybersecurity analysis
- Plan of Analysis
- Technical Information
- Written Exploits
The plan of TP Link TL-WR841N router cybersecurity analysis is as follows:
- Gather of technical and network information about the router.
- Intercept and analyze network traffic of the router.
- Find firmware and a list of software installed within the router.
- Check CVE lists for published known exploits found within the router's software and check their severity score.
- Investigate found exploits and try a practical exploitation of these vulnerabilities on a given TP Link TL-WR841N router (i.e. found or custom made scripts for exploiting a certain vulnerability) for getting a better understanding of potential risks that found vulnerabilities pose.
- Research the possible ways of mitigation for the given the risks.
- Give conclusions of the analysis.
- Research the possibility of using
OpenWRTas the router's firmware.
In this section I will present the technical and network information that I have gathered about tested TP Link TP-WR841N router. This section includes information about: 1. Finding open TCP ports. 2. Finding open UDP ports. 3. Detection of the Operating System (OS) within the TP Link TL-WR841M router. 4. Detection of the version of the OS that is running within the TP Link TL-WR841M router.
In this subsection of Technical information gathering section I am presenting the results of a port scan that I have done on the tested router. For all the further scans nmap tool was used.
As mentioned before, for finding open TCP ports and services that are running on top of them, nmap tool was used. The command for this specific scan was nmap -v -sS -sV -sC -p- X.X.X.X, where X.X.X.X is IP address of the TP Link router. Short description of every used flag is presented below:
-v Verbosity. Gives more information about what the scan is doing.
-sS Stealth scan. Fast, accurate and non-intrusive test of a selected target.
-sV Version scan. Used to detect versions of services running on specific open ports of IP Camera.
-sC Scripts scan. Uses a default set of most common `nmap` scripts.
-p- Check all 65535 TCP ports for if they are open.
Results of this scan are presented below:
PORT STATE SERVICE VERSION
22/tcp open ssh Dropbear sshd 2012.55 (protocol 2.0)
| ssh-hostkey:
| 1024 2d:20:4b:ed:24:f6:13:5d:32:af:44:88:35:5b:04:de (DSA)
|_ 1040 df:61:f7:f5:bc:aa:e6:9a:2d:6a:20:cc:98:38:68:38 (RSA)
80/tcp open http TP-LINK WR841N WAP http config
|_http-title: TL-WR841N
1900/tcp open upnp ipOS upnpd (TP-LINK TL-WR841N WAP 11.0; UPnP 1.0)
49152/tcp open http Huawei HG8245T modem http config
|_http-title: Site doesn't have a title.
Nmap scan found 4 TCP ports whose numbers are 22, 80, 1900 and 49152. Some details about each port are presented below:
- Port
22is a standart port forsshservice and on top of this port Dropbear sshd 2012.55 service is running. Also a couple of ssh hostkeys were discovered. - Port
80is a standardhttpport and is controlled by TP-LINK WR841N WAP http config software. - Port
1900is anupnpor universal plug and play port and is controlled by ipOS upnpd service. - Port
49152is a port for alternate http service and is controlled by Huawei HG8245T modem http config service. It looks like a different built-in module within the router for connecting to some kind of http services.
After finding TCP ports I have conducted a search for UDP ports. Same nmap tool was used, although this time -sU flag for UDP scan was used insead of TCP stealth scan (-sS). The full command for this scan was nmap -v -sU -sV X.X.X.X, where X.X.X.X is IP address for the TP Link router. Results for this scan are presented below:
PORT STATE SERVICE VERSION
53/udp open domain ISC BIND 9.10.3-P4 (Debian Linux)
| dns-nsid:
|_ bind.version: 9.10.3-P4-Debian
|_dns-recursion: Recursion appears to be enabled
67/udp open|filtered dhcps
1900/udp open|filtered upnp
Nmap scan found 3 open UDP ports with numbers 53, 67 and 1900. Some details about each port are presented below:
- Port
53has adomainservice controlled by ISC BIND 9.10.3-P4 and it is used for some DNS related stuff. Also DNS recursion seems to be enabled. Further reading needs to be done to fully understand what it is used for and what could potential risks of this service be. - Port
67is controlled bydhcpsor Dynamic Host Configuration Protocol service and could be used for automatic IP network configuration. - Port
1900is used forupnpor universal plug and play service, same as it's TCP counterpart.
To determine type and version of the OS installed within the TP Link router, nmap tool with -O flag was used. The full command was nmap -v -sS -sV -O X.X.X.X, where X.X.X.X is an IP address of TP Link router. The results of this scan are presented below:
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS deta Linux 2.6.17 - 2.6.36
The router is recognized as a general purpose device and it is running a Linux 2.6 operating system with likely version ranging from 2.6.17 to 2.6.36.
In this section I will present an in-depth analysis of couple exploits for TP LINK TL-WR841N router that I have found in exploit-db page. These exploits are:
I will start with Authentication Bypass Exploit and later go to analyze Command Injection Exploit.
This exploit, found on Exploit-db was written by BlackFog team at SecureLayer7.net. If the Referer Header is set as http://192.168.0.1/mainFrame.htm, then no authentication is needed for following commands. Although, this exploit did not work for my router.
For now I have tried to run the Python script found in the Exploit-db link but it did not work.
In this section I will analyze the Index page source code and linked encryption file javascript code files.
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent