Open WAN-to-LAN proxy on AT&T routers - Metasploit

This page contains detailed information about how to use the auxiliary/scanner/wproxy/att_open_proxy metasploit module. For list of all metasploit modules, visit the Metasploit Module Library.

Module Overview

---

Name: Open WAN-to-LAN proxy on AT&T routers
Module: auxiliary/scanner/wproxy/att_open_proxy
Source code: modules/auxiliary/scanner/wproxy/att_open_proxy.py
Disclosure date: 2017-08-31
Last modification time: 2022-01-23 15:28:32 +0000
Supported architecture(s): -
Supported platform(s): -
Target service / protocol: -
Target network port(s): 49152
List of CVEs: CVE-2017-14117

This module is also known as SharknAT&To or sharknatto.

The Arris NVG589 and NVG599 routers configured with AT&T U-verse firmware 9.2.2h0d83 expose an un-authenticated proxy that allows connecting from WAN to LAN by MAC address.

Module Ranking and Traits

---

Module Ranking:

• normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.

Basic Usage

---

This module is a scanner module, and is capable of testing against multiple hosts.

msf > use auxiliary/scanner/wproxy/att_open_proxy
msf auxiliary(att_open_proxy) > show options
    ... show and set options ...
msf auxiliary(att_open_proxy) > set RHOSTS ip-range
msf auxiliary(att_open_proxy) > exploit

Other examples of setting the RHOSTS option:

Example 1:

msf auxiliary(att_open_proxy) > set RHOSTS 192.168.1.3-192.168.1.200 

Example 2:

msf auxiliary(att_open_proxy) > set RHOSTS 192.168.1.1/24

Example 3:

msf auxiliary(att_open_proxy) > set RHOSTS file:/tmp/ip_list.txt

Required Options

---

• RHOSTS: The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'

• rhosts: The target address

Go back to menu.

Msfconsole Usage

---

Here is how the scanner/wproxy/att_open_proxy auxiliary module looks in the msfconsole:

msf6 > use auxiliary/scanner/wproxy/att_open_proxy

msf6 auxiliary(scanner/wproxy/att_open_proxy) > show info

       Name: Open WAN-to-LAN proxy on AT&T routers
     Module: auxiliary/scanner/wproxy/att_open_proxy
    License: Metasploit Framework License (BSD)
       Rank: Normal
  Disclosed: 2017-08-31

Provided by:
  Joseph HutchinsJon Hart <jon_hart[AT]rapid7.com>
  Adam Cammack <adam_cammack[AT]rapid7.com>

Check supported:
  No

Basic options:
  Name        Current Setting  Required  Description
  ----        ---------------  --------  -----------
  RHOSTS                       yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
  THREADS     1                yes       The number of concurrent threads (max one per host)
  batch_size  200              no        Number of hosts to run in each batch
  rhosts                       yes       The target address
  rport       49152            yes       The target port

Description:
  The Arris NVG589 and NVG599 routers configured with AT&T U-verse 
  firmware 9.2.2h0d83 expose an un-authenticated proxy that allows 
  connecting from WAN to LAN by MAC address.

References:
  https://nvd.nist.gov/vuln/detail/CVE-2017-14117
  https://www.nomotion.net/blog/sharknatto/
  https://blog.rapid7.com/2017/09/07/measuring-sharknat-to-exposures/#vulnerability5port49152tcpexposure

Also known as:
  SharknAT&To
  sharknatto

Module Options

---

This is a complete list of options available in the scanner/wproxy/att_open_proxy auxiliary module:

msf6 auxiliary(scanner/wproxy/att_open_proxy) > show options

Module options (auxiliary/scanner/wproxy/att_open_proxy):

   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   RHOSTS                       yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   THREADS     1                yes       The number of concurrent threads (max one per host)
   batch_size  200              no        Number of hosts to run in each batch
   rhosts                       yes       The target address
   rport       49152            yes       The target port

Advanced Options

---

Here is a complete list of advanced options supported by the scanner/wproxy/att_open_proxy auxiliary module:

msf6 auxiliary(scanner/wproxy/att_open_proxy) > show advanced

Module advanced options (auxiliary/scanner/wproxy/att_open_proxy):

   Name                 Current Setting  Required  Description
   ----                 ---------------  --------  -----------
   ShowProgress         true             yes       Display progress messages during a scan
   ShowProgressPercent  10               yes       The interval in percent that progress should be shown
   VERBOSE              false            no        Enable detailed status messages
   WORKSPACE                             no        Specify the workspace for this module

Auxiliary Actions

---

This is a list of all auxiliary actions that the scanner/wproxy/att_open_proxy module can do:

msf6 auxiliary(scanner/wproxy/att_open_proxy) > show actions

Auxiliary actions:

   Name  Description
   ----  -----------

Evasion Options

---

Here is the full list of possible evasion options supported by the scanner/wproxy/att_open_proxy auxiliary module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):

msf6 auxiliary(scanner/wproxy/att_open_proxy) > show evasion

Module evasion options:

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------

Go back to menu.

Related Pull Requests

---

• #10570 Merged Pull Request: AKA Metadata Refactor
• #9733 Merged Pull Request: Change External Module Type Names
• #9424 Merged Pull Request: Add SharknAT&To scanner

References

---

• CVE-2017-14117
• https://www.nomotion.net/blog/sharknatto/
• https://blog.rapid7.com/2017/09/07/measuring-sharknat-to-exposures/#vulnerability5port49152tcpexposure

See Also

---

Check also the following modules related to this module:

• auxiliary/parser/unattend
• auxiliary/scanner/http/open_proxy
• auxiliary/server/jsse_skiptls_mitm_proxy
• auxiliary/server/openssl_altchainsforgery_mitm_proxy
• auxiliary/server/socks_proxy
• exploit/multi/misc/weblogic_deserialize_badattr_extcomp
• exploit/multi/misc/weblogic_deserialize_badattrval
• exploit/unix/webapp/wp_holding_pattern_file_upload
• exploit/windows/browser/mozilla_attribchildremoved
• exploit/windows/fileformat/lattice_pac_bof
• exploit/windows/fileformat/realplayer_ver_attribute_bof
• exploit/windows/local/ppr_flatten_rec
• exploit/windows/misc/fb_isc_attach_database
• exploit/windows/misc/fb_svc_attach
• exploit/windows/misc/ib_isc_attach_database
• exploit/windows/misc/ib_svc_attach
• exploit/windows/pop3/seattlelab_pass
• exploit/windows/tftp/attftp_long_filename
• post/windows/gather/enum_unattend
• exploit/windows/proxy/qbik_wingate_wwwproxy
• exploit/linux/proxy/squid_ntlm_authenticate
• exploit/windows/proxy/bluecoat_winproxy_host
• exploit/windows/proxy/ccproxy_telnet_ping
• exploit/windows/proxy/proxypro_http_get
• auxiliary/scanner/etcd/open_key_scanner
• auxiliary/scanner/http/es_file_explorer_open_port
• auxiliary/scanner/http/openmind_messageos_login
• auxiliary/scanner/openvas/openvas_gsad_login
• auxiliary/scanner/openvas/openvas_omp_login
• auxiliary/scanner/openvas/openvas_otp_login
• auxiliary/scanner/ssl/openssl_ccs
• auxiliary/scanner/ssl/openssl_heartbleed
• auxiliary/scanner/x11/open_x11
• auxiliary/scanner/http/exchange_proxylogon
• auxiliary/scanner/http/rewrite_proxy_bypass

Authors

---

• Joseph HutchinsJon Hart <jon_hart[AT]rapid7.com>
• Adam Cammack <adam_cammack[AT]rapid7.com>

Version

---

This page has been produced using Metasploit Framework version 6.2.29-dev. For more modules, visit the Metasploit Module Library.

Go back to menu.