Which Restclient are you using?
`require': cannot load such file -- restclient (LoadError)
gem install restclient doesn't help

Ran PoC against a device I had lying around and it listed admin password, ssid, wpa key, model number, serial number, firmware version, and attached devices.

Model Number: WNR1000v2
Firmware: V1.0.1.1

Regards,
Jimi Sebree

Hello, I ran SOAPWNDR.rb against a Netgear DGND3700 v.1 N600 Wireless Dual Band Gigabit ADSL2+ Modem Router and the output was:

[!] Attempting to extract information from http://192.168.0.1:80/
[!] Failed to query remote host.

My NetGear WNDR3300 running Firmware V1.0.45 is vulnerable similar to my R6300 (#3) on the UPnP port (5000) using the path http://ROUTER-IP-ADDR:5000/soap/server_sa/.

I had UPnP enabled on my WNDR3300 and after turning it off it was no longer vulnerable as port 5000 was closed.
I never had UPnP enabled on my R6300 and even after enabling and disabling UPnP, port 5000 is still open and the router vulnerable.

Regards,
Robert Müller

Require: restclient - outdated
replace with restup

Hi,
Just tested this on WNR2200 and is working, default run - no special paramters.

[*] Model Number: wnr2200
[*] Firmware Version: V1.0.1.76

Best regards.

Hi!
as I did not find an option to send you an email I'll do it this way...
I have a WNDR4300 and your skript printed the correct wpa name/key, admin password, serial number and firmware version (1.0.1.60, latest).
I wrote to the netgear support with a link to this repository, maybe it works when many people open a ticket?

Thanks for finding this!
Ronny Lindner

Hi,

I own the router in the title, and I just tried the new metasploit module, and I was successful at pulling the credentials with this exploit.

It's vulnerable on port 80.

P.S. if you wish to give attribute (not necessary), my full name is Shelby Spencer

Hi Darkarnium

I was wondering if you could provide me some usage instructions for SOAPWNDR?

Thanks

Whilst running the PoC against my vulnerable WNDR3700v4 and WNR1000v2 routers, I noticed that the Admin Password reported wasn't always correct. My password happens to include an "&" ampersand character so I wonder if that is the issue?
For example setting the WNDR3700v4 admin password to "qwerty&123" the PoC code reports just "qwerty123". Or setting the admin password to "abcd&DEFG" the PoC reports just "abcd".
Regards,
Chris

Sending a post request with the header SOAPAction: urn:NETGEAR-ROUTER:service:LANConfigSecurity:1#GetInfo (using the Firefox HttpRequester add-on) to http://ROUTER-IP-ADDR:5000/soap/server_sa/ resulted in the server returning my device's password in cleartext.

My Router is a NetGear R6300v2 running Firmware V1.0.3.8_1.0.60.

Regards,
Robert Müller