Security analysis of a TP Link tl-wr841n router.
This project is maintained by KostasEreksonas
Security analysis of TP Link TL-WR841N router.
Github Pages version of this analysis can be found by following this link
The plan of TP Link TL-WR841N router cybersecurity analysis is as follows:
OpenWRT
as the router’s firmware.In this section I will present the technical and network information that I have gathered about tested TP Link TP-WR841N router. This section includes information about: 1. Finding open TCP ports. 2. Finding open UDP ports. 3. Detection of the Operating System (OS) within the TP Link TL-WR841M router. 4. Detection of the version of the OS that is running within the TP Link TL-WR841M router.
In this subsection of Technical information gathering section I am presenting the results of a port scan that I have done on the tested router. For all the further scans nmap
tool was used.
As mentioned before, for finding open TCP ports and services that are running on top of them, nmap
tool was used. The command for this specific scan was nmap -v -sS -sV -sC -p- X.X.X.X
, where X.X.X.X
is IP address of the TP Link router. Short description of every used flag is presented below:
-v Verbosity. Gives more information about what the scan is doing.
-sS Stealth scan. Fast, accurate and non-intrusive test of a selected target.
-sV Version scan. Used to detect versions of services running on specific open ports of IP Camera.
-sC Scripts scan. Uses a default set of most common `nmap` scripts.
-p- Check all 65535 TCP ports for if they are open.
Results of this scan are presented below:
PORT STATE SERVICE VERSION
22/tcp open ssh Dropbear sshd 2012.55 (protocol 2.0)
| ssh-hostkey:
| 1024 2d:20:4b:ed:24:f6:13:5d:32:af:44:88:35:5b:04:de (DSA)
|_ 1040 df:61:f7:f5:bc:aa:e6:9a:2d:6a:20:cc:98:38:68:38 (RSA)
80/tcp open http TP-LINK WR841N WAP http config
|_http-title: TL-WR841N
1900/tcp open upnp ipOS upnpd (TP-LINK TL-WR841N WAP 11.0; UPnP 1.0)
49152/tcp open http Huawei HG8245T modem http config
|_http-title: Site doesn't have a title.
Nmap scan found 4 TCP ports whose numbers are 22
, 80
, 1900
and 49152
. Some details about each port are presented below:
22
is a standart port for ssh
service and on top of this port Dropbear sshd 2012.55 service is running. Also a couple of ssh hostkeys were discovered.80
is a standard http
port and is controlled by TP-LINK WR841N WAP http config software.1900
is an upnp
or universal plug and play port and is controlled by ipOS upnpd service.49152
is a port for alternate http service and is controlled by Huawei HG8245T modem http config service. It looks like a different built-in module within the router for connecting to some kind of http services.After finding TCP ports I have conducted a search for UDP ports. Same nmap
tool was used, although this time -sU
flag for UDP scan was used insead of TCP stealth scan (-sS). The full command for this scan was nmap -v -sU -sV X.X.X.X
, where X.X.X.X
is IP address for the TP Link router. Results for this scan are presented below:
PORT STATE SERVICE VERSION
53/udp open domain ISC BIND 9.10.3-P4 (Debian Linux)
| dns-nsid:
|_ bind.version: 9.10.3-P4-Debian
|_dns-recursion: Recursion appears to be enabled
67/udp open|filtered dhcps
1900/udp open|filtered upnp
Nmap scan found 3 open UDP ports with numbers 53
, 67
and 1900
. Some details about each port are presented below:
53
has a domain
service controlled by ISC BIND 9.10.3-P4 and it is used for some DNS related stuff. Also DNS recursion seems to be enabled. Further reading needs to be done to fully understand what it is used for and what could potential risks of this service be.67
is controlled by dhcps
or Dynamic Host Configuration Protocol service and could be used for automatic IP network configuration.1900
is used for upnp
or universal plug and play service, same as it’s TCP counterpart.To determine type and version of the OS installed within the TP Link router, nmap
tool with -O
flag was used. The full command was nmap -v -sS -sV -O X.X.X.X
, where X.X.X.X is an IP address of TP Link router. The results of this scan are presented below:
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS deta Linux 2.6.17 - 2.6.36
The router is recognized as a general purpose
device and it is running a Linux 2.6
operating system with likely version ranging from 2.6.17
to 2.6.36
.
In this section I will present an in-depth analysis of couple exploits for TP LINK TL-WR841N router that I have found in exploit-db page. These exploits are:
I will start with Authentication Bypass Exploit and later go to analyze Command Injection Exploit.
This exploit, found on Exploit-db was written by BlackFog team at SecureLayer7.net. If the Referer Header is set as http://192.168.0.1/mainFrame.htm
, then no authentication is needed for following commands. Although, this exploit did not work for my router.
For now I have tried to run the Python script found in the Exploit-db link but it did not work.
In this section I will analyze the Index page source code and linked encryption file javascript code files.