Router Security | HNAP
Website by Michael Horowitz
HNAP is not something you want on your router.
HNAP, or the Home Network Administration Protocol, is a network device management protocol dating back to 2007. Cisco took over the protocol from Pure Networks in 2008. It allows network devices (routers, NAS devices, network cameras, etc.) to be silently managed and administered. This lets someone or something malicious make changes such as adding port forwarding to a router. No thanks, it is an accident waiting to happen.
HNAP also has had a long history of buggy implementations. And, it has been abused, more than once, by bad guys to learn the technical details of a router, making it easier for them to find an appropriate vulnerability to attack. Worse still, the fact that a router supports HNAP may not be visible in the administrative interface and you may not be able to disable HNAP in a router.
Years ago, I owned a Linksys WRT54GL router that supported HNAP. After an HNAP flaw made the news, and I realized I could not disable HNAP, I bought a new router.
The good news is that HNAP seems to be dying out. There used to be an hnap.org website, but no more. It was part of a software product called Network Magic that Cisco discontinued in 2012. In November 2016, D-Link said they have stopped using it.
There is a section on testing if a router supports HNAP on the Test Your Router page. If HNAP is enabled, try to disable it in the router administrative interface. If you can't disable it (there may be no option for this), then try updating the firmware. The router vendor may have removed HNAP in later firmware. If all this fails, then a decision is needed. The secure option is to get a new router.
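One way to script the first step, checking whether your own router answers at the /HNAP1/ path, is sketched below in Python. This is an added example, not code from this site or from any router vendor. It assumes the reply format commonly documented for HNAP (a SOAP GetDeviceSettingsResponse in the purenetworks.com namespace); the sample replies and the ExampleVendor / EX-1000 values are constructed.

```python
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

HNAP_NS = "{http://purenetworks.com/HNAP1/}"   # assumed namespace of HNAP SOAP replies
FIELDS = ("VendorName", "ModelName", "FirmwareVersion")

def classify_hnap_response(status, body):
    """Return (hnap_enabled, disclosed_fields) for one reply to GET /HNAP1/."""
    if status != 200 or "<!DOCTYPE" in body.upper():
        return False, {}          # 404/401, or an HTML page / DTD we refuse to parse
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return False, {}          # not XML, e.g. a login page served for every URL
    if root.find(f".//{HNAP_NS}GetDeviceSettingsResponse") is None:
        return False, {}
    disclosed = {}
    for name in FIELDS:
        node = root.find(f".//{HNAP_NS}{name}")
        if node is not None and node.text:
            disclosed[name] = node.text.strip()
    return True, disclosed

def check_router(ip="192.168.0.1", timeout=5):
    """Query your own router from the LAN side; unreachable means not detected."""
    try:
        with urllib.request.urlopen(f"http://{ip}/HNAP1/", timeout=timeout) as r:
            return classify_hnap_response(r.status, r.read(65536).decode("utf-8", "replace"))
    except urllib.error.HTTPError as e:
        return classify_hnap_response(e.code, "")
    except (urllib.error.URLError, OSError):
        return False, {}

# Constructed sample replies (not captured from a real device).
SAMPLE_HNAP = """<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
 <soap:Body>
  <GetDeviceSettingsResponse xmlns="http://purenetworks.com/HNAP1/">
   <VendorName>ExampleVendor</VendorName>
   <ModelName>EX-1000</ModelName>
   <FirmwareVersion>1.00</FirmwareVersion>
  </GetDeviceSettingsResponse>
 </soap:Body>
</soap:Envelope>"""
SAMPLE_LOGIN_PAGE = "<html><body><form action='/login'>Password:<input></form></body></html>"

if __name__ == "__main__":
    for reply in ((200, SAMPLE_HNAP), (200, SAMPLE_LOGIN_PAGE), (404, "")):
        print(classify_hnap_response(*reply))
```

A result of (True, {...}) means the router answered HNAP without a login and shows which details it gave away. Re-run check_router() after disabling HNAP or updating the firmware to confirm the change took effect.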
Over 25,000 Linksys Smart Wi-Fi routers vulnerable to sensitive information disclosure flaw by Troy Mursch May 13, 2019. Thirty-three Linksys Smart Wi-Fi routers are buggy and Linksys will not fix it. They tried to fix it five years ago (see CVE-2014-824 below), but they screwed that up. The bug allows unauthenticated remote access to sensitive information and it's easily exploited by bad guys with little technical knowledge. The routers leak information both about themselves and about every (yes, every) device that has ever connected to them. For connected devices, Linksys always leaks the MAC address, device name ("Troys iPad") and operating system. Sometimes it also leaks the device type, model number, and a description of the attached device. As for router information, it leaks the model number, hardware version, serial number, firmware release level, MAC address, the LAN side IP address, WAN settings, firewall status and DDNS settings. Data provided by BinaryEdge shows that 25,617 Linksys Smart Wi-Fi routers are currently leaking sensitive information to the public. Among the 33 buggy models are the E4200, EA2700, EA5800, EA6900, EA7300, EA8500, EA9200, WRT1900AC, WRT3200ACM, XAC1900 and WHW03 Velop. The bug can also reveal if a router is using the default password (thousands are) without even trying to log in. The worst part is that Linksys tried to fix this five years ago but clearly screwed that up. Then, when contacted about it recently, they had no interest in fixing it properly. Yes, if you disable remote web access you block the information leak. However, Linksys Smart Wi-Fi routers require remote access for the Linksys App to function.
Masuta : Satori Creators' Second Botnet Weaponizes A New Router Exploit. by Ankit Anubhav of NewSky Security Jan. 23, 2018. A bug in HNAP on D-Link routers is being exploited by a botnet. The bug was first discovered back in 2015.
September 12, 2017: Enlarge your botnet with: top D-Link routers by security firm Embedi. They found three flaws in the D-Link DIR890L, DIR885L, DIR895L and, most likely, other DIR8xx routers. One of them was that a malicious request sent to http://192.168.0.1/HNAP1/ can cause a stack overflow that allows for the execution of shell commands with root privileges.
D-Link DIR-850L web admin interface contains a stack-based buffer overflow vulnerability by US-CERT March 8, 2017. As bad as it gets: an unauthenticated attacker can run arbitrary code as root. Vulnerable on LAN side for sure and remotely if remote admin is enabled. Other D-Link models may also be affected. The vulnerability is in the HNAP service. A bad guy can send a specially crafted POST request to http://routerIPaddress/HNAP1/ that causes a buffer overflow.
Another HNAP flaw in D-Link routers by me November 11, 2016. An HNAP flaw got publicity after being ignored for months. Shortly thereafter, D-Link started releasing fixes.
D-Link Router : HNAP Privilege Escalation - Command Injection. D-Link fixes an HNAP flaw. April 2015. More on this bug is on the bugs page in the April 2015 section. One critical point: you can't disable HNAP.
Bizarre attack infects Linksys routers with self-replicating malware. HNAP is abused by TheMoon worm. Feb. 2014
More on HNAP - What is it, How to Use it, How to Find it by Rob VandenBrink Feb. 2014
Linksys Worm "TheMoon" Summary: What we know so far by Johannes B. Ullrich, Feb. 2014
CVE-2014-824 from November 2014 affects Linksys SMART WiFi routers (EA2700, EA3500, EA4500 and many more). It lets remote attackers see sensitive information or modify data via a JNAP action in a JNAP/ HTTP request. In May 2019, we learned this bug was not correctly fixed.
HNAP Protocol Vulnerabilities - Pushing The "Easy" Button by Paul Asadoorian February 2010. Griping about HNAP. He claims that buggy versions had been in D-Link routers since 2006.
Hacking D-Link Routers With HNAP by SourceSec Security Research. 2010. The earliest HNAP flaw that I am aware of to get any publicity.
D-Link Issues Fixes for Router Vulnerabilities by Jeremy Kirk of IDG News Service January 2010
Home Network Administration Protocol at Wikipedia
Linksys-JNAP-Siphon at GitHub. Last Updated May 2016. On Linksys EA series Routers with SMART Wifi firmware, certain JNAP HTTP requests can allow remote attackers to obtain sensitive information or even modify data. This small bash script tests for information disclosure.