HNAP is not something you want on your router.
HNAP, or the Home Network Administration Protocol, is a network device management protocol dating back to 2007. Cisco took over the protocol from Pure Networks in 2008. It allows network devices (routers, NAS devices, network cameras, etc.) to be silently managed and administered. This lets someone or something malicious make changes such as adding port forwarding to a router. No thanks, it is an accident waiting to happen.
HNAP has also had a long history of buggy implementations. And it has been abused, more than once, by bad guys to learn the technical details of a router, making it easier for them to find an appropriate vulnerability to attack. Worse still, the fact that a router supports HNAP may not be visible in the administrative interface, and you may not be able to disable HNAP in a router.
Years ago, I owned a Linksys WRT54GL router that supported HNAP. After an HNAP flaw made the news, and I realized I could not disable HNAP, I bought a new router.
The good news is that HNAP seems to be dying out. There used to be an hnap.org website, but no more. It was part of a software product called Network Magic that Cisco discontinued in 2012. In November 2016, D-Link said they have stopped using it.
There is a section on testing if a router supports HNAP on the Test Your Router page. If HNAP is enabled, try to disable it in the router administrative interface. If you can't disable it (there may be no option for this), then try updating the firmware. Maybe the router vendor removed HNAP in later firmware. If all this fails, then a decision is needed. The secure option is to get a new router.
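A small script for the test step above, added here as an example (it is not code from this site or from the Test Your Router page). It assumes an HNAP device answers a request to /HNAP1/ with a SOAP document that mentions the Pure Networks HNAP1 namespace; the function names and the sample response are constructed for illustration.

```python
import sys
import urllib.error
import urllib.request

# Assumption: strings an HNAP device commonly returns from /HNAP1/.
HNAP_MARKERS = ("purenetworks.com/hnap1", "getdevicesettingsresponse")

# Constructed sample response; the values are placeholders, not a real device.
SAMPLE_HNAP = """<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body><GetDeviceSettingsResponse xmlns="http://purenetworks.com/HNAP1/">
<GetDeviceSettingsResult>OK</GetDeviceSettingsResult>
<ModelName>EXAMPLE-MODEL</ModelName>
</GetDeviceSettingsResponse></soap:Body></soap:Envelope>"""


def classify_hnap(status, body):
    """Map one HTTP response from /HNAP1/ to a verdict string."""
    if status is None:
        return "unreachable"          # no web server answered at that address
    text = body.lower()
    if any(marker in text for marker in HNAP_MARKERS):
        return "enabled"              # HNAP answered: disable it or update firmware
    if status in (404, 410):
        return "absent"               # the path does not exist on this firmware
    return "unclear"                  # login page, 401, 500...: re-test by hand


def fetch(router_ip, timeout=5):
    """GET http://<router_ip>/HNAP1/ and return (status, body)."""
    url = f"http://{router_ip}/HNAP1/"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:       # 4xx/5xx still carry a body
        return err.code, err.read(65536).decode("utf-8", "replace")
    except OSError:                             # refused, timed out, no route
        return None, ""


def check_router(router_ip):
    return classify_hnap(*fetch(router_ip))


if __name__ == "__main__":
    # Run against your own router, e.g.: python hnap_check.py 192.168.0.1
    print(check_router(sys.argv[1]))
```

Running it again after a firmware update shows whether the vendor removed HNAP.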
Masuta: Satori Creators' Second Botnet Weaponizes A New Router Exploit by Ankit Anubhav of NewSky Security. Jan. 23, 2018. A bug in HNAP on D-Link routers is being exploited by a botnet. The bug was first discovered back in 2015.
September 12, 2017: Enlarge your botnet with: top D-Link routers by security firm Embedi. They found three flaws in the D-Link DIR890L, DIR885L, DIR895L and, most likely, other DIR8xx routers. One of them was that a malicious request sent to http://192.168.0.1/HNAP1/ can cause a stack overflow that allows for the execution of shell commands with root privileges.
D-Link DIR-850L web admin interface contains a stack-based buffer overflow vulnerability by US-CERT March 8, 2017. As bad as it gets: an unauthenticated attacker can run arbitrary code as root. Vulnerable on LAN side for sure and remotely if remote admin is enabled. Other D-Link models may also be affected. The vulnerability is in the HNAP service. A bad guy can send a specially crafted POST request to http://routerIPaddress/HNAP1/ that causes a buffer overflow.
Another HNAP flaw in D-Link routers by me November 11, 2016. An HNAP flaw got publicity after being ignored for months. Shortly thereafter, D-Link started releasing fixes.
D-Link Router: HNAP Privilege Escalation - Command Injection. D-Link fixes an HNAP flaw. April 2015. More on this bug is on the bugs page in the April 2015 section. One critical point: you can't disable HNAP.
Bizarre attack infects Linksys routers with self-replicating malware. HNAP is abused by TheMoon worm. Feb. 2014
More on HNAP - What is it, How to Use it, How to Find it by Rob VandenBrink Feb. 2014
Linksys Worm "TheMoon" Summary: What we know so far by Johannes B. Ullrich, Feb. 2014
HNAP Protocol Vulnerabilities - Pushing The "Easy" Button by Paul Asadoorian February 2010. Griping about HNAP. He claims that buggy versions had been in D-Link routers since 2006.
Hacking D-Link Routers With HNAP by SourceSec Security Research. 2010. The earliest HNAP flaw that I am aware of to get any publicity.
D-Link Issues Fixes for Router Vulnerabilities by Jeremy Kirk of IDG News Service January 2010
Home Network Administration Protocol at Wikipedia