How can I do the hnap1 test to scan my router?
Recently, I saw some strange entries on my local-only webserver. The thing is I don't know if the attack came from outside the network or from an infected machine. I have read up a little on the hnap attack, but I'm still unsure what to do about it. Essentially, Cisco routers have vulnerabilities because of the "home network administration protocol." And from what I've read there is no solution.
If it is an infected system I'd like to pinpoint it by listening to network traffic, but I'm not sure how to do that. I tried using Snort and Wireshark, but these programs seem pretty advanced. Alternatively, I am thinking that if someone was able to compromise my network by cracking the network key, they could join the network and run whatever scans they want. Otherwise, maybe someone is accessing from outside the local network.
Here are the entries:
[03/Sep/2017 11:35:13] "GET / HTTP/1.1" 400 67505
Invalid HTTP_HOST header: '192.168.yyy.yyy'.
[03/Sep/2017 11:35:33] "GET /HNAP1/ HTTP/1.1" 400 67699
Invalid HTTP_HOST header: '192.168.1.1' (Router IP).
[03/Sep/2017 11:35:33] "GET /HNAP1/ HTTP/1.1" 400 67699
Invalid HTTP_HOST header: '192.168.1.2' (PC IP).
[03/Sep/2017 11:35:33] "GET /HNAP1/ HTTP/1.1" 400 67699
Invalid HTTP_HOST header: '10.1.0.1' (Virtualbox IP on PC).
What can I do to track down the problem? Is there an easy way to listen for more of these requests and pinpoint the source? Are there better malware/spyware scanners that might pick up on a worm?
What you found was that a device connected to your web server and requested /HNAP1. HNAP is a protocol for managing devices, so with just this information about potential attacks, my guess is that this has been done by a device on your network that supports this protocol (e.g. it may be trying to obtain the public IP address from your router). Your log line should contain the IP address of the client that performed such a request,¹ e.g.:
192.168.123.123 - - [03/Sep/2017 11:35:13] "GET / HTTP/1.1" 400 67505
In this case, the request would have been performed by 192.168.123.123.
¹ (I am assuming you are using Common Log Format; if you are using a custom format, you should add the remote address somewhere.)

Regarding your update, the «Invalid HTTP_HOST header» message is mostly irrelevant here. The client connected specifying that it wanted to speak with (192.168.yyy.yyy / 192.168.1.1 / 192.168.1.2 / 10.1.0.1) but your server is not configured with virtual hosts for those. The important piece is the left-hand IP (although if it enumerated both the external and VirtualBox interfaces, it probably means it came from your PC).
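As an added example (not part of the question or the answer above), here is a small Python script that does what the answer describes: it takes the client address from the left-hand field of each log line, keeps only requests for /HNAP1, and groups them by client together with the Host header values that client tried. The log layout is an assumption for the example: Apache's Common Log Format with the request Host header appended as one extra quoted field (`LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Host}i\""`). The sample log is constructed; it also contains one line shaped like the ones in the question, which has no client field at all and can therefore only be counted, not attributed. The addresses, the `SAMPLE_LOG` text and the function names are all made up for the example.

```python
import re
from collections import defaultdict

# Assumed layout (not from the original post): Common Log Format with the
# Host header appended as one extra quoted field:
#   LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Host}i\""
# The first field (%h) is the client address the answer says to look at.
CLF_HOST_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<host>[^"]*)")?\s*$'
)

# Lines shaped like the ones in the question: timestamp first, no client
# address at all.  They only tell you *that* /HNAP1/ was requested.
NO_CLIENT_RE = re.compile(
    r'^\[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) (?P<size>\S+)\s*$'
)

# Constructed sample log for the example; private addresses chosen to mirror
# the ones in the question.  192.168.1.2 probes /HNAP1/ against three Host
# values, 192.168.1.77 is normal traffic, and the last line has no client field.
SAMPLE_LOG = """\
192.168.1.2 - - [03/Sep/2017 11:35:13] "GET / HTTP/1.1" 400 67505 "192.168.1.50"
192.168.1.2 - - [03/Sep/2017 11:35:33] "GET /HNAP1/ HTTP/1.1" 400 67699 "192.168.1.1"
192.168.1.2 - - [03/Sep/2017 11:35:33] "GET /HNAP1/ HTTP/1.1" 400 67699 "192.168.1.2"
192.168.1.2 - - [03/Sep/2017 11:35:33] "GET /HNAP1/ HTTP/1.1" 400 67699 "10.1.0.1"
192.168.1.77 - - [03/Sep/2017 12:01:02] "GET /index.html HTTP/1.1" 200 1024 "192.168.1.50"
[03/Sep/2017 11:35:33] "GET /HNAP1/ HTTP/1.1" 400 67699
"""


def parse_line(line):
    """Return a dict with client/time/method/path/status/size/host,
    or None if the line matches neither layout.
    'client' and 'host' are None when the line carries no client field."""
    m = CLF_HOST_RE.match(line)
    if m:
        return m.groupdict()
    m = NO_CLIENT_RE.match(line)
    if m:
        rec = m.groupdict()
        rec['client'] = None
        rec['host'] = None
        return rec
    return None


def is_hnap(path):
    """True for any request under /HNAP1 (the HNAP SOAP endpoint)."""
    return path.upper().startswith('/HNAP1')


def hnap_probes(log_text):
    """Group /HNAP1 requests by client address.

    Returns (probes, unattributed):
      probes       -> {client_ip: set of Host header values it tried}
      unattributed -> number of /HNAP1 requests whose line had no client field
    """
    probes = defaultdict(set)
    unattributed = 0
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        rec = parse_line(line)
        if rec is None or not is_hnap(rec['path']):
            continue
        if rec['client'] is None:
            unattributed += 1
        else:
            probes[rec['client']].add(rec['host'])
    return dict(probes), unattributed


def enumerating_clients(probes):
    """Clients that tried /HNAP1 against more than one Host value: the
    'enumerated both interfaces' pattern the answer points at."""
    return sorted(c for c, hosts in probes.items() if len(hosts) > 1)


if __name__ == '__main__':
    probes, unattributed = hnap_probes(SAMPLE_LOG)
    for client, hosts in probes.items():
        print(f'{client} requested /HNAP1 with Host values: {sorted(hosts)}')
    print(f'{unattributed} /HNAP1 request(s) had no client address in the log')
    print('clients enumerating several Host values:', enumerating_clients(probes))
```

Run it against a real access log by replacing `SAMPLE_LOG` with the file contents; if every HNAP line ends up in `unattributed`, the log format is the problem and the remote address has to be added to it, as the footnote in the answer says, before the source can be pinned down.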