RouterSploit guide

The RouterSploit Framework is an open-source exploitation framework dedicated to embedded devices.
RouterSploit sounds a bit like Metasploit, right? RouterSploit is an exploitation framework for embedded devices, and for routers in particular. Many people protect their computers and even their phones, but often leave other network components and IoT devices unsecured. RouterSploit was created so that you, as an administrator, can discover these devices and patch, upgrade or replace them where necessary. As always, the software can (and will) be used maliciously, so the usual disclaimer (see the end of this post) applies.
[Screenshot: Router Exploitation Framework]

    It is not for nothing that RouterSploit sounds a bit like "Metasploit". It shows a lot of similarities, such as the fact that the code is open source, the command-line navigation and the structure of the commands. If you are familiar with Metasploit, RouterSploit will be no problem for you.

    RouterSploit is a Python-based application for which anyone can easily develop their own modules, and in this way you can help develop the RouterSploit software yourself. It is recommended to update RouterSploit very regularly, because new modules are added almost daily.

    Routers (and other devices such as IoT equipment and webcams) are an easy target for hackers, but also for security services. As is known, the CIA and NSA have complete networks of infected routers so that all devices behind them can be eavesdropped on easily. After such a hack your router is often fitted with special firmware, which means the user can no longer perform a firmware update. We call this "rootkitting". CherryBlossom is one of these rootkits used by the CIA and leaked in the WikiLeaks documents.

    If the CIA and the NSA can do this, then who says that hackers can't? Prevent your router from participating in a criminal network and being used to relay malicious traffic (as a proxy). So scan your own network periodically as well. RouterSploit is extremely suitable for this. Of course there are other tools (with a GUI) such as RouterScan from "Stas'M", but here we focus on RouterSploit.

    Routersploit modules

    RouterSploit, just like Metasploit, is made up of various modules such as exploits, payloads, scanners and creds. There are also so-called "generic" modules.

    Exploits
    Exploits are used to exploit vulnerabilities in the router in order to gain access to it.

    Payloads
    The actual payload, i.e. the code that is delivered to an exploited router in order to infect or rewrite it.

    Scanners
    These modules scan the network and/or a single device to see whether it is potentially susceptible to an exploit (and therefore whether a vulnerability is present).

    Creds
    The "Creds" (credentials) modules are used to test credentials against the different devices. With the creds modules you can perform dictionary attacks on various network protocols such as:
    • FTP
    • SSH
    • Telnet
    • HTTP Basic
    • HTTP Form

    Generic
    Modules that perform generic actions, such as various code improvements.

    Routersploit installation

    The installation of RouterSploit is simple. RouterSploit can be installed on Kali, Ubuntu, OSX and Docker. Of course I use my beloved Kali for this demo. Because RouterSploit is a Python application, Python 3 and pip (for installing Python modules) must also be present on the computer, together with a few Python libraries. If these are not yet present, we install them as follows:
    apt-get install python3-pip
    python3 -m pip install requests paramiko beautifulsoup4 pysnmp
    In addition to the above applications, a number of packages must also be downloaded. We can do this automatically from a supplied "requirements" file. To fully install RouterSploit we use:
    git clone https://github.com/threat9/RouterSploit
    cd RouterSploit
    python3 -m pip install -r requirements.txt
    To also enable Bluetooth Low Energy support, we need to install libglib2 and bluepy:
    apt-get install libglib2.0-dev
    python3 -m pip install bluepy
    To then start RouterSploit, we navigate to the RouterSploit directory and start the application as follows (RSF stands for RouterSploit Framework, of course):
    python3 ./rsf.py
    As you can see, the appearance looks a lot like Metasploit. The banner, version, module counters and the prompt:
    [Screenshot: Routersploit installation]
    To update RouterSploit you can simply (from the RouterSploit directory) download the latest version from GitHub:
    git pull
    Routersploit Scanners

    First, let's see what kind of scanners we have on board:
    search scanner
    [Screenshot: Routersploit Scanners]
    We have a router scanner, a camera scanner, a misc scanner and the autopwn scanner. Since in this example I know exactly what kind of router I want to scan, I choose the router scanner.
    use scanners/routers/router_scan
    Before we can run the scan we must set a few options:
    show options
    [Screenshot: router_scan options]
    As you can see, after choosing a module the name of the module turns red, just like in... you guessed it... Metasploit. As you can see, we still have to enter a target. The other options, such as the ports, are fine as they are.
    set target 192.168.0.1

    Now that the target has been set, we launch the scan with the "run" command.
    run
    The scanner will now test the target for all vulnerabilities:
    [Screenshot: RouterSploit set target]

    As you can see in the image above, RouterSploit has not found any vulnerabilities, but default credentials were found.
    To close the module and return to the RouterSploit homepage, use the "back" command.
    back

    Routersploit Autopwn module

    If stealth is not a requirement, you can use the "autopwn" module. This module not only tests for vulnerabilities but will also attempt to exploit them automatically. It works in the same way:
    use scanners/autopwn
    Here too we must enter the target and then run the scanner:
    set target 192.168.0.1
    run
    And of course the outcome with our test router is the same.

    Routersploit Brute force

    We can now still try to use a "creds" module to mount a brute-force attack. We start the "creds" module as follows:
    use creds/routers/fortinet/ftp_default_creds
    The "show options" command gives us the following options:
    [Screenshot: Routersploit Brute force]

    As you can see, there are 2 important fields which we have to check. First of all we set the target again:
    set target 192.168.0.1
    Then we have to enter the username + password combinations that RouterSploit should try. We can do this by entering them manually in the form username:password, or by specifying a password file.
    Let's specify a password file:
    set defaults file:///root/newrockyou.txt
    And to run the brute-force attack we of course use the "run" command.
    This attack (staged, of course) has more effect: credentials have been found with which we can log in via FTP.
    [Screenshot: Routersploit FTP]

    Routersploit exploit

    What if the scanner had revealed that the router did have vulnerabilities? Then we could have exploited them. The exploit process works roughly the same as the scan process. First we choose an exploit:
    use exploits/routers/fortinet/fortigate_os_backdoor
    Then we look at the options. In this case again only the target is needed.
    set target 192.168.0.1
    Then we can double-check whether the target is susceptible to the chosen exploit:
    check
    And if the target is susceptible, we perform the exploit:
    run
    If the exploit is successful, what happens next depends on the chosen exploit. Sometimes you can change the configuration, inject code or view the router password. Whatever happens, these are all weaknesses in the network that need to be resolved.
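    The scanner, autopwn, creds and exploit runs above are all the same "use / set / run" (or "check") sequence typed at the rsf prompt. The following Python script is an added example, not code from the RouterSploit project or from this post: it pipes that sequence into rsf.py for a list of your own routers and turns the console output into a list of findings that you can track until each device has been patched or replaced. The clone location RSF_DIR, the assumption that rsf.py accepts commands on standard input, the exact wording of the result lines (RouterSploit prefixes its output with [+], [-] and [*]) and the sample output are all assumptions and not taken from the page.

```python
"""Drive RouterSploit non-interactively across a list of routers and collect
the findings so they can be tracked and fixed.

Added example, not code from the RouterSploit project. rsf.py reads console
commands from standard input, so the 'use / set / run' sequence from the post
can be piped into it. Assumptions not taken from the post: the clone location
RSF_DIR, that rsf.py accepts piped commands, the exact wording of result lines
(RouterSploit prefixes results with [+], [-] and [*]), and the sample output
below, which is constructed for illustration.
"""
import ipaddress
import re
import subprocess
import sys
from pathlib import Path
from typing import Dict, List, Optional

RSF_DIR = Path("/opt/RouterSploit")  # assumption: where the repository was cloned

# ANSI colour escapes that RouterSploit adds to its console output.
ANSI = re.compile(r"\x1b\[[0-9;]*m")
# A positive result line: "[+] <ipv4>[:port] <detail>" (IPv4 only; the format is an assumption).
RESULT = re.compile(r"^\[\+\]\s+(?P<host>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<port>\d+))?\s+(?P<detail>.+)$")


def build_script(module: str, target: str, action: str = "run",
                 options: Optional[Dict[str, str]] = None) -> str:
    """Return the rsf console command sequence for one module run.

    The target must be a valid IP address and names/values may not contain
    newlines: everything ends up verbatim in the command stream, so an
    untrusted value could otherwise smuggle in extra console commands.
    """
    if action not in ("run", "check"):
        raise ValueError("action must be 'run' or 'check'")
    if not re.fullmatch(r"[\w/]+", module):
        raise ValueError("module path may only contain letters, digits, '_' and '/'")
    ipaddress.ip_address(target)  # raises ValueError on anything that is not an IP address
    lines = [f"use {module}", f"set target {target}"]
    for name, value in (options or {}).items():
        if "\n" in name or "\n" in value:
            raise ValueError("option names and values may not contain newlines")
        lines.append(f"set {name} {value}")
    lines += [action, "exit"]
    return "\n".join(lines) + "\n"


def parse_findings(output: str) -> List[Dict[str, str]]:
    """Extract positive ([+]) results that name an IPv4 host from console output.

    '[-]' (not vulnerable) and '[*]' (informational) lines are ignored, as are
    '[+]' lines without a host, such as section headings.
    """
    findings = []
    for raw in output.splitlines():
        match = RESULT.match(ANSI.sub("", raw).strip())
        if not match:
            continue
        detail = match.group("detail")
        # The module path, if the line names one, is the token containing a '/'.
        module = next((tok for tok in detail.split() if "/" in tok), "")
        findings.append({"host": match.group("host"), "port": match.group("port") or "",
                         "module": module, "detail": detail})
    return findings


def run_module(target: str, module: str = "scanners/routers/router_scan", action: str = "run",
               options: Optional[Dict[str, str]] = None, rsf_dir: Path = RSF_DIR,
               timeout: int = 900) -> List[Dict[str, str]]:
    """Run one module against one target by piping the commands into rsf.py."""
    script = build_script(module, target, action, options)
    proc = subprocess.run([sys.executable, "rsf.py"], cwd=rsf_dir, input=script,
                          capture_output=True, text=True, timeout=timeout)
    return parse_findings(proc.stdout)


def scan_targets(targets: List[str], **kwargs) -> Dict[str, List[Dict[str, str]]]:
    """Run the same module against each of your routers and map target -> findings."""
    return {target: run_module(target, **kwargs) for target in targets}


# Constructed sample output in the style of RouterSploit's console; the wording
# of the lines is an assumption for demonstration only.
SAMPLE_OUTPUT = "\n".join([
    "[*] Running module scanners/routers/router_scan...",
    "\x1b[91m[-]\x1b[0m 192.168.0.1:22 ssh exploits/routers/fortinet/fortigate_os_backdoor Not Vulnerable",
    "\x1b[94m[*]\x1b[0m 192.168.0.1:80 http Could not be verified",
    "\x1b[92m[+]\x1b[0m 192.168.0.1:21 ftp creds/routers/fortinet/ftp_default_creds Found default credentials",
    "[+] Device is vulnerable:",
])

if __name__ == "__main__":
    for finding in parse_findings(SAMPLE_OUTPUT):
        print(f"{finding['host']}:{finding['port']}  {finding['module']}  ->  {finding['detail']}")
    # Against the real devices on your own network (requires the clone in RSF_DIR):
    # print(scan_targets(["192.168.0.1"], module="scanners/routers/router_scan"))
```

    Two details matter in practice: every value handed to "set" lands verbatim in rsf's command stream, so the script validates the target as an IP address and rejects newlines rather than trusting an inventory file blindly, and RouterSploit colours its output with ANSI escapes, which the parser strips before matching the "[+]" lines.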

    CONCLUSION

    RouterSploit is a wonderful tool to integrate into your Kali OS. Security specialists (and hackers) are generally familiar with Metasploit, so RouterSploit will not be a problem in terms of operation and navigation. RouterSploit is actively developed and supported by the community, and it is fairly easy to contribute to it yourself. Definitely a nice tool, but as always no panacea for every environment or situation.
    DISCLAIMER: This post has been published for educational purposes. I am not responsible for potential damage or fraudulent practices applied with this knowledge. If you continue reading, you agree to use this information only for ethical matters. If not, stop reading now and close this page!