RouterSploit
BY.MICKY VERMA
A router is the core of anyone's internet experience, but sadly most people don't spend much time setting up this critical piece of hardware. Old firmware, default passwords, and other configuration issues continue to haunt many organizations. Exploiting the poor, neglected computer inside these routers has become so popular and easy that automated tools have been created to make the process a breeze.
In this hacking tutorial, we'll learn how to use RouterSploit, a tool for automating the process of router exploitation. But before we dive right in, let's get a little background information on the tools available and why router exploitation is so big.
The Basics Behind Router Exploitation
Router exploitation works by breaching the Wi-Fi security of a router, bypassing the administrative login page, and accessing administrative features. A skilled attacker can then target the existing firmware that runs the router in a practice called "rootkitting" in which a custom firmware is dropped into the router to enable advanced malicious features.
Depending on the goals and resources of an attacker, this can include spying on the user and any connected devices, injecting malware into the browser to exploit connected devices, enabling advanced spear phishing attacks, and routing illegal traffic for criminal activities through exploited routers.
Government Router Hacking with Cherry Blossom
Government agencies like the NSA and CIA hoard exploits for routers, and the ShadowBrokers have threatened to release these exploits on the heels of the Windows SMB leaks that spawned WanaCry (or WannaCry). If they follow through with the threats to leak router exploits in June, tools like Cherry Blossom could become mainstream.
These tools from the NSA and CIA control entire networks of infected routers, transforming them into advanced, on-site wireless espionage devices. Why plant a fancy spying device when you can just turn a home router into one?
Cherry Blossom is a rootkitting master framework, in which routers are automatically exploited and converted into "flytraps." A flytrap is a router that has been compromised and updated with special firmware that prevents the user from updating or modifying the new firmware.
The flytrap establishes a "beacon" back to a command-and-control server called "Cherryweb," and is then assigned "missions" by an operator via an encrypted VPN tunnel. Advanced modules, like "Windex," which performs a drive-by malware injection attack against any connected target, can turn a flytrap into an advanced remote espionage platform capable of being controlled from anywhere.
Aside from the espionage application the CIA focuses on, exploitable routers and IoT devices are commonly targeted because of their routing ability. RouterSploit, the tool we're working with today, doesn't just compromise routers, it can also go after webcams and other connected devices.
While the CIA uses VPN connections to hide traffic to and from command-and-control servers, cyber criminals will use these devices to proxy malicious traffic to avoid detection. In fact, networks of these infected routers and IoT devices are sold as black market proxies for hiding illegal activity like credit card theft, darknet transactions, and DDoS attacks. By failing to secure your router, you could be signing up to relay traffic for criminal hacking enterprises.
Beginner Router Hacking
While simply trying the default password is the first step towards router exploitation, more advanced frameworks exist even for beginners. Why would a beginner want to exploit a router? On a local level, if you fully compromise the router, you will have complete access to the network. This allows you to control and route the target's internet experience to wherever or whatever you want or forward ports for remote access.
You should consider a router as an early and productive target to take on during the stages of an engagement. Even if you're a beginner, simply running the Autopwn scanner on RouterSploit will automatically test a range of vulnerabilities against a target IP address, reducing the process of finding a potential exploit to a matter of seconds.
What Is RouterSploit?
RouterSploit is a handy Python program which automates most of the tasks associated with compromising a router. Modeled after Metasploit, its commands will be familiar to anyone used to the Metasploit framework. It contains scanning and exploit modules and is available for Kali Linux (and macOS or Mac OS X if you want).
Getting It Running — What You'll Need
RouterSploit is great because it runs on Kali Linux, our Kali Raspberry Pi, macOS or Mac OS X, Windows, and even on an unrooted Android phone. To start, we'll need to take care of some dependencies and ensure Python is installed. Aside from that, compromising a router has never been easier from any device you have handy.
Step 1Installing Dependencies
To proceed, we'll need to ensure we have Python installed. You'll need the following packages:
- Gnureadline (macOS / Mac OS X only)
- Requests
- Paramiko
- Beautifulsoup4
- Pysnmp
You can install them all by typing:
apt-get install requests paramiko beautifulsoup4 pysnmp
Step 2Installing on OS X, Kali Linux & Others
To install on Kali Linux, open a terminal window and type:
git clone https://github.com/reverse-shell/routersploit
cd routersploit
./rsf.py
On macOS or Mac OS X, the method is similar. In a terminal window, type:
git clone https://github.com/reverse-shell/routersploit
cd routersploit
sudo easy_install pip
sudo pip install -r requirements.txt
Step 3Running RouterSploit
For our first run, connect your computer to a network with a router you'd like to scan. Navigate to the RouterSploit folder and run RouterSploit by typing:
cd
cd routersploit
sudo python ./rsf.py
The RouterSploit framework bears a striking similarity to the Metasploit framework, both in interface style and workflow. A command-line interface lets you input simple commands to scan and exploit routers, and you can see everything RouterSploit has to offer by typing:
show all
Lots of exploits, default creds, and scanners! How fun. To begin, we'll start with a scan against a target router, which will check to see if each and every vulnerability might work against it. It will return a list at the end of the scan with every exploit that will work against the target — no research required.
Step 4Scanning a Target
We will be using Autopwn scanner to find any vulnerabilities that apply to our target. Locate the IP address of the router, and save it, because we'll need it to input it shortly. Most of the time, the router is at 192.168. 0.1, but this can change. You can use Fing or ARP-scan to find the IP address if you don't know it.
After starting RouterSploit, enter the Autopwn module by typing:
use scanners/autopwn
show options
This is very similar to Metasploit. To get around, type use and then whatever module you want to use, show options to show the variables of that module you've selected, set to set any of the variables you see from the show options command, and finally, run to execute the module. Pretty simple. To close out of the module and take you to the main screen, type exit.
In this case, we will set the target to the IP address of the router. Type set target and then the IP address of the router, then press enter. Finally, type run to begin the scan.
Step 5Selecting & Configuring the Exploit
After the scan is complete, we'll be left with a list of vulnerabilities it finds. We can pick from this list to decide which exploit best suits our needs.
Here, we see a router with many vulnerabilities. Let's start with a simple exploit, some revealing information disclosure.
To use this exploit, we'll enter the following:
use exploits/routers/3com/3cradsl72infodisclosure
show options
A list of the variables will come up, and you'll be able to set your target by typing:
set target
check
This will set the target and confirm it is vulnerable.
Step 6Running the Exploit
The target looks good and vulnerable. To fire the payload, type run.
If the exploit is successful, you should be greeted with internal configuration settings that can leak the login and password of users, default passwords, and device serial number, among other settings that allow you to compromise the router. Other modules allow you to remotely inject code or directly disclose the router password. Which you can run depends on what the target router is vulnerable to.
Warnings
This intro should get you familiar with running RouterSploit to compromise a router, now you can start using other modules and experimenting with different kinds of exploits. Although Autopwn is a convenient feature, it tries a lot of different exploits and thus is very noisy on the network. The preferred option is to scan your target, do some recon, and only run the relevant modules for the manufacturer of the target router. While exploiting routers might be trendy, keep in mind doing so on someone else's router without permission is a crime. Unless you're the CIA.
No comments:
Post a Comment