How to Seize Control of a Router with RouterSploit
A router is the core of anyone's internet experience, but sadly most people don't spend much time setting up this critical piece of hardware. Old firmware, default passwords, and other configuration issues continue to haunt many organizations. Exploiting the poor, neglected computer inside these routers has become so popular and easy that automated tools have been created to make the process a breeze.
In this hacking tutorial, we'll learn how to use RouterSploit, a tool for automating the process of router exploitation. But before we dive right in, let's get a little background information on the tools available and why router exploitation is so big.
Router exploitation works by breaching the Wi-Fi security of a router, bypassing the administrative login page, and accessing administrative features. A skilled attacker can then target the existing firmware that runs the router in a practice called "rootkitting" in which a custom firmware is dropped into the router to enable advanced malicious features.
Depending on the goals and resources of an attacker, this can include spying on the user and any connected devices, injecting malware into the browser to exploit connected devices, enabling advanced spear phishing attacks, and routing illegal traffic for criminal activities through exploited routers.
Government agencies like the NSA and CIA hoard exploits for routers, and the ShadowBrokers have threatened to release these exploits on the heels of the Windows SMB leaks that spawned WanaCry (or WannaCry). If they follow through with the threats to leak router exploits in June, tools like Cherry Blossom could become mainstream.
These tools from the NSA and CIA control entire networks of infected routers, transforming them into advanced, on-site wireless espionage devices. Why plant a fancy spying device when you can just turn a home router into one?
Cherry Blossom is a rootkitting master framework, in which routers are automatically exploited and converted into "flytraps." A flytrap is a router that has been compromised and updated with special firmware that prevents the user from updating or modifying the new firmware.
The flytrap establishes a "beacon" back to a command-and-control server called "Cherryweb," and is then assigned "missions" by an operator via an encrypted VPN tunnel. Advanced modules, like "Windex," which performs a drive-by malware injection attack against any connected target, can turn a flytrap into an advanced remote espionage platform capable of being controlled from anywhere.
Aside from the espionage application the CIA focuses on, exploitable routers and IoT devices are commonly targeted because of their routing ability. RouterSploit, the tool we're working with today, doesn't just compromise routers, it can also go after webcams and other connected devices.
While the CIA uses VPN connections to hide traffic to and from command-and-control servers, cyber criminals will use these devices to proxy malicious traffic to avoid detection. In fact, networks of these infected routers and IoT devices are sold as black market proxies for hiding illegal activity like credit card theft, darknet transactions, and DDoS attacks. By failing to secure your router, you could be signing up to relay traffic for criminal hacking enterprises.
While simply trying the default password is the first step towards router exploitation, more advanced frameworks exist even for beginners. Why would a beginner want to exploit a router? On a local level, if you fully compromise the router, you will have complete access to the network. This allows you to control and route the target's internet experience to wherever or whatever you want or forward ports for remote access.
You should consider a router as an early and productive target to take on during the stages of an engagement. Even if you're a beginner, simply running the Autopwn scanner on RouterSploit will automatically test a range of vulnerabilities against a target IP address, reducing the process of finding a potential exploit to a matter of seconds.
RouterSploit is a handy Python program which automates most of the tasks associated with compromising a router. Modeled after Metasploit, its commands will be familiar to anyone used to the Metasploit framework. It contains scanning and exploit modules and is available for Kali Linux (and macOS or Mac OS X if you want).
Once you associate to a target network, running a scan will reveal whether a router can be easily exploited through the framework. Today, we will be going over the Autopwn feature to quickly identify vulnerabilities on routers and connected devices.
RouterSploit is great because it runs on Kali Linux, our Kali Raspberry Pi, macOS or Mac OS X, Windows, and even on an unrooted Android phone. To start, we'll need to take care of some dependencies and ensure Python is installed. Aside from that, compromising a router has never been easier from any device you have handy.
To proceed, we'll need to ensure we have Python installed. You'll need the following packages:
- Gnureadline (macOS / Mac OS X only)
You can install them all by typing:
apt-get install requests paramiko beautifulsoup4 pysnmp
To install on Kali Linux, open a terminal window and type:
git clone https://github.com/reverse-shell/routersploit
On macOS or Mac OS X, the method is similar. In a terminal window, type:
git clone https://github.com/reverse-shell/routersploit
sudo easy_install pip
sudo pip install -r requirements.txt
For our first run, connect your computer to a network with a router you'd like to scan. Navigate to the RouterSploit folder and run RouterSploit by typing:
sudo python ./rsf.py
The RouterSploit framework bears a striking similarity to the Metasploit framework, both in interface style and workflow. A command-line interface lets you input simple commands to scan and exploit routers, and you can see everything RouterSploit has to offer by typing:
Lots of exploits, default creds, and scanners! How fun. To begin, we'll start with a scan against a target router, which will check to see if each and every vulnerability might work against it. It will return a list at the end of the scan with every exploit that will work against the target — no research required.
We will be using Autopwn scanner to find any vulnerabilities that apply to our target. Locate the IP address of the router, and save it, because we'll need it to input it shortly. Most of the time, the router is at 192.168. 0.1, but this can change. You can use Fing or ARP-scan to find the IP address if you don't know it.
After starting RouterSploit, enter the Autopwn module by typing:
This is very similar to Metasploit. To get around, type use and then whatever module you want to use, show options to show the variables of that module you've selected, set to set any of the variables you see from the show options command, and finally, run to execute the module. Pretty simple. To close out of the module and take you to the main screen, type exit.
In this case, we will set the target to the IP address of the router. Type set target and then the IP address of the router, then press enter. Finally, type run to begin the scan.
After the scan is complete, we'll be left with a list of vulnerabilities it finds. We can pick from this list to decide which exploit best suits our needs.
Here, we see a router with many vulnerabilities. Let's start with a simple exploit, some revealing information disclosure.
To use this exploit, we'll enter the following:
A list of the variables will come up, and you'll be able to set your target by typing:
set target <target router IP>
This will set the target and confirm it is vulnerable.
The target looks good and vulnerable. To fire the payload, type run.
If the exploit is successful, you should be greeted with internal configuration settings that can leak the login and password of users, default passwords, and device serial number, among other settings that allow you to compromise the router. Other modules allow you to remotely inject code or directly disclose the router password. Which you can run depends on what the target router is vulnerable to.
This intro should get you familiar with running RouterSploit to compromise a router, now you can start using other modules and experimenting with different kinds of exploits. Although Autopwn is a convenient feature, it tries a lot of different exploits and thus is very noisy on the network. The preferred option is to scan your target, do some recon, and only run the relevant modules for the manufacturer of the target router. While exploiting routers might be trendy, keep in mind doing so on someone else's router without permission is a crime. Unless you're the CIA.