Routers, IP cameras and similar embedded devices ship, depending on vendor and firmware version, with their own software vulnerabilities. RouterSploit is a framework for detecting and exploiting such flaws in embedded systems. In this article we look at its capabilities.
The tool's modules fall into five categories: exploits (code for specific device vulnerabilities), creds (testing default and weak authentication data), scanners (checking a target against many exploits at once), payloads (generating payloads to run on an exploited device) and generic modules for generic attacks.
Let's move on to practice. For installation, see the project documentation (linked in the Sources section at the end of this article).
Vulnerability scan
The most commonly used functionality of routersploit is vulnerability scanning. To do this, we first launch the tool and then select the autopwn scanner with the command:
use scanners/autopwn
Let's check the settings of our module.
rsf (AutoPwn) > show options

Target options:

   Name       Current settings     Description
   ----       ----------------     -----------
   target                          Target IPv4 or IPv6 address

Module options:

   Name         Current settings     Description
   ----         ----------------     -----------
   vendor       any                  Vendor concerned (default: any)
   http_use     true                 Check HTTP[s] service: true/false
   http_ssl     false                HTTPS enabled: true/false
   ftp_use      true                 Check FTP[s] service: true/false
   ftp_ssl      false                FTPS enabled: true/false
   ssh_use      true                 Check SSH service: true/false
   telnet_use   true                 Check Telnet service: true/false
   snmp_use     true                 Check SNMP service: true/false
   threads      8                    Number of threads
We can see that the target is not yet set. Since we want to check our own router, we point the scanner at the address of the network gateway with the set target <IP> command (here 192.168.1.254, the address that appears in the output below). Two things worth knowing before running it: despite its name, autopwn does not exploit anything; it runs the check method of every exploit module whose service type matches the enabled *_use options and reports which ones match. And with vendor left at any, every module is tried; setting it to the device's vendor keeps the scan shorter and quieter. Now it remains to run the vulnerability scan.
rsf (AutoPwn) > run
[*] Running module scanners/autopwn...
[*] 192.168.1.254 Starting vulnerablity check...
[-] 192.168.1.254:80 http exploits/generic/heartbleed is not vulnerable
[-] 192.168.1.254:80 http exploits/routers/zte/f460_f660_backdoor is not vulnerable
[-] 192.168.1.254:80 http exploits/routers/zte/zxhn_h108n_wifi_password_disclosure is not vulnerable
[-] 192.168.1.254:80 http exploits/routers/multi/misfortune_cookie is not vulnerable
[-] 192.168.1.254:80 http exploits/routers/zte/zxv10_rce is not vulnerable
[-] 192.168.1.254:80 http exploits/routers/multi/rom0 is not vulnerable
(...)
If a module reports the target as vulnerable, the corresponding line is marked [+] instead of [-], and at the end of the run the scanner prints a summary of the modules that matched, which can then be selected with use and run individually.
Checking a single vulnerability
Another useful feature of routersploit is testing for one specific vulnerability instead of running the whole autopwn sweep. We select an exploit module (the list can be obtained with the search exploit command, or search followed by a vendor name) and then use the check command. This is sometimes described as a passive check, but it is not passive in the network sense: the module still sends a probe request to the device. What check does not do is exploit the flaw; that is what the run command would do.
rsf (AutoPwn) > use exploits/cameras/grandstream/gxv3611hd_ip_camera_sqli
rsf (Grandstream GXV3611 HD - SQL Injection) > check
[-] Target is not vulnerable
Bruteforce
Routersploit also provides bruteforce modules for network services, among them HTTP (Basic/Digest authentication), FTP, SSH, Telnet and SNMP. The full list can be obtained with the search bruteforce command.
rsf > search bruteforce
creds/generic/telnet_bruteforce
creds/generic/http_basic_digest_bruteforce
creds/generic/ssh_bruteforce
creds/generic/snmp_bruteforce
creds/generic/ftp_bruteforce
Suppose we want to use the creds/generic/http_basic_digest_bruteforce module. As with the scanner, the target has to be set before the run (show options also lists the port, the URL path and the username/password wordlists the module will try); after that:
rsf > use creds/generic/http_basic_digest_bruteforce
rsf (HTTP Basic/Digest Bruteforce) > run
[*] Running module...
[*] Elapsed time: 1.97385120392 seconds
[+] Credentials found!
   Target           Port   Login   Password
   ------           ----   -----   --------
   192.168.1.254    80     admin   password
After the run, any valid credentials are listed in the console. Two practical caveats: the module tries every combination of the supplied username and password lists, so a large wordlist against a slow embedded web server takes a long time, and some devices lock the administrator account or rate-limit logins after repeated failures, which can turn the test into a denial of service for the legitimate administrator.
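To make the check-versus-run split from the scanning sections and the bruteforce loop concrete, here is an added example written for this article; it is not routersploit's own code. It stands up a small HTTP Basic-auth server on localhost as a stand-in for a router admin page (the DemoRouter realm, the admin/password credentials and the wordlists are constructed for the demo), then runs a check in the style of an exploit module's check method (one unauthenticated request, three-state answer: True, False or None when it cannot decide) and a Basic-auth bruteforce with a stop_on_success switch. Digest authentication, which the real module also handles, is not implemented here.

```python
"""Added example (not routersploit's own code): a local HTTP Basic-auth target,
a non-exploiting check() in the style of routersploit modules, and a
credential bruteforce loop with stop_on_success."""
import base64
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError

# Constructed test target: the credentials and realm are demo assumptions.
VALID_CREDS = ("admin", "password")
REALM = "DemoRouter"


class FakeRouter(BaseHTTPRequestHandler):
    """Minimal 'router admin page': 401 with a Basic challenge unless the
    Authorization header carries the valid credentials."""

    def do_GET(self):
        token = base64.b64encode(":".join(VALID_CREDS).encode()).decode()
        if self.headers.get("Authorization", "") == "Basic " + token:
            self.send_response(200)
            self.send_header("Content-Type", "text/html")
            self.end_headers()
            self.wfile.write(b"<title>DemoRouter admin</title>")
        else:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="%s"' % REALM)
            self.end_headers()

    def log_message(self, *args):  # keep the demo output quiet
        pass


def start_target():
    """Bind the fake router on 127.0.0.1 on a free port; return its base URL."""
    srv = HTTPServer(("127.0.0.1", 0), FakeRouter)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return "http://127.0.0.1:%d" % srv.server_port


def fetch(url, auth=None, timeout=3):
    """GET url, optionally with HTTP Basic credentials.
    Returns (status, headers); HTTP error statuses are returned, not raised."""
    req = urllib.request.Request(url)
    if auth is not None:
        token = base64.b64encode(("%s:%s" % auth).encode()).decode()
        req.add_header("Authorization", "Basic " + token)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.headers
    except HTTPError as e:
        return e.code, e.headers


def check_basic_auth_realm(base_url, realm_marker):
    """The 'check' half of a module: a single unauthenticated request and no
    exploitation. True = the challenge names the expected realm, False = some
    other realm, None = no Basic challenge at all, so this check does not apply."""
    status, headers = fetch(base_url + "/")
    if status != 401:
        return None
    return realm_marker in headers.get("WWW-Authenticate", "")


def bruteforce_basic(base_url, usernames, passwords, stop_on_success=True):
    """Try every username/password pair in order; return the valid pairs.
    With stop_on_success the loop ends at the first hit, like the module option."""
    found = []
    for user in usernames:
        for pw in passwords:
            status, _ = fetch(base_url + "/", auth=(user, pw))
            if status == 200:
                found.append((user, pw))
                if stop_on_success:
                    return found
    return found


if __name__ == "__main__":
    url = start_target()
    print("check:", check_basic_auth_realm(url, "DemoRouter"))
    print("creds:", bruteforce_basic(url, ["root", "admin"], ["1234", "admin", "password"]))
```

The three-state return of check_basic_auth_realm is the point to carry over: a scanner like autopwn can only summarise reliably if "not applicable" is distinguishable from "not vulnerable", and the bruteforce loop's stop_on_success is what keeps the number of failed logins, and thus the lockout risk mentioned above, as low as possible.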
Sources
https://github.com/threat9/routersploit
https://www.kali.org/tools/routersploit/
https://kalitut.com/routersploit/