As you probably already know, the Internet of Things (IoT) has become one of the most important targets for hackers in recent years. The Internet of Things includes just about any device that has an Internet connection such as routers, web cams, baby monitors, Alexa & Google home speakers, and even our new kitchen appliances.
These devices have a small, simple computer embedded in them, usually with a form of Linux as an operating system. While so many of our systems have implemented more secure protocols and procedures, these devices have been left largely unprotected, many of them with default passwords left in place.
In recent years, attacks such the Mirai DDoS attack that knocked out large portions of the internet including Twitter, Netflix and CNN and other attacks have used these largely unprotected devices. Attackers thus compromise millions of these devices and then use them to launch Distributed Denial of Service (DDoS) attacks. With this many devices, no server or service is safe…
Now that these routers and other devices have been used so effectively to DDoS nearly any entire country, more attention is being turned to their security. As a result, a tool known as the routersploit was developed to package together the best known router exploits, similar to Metasploit. In fact, the developers have tried to make the Distributed interface of routersploit similar to Metasploit. This should make getting familiar with routersploit a shorter learning curve for those already familiar with the widely used Metasploit.
Now, let’s get started hacking some routers…
Step #1: Download and Install routersploit
The first step, of course, is to download and install routersploit and it’s requirements. Before we can do that we need to install python3-pip from the Kali repository.
kali > apt-get install python3-pip
Then, we download and install routersploit from github.com.
kali > git clone https://www.github.com/threat9/routersploit
Next, we change directory to the new routersploit directory.
kali > cd routersploit
Now, we can use the requirements.txt file in that directory to download the routersploit requirements from pip.
python3 -m pip install -r requirements
Once we have completed all these steps, we simply need to enter rsf.py (routersploit framework) and we will be greeted by the routersploit splash screen seen below.
Note that routersploit displays its modules across the bottom of the screen similar to Metasploit. It has 127 exploits, 4 scanners , 165 creds, 4 generic and 21 payload modules.
Step #2: Explore Routersploit
Now that we have routersploit up and running, let’s explore it a bit. Just like Metasploit, we can use the show command to have routersploit retrieve modules for us and display them on screen. Let’s first look at the exploits.
rsf > show exploits
As you can see, routersploit has 121 exploit modules that are categorized by manufacturer, model and the vulnerability. Although this may seem like quite a few, there are dozens of router manufacturers and hundreds of models, so these exploits amount to just a few per manufacturer. For instance, there are 4 Huawei exploits for models HG866, HG520, HG530 and E5331. Of course, you will need to find an exploit that works for your particular manufacturer and model.
Now, let’s do the same for scanners
rsf > show scanners
As you can see, there are just four scanners modules.
Step #3: Search Function
Once again, like the Metasploit Framework, routersploit has a search function, but not quite as effective and powerful as Metasploit’s (and Metasploit’s search function is pretty rudimentary). Unlike Metasploit, the search function doesn’t enable us to search by module type or platform, we are simply limited to keyword searches.
For instance, if we want to see all the modules with the keyword “creds”, we can enter;
rsf > search creds
It will display all the “creds” module as well as a few modules that contain the keyword “creds”
Although we can’t search by type or platform, a keyword search for manufacturer can be effective. For instance, my target router is manufactured by “Linksys” . When I enter the keyword linksys after the keyword search, routersploit displays all the creds and exploit modules with the word linksys in them.
rsf > search linksys
Step #4: Scan for Vulnerabilities
If we aren’t sure which exploit to use and we are not concerned with stealth, routersploit has a module named autopwn that will test the router for vulnerabilities. It’s scanner module. We load it just the same as we would in Metasploit with the use command followed by the name of the module.
rsf > use scanners/autopwn
Just like in Metasploit, we can use the show options command to display all the options and variables for this module.
rsf > show options
This display above makes it clear that we need to set the target IP and everything else can be left to the default settings.
rsf > set target 192.168.1.1
Once we have set the target IP address, we just enter run similar to Metasploit.
rsf > run
In this case, routersploit was not able to identify any vulnerabilities in this router, but did find and display the default credentials.
Step #5: Get the Router Credentials
If we can’t exploit a vulnerability in the router, we may want to simply try to get the credentials of the router and take control of it that way. In most cases, this is how many of the IoT attacks have taken place in recent years, due to the fact so many people leave the default credentials in place.
We can see all the credentials modules by entering;
rsf > show creds
Note that there are numerous credential modules that target a particular router type and a particular service such as FTP, SSH, etc.
In this case, let’s try using a brute force creds module for HTTP basic digest authentication to gain access to the router’s admin panel.
rsf > use creds/generic/http_basic_digest_bruteforce
Once we load the module, let’s look at the options similar to how we use Metasploit.
rsf > show options
As you can see, this module simply requires that we enter the target IP address and it has a built in password list at /root/routersploit/routersploit/resources/wordlist. Let’s leave that default setting, but we could use any wordlist from Kali or one we have downloaded by simply setting the passwords variable to the absolute path to the wordlist.
In addition, this module uses a default username of “admin”. We could also set this variable to a file of usernames, but for now let’s just use this default.
rsf > set target 192.168.1.1
To start the module, simply enter run.
rsf > run
This module will then begin to try all password combinations with the username “admin”.
When it completes, it displays that the username of the router is “admin” and the password is “admin”. The user of this router had left in place the default credentials! Now we own this router!
Hacking the Internet of Things has become one of the hottest areas of hacking in recent years. Routersploit has many useful modules for router exploitation, but could use a better search function to find a particular module for the job. Despite this, Routersploit should become one more tool in the hacker’s tool set.