DEV Community

Cover image for Hacking embedded systems using the routersploit tool
Grzegorz Piechnik
Grzegorz Piechnik

Posted on • Edited on

Hacking embedded systems using the routersploit tool

It is natural that routers or cameras, depending on the version and publisher, have their own flawed versions and software vulnerabilities. For vulnerability detection and exploitation of embedded systems there is a framework called routersploit. In this article we will look at its capabilities.

The tool consists of five modules responsible, in turn, for exploiting the device, testing authorization data, vulnerability scans, generating payloads and modules responsible for generic attacks.

Let's move on to practice. To install the tool, we refer you to documentation.

Vulnerability scan

The most commonly used functionality of routersploit is vulnerability scanning. To do this, we first launch the tool, and then set our scanner autopwn with the command:

use scanners/autopwn
Enter fullscreen mode Exit fullscreen mode

Let's check the settings of our module.

rsf (AutoPwn) > show options

Target options:

   Name       Current settings     Description                     
   ----       ----------------     -----------                     
   target                          Target IPv4 or IPv6 address     


Module options:

   Name           Current settings     Description                           
   ----           ----------------     -----------                           
   vendor         any                  Vendor concerned (default: any)       
   http_use       true                 Check HTTP[s] service: true/false     
   http_ssl       false                HTTPS enabled: true/false             
   ftp_use        true                 Check FTP[s] service: true/false      
   ftp_ssl        false                FTPS enabled: true/false              
   ssh_use        true                 Check SSH service: true/false         
   telnet_use     true                 Check Telnet service: true/false      
   snmp_use       true                 Check SNMP service: true/false        
   threads        8                    Number of threads                     
Enter fullscreen mode Exit fullscreen mode

We can see that our target is not yet defined. Since we care about checking our router, we specify the ip of the network gateway (gateway) through the set target IP command. Now it remains to run the vulnerability scan.

rsf (AutoPwn) > run
[*] Running module scanners/autopwn...

[*] 192.168.1.254 Starting vulnerablity check...
[-] 192.168.1.254:80 http exploits/generic/heartbleed is not vulnerable
[-] 192.168.1.254:80 http exploits/routers/zte/f460_f660_backdoor is not vulnerable
[-] 192.168.1.254:80 http exploits/routers/zte/zxhn_h108n_wifi_password_disclosure is not vulnerable
[-] 192.168.1.254:80 http exploits/routers/multi/misfortune_cookie is not vulnerable
[-] 192.168.1.254:80 http exploits/routers/zte/zxv10_rce is not vulnerable
[-] 192.168.1.254:80 http exploits/routers/multi/rom0 is not vulnerable
(...)
Enter fullscreen mode Exit fullscreen mode

If something is detected, you will receive a notification in the console.

Passive vulnerability checking

Another interesting advantage provided by routersploit is a passive scan. Instead of running autopwn as in the previous case, we select one of the vulnerabilities (their list can be checked with the search exploit command) and then use the check command.

rsf (AutoPwn) > use exploits/cameras/grandstream/gxv3611hd_ip_camera_sqli\
rsf (Grandsteam GXV3611 HD – SQL Injection) > check\
[-] Target is not vulnerable
Enter fullscreen mode Exit fullscreen mode

Bruteforce

Routersploit also provides the ability to bruteforce attack network services including, among others, protocols: HTTP, FTP or Telnet. We can check their full list via the search bruteforce command.

rsf > search bruteforce
creds/generic/telnet_bruteforce
creds/generic/http_basic_digest_bruteforce
creds/generic/ssh_bruteforce
creds/generic/snmp_bruteforce
creds/generic/ftp_bruteforce
Enter fullscreen mode Exit fullscreen mode

Suppose we would like to use the creds/generic/http_basic_digest_bruteforce module.

rsf > use creds/generic/http_basic_digest_bruteforce
rsf (HTTP Basic/Digest Bruteforce) > run
[*] Running module...
[*] Elapsed time:  1.97385120392 seconds
[+] Credentials found!

   Target          Port     Login     Password
   ------          ----     -----     --------
   192.168.1.254    80      admin     password
Enter fullscreen mode Exit fullscreen mode

After running, the results will be displayed in the console.

Sources

https://github.com/threat9/routersploit
https://www.kali.org/tools/routersploit/
https://kalitut.com/routersploit/

Top comments (0)