Your path to becoming an Ethical Hacker! Hacking Academy Try It Now!

Exploiting Routers: Hacking into the Internet of Things (IoT) with Routersploit

Search and exploit vulnerabilities in routers and IoT devices with Routersploit, a powerful tool with 121 exploits, 4 scanners, and 165 creds modules.
Welcome back, my new hacker students!

As you may already know, hackers are now focusing on the Internet of Things (IoT) more than ever. The IoT includes devices like routers, webcams, baby monitors, Alexa, Google Home speakers, and even modern kitchen appliances—all of which are connected to the internet.

These devices contain a small, basic computer inside, often running on a version of Linux. While many systems have improved their security measures, these devices are often left vulnerable, with many still using default passwords.

In recent years, attacks like the Mirai DDoS attack have caused major disruptions to the internet, affecting services like Twitter, Netflix, and CNN. Attackers exploit these unprotected devices, compromising millions of them to launch Distributed Denial of Service (DDoS) attacks. With so many devices involved, no server or service is safe from these attacks.

Because these routers and devices have been used so effectively in DDoS attacks, more attention is being paid to their security. To address this, a tool called routersploit was created to bundle together the most effective router exploits, similar to Metasploit. The developers have designed routersploit's interface to resemble Metasploit's, making it easier for those familiar with Metasploit to learn and use routersploit.

Exploiting Routers: Hacking into the Internet of Things (IoT) with Routersploit

Download and Install routersploit

To download and install routersploit, you'll first need to install python3-pip from the Kali repository. Here's how you can do it:

1. Install python3-pip:

apt-get install python3-pip

2. Download and install routersploit from GitHub:

git clone https://www.github.com/threat9/routersploit

3. Change directory to the new routersploit directory:

cd routersploit

4. Use the requirements.txt file to install routersploit requirements from pip:

python3 -m pip install -r requirements.txt

5. Finally, start routersploit by entering:

rsf.py

This should get routersploit up and running on your system.

Exploiting Routers: Hacking into the Internet of Things (IoT) with Routersploit

It's worth noting that routersploit displays its modules across the bottom of the screen, similar to Metasploit. It boasts 127 exploits, 4 scanners, 165 creds, 4 generic, and 21 payload modules.

Explore Routersploit

To explore routersploit, you can use the `show` command, just like in Metasploit. If you want to see the available exploits, you would use the command:

show exploits

Exploiting Routers: Hacking into the Internet of Things (IoT) with Routersploit

As you can see, routersploit's 121 exploit modules are categorized by manufacturer, model, and vulnerability. While this may seem like a large number, considering the numerous router manufacturers and models, it actually amounts to just a few per manufacturer. For example, there are 4 Huawei exploits for models HG866, HG520, HG530, and E5331. It's important to find an exploit that matches your specific manufacturer and model.

To explore the available scanners in routersploit, you would use the command:

show scanners

Exploiting Routers: Hacking into the Internet of Things (IoT) with Routersploit

As you can see, there are just four scanners modules.

Search Function

Like Metasploit, routersploit also has a search function, although it's not as advanced. In routersploit, you can search for modules using keywords, but you can't specify the module type or platform like you can in Metasploit.

To search for modules containing the keyword "creds", you would use the command:

search creds

Exploiting Routers: Hacking into the Internet of Things (IoT) with Routersploit


This command will display all modules with the keyword "creds", as well as some modules that contain the keyword "creds".

While you can't search by type or platform, a keyword search for the manufacturer can be effective. For example, if your target router is manufactured by "Linksys", you can enter the keyword "linksys" after the keyword search to display all creds and exploit modules with "linksys" in their names:

search linksys

Exploiting Routers: Hacking into the Internet of Things (IoT) with Routersploit

Scan for Vulnerabilities

If you're unsure which exploit to use and stealth isn't a concern, routersploit has a module named autopwn that can test the router for vulnerabilities. It's a scanner module. You can load it using the `use` command, just like in Metasploit:

use scanners/autopwn

Exploiting Routers: Hacking into the Internet of Things (IoT) with Routersploit


To view all the options and variables for this module, you can use the `show options` command:

show options

Exploiting Routers: Hacking into the Internet of Things (IoT) with Routersploit


This will show that you need to set the target IP, while leaving everything else to the default settings:

set target 192.168.1.1

Once you've set the target IP address, you can simply enter `run` to execute the scan, similar to Metasploit:

run

Exploiting Routers: Hacking into the Internet of Things (IoT) with Routersploit


In this case, routersploit didn't find any vulnerabilities in the router but did identify and display the default credentials.

Exploiting Routers: Hacking into the Internet of Things (IoT) with Routersploit

Get the Router Credentials

If you can't exploit a vulnerability in the router, you might try getting the credentials instead, as many IoT attacks happen this way due to default credentials being left in place by users.

To see all the credential modules, you can use the command:

show creds

Exploiting Routers: Hacking into the Internet of Things (IoT) with Routersploit


This will display numerous credential modules that target specific router types and services such as FTP, SSH, etc.

Let's try using a brute force creds module for HTTP basic digest authentication to gain access to the router's admin panel:

use creds/generic/http_basic_digest_bruteforce

After loading the module, let's look at the options:

show options

Exploiting Routers: Hacking into the Internet of Things (IoT) with Routersploit


This module requires entering the target IP address and has a built-in password list. We'll use the default settings, but you could use any wordlist from Kali or one you've downloaded by setting the passwords variable to the absolute path to the wordlist.

Set the target IP address:

set target 192.168.1.1

To start the module, enter:

run

Exploiting Routers: Hacking into the Internet of Things (IoT) with Routersploit


The module will begin trying all password combinations with the username "admin". If successful, it will display the username and password, indicating that the default credentials were left in place.

Exploiting Routers: Hacking into the Internet of Things (IoT) with Routersploit

Summary:

Hacking the Internet of Things has become a significant focus for hackers, with routers being a key target. Routersploit offers numerous modules for router exploitation, although its search function could be more effective in finding specific modules. Despite this limitation, Routersploit is a valuable addition to a hacker's toolkit.

It's important to note that hacking into routers or any device without authorization is illegal and unethical. The information provided here is for educational purposes only. Always ensure you have permission before testing or exploiting any system.

إرسال تعليق

Oops!
It seems there is something wrong with your internet connection. Please connect to the internet and start browsing again.
AdBlock Detected!
We have detected that you are using adblocking plugin in your browser.
The revenue we earn by the advertisements is used to manage this website, we request you to whitelist our website in your adblocking plugin.
Cookie Consent
We serve cookies on this site to analyze traffic, remember your preferences, and optimize your experience.