Routersploit: Hacking the Internet of Things (IoT)


Welcome back, my hacker novitiates!

As you probably already know, the Internet of Things (IoT) has become one of the most important targets for hackers in recent years. The Internet of Things includes just about any device that has an Internet connection, such as routers, web cams, baby monitors, Alexa and Google Home speakers, and even our new kitchen appliances.

These devices have a small, simple computer embedded in them, usually with a form of Linux as an operating system. While so many of our systems have implemented more secure protocols and procedures, these devices have been left largely unprotected, many of them with default passwords left in place.

In recent years, attacks such as the Mirai DDoS attack, which knocked out large portions of the internet including Twitter, Netflix and CNN, and other attacks have used these largely unprotected devices. Attackers compromise millions of these devices and then use them to launch Distributed Denial of Service (DDoS) attacks. With this many devices, no server or service is safe!

Now that these routers and other devices have been used so effectively to DDoS nearly an entire nation, more attention is being turned to their security. As a result, a tool known as routersploit was developed to package together the best known router exploits, similar to Metasploit. In fact, the developers have tried to make the interface of routersploit similar to Metasploit. This should give those already familiar with the widely used Metasploit a shorter learning curve with routersploit.

Let’s get started hacking some routers!

Step #1: Download and Install routersploit

The first step, of course, is to download and install routersploit and its requirements. Before we can do that, we need to install python3-pip from the Kali repository.

kali > apt-get install python3-pip

Then, we download and install routersploit from github.com.

kali > git clone https://www.github.com/threat9/routersploit

Next, we change directory to the new routersploit directory.

kali > cd routersploit

Now, we can use the requirements.txt file in that directory to download the routersploit requirements from pip.

kali > python3 -m pip install -r requirements.txt

Once we have completed all these steps, we simply need to run rsf.py (the routersploit framework) and we will be greeted by the routersploit splash screen seen below.

kali > python3 rsf.py

Note that routersploit displays its modules across the bottom of the screen, similar to Metasploit. It has 127 exploits, 4 scanners, 165 creds, 4 generic and 21 payload modules.

Step #2: Explore Routersploit

Now that we have routersploit up and running, let’s explore it a bit. Just like Metasploit, we can use the show command to have routersploit retrieve modules for us and display them on screen. Let’s first look at the exploits.

rsf > show exploits

As you can see, routersploit has 121 exploit modules, categorized by manufacturer, model and vulnerability. Although this may seem like quite a few, there are dozens of router manufacturers and hundreds of models, so these exploits amount to just a few per manufacturer. For instance, there are 4 Huawei exploits, for models HG866, HG520, HG530 and E5331. Of course, you will need to find an exploit that works for your particular manufacturer and model.

Now, let’s do the same for scanners.

rsf > show scanners

As you can see, there are just four scanner modules.

Step #3: Search Function

Once again, like the Metasploit Framework, routersploit has a search function, but it is not quite as effective and powerful as Metasploit’s (and Metasploit’s search function is pretty rudimentary). Unlike Metasploit, the search function doesn’t enable us to search by module type or platform; we are simply limited to keyword searches.

For instance, if we want to see all the modules with the keyword “creds”, we can enter:

rsf > search creds

It will display all the “creds” modules, as well as a few other modules that contain the keyword “creds”.

Although we can’t search by type or platform, a keyword search for the manufacturer can be effective. For instance, my target router is manufactured by “Linksys”. When I enter the keyword linksys after the search command, routersploit displays all the creds and exploit modules with the word linksys in them.

rsf > search linksys

Step #4: Scan for Vulnerabilities

If we aren’t sure which exploit to use and we are not concerned with stealth, routersploit has a module named autopwn that will test the router for vulnerabilities. It is a scanner module. We load it just as we would in Metasploit, with the use command followed by the name of the module.

rsf > use scanners/autopwn

Just like in Metasploit, we can use the show options command to display all the options and variables for this module.

rsf > show options

The display above makes it clear that we only need to set the target IP; everything else can be left at the default settings.

rsf > set target 192.168.1.1

Once we have set the target IP address, we just enter run, similar to Metasploit.

rsf > run

In this case, routersploit was not able to identify any vulnerabilities in this router, but it did find and display the default credentials.

Step #5: Get the Router Credentials

If we can’t exploit a vulnerability in the router, we may want to simply try to get the credentials of the router and take control of it that way. This is how many of the IoT attacks of recent years have taken place, because so many people leave the default credentials in place.

We can see all the credentials modules by entering:

rsf > show creds

Note that there are numerous credential modules, each targeting a particular router type and a particular service such as FTP, SSH, etc.

In this case, let’s try using a brute force creds module for HTTP basic/digest authentication to gain access to the router’s admin panel.

rsf > use creds/generic/http_basic_digest_bruteforce

Once we load the module, let’s look at the options, just as we would in Metasploit.

rsf > show options

As you can see, this module simply requires that we enter the target IP address, and it has a built-in password list at /root/routersploit/routersploit/resources/wordlist. Let’s leave that default setting, but we could use any wordlist from Kali, or one we have downloaded, by simply setting the passwords variable to the absolute path of the wordlist.

In addition, this module uses a default username of “admin”. We could also set this variable to a file of usernames, but for now let’s just use this default.

rsf > set target 192.168.1.1

To start the module, simply enter run.

rsf > run

This module will then try every password in the wordlist with the username “admin”.

When it completes, it displays that the username of the router is “admin” and the password is “admin”. The user of this router had left in place the default credentials! Now we own this router!
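On the other side of the wire, both the autopwn scan from Step #4 and the credential brute force from Step #5 leave a very recognizable trail in the device’s (or an upstream reverse proxy’s) HTTP access log: a burst of 401 responses to one source during a password-guessing run, and one source requesting many distinct paths that mostly answer 404 during a vulnerability scan. The following Python script is an added example written for this page, not code from the original post or from the routersploit project; it parses Combined Log Format lines and flags both patterns. The log lines, IP addresses, probe paths and thresholds are all constructed for illustration.

```python
"""
Flag router-admin brute-force and scanning activity in HTTP access logs.

Added example (not from the original post or the routersploit project).
It reads Combined Log Format lines, as many embedded web servers and
reverse proxies emit them, and reports:

  * credential brute force: more than max_401 responses with status 401
    from one source inside a sliding time window
  * vulnerability scanning: one source requesting at least min_paths
    distinct paths where at least min_404_ratio of its requests were 404

All sample data and thresholds below are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict with ip, ts, path and status, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def detect_bruteforce(events, max_401=5, window=timedelta(seconds=60)):
    """Return the set of source IPs with more than max_401 401s inside any window."""
    per_ip = defaultdict(list)
    for e in events:
        if e["status"] == 401:
            per_ip[e["ip"]].append(e["ts"])
    flagged = set()
    for ip, times in per_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # slide the window start forward until it fits within `window`
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 > max_401:
                flagged.add(ip)
                break
    return flagged


def detect_scan(events, min_paths=8, min_404_ratio=0.75):
    """Return the set of source IPs that probed many distinct paths, mostly getting 404."""
    paths = defaultdict(set)
    counts = defaultdict(lambda: [0, 0])  # ip -> [requests, 404 responses]
    for e in events:
        paths[e["ip"]].add(e["path"])
        counts[e["ip"]][0] += 1
        if e["status"] == 404:
            counts[e["ip"]][1] += 1
    flagged = set()
    for ip, distinct in paths.items():
        total, n404 = counts[ip]
        if len(distinct) >= min_paths and n404 / total >= min_404_ratio:
            flagged.add(ip)
    return flagged


def analyze(lines):
    """Parse the log lines and return both detections keyed by name."""
    events = [e for e in map(parse_line, lines) if e]
    return {"bruteforce": detect_bruteforce(events), "scan": detect_scan(events)}


def _line(ip, sec, path, status):
    # Helper to build one constructed Combined Log Format line.
    return f'{ip} - - [01/Jan/2024:12:00:{sec:02d} +0000] "GET {path} HTTP/1.1" {status} 512'


# Constructed sample: 10.0.0.5 guesses passwords against the admin page,
# 10.0.0.9 probes ten made-up paths, 10.0.0.7 is a normal admin login
# (one 401 challenge, then a successful session).
SAMPLE_LOG = (
    [_line("10.0.0.5", s, "/", 401) for s in range(0, 8)]
    + [_line("10.0.0.9", 10 + i, f"/probe{i}.cgi", 404) for i in range(10)]
    + [_line("10.0.0.9", 21, "/", 200)]
    + [_line("10.0.0.7", 30, "/", 401),
       _line("10.0.0.7", 31, "/", 200),
       _line("10.0.0.7", 32, "/status.html", 200)]
)

if __name__ == "__main__":
    for kind, ips in analyze(SAMPLE_LOG).items():
        print(f"{kind}: {sorted(ips)}")
```

The single 401 challenge that every legitimate basic-auth login produces stays below the threshold, so a normal administrator session is not flagged; only the sustained run of failures is. On a real device, the same logic applied to syslog forwarded from the router, or to the logs of a reverse proxy in front of the admin interface, gives you an early warning that a default-credential check is underway, which is the moment to confirm those defaults have actually been changed.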

Summary

Hacking the Internet of Things has become one of the hottest areas of hacking in recent years. Routersploit has many useful modules for router exploitation, but could use a better search function to find a particular module for the job. Despite this, Routersploit should become one more tool in the hacker’s tool set.