Installing routersploit on macOS Big Sur

  1. Installing routersploit on macOS Big Sur
      1. Revision history
      2. Introduction
      3. Preparing the environment
      4. Installing routersploit
        1. Upgrading pip
      5. Using Routersploit
      6. Testing default-password logins against the router's TELNET port
      7. Trying the web admin interface
      8. Trying the admin interface over SSH
      9. Running the Netgear vulnerability scan
      10. Scanning a router whose vendor or model is unknown
      11. Scanning for credentials over FTP and TELNET using defaults and brute force
      12. Showing the wordlists in use
      13. Exiting Routersploit
      14. Updating the vulnerability data

Revision history

  • 2022.10.20

Introduction

This document shows the procedure for installing RouterSploit, a vulnerability scanning tool for routers, and running an actual scan with it. The tool also includes functions for detecting default passwords and brute-forcing authentication over HTTP, SSH, FTP and TELNET, so it is mainly useful for vulnerability assessment of network devices.

Preparing the environment

  • This tool requires python3, so install it with Homebrew.
  • First, check the package information.

$ brew info python3🆑
==> python@3.10: stable 3.10.6 (bottled)
Interpreted, interactive, object-oriented programming language
https://www.python.org/
/usr/local/Cellar/python@3.10/3.10.5 (3,150 files, 57.0MB)
  Poured from bottle on 2022-08-04 at 18:18:54
/usr/local/Cellar/python@3.10/3.10.6_2 (3,129 files, 56.8MB) *
  Poured from bottle on 2022-09-26 at 16:10:18
From: https://github.com/Homebrew/homebrew-core/blob/HEAD/Formula/python@3.10.rb
License: Python-2.0
==> Dependencies
Build: pkg-config ✔
Required: gdbm ✔, mpdecimal ✔, openssl@1.1 ✔, readline ✔, sqlite ✔, xz ✔
==> Caveats
Python has been installed as
  /usr/local/bin/python3

Unversioned symlinks `python`, `python-config`, `pip` etc. pointing to
`python3`, `python3-config`, `pip3` etc., respectively, have been installed into
  /usr/local/opt/python@3.10/libexec/bin

You can install Python packages with
  pip3 install <package>
They will install into the site-package directory
  /usr/local/lib/python3.10/site-packages

tkinter is no longer included with this formula, but it is available separately:
  brew install python-tk@3.10

See: https://docs.brew.sh/Homebrew-and-Python
==> Analytics
install: 855,627 (30 days), 2,210,167 (90 days), 5,290,618 (365 days)
install-on-request: 366,590 (30 days), 840,499 (90 days), 1,491,904 (365 days)
build-error: 548 (30 days)
$

  • Run the install.

$ brew install python3🆑
Running `brew update --auto-update`...

(output omitted)

  • Check the version.

$ python3 --version🆑
Python 3.10.8
$

Installing routersploit

  • The module is on GitHub, so clone it.

$ git clone https://www.github.com/threat9/routersploit🆑
Cloning into 'routersploit'...
warning: redirecting to https://github.com/threat9/routersploit.git/
remote: Enumerating objects: 8538, done.

remote: Counting objects: 100% (2/2), done.

remote: Compressing objects: 100% (2/2), done.
remote: Total 8538 (delta 0), reused 2 (delta 0), pack-reused 8536
Receiving objects: 100% (8538/8538), 1.78 MiB | 8.52 MiB/s, done.
Resolving deltas: 100% (6177/6177), done.
$

  • Check the files in the cloned directory.

$ cd routersploit🆑
$ ls -la🆑
total 52
drwxr-xr-x 21 ujpadmin staff  672 10 20 11:07 .
drwxr-xr-x 32 ujpadmin staff 1024 10 20 11:07 ..
-rw-r--r--  1 ujpadmin staff   58 10 20 11:07 .dockerignore
drwxr-xr-x 12 ujpadmin staff  384 10 20 11:07 .git
drwxr-xr-x  4 ujpadmin staff  128 10 20 11:07 .github
-rw-r--r--  1 ujpadmin staff  888 10 20 11:07 .gitignore
drwxr-xr-x  4 ujpadmin staff  128 10 20 11:07 .travis
-rw-r--r--  1 ujpadmin staff  212 10 20 11:07 .travis.yml
-rw-r--r--  1 ujpadmin staff 1710 10 20 11:07 CONTRIBUTING.md
-rw-r--r--  1 ujpadmin staff  170 10 20 11:07 Dockerfile
-rw-r--r--  1 ujpadmin staff 1844 10 20 11:07 LICENSE
-rw-r--r--  1 ujpadmin staff  175 10 20 11:07 MANIFEST.in
-rw-r--r--  1 ujpadmin staff 1110 10 20 11:07 Makefile
-rw-r--r--  1 ujpadmin staff 3515 10 20 11:07 README.md
drwxr-xr-x  3 ujpadmin staff   96 10 20 11:07 docs
-rw-r--r--  1 ujpadmin staff  154 10 20 11:07 requirements-dev.txt
-rw-r--r--  1 ujpadmin staff   60 10 20 11:07 requirements.txt
drwxr-xr-x  8 ujpadmin staff  256 10 20 11:07 routersploit
-rwxr-xr-x  1 ujpadmin staff  884 10 20 11:07 rsf.py
-rw-r--r--  1 ujpadmin staff 1507 10 20 11:07 setup.py
drwxr-xr-x 12 ujpadmin staff  384 10 20 11:07 tests
$

  • Check which additional modules are needed.

$ cat requirements.txt🆑
future
requests==2.21.0
paramiko
pysnmp==4.4.6
pycryptodome
$

  • Install the additional modules.

$ sudo python3 -m pip install -r requirements.txt🆑
Password:🔑

WARNING: The directory '/Users/ujpadmin/Library/Caches/pip' or its parent directory is not owned
 or is not writable by the current user. The cache has been disabled. Check the permissions and owner
 of that directory. If executing pip with sudo, you should use sudo's -H flag.

Collecting future
  Downloading future-0.18.2.tar.gz (829 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 829.2/829.2 kB 9.5 MB/s eta 0:00:00
  Preparing metadata (setup.py) ... done
Collecting requests==2.21.0
  Downloading requests-2.21.0-py2.py3-none-any.whl (57 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 58.0/58.0 kB 13.7 MB/s eta 0:00:00
Collecting paramiko
  Downloading paramiko-2.11.0-py2.py3-none-any.whl (212 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 212.9/212.9 kB 11.7 MB/s eta 0:00:00
Collecting pysnmp==4.4.6
  Downloading pysnmp-4.4.6-py2.py3-none-any.whl (291 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 291.2/291.2 kB 10.7 MB/s eta 0:00:00
Collecting pycryptodome
  Downloading pycryptodome-3.15.0-cp35-abi3-macosx_10_9_x86_64.whl (1.6 MB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 1.6/1.6 MB 9.7 MB/s eta 0:00:00
Collecting certifi>=2017.4.17
  Downloading certifi-2022.9.24-py3-none-any.whl (161 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 161.1/161.1 kB 11.0 MB/s eta 0:00:00
Collecting chardet<3.1.0,>=3.0.2
  Downloading chardet-3.0.4-py2.py3-none-any.whl (133 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 133.4/133.4 kB 10.7 MB/s eta 0:00:00
Collecting idna<2.9,>=2.5
  Downloading idna-2.8-py2.py3-none-any.whl (58 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 58.6/58.6 kB 17.0 MB/s eta 0:00:00
Collecting urllib3<1.25,>=1.21.1
  Downloading urllib3-1.24.3-py2.py3-none-any.whl (118 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 118.8/118.8 kB 10.5 MB/s eta 0:00:00
Collecting pysmi
  Downloading pysmi-0.3.4-py2.py3-none-any.whl (80 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 80.0/80.0 kB 10.9 MB/s eta 0:00:00
Collecting pycryptodomex
  Downloading pycryptodomex-3.15.0-cp35-abi3-macosx_10_9_x86_64.whl (1.6 MB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 1.6/1.6 MB 9.8 MB/s eta 0:00:00
Collecting pyasn1>=0.2.3
  Downloading pyasn1-0.4.8-py2.py3-none-any.whl (77 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 77.1/77.1 kB 11.8 MB/s eta 0:00:00
Collecting pynacl>=1.0.1
  Downloading PyNaCl-1.5.0-cp36-abi3-macosx_10_10_universal2.whl (349 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 349.9/349.9 kB 10.2 MB/s eta 0:00:00
Collecting bcrypt>=3.1.3
  Downloading bcrypt-4.0.1-cp36-abi3-macosx_10_10_universal2.whl (473 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 473.4/473.4 kB 10.0 MB/s eta 0:00:00
Requirement already satisfied: six in /usr/local/lib/python3.10/site-packages (from paramiko->-r requirements.txt (line 3)) (1.16.0)
Collecting cryptography>=2.5
  Downloading cryptography-38.0.1-cp36-abi3-macosx_10_10_x86_64.whl (2.8 MB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 2.8/2.8 MB 9.7 MB/s eta 0:00:00
Collecting cffi>=1.12
  Downloading cffi-1.15.1-cp310-cp310-macosx_10_9_x86_64.whl (179 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 179.2/179.2 kB 11.2 MB/s eta 0:00:00
Collecting ply
  Downloading ply-3.11-py2.py3-none-any.whl (49 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 49.6/49.6 kB 15.1 MB/s eta 0:00:00
Collecting pycparser
  Downloading pycparser-2.21-py2.py3-none-any.whl (118 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 118.7/118.7 kB 7.8 MB/s eta 0:00:00
Building wheels for collected packages: future
  Building wheel for future (setup.py) ... done
  Created wheel for future: filename=future-0.18.2-py3-none-any.whl size=491058 sha256=66a2296ebe9514579aa8e1f47ab7f4f294205920d8d5e3f86ee9fb03b53befc5
  Stored in directory: /private/tmp/pip-ephem-wheel-cache-5tuig5tu/wheels/22/73/06/557dc4f4ef68179b9d763930d6eec26b88ed7c389b19588a1c
Successfully built future
Installing collected packages: pyasn1, ply, chardet, urllib3, pysmi, pycryptodomex, pycryptodome, pycparser,
 idna, future, certifi, bcrypt, requests, pysnmp, cffi, pynacl, cryptography, paramiko
Successfully installed bcrypt-4.0.1 certifi-2022.9.24 cffi-1.15.1 chardet-3.0.4 cryptography-38.0.1 future-0.18.2
 idna-2.8 paramiko-2.11.0 ply-3.11 pyasn1-0.4.8 pycparser-2.21 pycryptodome-3.15.0 pycryptodomex-3.15.0
 pynacl-1.5.0 pysmi-0.3.4 pysnmp-4.4.6 requests-2.21.0 urllib3-1.24.3
WARNING: Running pip as the 'root' user can result in broken permissions and conflicting behaviour with the
 system package manager. It is recommended to use a virtual environment instead: https://pip.pypa.io/warnings/venv
[notice] A new release of pip available: 22.2.2 -> 22.3
[notice] To update, run: python3.10 -m pip install --upgrade pip
$

  • The module install itself seems fine, but there are issues such as pip being out of date, so check those.

Upgrading pip

$ python3.10 -m pip install --upgrade pip🆑
Requirement already satisfied: pip in /usr/local/lib/python3.10/site-packages (22.2.2)
Collecting pip
  Downloading pip-22.3-py3-none-any.whl (2.1 MB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 2.1/2.1 MB 8.6 MB/s eta 0:00:00
Installing collected packages: pip
  Attempting uninstall: pip
    Found existing installation: pip 22.2.2
    Uninstalling pip-22.2.2:
      Successfully uninstalled pip-22.2.2
Successfully installed pip-22.3
$

  • One more check: the permissions on the cache directory.

$ ls -la ~/Library/Caches/pip🆑
total 0
drwxr-xr-x    4 ujpadmin staff  128  2 14  2022 .
drwx------+ 119 ujpadmin staff 3808 10 20 11:03 ..
drwxr-xr-x   18 ujpadmin staff  576  2 14  2022 http
drwxr-xr-x    3 ujpadmin staff   96  2 14  2022 selfcheck
$

  • Nothing seems to be wrong, so continue.

Using Routersploit

  • Try out the Routersploit that was just installed.

$ python3 rsf.py🆑
 ______            _            _____       _       _ _
 | ___ \          | |          /  ___|     | |     (_) |
 | |_/ /___  _   _| |_ ___ _ __\ `--. _ __ | | ___  _| |_
 |    // _ \| | | | __/ _ \ '__|`--. \ '_ \| |/ _ \| | __|
 | |\ \ (_) | |_| | ||  __/ |  /\__/ / |_) | | (_) | | |_
 \_| \_\___/ \__,_|\__\___|_|  \____/| .__/|_|\___/|_|\__|
                                     | |
       Exploitation Framework for    |_|    by Threat9
            Embedded Devices

 Codename   : I Knew You Were Trouble
 Version    : 3.4.1
 Homepage   : https://www.threat9.com - @threatnine
 Join Slack : https://www.threat9.com/slack

 Join Threat9 Beta Program - https://www.threat9.com

 Exploits: 132 Scanners: 4 Creds: 171 Generic: 4 Payloads: 32 Encoders: 6

rsf >

  • It started.
  • Check the command list.

rsf > help🆑
Global commands:
    help                        Print this help menu
    use <module>                Select a module for usage
    exec <shell command> <args> Execute a command in a shell
    search <search term>        Search for appropriate module
    exit                        Exit RouterSploit
rsf >

Testing default-password logins against the router's TELNET port

  • Routers are often accessed over TELNET, so check whether the router is still on its default password.
  • First, select the module to use.

rsf > use creds/generic/telnet_default
rsf (Telnet Default Creds) >

  • Which lists will be used can be checked with the following command.

rsf (Telnet Default Creds) > show wordlists

   Wordlist          Path
   --------          ----
   passwords.txt     file:///Users/ujpadmin/bin/routersploit/routersploit/resources/wordlists/passwords.txt
   defaults.txt      file:///Users/ujpadmin/bin/routersploit/routersploit/resources/wordlists/defaults.txt
   snmp.txt          file:///Users/ujpadmin/bin/routersploit/routersploit/resources/wordlists/snmp.txt
   usernames.txt     file:///Users/ujpadmin/bin/routersploit/routersploit/resources/wordlists/usernames.txt

rsf (Telnet Default Creds) >

  • In another shell, look at part of the list.

$ cat /Users/ujpadmin/bin/routersploit/routersploit/resources/wordlists/defaults.txt |head
1111:1111
1234:1234
1502:1502
266344:266344
3comcso:RIP000
4Dgifts:
666666:666666
66666:6666666
888888:888888
ADMINISTRATOR:ADMINISTRATOR
$

  • Specify the IP address of the router under test and run check.

rsf (Telnet Default Creds) > set target 192.168.20.1🆑
[+] target => 192.168.20.1
rsf (Telnet Default Creds) > check
[*] Target exposes Telnet service
[+] Target is vulnerable
rsf (Telnet Default Creds)

  • "Target is vulnerable" is a little concerning, but it probably only means "the service was confirmed to be present".
  • Run the vulnerability scan.

rsf (Telnet Default Creds) > run🆑
[*] Running module creds/generic/telnet_default...
[*] Target exposes Telnet service
[*] Starting default credentials attack against Telnet service
[-] 192.168.20.1:23 Telnet Error while authenticating to the server telnet connection closed
[-] 192.168.20.1:23 Telnet Error while authenticating to the server telnet connection closed
[-] 192.168.20.1:23 Telnet Error while authenticating to the server telnet connection closed
[-] 192.168.20.1:23 Telnet Error while authenticating to the server telnet connection closed
[-] 192.168.20.1:23 Telnet Error while authenticating to the server telnet connection closed
[-] 192.168.20.1:23 Telnet Authentication Failed - Username: '1502' Password: '1502'
[-] 192.168.20.1:23 Telnet Error while authenticating to the server telnet connection closed
[-] 192.168.20.1:23 Telnet Authentication Failed - Username: '1111' Password: '1111'
[-] 192.168.20.1:23 Telnet Error while authenticating to the server telnet connection closed
[-] 192.168.20.1:23 Telnet Error while authenticating to the server telnet connection closed
[-] 192.168.20.1:23 Telnet Error while authenticating to the server telnet connection closed
[-] 192.168.20.1:23 Telnet Error while authenticating to the server telnet connection closed
[-] 192.168.20.1:23 Telnet Error while authenticating to the server telnet connection closed

(output omitted)

[-] 192.168.20.1:23 Telnet Error while authenticating to the server telnet connection closed
[-] 192.168.20.1:23 Telnet Error while authenticating to the server telnet connection closed
[*] Elapsed time: 19.7000 seconds
[-] Credentials not found
rsf (Telnet Default Creds) >

  • This time the target was a Yamaha RTX1200. When you connect to it over TELNET it first asks for the login password, as shown below, so a normal username/password response results in nothing but errors. In other words, it was not a suitable test target.
  • An example of the error condition on the RTX1200.

$ telnet 192.168.20.1🆑
Trying 192.168.20.1...
Connected to 192.168.20.1.
Escape character is '^]'.

Password:🆑
Username: yamaha🆑
Password:🔑

RTX1200 Rev.10.01.76 (Fri Apr 13 12:25:45 2018)
  Copyright (c) 1994-2018 Yamaha Corporation. All Rights Reserved.
  Copyright (c) 1991-1997 Regents of the University of California.
  Copyright (c) 1995-2004 Jean-loup Gailly and Mark Adler.
  Copyright (c) 1998-2000 Tokyo Institute of Technology.
  Copyright (c) 2000 Japan Advanced Institute of Science and Technology, HOKURIKU.
  Copyright (c) 2002 RSA Security

  • Try another approach.

Trying the web admin interface

  • Many routers have a web admin interface, so try a credential attack against it.
  • The modules used are http_basic_digest_default and http_basic_digest_bruteforce.

rsf (Telnet Default Creds) > use creds/generic/http_basic_digest_default🆑
rsf (HTTP Basic/Digest Default Creds) > set target 192.168.20.214
[+] target => 192.168.20.214🆑
rsf (HTTP Basic/Digest Default Creds) > check🆑
[-] Resource / is not protected by Basic/Digest Auth
[-] Target is not vulnerable
rsf (HTTP Basic/Digest Default Creds) >
rsf (HTTP Basic/Digest Default Creds) > run
[*] Running module creds/generic/http_basic_digest_default...
[-] Resource / is not protected by Basic/Digest Auth
rsf (HTTP Basic/Digest Default Creds) > use creds/generic/http_basic_digest_bruteforce🆑
rsf (HTTP Basic/Digest Bruteforce) > check🆑
[-] Resource / is not protected by Basic/Digest Auth
[-] Target is not vulnerable
rsf (HTTP Basic/Digest Bruteforce) >
rsf (HTTP Basic/Digest Bruteforce) > run🆑
[*] Running module creds/generic/http_basic_digest_bruteforce...
[-] Resource / is not protected by Basic/Digest Auth
rsf (HTTP Basic/Digest Bruteforce) >

  • Neither module appears to apply to this device, so no test was even run.

Trying the admin interface over SSH

  • Enable SSH login on the RTX1200 and try logging in with the default-password list.
  • First, create an account on the RTX1200 that can connect over SSH.

$ telnet 192.168.100.1🆑
Trying 192.168.100.1...
Connected to 192.168.100.1.
Escape character is '^]'.

Password:🔑

RTX1200 Rev.10.01.23 (build 2) (Fri May 28 11:27:30 2010)
  Copyright (c) 1994-2009 Yamaha Corporation. All Rights Reserved.
  Copyright (c) 1991-1997 Regents of the University of California.
  Copyright (c) 1995-2004 Jean-loup Gailly and Mark Adler.
  Copyright (c) 1998-2000 Tokyo Institute of Technology.
  Copyright (c) 2000 Japan Advanced Institute of Science and Technology, HOKURIKU.
  Copyright (c) 2002 RSA Security Inc. All rights reserved.
  Copyright (c) 1997-2004 University of Cambridge. All rights reserved.
  Copyright (C) 1997 - 2002, Makoto Matsumoto and Takuji Nishimura, All rights reserved.
  Copyright (c) 1995 Tatu Ylonen , Espoo, Finland All rights reserved.
  Copyright (c) 1998-2004 The OpenSSL Project.  All rights reserved.
  Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) All rights reserved.
  Copyright (c) 2006 Digital Arts Inc. All Rights Reserved.
Memory 128Mbytes, 3LAN, 1BRI
[rtx1200-2]> administrator🆑
Password:🔑
There are changed configuration unsaved in nonvolatile memory!
[rtx1200-2]# login user admin🆑
New_Password:1234🆑 (a deliberately simple password, for convenience)
New_Password:1234🆑 (a deliberately simple password, for convenience)
[rtx1200-2]# sshd host key generate🆑
Generating public/private dsa key pair ...
|*******
Generating public/private rsa key pair ...
|*******
[rtx1200-2]# sshd service on🆑
[rtx1200-2]#

  • Created user admin with password 1234.
  • Enabled the sshd service.
  • Create the password list.

$ cat /Users/ujpadmin/bin/routersploit/routersploit/resources/wordlists/defaults.txt🆑
admin:1234

  • Run a login attempt using the password list just created.

rsf > use creds/generic/ssh_default🆑
rsf (SSH Default Creds) > set target  192.168.100.1🆑
[+] target => 192.168.100.1🆑
rsf (SSH Default Creds) > check🆑
[*] Target exposes SSH service
[+] Target is vulnerable
rsf (SSH Default Creds) > run🆑
[*] Running module creds/generic/ssh_default...
[*] Target exposes SSH service
[*] Starting default credentials attack against SSH service
[+] 192.168.100.1:22 SSH Authentication Successful - Username: 'admin' Password: '1234'
[*] Elapsed time: 0.7500 seconds
[+] Credentials found!

   Target            Port     Service     Username     Password
   ------            ----     -------     --------     --------
   192.168.100.1     22       ssh         admin        1234🈁

rsf (SSH Default Creds) >

It reports Credentials found! and lists the password that was found.
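As an added example (not from the article and not RouterSploit's own code), the Python below reads the username:password wordlist format shown in defaults.txt above and reports which of a device's configured accounts the creds/generic/*_default modules would find, which is the check that caught admin:1234 in the SSH test. The wordlist text and the account list are constructed samples, and the parse_defaults/audit_accounts helpers are mine.

```python
"""Audit router accounts against a RouterSploit-style defaults wordlist.

Added example, not part of the original article or of RouterSploit itself.
It parses the 'username:password' format of defaults.txt and reports which
of a device's configured accounts the creds/generic/*_default modules would
find. The wordlist text and the account list below are constructed samples
built from the lines shown in the article.
"""
from typing import Dict, List, Tuple

# Constructed sample: the first lines of defaults.txt as printed in the
# article, plus the admin:1234 entry the author added for the SSH test.
DEFAULTS_TXT = """\
1111:1111
1234:1234
1502:1502
266344:266344
3comcso:RIP000
4Dgifts:
666666:666666
66666:6666666
888888:888888
ADMINISTRATOR:ADMINISTRATOR
admin:1234
"""


def parse_defaults(text: str) -> List[Tuple[str, str]]:
    """Parse 'username:password' lines into (user, password) pairs.

    Only the first ':' separates the fields, so a password may itself contain
    a colon; a missing password (e.g. '4Dgifts:') means an empty password.
    Blank lines and lines without a separator are skipped.
    """
    pairs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or ":" not in line:
            continue
        user, _, password = line.partition(":")
        pairs.append((user, password))
    return pairs


def audit_accounts(accounts: Dict[str, str], defaults: List[Tuple[str, str]],
                   case_insensitive_user: bool = True) -> Dict[str, str]:
    """Return {username: matching wordlist entry} for accounts in the list.

    Many device logins treat the username case-insensitively, so usernames are
    folded by default (erring on the side of reporting); passwords are
    compared exactly, as the module would send them.
    """
    index: Dict[str, set] = {}
    for user, password in defaults:
        key = user.lower() if case_insensitive_user else user
        index.setdefault(key, set()).add(password)
    hits = {}
    for user, password in accounts.items():
        key = user.lower() if case_insensitive_user else user
        if password in index.get(key, ()):
            hits[user] = f"{user}:{password}"
    return hits


# Constructed sample of a device's configured accounts (hypothetical values).
DEVICE_ACCOUNTS = {
    "admin": "1234",                  # the account created on the RTX1200 above
    "Administrator": "ADMINISTRATOR",
    "ops": "Correct-Horse-Battery-Staple",
    "4dgifts": "",                    # empty password, matches '4Dgifts:'
}

if __name__ == "__main__":
    weak = audit_accounts(DEVICE_ACCOUNTS, parse_defaults(DEFAULTS_TXT))
    for user, entry in weak.items():
        print(f"[!] {user!r} uses a well-known default ({entry})")
```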

Running the Netgear vulnerability scan

  • Narrow down the scan target.
  • First, type up to exploits.

rsf > use exploits

  • Then press the tab key and the candidates appear.
    • In this document a tab keypress is represented by ♐️ for convenience.

rsf > use exploits/♐️
exploits/cameras/  exploits/generic/  exploits/misc/     exploits/routers/
rsf > use exploits/

  • This time the target is a router, so select routers.

rsf > use exploits/routers/♐️
exploits/routers/2wire/        exploits/routers/dlink/        exploits/routers/netgear/🈁
exploits/routers/3com/         exploits/routers/fortinet/     exploits/routers/netsys/
exploits/routers/asmax/        exploits/routers/huawei/       exploits/routers/shuttle/
exploits/routers/asus/         exploits/routers/ipfire/       exploits/routers/technicolor/
exploits/routers/belkin/       exploits/routers/linksys/      exploits/routers/thomson/
exploits/routers/bhu/          exploits/routers/mikrotik/     exploits/routers/tplink/
exploits/routers/billion/      exploits/routers/movistar/     exploits/routers/ubiquiti/
exploits/routers/cisco/        exploits/routers/multi/        exploits/routers/zte/
exploits/routers/comtrend/     exploits/routers/netcore/      exploits/routers/zyxel/
rsf > use exploits/routers/

  • At home I only have a Yamaha router and a Netgear access point, and Yamaha does not seem to be in the list.
  • Select netgear this time.

rsf > use exploits/routers/netgear/♐️
exploits/routers/netgear/dgn2200_dnslookup_cgi_rce
exploits/routers/netgear/dgn2200_ping_cgi_rce
exploits/routers/netgear/jnr1010_path_traversa
exploits/routers/netgear/multi_password_disclosure-2017-5521
exploits/routers/netgear/multi_rce
exploits/routers/netgear/n300_auth_bypass
exploits/routers/netgear/prosafe_rce
exploits/routers/netgear/r7000_r6400_rce
exploits/routers/netgear/wnr500_612v3_jnr1010_2010_path_traversal🈁
rsf > use exploits/routers/netgear/

  • My NETGEAR WAC510 is not in the list, but it once had a cross-site scripting vulnerability.
    • JVNDB-2019-015322 Cross-site scripting vulnerability in NETGEAR WAC510 devices
      • https://jvndb.jvn.jp/ja/contents/2019/JVNDB-2019-015322.html
  • No router that looks applicable is listed, so this time I picked wnr500 at random.
  • Selected wnr500.

rsf (Netgear WNR500/WNR612v3/JNR1010/JNR2010 Path Traversal) > show options🆑

Target options:
   Name       Current settings     Description
   ----       ----------------     -----------
   ssl        false                SSL enabled: true/false
   target                          Target IPv4 or IPv6 address
   port       80                   Target HTTP port

Module options:
   Name          Current settings     Description
   ----          ----------------     -----------
   verbosity     true                 Verbosity enabled: true/false
   username      admin                Username to log in
   password      password             Password to log in
   filename      /etc/shadow          File to read

rsf (Netgear WNR500/WNR612v3/JNR1010/JNR2010 Path Traversal) >

  • Display the information about the vulnerability.

rsf (Netgear WNR500/WNR612v3/JNR1010/JNR2010 Path Traversal) > show info🆑

Name:
Netgear WNR500/WNR612v3/JNR1010/JNR2010 Path Traversal

Description:
Module exploits Netgear WNR500/WNR612v3/JNR1010/JNR2010 Path Traversal vulnerability which allows to read any file on the system.

Devices:
-  Netgear WNR500
-  Netgear WNR612v3
-  Netgear JNR1010
-  Netgear JNR2010

Authors:
-  Todor Donev <todor.donev[at]gmail.com>
-  Marcin Bury <marcin[at]threat9.com>

References:
-  https://www.exploit-db.com/exploits/40737/

rsf (Netgear WNR500/WNR612v3/JNR1010/JNR2010 Path Traversal) >

  • It appears to be a path traversal vulnerability.
  • Specify the NETGEAR AP as the target.

rsf (Netgear WNR500/WNR612v3/JNR1010/JNR2010 Path Traversal) > set target 192.168.20.214🆑
[+] target => 192.168.20.214
rsf (Netgear WNR500/WNR612v3/JNR1010/JNR2010 Path Traversal) >

  • To execute it, enter the run command.

rsf (Netgear WNR500/WNR612v3/JNR1010/JNR2010 Path Traversal) > run🆑
[*] Running module exploits/routers/netgear/wnr500_612v3_jnr1010_2010_path_traversal...
[-] Device seems to be not vulnerable🈁
rsf (Netgear WNR500/WNR612v3/JNR1010/JNR2010 Path Traversal) >

  • It is probably attempting path traversal against the device, but since this device is not one of the affected models the attack presumably fails.
  • Hence no vulnerability is found.

Scanning a router whose vendor or model is unknown

  • Even when the vendor or model of a router on the network is unknown, the router_scan feature appears to try every module.

rsf > use scanners/routers/router_scan🆑
rsf (Router Scanner) >🆑
back     check    exec     exit     help     run      search   set      setg     show     use
rsf (Router Scanner) > run🆑
[*] Running module scanners/routers/router_scan...

[*]  Starting vulnerablity check...
[-] :80 http exploits/generic/heartbleed is not vulnerable
[*] :80 http exploits/routers/billion/billion_5200w_rce Could not be verified
[-] :80 http exploits/routers/billion/billion_7700nr4_password_disclosure is not vulnerable
[-] :80 http exploits/routers/ubiquiti/airos_6_x is not vulnerable
[-] :80 http exploits/generic/shellshock is not vulnerable
[-] :39889 custom/udp exploits/routers/dlink/dwr_932b_backdoor is not vulnerable
[-] :80 http exploits/routers/dlink/dir_825_path_traversal is not vulnerable
[*] :80 http exploits/routers/dlink/dsl_2740r_dns_change Could not be verified
[-] :80 http exploits/routers/thomson/twg850_password_disclosure is not vulnerable
[-] :80 http exploits/routers/comtrend/ct_5361t_password_disclosure is not vulnerable
[-] :80 http exploits/routers/dlink/dir_645_815_rce is not vulnerable
[-] :80 http exploits/routers/dlink/dir_8xx_password_disclosure is not vulnerable
[-] :80 http exploits/routers/dlink/multi_hnap_rce is not vulnerable
[*] :80 http exploits/routers/dlink/dsl_2730b_2780b_526b_dns_change Could not be verified
[-] :80 http exploits/routers/dlink/dir_300_320_600_615_info_disclosure is not vulnerable
[-] :80 http exploits/routers/dlink/dsl_2750b_info_disclosure is not vulnerable
[*] :1900 custom/udp exploits/routers/dlink/dir_815_850l_rce Could not be verified
[-] :80 http exploits/routers/dlink/dir_300_320_615_auth_bypass is not vulnerable
[*] :80 http exploits/routers/dlink/dsl_2640b_dns_change Could not be verified
[-] :80 http exploits/routers/dlink/multi_hedwig_cgi_exec is not vulnerable
[-] :1900 custom/udp exploits/routers/dlink/dir_300_645_815_upnp_rce is not vulnerable
[-] :80 http exploits/routers/dlink/dvg_n5402sp_path_traversal is not vulnerable
[-] :80 http exploits/routers/dlink/dsl_2730_2750_path_traversal is not vulnerable
[-] :80 http exploits/routers/dlink/dir_300_600_rce is not vulnerable
[-] :80 http exploits/routers/dlink/dir_850l_creds_disclosure is not vulnerable
[-] :80 http exploits/routers/dlink/dcs_930l_auth_rce is not vulnerable
[-] :80 http exploits/routers/dlink/dgs_1510_add_user is not vulnerable
[-] :80 http exploits/routers/dlink/dir_645_password_disclosure is not vulnerable
[-] :43690 custom/udp exploits/routers/huawei/hg520_info_disclosure is not vulnerable
[-] :80 http exploits/routers/huawei/e5331_mifi_info_disclosure is not vulnerable
[-] :80 http exploits/routers/dlink/dsp_w110_rce is not vulnerable
[-] :80 http exploits/routers/dlink/dwr_932_info_disclosure is not vulnerable
[*] :80 http exploits/routers/asus/asuswrt_lan_rce Could not be verified
[-] :9999 custom/udp exploits/routers/asus/infosvr_backdoor_rce is not vulnerable
[-] :80 http exploits/routers/dlink/dsl_2750b_rce is not vulnerable
[-] :80 http exploits/routers/dlink/dns_320l_327l_rce is not vulnerable
[-] :80 http exploits/routers/dlink/dwl_3200ap_password_disclosure is not vulnerable
[-] :80 http exploits/routers/zte/zxhn_h108n_wifi_password_disclosure is not vulnerable
[-] :80 http exploits/routers/technicolor/dwg855_authbypass is not vulnerable
[-] :80 http exploits/routers/huawei/hg530_hg520b_password_disclosure is not vulnerable
[-] :21 ftp exploits/routers/technicolor/tg784_authbypass is not vulnerable
[-] :80 http exploits/routers/asus/rt_n16_password_disclosure is not vulnerable
[-] :80 http exploits/routers/ipfire/ipfire_shellshock is not vulnerable
[-] :80 http exploits/routers/ipfire/ipfire_oinkcode_rce is not vulnerable
[-] :80 http exploits/routers/ipfire/ipfire_proxy_rce is not vulnerable
[-] :32764 custom/tcp exploits/routers/multi/tcp_32764_info_disclosure is not vulnerable
[-] :80 http exploits/routers/technicolor/tc7200_password_disclosure_v2 is not vulnerable
[-] :32764 custom/tcp exploits/routers/multi/tcp_32764_rce is not vulnerable
[-] :80 http exploits/routers/zte/zxv10_rce is not vulnerable
[-] :80 http exploits/routers/zte/f460_f660_backdoor is not vulnerable
[-] :80 http exploits/routers/huawei/hg866_password_change is not vulnerable
[-] :8291 custom/tcp exploits/routers/mikrotik/winbox_auth_bypass_creds_disclosure is not vulnerable
[-] :80 http exploits/routers/technicolor/tc7200_password_disclosure is not vulnerable
[-] :80 http exploits/routers/multi/misfortune_cookie is not vulnerable
[-] :80 http exploits/routers/multi/rom0 is not vulnerable
[-] :80 http exploits/routers/belkin/auth_bypass is not vulnerable
[-] :80 http exploits/routers/belkin/g_n150_password_disclosure is not vulnerable
[-] :80 http exploits/routers/belkin/g_plus_info_disclosure is not vulnerable
[-] :80 http exploits/routers/belkin/n150_path_traversal is not vulnerable
[-] :80 http exploits/routers/belkin/n750_rce is not vulnerable
[-] :80 http exploits/routers/belkin/play_max_prce is not vulnerable
[-] :80 http exploits/routers/asmax/ar_1004g_password_disclosure is not vulnerable
[-] :80 http exploits/routers/movistar/adsl_router_bhs_rta_path_traversal is not vulnerable
[-] :69 custom/udp exploits/routers/cisco/ucm_info_disclosure is not vulnerable
[*] :80 http exploits/routers/cisco/secure_acs_bypass Could not be verified
[-] :80 http exploits/routers/cisco/firepower_management60_rce is not vulnerable
[-] :80 http exploits/routers/asmax/ar_804_gu_rce is not vulnerable
[-] :80 http exploits/routers/cisco/ucs_manager_rce is not vulnerable
[*] :23 custom/tcp exploits/routers/cisco/catalyst_2960_rocem Could not be verified
[-] :80 http exploits/routers/cisco/unified_multi_path_traversal is not vulnerable
[*] :80 http exploits/routers/shuttle/915wm_dns_change Could not be verified
[-] :80 http exploits/routers/cisco/firepower_management60_path_traversal is not vulnerable
[-] :80 http exploits/routers/cisco/ios_http_authorization_bypass is not vulnerable
[-] :80 http exploits/routers/netgear/jnr1010_path_traversal is not vulnerable
[*] :80 http exploits/routers/netgear/dgn2200_dnslookup_cgi_rce Could not be verified
[-] :80 http exploits/routers/netgear/dgn2200_ping_cgi_rce is not vulnerable
[-] :80 http exploits/routers/2wire/4011g_5012nv_path_traversal is not vulnerable
[-] :80 http exploits/routers/2wire/gateway_auth_bypass is not vulnerable
[-] :80 http exploits/routers/cisco/dpc2420_info_disclosure is not vulnerable
[-] :80 http exploits/routers/netgear/multi_password_disclosure-2017-5521 is not vulnerable
[-] :80 http exploits/routers/netgear/prosafe_rce is not vulnerable
[-] :80 http exploits/routers/netgear/wnr500_612v3_jnr1010_2010_path_traversal is not vulnerable
[-] :80 http exploits/routers/netgear/multi_rce is not vulnerable
[-] :80 http exploits/routers/netgear/n300_auth_bypass is not vulnerable
[-] :80 http exploits/routers/tplink/wdr740nd_wdr740n_backdoor is not vulnerable
[-] :80 http exploits/routers/netgear/r7000_r6400_rce is not vulnerable
[-] :80 http exploits/routers/tplink/wdr842nd_wdr842n_configure_disclosure is not vulnerable
[-] :22 ssh exploits/routers/mikrotik/routeros_jailbreak is not vulnerable
[-] :80 http exploits/routers/zyxel/d1000_wifi_password_disclosure is not vulnerable
[-] :80 http exploits/routers/tplink/archer_c2_c20i_rce is not vulnerable
[-] :80 http exploits/routers/tplink/wdr740nd_wdr740n_path_traversal is not vulnerable
[-] :80 http exploits/routers/zyxel/p660hn_t_v2_rce is not vulnerable
[-] :80 http exploits/routers/zyxel/zywall_usg_extract_hashes is not vulnerable
[-] :53413 custom/udp exploits/routers/netcore/udp_53413_rce is not vulnerable
[-] :80 http exploits/routers/zyxel/d1000_rce is not vulnerable
[*] :80 http exploits/routers/3com/officeconnect_rce Could not be verified
[-] :80 http exploits/routers/bhu/bhu_urouter_rce is not vulnerable
[-] :80 http exploits/routers/zyxel/p660hn_t_v1_rce is not vulnerable
[-] :80 http exploits/routers/3com/ap8760_password_disclosure is not vulnerable
[-] :80 http exploits/routers/netsys/multi_rce is not vulnerable
[-] :80 http exploits/routers/linksys/1500_2500_rce is not vulnerable
[-] :80 http exploits/routers/linksys/wap54gv3_rce is not vulnerable
[-] :80 http exploits/routers/3com/officeconnect_info_disclosure is not vulnerable
[-] :80 http exploits/routers/linksys/eseries_themoon_rce is not vulnerable
[-] :80 http exploits/routers/linksys/smartwifi_password_disclosure is not vulnerable
[-] :80 http exploits/routers/linksys/wrt100_110_rce is not vulnerable
[-] :80 http exploits/routers/3com/imc_path_traversal is not vulnerable
[-] :22 ssh exploits/routers/fortinet/fortigate_os_backdoor is not vulnerable
[-] :80 http exploits/routers/3com/imc_info_disclosure is not vulnerable
[-] :22 ssh exploits/generic/ssh_auth_keys is not vulnerable
[-] :80 http exploits/routers/multi/gpon_home_gateway_rce is not vulnerable
[-] :22 snmp exploits/routers/thomson/twg849_info_disclosure is not vulnerable
[*] Elapsed time: 15.2400 seconds

[*]  Starting default credentials check...
[-] :80 http creds/generic/http_basic_digest_default is not vulnerable
[-] :80 http creds/routers/pfsense/webinterface_http_form_default_creds is not vulnerable
[-] :80 http creds/routers/asmax/webinterface_http_auth_default_creds is not vulnerable
[-] :22 ssh creds/generic/ssh_default is not vulnerable
[-] :23 telnet creds/generic/telnet_default is not vulnerable
[-] :21 ftp creds/generic/ftp_default is not vulnerable
[*] Elapsed time: 0.0000 seconds

[*]  Could not verify exploitability:
 - :80 http exploits/routers/billion/billion_5200w_rce
 - :80 http exploits/routers/dlink/dsl_2740r_dns_change
 - :80 http exploits/routers/dlink/dsl_2730b_2780b_526b_dns_change
 - :1900 custom/udp exploits/routers/dlink/dir_815_850l_rce
 - :80 http exploits/routers/dlink/dsl_2640b_dns_change
 - :80 http exploits/routers/asus/asuswrt_lan_rce
 - :80 http exploits/routers/cisco/secure_acs_bypass
 - :23 custom/tcp exploits/routers/cisco/catalyst_2960_rocem
 - :80 http exploits/routers/shuttle/915wm_dns_change
 - :80 http exploits/routers/netgear/dgn2200_dnslookup_cgi_rce
 - :80 http exploits/routers/3com/officeconnect_rce

[-]  Could not confirm any vulnerablity

[-]  Could not find default credentials
rsf (Router Scanner) >

  • No vulnerability was found on this device.
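As an added example that is not part of the article or of RouterSploit, the Python below parses the console lines printed by the creds/generic/* modules (the Telnet run above, where almost every attempt ended in "telnet connection closed") and by scanners/routers/router_scan, and turns them into a verdict that separates a real "not found" from an inconclusive run. The Summary/classify/*_verdict names are mine, the sample lines are constructed from the article's output, and the "... is vulnerable" shape for a positive scanner hit is an assumption.

```python
"""Summarise RouterSploit console output into a verdict a reviewer can trust.

Added example, not part of the original article or of RouterSploit itself.
It classifies the per-attempt lines printed by creds/generic/* modules and by
scanners/routers/router_scan, and calls a creds run inconclusive when most
attempts died in a transport error rather than a real 'Authentication Failed'
(the RTX1200 case above). The '... is vulnerable' positive shape is assumed.
"""
import re
from dataclasses import dataclass, field
from typing import Iterable, List

# '[-] 192.168.20.1:23 Telnet Authentication Failed - Username: ...'
CREDS_RE = re.compile(
    r"^\[[-+*]\] (?P<target>\S*):(?P<port>\d+) (?P<service>\S+) (?P<msg>.*)$")
SCAN_RE = re.compile(
    r"^\[[-+*]\] (?P<target>\S*):(?P<port>\d+) (?P<service>\S+) "
    r"(?P<module>(?:exploits|creds)/\S+) (?P<msg>.*)$")

@dataclass
class Summary:
    auth_success: List[str] = field(default_factory=list)
    auth_failed: int = 0       # login dialogue completed, credential rejected
    transport_error: int = 0   # connection closed/refused: nothing was tested
    vulnerable: List[str] = field(default_factory=list)
    not_vulnerable: int = 0
    unverified: List[str] = field(default_factory=list)
    empty_target: int = 0      # ':80 http ...' lines: target option never set

def classify(lines: Iterable[str]) -> Summary:
    """Classify per-attempt lines; status lines like 'Elapsed time' are skipped."""
    s = Summary()
    for raw in lines:
        m = SCAN_RE.match(raw.rstrip())
        if m:
            if m["msg"] == "is not vulnerable":
                s.not_vulnerable += 1
            elif m["msg"] == "is vulnerable":            # assumed shape
                s.vulnerable.append(m["module"])
            elif m["msg"] == "Could not be verified":
                s.unverified.append(m["module"])
        else:
            m = CREDS_RE.match(raw.rstrip())
            if not m:
                continue
            if "Authentication Successful" in m["msg"]:
                s.auth_success.append(m["msg"].split(" - ", 1)[1])
            elif "Authentication Failed" in m["msg"]:
                s.auth_failed += 1
            elif "Error while" in m["msg"]:
                s.transport_error += 1
        if m["target"] == "":
            s.empty_target += 1
    return s

def creds_verdict(s: Summary) -> str:
    """FOUND, NOT FOUND, INCONCLUSIVE or NOT TESTED for a creds/* run."""
    if s.auth_success:
        return "FOUND: " + "; ".join(s.auth_success)
    attempts = s.auth_failed + s.transport_error
    if attempts == 0:
        return "NOT TESTED: no login attempt reached the service"
    if s.transport_error > s.auth_failed:
        return (f"INCONCLUSIVE: {s.transport_error} of {attempts} attempts died in a "
                "transport error; the device's login dialogue differs from the module's")
    return f"NOT FOUND: {s.auth_failed} completed attempts, all rejected"

def scan_verdict(s: Summary) -> str:
    """VULNERABLE, NEEDS REVIEW or NO FINDING for a router_scan run."""
    if s.vulnerable:
        return "VULNERABLE: " + ", ".join(s.vulnerable)
    if s.unverified:
        return f"NEEDS REVIEW: unverified {', '.join(s.unverified)}; {s.not_vulnerable} negative"
    return f"NO FINDING: {s.not_vulnerable} checks negative"

# Constructed samples, shortened from the article's own console output.
TELNET_RUN = """\
[-] 192.168.20.1:23 Telnet Error while authenticating to the server telnet connection closed
[-] 192.168.20.1:23 Telnet Authentication Failed - Username: '1502' Password: '1502'
[-] 192.168.20.1:23 Telnet Error while authenticating to the server telnet connection closed
[-] 192.168.20.1:23 Telnet Authentication Failed - Username: '1111' Password: '1111'
[-] 192.168.20.1:23 Telnet Error while authenticating to the server telnet connection closed
""".splitlines()
SSH_RUN = ["[+] 192.168.100.1:22 SSH Authentication Successful - Username: 'admin' Password: '1234'"]
ROUTER_SCAN = """\
[-] :80 http exploits/generic/heartbleed is not vulnerable
[*] :80 http exploits/routers/billion/billion_5200w_rce Could not be verified
[-] :39889 custom/udp exploits/routers/dlink/dwr_932b_backdoor is not vulnerable
[-] :80 http creds/generic/http_basic_digest_default is not vulnerable
""".splitlines()

if __name__ == "__main__":
    for name, run, verdict in (("telnet_default", TELNET_RUN, creds_verdict),
                               ("router_scan", ROUTER_SCAN, scan_verdict)):
        summary = classify(run)
        print(f"{name}: {verdict(summary)}")
        if summary.empty_target:
            print(f"  warning: {summary.empty_target} lines show no target host")
```

Run against the full router_scan output above, every line carries an empty host (":80", ":22", ...), which is the warning this script prints: the target option was never set for that run.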

Scanning for credentials over FTP and TELNET using defaults and brute force

  • Try to extract credentials, that is, user IDs and passwords, using the device's default passwords or brute force.

rsf > use creds/generic/🆑
creds/generic/ftp_bruteforce                creds/generic/ssh_bruteforce
creds/generic/ftp_default                   creds/generic/ssh_default
creds/generic/http_basic_digest_bruteforce  creds/generic/telnet_bruteforce
creds/generic/http_basic_digest_default     creds/generic/telnet_default
creds/generic/snmp_bruteforce
rsf > use creds/generic/ftp_bruteforce🆑
rsf (FTP Bruteforce) > run🆑
[*] Running module creds/generic/ftp_bruteforce...
[-] :21 FTP Error while connecting to the server [Errno 61] Connection refused
[*] Target does not expose FTP service
rsf (FTP Bruteforce) > use creds/generic/telnet_default
rsf (Telnet Default Creds) > run🆑
[*] Running module creds/generic/telnet_default...
[-] :23 Telnet Error while testing connection to the server [Errno 61] Connection refused
[*] Target does not expose Telnet service
rsf (Telnet Default Creds) > use creds/generic/telnet_bruteforce
rsf (Telnet Bruteforce) > run🆑
[*] Running module creds/generic/telnet_bruteforce...
[-] :23 Telnet Error while testing connection to the server [Errno 61] Connection refused
[*] Target does not expose Telnet service
rsf (Telnet Bruteforce) >

  • In this example no FTP or TELNET service is running.

Showing the wordlists in use

  • The lists used for brute force and default users are stored in the following locations.

rsf (Telnet Bruteforce) > show wordlists

   Wordlist          Path
   --------          ----
   passwords.txt     file:///Users/ujpadmin/bin/routersploit/routersploit/resources/wordlists/passwords.txt
   defaults.txt      file:///Users/ujpadmin/bin/routersploit/routersploit/resources/wordlists/defaults.txt
   snmp.txt          file:///Users/ujpadmin/bin/routersploit/routersploit/resources/wordlists/snmp.txt
   usernames.txt     file:///Users/ujpadmin/bin/routersploit/routersploit/resources/wordlists/usernames.txt

rsf (Telnet Bruteforce) >

  • If something is missing, you can add it to these lists.

Exiting Routersploit

  • Exit the tool.

rsf (Netgear WNR500/WNR612v3/JNR1010/JNR2010 Path Traversal) > exit🆑
[-] RouterSploit stopped
$

  • Back at the shell prompt.

Updating the vulnerability data

  • Update the vulnerability data.

$ git pull🆑
warning: redirecting to https://github.com/threat9/routersploit.git/

Already up to date.
$

  • Since this was right after installation there was no update data this time, but it appears to be updated from time to time.


