Router hacking

Good Morning friends. AirOS is the firmware maintained by Ubiquiti Networks for its airMAX products, which include routers and switches. This firmware is Linux-based. The module we use here exploits a file upload vulnerability in the firmware to install a new root user in /etc/passwd and an SSH key in /etc/dropbear/authorized_keys. So let’s see hacking Ubiquiti AirOS. Start Metasploit and load the exploit as shown below. Type the command “show options” to see what options we need to set.

[Image: airos1]

The only option we need to set is our target IP address. If you have followed my previous howtos, you already know how to find the vulnerable targets. Set the target IP address as shown below. This module does not support check. No problem. Type the command “show payloads” to see the payloads we can use with this exploit. We normally have only one, i.e. interacting with the target’s shell. Set the payload.

[Image: airos2]

Type “run” to execute our exploit. We will get the command shell of our target as shown below.

[Image: airos3]

Let’s check it. Type command “ls” to get contents of the present directory.

[Image: airos4]

This is the passwd file of our target which has been overwritten by our exploit.


[Image: airos5]
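The module leaves two traces on the device: an extra root account in /etc/passwd and a key in /etc/dropbear/authorized_keys. The following Python check is an added example, not part of the original post: it audits copies of both files against an approved baseline. The function names, the sample account names (including `ubnt` as the baseline admin account) and the sample key are constructed assumptions.

```python
import base64
import hashlib

def uid0_accounts(passwd_text):
    """Names of all accounts with UID 0 in passwd-format text."""
    names = []
    for line in passwd_text.splitlines():
        fields = line.strip().split(":")  # name:password:UID:GID:gecos:home:shell
        if len(fields) >= 3 and not fields[0].startswith("#") and fields[2] == "0":
            names.append(fields[0])
    return names

def key_fingerprints(keys_text):
    """OpenSSH-style SHA256 fingerprint of each key in authorized_keys text."""
    prints = []
    for line in keys_text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        for i, tok in enumerate(parts[:-1]):  # options may precede the key type
            if tok.startswith(("ssh-", "ecdsa-")):
                try:
                    blob = base64.b64decode(parts[i + 1], validate=True)
                except ValueError:  # not a key blob, keep scanning the line
                    continue
                digest = hashlib.sha256(blob).digest()
                prints.append("SHA256:" + base64.b64encode(digest).decode().rstrip("="))
                break
    return prints

def audit(passwd_text, keys_text, known_root_names, known_fingerprints):
    """List (kind, value) findings that are not in the approved baseline."""
    findings = [("unexpected-uid0-account", n)
                for n in uid0_accounts(passwd_text) if n not in known_root_names]
    findings += [("unexpected-ssh-key", fp)
                 for fp in key_fingerprints(keys_text) if fp not in known_fingerprints]
    return findings

# Constructed sample data (not taken from a real device).
SAMPLE_PASSWD = "ubnt:x:0:0:Administrator:/etc/persistent:/bin/sh\n" \
                "newroot:x:0:0:root:/:/bin/sh\n"
SAMPLE_KEYS = "ssh-rsa " + base64.b64encode(b"constructed-not-a-real-key").decode() + " user@host\n"

if __name__ == "__main__":
    for kind, value in audit(SAMPLE_PASSWD, SAMPLE_KEYS, {"ubnt"}, set()):
        print(kind, value)
```

Any finding means the file differs from the baseline you approved, so the device should be treated as modified until the entry is explained.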

Good Evening friends. Today we will see how to hack passwords of remote D-Link routers on the internet, and we are not talking about password cracking, although we will see that also in the future. Uffff, that was a very long sentence. OK, now let’s see how to hack passwords of remote D-Link routers, but wait, there’s a catch. This howto will only work on D-Link routers having version DIR-645. Now if you’re thinking who still uses that version, then you should just shhhhooodaaaan. Start Metasploit and load the “auxiliary/admin/http/dlink_dir_645_password_extractor” exploit as shown below.

[Image: dlinkpe1]

It’s always good to see the information about our exploit as shown below.

[Image: dlinkpe2]

Now set the RHOST option (i.e. the IP address of our target; you will get this from Shodan). Change the port to 8080.

[Image: dlinkpe3]

Now execute the exploit by typing command “run”. The exploit will run as shown below. Don’t worry about the errors we get as our exploit has already finished its job and saved the passwords of routers into a file.

[Image: dlinkpe4]

Now let’s open the file. Copy the path of the file from above. Use any text editor to open the file. Below I have used gedit.

[Image: dlinkpe5]


The file will open as shown below. We can see the credentials underlined (by me). So it says the username is admin and the password is empty. Now let’s check it out.

[Image: dlinkpe6]

Open your browser and go to the router address as shown below. The router login page should open.

[Image: dlinkpe7]

Without entering any password, click on Login. You should get access to the router as shown below.

[Image: dlinkpe8]

That’s all folks for today. Happy Hacking.