WEBVTT

0
00:01.980 --> 00:07.740
In the last lecture we've seen what RouterSploit is, how to install and start it.

1
00:08.340 --> 00:16.300
Now it's time to show you a real exploit on a router and I’ll choose the DG of the LAN.

2
00:16.330 --> 00:23.740
The first step is to find the IP address of the default gateway which is usually the first or the last

3
00:23.740 --> 00:26.020
IP of the subnet.

4
00:26.050 --> 00:33.580
However, we could scan the network using nmap or netdiscover. In this example

5
00:33.580 --> 00:39.090
this is the default gateway 192.168.0.1.

6
00:39.100 --> 00:46.350
And I'm starting RouterSploit. In the RouterSploit directory,

7
00:46.430 --> 00:52.480
okay, in this one, I am executing python3 rsf.py

8
00:55.940 --> 01:02.110
Let's start a module called autopwn used to scan for vulnerabilities.

9
01:02.120 --> 01:09.710
The style of working is the following: to select the module, type use and then whatever module you want

10
01:09.740 --> 01:17.280
to use; show options to display the parameters of the module you've selected

11
01:18.650 --> 01:27.260
set to set any of the parameters you see in the output of show options, and finally run to execute the

12
01:27.260 --> 01:27.760
module.

13
01:28.830 --> 01:32.640
Use the tab key multiple times for completion.

14
01:32.640 --> 01:36.420
So I'm selecting the autopwn module.

15
01:36.420 --> 01:40.060
use scanners/autopwn

16
01:40.320 --> 01:54.060
Use the tab key for auto completion. Now to see the options of the module I execute show options.

17
01:54.170 --> 01:57.470
These are all available options.

18
01:57.470 --> 02:05.590
We notice the target option, which is the most important. Let's set the target as the default

19
02:05.620 --> 02:08.500
gateway: set target

20
02:09.680 --> 02:15.480
and the IP address of the default gateway.

21
02:15.490 --> 02:23.530
The next step is to type run and it will run all the known exploits against the target to see if it's

22
02:23.530 --> 02:25.600
vulnerable to any of them.

23
02:29.660 --> 02:32.120
It's checking for vulnerabilities.

24
02:33.130 --> 02:36.090
We are waiting for it to finish scanning.

25
02:36.190 --> 02:40.720
It takes some time, a minute or two, so I'm gonna pause the recording;

26
02:45.890 --> 02:47.410
and it's over.

27
02:47.540 --> 02:55.080
If there is no known vulnerability discovered, that's good news; move to the next device and eventually

28
02:55.110 --> 02:56.420
repeat the scan

29
02:56.420 --> 02:58.070
after a while.

30
02:58.070 --> 03:05.360
Keep in mind that there could be other devices on your LAN that are not routers and that are vulnerable.

31
03:05.360 --> 03:13.670
My advice is to scan all IoT devices using RouterSploit. You first discover all possible targets

32
03:13.820 --> 03:22.950
like IP cameras using nmap, and then you run RouterSploit against the targets. In our case the

33
03:22.950 --> 03:30.730
router is vulnerable to this exploit. RouterSploit displays the vulnerabilities and I'm gonna

34
03:30.750 --> 03:36.460
select the exploit. If you want to see all available exploits

35
03:36.650 --> 03:44.850
you type use exploits and then press the tab key two times, and these are the categories.

36
03:47.510 --> 04:00.140
These are all the routers, and all the exploits for TP-Link, and so on. I am selecting the exploit

37
04:00.440 --> 04:01.930
in order to execute it.

38
04:10.020 --> 04:16.890
To see all options of the exploit you execute show options.

39
04:17.160 --> 04:23.430
The next step is to set the target: set target and its IP address

40
04:26.310 --> 04:30.040
and I'm running it. Perfect!

41
04:32.500 --> 04:40.600
Now let's see the payloads of the exploit; a payload is a customized piece of code that the attacker

42
04:40.630 --> 04:45.390
will execute on the vulnerable system in order to compromise it.

43
04:45.800 --> 04:47.260
So show payloads

44
04:51.970 --> 04:59.910
A reverse shell is such a payload in which an attacker gains interactive shell access. The target

45
04:59.910 --> 05:07.480
machine initiates a connection to the hacker's machine, and the hacker's machine listens for the

46
05:07.480 --> 05:11.080
incoming connections on a specific port.

47
05:11.140 --> 05:14.530
We notice there are two payloads available. Let's

48
05:14.530 --> 05:28.810
select the reverse shell payload! It will send us a reverse shell: set payload and the payload name.

49
05:29.000 --> 05:36.140
The next step is to set the IP address of the local machine, the one that will receive the shell of the

50
05:36.140 --> 05:36.980
victim.

51
05:36.980 --> 05:39.230
This is our own IP address.

52
05:42.610 --> 05:54.040
This is the IP address: set lhost and the IP address.

53
05:54.080 --> 06:02.690
The next step is to effectively run the exploit, or fire the payload against the victim; to run the exploit

54
06:02.750 --> 06:05.060
with the selected payload

55
06:05.060 --> 06:07.040
you type and execute

56
06:07.040 --> 06:07.370
run.

57
06:08.420 --> 06:13.510
I won't do it because I don't really want to break the router or anything else

58
06:13.580 --> 06:14.690
with this example.

59
06:18.970 --> 06:25.780
The conclusion of this lecture is that if you have a router or an Internet of Things device,

60
06:25.990 --> 06:29.580
it is your responsibility to make sure that it runs

61
06:29.590 --> 06:36.790
the latest version of firmware and that the default credentials have been changed; you can discover

62
06:36.790 --> 06:44.440
known vulnerabilities running RouterSploit against the device and then mitigate the possible attacks.

63
06:47.410 --> 06:51.230
Also take a look at Riposte, which is a RouterSploit fork.

64
06:51.230 --> 07:01.490
It adds some nice features like wrapping your own applications inside the tailored interactive

65
07:01.490 --> 07:01.870
shell.