A router is a gateway that connects devices to the internet using certain protocols. A hacked router is serious: the attacker can take control of the whole network setup. Even in 2016, millions of routers are vulnerable through remote authentication. This is not actually a vulnerability but a feature, one that becomes a hacker’s pathway into your network if it is left unsecured. On many routers, port 80 is forwarded to the public by default and set up for remote authentication. Typing the IP 192.168.1.1 in a browser takes you to the admin login panel. If that panel is also reachable on your public IP, the router can be controlled remotely. The username and password will be “admin” by default. You can also brute-force the username and password using THC-Hydra or exploit the rom0 vulnerability. A router has a rom file that stores the login credentials and settings; this file can be downloaded and the credentials in it used to log in. The rom file is compressed, so you need to decompress the rom0. This can be done with a decompression tool or with online services.

After accessing a router’s control panel you can change the DNS, the ISP login credentials and the Wi-Fi password. All you need to do this is the target’s public IP address. This is a dead simple process. Since many routers can be taken over through this method, you can hack into thousands of routers and make a botnet. This can be done on both Windows and Linux. Follow the steps.
Scanning the IP
You can attack a specific target or a random target, as I’m doing. There are many command-line tools available in Kali Linux, but here I’m using a GUI tool, Angry IP Scanner. This tool is available for both Windows and Linux; it has a pretty good interface and is easy to use. Download and open the tool, and in the settings enable web detect. You can scan all the neighbouring devices in your network. First find your public IP by googling and paste it into Angry IP Scanner. In the first column replace the last section with 0 and in the second column replace it with 255 (e.g. if your IP is 220.127.116.11, use 18.104.22.168 in the first column and 22.214.171.124 in the second). This will scan all 255 IPs and retrieve the details of the live devices, marked in green. Sort the results by web detect. You will find micro_httpd and RomPager; these are the live routers in your public network. Choose a random target and copy its IP. Open a browser, paste it and go, and use “admin” as the username and password. If that doesn’t work, go for brute-forcing or decompress the rom0.
As I said before, not all routers are vulnerable to this attack. On some routers we can bypass authentication and get the rom file from the URL /rom0. Go to the browser and enter the URL http://”ip_address”/rom-0, or use an online service to test the vulnerability: visit rom-0.cz, where you can input the target IP and test for the vulnerability. Once you have the rom0 file, decompress it and extract the password using the online service routerpwn.com: upload the rom file, decompress it and use the strings to log in.
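
Seen from the defending side, both behaviours described above (a request for the rom file from outside the LAN, and repeated failed logins against the admin panel) show up in the HTTP log of a gateway or sensor in front of the router. The following is an added example, not part of the original post; the Common Log Format input, the LAN range, the alert threshold and every address in the sample are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed internal range
ROM_PATHS = {"/rom-0", "/rom0"}               # paths named in the article
FAIL_THRESHOLD = 5                            # assumed: 401s per source before alerting

LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def analyze(log_text):
    """Return (rom_fetches, bruteforce_sources) for sources outside the LAN."""
    rom_fetches = []
    failures = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not in the expected log format
        try:
            src = ipaddress.ip_address(m["src"])
        except ValueError:
            continue  # source field is not an IP address
        if src in LAN:
            continue  # local administration is expected
        path = m["path"].split("?", 1)[0].lower()
        status = int(m["status"])
        if path in ROM_PATHS:
            rom_fetches.append((str(src), status))  # 200 means the file was served
        if status == 401:
            failures[str(src)] += 1
    brute = sorted(s for s, n in failures.items() if n >= FAIL_THRESHOLD)
    return rom_fetches, brute

def _line(src, path, status):
    # Builds one constructed sample log line.
    return f'{src} - - [12/Mar/2016:10:00:00 +0000] "GET {path} HTTP/1.1" {status} 0'

SAMPLE_LOG = "\n".join(
    [_line("203.0.113.7", "/rom-0", 200)]
    + [_line("198.51.100.23", "/", 401)] * 6
    + [_line("192.168.1.50", "/rom-0", 200), _line("198.51.100.99", "/rom-0", 401)]
)

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

A 200 response to a rom file request from outside the LAN means the configuration was served without authentication, so the admin and ISP passwords should be treated as disclosed and remote management on the WAN side switched off.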