How to hack a router remotely – millions of routers still vulnerable 2016

A router is a gateway that connects a device to the internet with certain protocols. Hacking a router can be really serious, the attacker can take control over the whole network setup. Even in this 2016 millions routers are vulnerable to remote authentication. This is actually not a vulnerability but, a feature that can turn into hacker’s pathway to your network if its unsecured. In many router’s port 80 is forwarded by default to the public and setup for remote authentication. Typing the IP 192.168.1.1 on browser will take you to the admin login panel. If this is accessible with you public IP then the router can be controlled remotely. The username and password will be “admin” by default. You can also bruteforce the username and password using THC-HYDRA or exploit a rom0 vulnerability. A router has a rom file that stores login credentials and settings, this can be downloaded and use the credentials to login. Rom file is compressed and you need to decompress the rom0. It can be done with a decompression tool or you can use online services. After accessing a router’s control panel you can change the DNS, ISP login credentials, change wifi password. To do these all you want to get is the target’s public IP address. This a dead simple process. Since many routers can be taken through this method you can hack into thousands of routers and make a botnet. This can be done on both windows and linux. Follow the  steps.

 

 

 

Demo video

Scanning the IP

You can attack a specific target or a random target as i’m doing. There are many command line tools available in kali linux but, here i’m using a GUI  tool angry ip scanner. This tool is available for both windows and linux. This tool has a pretty good interface and easy to use. Download and open the tool, in settings enable web detect. You can scan all the neighbouring devices in your network. First find your public ip by googling and paste it in the angry ip scanner. In the first column replace the last secton with 0 and in the second colum replace it with 255. (eg: if your ip is 117.213.80.32 in the first column use 117.213.80.0 and 117.213.80.255 in second). This will scan for all 255 IP and retrieve the the live device details marked as green. Sort the result by webetect. You can find micro_httpd and RomPager these are the live routers in your public network, choose a random target and copy its IP. Open a browser and paste and go, use “admin” as username and password. If that didn’t work go for bruteforcing or decompress rom0.

Decompressing Rom0

As i said before not all routers are vulnerable to this attack. In some routers we can bypass authentication and get the rom file from url /rom0. go to browser and enter the url http://”ip_address”/rom-0 or use online service to test the ulnetability visit rom-0.cz . You can input the target ip and test the vulnerability. Once you got the rom0 file decompress it and extract the password by using the online service routerpwn.comupload the rom file and decompress and use the strings to login.

You may be asking “what can i do after hacking a router?” you can simply forward all the sensitive ports and launch attacks like ssh, ftp or Route to a fake DNS server. Best thing you can do is set a fake dns for google, youtube and facebook so that you can create a phishing page and fetch login credentials. The crazy thing you can do is create a fake google search page and when the user clicks the search button the malicious file will be downloaded. I’m not exposing the full details here, just use your own skills in creating a phishing page.Any doubts or questions? post it on the comment section below. If you like this blog give me a like on facebook and add me on google plus. Subscribe my youtube channel for video tutorials.

susmith HCK

susmith HCK

I’m a computer enthusiast basically and i love to write blogs on tech issues and cyber security. I started penetration testing at the age of 16 and i would like to explore security vulnerabilities and latest tech news and wanna share with you. If you like all these stuffs add me on Facebook and Google plus.

You may also like...

13 Responses

  1. paolo rossi says:

    Bro good work .. You have one list of vulnerable router ?

  2. YummY says:

    I have access to many routers. But what could i do with it? What are the possibilities?

    • You can change the dns servers and redirect it to hacker’s dns server to fetch login credentials by creating fake pages. You can forward sensitive ports and directly attack the connected system.

  3. Anonymous says:

    Hey. I’ve a D-Link router under control. I’ve setup remote management, so I am always able to login into the router remotely from my home as well (I know the public IP address of router). So, what I have is the complete router page access. How do I go about attacks like DNS spoofing to spoof a particular site (say google.com) to another IP address? I can only see options like Primary DNS Server: 8.8.8.8 and like that. Can you help?

  4. Mk says:

    I believe I’ve been subjected to an attack like this…How do I check? And how do I secure my router

  5. walkyrie says:

    hi bro, thankx for all… i’ve one question please. i’ve netgear router under control over internet. but when i’m connected to router, i not have all autorisations( NAT, DNS… are disable). how can i solve this?

  6. walk says:

    when i connected to NETGEAR router interface over internet some options( NAT, DNS….) are disabled. how can i solve this?

  7. Shane says:

    I started to scan i haven’t find any ips what can i do

  8. Cynthia A Moldaner says:

    I would like to email a document. I have some questions about Tracery command. My tracery on my computer shows hop 1 as 192.168.1.1 which is my router. The 2nd hop shows 10.132.80.1. If I understand this correctly the second hop is another router?

Leave a Reply

Your email address will not be published. Required fields are marked *