How to hack a router remotely – millions of routers still vulnerable 2016

A router is the gateway that connects your devices to the internet using certain protocols. Hacking a router is serious: the attacker can take control of the whole network. Even in 2016, millions of routers are exposed through remote authentication. This is actually not a vulnerability but a feature, one that turns into a hacker's pathway into your network if it is left unsecured. On many routers port 80 is forwarded to the public side by default and set up for remote authentication. Typing the IP 192.168.1.1 into a browser takes you to the admin login panel; if the same panel is reachable on your public IP, the router can be controlled remotely. The username and password are "admin" by default. You can also brute-force the username and password with THC-Hydra or exploit the rom0 vulnerability: the router keeps a rom file that stores login credentials and settings, which can be downloaded and the credentials used to log in. The rom file is compressed, so you need to decompress the rom0, either with a decompression tool or with an online service. After gaining access to a router's control panel you can change the DNS settings, the ISP login credentials and the wifi password. All you need for this is the target's public IP address. It is a dead simple process, and since so many routers can be taken over this way you could hack into thousands of them and build a botnet. This works on both Windows and Linux. Follow the steps.

Demo video

Scanning the IP

You can attack a specific target or a random one, as I'm doing here. There are many command-line tools in Kali Linux, but here I'm using a GUI tool, Angry IP Scanner, which is available for both Windows and Linux and has a good, easy-to-use interface. Download and open the tool and enable "web detect" in the settings. You can scan all the neighbouring devices in your network. First find your public IP by googling it and paste it into Angry IP Scanner. In the first column replace the last section with 0 and in the second column replace it with 255 (e.g. if your IP is 117.213.80.32, use 117.213.80.0 in the first column and 117.213.80.255 in the second). This scans all 255 IPs and lists the live devices, marked in green. Sort the results by web detect: the entries showing micro_httpd and RomPager are the live routers in your public network range. Choose a random target and copy its IP, open it in a browser, and use "admin" as the username and password. If that doesn't work, go for brute-forcing or decompressing rom0.

Decompressing Rom0

As I said before, not all routers are vulnerable to this attack. On some routers we can bypass authentication and fetch the rom file from the URL /rom-0: open a browser and enter http://"ip_address"/rom-0, or use the online service at rom-0.cz to test for the vulnerability by entering the target IP. Once you have the rom0 file, decompress it and extract the password using the online service routerpwn.com: upload the rom file, decompress it, and use the recovered strings to log in.

You may be asking, "what can I do after hacking a router?" You can forward all the sensitive ports and launch attacks on services like SSH and FTP, or route traffic to a fake DNS server. The best thing you can do is set a fake DNS for Google, YouTube and Facebook so that you can create a phishing page and fetch login credentials. The crazy thing you can do is create a fake Google search page so that when the user clicks the search button a malicious file is downloaded. I'm not exposing the full details here; use your own skills in creating a phishing page. Any doubts or questions? Post them in the comment section below. If you like this blog, give me a like on Facebook and add me on Google Plus. Subscribe to my YouTube channel for video tutorials.
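The payload this post describes is a swapped DNS server pointing popular sites at a fake host. The following Python script is an added example from the editor, not the author's code; it shows how the owner of a router can check for exactly that tampering: it compares the resolvers the router hands out against an allow-list, compares the router's answers for a few names against a trusted resolver's answers, and flags one address that is returned for several unrelated names. All IPs, the allow-list and the answer sets are constructed sample data (RFC 5737 documentation ranges), so it runs offline; in practice the answer sets come from `dig +short <name> @<resolver>` output, which `parse_dig_short()` accepts.

```python
"""DNS-hijack self-check for a home or small-office router.

Added example, not the post author's code. Everything below is constructed
sample data so the script runs offline: the 'router' resolvers and answers
model a compromised router, the 'reference' answers a trusted resolver.
"""

import ipaddress
import json
from collections import defaultdict

# Assumed allow-list: the resolvers the owner (or the ISP) configured.
TRUSTED_RESOLVERS = {"8.8.8.8", "8.8.4.4", "1.1.1.1"}

# Constructed: resolvers read from the router admin page / DHCP lease.
# 203.0.113.53 is the rogue resolver in this sample.
ROUTER_RESOLVERS = ["8.8.8.8", "203.0.113.53"]

# Constructed answers (RFC 5737 addresses) from the router's resolver
# and from a trusted reference resolver for the same names.
ROUTER_ANSWERS = {
    "google.com":   {"203.0.113.10"},   # points at the rogue host
    "youtube.com":  {"203.0.113.10"},   # same host: the phishing setup
    "facebook.com": {"192.0.2.40"},
    "example.org":  {"192.0.2.80"},
}
REFERENCE_ANSWERS = {
    "google.com":   {"192.0.2.10", "192.0.2.11"},
    "youtube.com":  {"192.0.2.20"},
    "facebook.com": {"192.0.2.40"},
    "example.org":  {"192.0.2.80"},
}


def parse_dig_short(text):
    """Return the set of IP addresses in `dig +short` output, skipping CNAME lines."""
    addrs = set()
    for line in text.splitlines():
        line = line.strip().rstrip(".")
        try:
            addrs.add(str(ipaddress.ip_address(line)))
        except ValueError:
            continue  # a CNAME target or blank line, not an address
    return addrs


def untrusted_resolvers(configured, trusted=TRUSTED_RESOLVERS):
    """Resolvers the router advertises that are not on the owner's allow-list."""
    return sorted(r for r in configured if r not in trusted)


def divergent_domains(router_answers, reference_answers):
    """Names whose router-side answers share no address with the reference.
    CDN geo-routing can cause benign divergence, so on its own this is weak."""
    return sorted(
        name for name, addrs in router_answers.items()
        if name in reference_answers and not (addrs & reference_answers[name])
    )


def shared_answer_ips(router_answers, min_names=2):
    """Addresses returned for several unrelated names: the signal a fake DNS
    server pointing many sites at one phishing host leaves behind."""
    seen = defaultdict(set)
    for name, addrs in router_answers.items():
        for addr in addrs:
            seen[addr].add(name)
    return {addr: sorted(names) for addr, names in seen.items()
            if len(names) >= min_names}


def assess(router_resolvers, router_answers, reference_answers):
    """Combine the three checks into one findings dict with a verdict."""
    findings = {
        "untrusted_resolvers": untrusted_resolvers(router_resolvers),
        "divergent_domains": divergent_domains(router_answers, reference_answers),
        "shared_answer_ips": shared_answer_ips(router_answers),
    }
    # One shared address across unrelated names is suspicious by itself;
    # divergent answers count only when an unknown resolver is also present.
    strong = bool(findings["shared_answer_ips"])
    weak = bool(findings["untrusted_resolvers"]) and bool(findings["divergent_domains"])
    findings["hijack_suspected"] = strong or weak
    return findings


if __name__ == "__main__":
    print(json.dumps(assess(ROUTER_RESOLVERS, ROUTER_ANSWERS, REFERENCE_ANSWERS), indent=2))
```

Any hit from this check is a reason to log in to the router on the LAN side, restore the DNS servers, change the admin password away from the default, and disable remote (WAN-side) management, which is the setting that makes the attack in this post possible.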
susmith HCK

I'm basically a computer enthusiast and I love to write blogs on tech issues and cyber security. I started penetration testing at the age of 16, and I like to explore security vulnerabilities and the latest tech news and share them with you. If you like all this stuff, add me on Facebook and Google Plus.

6 thoughts on "How to hack a router remotely – millions of routers still vulnerable 2016"

  • July 21, 2016 at 10:36 pm

    Bro, good work. You have a list of vulnerable routers?

    • susmith HCK
      July 22, 2016 at 10:45 am

      You cannot simply create a list of targets; the IP will change on each reboot, so you have to find it by scanning every time.

  • August 25, 2016 at 4:13 pm

    I have access to many routers. But what could I do with it? What are the possibilities?

    • susmith HCK
      August 25, 2016 at 9:06 pm

      You can change the DNS servers and redirect them to the hacker's DNS server to fetch login credentials by creating fake pages. You can forward sensitive ports and directly attack the connected system.

  • February 8, 2017 at 2:29 pm

    Hey. I've a D-Link router under control. I've set up remote management, so I am always able to log in to the router remotely from my home as well (I know the public IP address of the router). So, what I have is complete router page access. How do I go about attacks like DNS spoofing to spoof a particular site (say google.com) to another IP address? I can only see options like Primary DNS Server: 8.8.8.8 and the like. Can you help?

    • susmith HCK
      February 11, 2017 at 10:40 am

      You can change the whole DNS server, not for a single website. Make a fake DNS server with your targeted sites pointing to fake IPs. This is the only way.
