How to hack routers in Windows (Router Scan by Stas’M manual)
What is Router Scan for?
In short, Router Scan by Stas’M scans subnets and hacks the routers it finds. It uses brute-force and exploits vulnerabilities.
Router Scan can find and identify a variety of devices from a large number of known routers. Most importantly, it extracts useful information from them, in particular the characteristics of the wireless network: the access point's protection method (encryption), the access point name (SSID) and the access point key (passphrase).
It also retrieves information about the WAN connection (useful when scanning a local network) and shows the router model.
Information is obtained in two possible ways:
- The program tries to guess a username/password pair for the router from a list of standard passwords, thereby gaining access.
- Or vulnerabilities (bugs) for the router model are used, making it possible to get the necessary information and/or bypass the authorization process.
Wireless network detection and audit were added beginning with version 2.60, including the 802.11a/b/g/n standards; you will need either an integrated or external Wi-Fi interface to use these functions.
3WiFi service functions were also added to achieve the best wireless audit results, WPA/WPA2 network key brute-force and WPS PIN audit along with the Pixie Dust attack.
The program runs on Windows, but it is possible to run it on Linux via Wine. You can download the program on the authors' site. Password for the archive:
At the first start the program will ask whether we want to send the received scan results to a shared database:
Beginning with version 2.53, Router Scan is integrated with the 3WiFi cloud services. It implements automated uploading of wireless access points from the scan results to the server.
The 3WiFi database is used by the Router Scan Community to research new router vulnerabilities, WPS PIN generation algorithms and more, and also by the program creator to monitor and detect scan issues in real time.
Do you allow automatic uploading? This option can be changed later in the program settings.
Scanning local and global networks
- The network interface with the global IP address connects to the Internet directly without intermediaries, and everyone who has the Internet can connect to it.
- The remaining IP addresses are private.
Of the approximately four billion addresses defined in IPv4, three ranges are reserved for use in private networks. Packets addressed to these ranges are not routable on the public Internet, because they are ignored by all public routers. Therefore, private hosts cannot directly communicate with public networks, but require network address translation at a routing gateway for this purpose.
| Address range | Number of addresses | Classful description | Largest CIDR block |
|---|---|---|---|
| 10.0.0.0 – 10.255.255.255 | 16777216 | Single Class A | 10.0.0.0/8 |
| 172.16.0.0 – 172.31.255.255 | 1048576 | Contiguous range of 16 Class B blocks | 172.16.0.0/12 |
| 192.168.0.0 – 192.168.255.255 | 65536 | Contiguous range of 256 Class C blocks | 192.168.0.0/16 |
An example of interesting finds in my local network:
How to compose required IP ranges
I have written in detail about compiling ranges for Internet providers and geographical locations in the article ‘How to collect Location, Country or ISP IP Ranges’. Since that guide is intended for Linux users, the online service suIP.biz may be more convenient for you:
IP Range Syntax
Router Scan supports several types of ranges:
1. A single IP address - only one address per line.
2. Normal range - specify the start and end addresses, separated by a hyphen (minus).
- 254 addresses will be scanned.
- 10 addresses will be scanned.
3. Range with bitmask - indicates the IP address of the network and the number of fixed bits (network mask), they are separated by a slash.
- The first 24 bits of the address do not change, there are 32 - 24 = 8 free bits.
- 2^8 = 256 addresses will be scanned.
- The first 12 bits of the address do not change, there are 32 - 12 = 20 free bits.
- 2^20 = 1048576 addresses will be scanned.
More information about such ranges can be read on Wikipedia.
4. Octet range in the Nmap style - individual octets of the IP address can be specified in the form of ranges through a hyphen, or as a comma-separated list.
- 254 addresses will be scanned, from 10.0.0.1 to 10.0.0.254.
- 2 addresses, 10.0.2.1 and 10.0.4.1 will be scanned.
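Before a range list is used in an authorized audit, it helps to confirm how many addresses each line covers and whether it stays inside private address space. The following is an added example, not part of Router Scan or the original article: it parses the four syntax types described above, and the sample range strings are constructed.

```python
import ipaddress

# RFC 1918 private blocks, as listed in the table above.
PRIVATE_BLOCKS = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def octet_values(spec):
    """Expand one octet spec such as '1-254' or '2,4' into a sorted list."""
    values = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 0 <= lo <= hi <= 255:
            raise ValueError(f"bad octet spec: {part!r}")
        values.update(range(lo, hi + 1))
    return sorted(values)


def summarize(line):
    """Return (address_count, inside_one_private_block) for one range line."""
    line = line.strip()
    if "/" in line:                                      # type 3: bitmask
        net = ipaddress.ip_network(line, strict=False)
        count, first, last = net.num_addresses, net[0], net[-1]
    elif line.count("-") == 1 and line.count(".") == 6:  # type 2: start-end
        first, last = (ipaddress.IPv4Address(p.strip()) for p in line.split("-"))
        if last < first:
            raise ValueError("range end precedes range start")
        count = int(last) - int(first) + 1
    else:                                                # types 1 and 4
        octets = [octet_values(o) for o in line.split(".")]
        if len(octets) != 4:
            raise ValueError(f"not an IPv4 range: {line!r}")
        count = 1
        for values in octets:
            count *= len(values)
        first = ipaddress.IPv4Address(".".join(str(v[0]) for v in octets))
        last = ipaddress.IPv4Address(".".join(str(v[-1]) for v in octets))
    # A CIDR block is one contiguous interval, so if the lowest and highest
    # address share a private block, everything between them does too.
    private = any(first in blk and last in blk for blk in PRIVATE_BLOCKS)
    return count, private


# Constructed sample lines, one per syntax type described above.
if __name__ == "__main__":
    for sample in ("192.168.1.10", "192.168.1.1-192.168.1.254",
                   "172.16.0.0/12", "10.0.0.1-254", "10.0.2,4.1", "8.8.8.8"):
        print(sample, summarize(sample))
```

The private-space flag is conservative: a list-style octet range whose addresses fall in two different private blocks is reported as not private.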
Router Scan Anonymous scanning via Tor
Router Scan supports proxying traffic through HTTP/HTTPS, HTTP CONNECT, SOCKS4, SOCKS4a and SOCKS5 proxies. Tor can also be used as a proxy, with all the attendant benefits: IP hiding, free, stable connection, traffic encryption.
Note: If you are using an HTTP/HTTPS type proxy server, it will only be used to send HTTP requests and responses; attempts to connect to ports and socket data transfers bypass the proxy server. To proxy socket connections, use either an HTTP CONNECT or a SOCKS proxy.
Tor setup on Windows
Go to the downloads section of the Tor project site and download the Expert Bundle. Not the Tor Browser: for our purposes we need the Expert Bundle.
Unpack the downloaded archive to any location. Tor can be installed as a Windows service. This is a convenient option, because you do not need to start it every time or enter commands. But for now, for speed and clarity, we start the Tor process manually with default options.
Open the Windows PowerShell (admin) prompt, drag the file tor.exe from the unpacked archive into it, and wait until Tor finishes starting up:
This window does not need to be closed! Otherwise, communication with the Tor network will cease.
Now go to the Router Scan settings: < Main Menu >, then Settings and Tweaks, then HTTP Client. In the Proxy Server group, in the Type drop-down list, select SOCKS5. As the IP, enter 127.0.0.1, and as Port - 9050.
Scanning will now be performed via Tor.
NOTE: You cannot scan private networks via Tor!
Configuring and running Router Scan
The main button is multifunctional. When you start the scan, it is divided into two buttons - to stop and pause the scan. But it can also perform a number of other functions:
- [Start scan] - starts the process of scanning IP ranges.
- [Stop scan] - stops the scan.
- [||] - sets the scan to pause.
- [>>] - resumes scanning.
- [Force stop] - Forcibly stops scanning.
- [Stop import] - interrupts the import of the file into the table.
- [Stop upload] - interrupts the upload of data to the 3WiFi database (when automatic upload after the scan completes is enabled).
This parameter sets the maximum number of threads, that is, how many devices can be scanned in parallel and simultaneously.
Sets the connection waiting threshold for the device in milliseconds.
Note: Depending on the Internet service provider and the speed and stability of the connection, these parameters will have to be adjusted by feel to obtain stable scan results without loss of connection. If you think that the program does not use enough threads, and your system can provide more resources, try changing the scan mode in the program settings.
Determines which TCP ports will be scanned when scanning IP ranges.
- [+] allows you to add a new port to the end of the list.
- [-] removes the selected port from the list.
All ports are scanned using the standard HTTP/1.0 protocol, with the exception of ports 443, 4343 and 8443 - they are scanned over HTTPS using the OpenSSL library.
To widen coverage of the network, you can also add ports 81, 88, 8000, 8081, 8082, 8088, 8888, and the like to the list.
You can also change the list of ports by editing the ports.txt file.
Auto save scan results to hard drive
This function periodically and automatically saves the contents of the table selected for saving. To choose which table is saved, use the appropriate option. Adjustable parameters:
- Interval - the interval with which to save (in seconds).
- Format - in which format to save the file.
Supported file formats:
- XML 2003 Table - the XML format used by Microsoft Office 2003 (export only).
- CSV Table - text format CSV (import/export).
- Tab-delimited Text File - text format TXT with tab delimiters (import/export).
- IP:Port List - address list in IP address:port format (export only).
All files are saved in the program folder, in UTF-8 encoding (without BOM). File names correspond to the date and time of export.
To store, postprocess, or re-import the data, it is recommended to use the TXT format, or XML.
Enter the IP addresses or IP ranges that you want to scan in the ‘Enter IP ranges to scan’ field:
- [E] opens window of the IP range editor.
- [+] allows you to add one new range to the end of the list.
- [-] Deletes the selected range from the list.
- [x] completely erases the entire range list, including comments (beware, this is an irreversible action!).
- Router Scan (main) - the main scanning module; it is responsible for cracking the password for the web interface of the device and for obtaining information.
- Detect proxy servers - detects HTTP proxy servers and reports a successful find: ‘proxy server’ is added in parentheses in the name/device type column, and the real external address of the proxy server is written to the WAN IP Address column. To mark the record in the table of successful results, the text ‘Proxy Good Check’ is written to the DNS column.
- Use HNAP 1.0 - checks the host for support of the Home Network Administration Protocol v1.0 and for vulnerabilities in it. If it finds support, it writes ‘HNAP Info’ in the name/device type column. If the vulnerability is detected, it writes the text ‘HNAP bypass auth’ in the authorization column, as well as the received wireless network settings. Note: If the main module has already successfully picked the authorization password, the HNAP module will not be used. To force the HNAP vulnerability check, disable the main module and scan the device.
The following modules are included as a bonus and are not directly related to routers.
- SQLite Manager RCE - identifies vulnerable SQLite servers that have a vulnerability allowing execution of arbitrary PHP code. If SQLite Manager is found on the node, a link to it is written to the comment column. The result of the vulnerability check is displayed in the name/device type column. If the vulnerability is detected, the text ‘SQLite Good Check’ is written to the DNS column to mark the record in the table of successful results.
- Hudson Java Servlet - identifies vulnerable Hudson CI servers (as well as Jenkins CI) that have a vulnerability allowing execution of arbitrary Java code. If Hudson/Jenkins CI is found on the node, a link to it is written to the comment column. The result of the vulnerability check is displayed in the name/device type column. If the vulnerability is detected, the text ‘Hudson Good Check’ is written to the DNS column to mark the record in the table of successful results.
- phpMyAdmin RCE - searches for phpMyAdmin on the scanned node, and then checks it for a vulnerability allowing execution of arbitrary PHP code (exploit). If phpMyAdmin is found on the node, a link to it is written to the comment column. The result of the vulnerability check is displayed in the name/device type column. If the vulnerability is detected, the text ‘PMA Good Check’ is written to the DNS column to mark the record in the table of successful results.
It is also important to know that the modules work one after another, so a module can overwrite information in the columns that a previous module wrote.
Port Scanner Settings
Depending on the speed of your Internet connection and available PC resources, you can choose different scanning modes:
- Normal - optimized for working over a wireless network (i.e. when you are connected via Wi-Fi); it also does not clog the channel with connections and is convenient when you need to use the Internet during scanning.
Technical characteristics: a delay of 15 ms between each IP/port pair.
- Fast Scan - optimized for operation via Ethernet (when connected by cable). This mode can cause problems when you use Wi-Fi as the primary connection.
Technical characteristics: a delay of 15 ms between each IP address; all the specified ports are checked at once.
- Ultra Fast - can be used for high-speed connections (1 Gb/s or higher) on high-performance machines. Use this mode at your own risk: on an unsuitable system configuration it can break the connection to the Internet for a long time, cause a denial of service at your Internet provider, or harm the network adapter.
Technical characteristics: without delays, all available threads are used at once.
SYN send times
Changing this option is recommended only if you experience connection problems. It allows you to specify how many times to send a TCP SYN packet (request to connect to a port) and wait for a response.
The function can be useful when working under VPN with conflicting routes, or with an unstable connection.
On scan finish do
If you ran the scan for a long period of time, you might need this feature. You can select the following actions:
- Do nothing
- Close program
- Logoff user - exit the user's session.
- Shutdown - turn off the PC.
- Suspend - put the PC in sleep state (if the function is available on the system).
- Hibernate - perform hibernation and shut down the PC (if the function is available on the system).
If you have disabled automatic saving of results, you will be prompted to enable it so that you do not lose the scan results.
This mode allows you to open the program without a visible window, and immediately start the scan. This will bring up an icon in the system tray, click it to display the main window.
When scanning is complete, the results will be saved to the file, even if auto-saving is disabled.
Note: You must restart the program to enable or disable this option.
Sets the thread lifetime in minutes, i.e. the waiting threshold for processing a device. If processing does not finish within the specified time, it is forcibly terminated by the program, and the Timed out mark appears in the status column.
You can also turn off the waiting threshold by setting the Unlimited check box, but then the scan can be delayed indefinitely, waiting for hung threads to end.
Saving results in Excel format
If you choose to save as a .csv file and open the result of scanning in MS Excel, then some data is corrupted. For example, the number 818445915008 (the password for one of the Wi-Fi networks) after re-saving the file will look like 8,18446E+11.
Using Router Scan Results
Separate articles are devoted to these questions:
Briefly, access to network equipment settings allows an attacker to manipulate traffic, including carrying out attacks aimed at stealing passwords for sites, redirecting to fraudulent sites, blocking Internet connections, and infecting with malicious programs. The attacker even has the opportunity to change the firmware of the router.
Protection from Router Scan
Router Scan works by checking the default passwords of routers and by using vulnerabilities in their firmware. Therefore, the protection measures are straightforward:
- change factory passwords to enter the Admin panel
- update firmware of the device regularly
- change passwords for FTP, Telnet, SSH or disable these services if you do not use them
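On the monitoring side, the scanning behaviour this manual describes (one source probing web management ports on many hosts in quick succession) stands out in firewall logs. The following is an added example, not part of the original article or of Router Scan. The log format, thresholds and sample lines are constructed, and ports 80 and 8080 are an assumption added to the ports the manual names.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Ports named in the manual, plus 80 and 8080 (assumed common admin ports).
MGMT_PORTS = {80, 8080, 443, 4343, 8443, 81, 88, 8000, 8081, 8082, 8088, 8888}

# Constructed log lines: "<ISO time> <source> <destination> <dest port>".
SAMPLE_LOG = [
    "2024-01-01T10:00:00 203.0.113.7 198.51.100.1 80",
    "2024-01-01T10:00:00 203.0.113.7 198.51.100.1 8080",
    "2024-01-01T10:00:01 203.0.113.7 198.51.100.2 80",
    "2024-01-01T10:00:01 203.0.113.7 198.51.100.3 8443",
    "2024-01-01T10:00:02 203.0.113.7 198.51.100.4 4343",
    "2024-01-01T10:00:02 203.0.113.7 198.51.100.5 8888",
    "2024-01-01T10:00:05 203.0.113.20 198.51.100.1 443",   # one host, repeated
    "2024-01-01T10:07:00 203.0.113.20 198.51.100.1 443",
    "2024-01-01T10:00:09 203.0.113.30 198.51.100.2 22",    # not a web admin port
    "2024-01-01T10:00:00 203.0.113.40 198.51.100.1 80",    # slow: 4 hosts in 15 min
    "2024-01-01T10:05:00 203.0.113.40 198.51.100.2 80",
    "2024-01-01T10:10:00 203.0.113.40 198.51.100.3 80",
    "2024-01-01T10:15:00 203.0.113.40 198.51.100.4 80",
]


def find_sweeps(lines, min_hosts=4, window=timedelta(seconds=60)):
    """Map each sweeping source to the most distinct hosts it hit in one window."""
    hits_by_src = defaultdict(list)
    for line in lines:
        ts, src, dst, dport = line.split()
        if int(dport) in MGMT_PORTS:
            hits_by_src[src].append((datetime.fromisoformat(ts), dst))
    flagged = {}
    for src, hits in hits_by_src.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Slide the window start forward until it spans at most `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            hosts = {dst for _, dst in hits[start:end + 1]}
            if len(hosts) >= min_hosts:
                flagged[src] = max(flagged.get(src, 0), len(hosts))
    return flagged


if __name__ == "__main__":
    print(find_sweeps(SAMPLE_LOG))
```

A short window catches fast sweeps only; widening it also surfaces slow sources such as the fourth one in the sample, at the cost of more noise.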