This project is an extension of the Singularity of Origin tool, which allows you to perform DNS rebinding attacks.
Router Vulnerability Scan Tool performs this type of attack on routers:
- performs DNS rebinding;
- verifies the existence of known vulnerabilities and exploits;
- checks the security level of the access credentials.
Requirements:
- Go version 1.16 or newer;
- Python 3.7 or newer;
- Selenium;
- A Linux server with a public IP address; the server can be obtained from a hosting provider, such as Linode, Amazon AWS, etc.
- A domain name; you can buy one from Namecheap, Gandi, etc. You need to be able to add and edit your own DNS records for your domain.
From the DNS management web interface of the domain registrar from which the domain was purchased, the following DNS records must be added:
- Type: "A" Name: "rebinder", IPv4: "youripaddress". This record allows you to access the application also by typing "rebinder.yourdomain".
- Type: "NS" Name: "dynamic", Hostname: "rebinder.yourdomain". This record allows you to access the application through any subdomain of the type ".dynamic.yourdomain.", for example "foo.dynamic.yourdomain".
- Type: "A" Name: "*", IPv4: "youripaddress". This record is required in order to use the browser as a proxy.
To install Go, follow the instructions on the official Go Programming Language web site.
Install Python 3.7+ on the Linux server; you can download Python from the following link.
Install the Python Selenium package.
To download the application you need to clone the repository with the following command:
$ git clone https://github.com/peace27-96/Router-Vulnerability-Scan-Tool.git
To compile the application, you need to run the following commands:
$ cd Router-Vulnerability-Scan-Tool/router-vulnerability-scan-tool/cmd/singularity-server
$ go build
To deploy the application, run the following commands from the directory ~/Router-Vulnerability-Scan-Tool/router-vulnerability-scan-tool/cmd/singularity-server.
$ mkdir -p ~/Router-Vulnerability-Scan-Tool/router-vulnerability-scan-tool/html
$ cp singularity-server ~/Router-Vulnerability-Scan-Tool/router-vulnerability-scan-tool/
$ cp -r ../../html/* ~/Router-Vulnerability-Scan-Tool/router-vulnerability-scan-tool/html/
Run the following commands:
$ cd ~/Router-Vulnerability-Scan-Tool/router-vulnerability-scan-tool/
$ sudo ./singularity-server --HTTPServerPort 80
The application uses UDP port 53, therefore it is necessary to "kill" the server processes listening on this port.
On Ubuntu 18.04 LTS, by default, systemd-resolved is listening on UDP port 53. To be able to "kill" this process, run the following command:
$ sudo systemctl disable --now systemd-resolved.service
Then edit the /etc/resolv.conf file, delete 127.0.0.53 and replace it with the IP address of a DNS server, for example 8.8.8.8, the IP address of the Google DNS server.
To verify that the setup and installation of the application have been successful, it is advisable to run a test, not directly against your router, but against a specially created web server running on your machine.
- Run the application;
- Create the web server on your machine: to create and start the web server, execute the following command:
$ python3 -c 'import http.server as hs; hs.HTTPServer(("127.0.0.1", 80), hs.SimpleHTTPRequestHandler).serve_forever()'
from a directory on your machine that contains some files;
- Connect with the browser to the application;
- Enter "dynamic.yourdomain" in the attack host domain;
- Enter "youripaddress" in the attack host domain;
- Enter "127.0.0.1" in the attack host domain;
- Run the test;
- The contents of the web server directory should appear in the application console.
The application implements an external module that can be downloaded to your device to brute force the credentials of your router.
- Download the dictionary-attack-module folder to your device;
- install Python and Selenium on your device as described above;
- make the Python script executable by typing the following command:
$ chmod +x dictionary-attack.py
- run the Python script:
$ ./dictionary-attack.py
To brute force the router's credentials, the application tests the username and password combinations stored in the files:
~/Router-Vulnerability-Scan-Tool/router-vulnerability-scan-tool/python/resources/users.txt
~/Router-Vulnerability-Scan-Tool/router-vulnerability-scan-tool/python/resources/passwords.txt
Just edit these files to add new credentials to test.
To add a new router to be tested, you need to modify the file ~/router-vulnerability-scan-tool/html/resources/router-config.json, which contains a list of router objects. Each router is defined as follows:
- brand: name of the company that manufactures the router;
- model: string that identifies the model of the router;
- identificationKeys: set of strings that appear in the HTML of the router's web page. They are used by the system to identify the router automatically;
- username: XPath rule to intercept the username input field in the router web page;
- password: XPath rule to intercept the password input field in the router web page.
The configuration file is easily extendable: to add a new router, just edit the file and enter the information described above.
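A sketch of the entry format with a sanity check to run before adding an entry, written as an added example and not taken from the project's code. It assumes router-config.json is a top-level JSON array and that a router is identified only when all of its identificationKeys occur in the page; the ExampleCo entries and the sample page are constructed.

```python
import json

# Field names come from the README. Assumptions: the file is a top-level JSON
# array, and a router matches only when every identificationKey is in the HTML.

def balanced(xpath):
    """Cheap XPath sanity check: brackets and quotes must pair up."""
    stack, quote, closers = [], None, {"]": "[", ")": "("}
    for ch in xpath:
        if quote:
            quote = None if ch == quote else quote
        elif ch in "'\"":
            quote = ch
        elif ch in "[(":
            stack.append(ch)
        elif ch in closers and (not stack or stack.pop() != closers[ch]):
            return False
    return not stack and quote is None


def validate_router(entry):
    """Return the list of problems found in one router object."""
    problems = []
    for field in ("brand", "model", "username", "password"):
        value = entry.get(field)
        if not (isinstance(value, str) and value.strip()):
            problems.append(f"{field}: missing or empty")
        elif field in ("username", "password") and not balanced(value):
            problems.append(f"{field}: unbalanced XPath")
    keys = entry.get("identificationKeys")
    if not (isinstance(keys, list) and keys
            and all(isinstance(k, str) and k for k in keys)):
        problems.append("identificationKeys: need a non-empty list of strings")
    return problems


def identify(html, routers):
    """Models of the valid entries whose keys all occur in the page HTML."""
    return [r["model"] for r in routers if not validate_router(r)
            and all(k in html for k in r["identificationKeys"])]


# Constructed sample entries and page; vendor, models and markup are made up.
SAMPLE = json.loads("""[
 {"brand": "ExampleCo", "model": "EX-100", "identificationKeys": ["EX-100", "loginForm"],
  "username": "//input[@id='user']", "password": "//input[@id='pass']"},
 {"brand": "ExampleCo", "model": "EX-200", "identificationKeys": [],
  "username": "//input[@name='u'", "password": ""}]""")
PAGE = "<title>ExampleCo EX-100</title><form id='loginForm'></form>"
```

The second sample entry is deliberately malformed, so `validate_router` reports it and `identify` skips it.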
For further details and information, consult the detailed documentation on the wiki pages of Singularity of Origin.