Merge branch 'master' of https://github.com/reverse-shell/routersploit

Upgrading forked repository

README.md

@@ -14,8 +14,9 @@ It consists of various modules that aids penetration testing operations:
 
 # Installation
 
-	sudo apt-get install python-requests python-paramiko python-netsnmp
 	git clone https://github.com/reverse-shell/routersploit
+	cd routersploit
+	pip install -r requirements.txt
 	./rsf.py
 
 # Update

routersploit/interpreter.py

@@ -86,7 +86,7 @@ class BaseInterpreter(object):
                 command_handler(args)
             except RoutersploitException as err:
                 utils.print_error(err)
-            except KeyboardInterrupt:
+            except (KeyboardInterrupt, EOFError):
                 print()
                 utils.print_status("routersploit stopped")
                 break

routersploit/modules/creds/http_form_bruteforce.py

@@ -34,8 +34,9 @@ class Exploit(exploits.Exploit):
     threads = exploits.Option(8, 'Number of threads')
     usernames = exploits.Option('admin', 'Username or file with usernames (file://)')
     passwords = exploits.Option(wordlists.passwords, 'Password or file with passwords (file://)')
-    form = exploits.Option('auto', 'Post Data: auto or in form login={{LOGIN}}&password={{PASS}}&submit')
+    form = exploits.Option('auto', 'Post Data: auto or in form login={{USER}}&password={{PASS}}&submit')
     path = exploits.Option('/login.php', 'URL Path')
+    form_path = exploits.Option('same', 'same as path or URL Form Path')
     verbosity = exploits.Option('yes', 'Display authentication attempts')
 
     credentials = []
@@ -46,9 +47,15 @@ class Exploit(exploits.Exploit):
         self.credentials = []
         self.attack()
 
+    def get_form_path(self):
+        if self.form_path == 'same':
+            return self.path
+        else:
+            return self.form_path
+
     @multi
     def attack(self):
-        url = sanitize_url("{}:{}{}".format(self.target, self.port, self.path))
+        url = sanitize_url("{}:{}{}".format(self.target, self.port, self.get_form_path()))
 
         try:
             requests.get(url, verify=False)
@@ -61,11 +68,15 @@ class Exploit(exploits.Exploit):
 
         # authentication type
         if self.form == 'auto':
-            self.data = self.detect_form()
+            form_data = self.detect_form()
 
-            if self.data is None:
+            if form_data is None:
                 print_error("Could not detect form")
                 return
+
+            (form_action, self.data) = form_data
+            if form_action:
+                self.path = form_action
         else:
             self.data = self.form
 
@@ -116,7 +127,7 @@ class Exploit(exploits.Exploit):
                 self.invalid["max"] = l
 
     def detect_form(self):
-        url = sanitize_url("{}:{}{}".format(self.target, self.port, self.path))
+        url = sanitize_url("{}:{}{}".format(self.target, self.port, self.get_form_path()))
         r = requests.get(url, verify=False)
         soup = BeautifulSoup(r.text, "lxml")
 
@@ -125,20 +136,22 @@ class Exploit(exploits.Exploit):
         if form is None:
             return None
 
+        action = form.attrs.get('action', None)
+
         if len(form) > 0:
             res = []
             for inp in form.findAll("input"):
                 if 'name' in inp.attrs.keys():
-                    if inp.attrs['name'].lower() in ["username", "user", "login"]:
+                    if inp.attrs['name'].lower() in ["username", "user", "login", "username_login"]:
                         res.append(inp.attrs['name'] + "=" + "{{USER}}")
-                    elif inp.attrs['name'].lower() in ["password", "pass"]:
+                    elif inp.attrs['name'].lower() in ["password", "pass", "password_login"]:
                         res.append(inp.attrs['name'] + "=" + "{{PASS}}")
                     else:
                         if 'value' in inp.attrs.keys():
                             res.append(inp.attrs['name'] + "=" + inp.attrs['value'])
                         else:
                             res.append(inp.attrs['name'] + "=")
-        return '&'.join(res)
+        return (action, '&'.join(res))
 
     def target_function(self, running, data):
         module_verbosity = boolify(self.verbosity)

routersploit/modules/creds/http_form_default.py

@@ -32,8 +32,9 @@ class Exploit(exploits.Exploit):
     port = exploits.Option(80, 'Target port')
     threads = exploits.Option(8, 'Number of threads')
     defaults = exploits.Option(wordlists.defaults, 'User:Pass or file with default credentials (file://)')
-    form = exploits.Option('auto', 'Post Data: auto or in form login={{LOGIN}}&password={{PASS}}&submit')
+    form = exploits.Option('auto', 'Post Data: auto or in form login={{USER}}&password={{PASS}}&submit')
     path = exploits.Option('/login.php', 'URL Path')
+    form_path = exploits.Option('same', 'same as path or URL Form Path')
     verbosity = exploits.Option('yes', 'Display authentication attempts')
 
     credentials = []
@@ -44,9 +45,15 @@ class Exploit(exploits.Exploit):
         self.credentials = []
         self.attack()
 
+    def get_form_path(self):
+        if self.form_path == 'same':
+            return self.path
+        else:
+            return self.form_path
+
     @multi
     def attack(self):
-        url = sanitize_url("{}:{}{}".format(self.target, self.port, self.path))
+        url = sanitize_url("{}:{}{}".format(self.target, self.port, self.get_form_path()))
 
         try:
             requests.get(url, verify=False)
@@ -59,11 +66,15 @@ class Exploit(exploits.Exploit):
 
         # authentication type
         if self.form == 'auto':
-            self.data = self.detect_form()
+            form_data = self.detect_form()
 
-            if self.data is None:
+            if form_data is None:
                 print_error("Could not detect form")
                 return
+
+            (form_action, self.data) = form_data
+            if form_action:
+                self.path = form_action
         else:
             self.data = self.form
 
@@ -109,7 +120,7 @@ class Exploit(exploits.Exploit):
                 self.invalid["max"] = l
 
     def detect_form(self):
-        url = sanitize_url("{}:{}{}".format(self.target, self.port, self.path))
+        url = sanitize_url("{}:{}{}".format(self.target, self.port, self.get_form_path()))
         r = requests.get(url, verify=False)
         soup = BeautifulSoup(r.text, "lxml")
 
@@ -118,20 +129,22 @@ class Exploit(exploits.Exploit):
         if form is None:
             return None
 
+        action = form.attrs.get('action', None)
+
         if len(form) > 0:
             res = []
             for inp in form.findAll("input"):
                 if 'name' in inp.attrs.keys():
-                    if inp.attrs['name'].lower() in ["username", "user", "login"]:
+                    if inp.attrs['name'].lower() in ["username", "user", "login", "username_login"]:
                         res.append(inp.attrs['name'] + "=" + "{{USER}}")
-                    elif inp.attrs['name'].lower() in ["password", "pass"]:
+                    elif inp.attrs['name'].lower() in ["password", "pass", "password_login"]:
                         res.append(inp.attrs['name'] + "=" + "{{PASS}}")
                     else:
                         if 'value' in inp.attrs.keys():
                             res.append(inp.attrs['name'] + "=" + inp.attrs['value'])
                         else:
                             res.append(inp.attrs['name'] + "=")
-        return '&'.join(res)
+        return (action, '&'.join(res))
 
     def target_function(self, running, data):
         module_verbosity = boolify(self.verbosity)

routersploit/modules/scanners/autopwn.py

@@ -17,9 +17,9 @@ class Exploit(exploits.Exploit):
     __info__ = {
         'name': 'AutoPwn',
         'description': 'Scanner module for all vulnerabilities.',
-        'author': [
+        'authors': [
             'Marcin Bury <marcin.bury[at]reverse-shell.com>',  # routersploit module
-         ],
+        ],
     }
 
     target = exploits.Option('', 'Target IP address e.g. 192.168.1.1')  # target address

routersploit/modules/scanners/dlink_scan.py

@@ -17,7 +17,7 @@ class Exploit(exploits.Exploit):
     __info__ = {
         'name': 'D-Link Scanner',
         'description': 'Scanner module for D-Link devices',
-        'author': [
+        'authors': [
             'Marcin Bury <marcin.bury[at]reverse-shell.com>',  # routersploit module
         ],
     }

routersploit/utils.py

@@ -314,7 +314,7 @@ def pprint_dict_in_order(dictionary, order=None):
         prettyprint(rest_keys, dictionary[rest_keys])
 
 
-def random_text(length, alph=string.letters+string.digits):
+def random_text(length, alph=string.ascii_letters+string.digits):
     """ Random text generator. NOT crypto safe.
     
     Generates random text with specified length and alphabet.

routersploit/wordlists/defaults.txt

@@ -166,6 +166,7 @@ admin:rmnetlm
 admin:root
 admin:secure
 admin:setup
+admin:sky
 admin:smallbusiness
 admin:smcadmin
 admin:superuser

routersploit/wordlists/passwords.txt

@@ -3,22 +3,40 @@ $chwarzepumpe
 $secure$
 (brak)
 0
+000000
 0P3N
 10023
+102030
 1064
-Test1234!
 1111
+111111
+11111111
+112233
+121212
 123
+123123
+123123123
+123321
 1234
 12345
 123456
+1234567
+12345678
+123456789
+1234567890
 1234admin
+123654
+123qwe
 12871
 1502
 166816
+1q2w3e
+1q2w3e4r
+1qaz2wsx
 21241036
 2222
 22222
+222222
 240653C9467E45
 266344
 31994
@@ -29,12 +47,18 @@ Test1234!
 456
 4getme2
 4tas
+555555
 561384
 5678
 56789
 5777364
+654321
+666666
+753951
+7777777
 8111
 8429
+987654321
 9999
 @dsl_xilno
 ADMINISTRATOR
@@ -122,6 +146,7 @@ RSX
 SECURITY
 SERVICE
 SESAME
+sky
 SKY_FOX
 SMDR
 SSA
@@ -140,6 +165,7 @@ TELESUP
 TENmanUFactOryPOWER
 TJM
 Telecom
+Test1234!
 UI-PSWD-01
 UI-PSWD-02
 User
@@ -148,7 +174,11 @@ WORD
 Wireless
 XLSERVER
 _Cisco
+aaaaaa
+abc
 abc123
+abcd1234
+abcdef
 acc
 access
 adfexc
@@ -163,6 +193,9 @@ adress
 adslolitec
 adslroot
 adtran
+alexander
+andrea
+andrew
 anicust
 any@
 apc
@@ -170,12 +203,19 @@ articon
 asante
 ascend
 asd
+asdasd
+asdfasdf
+asdfgh
+asdfghj
+asdfghjkl
 at4400
 atc123
 atlantis
 attack
+azerty
 backdoor
 barricade
+baseball
 bciimpw
 bcimpw
 bcmspw
@@ -186,6 +226,7 @@ blank
 blender
 bluepw
 browsepw
+buster
 cacadmin
 calvin
 cascade
@@ -195,6 +236,8 @@ cgadmin
 changeme
 changeme(exclamation)
 changeme2
+charlie
+chocolate
 cisco
 citel
 client
@@ -202,6 +245,7 @@ cmaker
 cms500
 col1ma
 comcomcom
+computer
 connect
 corecess
 craft
@@ -211,6 +255,7 @@ custpw
 d1scovery
 dadmin01
 danger
+daniel
 davox
 default
 detmond
@@ -219,6 +264,7 @@ dhs3mt
 dhs3pms
 diamond
 draadloos
+dragon
 e250changeme
 e500changeme
 engineer
@@ -228,16 +274,22 @@ epicrouter
 expert
 expert03
 extendnet
+fdsa
 field
 fivranne
+football
+freedom
 friend
+fuckyou
 ganteng
 gen1
 gen2
 ggdaseuaimhrke
+ginger
 guest
 h179350
 hagpolm1
+hannah
 hawk201
 hello
 help
@@ -247,6 +299,7 @@ hp.com
 hs7mwxkk
 hsadb
 iDirect
+iloveyou
 images
 imss7.0
 inads
@@ -256,11 +309,17 @@ initpw
 installer
 intel
 intermec
+internet
 ironport
 isee
 isp
 jannie
+jennifer
+jessica
+jordan
+joshua
 kermit
+killer
 kilo1987
 l2
 l3
@@ -271,6 +330,7 @@ letmein
 leviton
 linga
 live
+liverpool
 llatsni
 locatepw
 looker
@@ -278,18 +338,23 @@ lp
 lucenttech1
 lucenttech2
 m1122
+maggie
 maint
 maintpw
 manager
 master
 masterkey
+matrix
 mediator
 medion
 mercury
+michael
 michelangelo
+michelle
 microbusiness
 mlusr
 monitor
+monkey
 mono
 motorola
 mtch
@@ -304,6 +369,7 @@ netgear1
 netman
 netopia
 netscreen
+nicole
 nimdaten
 nmspw
 nokai
@@ -324,15 +390,21 @@ passwort
 patrol
 pbxk1064
 pento
+pepper
 permit
 pfsense
 pilou
 piranha
+princess
 private
 public
 public/private/secret
+purple
 pwp
 q
+qazwsx
+qwerty
+qwertyuiop
 r@p8p0r+
 radius
 radware
@@ -348,6 +420,7 @@ router
 rw
 rwa
 rwmaint
+samsung
 scmchangeme
 scout
 secret
@@ -356,18 +429,24 @@ security
 serial#
 service
 setup
+shadow
 sitecom
 smallbusiness
 smcadmin
 smile
 snmp-Trap
+snoopy1
+soccer
 software01
 specialist
 speedxess
 star
 stratauser
 su@psir
+summer
+sunshine
 super
+superman
 superuser
 supervisor
 support
@@ -387,14 +466,18 @@ tech
 telco
 telecom
 tellabs#1
+test
+thomas
 tiaranet
 tiger123
+tigger
 timely
 tini
 tivonpw
 tlah
 trancell
 truetime
+trustno1
 tslinux
 tuxalize
 ubnt
@@ -406,7 +489,9 @@ w0rkplac3rul3s
 w2402
 wampp
 webadmin
+welcome
 wg
+whatever
 winterm
 wlsedb
 wlsepassword
@@ -418,4 +503,5 @@ xbox
 xd
 xdfk9874t3
 xxyyzz
-zoomadsl
+zoomadsl
\ No newline at end of file
+zxcvbnm