Good Morning friends. AirOS is the firmware maintained by Ubiquiti Networks for its airMAX products, which include routers and switches. This firmware is Linux-based. The Metasploit module we use today exploits a file upload vulnerability in the firmware to install a new root user in /etc/passwd and an SSH key in /etc/dropbear/authorized_keys. So let’s see hacking Ubiquiti AirOS. Start Metasploit and load the exploit as shown below. Type the command “show options” to see what options we need to set.
The only option we need to set is our target IP address. If you have followed my previous howtos, you already know how to find the vulnerable targets. Set the target IP address as shown below. This module does not support the “check” command. No problem. Type the command “show payloads” to see the payloads we can use with this exploit. We normally have only one, i.e., interacting with the target’s shell. Set the payload.
Type “run” to execute our exploit. We will get the command shell of our target as shown below.
Let’s check it. Type the command “ls” to list the contents of the present directory.
This is the passwd file of our target which has been overwritten by our exploit.
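The two files named above (/etc/passwd and /etc/dropbear/authorized_keys) are exactly where a defender should look for traces of this module. The script below is an added example, not part of the original post or of the Metasploit module: it parses both files and flags any UID-0 account other than root and any SSH key that is not on an allow-list. The sample file contents and the user name “backdoor” are constructed for illustration.

```python
"""Audit AirOS-style /etc/passwd and dropbear authorized_keys for the
artifacts left by a root-user / SSH-key implant. Sample data is constructed."""

# Constructed sample /etc/passwd: stock entries plus one appended UID-0 user.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/false
backdoor:x:0:0::/root:/bin/sh
"""

# Constructed sample /etc/dropbear/authorized_keys (key blobs are fake).
SAMPLE_KEYS = """ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC7trusted ops@mgmt
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDXunknown attacker
"""

# Allow-list of the exact "type blob" pairs the operator deployed on purpose.
TRUSTED_KEYS = {"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC7trusted"}


def extra_uid0_accounts(passwd_text, expected=("root",)):
    """Return account names that have UID 0 but are not in `expected`,
    plus any name that appears more than once (a second 'root' line)."""
    found, seen = [], set()
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 7:          # blank or malformed line; skip it
            continue
        name, uid = fields[0], fields[2]
        if name in seen:
            found.append(name + " (duplicate)")
        seen.add(name)
        if uid == "0" and name not in expected:
            found.append(name)
    return found


def unknown_authorized_keys(keys_text, trusted):
    """Return the comment (or key prefix) of each key not in `trusted`.
    Lines may carry leading options, so locate the 'type blob' pair."""
    unknown = []
    for line in keys_text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        for i in range(len(parts) - 1):
            if parts[i].startswith(("ssh-", "ecdsa-")):
                key = parts[i] + " " + parts[i + 1]
                if key not in trusted:
                    unknown.append(" ".join(parts[i + 2:]) or key[:30])
                break
    return unknown


def audit(passwd_text, keys_text, trusted):
    return {"extra_uid0": extra_uid0_accounts(passwd_text),
            "unknown_keys": unknown_authorized_keys(keys_text, trusted)}
```

On a real device the same functions can be fed the contents of the two files pulled over an existing management session, and any non-empty result is worth an incident ticket.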
Good Evening friends. Today we will see how to hack passwords of D-Link routers on the internet, and we are not talking about password cracking, although we will see that also in the future. Uffff, that was a very long sentence. Ok, now let’s see how to hack passwords of remote D-Link routers, but wait, there’s a catch. This howto will only work on D-Link DIR-645 routers. Now if you’re thinking who still uses that model, then you should just shhhhooodaaaan. Start Metasploit and load the “auxiliary/admin/http/dlink_dir_645_password_extractor” module as shown below.
It’s always good to see the information about our module as shown below.
Now set the RHOST option (i.e., the IP address of our target; you will get this from Shodan). Change the port to 8080.
Now execute the module by typing the command “run”. It will run as shown below. Don’t worry about the errors we get, as our module has already finished its job and saved the router’s passwords into a file.
Now let’s open the file. Copy the path of the file from above. Use any text editor to open the file. Below I have used gedit.
The file will open as shown below. We can see the credentials underlined (by me). So it says the username is admin and the password is empty. Now let’s check it out.
Open your browser and go to the router address as shown below. The router login page should open.
Without entering any password, click on Login. You should get access to the router as shown below.