Router Scan by Stas’M on Kali Linux (hacking of routers and Wi-Fi on an industrial scale)

Router Scan is able to find and identify various devices from a large number of well-known routers and, most importantly, extract useful information from them, in particular the characteristics of the wireless network: the method of protecting the access point (encryption), the access point name (SSID) and the access point key (passphrase). It also receives information about the WAN connection (convenient when scanning a local network) and displays the brand and model of the router. Information is obtained in two possible ways. The program will try to guess the login/password pair for the router from the list of standard passwords, as a result of which it will gain access. Alternatively, non-destructive vulnerabilities (or bugs) for a specific router model will be used to obtain the necessary information and/or bypass the authorization process.

Version 2.51

1. Added router models:
- @irLAN:
  R04P (wired)
- 3Com:
  OfficeConnect (in development)
- Boa ADSL:
  Sitecom Wireless 300N
- Cisco:
  WAP4410N
- D-Link:
  DES-2108 (wired)
  DVG-N5402GF
  DVG-N5402SP
- :
  @irLAN WR150
- ECI:
  B-FOCuS (wired)
- EVDO 3G Firmware:
  Shenzhen AirTouch 3G Wireless Router
- Huawei:
  HG8240 (wired)
  HG8240R (wired)
  HG8245T
  WS319
- Micro DSL:
  Eltex NTP-RG-1402G-W
  Eltex NTP-RG-1402G-W Rev. C
  Siemens ADSL SL2-141
  TP-LINK TD-W8960N V4
- NETGEAR:
  WNDR3700
- ONT GPON Home Gateway:
  Cambridge Wireless Router
- OpenWrt LuCI:
  TP-LINK TL-WR841N/ND v9
- OpenWrt X-Wrt:
  Eltex NTE-RG-1402F (wired)
  Eltex NTE-RG-1402G (wired)
  Eltex NTE-RG-1402G-W
- Thomson:
  Firmware STCF.01.16
  Firmware STCF.07.02
  Firmware STED.07.01
- TP-LINK:
  TL-MR3020
- ZyNOS ADSL:
  Kraun Wireless Router ADSL2/2+
- Other:
  Verizon Jetpack MiFi (in development)
  ZyNOS/TP-LINK (in development)
  MikroTik Router (in development, there may be bugs)

2. Updated parsers: OpenWrt LuCI, D-Link DSR, D-Link VoIP, Huawei Tech 1, Huawei Tech 2, Thomson/Technicolor, GPON ONT, EVDO 3G, Micro DSL, DD-WRT, NETGEAR WNR

3. Added exploitation of a vulnerability for D-Link DSR routers with old firmware - bypassing authorization and obtaining the administrator password (http://www.exploit-db.com/papers/30061/)

4. Fixed a bug in saving XML with disabled columns (all are saved with the correct column width)

5. Added exploitation of vulnerability for ECI B-FOCuS switches - obtaining administrator name and password

6. Fixed a bug when copying a host URL with port 443 (HTTPS link) to the clipboard
7. Partially fixed a design bug - the size of the scroll slider in tables
8. Fixed the procedure for checking authorization (Use credentials function)
9. Fixed a bug in determining the authorization type during initial redirection
10. Fixed processing of Huawei HG8245H router
11. Most parsers have been converted to a new format, there may be degradations and bugs, testing is required
12. Now the state of the main window is saved in the settings (normal or maximized to full screen)
13. Fixed time display (hours were displayed more than 24)
14. Table contents now move when dragging sliders
15. Added exploitation of vulnerability for Boa ADSL / Ralink firmware - obtaining administrator name and password
16. Added support for rebranded DD-WRT WISPR / Optisprint
17. Fixed a bug in copying device information
18. Added exploitation of vulnerability for Technicolor / Thomson - obtaining network settings without authorization
19. Added a request when stopping scanning (useful, because in some cases you can click it accidentally)
20. Added exploitation of vulnerabilities for NETGEAR - obtaining the administrator password, as well as network settings (http://cxsecurity.com/issue/WLB-2015020059)

Router Scan is an application that can be downloaded absolutely free. It scans routers that are within range of the Wi-Fi adapter. The adapter is required; the utility will not work without it. Not every adapter is suitable, and adapters connected by USB cable may have compatibility issues.

Functions

Most often, the Router Scan utility is used to obtain information about the router manufacturer, signal strength in decibels, and WAN connections. But that is not all the program can report. The user can also find out the SSID of access points, the key phrase, and other information about the security mechanism, such as WPA or WPA2.

Router Scan is also suitable for hacking routers. If you have a Wi-Fi adapter and this program, you can find out the password for the router. This process is called brute forcing. To carry it out, the program uses a built-in dictionary: the words are tried one by one in search of the key. To be honest, this type of hacking does not have a high success rate. Besides the dictionary, there is a second method: the program uses some vulnerabilities present in the router's security system. This is a more reliable tool, but it is only suitable for some router models.

Additional tools

The application has some additional features for user convenience. For example, you can create a CSV table to store the received data; these tables can later be filtered. There is also debug recording of TCP packets, and you can import data provided by other programs.

The program is constantly being improved. The developer adds new dictionaries to increase the chance of hacking. Information about new vulnerabilities of routers is also added.

Key Features

  • The application lets the user obtain information about nearby access points;
  • It can hack some routers;
  • It has its own database of recorded vulnerabilities of some routers for hacking them, but the number of routers that can be hacked is still not very large;
  • The received data can be conveniently placed in tables and filtered later;
  • Router Scan can be downloaded for free.

Description:
Router Scan is able to find and identify various devices from a large number of well-known routers and, most importantly, extract useful information from them, in particular the characteristics of the wireless network: the method of protecting the access point (encryption), the access point name (SSID) and the access point key (passphrase).

Additional Information:
It also receives information about the WAN connection (convenient when scanning a local network) and displays the brand and model of the router. Information is obtained in two possible ways: the program will try to guess the login/password pair for the router from the list of standard passwords, as a result of which it will gain access. Or, non-destructive vulnerabilities (or bugs) for a specific router model will be used to obtain the necessary information and/or bypass the authorization process.
The program will help you remember your login/password to enter the settings of your router, as well as the security key for your Wi-Fi network.
The program finds its own router in 2-3 seconds, and after 20-40 minutes of scanning it finds other devices. If you only need data about your own device, it is available after 10 seconds. The program can then be stopped and closed.

What's new in version 2.53:
(build 04.11.2015)
1. Added router models: (see the documentation for the full list)
2. Parsers have been updated: (see the documentation for the full list)
3. Added the ability to customize the table of successful results (selection by successful authorization, wireless or wired devices, as well as additional information)
4. Added selection of generation mode: off, automatic, or always on (automatic mode checks delays and can turn off generation when resources are intensively used)
5. Fixed a line break bug when copying device information
6. The range editor can now extract an IP address from a URL
7. Improved loading of program settings - if there are no settings files, they will be created with default parameters
8. Slightly improved disposal of threads during timeout or forced stop
9. Added the ability to exclude certain IP addresses and ports from scanning
10. Now you can select all records in the selected table at once by pressing Ctrl+A
11. Added support for loading found access points into the 3WiFi database
12. Fixed a UTF-8 encoding bug when exporting reports
13. The HNAP module will now skip the check if the main module has successfully received all the information before (to force a HNAP vulnerability check, disable the main module)
14. Fixed a bug that caused freezing when pausing scanning frequently.
15. The number of active threads in the status bar is now displayed in two numbers - active threads of the port scanner and handler
16. HTTP headers like Referer are now sent automatically
17. Fixed a bug in importing the last CSV column
18. Added function for debug recording of TCP packets
19. Added D-Link DAP-1360 exploit to bypass authorization and obtain administrator password
20. Authorization dictionaries have been updated
21. Reports in TXT and CSV formats now only support UTF-8 encoding (export/import)
22. Window position and size are now saved in settings
23. Fixed a bug changing the interval for automatically saving results in the settings
24. Added Micro DSL (Sagemcom) exploit to obtain administrator password (https://www.exploit-db.com/exploits/37801/)
25. Fixed a bug in CSV import with double quotes at the end of the field
26. Added exploit for ASUS Boa ADSL (service account)
27. Tab characters are now filtered when entering ranges
28. WPS PIN Companion can now import BSSID list from JumpStart Wireless (also known as TP-LINK QSS)
29. Fixed a bug in checking IP exclusions from scanning
30. Improved use and utilization of scan threads, now the program consumes less system resources
31. The set of provided LibRouter APIs has changed; when using the library in your applications, check out the updates in the manual
32. Port 4343 added to the list of HTTPS ports
33. Added exploit to obtain administrator username and password on Realtek eCos Webs devices
34. Added an exploit to obtain the administrator name and password on D-Link COMM firmware
35. Fixed a bug with automatic installation of the definition page during the initial redirection
36. Added the ability to import reports by adding them to existing data in the table
37. Added the ability to set a comment for several lines at once
38. Added the ability to delete rows in the main table and search results
39. When a thread stops, all connections it opened are automatically terminated
40. When Watchdog is enabled, the IP address will be logged, during scanning of which connection problems were detected
41. Now in the range editor you can double-click on a problematic line by mistake
42. Added an exploit to obtain data from some NETGEAR access points without authorization
43. Added an exploit to obtain the name and password of some D-Link access points without authorization
44. Fixed a bug in the HTTP client when processing a redirect to HTTPS
45. Added license agreement and improved documentation for the program

Portable Features:
Portable version of the program, works without installation on a computer.

New 2019:

Beta version 2.60 has been released with wireless network audit capabilities. If you have problems downloading, use Download Master or the friGate browser plugin.
