REXT - Router Exploitation Toolkit

REXT is a toolkit for easily creating and using various Python scripts that work with embedded devices.

Requirements:

  • requests
  • paramiko
  • beautifulsoup4

Installation:

Clone the REXT repository with git (this is the recommended way if you want the REXT update command to work):
$ git clone https://github.com/j91321/rext.git
or download REXT as an archive:
$ wget https://github.com/j91321/rext/archive/master.zip
$ unzip master.zip


Install the dependencies:
Using pip:
$ pip install requests
$ pip install paramiko
$ pip install beautifulsoup4

or on Ubuntu:
$ sudo apt-get install python3-requests
$ sudo apt-get install python3-paramiko
$ sudo apt-get install python3-bs4

Running REXT

Start REXT console:
$ python3 rext.py

Usage:

After starting REXT you are presented with the REXT console interface.
REXT:Router EXploitation Toolkit
Author:Ján Trenčanský
Email:jan.trencansky(at)gmail.com
Twitter:@j91321
Version:0.0
License:GNU GPL v3
================================
>

You can type help to get a list of available commands, or help <command> to get information and example usage for a specific command.
>help

Documented commands (type help <topic>):
========================================
exit  help  load  show  unload  update

>help update
Help: update REXT functionality
Usage: update <argument>
Available arguments:
	no argument
		update REXT using git
	oui
		update MAC vendor database
	force
		do git reset --hard and update

>

The show command prints the list of directories or modules at the current depth.
decryptors/zyxel/>show
rom-0_decrypt
decryptors/zyxel/>

You can press tab to autocomplete a command, or tab twice to show the available options. E.g. typing load followed by tab-tab prints all available modules regardless of your current path.
misc/>load 
decryptors/draytek/vigor_config_old
decryptors/draytek/vigor_fw_decompress
decryptors/zyxel/rom-0_decrypt
exploits/linksys/ea6100_auth_bypass
exploits/netgear/n300_auth_bypass
exploits/zyxel/rom-0
harvesters/airlive/WT2000ARM
misc/accton/switch_backdoor_gen
misc/adb/a1_default_wpa_key
misc/adb/alice_cpe_backdoor
misc/arris/dg860a_mac2wps
misc/arris/tm602a_password_day
misc/belkin/mac2wps
misc/cobham/admin_reset_code
misc/draytek/vigor_master_key
misc/huawei/hg520_mac2wep
misc/huawei/hg8245_mac2wpa
misc/pirelli/drg_a255_mac2wpa
misc/sagem/fast_telnet_password
misc/sitecom/wlr-400X_mac2wpa
misc/vodafone/easybox_wpa2_keygen
scanners/allegrosoft/misfortune_cookie
misc/>load

You can use the load command to start a specific REXT module. Loading a module does not just change the directory; a new sub-console is actually created. You can see this by typing the help command: the list of available commands has changed. REXT module paths always follow the same convention: type/vendor/module.
misc/>load misc/arris/dg860a_mac2wps
misc/arris/dg860a_mac2wps>help

Documented commands (type help <topic>):
========================================
exit  help  mac  run  set

misc/arris/dg860a_mac2wps>

Typing info while a module is loaded prints basic information about the module and its options.
misc/arris/dg860a_mac2wps>info

Name:ARRIS DG860A WPS PIN Generator
File:dg860a_mac2wps.py
Author:Ján Trenčanský
License: GNU GPL v3
Created: 23.7.2015
Description: Generates WPS pin for Arris DG860A router based on mac
Based on: Work of Justin Oberdorf 
https://packetstormsecurity.com/files/123631/ARRIS-DG860A-WPS-PIN-Generator.html

Options:
    Name        Description

    mac         MAC address used as input for WPS pin generation
misc/arris/dg860a_mac2wps>

Here you can use the mac command to print the current MAC address, or the set command to set a new MAC address. After you are done configuring the module properties, you can execute the module with the run command (this applies to all modules regardless of their type). Some basic validations are in place that prevent you from setting incorrect values.
misc/arris/dg860a_mac2wps>mac
00:00:00:00:00
misc/arris/dg860a_mac2wps>set mac 11:22:33:44:55
Error: please provide valid MAC address
misc/arris/dg860a_mac2wps>set mac 00:50:56:C0:00:08
MAC set to: 00:50:56:C0:00:08 (VMware, Inc.)
misc/arris/dg860a_mac2wps>run
Success: 
WPS PIN: 62175401
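
The input validation and vendor lookup visible in the session above, as an added example (this is not REXT's own code). The function names, the "Unknown" fallback and the use of the IEEE oui.txt line layout for the vendor database are assumptions, and the sample database is constructed.

```python
import re

# Constructed sample in the layout of the IEEE oui.txt registry (assumption:
# the page does not say which format REXT's MAC vendor database uses).
SAMPLE_OUI_TXT = """\
00-50-56   (hex)\t\tVMware, Inc.
005056     (base 16)\t\tVMware, Inc.
00-00-0C   (hex)\t\tCisco Systems, Inc
00000C     (base 16)\t\tCisco Systems, Inc
"""

# Six hex octets; the backreference forces one separator style throughout.
_MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([:-])(?:[0-9A-Fa-f]{2}\1){4}[0-9A-Fa-f]{2}$")
_OUI_LINE_RE = re.compile(r"^([0-9A-F]{2})-([0-9A-F]{2})-([0-9A-F]{2})\s+\(hex\)\s+(.+)$")


def normalize_mac(value):
    """Return the MAC as upper-case colon-separated text, or None if invalid."""
    value = value.strip()
    if not _MAC_RE.match(value):
        return None
    return value.replace("-", ":").upper()


def parse_oui(text):
    """Build {"005056": "VMware, Inc."} from the '(hex)' lines of oui.txt."""
    vendors = {}
    for line in text.splitlines():
        m = _OUI_LINE_RE.match(line.strip())
        if m:
            vendors["".join(m.group(1, 2, 3))] = m.group(4).strip()
    return vendors


def set_mac(value, vendors):
    """Return the same messages the console session shows for set mac."""
    mac = normalize_mac(value)
    if mac is None:
        return "Error: please provide valid MAC address"
    # The first three octets are the vendor prefix (OUI); "Unknown" is an
    # assumed fallback for prefixes missing from the database.
    vendor = vendors.get(mac.replace(":", "")[:6], "Unknown")
    return "MAC set to: {} ({})".format(mac, vendor)


if __name__ == "__main__":
    db = parse_oui(SAMPLE_OUI_TXT)
    for candidate in ("11:22:33:44:55", "00:50:56:C0:00:08", "00-50-56-c0-00-08"):
        print(set_mac(candidate, db))
```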

Now that the module has been executed, you may wish to load a different module. You can do this by typing the back command. This command exits only the current module and returns you to the main REXT console. If you type exit, it will exit REXT.

You can use the unload command to get to the REXT root directory, but this is not necessary, since the load command works with absolute paths.
misc/arris/dg860a_mac2wps>back
misc/arris/>unload
>show
exploits
misc
harvesters
scanners
decryptors
>exit
Bye!


