A router is the gateway that connects your devices to the internet using a set of protocols. Compromising a router is serious: the attacker can take control of the entire network behind it. Even now, in 2016, millions of routers are exposed to remote authentication. This is not strictly a vulnerability but a feature that becomes an attacker's pathway into your network if it is left unsecured. On many routers, port 80 is forwarded to the public internet by default and set up for remote administration. Typing the router's public IP into a browser takes you to the admin login panel; if that panel is reachable on the public IP, the router can be controlled remotely. The default username and password are both "admin". The credentials can also be brute-forced with THC-Hydra, or recovered through the rom-0 vulnerability: the router keeps a ROM file that stores its login credentials and settings, and this file can be downloaded and the credentials read out of it. The rom-0 file is compressed, so it has to be decompressed first, either with a decompression tool or with an online service. Once inside the router's control panel you can change the DNS servers, the ISP login credentials and the Wi-Fi password. All you need to start is the target's public IP address, which makes this a dead simple process. Because so many routers can be taken over this way, thousands of them could be compromised and turned into a botnet. The steps below work on both Windows and Linux.




Demo video

Scanning the IP

You can attack a specific target or a random one, as I am doing here. Kali Linux has many command-line tools for this, but here I am using a GUI tool, Angry IP Scanner, which is available for both Windows and Linux, has a clean interface and is easy to use. Download and open the tool and enable "Web detect" in its settings. It can scan all the neighbouring devices on your network. First find your public IP by googling it and paste it into Angry IP Scanner: in the first column replace the last octet with 0, and in the second column replace it with 255 (eg: if your ip is in the first column use and in second). This scans all 255 addresses and lists the live devices, marked in green. Sort the results by the Web detect column. Entries showing micro_httpd or RomPager are the live routers in your public network range; pick one and copy its IP. Paste it into a browser and use "admin" as both username and password. If that does not work, move on to brute-forcing or decompressing rom-0.

Decompressing Rom0

As I said before, not all routers are vulnerable to this attack. On some routers authentication can be bypassed and the ROM file fetched directly from the URL /rom-0: open a browser and enter http://"ip_address"/rom-0, or use the online service at rom-0.cz, where you can enter the target IP and test for the vulnerability. Once you have the rom-0 file, decompress it and extract the password with the online service routerpwn.com: upload the ROM file, decompress it and use the strings it contains to log in.

You may be asking "what can I do after hacking a router?" You can simply forward the sensitive ports and launch attacks against services such as SSH or FTP, or route the router's DNS to a fake DNS server. The best thing you can do is set fake DNS entries for Google, YouTube and Facebook, so that a phishing page can be served and login credentials captured. The crazy thing you can do is create a fake Google search page that downloads a malicious file when the user clicks the search button. I am not exposing the full details here; use your own skills to create a phishing page. Any doubts or questions? Post them in the comment section below. If you like this blog, give me a like on Facebook and add me on Google Plus. Subscribe to my YouTube channel for video tutorials.
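The DNS redirection described above is also the part of this attack a router owner can most easily detect from a client on the LAN. The following Python script is an added example and is not part of the original post: it audits the resolver addresses a router hands out against an allowlist and compares the A records a suspect resolver returns with those from a trusted resolver. The allowlist, the TEST-NET sample addresses and the hand-built response packet are constructed assumptions for the offline demonstration; the live query function builds a minimal UDP DNS packet itself rather than relying on a third-party library.

```python
"""Detect a hijacked DNS configuration on a home router (added example, not from the post).

Two checks a router owner can run from a LAN client:
  1. Are the resolvers the router hands out (DHCP option 6 or the WAN DNS page) expected?
  2. Do A records from the router's resolver agree with a trusted public resolver?
"""
import ipaddress
import os
import socket

# Allowlist of resolvers you expect to see (assumption: replace with your ISP's servers).
TRUSTED_RESOLVERS = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1", "9.9.9.9"}
# RFC 1918 ranges: a LAN address here is normally the router itself acting as a forwarder.
LAN_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def audit_resolvers(handed_out, trusted=TRUSTED_RESOLVERS):
    """Return the resolver addresses that are neither trusted nor on the LAN."""
    unexpected = []
    for addr in handed_out:
        ip = ipaddress.ip_address(addr)
        if addr in trusted or any(ip in net for net in LAN_RANGES):
            continue  # a LAN forwarder is fine; check what it forwards to on the router's DNS page
        unexpected.append(addr)
    return unexpected


def build_a_query(txid, name):
    """Build a minimal DNS A/IN query packet with the recursion-desired flag set."""
    header = txid + b"\x01\x00" + b"\x00\x01" + b"\x00\x00" * 3  # QDCOUNT=1, AN/NS/AR=0
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.strip(".").split(".")) + b"\x00"
    return header + qname + b"\x00\x01\x00\x01"  # QTYPE=A, QCLASS=IN


def _skip_name(data, offset):
    """Advance past a DNS name (labels or a compression pointer); return the new offset."""
    while True:
        length = data[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:  # two-byte compression pointer terminates the name
            return offset + 2
        offset += 1 + length


def parse_a_records(data, txid):
    """Return the set of IPv4 addresses in the answer section of a DNS response."""
    if data[:2] != txid:
        raise ValueError("transaction id mismatch: response does not belong to our query")
    qdcount = int.from_bytes(data[4:6], "big")
    ancount = int.from_bytes(data[6:8], "big")
    offset = 12
    for _ in range(qdcount):
        offset = _skip_name(data, offset) + 4  # skip QTYPE and QCLASS
    answers = set()
    for _ in range(ancount):
        offset = _skip_name(data, offset)
        rtype = int.from_bytes(data[offset:offset + 2], "big")
        rdlen = int.from_bytes(data[offset + 8:offset + 10], "big")  # after TYPE, CLASS, TTL
        rdata = data[offset + 10:offset + 10 + rdlen]
        if rtype == 1 and rdlen == 4:  # A record
            answers.add(str(ipaddress.IPv4Address(rdata)))
        offset += 10 + rdlen
    return answers


def resolve_a(resolver, name, timeout=2.0):
    """Ask one specific resolver for the A records of `name` over UDP port 53."""
    txid = os.urandom(2)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_a_query(txid, name), (resolver, 53))
        data, _ = sock.recvfrom(512)
    return parse_a_records(data, txid)


def answers_disagree(suspect, reference):
    """True when the two answer sets share no address at all.

    CDN-backed sites legitimately return different addresses from different resolvers,
    so a disagreement is a reason to look closer (reverse DNS, TLS certificate), not proof.
    """
    return bool(suspect) and not (suspect & reference)


# Constructed sample response: txid 0xabcd, one question (example.com A IN) and one
# A answer 93.184.216.34 with TTL 60, using a compression pointer back to the question name.
SAMPLE_RESPONSE = (
    b"\xab\xcd\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
    b"\x07example\x03com\x00\x00\x01\x00\x01"
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x3c\x00\x04" + bytes([93, 184, 216, 34])
)


def offline_demo():
    """Run both checks on constructed data and return the findings."""
    # Constructed DHCP resolver list: a TEST-NET-3 address stands in for a rogue server.
    unexpected = audit_resolvers(["8.8.8.8", "203.0.113.7"])
    parsed = parse_a_records(SAMPLE_RESPONSE, b"\xab\xcd")
    hijacked = answers_disagree(parsed, {"198.51.100.5"})  # constructed reference answer
    return unexpected, parsed, hijacked


if __name__ == "__main__":
    print(offline_demo())
    # Live use from a LAN client (assumes the router is 192.168.1.1):
    # print(answers_disagree(resolve_a("192.168.1.1", "www.example.com"),
    #                        resolve_a("1.1.1.1", "www.example.com")))
```

The resolver audit is the higher-signal check: a router that has been reconfigured as in the post hands out, or forwards to, an address that is neither the ISP's nor a public resolver you chose. The answer comparison catches the same thing when the router's DNS page cannot be inspected, but treat a mismatch as a prompt to verify the site's TLS certificate rather than as proof, because CDNs return different addresses to different resolvers.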

Categories: Hacking

Susmith Krishnan

I'm a computer enthusiast, basically, and I love to write blogs on tech issues and cyber security. I started penetration testing at the age of 16, and I would like to explore security vulnerabilities and the latest tech news and share them with you.


paolo rossi · July 21, 2016 at 10:36 pm

Bro, good work. Do you have a list of vulnerable routers?

    susmith HCK · July 22, 2016 at 10:45 am

    You cannot simply create a list of targets; the IP will change on each reboot, so you have to find it by scanning every time.

YummY · August 25, 2016 at 4:13 pm

I have access to many routers. But what could I do with it? What are the possibilities?

    susmith HCK · August 25, 2016 at 9:06 pm

    You can change the DNS servers and redirect them to the hacker's DNS server to fetch login credentials by creating fake pages. You can forward sensitive ports and directly attack the connected system.

Anonymous · February 8, 2017 at 2:29 pm

Hey. I've a D-Link router under control. I've set up remote management, so I am always able to log in to the router remotely from my home as well (I know the public IP address of the router). So, what I have is complete access to the router's pages. How do I go about attacks like DNS spoofing to spoof a particular site (say google.com) to another IP address? I can only see options like "Primary DNS Server:" and the like. Can you help?

    susmith HCK · February 11, 2017 at 10:40 am

    You can change the whole DNS server, not the entry for a single website. Make a fake DNS server with your targeted sites pointing to fake IPs. This is the only way.

Mk · April 27, 2017 at 2:29 am

I believe I've been subjected to an attack like this... How do I check? And how do I secure my router?

walkyrie · April 30, 2017 at 11:21 pm

Hi bro, thanks for all... I've one question please. I've a Netgear router under control over the internet, but when I'm connected to the router I don't have all authorisations (NAT, DNS... are disabled). How can I solve this?

walk · May 1, 2017 at 12:04 am

When I connect to the NETGEAR router interface over the internet some options (NAT, DNS....) are disabled. How can I solve this?

Shane · May 13, 2017 at 7:57 am

I started to scan but I haven't found any IPs. What can I do?

Cynthia A Moldaner · September 14, 2017 at 5:43 am

I would like to email a document. I have some questions about the tracert command. My tracert on my computer shows hop 1 as which is my router. The 2nd hop shows If I understand this correctly, the second hop is another router?

Hack ISP · February 5, 2018 at 12:57 pm

That's a nice discussion. It is helpful for a newbie like me. Your visitors benefit when you put up a video tutorial. I look forward to more resourceful articles on your website.
