How to exploit home routers for anonymity

This article is just a demo for educational purposes. To those who say this sort of information should be censored, I say you can close your eyes and shout, “la-la-la-la-this-doesn’t-exist” all you want but that won’t make practices like those outlined below disappear. Only through awareness can you grow and protect yourself and others.

Download device-pharmer
git clone
Device-pharmer will take advantage of Shodan and concurrently test 1000 hosts from the search results to find open targets. It will print the IP, port, and title of the page if the connection was successful. All successful connections will be logged in _results.txt in the current working directory. Device-pharmer will be included by default in the next update of Kali.

Get a Shodan API key
1) Sign up for a free Shodan account


2) Search Google for one shodan api key
This is not an optimized search. It’s just to give you an idea of how to find this sort of information.

Choose a router model to target
Search Google/Amazon/Cuil for routers with baked-in VPN support. Perhaps, “vpn router” might do the trick ;). PPTP and OpenVPN are probably the easiest to set up. We’ll pretend for the rest of this exercise that the common D-Link DIR-300 is a router with baked-in PPTP VPN support via stock firmware.

(Optional) Find a free HTTP proxy
git clone
python -s 2
This script scrapes a few reliable proxy sites for only high anonymity public proxies and concurrently tests the results against a few IP checking sites including an HTTPS one. Then it checks the proxy headers to ensure eliteness. It will display the fastest proxies that pass all tests first. -s 2 will show only the top 2 fastest proxies amongst all the results.
Choose Speed: Fast and Connection time: Fast

Search Shodan using device-pharmer
python -s 'dir-300' -a Wutc4c3T78gRIKeuLZesI8Mx2ddOiP4 --proxy --timeout 30

Alternatively if you know the default username/password you can tell the script to attempt to login to each device found:
python -s 'dir-300' -a Wutc4c3T78gRIKeuLZesI8Mx2ddOiP4 --proxy --timeout 30 -u admin -p password

-s: Search Shodan for ‘dir-300’; use single or no quotes
-a: Shodan API key
--proxy: Proxy all requests through this server (optional)
--timeout: By default it’s 12 seconds, but since we’re proxying our requests we’re going to want to increase that to account for the lag the proxy is going to introduce (optional)
-u: Try logging in with this username (optional)
-p: Try logging in with this password (optional)

If you have a free account you will only be given one page of results which amounts to 100 hosts. Plenty. If you have a pro account then you can use the -n option to specify how many pages of results you want to run through like “-n 5”.

Example results in the log file dir-300_results.txt without attempting to log in:

Set up dynamic DNS
Register a free account then go to Manage Hosts > Add Host and fill it out. Max of 3 hosts.

Visit one of the results from the log file “dir-300_results.txt” in your browser
1) Look for the dynamic DNS settings (usually under a link like “DDNS”) and set it up with your noip account
2) Look for the PPTP VPN settings once you’re in, enable it if necessary, and create an account for yourself.

Set up network manager
1) apt-get install network-manager-pptp-gnome
Assuming you’re in Kali.

Follow the instructions here.

Clear the router logs
Probably a good idea to do this before and after every session you make to the router. Safety first, of course. Usually you can find the logs in a link like “Settings” or “System” within the router web interface. If you can completely turn off the logs, even better.

Your own hypothetical personal VPN.

Ultimately this is one of the less malicious things you can do with this power. If you really wanted to do harm you could change the DNS to point to a malicious server amongst other things. You’d be pretty careless if you actually performed all the steps above as it’s illegal and not really very anonymous as ISPs have logs too. That being said, it doesn’t take much imagination to use similar steps from above and think of alternate ways to abuse a truly massive amount of internet connected devices. IP cameras, network attached storage devices, watches, phones, power plants, particle accelerators.

As the internet-of-things ramps up the amount of low hanging fruit you can find using methods described here is going to explode like the Cambrian.


Posted in Python
12 comments on “How to exploit home routers for anonymity”
  1. questions says:

    what about routers that only support

    • Option 1: Extremely low stealth; flash their firmware to OpenWRT or Tomato and configure it with OpenVPN or a PPTP VPN.
      Option 2: Google dork a dyndns account. Like maybe, ‘dyndns password’

      Those are not really the only two options, just a couple things off the top of my head.

      • 5Up Mushroom says:

        Having flashed a few routers to OpenWrt, I’m of the belief that you will need physical access to the router to pull this off. Furthermore, after the flash, you will not have external access to the router unless you were to flash a custom built version that opens a port for administration (whether that be the Web UI, SSH, or *shudder* telnet).

        On top of those nearly overwhelming caveats, the idea here is to be discreet. If you take a router offline for a few minutes, or switch their SSID, the owners are going to be suspicious and may tidy up their security hole.

    • Dade Murphy says:

      I believe that dyndns still offers something like 2 free hosts, but you have to log in to their site once every 30/60/90 days or something like that in order to keep the account active (not just have the router updating the address, but actually log into the site). Source: I use dyndns to update my dynamic dns settings on my home router, and occasionally if I ignore the warning email about it, then I lose my ability to update the dns settings automatically.

  2. Marcelo says:

    Thank you very much for this post, Dan. I’m bookmarking your site and hope to see many more great posts on this same line of router security.

  3. Jon says:

    If the owners catch on and their ISP gets involved to find you, you could potentially be in a world of hurt. Why not just use a service that’s on the up-and-up?

    I do agree with vocalizing the seriousness of the problem for end-users however.

    • Dylan says:

      If you perform all of this work from behind a good anonymous VPN or even Tor, you’re extremely unlikely to get caught.

  4. Brian says:

    Interesting read, but unless you want to end up in pound-me-in-the-ass prison one shouldn’t try these methods.

  5. ssdws says:

    For highly sensitive stuff you might want to consider wardriving a hotspot b/c even if there’s no logs there may be router caching that determined law enforcement could use.

  6. If you were to use a vpn acquired in this way with a Tails ISO image on thumbdrive and maybe a proxy anonymizer, wow.. you could virtually be invisible.

    ..and flashing someone’s router wouldn’t be a completely bad idea… You’d have to document the router’s current config and restore those settings on a customized rom (containing openvpn and/or noip dyndns) that you flashed. It’s possible…and would allow you temporary use…but you’d be discovered… but this isn’t a bad thing, if you only need it for a while and want to disappear later. Something like that sounds a bit nefarious though. I don’t know anything about that.
