How to hack routers in Windows (Router Scan by Stas’M)


Router Scan finds and identifies devices from a large number of known router models. Its main purpose is to extract useful information from them, in particular the characteristics of the wireless network: the access point's protection method (encryption), its name (SSID) and its key (passphrase).

It also retrieves information about the WAN connection (useful when scanning a local network) and shows the model of the router.


The information is obtained in one of two ways:

  1. The program tries to guess the router's username/password pair from a list of standard passwords, thereby getting access.
  2. Or vulnerabilities (bugs) specific to the router model are used, allowing it to get the necessary information and/or bypass the authorization process.

Wireless network detection and audit were added beginning with version 2.60, including 802.11a/b/g/n standards; you will need an integrated or external Wi-Fi interface to use these functions.

To achieve the best wireless audit results, 3WiFi service functions, WPA/WPA2 network key brute-force, WPS PIN audit, and the Pixie Dust attack were also added.

The program runs on Windows, but it can be run on Linux via Wine. You can download the program from the author's site. Password for the archive:

Stas'M Corp.

At the first start, the program will ask whether we want to send the received scan results to a shared database:


After version 2.53, Router Scan is integrated with the 3WiFi cloud services. It implements automated uploading of wireless access points from the scan results to the server.

The 3WiFi database is used by the Router Scan community to research new router vulnerabilities, WPS PIN generation algorithms, and more. The program's creator also monitors and detects scan issues in real time.

Do you allow automatic uploading? This option can be changed later in the program settings.

Scanning local and global networks

  • A network interface with a global IP address connects to the Internet directly, without intermediaries, and anyone on the Internet can connect to it.
  • The remaining IP addresses are private.

Of the approximately four billion addresses defined in IPv4, three ranges are reserved for use in private networks. Packet addresses in these ranges are not routable on the public Internet because they are ignored by all public routers. Therefore, private hosts cannot directly communicate with public networks but require network address translation at a routing gateway.

Classful description and largest CIDR block of each range:

  • Class A: 10.0.0.0/8
  • range of 16 Class B blocks: 172.16.0.0/12
  • range of 256 Class C blocks: 192.168.0.0/16

An example of interesting finds in my local network:


How to compose required IP ranges

I have written in detail about compiling ranges for Internet providers and geographical places in the article ‘How to collect Location, Country or ISP IP Ranges’. Since that guide is intended for Linux users, using the online service could be more convenient for you:

IP Range Syntax

Router Scan supports several types of ranges:

1. A single IP address – only one address per line.


2. Normal range – specify the start and end addresses, separated by a hyphen (minus).


– 254 addresses will be scanned.


– 10 addresses will be scanned.

3. Range with bitmask – indicates the IP address of the network and the number of fixed bits (network mask); they are separated by a slash.


– The first 24 bits of the address do not change; there are 32 – 24 = 8 free bits.

– 2^8 = 256 addresses will be scanned.


– The first 12 bits of the address do not change; there are 32 – 12 = 20 free bits.

– 2^20 = 1048576 addresses will be scanned.

More information about such ranges can be read on Wikipedia.

4. Octet range in the Nmap style – individual octets of the IP address can be specified in the form of ranges through a hyphen or as a comma-separated list.


– 254 addresses will be scanned, from to

Example: 10.0.2,4.1

– 2 addresses, and, will be scanned.
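When auditing your own network it helps to check what a range line actually covers before it is loaded. The following added example (not part of Router Scan or of the original article) parses the four syntaxes described above, counts the addresses, and reports whether the range stays inside one of the three private blocks; the function names and the sample list are assumptions made for illustration.

```python
import ipaddress
from math import prod

# The three private blocks named on this page.
PRIVATE_NETS = [ipaddress.IPv4Network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _octet_values(spec):
    """Expand one octet spec such as '1-254' or '2,4' into a set of ints."""
    values = set()
    for part in spec.split(","):
        lo, sep, hi = part.partition("-")
        low = int(lo)
        high = int(hi) if sep else low
        if not 0 <= low <= high <= 255:
            raise ValueError(f"bad octet spec: {spec!r}")
        values.update(range(low, high + 1))
    return values


def parse_range(line):
    """Return (address_count, lowest, highest) for one range line."""
    line = line.strip()
    if "/" in line:                      # 3. range with bitmask
        net = ipaddress.IPv4Network(line, strict=False)
        return net.num_addresses, net[0], net[-1]
    start, sep, end = line.partition("-")
    try:                                 # 1. single IP, 2. normal range
        first = ipaddress.IPv4Address(start)
        last = ipaddress.IPv4Address(end) if sep else first
    except ValueError:
        pass                             # not two full addresses: try syntax 4
    else:
        if last < first:
            raise ValueError(f"range runs backwards: {line!r}")
        return int(last) - int(first) + 1, first, last
    octets = line.split(".")             # 4. Nmap-style octet range
    if len(octets) != 4:
        raise ValueError(f"not an IPv4 range: {line!r}")
    sets = [_octet_values(o) for o in octets]
    lowest = ipaddress.IPv4Address(".".join(str(min(s)) for s in sets))
    highest = ipaddress.IPv4Address(".".join(str(max(s)) for s in sets))
    return prod(len(s) for s in sets), lowest, highest


def in_private_scope(line):
    """True only if the lowest and highest address share one private block.

    Every address of a range lies between those two, so this is exact for
    syntaxes 1-3 and conservative (may reject, never wrongly accept) for 4.
    """
    _, lowest, highest = parse_range(line)
    return any(lowest in net and highest in net for net in PRIVATE_NETS)


if __name__ == "__main__":
    # Constructed sample list, not taken from the page (except 10.0.2,4.1).
    for rng in ["192.168.1.1", "192.168.1.1-192.168.1.254", "172.16.0.0/12",
                "10.0.2,4.1", "203.0.113.0/24"]:
        count, lo, hi = parse_range(rng)
        print(f"{rng:28} {count:>8} {lo} .. {hi} private={in_private_scope(rng)}")
```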

Router Scan Anonymous scanning via Tor

Router Scan supports proxying traffic through HTTP/HTTPS, HTTP CONNECT, SOCKS4, SOCKS4a, and SOCKS5. We can also use Tor as a proxy, with all the attendant benefits: IP hiding, free, stable connection, and traffic encryption.

Note: If you are using an HTTP/HTTPS type proxy server, it will only be used to send HTTP requests and responses; attempts to connect to ports and socket data transfers bypass the proxy server. To proxy socket connections, use either HTTP CONNECT or a SOCKS proxy.

Tor setup on Windows

Go to the downloads section of the Tor project site and download the Expert Bundle. Not the Tor Browser; we need the Expert Bundle for our purposes.

Unpack the downloaded folder to any location. Tor can be installed as a Windows service. This is a convenient option because you do not need to run it every time and do not need to enter commands. For now, though, we will start the Tor process manually with default options, for speed and clarity.

Open the Windows PowerShell (admin) prompt and drag the file tor.exe from the downloaded archive into it; wait until Tor completes its business:


This window does not need to be closed! Otherwise, communication with the Tor network will cease.

Now go to the Router Scan settings: < Main Menu >, Settings and Tweaks, then HTTP Client. In the Proxy Server group, in the Type drop-down list, select SOCKS5. As the IP, enter, and as Port – 9050.


The scan will now be performed via Tor.

NOTE: You cannot scan private networks via Tor!

Configuring and running Router Scan

The main button is multifunctional. When you start a scan, it splits into two buttons: one to stop and one to pause the scan. But it can also perform several other functions:

  • [Start scan] – starts the process of scanning IP ranges.
  • [Stop scan] – stops the Scan.
  • [||] – sets the Scan to pause.
  • [>>] – resume scanning.
  • [Force stop] – Forcibly stops scanning.
  • [Stop import] – interrupts the import of the file into the table.
  • [Stop upload] – interrupts the upload of data to the 3WiFi database (with automatic uploading after the scan is complete).

Max. threads

This parameter sets the maximum number of threads, i.e. how many devices can be scanned in parallel.


Sets the connection waiting threshold for the device in milliseconds.

Note: Depending on the Internet service provider and on the speed and stability of the connection, these parameters have to be tuned by feel to obtain stable scan results without loss of connection. If you think the program does not use enough threads and your system can give more resources, try changing the scan mode in the program settings.

Scan ports

Determines which TCP ports will be scanned when scanning IP ranges.

  • [+] allows you to add a new port to the end of the list.
  • [-] removes the selected port from the list.

All ports are scanned using the standard HTTP/1.0 protocol, except ports 443, 4343, and 8443 – they are scanned over HTTPS using the OpenSSL library.

To widen the view of the network, you can also add ports 81, 88, 8000, 8081, 8082, 8088, 8888, and the like to the list.

You can also change the list of ports by editing the ports.txt file.

Autosave scan results to hard drive

This function periodically saves the contents of the table selected for saving. To select the table to save, use the appropriate option. Adjustable parameters:

  • Interval – the interval with which to save (in seconds).
  • Format – in which format to save the file.

Supported file formats:

  • XML 2003 Table – the XML format used by Microsoft Office 2003 (export only).
  • CSV Table – text format CSV (import/export).
  • Tab-delimited Text File – text format TXT with tab delimiters (import/export).
  • IP:Port List – address list in IP address:port format (export only).
  • JavaScript Object Notation – the JSON format, which many interpreters and development environments accept (export only).

All files are saved in the program folder in UTF-8 encoding (without BOM). File names correspond to the date and time of export.

It is recommended to use the TXT format or XML to store, post-process, or re-import the data.

Enter the IP addresses or IP ranges that you want to scan in the ‘Enter IP ranges to scan’ field:

  • [E] opens a window of the IP range editor.
  • [+] allows you to add one new range to the end of the list.
  • [-] Deletes the selected range from the list.
  • [x] completely erases the entire range list, including comments (beware, this is an irreversible action!).

Scanning Modules

  • Router Scan (main) – the main scanning module is responsible for cracking a password for the device’s web interface and obtaining information.
  • Detect proxy servers – detects HTTP proxy servers and reports when one is found: ‘proxy server’ is added in parentheses in the name/device type column, and the real external address of the proxy server is written to the WAN IP Address column. To mark the record in the table of successful results, the text ‘Proxy Good Check’ is written to the DNS column.
  • Use HNAP 1.0 – checks the host for support of the Home Network Administration Protocol v1.0 and for its vulnerabilities. If it finds support, it writes ‘HNAP Info’ in the name/device type column. If the vulnerability is detected, it writes the text ‘HNAP bypass auth’ in the authorization column, along with the received wireless network settings. Note: If the main module has already successfully picked up the authorization password, the HNAP module will not be used. Disable the main module and scan the device again to force the HNAP vulnerability to be checked.

The following modules are included as a bonus and have no direct relation to routers.

  • SQLite Manager RCE – identifies vulnerable SQLite servers that have an arbitrary PHP code execution vulnerability. If SQLite Manager is found on the node, a link to it is written in the comment column. The result of the vulnerability check is displayed in the name/device type column. If the vulnerability is detected, the text ‘SQLite Good Check’ is written to the DNS column to mark the record in the table of successful results.
  • Hudson Java Servlet – identifies vulnerable Hudson CI servers (as well as Jenkins CI) that have an arbitrary Java code execution vulnerability. If Hudson/Jenkins CI is found on the node, a link to it is written in the comment column. The result of the vulnerability check is displayed in the name/device type column. If the vulnerability is detected, the text ‘Hudson Good Check’ is written to the DNS column to mark the record in the table of successful results.
  • phpMyAdmin RCE – searches for phpMyAdmin on the scanned node and then checks it for an arbitrary PHP code execution vulnerability (exploit). If phpMyAdmin is found on the node, a link to it is written in the comment column. The result of the vulnerability check is displayed in the name/device type column. If the vulnerability is detected, the text ‘PMA Good Check’ is written to the DNS column to mark the record in the table of successful results.

Also, it’s important to know that the modules work one after another – they can overwrite the information in the previous module’s columns.

Port Scanner Settings

Scan Mode

Depending on the speed of your Internet connection and available PC resources, you can choose different scanning modes:

  • () Normal – it is optimized for work through a wireless network (i.e. when you are connected via Wi-Fi); it also does not clog the channel connections and is convenient when you need to use the Internet during scanning.

Technical characteristics: a delay of 15 ms between each IP/port pair.

  • () Fast Scan – optimized for operation via Ethernet (connected by cable). This mode can cause problems when you use Wi-Fi as the primary connection.

Technical characteristics: a delay of 15 ms between each IP address; all these ports are checked simultaneously.

  • () Ultra Fast – can be used for high-speed connections (1 Gb/s or higher) on high-performance machines. Use this mode at your own risk: on an unsuitable system configuration it can break the connection to the Internet for a long time, cause a denial of service to your Internet provider, or harm the network adapter.

Technical characteristics: without delays, all available threads are used at once.

SYN send times

It is recommended to change this option only if you experience connection problems. It lets you specify how many times to send a TCP SYN packet (a request to connect to a port) and wait for a response.

The function can be useful when working under a VPN with conflicting routes or an unstable connection.

On scan finish, do

You might need this feature if you run the Scan for a long period. You can select the following actions:

  • Do nothing
  • Close program
  • Log off user – exit the user’s session.
  • Shutdown – turn off the PC.
  • Suspend – put the PC in a sleep state (if the function is available on the system).
  • Hibernate – perform hibernation and shut down the PC (if the function is available on the system).

If you have disabled the automatic saving of results, you will be prompted to enable it, so you do not lose the scan results.

Silent Mode

This mode allows you to open the program without a window and immediately start the Scan. This will bring up an icon in the system tray; click it to display the main window.

The results will be saved to the file when scanning is complete, even if auto-saving is disabled.

Note: You must restart the program to enable or disable this option.

Thread timeout

Sets the thread lifetime in minutes, i.e. the waiting threshold for processing a device. If processing does not finish within the specified time, the program forcibly terminates it, and the Timed out mark appears in the status column.

You can also turn off the waiting threshold by setting the Unlimited check box, but the scanning process can be delayed forever, waiting for the hanging threads to end.

Saving results in Excel format

If you save the scan results as a .csv file and open them in MS Excel, some data gets corrupted. For example, the number 818445915008 (the password for one of the Wi-Fi networks) will look like 8,18446E+11 after re-saving the file.

Using Router Scan Results

Separate articles are devoted to these questions:

Briefly, access to network equipment allows an attacker to manipulate traffic, including carrying out attacks aimed at stealing passwords from sites, redirecting to fraudulent sites, blocking Internet connections, and infecting devices with malicious programs. The attacker can even change the firmware of the router.

Protection from Router Scan

The principle of Router Scan is based on checking routers’ default passwords and on using vulnerabilities in their firmware. Therefore, protection is obvious:

  • change factory passwords to enter the Admin panel
  • update firmware of the device regularly
  • change passwords for FTP, Telnet, SSH, or disable these services if you do not use them
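
Alongside the hardening steps above, a sweep of web-admin ports across many hosts is easy to spot in connection logs. The following added example (not part of Router Scan or of the original article) flags sources that probe the ports named on this page on several hosts within a short window; the log format, the thresholds, the sample lines, and the inclusion of ports 80 and 8080 are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Ports named on this page, plus 80 and 8080 (assumption: usual web-admin ports).
WATCHED_PORTS = {80, 8080, 443, 4343, 8443, 81, 88, 8000, 8081, 8082, 8088, 8888}

# Constructed sample: "timestamp source destination destination_port".
SAMPLE_LOG = """\
2024-05-01T10:00:00 198.51.100.7 192.0.2.10 80
2024-05-01T10:00:00 198.51.100.7 192.0.2.10 8080
2024-05-01T10:00:01 198.51.100.7 192.0.2.11 80
2024-05-01T10:00:01 198.51.100.7 192.0.2.11 8080
2024-05-01T10:00:02 198.51.100.7 192.0.2.12 80
2024-05-01T10:00:02 198.51.100.7 192.0.2.13 80
2024-05-01T10:00:03 198.51.100.7 192.0.2.14 8443
2024-05-01T10:00:05 203.0.113.20 192.0.2.10 443
2024-05-01T10:00:40 203.0.113.20 192.0.2.10 443
2024-05-01T10:05:00 203.0.113.30 192.0.2.10 80
2024-05-01T11:05:00 203.0.113.30 192.0.2.11 80
2024-05-01T12:05:00 203.0.113.30 192.0.2.12 80
2024-05-01T13:05:00 203.0.113.30 192.0.2.13 80
"""


def parse(log):
    """Yield (timestamp, source, destination, port) for each non-empty line."""
    for line in log.splitlines():
        if line.strip():
            ts, src, dst, port = line.split()
            yield datetime.fromisoformat(ts), src, dst, int(port)


def find_sweeps(log, min_hosts=4, window=timedelta(seconds=60)):
    """Return {source: peak distinct hosts} for sources that reached
    min_hosts different destinations on watched ports inside one window."""
    recent = defaultdict(deque)   # source -> (timestamp, destination) in window
    flagged = {}
    for ts, src, dst, port in sorted(parse(log)):
        if port not in WATCHED_PORTS:
            continue
        seen = recent[src]
        seen.append((ts, dst))
        while ts - seen[0][0] > window:   # drop events older than the window
            seen.popleft()
        hosts = len({d for _, d in seen})
        if hosts >= min_hosts:
            flagged[src] = max(flagged.get(src, 0), hosts)
    return flagged


if __name__ == "__main__":
    for src, hosts in find_sweeps(SAMPLE_LOG).items():
        print(f"{src} probed web-admin ports on {hosts} hosts within one minute")
```

The ordinary client (one host, repeated HTTPS) and the slow visitor (four hosts spread over hours) stay below the threshold; tune `min_hosts` and `window` to the size of your own network.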

Download Router Scan Latest Version

Router Scan ChangeLog

Version 2.53

  1. Added router models: (for a complete list, see the documentation)
  2. Updated parsers:
  3. (see the documentation for the full list)
  4. Added the ability to configure the table of successful results (selection by successful authorization, wireless or wired devices, as well as additional information) use of resources)
  5. Fixed a line break bug when copying device information
  6. The range editor can now extract an IP address from a URL address
  7. Improved loading of program settings – if there are no settings files, they will be created with default parameters
  8. Slightly improved thread utilization on timeout or forced stop
  9. Added the ability to exclude certain IP addresses with ports from scanning
  10. Now you can select all records in the selected table at once by pressing Ctrl + A
  11. Added support for loading found access points into the 3WiFi database
  12. Fixed a bug with UTF-8 encoding when exporting reports
  13. The HNAP module will now skip the Scan if the main module has successfully received all the information before (to force the HNAP vulnerability check – disable the main module)
  14. Fixed a hang bug when the Scan is paused frequently
  15. The number of active threads in the status bar is now displayed in two numbers – active ports scanner and handler threads
  16. HTTP headers like Referer are now sent automatically
  17. Fixed last column import CSV bug
  18. Added a debugging function for recording TCP packets
  19. Added D-Link DAP-1360 exploit to bypass authorization and get the administrator password
  20. Updated authorization dictionaries
  21. Reports in TXT and CSV formats now support only encoding UTF-8 (export/import)
  22. The position and dimensions of the window are now saved in settings
  23. Fixed a bug with changing the interval for automatically saving results in the settings
  24. Added an exploit Micro DSL (Sagemcom) to get the administrator password (https://www.exploit
  25. Fixed CSV import bug with double quotes at the end of the field
  26. Added exploit for ASUS Boa ADSL (service account)
  27. Tab characters are now filtered when entering ranges
  28. WPS PIN Companion can now import a list of BSSIDs from JumpStart Wireless (also known as TP-LINK QSS)
  29. Fixed a bug in checking for IP exclusions from scanning
  30. Improved usage and utilization of scan threads; the program now consumes fewer system resources
  31. The set of APIs provided by LibRouter has changed; when using the library in your applications, see the updates in the guide
  32. Port 4343 has been added to the list of HTTPS ports
  33. An exploit has been added to get the administrator name and password on Realtek eCos devices’ Webs
  34. Added an exploit to get the administrator name and password on D-Link COMM firmware
  35. Fixed a bug with automatically setting the definition page on the initial redirect
  36. Added the ability to import reports by adding them to existing data in the table
  37. Added the ability to set comments for several rows at once
  38. Added the ability to delete rows in the main table and search results
  39. When a stream is stopped, all connections opened by it are automatically terminated
  40. When Watchdog is enabled, the IP address, during the Scan of which problems with the connection were found, will be logged
  41. Now in the range editor, you can double-click an error to highlight the problematic line
  42. Added an exploit to obtain data from some NETGEAR access points without authorization
  43. Added an exploit to get the name and password of some D-Link access points without authorization
  44. Fixed a bug in the HTTP client when processing a redirect to HTTPS
  45. Added a license agreement and improved the documentation for the program
