MegaMech Posted October 5, 2016 Share Posted October 5, 2016 Hello, I'm trying to hack into my router (Not doing anything nefarious) Can I get some help with the '/login.cgi' part? hydra 192.168.1.254 http-form-post "/login.cgi:sessionKey=177691457&inputUserName=^USER^&inputPassword=^PASS^:err" -L admin -P pass.txt -t 10 -w 30 -o hydra-http-post-attack.txt I'm guessing that in the current state even if hydra was to get the password correct it would still respond in "msg=err". Because I need to have a proper session key. Also any idea what "nothankyou=1" is? Do I need to have that in the command? Is there like a cookie file I have to use to generate session keys? Also ":err" is like a . "If response is not 'err' then that was a correct password" Is this piece correct? The browser returns "http://192.168.1.254/index.html?msg=err" Should it be ":msg=err"? Thanks for your help. POST http://192.168.1.254:80/login.cgi HTTP/1.1 Host: 192.168.1.254 User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://192.168.1.254/ Cookie: Telus=T1200H-31.128L.07 Connection: keep-alive Upgrade-Insecure-Requests: 1 Content-Type: application/x-www-form-urlencoded Content-length: 68 sessionKey=1286954970&inputUserName=as&inputPassword=fd¬hankyou=1 Quote Link to comment Share on other sites More sharing options...
pentestgeek Posted October 5, 2016 Share Posted October 5, 2016 For brute forcing web applications I recommend using Burp Suite. You would simply capture an attempt to login with any password (like the one you've already shared), then right click on the POST and send it to the Intruder tab. Highlight the password field and then import your password list as the payload injections. Since this is your Router I'm assuming you already know the password and are simply trying this as an exercise. You could log in with the correct password and use Burp to tell you what a correct response looks like. Then you can tailor your Intruder advanced options to check specifically for the correct response. Hope that helps. Quote Link to comment Share on other sites More sharing options...
MegaMech Posted October 5, 2016 Author Share Posted October 5, 2016 Alright, Burp Suite it is. I was experimenting with thc while burp was downloading. Does the session key matter? Thanks for your help, it's appreciated. Quote Link to comment Share on other sites More sharing options...
digip Posted October 6, 2016 Share Posted October 6, 2016 (edited) Hydra works fine, and I use it all the time, but look at your syntax, i think you have http-form-post wrong, should try "http-post-form" like so: hydra -l admin -P pass.txt 192.168.1.254 http-post-form "/login.cgi:sessionKey=177691457&inputUserName=^USER^&inputPassword=^PASS^:F=err:" -o hydra-http-post-attack.txt If your router uses https, change it to "https-post-form" Also, if you are specifying the user, use lowercase l not capital. capital L is for wordlist of user names. You can in most cases omit the session key, but if it uses specific hard coded cookies you should try to pass the cookie using the :H cookie='cookieinfo': Edited October 6, 2016 by digip Quote Link to comment Share on other sites More sharing options...
pentestgeek Posted October 6, 2016 Share Posted October 6, 2016 On 10/5/2016 at 9:17 AM, pentestgeek said: For brute forcing web applications I recommend using Burp Suite. You would simply capture an attempt to login with any password (like the one you've already shared), then right click on the POST and send it to the Intruder tab. Highlight the password field and then import your password list as the payload injections. Since this is your Router I'm assuming you already know the password and are simply trying this as an exercise. You could log in with the correct password and use Burp to tell you what a correct response looks like. Then you can tailor your Intruder advanced options to check specifically for the correct response. Hope that helps. Again since this is in fact your router as you say and you know the password you can find out if sessionkey is required or not. Simply replay the POST with only the "inputUserName" and "inputPassword" parameters and see if you get a successful response. Quote Link to comment Share on other sites More sharing options...
digip Posted October 7, 2016 Share Posted October 7, 2016 11 hours ago, kdodge said: is thc open source? hydra is the tool name in Kali really, although thc-hydra is it's full name, you invoke it with hydra. It is open source. Home page: https://www.thc.org/thc-hydra/ Git page: https://github.com/vanhauser-thc/thc-hydra Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.