Pandora Boz

Hey, Thank you so much for the help. You got me going in the right direction there. So I've been able to create the right post request and get the right responses. hydra works in a way. Why I say that is because when i individually try passwords out everything goes fine. ie. hydra -p "admin" or hydra -p "admin123". But when i use hydra -P to point to a file and make it work, hydra iterates through each of the password list but fails to make a match. So I figured it could be because the router is unable to handle the requests from multiple threads for some reason (beacuase its working with hydra -p "password"). So I used hydra -t 1 flag along with the command so as to keep the parallel threads to 1. Yet I'm unable to recursively read and bruteforce through a password list given to hydra. Or may be the router is locking me out after consecutive attempts ? I'm not sure. May be I should go through the packets again and see if there are any responses that are missing. or if nothing works I guess a bash script that sleeps and invokes hydra would help out. It'll be slow though I'll let you know. But have you heard of any bugs within hydra similar to this ? Here's the command that worked for me: hydra -t 1 -l "" -p "admin" 192.168.1.1 http-post-form "/cgi-bin/webproc:getpage=html%2Findex.html&errorpage=html%2Fmain.html&var%3Amenu=setup&var%3Apage=wizard&obj-action=auth&%3Ausername=admin&%3Apassword=^PASS^&%3Aaction=login:login failed" -V or even hydra -t 1 -l "" -p "admin" 192.168.1.1 http-post-form "/cgi-bin/webproc:getpage=html%2Findex.html&errorpage=html%2Fmain.html&var%3Amenu=setup&var%3Apage=wizard&obj-action=auth&%3Ausername=admin&%3Apassword=^PASS^&%3Aaction=S=step-by-step instructions" -V Also, one more question. If a router does lock us down after 'n' number of attempts, is there a way we can work around this and still proceed with the bruteforcing ? Cheers!

Okay I'll start think on those lines. This is a cleaner output than intercept from burp-suit actually. If you do get the time, here are the files I've recorded for post request and server response for a single failed login attempt through the web browser : tcp-post-request tcp-server-response I need to get a better understanding of the structures of post requests to get this going. I'll be on that now. If you could do look through these files and any guidance would be really great. Thank you...

I checked out the intruder lab. Looks more complex than the command line. Makes a lot of sense what you say about writing a custom bruteforcer but would really like to try my hands with these tools to get a larger understanding of the process I guess. I'll look more into intruder lab and its options. Do let me know if you can help out with finding the write command arguments for hydra. Everyone brags about its flexibility everywhere!

Hi, I had not escaped the ":" with "\". So I ran the following command on hydra and captured the tcp stream . hydra -l "" -P "/root/pass.txt" 192.168.1.1 http-post-form "/cgi-bin/webproc:%3Ausername=^USER^&%3Apassword=^PASS^&%3Aaction=Login:S=?getpage=html/index.html&errorpage=html/main.html&var\:language=en_us&var\:menu=setup&varage=wizard:H=Cookie: %3Asessionid=68b3e673" Here's the capture : tcp-wireshark-cap.pcap Looks like both GET and POST are getting a bad response. I'm doing something terribly wrong here...

Hey Guys, I'm stuck up with this for a long time now. I've just started out on learning various basic techniques used for navigating around various security mechanisms. I referred a number of posts around the web about brute forcing routers with Hydra. Most of the articles are focused on beating the basic authentication provided by HTTP. And the links that describe brute forcing web logins do not seem to work when I've tried. My router is a DLINK DSL2750U ADSL Router left aside for testing purposes. Even most of other routers I tried consists of such web interface which is first loaded and a custom authentication web form using HTTP POST. I used this link as my main reference in understanding the process of bruteforcing. Here's a snapshot of my router's web based login page. As you see, a login form is presented and the username is given as a drop down consisting of only one element "admin". Also the login page is at 192.168.1.1/cgi-bin/webproc. Here is the source of the login page: router-login.source.txt To build up the command to execute hydra on this web form, I used BurpSuite. On intercepting the bad response, this is what I get : Once a wrong password is entered, the error message displayed is as below : The link does not change on the error message and the error message itself comes as a pop-up. Right clicking on the screen is set to off as well. At first, I ran my hydra command as below: hydra -l "" -P "/root/pass.txt" 192.168.1.1 http-post-form "/cgi-bin/webproc:%3Ausername=^USER^&%3Apassword=^PASS^&%3Aa ction=Login:"Username or Password wrong:H=Cookie: %3Asessionid=68b3e673" This gives the hydra output as matching ALL passwords as correct in the dictionary. So I figure my incorrect/fail section for hydra is not right. Since my routers failed login does not give out any proper information, I tried looking at the "S=" option for the incorrect/fail section of hydra. I noticed that on successfully logging in I'm being redirected to link given below: http://192.168.1.1/cgi-bin/webproc?getpage=html/index.html&errorpage=html/main.html&var:language=en_us&var:menu=setup&var:page=wizard So I modified my hydra command to the following : hydra -l "" -P "/root/pass.txt" 192.168.1.1 http-post-form "/cgi-bin/webproc:%3Ausername=^USER^&%3Apassword=^PASS^&%3Aa ction=Login:S=?getpage=html/index.html&errorpage=html/main.html&var:language=en_us&var:menu=setup&varage=wizard:H=Cookie: %3Asessionid=68b3e673" Now the output of hydra does not match any password in the list file. I've been trying many ways to get this done but am stuck up. Any help pointing towards the right direction would be helpful. If there's any more information you would want to know to help me out, please let me know. Looking to solving this somehow!! :(:( please help me. Now I'm just trying many permutations and combinations with the hydra arguments.Still no progress!