Lost Router Password

[Sparky911]

Ok so I already know whats going to be offered, use the reset button. The only problem is this is the router we are using on our company server, the password was changed by one of our techs whom no longer works with us and can't remember the password he set anyways. We don't want to reset the router because we don't have a list of all the configuration settings that were set either and its kind of a time critical thing. My question is, other then replacing or resetting the router is there a way to crack the admin password. I am aware that this would most likely be a time consuming process because if router configs were that easy to crack then everyone would be unsafe haha. We do eventually plan on replacing the router (a Dlink 655) with a dual WAN port one but thats not for another month yet. Any help would be appreciated.

We already tried a brute force type attempt but after 10 attempts the router forces you to reload the web config page or something on that line one of our other techs said.

[bobbyb1980]

If it's a dlink try the HNAP exploit, it might work.

[Jason Cooper]

Depending on the device and its set up you might be able to get some information out of it via SNMP. Probably not the password but there is a chance that you can get the configuration or perhaps the firmware version of the device which you can then use to look for exploits.

Failing that it could be a good time to bring the replacement of the router forward and replace it.

[Mr-Protocol]

If it is a professional say Cisco router. Use a serial cable.

If it is a linksys or dlink... why the hell are you using that for business?

If it is one of those home routers. You need to either get crafty with packets and program yourself up a brute force or use things that already exist. (Hydra, etc...)

Also you should make it a policy to have critical passwords documented so these such situations don't happen.

And if it is a home router, you only have so many options for configuration so you might just want to 30/30/30 and reconfigure anyways. Would save lots of time.

Edited November 9, 2011 by Mr-Protocol

[Morfir]

Would save lots of time.

Hes right. Make sure you don't spend too much time on it, if time is a issue. You could probably forget the config file and start new, in the time it would take you to get the password for the admin account with that limit on attempts.

[Mr-Protocol]

Hes right. Make sure you don't spend too much time on it, if time is a issue. You could probably forget the config file and start new, in the time it would take you to get the password for the admin account with that limit on attempts.

I think that limit on attempts is when you failed login X times, it no longer pops up the login box but a 403 Forbidden page then you have to refresh the page and keep trying.

If you make a script (python or whatever) to brute it, just make a new connection each time and no issue there. Typically the passwords are BASE64 encoded so making one from scratch isn't too difficult.

You could also try and find an exploitable service and try to get in with an attack vector but you risk more damage and possible further service interruption that way.

[digip]

How about the easy route. Call the old tech. If he was an employee, should not be hard to ask him for the password. No business should have 1 person in charge of passwords either. If its an IT department, documentation should be in place on who to call for access and above all else, more than one person should know the password. If no help from former employee, wait the month to upgrade, or bite the bullet and hit that damn reset button on a night when the office is done for the day, configuration or not, if you know your topology, you should be able to set things up without any problems.

[Sparky911]

Thanks for the help guys. Its not a time issue, the replacement router with dual WAN is about a month away. I agree Cisco better for business but we're doing just fine with our affordable D-link's right now lol ;) As for the "old employee" we did contact him, he doesn't remember the password and normally these are documented on a master list but that one was missed. We think we found the configuration settings we need so come new router time we should be ok. I was just curious if it was possible for future reference is all. I did start poking into Hydra a bit but don't have a lot of time to learn something new to me right now. It does look promising though and may ponder with it more some other time. Again thank you all and I am sure glad I found this community!

[int0x80]

Give the HNAP exploit a try at least, unless your firmware is 1.33NA or newer (fixed 01/28/2010).

Here are a list of strings in the .bin that's compressed in the firmware image: http://slexy.org/view/s2iTxmDC7j

Sometimes routers have backdoor admin accounts, you may get lucky looking through the strings.