Hydra in BT5r3

[Bountyhunter50]

Yo Hak5 Comm! Hope everyone is well.

So I have a confession to make: I forgot my router login credentials.

That having been said , I have a plan of attack: Backtrack 5r3 in VM ware on my iMac (that is hardlined ) to my Century Link all in one (I know I know )

Is there any reason Hydra can't bruit force a Century Link router? I think it's still an https protocol so I personally don't see why not. BUT I wanna make sure from those who have more experience than I.

Also Hydra can accept .txt lists right? Or does it really need something like a .lst format?

Thanks as always!! B)

Edited September 16, 2013 by Bountyhunter50

[digininja]

Does the router use basic/digest authentication or forms based? If it uses forms does it do a direct HTTP(S) post or does it mangle the credentials before sending them? You have to make sure you specify the right one when running Hydra.

Also, the word list you are using, would you have chosen a password that is in that list? If not then don't bother using it as you won't get in.

As it is your router then probably the easiest thing to do is just hit the reset button and start again.

[Bountyhunter50]

Very good question! By what I see, it's a form based, I'm going to look into if it's direct HTTP(S) or not too.

The list I'm wanting to use I made of all the possible passwords I could have used. I know the reset button makes life much better but that's just too easy :P (plus I can also get some of my Pentesting practice on within a controlled environment)

Everyone would also be VERY proud to know the username is NOT "admin", lol!

Edited September 16, 2013 by Bountyhunter50

[Bountyhunter50]

So here's one:

I was poke-poking around in xHydra, and I got this:

ERROR Compiled without LIBAFP support, module not available!

Anyone know if this is as simple as using apt-get to fix this?

[digininja]

If you want to practice your skills then I wouldn't use Hydra to attack a web app, I'd personally use Burp but I don't think the free version has Intruder so you can't use it so you'd need to use ZAP instead, the fuzzer in there would do a good job of it.

And for the AFP question, when the binary is compiled it has certain features built in, your copy wasn't built with AFP support so no matter what you add to your machine it will never have it. If you want to add it you'll need to set up the build environment and built it yourself. Just make sure that you have all the other libraries you need so that you don't lose any other features.

[Bountyhunter50]

Cool! Thanks for the good advice there :)

Yeah I had a feeling I'd just have to build a specific environment. Wanted to see if there was something else before immediately going to that. Good deal, thanks man!

[triphazard]

So you say it's form based eh? Before you go all nutty bruteforcing, you might as well poke around a bit and see what it'll let you access without auth. I had an old belkin a while back that I could gain access to with....wget -r, and a little bit of grep. The really sad part is, after I knew what I was looking for, I found that particular line that mattered was actually loaded into the browser in a login.stm. Line began with " var password = " followed by an md5 hash of the password. Cool right? Then I found that all I needed to do was use tamper data and copy and paste and that was it. Routers suck sometimes. I doubt yours has this particular flaw, it looked like it was made in house. But you might learn more from poking around at it.

I hydra completely broke on your machine, or are you just missing some protocols?

[Bountyhunter50]

So i can essentially wget -r (routerIP) and grep to an output file?

Im not sure whats up with Hydra, never saw this error before. No luck resolving it direct so far

[triphazard]

the lines I used was something like

wget -r (ip)

cd (ip) # it created a directory with the ip address as the name

cat * | grep -i 'pw\|pass'

I might have grepped for a few more things, but I remember it popping right up

[Bountyhunter50]

Im driving home from work to try this

****

Ok now that I have tried this:

It downloaded 136 files (WOW! I learned something new) but it looks like the CSS , Images , JS items with the index and login.html files. That's it. Did the grep and only brought up the js for the login.html

**

Looked in the login.html

- Username in plain text HOWEVER, the password is protected:

" The support console is password protected and for support personal use only"

Edited September 17, 2013 by Bountyhunter50

[Bountyhunter50]

Hang on...

It's running micro_httpd. Can that make a huge difference? I think it does

[digininja]

unless that specific version of micro_httpd has published vulnerabilities then it doesn't make any difference

[Bountyhunter50]

unless that specific version of micro_httpd has published vulnerabilities then it doesn't make any difference

O-o Hmm, Time for some research!