
Help please! Bruteforcing a DLINK DSL2750U ADSL Router with Hydra


Pandora Boz


Hey Guys,

I've been stuck with this for a long time now. I've just started out learning various basic techniques used for navigating around various security mechanisms. I referred to a number of posts around the web about brute forcing routers with Hydra. Most of the articles are focused on beating the basic authentication provided by HTTP, and the links that describe brute forcing web logins did not seem to work when I tried them. My router is a DLINK DSL2750U ADSL Router left aside for testing purposes. Even most of the other routers I tried have such a web interface, which is loaded first, with a custom authentication web form using HTTP POST. I used this link as my main reference in understanding the process of bruteforcing.

Here's a snapshot of my router's web based login page.



As you see, a login form is presented and the username is given as a drop-down consisting of only one element, "admin". Also, the login page is at 192.168.1.1/cgi-bin/webproc.

Here is the source of the login page: router-login.source.txt

To build up the command to execute hydra on this web form, I used BurpSuite. On intercepting the bad response, this is what I get:


Once a wrong password is entered, the error message displayed is as below:


The link does not change on the error message, and the error message itself comes as a pop-up. Right-clicking on the screen is disabled as well.

At first, I ran my hydra command as below:

hydra -l "" -P "/root/pass.txt" 192.168.1.1 http-post-form "/cgi-bin/webproc:%3Ausername=^USER^&%3Apassword=^PASS^&%3Aaction=Login:"Username or Password wrong:H=Cookie: %3Asessionid=68b3e673"

This gives hydra output matching ALL passwords in the dictionary as correct. So I figure my incorrect/fail section for hydra is not right. Since my router's failed login does not give out any proper information, I tried looking at the "S=" option for the incorrect/fail section of hydra. I noticed that on successfully logging in I'm being redirected to the link given below:
http://192.168.1.1/cgi-bin/webproc?getpage=html/index.html&errorpage=html/main.html&var:language=en_us&var:menu=setup&var:page=wizard


So I modified my hydra command to the following:

hydra -l "" -P "/root/pass.txt" 192.168.1.1 http-post-form "/cgi-bin/webproc:%3Ausername=^USER^&%3Apassword=^PASS^&%3Aaction=Login:S=?getpage=html/index.html&errorpage=html/main.html&var:language=en_us&var:menu=setup&var:page=wizard:H=Cookie: %3Asessionid=68b3e673"

Now the output of hydra does not match any password in the list file.

I've been trying many ways to get this done but am stuck. Any help pointing me in the right direction would be appreciated. If there's any more information you need to help me out, please let me know. Looking to solve this somehow!! :(:(

Please help me. Now I'm just trying many permutations and combinations of the hydra arguments. Still no progress!


Hi,

I had not escaped the ":" with "\". So I ran the following command on hydra and captured the TCP stream.

hydra -l "" -P "/root/pass.txt" 192.168.1.1 http-post-form "/cgi-bin/webproc:%3Ausername=^USER^&%3Apassword=^PASS^&%3Aaction=Login:S=?getpage=html/index.html&errorpage=html/main.html&var\:language=en_us&var\:menu=setup&var\:page=wizard:H=Cookie: %3Asessionid=68b3e673"

Here's the capture: tcp-wireshark-cap.pcap

Looks like both GET and POST are getting a bad response. I'm doing something terribly wrong here... :blink::wacko:


I checked out the intruder lab. Looks more complex than the command line. What you say about writing a custom bruteforcer makes a lot of sense, but I would really like to try my hand with these tools to get a larger understanding of the process, I guess. I'll look more into the intruder lab and its options. Do let me know if you can help out with finding the right command arguments for hydra. Everyone brags about its flexibility everywhere! :dry:


I'll provide 2 commands you should run in 2 separate consoles. First install the tool... `sudo apt-get install tcpick`

 

Console 1

sudo tcpick -i wlan0 -bPS -C

Console 2

sudo tcpick -i wlan0 -bPC -C

It will help if you close down all applications that may be streaming data...

 

Now submit your login from the browser; both screens should now show your POST request in one console and your server response in the next console... press Ctrl-C to stop the streams and paste this information into 2 separate text editors...

 

You may already have this information. But now you have 2 consoles that you can use to quickly see a separate live stream... keep at it; first you have to focus on getting hydra to produce a proper POST request and see an identical server response...


Okay, I'll start thinking along those lines. This is a cleaner output than the intercept from Burp Suite, actually. If you do get the time, here are the files I've recorded for the POST request and server response for a single failed login attempt through the web browser:

tcp-post-request

tcp-server-response

I need to get a better understanding of the structure of POST requests to get this going. I'll be on that now. If you could look through these files, any guidance would be really great. :grin: Thank you...


Hey,

Thank you so much for the help. You got me going in the right direction there. So I've been able to create the right POST request and get the right responses. hydra works, in a way. Why I say that is because when I individually try passwords out everything goes fine, i.e. hydra -p "admin" or hydra -p "admin123". But when I use hydra -P to point to a file, hydra iterates through each entry of the password list but fails to make a match. So I figured it could be because the router is unable to handle the requests from multiple threads for some reason (because it's working with hydra -p "password"). So I used the hydra -t 1 flag along with the command so as to keep the parallel threads to 1. Yet I'm unable to recursively read and bruteforce through a password list given to hydra. Or maybe the router is locking me out after consecutive attempts? I'm not sure. Maybe I should go through the packets again and see if there are any responses that are missing, or if nothing works I guess a bash script that sleeps and invokes hydra would help out. It'll be slow, though. I'll let you know. But have you heard of any bugs within hydra similar to this?

 

Here's the command that worked for me:

hydra -t 1 -l "" -p "admin" 192.168.1.1 http-post-form "/cgi-bin/webproc:getpage=html%2Findex.html&errorpage=html%2Fmain.html&var%3Amenu=setup&var%3Apage=wizard&obj-action=auth&%3Ausername=admin&%3Apassword=^PASS^&%3Aaction=login:login failed" -V

or even

hydra -t 1 -l "" -p "admin" 192.168.1.1 http-post-form "/cgi-bin/webproc:getpage=html%2Findex.html&errorpage=html%2Fmain.html&var%3Amenu=setup&var%3Apage=wizard&obj-action=auth&%3Ausername=admin&%3Apassword=^PASS^&%3Aaction=S=step-by-step instructions" -V  

Also, one more question. If a router does lock us out after 'n' attempts, is there a way we can work around this and still proceed with the bruteforcing?

Cheers!:wub:

 

 


Maybe your wordlist file has issues? Look at the TCP stream for ugly characters in the password/user string...

 

Understanding the firewall is like poking around with your eyes closed. This firewall, if it even exists or provides any brute force prevention, may respond in several ways...

 

Below is a video of a custom brute forcer I built to crack cPanel... from LFI to brute force... some firewall functions I experienced... I installed a cPanel OS in a VM; I expect most admins will rely on the default firewall settings/functions of the installed software...

A service may respond with a header 401=unauthorized, 403=forbidden or 200=ok... look up HTTP status codes...

 

I started off by creating a password... I tested 9 failed logins and the 10th was the correct attempt, but the header still responded with 401...

So this basic firewall function will detect a username failing X times in a row and too quickly... so the service continues to respond with the same 401 header a total of 10 times in a row... the attacker will think their password list was missing the correct creds, which I thought was clever!

 

So I changed my local IP address from 192.168.0.100 to 192.168.0.101...

 

Now I made 8 failed logins with the 9th being the correct creds...

 

I repeated this process until I reached the conclusion that if the correct creds were on the 6th attempt I would receive a 200 header response...

 

There is an identical process I used to find that the time between fails that triggers IP banning was around 60 seconds. I would need to sleep 60 seconds before each login...

 

I could ramble on with all my findings; I'll try and get to the tactic I used...

 

Change my IP after each request. With my attack I also changed username every attempt, but that won't work for your situation...

 

I had planned on creating a local proxy service that would provide a new IP address after each request.

 

Everything I ran into required so much extra evasive function that I had to build my own tool for the job...

 

You should continue with hydra, but start thinking about what security may be implemented...

 

I had scraped a huge list of default router passwords but I don't know where it is...

 

 


Edit:

the feeling of super saiyan level 5

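The two patterns described in the post above (one client failing over and over, and one username tried from rotating source addresses) are what a defender watching the management interface should alert on. This is an added example, not code from the thread or from any tool named in it; the key=value log format, the addresses and the thresholds are constructed, since a DSL router like this one normally keeps no such log and a proxy or syslog relay in front of the login page would have to produce it.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed key=value log (what a proxy/syslog relay in front of the router might emit).
SAMPLE_LOG = """\
2017-01-05T10:00:00 src=192.168.1.50 method=POST path=/cgi-bin/webproc user=admin status=401
2017-01-05T10:00:02 src=192.168.1.50 method=POST path=/cgi-bin/webproc user=admin status=401
2017-01-05T10:00:04 src=192.168.1.50 method=POST path=/cgi-bin/webproc user=admin status=401
2017-01-05T10:00:06 src=192.168.1.50 method=POST path=/cgi-bin/webproc user=admin status=401
2017-01-05T10:00:08 src=192.168.1.50 method=POST path=/cgi-bin/webproc user=admin status=401
2017-01-05T10:05:00 src=192.168.1.60 method=POST path=/cgi-bin/webproc user=admin status=401
2017-01-05T10:05:30 src=192.168.1.61 method=POST path=/cgi-bin/webproc user=admin status=401
2017-01-05T10:06:00 src=192.168.1.62 method=POST path=/cgi-bin/webproc user=admin status=401
2017-01-05T11:00:00 src=192.168.1.20 method=POST path=/cgi-bin/webproc user=admin status=200
"""
KV_RE = re.compile(r"(\w+)=(\S+)")
FAIL_STATUSES = {"401", "403"}  # adapt if the device signals failure with 200 + body text

def parse_events(text):
    """Return (timestamp, src, user, status) for POST login attempts only."""
    events = []
    for line in text.splitlines():
        ts_str, _, rest = line.partition(" ")
        kv = dict(KV_RE.findall(rest))
        if kv.get("method") == "POST" and kv.get("path", "").startswith("/cgi-bin/webproc"):
            events.append((datetime.fromisoformat(ts_str), kv.get("src", "-"),
                           kv.get("user", "-"), kv.get("status", "")))
    return events

def detect_bruteforce(text, window=timedelta(seconds=60), max_per_src=5, max_srcs_per_user=3):
    """('src_burst', ip, n): one client failed >= max_per_src times inside `window`.
    ('user_spray', user, k): one username failed from >= max_srcs_per_user clients inside `window`."""
    fails = sorted(e for e in parse_events(text) if e[3] in FAIL_STATUSES)
    by_src, by_user = defaultdict(list), defaultdict(list)
    for ts, src, user, _ in fails:
        by_src[src].append(ts)
        by_user[user].append((ts, src))
    alerts = {}
    for src, times in by_src.items():
        for i, start in enumerate(times):  # sliding window anchored at each failure
            n = sum(1 for t in times[i:] if t - start <= window)
            if n >= max_per_src:
                alerts[("src_burst", src)] = max(n, alerts.get(("src_burst", src), 0))
    for user, hits in by_user.items():
        for i, (start, _) in enumerate(hits):  # distinct clients hitting one account
            srcs = {s for t, s in hits[i:] if t - start <= window}
            if len(srcs) >= max_srcs_per_user:
                alerts[("user_spray", user)] = max(len(srcs), alerts.get(("user_spray", user), 0))
    return sorted((kind, key, n) for (kind, key), n in alerts.items())
```

Keying the second rule on the username rather than the client address is what makes the "change IP after each request" approach visible; the single successful login from 192.168.1.20 raises nothing.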
