0phoi5 Posted September 22, 2017 (edited)

Hi all,

I have myself a stack of various routers; an old BT Hub 2, Hub 6, an original TALKTALK router, some random router that looks like it's from the 90s (I forget the model), etc. People give me their old stuff to play with because they know I'm a massive nerd in my spare time.

Pentesting the router password hash is easy enough with Aircrack; however, I can't find much information about how one goes about capturing the admin password hash of a router (or plain text, if it's old and crappy like the random router I suspect may be!).

So, a basic question: what tools / methods are used for capturing admin router passwords? I plan on having a play with each router over the weekend.

I did an online search for information, but the search just yielded lots of rubbish news articles with no actual useful information.

Thanks guys.

Edited September 22, 2017 by haze1434
digip Posted September 22, 2017

Are we talking about the admin password for logging into the router's management side? If it's not configured for HTTPS then you can load Wireshark and see it in plain text, but you would more than likely need to MITM the "victim" or target machine logging into the router's admin page. If it's SSL (most routers can do both, but you can choose both, one or the other) and only SSL, SSL strip attacks won't generally work, but forcing the victim off the router and then faking the login process over HTTP will nab you the same thing: plain text creds.

Not sure where the "password hash" is in play. What is stored on the routers themselves may not even be stored securely and could even be stored on the router in plain text. If the router has any vulns, you can often dump entire configurations, which will show the admin password, the WPA2 passwords and all settings, regardless of whether it's set up with HTTP or HTTPS, since you do the attack from the web page interface directly via some URL manipulations. Many older unpatched routers have lots of web-based vulnerabilities, such as LFI and even RFI, where the LFI can do things like dump an /etc/passwd file or the config itself.

If remote admin login is enabled, this then becomes even worse, since anyone who finds it from the WAN side can often do the same thing, which is a good reason to always 1, disable remote administration, 2, disable HTTP, and 3, always update the firmware when possible, or upgrade to a better router when EOL happens on older hardware.

Example of an older router vuln -
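As an added example (not code from either poster): the point above about an admin login over plain HTTP being readable in a Wireshark capture can be turned into a defender-side check. This script scans reassembled HTTP requests (constructed samples here, with an assumed router address of 192.168.1.1) for Basic-auth headers or login-form POSTs sent to the management address without TLS, and reports the user but never the password.

```python
"""Flag router admin credentials sent over plaintext HTTP in a capture.
Added example, not from the thread; sample requests are constructed."""
import base64
from urllib.parse import parse_qs

# Constructed (src, dst, dst_port, raw request) tuples, the shape a tool
# like tshark would give after reassembling each HTTP request.
SAMPLE_REQUESTS = [
    ("192.168.1.10", "192.168.1.1", 80,
     "GET /admin/ HTTP/1.1\r\nHost: 192.168.1.1\r\n"
     "Authorization: Basic YWRtaW46aHVudGVyMg==\r\n\r\n"),   # admin:hunter2
    ("192.168.1.10", "192.168.1.1", 80,
     "POST /login.cgi HTTP/1.1\r\nHost: 192.168.1.1\r\n"
     "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
     "username=admin&password=hunter2&submit=Login"),
    ("192.168.1.10", "192.168.1.1", 443,
     "GET /admin/ HTTP/1.1\r\nHost: 192.168.1.1\r\n\r\n"),  # TLS session, ignored
]

PASSWORD_FIELDS = ("password", "passwd", "pwd", "pass")  # common form names


def find_cleartext_creds(requests, mgmt_hosts=("192.168.1.1",)):
    """Return one finding per credential sent in the clear to mgmt_hosts.
    Only the scheme and username are recorded; the secret is not copied."""
    findings = []
    for src, dst, port, raw in requests:
        if dst not in mgmt_hosts or port == 443:
            continue  # only plaintext sessions to the router's admin address
        head, _, body = raw.partition("\r\n\r\n")
        for line in head.split("\r\n")[1:]:
            name, _, value = line.partition(":")
            value = value.strip()
            if name.lower() == "authorization" and value.lower().startswith("basic "):
                creds = base64.b64decode(value[6:]).decode(errors="replace")
                findings.append({"src": src, "dst": dst, "scheme": "basic",
                                 "user": creds.split(":", 1)[0]})
        if body:
            form = parse_qs(body)
            if any(f in form for f in PASSWORD_FIELDS):
                user = (form.get("username") or form.get("user") or ["?"])[0]
                findings.append({"src": src, "dst": dst, "scheme": "form", "user": user})
    return findings


if __name__ == "__main__":
    for f in find_cleartext_creds(SAMPLE_REQUESTS):
        print(f"{f['src']} -> {f['dst']}: {f['scheme']} login for '{f['user']}' in cleartext")
```

Run it over your own router's admin session to confirm that nothing is reported once HTTP management is disabled, as the post recommends.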