How to capture router ADMIN password hash?

Hi all,

I have myself a stack of various routers; an old BT Hub 2, Hub 6, an original TALKTALK router, some random router that looks like it's from the 90's (I forget the model), etc. People give me their old stuff to play with because they know I'm a massive nerd in my spare time :lol:

Pentesting the router password hash is easy enough with Aircrack, however I can't find much information about how one goes about capturing the admin password hash of a router (or plain text, if it's old and crappy like the random router I suspect may be!)

So a basic question; What tools / methods are used for capturing admin router passwords? I plan on having a play with each router over the weekend.

I did an online search for information, but the search just yielded lots of rubbish news articles with no actual useful information.

Thanks guys.

Edited by haze1434

Are we talking the admin password for logging into the router's management side? If it's not configured for HTTPS then you can load Wireshark and see it in plain text, but you would more than likely need to MITM the "victim" or target machine logging into the router's admin page. If it's SSL (most routers can do both, but you can choose both, one or the other) and only SSL, SSL strip attacks won't generally work, but forcing the victim off the router and then faking the login process over HTTP will nab you the same thing, plain text creds. Not sure where the "password hash" is in play. What is stored on the routers themselves may not even be stored securely and could even be stored on the router in plain text. If the router has any vulns, you can often dump entire configurations which will show the admin password, the WPA2 passwords and all settings, regardless of whether it's set up with HTTP or HTTPS, since you do the attack from the web page interface directly via some URL manipulations.

Many older unpatched routers have lots of web based vulnerabilities, such as LFI and even RFI, where the LFI can do things like dump an /etc/passwd file or the config itself. If remote admin login is enabled, this then becomes even worse, since anyone who finds it from the WAN side can often do the same thing, which is a good reason to always 1, disable remote administration, 2, disable HTTP, and 3, always update the firmware when possible, or upgrade to a better router when EOL happens on older hardware.


Example of an older router vuln - 


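The plaintext-login point in the answer above, as an added example that is not code from the thread: a small audit script that parses constructed HTTP requests of the kind a router admin login over plain HTTP produces (a form POST and an HTTP Basic `Authorization` header) and reports which credentials transit in the clear. The host, paths and credential values are constructed sample data, not taken from any real device.

```python
"""Audit captured HTTP requests for credentials sent in the clear.

Added example, not from the original thread. The two requests below are
constructed to resemble what Wireshark shows for a router admin login
over plain HTTP: a form POST and a request carrying HTTP Basic auth.
"""
import base64
from urllib.parse import parse_qs

# Constructed sample capture (hypothetical router at 192.168.1.254).
SAMPLE_CAPTURE = (
    "POST /login.cgi HTTP/1.1\r\n"
    "Host: 192.168.1.254\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 31\r\n"
    "\r\n"
    "username=admin&password=hunter2",
    "GET /status.html HTTP/1.1\r\n"
    "Host: 192.168.1.254\r\n"
    "Authorization: Basic YWRtaW46aHVudGVyMg==\r\n"
    "\r\n",
)

PASSWORD_FIELDS = {"password", "passwd", "pwd", "pass"}
USER_FIELDS = {"username", "user", "login"}


def find_plaintext_creds(raw_request):
    """Return a list of (where, user, password) for each credential in one request."""
    head, _, body = raw_request.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    found = []
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        # Basic auth is only base64-encoded; over HTTP it is effectively plaintext.
        decoded = base64.b64decode(auth.split(None, 1)[1]).decode("utf-8", "replace")
        user, _, password = decoded.partition(":")
        found.append(("Authorization header", user, password))
    if "application/x-www-form-urlencoded" in headers.get("content-type", ""):
        form = parse_qs(body)
        pw_key = next((k for k in form if k.lower() in PASSWORD_FIELDS), None)
        if pw_key is not None:
            user = next((form[k][0] for k in form if k.lower() in USER_FIELDS), "")
            found.append(("form body", user, form[pw_key][0]))
    return found


def audit_capture(requests):
    """One report line per exposed credential across the whole capture."""
    return [f"{req.splitlines()[0]}: {where} -> {user}:{password}"
            for req in requests
            for where, user, password in find_plaintext_creds(req)]
```

Running `audit_capture(SAMPLE_CAPTURE)` against a capture of your own router's admin login is a quick way to confirm whether the fix the answer recommends (disabling HTTP on the management interface) has actually taken effect.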
