invalid_identity Posted July 24, 2022 Share Posted July 24, 2022 How can i use hydra to bruteforce the login of my router? it only has a box asking for a password, when wrong password is inputted it makes a messagebox(the ones you see on scamming webpages, the address of the website is the title of the message and the body of the messages says invalid password, please try again.) i did firefox network analysis and got this for the request body(method is POST) <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><Login xmlns="http://purenetworks.com/HNAP1/"><Action>login</Action><Username>Admin</Username><LoginPassword></LoginPassword><Captcha></Captcha></Login></soap:Body></soap:Envelope> router model: DIR-853/ET note: the ET is the code for the ISP that has dlink put their router firmware on the router) router login screenshot:https://www.mediafire.com/view/lxk989wjaep1ufb/Screenshot_at_2022-07-24_12-30-49.png/file# Link to comment Share on other sites More sharing options...
dark_pyrro Posted July 24, 2022 Share Posted July 24, 2022 Why not try to use HNAP to reset the current password? Link to comment Share on other sites More sharing options...
NoExecute Posted July 25, 2022 Share Posted July 25, 2022 Dont bruteforce your router, some routers will lock you out, so that's just stupid. And, why would you want to ?, If it's your router, you have the password, or access to the device, and can run a hardware reset on it, so no need to bruteforce. Try the Hydra-Gui, a good wordlist, a good password list, and some patience. One other route to go, is using Burp Suite,to analyze the traffic, and Burp got some tools for bruteforcing wep-apps, like website login forms and routers.. Now im done spoonfeeding you, go practice 😉 Link to comment Share on other sites More sharing options...
g0tmilk Posted July 26, 2022 Share Posted July 26, 2022 Open wire shark and read the response header. You might see 401 code Unauthorized you have to learn how the device responds to things like. Bad user Good user Bad password  You can look at other ports that maybe open like telnet.  Before you can use hydra, knowing the response codes are key.  Some services will tell you if the user is bad or good. This will allow you to brute just the user.  There is also brute force detection that when you are flagged as an attacker then the responce will be false even when the user/pass is correct.  It is better practice to write a small script to handle all Variables. Link to comment Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.