
hydra cracking dlink router DIR-853



How can I use hydra to bruteforce the login of my router? It only has a box asking for a password. When a wrong password is inputted it shows a message box (the ones you see on scamming webpages: the address of the website is the title of the message and the body of the message says "invalid password, please try again."). I did a Firefox network analysis and got this for the request body (method is POST):

<?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><Login xmlns="http://purenetworks.com/HNAP1/"><Action>login</Action><Username>Admin</Username><LoginPassword></LoginPassword><Captcha></Captcha></Login></soap:Body></soap:Envelope>

router model: DIR-853/ET

(note: the ET is the code for the ISP that has dlink put their router firmware on the router)

router login screenshot: https://www.mediafire.com/view/lxk989wjaep1ufb/Screenshot_at_2022-07-24_12-30-49.png/file#


Don't bruteforce your router, some routers will lock you out, so that's just stupid.
And why would you want to? If it's your router, you have the password, or access to the device, and can run a hardware reset on it, so no need to bruteforce.

Try the Hydra-Gui, a good wordlist, a good password list, and some patience. One other route to go is using Burp Suite to analyze the traffic, and Burp has some tools for bruteforcing web apps, like website login forms and routers.

Now I'm done spoonfeeding you, go practice 😉


Open Wireshark and read the response header. You might see a 401 Unauthorized code. You have to learn how the device responds to things like:

Bad user

Good user

Bad password

You can look at other ports that may be open, like telnet.

Before you can use hydra, knowing the response codes is key.

Some services will tell you if the user is bad or good. This will allow you to brute just the user.

There is also brute force detection: when you are flagged as an attacker, the response will be false even when the user/pass is correct.

It is better practice to write a small script to handle all variables.



This topic is now archived and is closed to further replies.
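
An added example, not part of the thread: a defender-side sketch of the brute-force detection mentioned in the last reply, run over HNAP Login request bodies in the format the original post captured. The function names, the `(timestamp, source, body)` event tuples, the threshold values and the sample events are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict, deque

HNAP_NS = "{http://purenetworks.com/HNAP1/}"  # namespace from the captured body
# Constructed request body, modelled on the one in the original post.
TEMPLATE = (
    '<?xml version="1.0" encoding="utf-8"?><soap:Envelope '
    'xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>'
    '<Login xmlns="http://purenetworks.com/HNAP1/"><Action>login</Action>'
    '<Username>Admin</Username><LoginPassword>{pw}</LoginPassword>'
    '<Captcha></Captcha></Login></soap:Body></soap:Envelope>')

def parse_hnap_login(body):
    """Return (action, username) from an HNAP Login body, or None if unusable."""
    # A login body never needs a DTD; refuse one instead of expanding entities.
    if "<!DOCTYPE" in body or "<!ENTITY" in body:
        return None
    try:
        root = ET.fromstring(body.encode("utf-8"))
    except ET.ParseError:
        return None
    login = root.find(f".//{HNAP_NS}Login")
    if login is None:
        return None
    return ((login.findtext(f"{HNAP_NS}Action") or "").strip(),
            (login.findtext(f"{HNAP_NS}Username") or "").strip())

def flag_sources(events, limit=5, window=60):
    """Map each source with more than `limit` logins in `window` seconds to its peak count."""
    recent, peak = defaultdict(deque), {}
    for ts, src, body in sorted(events):
        parsed = parse_hnap_login(body)
        if parsed is None or parsed[0].lower() != "login":
            continue  # not a login attempt (or unparseable), so not counted
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:  # drop attempts that fell out of the window
            q.popleft()
        if len(q) > limit:
            peak[src] = max(peak.get(src, 0), len(q))
    return peak

# Constructed sample: one noisy source, one quiet source, one malformed body.
SAMPLE = [(2 * i, "192.0.2.10", TEMPLATE.format(pw=f"x{i}")) for i in range(8)]
SAMPLE += [(t, "192.0.2.20", TEMPLATE.format(pw="a")) for t in (0, 300)]
SAMPLE += [(5, "192.0.2.30", "<not-xml")]

if __name__ == "__main__":
    print(flag_sources(SAMPLE))
```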
