
Thread: yet another hydra post (driving me crazy)

  1. #1
    Senior Member
    Join Date
    Jan 2011
    Location
    over the under
    Posts
    197


    It seems no matter what I try I can't get this tool to crack my router login.
    To begin yes I know the easiest method is resetting the router, however I know my password off the top of my head so there's no need for all of that, I'm just very adamant about learning how to use this tool.

    I know this has to be something dumb that I'm just overlooking but at the same time I feel like I've tried everything

    *My Research*
    googled... a lot
    man hydra... no manual page for hydra
    read almost every post on this forum that had hydra in the title
    the docs that come with the tool
    the website http://www.thc.org/thc-hydra/
    read tutorials and watched other people's videos to check their syntax

    The problem I seem to be running into is that it just keeps giving me false positives... It tells me that the first few passwords in my word list are all the correct passwords, which is obviously wrong.

    Code:
    root@bt:~# hydra -l Admin -P /media/KEEPERS/wordlists/rockyou.txt -o /root/valid.txt -t8 -f -v 192.168.0.1 http-get http://192.168.0.1/login_auth.asp
    Hydra v5.9 (c) 2010 by van Hauser / THC - use allowed only for legal purposes.
    Hydra (http://www.thc.org) starting at 2011-04-06 05:10:13
    [DATA] 8 tasks, 1 servers, 14344405 login tries (l:1/p:14344405), ~1793050 tries per task
    [DATA] attacking service http-get on port 80
    [VERBOSE] Resolving addresses ... done
    [80][www] host: 192.168.0.1   login: Admin   password: princess
    [STATUS] attack finished for 192.168.0.1 (valid pair found)
    [80][www] host: 192.168.0.1   login: Admin   password: 1234567
    [80][www] host: 192.168.0.1   login: Admin   password: rockyou
    Hydra (http://www.thc.org) finished at 2011-04-06 05:10:15

    *Things I've tried*
    checked to make sure my password was in my dictionary... it is.

    changing http-get to http-head

    all variations of the specific option including http://192.168.0.1, http://192.168.0.1/, http:192.168.0.1/login_auth.asp, http://192.168.0.1/192.168.0.1/login_auth.asp/ /login_auth.asp, //192.168.0.1, /, etc

    for the login name even though on the form I have to manually select "Admin" from a drop down I've tried changing that to "admin" "ADMIN" and I've also tried using "" for a blank password field.

    I've tried removing the -t -f -v and -o flags to remove variables and further simplify things.

    I've tried adjusting the number of tasks

    tried downloading and compiling the newest version, (6.1)... same results.

    *interesting note*
    no matter what I use for the service option I always get the same results. For instance, I used /192.168.0.1/ezxdw and it still told me the first few passwords in my wordlist were correct. One theory this leads me to is that I'm not finding my router and it's just trying to crack something that isn't there. I'm just running out of options to try for this field

    the only other thought I have is maybe this attack is unsuccessful because of the drop-down style user name field on the login form

    any help or advice is greatly appreciated.

  2. #2
    thorin (My life is this forum)
    Join Date
    Jan 2010
    Posts
    2,629


    1) I'm not sure if this works with hydra specifically, but as an alternative to man, -h, -?, and --help are good things to try as well.
    2) You should look at the actual login form (view source) and see what method is used. There is basically zero reason for it to be HEAD; it "could" be GET, but is likely POST. It could also be basic or digest auth and not use a form at all.
    3) Is 'Admin' the actual username? When you say you have to select it from a dropdown, do you mean a dropdown implemented by the browser's auto-complete or a dropdown which is actually part of the login webpage? If the latter, then the value you need to provide to hydra might not actually be "admin"; you'll have to understand HTML and look at the page source to find the actual value.
    4) You could fire up wireshark or ettercap and capture a known good login sequence, and then you'd know specifically what's sent back and forth when you log in.
    5) When you fail to log in via the browser, are you simply redirected back to the login page or is there an error? Does it generate a 403 forbidden (or similar), give a 200, or one of the redirect response codes?
    I'm a compulsive post editor, you might wanna wait until my post has been online for 5-10 mins before quoting it as it will likely change.

    I know I seem harsh in some of my replies. SORRY! But if you're doing something illegal or posting something that seems to be obvious BS I'm going to call you on it.

  3. #3
    Senior Member
    Join Date
    Jan 2011
    Location
    over the under
    Posts
    197


    thorin, great post and much appreciated
    1) tried --help that is the first screen that comes up when you type hydra into the command line
    2) page source idea was awesome I'm looking at it right now... definitely not the greatest with html but I know a little
    3) When I say a drop-down menu I mean on the actual webpage. It gives me the choice between "Admin" and "User" but what I can already see from the source is it's "admin" with a lowercase "a"
    4) ettercap/wireshark... again another awesome idea that I failed to think of. I'll try that out asap also.
    5) when I fail a login it redirects me back and says "Invalid password please try again"

    thanks again thorin great post!

    I'm going to try all of this again with all the new info and I'll post back.
    Last edited by 2901119; 04-06-2011 at 04:50 PM.

  4. #4
    Senior Member
    Join Date
    May 2010
    Posts
    198


    I only have this issue with routers that use JavaScript. Is this a D-link router by chance (192.168.0.1)? I think I almost have it solved.
    "Never do anything against conscience -- even if the state demands it."
    -- Albert Einstein

  5. #5
    Senior Member
    Join Date
    Jan 2011
    Location
    over the under
    Posts
    197


    So I used Wireshark to record a login and unfortunately I don't know enough about tcp/ip to come to a solid conclusion based upon the info I gathered, if anything it just further confused me. Within 10-15 seconds wireshark gathered like a hundred packets all pertaining to that one logon. Some of the headers said "GET" some said "POST" sometimes the referrer field said "login.cgi" and sometimes it said "index.asp" when the actual login page says "login_auth.asp" so I'm really not sure what I should be putting in these fields for hydra. I tried http-post-form and got similar results.

    scamentology- yes this is a dlink dir-615 router and I did see some java references in the page source.

    Another interesting note... I just tried this attack against a linksys router and it worked flawlessly, on the first try.

    I'm still interested in trying to troubleshoot why I can't get this to work against my dlink router though, so if anyone has any ideas I'd love to hear them.

    Thanks guys!

  6. #6
    Senior Member
    Join Date
    Jan 2011
    Location
    over the under
    Posts
    197


    ok so I see where you're going with the whole dlink, java thing scamentology. My problem seems to be something pertaining to the following part of the hydra docs

    http[s]-{get|post}-form
    specifies the page and the parameters for the web form.
    the keyword "^USER^" is replaced with the login and
    ^PASS^ with the password. The parameters are seperated
    by a colon.
    syntax: <url>:<form parameters>:<failure string>
    e.g.: /login.php:user=^USER^&pass=^PASS^&mid=123:incorrect
    and also this post--> http://www.backtrack-linux.org/forum...ntication.html

    so this is as far as I've gotten
    Code:
    hydra -l admin -P /media/KEEPERS/wordlists/top_50000.txt -vV -t 8 192.168.0.1 http-post-form /login.cgi:login_n=^USER^&log_pass=^PASS^&submit=login:Invalid
    by using /login.cgi as the action, it finally starts working as expected.
    my problem now is it blows right by my password and just keeps going without even recognizing it.
    Last edited by 2901119; 04-09-2011 at 06:50 AM.
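
Added example, not part of the original post and not hydra's own code: a small offline model of the `<url>:<form parameters>:<failure string>` spec quoted in the post above, assuming from that wording that any response lacking the failure string is reported as a valid login. It shows why several reported hits for one login point at the spec rather than at real passwords; `triage`, `demo` and both sample responses are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class FormSpec:
    path: str      # form action, e.g. /login.cgi
    params: str    # request body template with ^USER^ / ^PASS^ markers
    failure: str   # text expected in the response to a rejected login

def parse_spec(spec: str) -> FormSpec:
    """Split '<url>:<form parameters>:<failure string>' on its first two colons."""
    parts = spec.split(":", 2)
    if len(parts) != 3 or not all(parts):
        raise ValueError("expected <url>:<form parameters>:<failure string>")
    return FormSpec(*parts)

def render_body(spec: FormSpec, user: str, password: str) -> str:
    """Plain marker substitution, as the quoted docs describe it."""
    return spec.params.replace("^USER^", user).replace("^PASS^", password)

def reported_valid(spec: FormSpec, response_text: str) -> bool:
    """Assumed rule: an attempt counts as valid when the failure string is absent."""
    return spec.failure not in response_text

def triage(spec: FormSpec, responses: dict) -> tuple:
    """responses maps each tried password to the response text it produced.
    Returns (reported hits, suspicious); more than one hit for a single
    login means the page or failure string is wrong, not the passwords."""
    hits = [pw for pw, text in responses.items() if reported_valid(spec, text)]
    return hits, len(hits) > 1

# Spec string taken from the post; response bodies are constructed samples.
SPEC = parse_spec("/login.cgi:login_n=^USER^&log_pass=^PASS^&submit=login:Invalid")
REJECTED = "<html><body>Invalid password please try again</body></html>"
NOT_FOUND = "<html><body>404 Not Found</body></html>"

def demo():
    tried = ("princess", "1234567", "rockyou")
    wrong_page = {pw: NOT_FOUND for pw in tried}   # path that is not the form action
    right_page = {pw: REJECTED for pw in tried}    # real rejection message
    return triage(SPEC, wrong_page), triage(SPEC, right_page)

if __name__ == "__main__":
    print(render_body(SPEC, "admin", "princess"))
    print(demo())
```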

  7. #7
    thorin (My life is this forum)
    Join Date
    Jan 2010
    Posts
    2,629


    This won't get hydra working for you but for the router in question you might want to checkout:
    http://www.sourcesec.com/Lab/dlink_hnap_captcha.pdf
    http://dl.packetstormsecurity.net/10...vD_uk_hnap.pdf

  8. #8
    Senior Member
    Join Date
    Jan 2011
    Location
    over the under
    Posts
    197


    Interesting reading thorin, Thanks!

  9. #9
    thorin (My life is this forum)
    Join Date
    Jan 2010
    Posts
    2,629


    No problem. Sorry I can't help further but without a dir-615 in front of me so that I could look at the page source etc I don't really have a means by which to figure out the missing or malfunctioning detail for hydra.

  10. #10
    Senior Member
    Join Date
    Jan 2011
    Location
    over the under
    Posts
    197


    Yeah I know, I tried to post the page source a couple times but kept getting a 404 error with a big picture of a crazy looking cat. I imagine something to do with the javascript in the source.
