Thread: Cracking FiOs Router Login:Pass

  1. #1
    Good friend of the forums Eatme's Avatar
    Join Date
    Aug 2009
    Location
    Socks5
    Posts
    308

    Default Cracking FiOs Router Login:Pass

    I tried cracking my new FiOS router "Actiontec MI424WR" with medusa and Hydra. But both failed.

    These routers have the ability to randomly change text when entering the password in the password field.

    Ex: If I enter "passw1", which is 6 dots, 13 dots will show instead.
    Wiffy-Auto-Cracker - was the best thing that ever happen to me. :) Wo0oT :)
    AWUSO36H_500mW_5dBi Antenna

  2. #2
    Good friend of the forums gunrunr's Avatar
    Join Date
    Jan 2010
    Location
    shining my spoon
    Posts
    265

    Default Re: Cracking FiOs Router Login:Pass

    It just does that so someone who is shoulder surfing cannot estimate the length of your password; it shouldn't interfere with HTTP brute forcing.
    Wielder of the spoon of doom
    Summercon, Toorcon, Defcon, Bsides, Derbycon, Shmoocon oh my
    Come hang out with hackers on twitter @gunrunr556

  3. #3
    Good friend of the forums Eatme's Avatar
    Join Date
    Aug 2009
    Location
    Socks5
    Posts
    308

    Default Re: Cracking FiOs Router Login:Pass

    Yes, I'm aware. But hydra and medusa always return with "admin" : " " - correct password. Which it isn't.
    Wiffy-Auto-Cracker - was the best thing that ever happen to me. :) Wo0oT :)
    AWUSO36H_500mW_5dBi Antenna

  4. #4
    Just burned his ISO dawpa2000's Avatar
    Join Date
    Dec 2010
    Posts
    5

    Lightbulb Re: Cracking FiOs Router Login:Pass

    Have you tried looking at the source code for the page?

    I have looked at the HTML and the JavaScript code. You will notice that the Verizon firmware uses an HTTP web form, and there are multiple INPUT fields. The firmware will check these multiple INPUT fields. In addition, the Verizon firmware generates different sessions and different session numbers and uses those as the INPUT field names / values, so you probably won't know the exact field beforehand.

    For example, there are 3 password INPUT fields: passwordmask_1416335159, passwd1, and md5_pass. The first passwordmask INPUT field has a different number each time in its name. In this case, you can't just supply the password field name as a parameter in hydra because it might change later on. The passwd1 INPUT field is shown (not hidden), and this textbox is what you see changing the length of the password as you enter it. The md5_pass INPUT field stores the MD5 calculation.

    In the MD5 calculation, look at the SendPassword() function of the JavaScript code.

    Code:
    function SendPassword()
    {
        var tmp;
        document.form_contents.elements['md5_pass'].value=document.form_contents.elements['passwordmask_1416335159'].value+document.form_contents.elements['auth_key'].value
        tmp=hex_md5(document.form_contents.elements['md5_pass'].value);
        document.form_contents.elements['md5_pass'].value=tmp;
        document.form_contents.elements['passwordmask_1416335159'].value="";
        mimic_button('submit_button_login_submit: ..', 1);
    }

    What is auth_key? It is a new field! For example, the auth_key value is 332937039.

    First, the values of the passwordmask_1416335159 and the auth_key fields are combined. Then, the combination is set as the md5_pass value.
    Next, the function calls another function to calculate the MD5 value of the previous combination, then stores it to a temporary variable, and stores the MD5 calculation to md5_pass value.
    The passwordmask_1416335159 value is set to "".
    Finally, the function submits the form.

    From there, the Verizon firmware checks the MD5 calculations of the combined values. If they do not match, then the password fails.

    As you can see, you have to take into account these session values and different INPUT fields and their names, as well as MD5 calculations. I don't think hydra or medusa have been designed for this scenario.
    If this is true, then someone would have to re-write the code for this type of authentication.

    Also, if you try to login too fast or create new sessions, you will get an error message:
    "No more than 5 sessions at a time are allowed. Please wait until open sessions expire."

    Then, you must wait a few minutes for the open sessions to expire.
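
A minimal server-side model of the check described in this post, added here as an illustration (it is not part of the original post and not Actiontec or Verizon firmware code). It shows why a submitted md5_pass is only good for the auth_key it was computed against. The `LoginGate` class, its method names, the random hex auth_key and the rule that a session slot is freed on first use (the router expires sessions by time) are assumptions.

```python
import hashlib
import hmac
import secrets

MAX_SESSIONS = 5  # cap quoted in the post's error message


def client_response(password, auth_key):
    """What SendPassword() computes: hex MD5 of password + auth_key."""
    return hashlib.md5((password + auth_key).encode()).hexdigest()


class LoginGate:
    """Toy router-side check (assumed design, not the firmware's code)."""

    def __init__(self, password):
        self._password = password
        self._open = {}  # session id -> auth_key awaiting a response

    def new_session(self):
        """Serve the login page: issue a fresh session id and auth_key."""
        if len(self._open) >= MAX_SESSIONS:
            raise RuntimeError("No more than 5 sessions at a time are allowed.")
        sid, auth_key = secrets.token_hex(8), secrets.token_hex(16)
        self._open[sid] = auth_key
        return sid, auth_key

    def verify(self, sid, md5_pass):
        """Check a submitted md5_pass; each auth_key is accepted only once."""
        auth_key = self._open.pop(sid, None)  # spend the challenge first
        if auth_key is None:
            return False
        expected = client_response(self._password, auth_key)
        return hmac.compare_digest(expected.encode(), md5_pass.encode())


def demo():
    gate = LoginGate("constructed-pass")  # constructed sample password
    sid, key = gate.new_session()
    good = client_response("constructed-pass", key)
    first = gate.verify(sid, good)    # correct response to a live challenge
    replay = gate.verify(sid, good)   # same response again: challenge spent
    sid2, _ = gate.new_session()
    stale = gate.verify(sid2, good)   # old hash against a new auth_key
    return first, replay, stale
```

`demo()` returns `(True, False, False)`: the hash is accepted once, then rejected both on replay and against a different session's auth_key.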

  5. #5
    Good friend of the forums Eatme's Avatar
    Join Date
    Aug 2009
    Location
    Socks5
    Posts
    308

    Default Re: Cracking FiOs Router Login:Pass

    good, i guess Fi0s is secured from BT hurray!!
    Last edited by Eatme; 01-08-2011 at 06:46 AM.
    Wiffy-Auto-Cracker - was the best thing that ever happen to me. :) Wo0oT :)
    AWUSO36H_500mW_5dBi Antenna

  6. #6
    Just burned his ISO dawpa2000's Avatar
    Join Date
    Dec 2010
    Posts
    5

    Default Re: Cracking FiOs Router Login:Pass

    Originally posted by Eatme:
    "good, i guess Fi0s is secured from BT hurray!!"

    Actually, instead of modifying the source code of hydra or medusa, someone could write a small script that retrieves the login page and posts an HTTP web form with the correct fields. That script could load a password list and try logging in, like a bruteforce or dictionary attack.

    Also, if you have not noticed, sometime in Fall 2010, Verizon remotely logged into its customers' routers and changed everyone's default password to the serial number.

    If someone were to attack a Verizon ActionTec router and the router credentials were once default, then the attacker would also have to keep in mind the 14-character serial number of the router.

    Verizon Forums - Actiontec password rejection:
    http://forums.verizon.com/t5/FiOS-In...ion/m-p/238033

    Slashdot - Verizon Changing Users Router Passwords:
    http://tech.slashdot.org/story/10/08...uter-Passwords

    DSL Reports - Router password change?:
    http://www.dslreports.com/forum/r245...ssword-change-

  7. #7
    Just burned his ISO
    Join Date
    Apr 2011
    Posts
    2

    Default Re: Cracking FiOs Router Login:Pass

    Here's a script I wrote to bruteforce the FiOS router password using a dictionary. I tested it with my router just to be sure it could login.

    http://code.google.com/p/joelisester...downloads/list

  8. #8
    Just burned his ISO
    Join Date
    Apr 2011
    Posts
    1

    Default Re: Cracking FiOs Router Login:Pass

    @pcdude2143 So how do you use the script with xHydra? Do you open it in the password list?

  9. #9
    Just burned his ISO
    Join Date
    Apr 2011
    Posts
    2

    Default

    It's a Python script. Notice the py at the end of the file name. You'll need Python and python-mechanize to run it.

    It's a Python script. Run it with a Python install that has Mechanize.
    Last edited by Archangel-Amael; 05-07-2011 at 08:29 AM.
