I tried cracking my new FiOS router "Actiontec MI424WR" with Medusa and Hydra, but both failed.
These routers have the ability to randomly change text when entering the password in the password field.
Ex: If I enter "passw1", which is 6 dots, 13 dots will show instead.
Wiffy-Auto-Cracker - was the best thing that ever happened to me. :) Wo0oT :)
AWUSO36H_500mW_5dBi Antenna
it just does that so someone who is shoulder surfing cannot estimate the length of your password, it shouldn't interfere with http brute forcing
Wielder of the spoon of doom
Summercon, Toorcon, Defcon, Bsides, Derbycon, Shmoocon oh my
Come hang out with hackers on twitter @gunrunr556
Yes, I'm aware. But Hydra and Medusa always return "admin" : " " as the correct password, which it isn't.
Have you tried looking at the source code for the page?
I have looked at the HTML and the JavaScript code. You will notice that the Verizon firmware uses an HTTP web form with multiple INPUT fields, and the firmware checks all of them. In addition, the Verizon firmware generates different sessions and session numbers and uses those in the INPUT field names / values, so you probably won't know the exact field name beforehand.
For example, there are 3 password INPUT fields: passwordmask_1416335159, passwd1, and md5_pass. The first passwordmask INPUT field has a different number each time in its name. In this case, you can't just supply the password field name as a parameter in hydra because it might change later on. The passwd1 INPUT field is shown (not hidden), and this textbox is what you see changing the length of the password as you enter it. The md5_pass INPUT field stores the MD5 calculation.
In the MD5 calculation, look at the SendPassword() function of the JavaScript code.
What is auth_key? It is a new field! For example, the auth_key value is 332937039.
Code:
function SendPassword() {
    var tmp;
    // concatenate the session-numbered password field with auth_key
    document.form_contents.elements['md5_pass'].value = document.form_contents.elements['passwordmask_1416335159'].value + document.form_contents.elements['auth_key'].value;
    // hash the concatenation and submit only the hex digest
    tmp = hex_md5(document.form_contents.elements['md5_pass'].value);
    document.form_contents.elements['md5_pass'].value = tmp;
    // blank the cleartext field before the form leaves the browser
    document.form_contents.elements['passwordmask_1416335159'].value = "";
    mimic_button('submit_button_login_submit: ..', 1);
}
First, the value of the passwordmask_1416335159 and the auth_key fields are combined. Then, the combination is set to md5_pass value.
Next, the function calls another function to calculate the MD5 value of the previous combination, then stores it to a temporary variable, and stores the MD5 calculation to md5_pass value.
The passwordmask_1416335159 value is set to "".
Finally, the function submits the form.
From there, the Verizon firmware checks the MD5 calculations of the combined values. If they do not match, then the password fails.
As you can see, you have to take into account these session values and different INPUT fields and their names, as well as MD5 calculations. I don't think hydra or medusa have been designed for this scenario.
If this is true, then someone would have to re-write the code for this type of authentication.
Also, if you try to log in too fast or create new sessions, you will get an error message:
"No more than 5 sessions at a time are allowed. Please wait until open sessions expire."
Then, you must wait a few minutes for the open sessions to expire.
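The SendPassword() flow described above, reworked as an added Python example (not code from the thread or from the script linked later): it reads the session-numbered mask field and auth_key out of a constructed login page, computes md5_pass the way the browser does, and adds an assumed firmware-side check to show that auth_key defends against replaying a captured digest, not against repeated guessing. The HTML fragment, the field values and firmware_check are assumptions, not the real firmware.

```python
import hashlib
import re

# Constructed login-page fragment with the three fields the post describes
# (passwordmask_<session number>, auth_key, md5_pass); not the firmware's HTML.
SAMPLE_LOGIN_HTML = """
<form name="form_contents" method="post" action="/login.cgi">
<input type="password" name="passwd1" value="">
<input type="hidden" name="passwordmask_1416335159" value="">
<input type="hidden" name="auth_key" value="332937039">
<input type="hidden" name="md5_pass" value="">
</form>
"""


def parse_login_form(html):
    """Return (mask_field_name, auth_key) from a fetched login page.

    The session number sits in the field NAME, so it has to be read from
    the page each time instead of being passed as a fixed parameter."""
    mask = re.search(r'name="(passwordmask_\d+)"', html)
    key = re.search(r'name="auth_key"\s+value="([^"]*)"', html)
    if not mask or not key:
        raise ValueError("login form lacks passwordmask_*/auth_key fields")
    return mask.group(1), key.group(1)


def md5_pass_for(password, auth_key):
    """Mirror of SendPassword(): hex MD5 of password + auth_key (string concat)."""
    return hashlib.md5((password + auth_key).encode()).hexdigest()


def build_login_post(html, password):
    """Form fields as SendPassword() leaves them before submit:
    mask field blanked, md5_pass holding the digest, auth_key echoed back."""
    mask_field, auth_key = parse_login_form(html)
    return {mask_field: "", "auth_key": auth_key,
            "md5_pass": md5_pass_for(password, auth_key)}


def firmware_check(post, stored_password, session_auth_key):
    """Assumed server-side check (the post only says the firmware compares
    MD5s): recompute from the stored password and the auth_key issued for
    this session, so a digest captured in one session is useless in another.
    Each new session gets a fresh key, so the 5-session cap is the throttle."""
    if post.get("auth_key") != session_auth_key:
        return False
    return post.get("md5_pass") == md5_pass_for(stored_password, session_auth_key)
```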
Good, I guess FiOS is secured from BT, hurray!!
Last edited by Eatme; 01-08-2011 at 06:46 AM.
Actually, instead of modifying the source code of Hydra or Medusa, someone could write a small script that retrieves the login page and posts an HTTP web form with the correct fields. That script could load a password list and try logging in, like a brute-force or dictionary attack.
Also, if you have not noticed, sometime in Fall 2010 Verizon remotely logged into its customers' routers and changed everyone's default password to the serial number.
If someone were to attack a Verizon Actiontec router whose credentials were once default, the attacker would also have to keep in mind the 14-character serial number of the router.
Verizon Forums - Actiontec password rejection:
http://forums.verizon.com/t5/FiOS-In...ion/m-p/238033
Slashdot - Verizon Changing Users Router Passwords:
http://tech.slashdot.org/story/10/08...uter-Passwords
DSL Reports - Router password change?:
http://www.dslreports.com/forum/r245...ssword-change-
Here's a script I wrote to brute-force the FiOS router password using a dictionary. I tested it with my router just to be sure it could log in.
http://code.google.com/p/joelisester...downloads/list
@pcdude2143 So how do you use the script with xHydra? Do you open it in the password list?
It's a Python script. Notice the py at the end of the file name. You'll need Python and python-mechanize to run it.
It's a Python script. Run it with a Python install that has Mechanize.
Last edited by Archangel-Amael; 05-07-2011 at 08:29 AM.