yet another hydra post (driving me crazy)

[2901119]

It seems no matter what I try I cant get this tool to crack my router login.
To begin yes I know the easiest method is resetting the router, however I know my password off the top of my head so there's no need for all of that, I'm just very adamant about learning how to use this tool.

I know this has to be something dumb that I'm just overlooking but at the same time I feel like I've tried everything

*My Research*
googled... a lot
man hydra... no manual page for hydra
read almost every post on this forum that had hydra in the title
the docs that come with the tool
the website http://www.thc.org/thc-hydra/
read tutorials and watched other peoples videos to check their syntax

The problem I seem to be running into is that It just keeps giving me false positives... It tells me that the first few passwords in my word list are all the correct passwords, which is obviously wrong.

Code:

root@bt:~# hydra -l Admin -P /media/KEEPERS/wordlists/rockyou.txt -o /root/valid.txt -t8 -f -v 192.168.0.1 http-get http://192.168.0.1/login_auth.asp
Hydra v5.9 (c) 2010 by van Hauser / THC - use allowed only for legal purposes.
Hydra (http://www.thc.org) starting at 2011-04-06 05:10:13
[DATA] 8 tasks, 1 servers, 14344405 login tries (l:1/p:14344405), ~1793050 tries per task
[DATA] attacking service http-get on port 80
[VERBOSE] Resolving addresses ... done
[80][www] host: 192.168.0.1   login: Admin   password: princess
[STATUS] attack finished for 192.168.0.1 (valid pair found)
[80][www] host: 192.168.0.1   login: Admin   password: 1234567
[80][www] host: 192.168.0.1   login: Admin   password: rockyou
Hydra (http://www.thc.org) finished at 2011-04-06 05:10:15

*Things I've tried*
checked to make sure my password was in my dictionary... it is.

changing http-get to http-head

all variations of the specific option including http://192.168.0.1, http://192.168.0.1/, http:192.168.0.1/login_auth.asp, http://192.168.0.1/192.168.0.1/login_auth.asp/ /login_auth.asp, //192.168.0.1, /, etc

for the login name even though on the form I have to manually select "Admin" from a drop down I've tried changing that to "admin" "ADMIN" and I've also tried using "" for a blank password field.

I've tried removing the -t -f -v and -o flags to remove variables and further simplify things.

I've tried adjusting the number of tasks

tried download and compiling the newest version, (6.1)... same results.

*interesting note*
no matter what I use for the service option I always get the same results for instance I used /192.168.0.1/ezxdw and it still told me the first few passwords in my wordlist were correct. One theory this leads me to is that im not finding my router and its just trying to crack something that isn't there im just running out of options to try for this field

the only other thought I have is maybe this attack is unsuccessful because of the drop-down style user name field on the login form

any help or advice is greatly appreciated.

[thorin]

1) I'm not sure if this works with hydra specifically, as an alternative to man -h, -?, and --help are good things to try as well.
2) You should look at the actual login form (view source) and see what method is used there is basically zero reason for it to be HEAD, it "could" be GET, but is likely POST. It could also be basic or digest auth and not use a form at all.
3) Is 'Admin' the actual username? When you say you have to select it from a dropdown do you mean a dropdown implemented by the browser's auto-complete or a dropdown which is actually part of the login webpage? If the later then the value you need to provide to hydra might not actually be "admin", you'll have to understand HTML look at the page source to find the actual value.
4) You could fireup wireshark or ettercap and capture a known good login sequence and then you'd know specifically what's sent back and forth when you login.
5) When you fail to login via the browser are you simply redirect back to the login page or is there an error? Does it generate a 403 forbidden (or similar), give a 200, or one of the redirect response codes?

[2901119]

thorin, great post and much appreciated
1) tried --help that is the first screen that comes up when you type hydra into the command line
2) page source idea was awesome I'm looking at it right now... definitely not the greatest with html but I know a little
3) when i say a drop-down menu I mean on the actual webpage. It gives me the choice between "Admin" and "User" but what I can already see from the source is it's "admin" with a lowercase "a"
4) ettercap/wireshark... again another awesome idea that I failed to think of. I'll try that out asap also.
5)when I fail a login it redirects me back and says "Invalid password please try again"

thanks again thorin great post!

I'm going to try all of this again with all the new info and I'll post back.

[Scamentology]

I only have this issue with routers that use java script. Is this a D-link router by chance (192.168.0.1)? I think I almost have it solved.

[2901119]

So I used Wireshark to record a login and unfortunately I don't know enough about tcp/ip to come to a solid conclusion based upon the info I gathered, if anything it just further confused me. Within 10-15 seconds wireshark gathered like a hundred packets all pertaining to that one logon. Some of the headers said "GET" some said "POST" sometimes the referrer field said "login.cgi" and sometimes it said "index.asp" when the actual login page says "login_auth.asp" so I'm really not sure what I should be putting in these fields for hydra. I tried http-post-form and got similar results.

scamentology- yes this is a dlink dir-615 router and I did see some java references in the page source.

Another interesting note... I just tried this attack against a linksys router and it worked flawlessly, on the first try.

I'm still interested in trying to troubleshoot why I can't get this to work against my dlink router though, so if anyone has any ideas I'd love to hear them.

Thanks guys!

[2901119]

ok so I see where youre going with the whole dlink, java thing scamentology. My problem seems to be somthing pertaining to the following part of the hydra docs

http[s]-{get|post}-form
specifies the page and the parameters for the web form.
the keyword "^USER^" is replaced with the login and
^PASS^ with the password. The parameters are seperated
by a colon.
syntax: <url>:<form parameters>:<failure string>
e.g.: /login.php:user=^USER^&pass=^PASS^&mid=123:incorrec t

and also this post--> http://www.backtrack-linux.org/forum...ntication.html

so this is as far as I've gotten

Code:

hydra -l admin -P /media/KEEPERS/wordlists/top_50000.txt -vV -t 8 192.168.0.1 http-post-form /login.cgi:login_n=^USER^&log_pass=^PASS^&submit=login:Invalid

by using /login.cgi as the action, it finally starts working as expected.
my problem now is it blows right by my password and just keeps going without even recognizing it.

[thorin]

This won't get hydra working for you but for the router in question you might want to checkout:
http://www.sourcesec.com/Lab/dlink_hnap_captcha.pdf
http://dl.packetstormsecurity.net/10...vD_uk_hnap.pdf

[2901119]

Interesting reading thorin, Thanks!

[thorin]

No problem. Sorry I can't help further but without a dir-615 in front of me so that I could look at the page source etc I don't really have a means by which to figure out the missing or malfunctioning detail for hydra.

[2901119]

Yeah I know, I tried to post the page source a couple times but kept getting a 404 error with a big picture of a crazy looking cat. I imagine something to do with the javascript in the source.