Hi everyone,

I'm trying to learn a bit about HTTP authentication by testing it against my own router at home, for which I already know the password.

I have spent much of my limited time reading about HTTP authentication and how to use Hydra, but I am stuck.

The problem is Hydra keeps saying all passwords from my created list are correct.

I use the typical command for HTTP-post:

hydra -l admin 192.168.8.1 http-post-form "/login.lp:user=^USER^&password=^PASS^:The username or password you've entered is incorrect. Please check and try again." -P /pentest/passwords/crunch/netvigatorrouterpass -vV -o hydraattack.txt -t 1

I attach the login page's source at the end so you can check that I used the right field names for USER and PASS.

The command reports every password in the file as correct. I have narrowed it down to two possible problems:

a) some error with the "bad password" code, but this is so straightforward I doubt this can be the problem.
b) the authentication seems to be done through a cookie (the web page sets a cookie named xAuth_SESSION_ID), and a function called in the page source seems to use it. Could this be the reason? How should I deal with this cookie/function to get things right?

I would appreciate suggestions, solutions, further reading or any tutorials that might be around; I have looked for a long time but can't find any.

Thanks,

Andrupow

Login page source (HTML and JavaScript)



<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>Home Gateway - Login</title>
<link rel="stylesheet" type="text/css" href="/styles.css">
</head>
<body height="100%" style="margin:0px;">
<noscript>
<h1>THOMSON - Home Gateway</h1>
<h4>To view the Web interface of your device, JavaScript must be supported and enabled on your browser! <br><br>Please enable scripting and refresh your browser.</h4>
</noscript>

<script type="text/javascript">
//<![CDATA[
/**
 * Disable every control of a form except its hidden inputs.
 *
 * Hidden inputs are left enabled; disabled controls are not included in a
 * form submission, so the hidden values are the ones that still travel
 * with the request.
 *
 * @param {HTMLFormElement} theForm - form whose visible controls are disabled
 */
function disable_fields(theForm)
{
  var controls = theForm.elements;
  var total = controls.length;
  for (var idx = 0; idx < total; idx++) {
    var control = controls[idx];
    // Hidden fields carry the values the server reads; keep them enabled.
    if (control.type.toLowerCase() == "hidden") continue;
    control.disabled = 1;
  }
}

/**
 * Switch the interface language by posting the language-selection form.
 *
 * The language code is written into the first control of the `langSelect`
 * form, the form is submitted, and its visible controls are then disabled.
 *
 * @param {string} langCode - language code to submit (the page passes 'zh')
 */
function setLanguage(langCode)
{
  var langForm = document.langSelect;
  langForm.elements[0].value = langCode;
  langForm.submit();
  // Disable only after submit(): disabled controls are left out of a submission.
  disable_fields(langForm);
}

/**
 * Key-press filter for the login inputs: suppress the Enter key.
 *
 * Used as `onkeypress="return noenter()"`, so returning false cancels the
 * key press. Relies on the global `window.event` object.
 *
 * @returns {boolean} false when the current event is Enter (keyCode 13), true otherwise
 */
function noenter()
{
  var evt = window.event;
  if (evt && evt.keyCode == 13) {
    return false;
  }
  return true;
}

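var hex_chr = "0123456789abcdef";

/**
 * Format a 32-bit word as eight lowercase hex digits, lowest byte first.
 *
 * Each byte is written high nibble then low nibble, and bytes are emitted
 * from least to most significant, e.g. 0x12345678 -> "78563412".
 *
 * @param {number} num - value treated as a 32-bit integer
 * @returns {string} eight hex characters
 */
function rhex(num)
{
  // Declared locally: as undeclared names, the accumulator and loop counter
  // became page-wide globals and threw a ReferenceError in strict mode.
  var str = "";
  for (var j = 0; j <= 3; j++) {
    str += hex_chr.charAt((num >> (j * 8 + 4)) & 0x0F) +
           hex_chr.charAt((num >> (j * 8)) & 0x0F);
  }
  return str;
}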

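/**
 * Convert a string to a sequence of 16-word blocks, stored as an array.
 * Append padding bits and the length, as described in the MD5 standard.
 *
 * Characters are packed four per 32-bit word, lowest byte first. A 0x80
 * marker byte follows the last character, and the bit length of the input
 * is stored in the second-to-last word of the final block.
 *
 * NOTE(review): each character is given an 8-bit slot, so a code unit above
 * 0xFF spills into the neighbouring slots. Input is effectively assumed to
 * be 8-bit; confirm how the device treats non-ASCII passwords.
 *
 * @param {string} str - message to pad
 * @returns {number[]} array of nblk * 16 32-bit words
 */
function str2blks_MD5(str)
{
  // All working variables are local; as undeclared names they were implicit
  // globals shared with every other script on the page.
  var len = str.length;
  var nblk = ((len + 8) >> 6) + 1;
  var blks = new Array(nblk * 16);
  var i;
  for (i = 0; i < nblk * 16; i++) blks[i] = 0;
  for (i = 0; i < len; i++)
    blks[i >> 2] |= str.charCodeAt(i) << ((i % 4) * 8);
  // i === len here: place the 0x80 padding marker right after the last character.
  blks[i >> 2] |= 0x80 << ((i % 4) * 8);
  blks[nblk * 16 - 2] = len * 8;
  return blks;
}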

/**
 * Add two integers, wrapping at 2^32.
 *
 * The sum is built from 16-bit halves to work around bugs in some JS
 * interpreters.
 *
 * @param {number} x - first operand, treated as a 32-bit integer
 * @param {number} y - second operand, treated as a 32-bit integer
 * @returns {number} signed 32-bit result of (x + y) modulo 2^32
 */
function add(x, y)
{
  var lowSum = (x & 0xFFFF) + (y & 0xFFFF);
  // Anything above 16 bits in the low sum carries into the high half.
  var carry = lowSum >> 16;
  var highSum = (x >> 16) + (y >> 16) + carry;
  return (highSum << 16) | (lowSum & 0xFFFF);
}

/**
 * Bitwise rotate a 32-bit number to the left.
 *
 * @param {number} num - value treated as a 32-bit integer
 * @param {number} cnt - number of bit positions to rotate by
 * @returns {number} rotated value as a signed 32-bit integer
 */
function rol(num, cnt)
{
  // Bits pushed out at the top re-enter at the bottom; the unsigned shift
  // keeps the sign bit from smearing into them.
  var wrapped = num >>> (32 - cnt);
  var shifted = num << cnt;
  return shifted | wrapped;
}



// Digest parameters embedded in the page; all four feed the hash computed
// in submitAuthentication().
var realm = "Home Gateway";
// NOTE(review): the space inside this value looks like a copy/paste artifact
// of the listing; confirm against the page actually served by the device.
var nonce = "3582308:809191:292abca9b586846f450b1c8ed1e6a4 64";
var qop = "auth";
var uri = "/login.lp";

/**
 * Compute the login digest client-side and submit the authentication form.
 *
 * The value written to the hidden `hidepw` field has the shape of an HTTP
 * Digest (qop=auth) response:
 *   MD5( MD5(user:realm:password) : nonce : nc : cnonce : qop : MD5(method:uri) )
 *
 * Points a reviewer should note:
 *  - The visible password input is disabled before submit(), and disabled
 *    controls are left out of a form submission. The request therefore
 *    carries `user`, the hidden `rn` value and `hidepw`, not the cleartext
 *    `password` field.
 *  - The nonce count ("00000001") and client nonce ("xyz") are constants, so
 *    the client adds no freshness of its own; replay resistance depends
 *    entirely on how the server issues and expires `nonce` (not visible here).
 *  - The method string is "GET" although the form is sent with POST; the
 *    server presumably expects exactly this string. TODO confirm.
 *  - MD5 is a fast, unsalted hash. Anyone who can observe the nonce and the
 *    submitted digest can test password guesses offline, so this scheme does
 *    not replace serving the login page over TLS.
 */
function submitAuthentication()
{
  var userField = document.getElementById("user");
  var pwdField = document.getElementById("password");
  var user = userField.value;
  var pwd = pwdField.value;

  // Keep the cleartext password out of the submitted form data.
  pwdField.disabled = true;

  var nc = "00000001";
  var cnonce = "xyz";
  var HA1 = MD5(user + ":" + realm + ":" + pwd);
  var HA2 = MD5("GET" + ":" + uri);
  var response = MD5(HA1 + ":" + nonce + ":" + nc + ":" + cnonce + ":" + qop + ":" + HA2);

  document.getElementById("hidepw").value = response;
  document.authform.submit();
  // Disable the remaining visible controls; hidden fields are left untouched.
  disable_fields(document.authform);
}
//]]>
</script>

<table cellspacing="0" cellpadding="0" border="0" style="margin-top:10px;" height="100%" width="960" align="center">
<tr>
<td colspan="2">
<table cellspacing="0" cellpadding="0" border="0" class="banner" width="100%">
<tr>
<td height="60" width="400" style="background:url(/images/bar_no1_e.jpg) no-repeat top left;vertical-align:top"> &nbsp;</td>
<td class="Menu1" style="text-align:right">
<table height="60" cellspacing="0" cellpadding="0" border="0" align="right">
<tr><td style="vertical-align:top;text-align:right;padding-top:2px;">
<span class="displaySettings" id="displaySettings">
<span class="langSelect" id="langSelect">
<form name="langSelect" action="" method="post"><input type="hidden" name="6" value="en">
<input type="hidden" name="rn" value="-631237841">
Language: <strong>English</strong>&nbsp;&nbsp;<a href="" onClick="setLanguage('zh');return false;" title="中文">中文</a>&nbsp;&nbsp;


<div class='contentcontainer'>
<hr>
<div class='contentitem'>
<table cellspacing='0' cellpadding='0'>
<tr><td class='icon' valign='top' width='100px'><img src='/images/user__xl.gif' alt='Login !'></td>
<td class='data' valign='top'><table cellspacing='0' cellpadding='0'><tr><td align='left'><span class='itemtitle'>Login</span></td><td align='right'></td></tr>
<tr><td colspan='2'>
<p>Enter your username and password to access your Home Gateway.</p>

<p style="color:red">The username or password you've entered is incorrect. Please check and try again.</p>


<form method="post" action="login.lp" name="authform" id="authform">
<input type="hidden" name="rn" value="-1961196096">
<input type="hidden" name="hidepw" id="hidepw" value=""/>

<table width='100%' cellspacing='0' cellpadding='0'>
<tr><td width="40" valign="top"></td>
<td valign="top">
<table width='100%' class="datatable" cellspacing='0' cellpadding='0'>
<tr><td></td><td width='30px'></td><td width='220px'></td><td width='50px'></td></tr>
<tr><td colspan='4' height='7'><img src='/images/spacer.gif' alt='' border='0' height='7' width='1'></td></tr>
<tr>
<td width='120px'>Username:</td>
<td colspan='3'><input type="text" name="user" id="user" style="width: 250px;" onkeypress="return noenter()" maxlength="63" /></td>
</tr>
<tr><td colspan='4' height='7'><img src='/images/spacer.gif' alt='' border='0' height='7' width='1'></td></tr>
<tr>
<td width='120px'>Password:</td>
<td colspan='3'><input type="password" name="password" id="password" maxlength="63" style="width: 250px;" onkeypress="return noenter()" /></td></td>
</tr>
<tr><td colspan='4' height='7'><img src='/images/spacer.gif' alt='' border='0' height='7' width='1'></td></tr>
<tr>
<td colspan="4" align="right">
<input name="ok" type="button" value="OK" onclick='submitAuthentication()' />
<input name="cancel" type="button" value="Cancel" onclick='location.href="/";' />
</td>
</tr>
</table>
</td></tr>
</table>
</form>
</td></tr></table>
</td></tr></table>
</div>

<script type="text/javascript">
//<![CDATA[
// Place the keyboard focus in the username field of the login form.
document.authform.user.focus();
//]]>