http://forums.remote-exploit.org/sho...ighlight=hydraOriginally Posted by dlink
For your next task, you might want to try to re-invent the wheel, or possibly fire.
Router and http code to test passwords
Hi, i'am trying to write a program to test computers on my lan and i trying to test to see if i can try the default username and password to logon to a broadband and wireless router.
What i've got so far is
Connect to router(192.168.0.1)
connect to port(80)
GET / HTTP/1.1
Then would i do something like
PUT .......
to enter the user and pass .
And how would I know if its succeded, would i have recive, and see if it returns the homepage.
I've tryed to look at the data with wireshark and etthercap but i didn't find the command to add the user and pass.
Thanks in advanced
http://forums.remote-exploit.org/sho...ighlight=hydra
For your next task, you might want to try to re-invent the wheel, or possibly fire.
A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.
I allready know about hydra thanks, but i needed to incorprate it into my program.
Could you help me out in that area.
Just a side topic, but if you can enter username and pass to a feild ,useing the virtual the same commands you should beable to open a port with port forwarding, which hydra doesn't do. If some one can tell me how to enter feilds like user and pass then i could work out how to open fowadring.
I'm not sure what the point of this is but the easiest thing to do would be to right a bash script. input the ip and feed it to the command line version of hydra with a script of default user names and passwords made from the phenolite list. automating the connect seems silly because if you were on a large network with 20 routers you would get 20 browser windows open. If hydra returns a user name and password then you know its vunerable.
Please check RFC2616 for the answers to your questions:
http://www.w3.org/Protocols/rfc2616/rfc2616.html
Then read up on HTML forms:
http://www.google.com/search?q=html+forms
Then read up on HTML form actions:
http://www.google.com/search?q=html+forms+actions
Then read up on HTTP GET and POST:
http://www.google.com/search?q=http+get+post
Now you should be able to viewsource of the login form(s) and figure out how to programatically assemble the necessary HTTP (or HTTPs) requests to perform the automation you're looking for.
Edit: Oh I forgot part, you'll also need to read up on HTTP response codes so you can figure out if you successfully logged in or not. (Maybe program exit codes too depending on how you decide to go about this .... if you use wget or similar and shell script it then you'll need to check $errorlevel or %errorlevel%)
I'm a compulsive post editor, you might wanna wait until my post has been online for 5-10 mins before quoting it as it will likely change.
I know I seem harsh in some of my replies. SORRY! But if you're doing something illegal or posting something that seems to be obvious BS I'm going to call you on it.
thorin, Thanks you for the links it was what i was looking for.
Cheers
Posting Permissions