Forum Thread: Bruteforcing a DLINK DSL2750U ADSL Router with Hydra

Bruteforcing a DLINK DSL2750U ADSL Router with Hydra

Hey Guys,

My first time posting on NullByte, but have been an active reader within the community. I've just started out on learning various basic techniques used for navigating around various security mechanisms. I referred a number of posts on NullByte about bruteforcing routers with Hydra. Most of the articles are focused on beating the basic authentication provided by http. But almost all practical routers consists of a web interface which is first loaded and a custom authentication form that needs to be filled. Here's a snapshot of my DLINK status page and login page respectively :

I used the following link as my main reference in understanding the process of bruteforcing.

https://null-byte.wonderhowto.com/how-to/hack-like-pro-crack-online-web-form-passwords-with-thc-hydra-burp-suite-0160643/

As you see, a login form is presented and the username is given as a drop down consisting of only one element "admin". Also the login page is at 192.168.1.1/cgi-bin/webproc.

Here is the source of the login page: http://www.mediafire.com/file/b60tuxc41gasfrr/router-login-source.txt

To build up the command to execute hydra on this web form, I used BurpSuite. On intercepting the bad response, this is what I get :

Once a wrong password is entered, the error message displayed is as below :

The link does not change on the error message and the error message itself comes as a pop-up. Right clicking on the screen is set to off as well.

I ran my hydra command as below:

hydra -l "" -P "/root/pass.txt" 192.168.1.1 http-post-form "/cgi-bin/webproc:%3Ausername=^USER^&%3Apassword=^PASS^&%3Aaction=Login:"Username or Password wrong:H=Cookie: %3Asessionid=68b3e673"

This gives the hydra output as matching all passwords in the dictionary. So I figure my incorrect page section is bad. Since my routers failed login does not give out any proper information, I tried looking at the "S=" option for the error section of hydra. I noticed that on successfully logging in I'm being redirected to link as shown below:

http://192.168.1.1/cgi-bin/webproc?getpage=html/index.html&errorpage=html/main.html&var:language=en_us&var:menu=setup&var:page=wizard

So I modified my hydra command to the following :

hydra -l "" -P "/root/pass.txt" 192.168.1.1 http-post-form "/cgi-bin/webproc:%3Ausername=^USER^&%3Apassword=^PASS^&%3Aaction=Login:S=?getpage=html/index.html&errorpage=html/main.html&var:language=en_us&var:menu=setup&var:page=wizard:H=Cookie: %3Asessionid=68b3e673"

Now the output of hydra does not match any password in the list.

I've been trying many ways to get this done but am stuck up. Any help pointing towards the right direction would be helpful. If there's any more information you would want to know to help me out, please let me know. Looking to solving this somehow. Cheers and thanks for your patience guys! :)

please let me know if any of you have faced a similar router infront of Hydra.

2 Responses

Hi,
I had not escaped the ":" with "\". So I ran the following command on hydra and captured the tcp stream .

hydra -l "" -P "/root/pass.txt" 192.168.1.1 http-post-form "/cgi-bin/webproc:%3Ausername=^USER^&%3Apassword=^PASS^&%3Aaction=Login:S=?getpage=html/index.html&errorpage=html/main.html&var\:language=en_us&var\:menu=setup&varage=wizard:H=Cookie: %3Asessionid=68b3e673"

Update

I did a wireshark capture to check out whats really happening when I run hydra with a single request .

Here's the capture : tcp-wireshark-cap.pcap

Looks like both GET and POST are getting a bad response. I'm doing something terribly wrong here... Anyone knows what I'm getting wrong ? Please help...

Share Your Thoughts

  • Hot
  • Active