Hydra help wanted

herman
I am trying to get into my SOHO router by brute-forcing the login page but can't get it to work with hydra.

With Wireshark I found this sequence:

POST /login.cgi
Cookie: SessionID=
(the rest of the header had standard fields)

A successful login gives a 200 response and redirects us to the main page.

A failed login also gives a 200 response and a javascript pop-up "Username or pasword error, try again!"

As a first try I skipped over the specific header options and gave the following command:

hydra 10.0.0.1 -l admin -P goodpass -f -v -t 1 http-post-form 'login.cgi:username=^USER^&password=^PASS^&submit.htm%3Flogin.htm=Send:S=Username or password error'

It did not detect the good pass. A Wireshark packet looked the same as a real packet but of course had the specific header options missing. So I tried to send a modified header with hydra and as a first test included the referer:

hydra 10.0.0.1 -l admin -P goodpass -f -v -t 1 http-post-form 'login.cgi:username=^USER^&password=^PASS^&submit.htm%3Flogin.htm=Send:H=Referer\:http\://10.0.0.1/login.htm:S=Username or password error'

Running this command made hydra crash, so I most likely used the wrong syntax. I did google around but many people string things together slightly differently, so it gets confusing as to the right order.

Anybody who can shed some light on this?

Francesco
I think you should change the 'S' (success) parameter to something like "moved" or "redirect".

Can you try it and let me know?

Thank you.

herman
Haha I feel stupid, this is why we should not test late at night no matter how much coffee we have at hand. Changed the S to an F and the capital P to a lowercase p so as to test 1 password (known good) instead of a list. That went well; reset it to the list and it also found the correct password.

For reference the full command:

- Test a single password:

hydra 10.0.0.1 -l admin -p goodpass -f -v -t 1 http-post-form '/login.cgi:username=^USER^&password=^PASS^&submit.htm%3Flogin.htm=Send:F=Username or password error'

- Test a list of passwords:

hydra 10.0.0.1 -l admin -P /root/Desktop/mypasses -f -v -t 1 http-post-form '/login.cgi:username=^USER^&password=^PASS^&submit.htm%3Flogin.htm=Send:F=Username or password error'

Francesco

:) if you test it late at night, be sure you have at least one beer next to the keyboard :P

herman

Hehe that could work ^_^

A related question: another embedded device I am looking at uses Basic Authentication and GET requests. When I test manually I can fire like 10 login requests at the HTTP service without getting blocked.

When I try hydra with 1 known good or known bad password it works as expected. It simply sends a GET request to the correct page, base encodes the username:password combination and returns a success or failure. If I change the command from a single password to a password list and start Hydra it will time out. The device and HTTP service seem to stay up.

So I suspected there might be some rate detection / limiting going on. Hydra's help told me requests can be throttled with the -t 1 switch but that does not seem to have any effect.

Any ideas? Otherwise I will try to throw a small Python script together to see if it behaves the same.

Still having a small battle with the firmware to get into the file system and access the binaries. That would help a lot in my research :D

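Editor's note, from the defender's side of the two devices discussed in this thread. The first post describes a form handler that returns 200 for both a good and a bad login, so a monitor cannot use the status code to tell failures apart; the Basic Authentication post above describes a GET endpoint that answers every wrong guess with a 401 and simply encodes username:password in the Authorization header. The script below is an added example, not code from the thread, from hydra or from patator. It parses constructed access-log lines in an assumed format (client IP, bracketed timestamp, request line, status, Authorization value), counts requests to the login endpoints per source address in a sliding window without looking at the status, and decodes the Basic header to record which usernames a source has tried, keeping only the username and discarding the password. The endpoint paths, the threshold, the window and every log line are assumptions made for the example.

```python
import base64
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format (not any server's default): client IP, bracketed ISO
# timestamp, quoted request line, status, quoted Authorization value or "-".
LINE_RE = re.compile(r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) '
                     r'(?P<path>\S+)[^"]*" (?P<status>\d{3}) "(?P<authz>[^"]*)"$')
TS_FMT = "%Y-%m-%dT%H:%M:%S"
# Assumed endpoints: a form handler (200 on success and failure alike) and a Basic-Auth page (401 on failure).
LOGIN_PATHS = {"/login.cgi", "/setup.htm"}


def parse_line(line):
    """Parse one log line into a dict; return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], TS_FMT)
    ev["status"] = int(ev["status"])
    return ev


def basic_auth_user(header):
    """Username from a 'Basic <base64>' value; the password part is discarded."""
    if not header.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(header[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    user, sep, _password = raw.partition(":")
    return user if sep else None


class LoginGuessDetector:
    """Sliding-window count of login-endpoint requests per source address.
    Status is ignored for counting: a device returning 200 on failure makes it useless as a failure signal."""

    def __init__(self, threshold=4, window=timedelta(seconds=60)):
        self.threshold = threshold
        self.window = window
        self.hits = defaultdict(deque)  # ip -> (timestamp, status) within the window
        self.users = defaultdict(set)   # ip -> usernames seen in Basic headers
        self.alerted = set()            # ips already reported once

    def observe(self, ev):
        """Feed one parsed event; return an alert dict when an IP first trips the threshold."""
        if ev["path"] not in LOGIN_PATHS:
            return None
        ip, now = ev["ip"], ev["ts"]
        q = self.hits[ip]
        q.append((now, ev["status"]))
        while q and now - q[0][0] > self.window:  # expire requests outside the window
            q.popleft()
        user = basic_auth_user(ev["authz"])
        if user is not None:
            self.users[ip].add(user)
        if len(q) >= self.threshold and ip not in self.alerted:
            self.alerted.add(ip)
            return {"ip": ip, "count": len(q),
                    "window_s": int(self.window.total_seconds()),
                    "statuses": sorted({s for _, s in q}),
                    "users": sorted(self.users[ip])}
        return None


def analyze(lines, threshold=4, window_s=60):
    """Run the detector over raw log lines and return the alerts in order."""
    det = LoginGuessDetector(threshold, timedelta(seconds=window_s))
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is not None:
            alert = det.observe(ev)
            if alert is not None:
                alerts.append(alert)
    return alerts


# Constructed sample: 10.0.0.50 posts four form logins in 12 s (all 200); 10.0.0.60 is
# a real user who mistypes once; 10.0.0.70 makes four Basic-Auth guesses under two usernames.
SAMPLE_LOG = [
    '10.0.0.50 [2014-11-20T22:01:00] "POST /login.cgi HTTP/1.1" 200 "-"',
    '10.0.0.50 [2014-11-20T22:01:04] "POST /login.cgi HTTP/1.1" 200 "-"',
    '10.0.0.50 [2014-11-20T22:01:08] "POST /login.cgi HTTP/1.1" 200 "-"',
    '10.0.0.50 [2014-11-20T22:01:12] "POST /login.cgi HTTP/1.1" 200 "-"',
    '10.0.0.60 [2014-11-20T22:02:00] "GET /setup.htm HTTP/1.1" 401 "Basic YWRtaW46d3Jvbmc="',
    '10.0.0.60 [2014-11-20T22:02:09] "GET /setup.htm HTTP/1.1" 200 "Basic YWRtaW46Y29ycmVjdA=="',
    '10.0.0.70 [2014-11-20T22:03:00] "GET /setup.htm HTTP/1.1" 401 "Basic YWRtaW46YQ=="',
    '10.0.0.70 [2014-11-20T22:03:10] "GET /setup.htm HTTP/1.1" 401 "Basic YWRtaW46Yg=="',
    '10.0.0.70 [2014-11-20T22:03:20] "GET /setup.htm HTTP/1.1" 401 "Basic cm9vdDph"',
    '10.0.0.70 [2014-11-20T22:03:30] "GET /setup.htm HTTP/1.1" 401 "Basic cm9vdDpi"',
    '10.0.0.80 [2014-11-20T22:04:00] "GET /style.css HTTP/1.1" 200 "-"',
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

Running the script on the sample reports 10.0.0.50 (four requests, all status 200, no usernames because the form login carries no Authorization header) and 10.0.0.70 (four requests, all 401, usernames admin and root), while the user at 10.0.0.60 and the stylesheet fetch never trip it. Two design points are worth keeping: the password half of the decoded Basic credential is thrown away before anything is stored, and the same per-source window is what a device-side limiter would need in order to slow down the list-driven runs described above without locking out a user who mistypes once.
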
GiRa

IIRC the -t option is a rate, so you have to use something like 0.6 to slow it down.

If you want a more granular control over response status codes, application replies and so on, give patator a try.

herman

Aha thanks, I was aware it sets a rate but did not know it could accept values smaller than 1. I'll google for patator, never used that application before. When I have a chance to test again, somewhere this week, I will update my findings here.

herman

A little update, I tested it but could not get the username / password base encoded so the login page rejects our attempts. I tried to add the basic authentication switch and played with the base encoding option. Will dive into it when I have time.

I finished my write-up on the router I was testing, with a release date currently set at Dec 01. Failed to unpack the firmware due to encryption, so I focused on the webGUI.

herman

Never solved it but here is a write-up of the exploits I found in my little SOHO router: http://www.exploit-db.com/exploits/35419/
When I have time in the near future I still want to have a look at the problem but right now I am too occupied with other stuff.

GiRa

herman,

if you didn't solve it with hydra, I strongly suggest you try patator: it's powerful and easy to adapt to something custom.
