- Kali Linux (For using Hydra and Burp Suite)
- FoxyProxy Standard (Extension for Firefox).
INTRODUCTION:
Mate, it's crucial to have a username for the router you're targeting. To find the default username of the router ISP, you can use these websites:
https://www.routerpasswords.com/
https://192-168-1-1ip.mobi/default-rout ... ords-list/
Without a username, it's not recommended to force the login page. Trying to brute-force both the username and password is a real pain in the arse and will take forever to complete.
METHOD:
Setting Up FoxyProxy in Kali:
Open up Firefox and click on the FoxyProxy icon. Then go to "Options" and hit "Add". Fill in all the details as you see below:
Details:
Title or Description (optional): DEFAULT
Pattern Shortcuts: "Enabled" ON and "Add whitelist pattern to match all URLs" ON
Proxy Type: HTTP
Proxy IP address or DNS name: 127.0.0.1
Port: 8080
Click "Save". Leave Firefox open, we'll need it later.
We've dubbed it the "DEFAULT", and the Proxy Type is set to HTTP (fair dinkum, since we're interceptin' them web requests, ain't it?). The IP address is your local host (127.0.0.1), and the port's been set to 8080, which is where Burp Suite's keepin' an ear out. Make sure you click that save button, so your web browser's all set up to have Burp Suite interceptin' them web requests before you go off to the interwebs.
Now, open Terminal and type:
burpsuite
I reckon you shouldn't be sendin' any info to the company. Best to uncheck that box before ya click continue. Once it loads up, you'll be greeted with the setup, so just hit that "Next" button and then "Start Burp". Burp Suite'll start up.
Now, before we get our HTTP proxy goin', let's see what happens when we try to access the router login page with the wrong password. For this little exercise, we're targetin' the router at 192.168.0.1, and the admin password's s'posed to be "ADMIN".
In the URL, I'll punch in the router IP and visit https://192.168.0.1. Reckon we'll be presented with a router login portal. If we don't see the username, we'll need to look up the default one for that router make and model.
Alright, time to try some wrong credentials. I know the right password's "ADMIN", so I'll enter somethin' different. And what do ya know, it says "User Name or Password is incorrect." Gotta remember that, it'll come in handy in a bit.
Once we've seen what happens with the wrong password, let's reload the router admin page and start fresh, yeah?
Alright, once you've reloaded the webpage and you're ready to enter them credentials to log in, click on the FoxyProxy icon and select the "Default (for all URLs)" in green. If you set everything up right like I said before, you should see "DEFAULT" in green too.
Back to Firefox now. When I'm at the router login page, I'll enter the password "ADMIN" and hit enter. If you do the same, you'll notice Firefox just hangs there and doesn't show anything. It's waitin' on something.
Now, head back to Burp Suite and have a look at the "Proxy" tab. It should be orange now. Click on it to see the HTTP POST data that's been captured and intercepted before it gets sent to the website. This is the HTTP proxy in action, grabbin' that HTTP POST data from your web browser before it goes to the website. You can change anything here before it gets sent, but we won't worry about that for now.
Leave it as is and have a look at where your username and password are being entered into the "POST" request. That's the important bit.
Alright, pay close attention to the first line of that captured request:
"POST /goform/formLogin HTTP/1.1"
See that "/goform/formLogin" bit? That's the path where the credentials are being sent, and we'll need that info to tell Hydra where to send the password attempts. In this case, when we enter our credentials and hit enter on the router login page, they're being sent to http://192.168.0.1/goform/formLogin.
The credentials captured by Burp Suite in my example are the HTTP POST data, which is:
login=admin&pass=ADMIN
We need to collect all this data so we can feed it to the Hydra password cracking tool. That way, Hydra knows what and where to attack on the login webpage.
Alright, time to put Hydra to the test. Open up a new Terminal window and make your password list file.
echo PASS > pass.txt
echo PASSWORD >> pass.txt
echo ADMIN >> pass.txt
echo ADMIN1234 >> pass.txt
echo 12345 >> pass.txt
Now, in the Terminal, you'd replace the IP with the actual router IP and "pass.txt" with a real wordlist, like "/usr/share/wordlist/routerpass.txt", if you were using this against a real target. But for now, let's just use the example IP and wordlist.
The command would look something like this:
hydra 192.168.0.1 http-post-form "/goform/formLogin:login=^USER^&pass=^PASS^:F=User Name or Password is incorrect." -l admin -P pass.txt -vV -f
This tells Hydra to use the username "admin", the password list "pass.txt", port 80 (the default for http-post-form), the target IP, and the HTTP POST form we got from Burp Suite. The "F=" part is the failure string: if the response contains that text, Hydra knows the credentials were wrong.
You can use a wordlist that comes pre-installed with Kali, create your own, or download one from other sources. Google's your best mate when it comes to finding bigger wordlists for those brute force dictionary attacks. And don't forget, the wordlists might be in other languages, depending on where your target's located.
Now, each router's a bit different, so just because you know how to "properly" launch these attacks doesn't mean you'll always have 100% success.
Some router post data can be a real pain to interpret, or you might not be able to easily pick out the details you need. Routers are configured in all sorts of different ways, so you've gotta be prepared for a bit of a challenge.
Some decent password lists: https://github.com/danielmiessler/SecLi ... /Passwords
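Added example, not part of the original post and not any router's real firmware: a per-username failure throttle for a login handler, replayed against the five-entry pass.txt above to show why a dictionary run stalls even when the list contains the right password. `LoginThrottle`, `replay` and the thresholds are hypothetical names and values chosen for illustration.

```python
import hmac
from collections import defaultdict, deque

class LoginThrottle:
    """Per-username failure limiter with a doubling lockout (hypothetical helper)."""

    def __init__(self, max_failures=3, window=60.0, base_lockout=30.0):
        self.max_failures = max_failures    # failures tolerated inside `window`
        self.window = window                # seconds over which failures count
        self.base_lockout = base_lockout    # first lockout length; doubles each time
        self.failures = defaultdict(deque)  # username -> recent failure timestamps
        self.locked_until = {}              # username -> time the lockout ends
        self.lockouts = defaultdict(int)    # username -> lockouts triggered so far

    def allowed(self, user, now):
        return now >= self.locked_until.get(user, 0.0)

    def record_failure(self, user, now):
        recent = self.failures[user]
        recent.append(now)
        while now - recent[0] > self.window:   # drop failures older than the window
            recent.popleft()
        if len(recent) >= self.max_failures:
            self.locked_until[user] = now + self.base_lockout * 2 ** self.lockouts[user]
            self.lockouts[user] += 1
            recent.clear()

    def record_success(self, user):
        self.failures.pop(user, None)
        self.lockouts.pop(user, None)

def replay(throttle, user, guesses, real_password, gap=1.0):
    """Submit guesses `gap` seconds apart; return one outcome per guess."""
    outcomes = []
    for i, guess in enumerate(guesses):
        now = i * gap
        if not throttle.allowed(user, now):
            outcomes.append("locked")    # refused before any password comparison
        elif hmac.compare_digest(guess.encode(), real_password.encode()):
            throttle.record_success(user)
            outcomes.append("success")
        else:
            throttle.record_failure(user, now)
            outcomes.append("fail")
    return outcomes

# Constructed input: the five-entry pass.txt from the post; real password "ADMIN".
PAGE_LIST = ["PASS", "PASSWORD", "ADMIN", "ADMIN1234", "12345"]

if __name__ == "__main__":
    print(replay(LoginThrottle(max_failures=2), "admin", PAGE_LIST, "ADMIN"))
```

Keying on the username alone means rotating source addresses does not reset the count, at the price that anyone who can reach the login page can keep the account locked.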