I recently started playing around with Hydra and tried to hack my router. After searching the forum and googleing around a while I noticed that there are only some howto’s for routers that have http-auth authentication. That is, when you go to 192.168.2.1 e.g. and before showing anything you have to enter login and password in a popup. My router (T-Com Sinus 154 DSL Basic 3) and many others I’ve dealt with so far work differently. When I want to login to my router, I have to go to 192.168.2.1, a web interface with a password field shows up, and I have to enter the password which is then checked by /cgi-bin/login.exe via http-post.
It was quite tricky to find out how to use this authentication with hydra, so I guess there are some of you that can benefit from this. I’ll describe how I did it, so you can adapt the method and use it with your own router.
First of all I examined the login page of the web interface. Be sure to look at the frame source and not the frameset. You should see the form and the action, here’s what I saw:
The form is defined as:
<form name="tF" method="post" action="/cgi-bin/login.exe" onSubmit="evaltF();">
Somewhere in the form there will be the field that takes the password:
<input type="password" name="pws" class="stylepwd" size="12" maxlength="12">
This is probably the most important data you need. You need to write down the field name (“pws” in my case). The size attribute comes in very handy too because it tells us that the password’s max length is 12 characters.
After that I tried to get familiar with Hydra’s options. I figured out that you need the following options:
Sets the login name. In the end I don’t need a login name but hydra gets kind of pissed when you don’t pass something, so I gave an empty string.
The wordlist to use for the password
1 task only, not really neccesary, I just wanted to make sure Hydra doesn’t choke on too many requests
Hydra shall stop when a working password is found
be verbose. and even more. I skipped that in the final version but it’s ok for debugging
the victim’s ip
the method to use
This is the most important part. Here we tell Hydra what to pass the passwords to. The argument consists of three parts separated by “:”.
The first part is the script that takes the POST data, we found that in the frame source above.
The second part is the field name of the password field with an added =^PASS^. ^PASS^ is the variable that hydra substitutes with the passwords in the wordlist.
The third part is the “incorrect” condition. Hydra has to find out somehow if the current password that was send to the router is correct or not. You have to find a string that is actually IN A NEGATIVE RESPONSE from the router. As we don’t have the password yet we can’t know what the router will send if the password is correct, therefore we have to check if it is NOT, which we can find out easily. To find out what the router sends back to hydra I used Wireshark.
Open up wireshark, go to the router login page, start capturing and then login with a wrong password. After that, stop capturing and apply a “http” filter. You will see the POST data sent from hydra to the router (you should also see the “pws=blabla” in the details, that’s where hydra sends the passwords from the wordlist). Below that you’ll find the router answer. In my case it says something like “This page has moved to loginpserr.htm” packed in some basic HTML. So I used the string loginpserr.htm to validate the .. uhm… faultyness. OMFG %-]
Hydra will consider a password as CORRECT when the router answer DOES NOT contain the given string. So be sure to take an expression that somehow sounds like “incorrect” oder “wrong”. If you took “the” for example, and the POSITVE response would be something like “the password you entered was correct”, hydra will not recognize it as correct but incorrect.
Here’s the complete example:
hydra -l "" -P passwords.txt -t 1 -f -v -V 192.168.2.1 http-post-form /cgi-bin/login.exe:pws=^PASS^:loginpserr.htm
If your router does not only need a password but also a username, you can easily add the according login name to the last part. So if you need to send the field “login” or whatever it is called in your case with the value “admin” as the only username you could use
When you need to try a whole username list then you can specify the list via