Using Hydra Against BT Router

Hash-IT

Status: Trusted
Joined: Tue, 02 Aug 2011
Posts: 4598
Team: HashKiller
Reputation: 2982 Reputation
Offline
Mon, 02 Mar 2015 @ 22:36:06

I have been given an old BTHomeHub router to play with and I thought it would give me a good opportunity to practice with Hydra.

Unfortunately it seems my first test subject is a harder one than expected.

I have set up a known password for the admin account and made sure it is in the passwords text file.

I have connected via a cable to LAN and set up Hydra in a way I thought would work.


The command I am using.

hydra -l "" -P '/root/Desktop/passwords.txt' -t 1 -f -v -V 192.168.1.254 http-post-form /login.lp:password=^PASS^:error.lp


Explanation...

-l "" = No user on this router, just password input.

-P '/root/Desktop/passwords.txt' = This contains my test passwords.

-t 1 = One task, I don't want to flood it.

-f = Stop when found.

-v -V = I want to see what's going on

192.168.1.254 = IP of router.

http-post-form = Post type found in page source.

/login.lp = Log in page found in page source.

password=^PASS^ = Name of password variable found in page source.

error.lp = Rejection page found in page source.


When I run Hydra it seems to be testing all the passwords and then reaches the end saying not found.

Has anyone here been able to get Hydra working in this situation ? If so can you please let me know what I am doing wrong ?

Thanks.


Please read the forum rules. | Please read the paid section rules.

BTC: 1MmWESN5bKZ1YSuHrm5uNwnQYxWyQnEQ6E

Milzo
Administrator
Status: Trusted
Joined: Sat, 29 Dec 2012
Posts: 3095
Team:
Reputation: 5065 Reputation
Offline
Tue, 03 Mar 2015 @ 01:37:50

What is the landing page name after a successful login? You can tell hydra to check for page redirect with S=

So your command would look like:

hydra -l "" -P /root/Desktop/passwords.txt -t 1 -f -v -V 192.168.1.254 http-post-form "/login.lp:password=^PASS^:S=page_name.[asp | php | cgi]"


Hash-IT
Tue, 03 Mar 2015 @ 11:51:18

I will go and test this, thank you

I must have logged off minutes before you posted last night.

I have noticed you have used & instead of : in your other post.....

Code:
VmLoginPassword=^PASS^&VmLoginErrorCode=0&VmChangePasswordHint=0

I will try that also 



Hash-IT
Tue, 03 Mar 2015 @ 14:09:24

The target page is...

http://bthomehub.home/settings.lp?be=0&l0=2&l1=-1&l2=-1

I tried the above and also...

http://bthomehub.home/settings.lp

Still not working. But it is different, it takes a long time and never gets beyond testing the first password. It repeats the [status] then number of tries per min.

Where did you find the S= command ? I didn't see it in their help. The only reference to s or S is -s port or -S use SSL.

I could not find anything for S=

I am sure you have a secret supply of manuals only the L337 are allowed to read LOL


Milzo
Tue, 03 Mar 2015 @ 14:23:21

It isn't well documented, I had to sprawl the net to pick up workings of it.

Have you looked at hydra -U http-post-form which explains the module in brief.

S= Success Page
F= Failure page (default)
C= Cookies
H= Header Value(s)

Did you try....

hydra -l "" -P /root/Desktop/passwords.txt -t 1 -f -v -V 192.168.1.254 http-post-form "/login.lp:password=^PASS^:S=settings.lp"

I'm going to try this in the HomeHub4, I know it will probably lock out though.


Hash-IT
Tue, 03 Mar 2015 @ 14:40:40

Ahh hydra -U http-post-form ! Thanks.

You are right, I have found out more from other people's websites than the actual Hydra one. I've just noticed something else, the Hydra in Kali is an old one, version 7.5. Looking at the change-log there is an interesting fix in later versions...

Code:
said:

Small fix for HTTP form module for redirect pages where a S= string match would not work (thanks to mkosmach for reporting)

I am looking forward to learning how you get on with a BT4 router. I will just update Hydra and try again.


Milzo
Tue, 03 Mar 2015 @ 14:47:15

Hash-IT said:

Ahh hydra -U http-post-form ! Thanks.

You are right, I have found out more from other people's websites than the actual Hydra one. I've just noticed something else, the Hydra in Kali is an old one, version 7.5. Looking at the change-log there is an interesting fix in later versions...

Code:
said:

Small fix for HTTP form module for redirect pages where a S= string match would not work (thanks to mkosmach for reporting)

I am looking forward to learning how you get on with a BT4 router. I will just update Hydra and try again.

Yeah get the latest one from github, use my command I posted on the Virgin page to get it.

BTHub4 looks a little more complex, I see the use of cookies, random auth keys and it also hashes the password before it posts it !

tbh it's probably worth while as it locks you out after a few attempts and the lockout time increases if you continue to make guesses.


Hash-IT
Tue, 03 Mar 2015 @ 14:56:15

Yikes BTHub4 sounds HARD !

To be honest, I am surprised it took until 2015 for a router to have anti brute force protection.

I will be some time installing and testing, just to let you know.

Thanks for your help user, as always.


Hash-IT
Tue, 03 Mar 2015 @ 20:34:32

Well I am using Hydra 8.2 now and I have tried just about every combination to get this to work, with no luck so far

I understand settings.lp is the page I need to access behind the password prompt, but what is telling hydra that's what I am trying to do ?

I can only guess that Hydra tries to access the page in the line S=, it's just I was thinking (and tried) S=bthomehub/settings.lp and S=/settings.lp


Milzo
Tue, 03 Mar 2015 @ 21:20:13

Have you used wireshark or even live headers to check the exact post data? That's what you need to try and emulate in hydra


Hash-IT
Tue, 03 Mar 2015 @ 21:27:18

Just done that now and noticed that Hydra is sending a GET / login.lp !! Shouldn't it be POST ?

Ahh Just noticed it sends a POST later

This filter works for wireshark

http.request.method == "GET" or http.request.method == "POST"

Just tried Live Headers and I would say the pages / links I have are correct.

bthomehub/login.lp
bthomehub/settings.lp
password=^PASS^


blandyuk
Administrator
Status: Trusted
Joined: Tue, 05 Jul 2011
Posts: 3205
Team: HashKiller
Reputation: 7744 Reputation
Online
Tue, 03 Mar 2015 @ 22:13:33

Hydra is just a HTTP login cracker using word-lists then? Simple enuf tbh How many threads can it handle at once?

Like you say, ALL forms of authentication should have lock-out policies to stop the likes of these attacks. They are easy to implement so no excuse.


Please read the forum rules | Please read the paid section rules
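
The lockout behaviour described for the BTHub4 earlier in the thread (lock out after a few attempts, with the lockout time growing on further guesses) and the lock-out policy mentioned in the post above, sketched as an added example. It is not from the thread or from any router's firmware; the class name, thresholds and sample client address are assumptions.

```python
import time

class LoginThrottle:
    """Escalating lockout: after `free_attempts` consecutive failures, each
    further failure doubles the lockout, capped at `max_lockout` seconds."""

    def __init__(self, free_attempts=3, base_lockout=30, max_lockout=3600):
        # All three thresholds are assumed values, not taken from any router.
        self.free_attempts = free_attempts
        self.base_lockout = base_lockout
        self.max_lockout = max_lockout
        self._state = {}  # client id -> (consecutive failures, locked_until)

    def attempt(self, client, check, now=None):
        """Run check() unless `client` is locked out.
        Returns (logged_in, seconds_until_next_allowed_attempt)."""
        now = time.monotonic() if now is None else now
        failures, locked_until = self._state.get(client, (0, 0.0))
        if now < locked_until:
            # Still locked: the password is never evaluated, so guesses sent
            # during a lockout tell the client nothing and are not counted.
            return False, locked_until - now
        if check():
            self._state.pop(client, None)  # success resets the counter
            return True, 0.0
        failures += 1
        lockout = 0.0
        if failures >= self.free_attempts:
            doubled = self.base_lockout * 2 ** (failures - self.free_attempts)
            lockout = float(min(doubled, self.max_lockout))
        self._state[client] = (failures, now + lockout)
        return False, lockout


def evaluated_guesses(throttle, duration, client="192.168.1.64"):
    """Simulate one wrong guess per second for `duration` seconds and return
    the times at which the throttle actually evaluated a guess.
    The client address is a constructed sample value."""
    evaluated = []
    for t in range(duration):
        throttle.attempt(client, lambda: evaluated.append(t) or False, now=float(t))
    return evaluated


if __name__ == "__main__":
    times = evaluated_guesses(LoginThrottle(), 3600)
    print(len(times), "guesses evaluated in one hour:", times)
```

With these assumed thresholds a client sending one guess per second gets only nine guesses evaluated in an hour. Keying the state on the client rather than on the single admin account keeps one noisy host from locking the owner out from another machine.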

Hash-IT
Tue, 03 Mar 2015 @ 22:19:14

Yes it is a HTTP and HTTPS cracker. It can do a lot of others too.

Code:
 Asterisk, AFP, Cisco AAA, Cisco auth, Cisco enable, CVS, Firebird, FTP,
 HTTP-FORM-GET, HTTP-FORM-POST, HTTP-GET, HTTP-HEAD, HTTP-PROXY, HTTPS-FORM-GET,
 HTTPS-FORM-POST, HTTPS-GET, HTTPS-HEAD, HTTP-Proxy, ICQ, IMAP, IRC, LDAP,
 MS-SQL, MYSQL, NCP, NNTP, Oracle Listener, Oracle SID, Oracle, PC-Anywhere,
 PCNFS, POP3, POSTGRES, RDP, Rexec, Rlogin, Rsh, SAP/R3, SIP, SMB, SMTP,
 SMTP Enum, SNMP v1+v2+v3, SOCKS5, SSH (v1 and v2), SSHKEY, Subversion,
 Teamspeak (TS2), Telnet, VMware-Auth, VNC and XMPP.

No idea how many threads it can use, I can't get it to work at all


You haven't got a BT router have you Blandy ?


hacker-zone

Status: Banned
Joined: Wed, 12 Nov 2014
Posts: 90
Team:
Reputation: 90 Reputation
Offline
Tue, 03 Mar 2015 @ 22:22:38

WARNING! User is BANNED and maybe a SCAMMER.

Yes it does use multiple threads you can specify it with the -t command.


BTC: 1JAc5xbxwfUj4Lo2RAtmYPbkXntknsJNwf

Hash-IT
Tue, 03 Mar 2015 @ 22:58:30

I have just tried using the Hydra GUI, it doesn't even have an option to specify ^USER^ or ^PASS^ yet it complains you haven't set these details when you try to run it LOL


Spike188

Status: Trusted
Joined: Mon, 07 Jul 2014
Posts: 613
Team: Biang-Kerox
Reputation: 649 Reputation
Offline
Tue, 03 Mar 2015 @ 23:14:42

Hash-IT said:

I have just tried using the Hydra GUI, it doesn't even have an option to specify ^USER^ or ^PASS^ yet it complains you haven't set these details when you try to run it LOL

Move the mouse over the "http[s]-form{get|post}" text field and you can see how you can specify the ^USER^ and ^PASS^ parameters


My private Bcoin : 1DzoZ2ksiF8RdjDmbWvDpuxtdDAf8WEbUi
If I found hashes in the paysection please donate to the forum do not send it to my privat bcoin.

Hash-IT
Tue, 03 Mar 2015 @ 23:30:45

If you mean just hover over it then it doesn't offer me any options. If you mean right click then all I get is options about unicode.


Spike188
Tue, 03 Mar 2015 @ 23:33:43

No, only hold over the text field, then it shows a tooltip which shows how to set up the right commands

It looks like

login.php:user=^USER^&pass=^PASS^&mid=123:incorrect ....


Hash-IT
Tue, 03 Mar 2015 @ 23:37:27

Not on my version which is the latest one


Spike188
Tue, 03 Mar 2015 @ 23:39:10

I have downloaded version 1.2.0.0 for testing


Hash-IT
Tue, 03 Mar 2015 @ 23:41:02

I can't find a version number on the GUI but it came with Hydra 8.2


Spike188
Tue, 03 Mar 2015 @ 23:43:28

Go to help and see the about

I downloaded this GUI http://www.geogensoft.com/software/11-geogensoft-hydra-gui


Hash-IT
Tue, 03 Mar 2015 @ 23:48:15

This GUI doesn't have a "Help".

I got it from here...

https://github.com/vanhauser-thc/thc-hydra


Hash-IT
Tue, 03 Mar 2015 @ 23:51:39

Ahh I see, I was using the one which came with Hydra.

Your one looks good but they say...

GeoGen Hydra GUI based on hydra 5.4


... 5.4 is pretty old


Spike188
Tue, 03 Mar 2015 @ 23:51:49

lol, you are using Linux, right? My GUI is for Windows

I only loaded this for the GUI.
If I need hydra I use Kali without any GUI


Hash-IT
Tue, 03 Mar 2015 @ 23:52:52

Yes, I am using Kali for this


Spike188
Tue, 03 Mar 2015 @ 23:54:11

I never tried a GUI for Kali, sorry that I can't help


hacker-zone
Tue, 03 Mar 2015 @ 23:57:15


Have you tried using the hydra-gtk that comes with kali?


Hash-IT
Wed, 04 Mar 2015 @ 00:02:51

hacker-zone said:

Have you tried using the hydra-gtk that comes with kali?

Yes I tried that before the update to xHydra. It had a lot less features and still no option to add ^USER^ ^PASS^.

I don't understand why someone hasn't noticed this before ???


Hash-IT
Fri, 06 Mar 2015 @ 23:56:31

Some (small) progress.

Out of frustration with this and to make sure I wasn't doing something completely stupid, I decided to tackle a Netgear router for a while.

I would guess it took me ~15 minutes to get it working and crack my known password. So I am starting to think V2 BT routers are smarter than we first thought and perhaps they have some sort of protection.

What seems to cause me more trouble is the type of password box which pops up and provides little information as to the parameters for the username and password.

I managed to find out the Netgear was "GET" and not http-post-form like the BT one by using Wireshark. However I have to admit it was by pure chance I noticed a "GET".

Where can I find out how to find these parameters more decisively, rather than manually looking through the wireshark screen ?

I can filter http.request.method == "POST" or http.request.method == "GET" which narrows things down.

Is there a smarter way to find the things I need to set up Hydra ? A better filter perhaps ?

The details I need to find, in a more dignified way are...

Login page = this is hard to find on the type that simply make a pop up box.
^USER^ =
^PASS^ =
Success page = If this wasn't my router how would I know the success page ?
Error page = Again the pop up style password authentication boxes do seem to forward you to an error page.


Despite all the questions, I totally 0wn3d my old Netgear, so yay for that !

Thanks.

EDIT

Just a note for others. I noticed that if the router was the pop up style, it works better if you don't ID the login page.

So instead of

/login.lp:password=^PASS^:error.lp

Make it

/:password=^PASS^:error.lp

You need the /

