Hydra is a great tool for brute-forcing. With this tool it is possible to brute-force most websites and protocols.
Protocols supported:
AFP, Cisco AAA, Cisco auth, Cisco enable, CVS, Firebird, FTP, HTTP-FORM-GET, HTTP-FORM-POST, HTTP-GET, HTTP-HEAD, HTTP-PROXY, ICQ, IMAP, IRC, LDAP2, LDAP3, MS-SQL, MYSQL, NCP, NNTP, Oracle, Oracle-Listener, Oracle-SID, PC-Anywhere, PCNFS, POP3, POSTGRES, RDP, REXEC, RLOGIN, RSH, SAP/R3, SIP, SMB, SMTP, SMTP-Enum, SNMP, SOCKS5, SSH(v1 and v2), Subversion, Teamspeak (TS2), Telnet, VMware-Auth, VNC and XMPP.
Can be found here: Hydra (http://www.thc.org/thc-hydra)
I decided to see if it was possible to brute-force the administration login page of my home access point (AP).
Below is what I did.
First I examined the login page.
I viewed the source of the login page to look for clues about what kind of authentication it uses.
Basic, form-based etc. There are a few ways of finding this out.
Using Wireshark to intercept a login session gives a LOT of useful information.
I tried to log in with a password while sniffing the traffic with Wireshark. The password was incorrect (as expected), but from the capture we can see which variables are used for logging in.
Analyzing the sniffer output with "Follow TCP stream" I could see the following:
I was looking for what happens after the Submit button is pressed and what is sent in the HTTP POST. I found the variable pws, indicating that it is used for the password input.
I also found an interesting variable: "dw(wrhtpsswd)". What does this do?
As we can see, the password is base64 encoded when it is sent to the AP.
We can also see that the password length here is 9 characters, and the maximum size is 12 characters.
The next step was further analysis with Mantra to examine the web content.
The DOM tab is an excellent way of analyzing variables and their associations.
This parameter wrhtpsswd sounds familiar. Incorrect password...
For a successful attack with Hydra we need to know the variable that submits the password and the string included with it.
We also need to know the error message sent to us when entering an incorrect password.
From the Wireshark output we could not clearly see the "Incorrect password" message; instead the AP sends dw(wrhtpsswd), which the DOM identified as the "Incorrect Password, Please confirm your password and try again" message.
Awesome, we can now go ahead and start the attack.
hydra parameters:
-l "" # There is no username required
-P PASSWORDS.TXT # Password file (in base64 encoded format)
-t # How many simultaneous tasks
-f # Exit after the first found password
-v / -V # Verbose. Show every password combination
IP-address # you know
http-post-form # Method used
/login.cgi # The login page of the AP
"page=&logout=&action=submit&pws=^PASS^%3D&itsbutton1=Submit&h_language=en" # The string sent, simulating a click on the Submit button; pws is filled from ^PASS^, i.e. each line of PASSWORDS.TXT
wrhtpsswd # The string to look for in the response when an incorrect password is entered
Awesome! Mission accomplished!
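The run above seen from the defending side, as an added example that is not part of the original post: a small Python detector that flags the burst of POSTs to /login.cgi that a Hydra http-post-form run produces. It assumes the target logs requests in Common Log Format (the AP in this post may not log at all), and the log lines below are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample access-log lines (Common Log Format), not taken from the post's AP.
# 192.168.1.77 fires a burst of POSTs at /login.cgi, as a Hydra run would; .50 is a human.
SAMPLE_LOG = """\
192.168.1.50 - - [10/Mar/2013:21:14:01 +0100] "GET /index.html HTTP/1.1" 200 1532
192.168.1.77 - - [10/Mar/2013:21:14:02 +0100] "POST /login.cgi HTTP/1.1" 200 812
192.168.1.50 - - [10/Mar/2013:21:14:03 +0100] "POST /login.cgi HTTP/1.1" 200 812
192.168.1.77 - - [10/Mar/2013:21:14:03 +0100] "POST /login.cgi HTTP/1.1" 200 812
192.168.1.77 - - [10/Mar/2013:21:14:03 +0100] "POST /login.cgi HTTP/1.1" 200 812
192.168.1.77 - - [10/Mar/2013:21:14:04 +0100] "POST /login.cgi HTTP/1.1" 200 812
192.168.1.77 - - [10/Mar/2013:21:14:04 +0100] "POST /login.cgi HTTP/1.1" 200 812
192.168.1.50 - - [10/Mar/2013:21:15:30 +0100] "POST /login.cgi HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" \d{3} (?:\d+|-)$')

def parse_line(line):
    """Return (ip, timestamp, method, path) for a CLF line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path")

def detect_login_bursts(log_text, path="/login.cgi", threshold=5, window_seconds=60):
    """Flag each source IP the first time it has sent `threshold` or more POSTs to `path`
    within a `window_seconds` sliding window. Returns [(ip, time_of_alert, count)]."""
    recent = defaultdict(deque)   # per-IP timestamps of POSTs inside the current window
    alerted, alerts = set(), []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, method, req_path = parsed
        if method != "POST" or req_path != path:
            continue
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:   # drop attempts that aged out
            q.popleft()
        if len(q) >= threshold and ip not in alerted:
            alerted.add(ip)
            alerts.append((ip, ts, len(q)))
    return alerts
```

Hydra's parallel tasks (-t) make the attempts arrive within seconds of each other, so even a low threshold separates them from a person retyping a password.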
Hydra can be very time consuming depending on the size of the wordlist. There are a lot of options you can tweak for the best timing and results. Play with it. Anything is possible; if not, try harder.
A good source of common password lists is SkullSecurity.
http://www.skullsecurity.org/wiki/index.php/Passwords
If you need to create your own custom password list, Crunch is the way to go.
It is an excellent tool, also included in the BackTrack distributions, or you can download it from SourceForge.
http://sourceforge.net/projects/crunch-wordlist/
A good how-to can be found here.
http://adaywithtape.blogspot.se/2011/05/creating-wordlists-with-crunch-v30.html
'Til next time. Bye for now!
/M