
Brute Force Hacking a router.


6 replies to this topic

#1 N_0_1

N_0_1

    DDP Fan club member

  • Members
  • 41 posts

Posted 30 December 2008 - 09:03 PM

If it is even possible, and if it is, how would I go about it?

#2 Seal

Seal

    Not a fan of clubs.

  • Agents of the Revolution
  • 2,440 posts
  • Gender:Male
  • Location:Canada

Posted 30 December 2008 - 09:15 PM

It can be done, but it will be very slow.

For each attempt, you'll have to send a POST request, wait for the reply, parse the reply, and try again. So if it's not on the top list of default/guessable passwords, you're going to have to be one patient man. Even a modest five password attempts a second isn't going to get you anywhere fast. At that rate, it will take you up to seven years of continuous attempts to crack a very simple five character password. That's assuming no dictionaries are used. If you're inside the network though, it's just easier to press that RESET button on the device itself.

Edited by Seal, 30 December 2008 - 09:21 PM.


#3 chown

chown

    SUPR3M3 31337 Mack Daddy P1MP

  • Moderating Team
  • 493 posts
  • Gender:Male
  • Location:Floating on a sea of hydrogen

Posted 30 December 2008 - 09:21 PM

And it's called brute force cracking. There's no such thing as brute force hacking.

#4 phr34kc0der

phr34kc0der

    SUPR3M3 31337 Mack Daddy P1MP

  • Members
  • 469 posts
  • Gender:Male

Posted 30 December 2008 - 09:42 PM

And only if the router was open to the outside (most aren't).
If it is, it might be better to see if it's running telnet or ssh and brute force that or, even better, try and find an exploit.

#5 tekio

tekio

    5(R1P7 |<1DD13

  • Binrev Financier
  • 1,082 posts
  • Gender:Male
  • Location:The Blue Nowhere

Posted 30 December 2008 - 10:23 PM

To secure routers and other networking devices I usually change the default user as well as the password.

From my experience it is much quicker to attack an SNMP service (assuming the community string correlates to the admin passwd or allows one to d/l the config file with a write community string) vs HTTP form or direct HTTP authentication. UDP allows the attacker to send community strings much faster than HTTP auth which uses TCP. The bottleneck in this type of attack is the network and not the CPU of the attacking system. Though I've not tried it yet a dictionary or brute force attack on a Gigabit network could be quite fast.

Dictionary attacks are far more successful when attempting 100 passwords for a thousand users than attempting a million guesses for one user.

EDIT: ssh attacks would probably be slow because the device has to perform a lot of CPU-intensive functions for authentication.

Edited by tekio, 30 December 2008 - 10:35 PM.


#6 duper

duper

    Dangerous free thinker

  • Members
  • 816 posts
  • Location:NYC

Posted 01 January 2009 - 10:05 PM

tekio wrote:
> From my experience it is much quicker to attack an SNMP service (assuming the community string correlates to the admin passwd or allows one to d/l the config file with a write community string) vs HTTP form or direct HTTP authentication. UDP allows the attacker to send community strings much faster than HTTP auth which uses TCP. The bottleneck in this type of attack is the network and not the CPU of the attacking system. Though I've not tried it yet a dictionary or brute force attack on a Gigabit network could be quite fast.
>
> EDIT: ssh attacks would probably be slow because the device has to perform a lot of CPU-intensive functions for authentication.


If you're really going to go that route make sure you're using a high level of concurrency. Also, when making authentication requests via UDP, one would have to verify that an invalid login response was received from the server and retransmit lost passwords since the UDP protocol is unreliable.

In regard to making authentication attempts over an encrypted protocol during a brute force search, it would be more efficient to use earlier, less complex versions of the protocol and negotiate weak ciphers/modes (i.e. SSLv3+RSA+CBC is going to be slower than SSLv2+RC2+ECB).

#7 tekio

tekio

    5(R1P7 |<1DD13

  • Binrev Financier
  • 1,082 posts
  • Gender:Male
  • Location:The Blue Nowhere

Posted 02 January 2009 - 02:39 AM

tekio wrote:
> From my experience it is much quicker to attack an SNMP service (assuming the community string correlates to the admin passwd or allows one to d/l the config file with a write community string) vs HTTP form or direct HTTP authentication. UDP allows the attacker to send community strings much faster than HTTP auth which uses TCP. The bottleneck in this type of attack is the network and not the CPU of the attacking system. Though I've not tried it yet a dictionary or brute force attack on a Gigabit network could be quite fast.
>
> EDIT: ssh attacks would probably be slow because the device has to perform a lot of CPU-intensive functions for authentication.

duper wrote:
> If you're really going to go that route make sure you're using a high level of concurrency. Also, when making authentication requests via UDP, one would have to verify that an invalid login response was received from the server and retransmit lost passwords since the UDP protocol is unreliable.


I've always sent two SNMP requests, adjusted the timeout according to network latency, and checked for the retrieval of a common SNMP request like 1.3.6.1.2.1.1.1. Of course my tools were rather crude, but got the job done. A good dictionary attack, I've found, is much better than trying to brute force something over a network, especially a host several hops away.
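The traffic pattern tekio and duper describe (many distinct community strings from one source over UDP/161, duplicate sends as retransmits, mostly unanswered until one reply comes back) is easy to spot from the agent's side. The following is an added example, not code from any poster, that flags such sources from per-request records; the record format and sample data are constructed for the example.

```python
"""Flag SNMP community-string guessing from per-request records (defender side).

A legitimate poller reuses one community string and is always answered;
a guesser offers many distinct strings in a short window, mostly without
a reply, and a first reply after a run of silence marks a successful guess.
"""
from collections import defaultdict

# Constructed sample records (not a real capture): time in seconds,
# source IP, community string offered, and whether the agent replied.
SAMPLE_PACKETS = [
    (0.00, "10.0.0.5", "public", True),       # legitimate poller, one string
    (60.0, "10.0.0.5", "public", True),
    (1.00, "203.0.113.9", "public", False),   # guesser: new string each time
    (1.05, "203.0.113.9", "public", False),   # same string twice (UDP retransmit)
    (1.10, "203.0.113.9", "private", False),
    (1.20, "203.0.113.9", "admin", False),
    (1.30, "203.0.113.9", "cisco", False),
    (1.40, "203.0.113.9", "secret", True),    # first reply: string was guessed
]


def analyze(packets, window=10.0, min_distinct=3):
    """Return {source_ip: summary} for sources that offered at least
    min_distinct community strings within `window` seconds of each other."""
    per_source = defaultdict(list)
    for t, src, community, answered in packets:
        per_source[src].append((t, community, answered))
    alerts = {}
    for src, events in per_source.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # slide the window start so the span covers at most `window` seconds
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            distinct = {c for _, c, _ in span}
            if len(distinct) < min_distinct:
                continue
            unanswered = sum(1 for _, _, a in span if not a)
            # the first reply that follows unanswered attempts is the hit
            guessed, seen_failure = None, False
            for _, c, a in span:
                if not a:
                    seen_failure = True
                elif seen_failure:
                    guessed = c
                    break
            prev = alerts.get(src)
            if prev is None or len(distinct) > prev["distinct"]:
                alerts[src] = {"distinct": len(distinct), "attempts": len(span),
                               "unanswered": unanswered, "guessed": guessed}
    return alerts
```

A hit with `guessed` set means the community string should be treated as compromised and rotated; restricting UDP/161 to known pollers or moving to SNMPv3 removes the guessable string altogether.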



