Brute Force Hacking a router.
#1
Posted 30 December 2008 - 09:03 PM
#2
Posted 30 December 2008 - 09:15 PM
For each attempt, you'll have to send a POST request, wait for the reply, parse the reply, and try again. So if it's not on the top list of default/guessable passwords, you're going to have to be one patient man. Even a modest five password attempts a second isn't going to get you anywhere fast. At that rate, it will take you up to seven years of continuous attempts to crack a very simple five character password. That's assuming no dictionaries are used. If you're inside the network though, it's just easier to press that RESET button on the device itself.
Edited by Seal, 30 December 2008 - 09:21 PM.
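Post #2's arithmetic assumes the device keeps answering at a steady five attempts a second. On the defending side, a per-source lockout with exponential backoff is what turns that steady rate into almost nothing. The example below is added here and is not code from the thread or from any router vendor; it assumes a hypothetical `LoginGuard` sitting in front of the router's login handler, a constructed admin password, and integer-millisecond timestamps so the simulated clock stays exact.

```python
from dataclasses import dataclass


@dataclass
class SourceState:
    """Per-source counters kept by the login guard."""
    failures: int = 0       # consecutive failures since the last lock or success
    locked_until: int = 0   # ms timestamp before which attempts are refused
    lockouts: int = 0       # how many locks have been imposed so far


class LoginGuard:
    """Refuses login attempts from a source while it is locked out and doubles
    the lockout each time the failure threshold is reached again."""

    def __init__(self, threshold=5, base_lock_ms=30_000, max_lock_ms=3_600_000):
        self.threshold = threshold
        self.base_lock_ms = base_lock_ms
        self.max_lock_ms = max_lock_ms
        self._state = {}

    def attempt(self, source, password, now_ms, check):
        st = self._state.setdefault(source, SourceState())
        if now_ms < st.locked_until:
            return "locked"          # refused before the password is even examined
        if check(password):
            st.failures = 0
            st.lockouts = 0
            return "ok"
        st.failures += 1
        if st.failures >= self.threshold:
            lock = min(self.base_lock_ms * 2 ** st.lockouts, self.max_lock_ms)
            st.locked_until = now_ms + lock
            st.lockouts += 1
            st.failures = 0
        return "fail"


def simulate(guard, rate_per_sec=5, duration_s=3600, source="203.0.113.9"):
    """Replay a scripted guesser at `rate_per_sec` for `duration_s` seconds
    against `guard` (or against no guard when it is None) and report how many
    guesses actually reached the password check."""
    checks = 0

    def check(pw):
        nonlocal checks
        checks += 1
        # Constructed admin password; the scripted guesser never hits it.
        return pw == "correct horse battery staple"

    step_ms = 1000 // rate_per_sec
    total = rate_per_sec * duration_s
    for i in range(total):
        guess = f"guess{i}"
        if guard is None:
            check(guess)
        else:
            guard.attempt(source, guess, i * step_ms, check)
    return {"attempts": total, "checked": checks, "refused": total - checks}


if __name__ == "__main__":
    print("no guard :", simulate(None))
    print("with guard:", simulate(LoginGuard()))
```

With the defaults (five failures, 30 s first lock, doubling up to an hour) only 35 of the 18,000 guesses sent in an hour ever reach the password check; the rest are refused while the source is locked. Because the state is keyed by source address, a legitimate administrator on another address is not affected, which is the trade-off that makes backoff preferable to a global lockout.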
#3
Posted 30 December 2008 - 09:21 PM
#4
Posted 30 December 2008 - 09:42 PM
If it is, it might be better to see if it's running telnet or ssh and brute force that or, even better, try and find an exploit.
#5
Posted 30 December 2008 - 10:23 PM
From my experience it is much quicker to attack an SNMP service (assuming the community string correlates to the admin passwd or allows one to d/l the config file with a write community string) vs HTTP form or direct HTTP authentication. UDP allows the attacker to send community strings much faster than HTTP auth which uses TCP. The bottleneck in this type of attack is the network and not the CPU of the attacking system. Though I've not tried it yet, a dictionary or brute force attack on a Gigabit network could be quite fast.
Dictionary attacks are far more successful when attempting 100 passwords for a thousand users than attempting a million guesses for one user.
EDIT: ssh attacks would probably be slow because the device has to perform a lot of CPU-intensive functions for authentication.
Edited by tekio, 30 December 2008 - 10:35 PM.
#6
Posted 01 January 2009 - 10:05 PM
From my experience it is much quicker to attack an SNMP service (assuming the community string correlates to the admin passwd or allows one to d/l the config file with a write community string) vs HTTP form or direct HTTP authentication. UDP allows the attacker to send community strings much faster than HTTP auth which uses TCP. The bottleneck in this type of attack is the network and not the CPU of the attacking system. Though I've not tried it yet, a dictionary or brute force attack on a Gigabit network could be quite fast.
EDIT: ssh attacks would probably be slow because the device has to perform a lot of CPU-intensive functions for authentication.
If you're really going to go that route, make sure you're using a high level of concurrency. Also, when making authentication requests via UDP, one would have to verify that an invalid login response was received from the server and retransmit lost passwords since the UDP protocol is unreliable.
In regard to making authentication attempts over an encrypted protocol during a brute force search, it would be more efficient to use earlier, less complex versions of the protocol and negotiate weak ciphers/modes (i.e. SSLv3+RSA+CBC is going to be slower than SSLv2+RC2+ECB).
#7
Posted 02 January 2009 - 02:39 AM
From my experience it is much quicker to attack an SNMP service (assuming the community string correlates to the admin passwd or allows one to d/l the config file with a write community string) vs HTTP form or direct HTTP authentication. UDP allows the attacker to send community strings much faster than HTTP auth which uses TCP. The bottleneck in this type of attack is the network and not the CPU of the attacking system. Though I've not tried it yet, a dictionary or brute force attack on a Gigabit network could be quite fast.
EDIT: ssh attacks would probably be slow because the device has to perform a lot of CPU-intensive functions for authentication.
If you're really going to go that route, make sure you're using a high level of concurrency. Also, when making authentication requests via UDP, one would have to verify that an invalid login response was received from the server and retransmit lost passwords since the UDP protocol is unreliable.
I've always sent two SNMP requests, adjusted the timeout according to network latency, and checked for the retrieval of a common snmp request like 1.3.6.1.2.1.1.1. Of course my tools were rather crude, but got the job done. A good dictionary attack, I've found, is much better than trying to brute force something over a network, especially a host several hops away.
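Posts #5 and #7 describe the two traffic patterns a defender should expect to see in a router's logs: a burst of HTTP login failures from one address, and a burst of SNMP requests with wrong community strings from the same address. The detector below is an added example, not code from the thread; it assumes a hypothetical key=value syslog-style authentication log (the sample lines are constructed) and flags any source that fails a given protocol's authentication five times within 60 seconds, or that succeeds right after such a burst.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines; the "auth-fail"/"auth-ok" key=value format is an
# assumption about how the router reports authentication events.
SAMPLE_LOG = """\
2009-01-02T02:39:00 rtr1 auth-fail proto=http src=10.0.0.5 user=admin
2009-01-02T02:39:01 rtr1 auth-fail proto=http src=10.0.0.5 user=admin
2009-01-02T02:39:01 rtr1 auth-fail proto=http src=10.0.0.5 user=admin
2009-01-02T02:39:02 rtr1 auth-fail proto=http src=10.0.0.5 user=admin
2009-01-02T02:39:02 rtr1 auth-fail proto=http src=10.0.0.5 user=admin
2009-01-02T02:39:05 rtr1 auth-fail proto=snmp src=10.0.0.5 community=public
2009-01-02T02:39:05 rtr1 auth-fail proto=snmp src=10.0.0.5 community=private
2009-01-02T02:39:05 rtr1 auth-fail proto=snmp src=10.0.0.5 community=admin
2009-01-02T02:39:30 rtr1 auth-fail proto=http src=192.168.1.20 user=admin
2009-01-02T02:41:30 rtr1 auth-ok proto=http src=192.168.1.20 user=admin
2009-01-02T02:45:00 rtr1 auth-fail proto=snmp src=10.0.0.5 community=cisco
2009-01-02T02:45:00 rtr1 auth-fail proto=snmp src=10.0.0.5 community=router
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>auth-fail|auth-ok) "
    r"proto=(?P<proto>\S+) src=(?P<src>\S+)"
)


def parse_line(line):
    """Return the fields of one log line, or None if it is not an auth event."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def detect(lines, threshold=5, window_s=60):
    """Sliding-window failure counter keyed by (source, protocol).

    Emits one alert when a source first reaches `threshold` failures for a
    protocol inside `window_s` seconds, and another if that source then logs
    in successfully while the burst is still inside the window. Lines are
    assumed to arrive in time order."""
    window = timedelta(seconds=window_s)
    failures = defaultdict(deque)   # (src, proto) -> timestamps of recent failures
    alerted = set()                 # keys already reported for the current burst
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        key = (ev["src"], ev["proto"])
        q = failures[key]
        # Expire failures that fell out of the window before counting.
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if len(q) < threshold:
            alerted.discard(key)    # burst has cooled off; allow a fresh alert
        if ev["event"] == "auth-fail":
            q.append(ev["ts"])
            if len(q) >= threshold and key not in alerted:
                alerted.add(key)
                alerts.append({"rule": "failure burst", "src": ev["src"],
                               "proto": ev["proto"], "count": len(q),
                               "first": q[0].isoformat(),
                               "last": ev["ts"].isoformat()})
        else:
            if len(q) >= threshold:
                alerts.append({"rule": "success after failure burst",
                               "src": ev["src"], "proto": ev["proto"],
                               "count": len(q), "first": q[0].isoformat(),
                               "last": ev["ts"].isoformat()})
            q.clear()
            alerted.discard(key)
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the sample, only the HTTP burst from 10.0.0.5 crosses the threshold; the three SNMP community guesses at 02:39:05 and the two at 02:45:00 are more than 60 seconds apart and never accumulate, which is why the window size is the knob to tune against a slow, spread-out guesser. Keying on (source, protocol) rather than on source alone keeps an HTTP and an SNMP burst from the same address as two separate signals, which is usually what the responder wants to see.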