
Brute Force Hacking a router.

7 posts in this topic

It can be done, but it will be very slow.

For each attempt, you'll have to send a POST request, wait for the reply, parse the reply, and try again. So if it's not on the top list of default/guessable passwords, you're going to have to be one patient man. Even a modest five password attempts a second isn't going to get you anywhere fast. At that rate, it will take you up to seven years of continuous attempts to crack a very simple five-character password. That's assuming no dictionaries are used. If you're inside the network though, it's just easier to press that RESET button on the device itself.

Edited by Seal
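The arithmetic behind the "seven years" figure above, as an added example (not code from the thread). It assumes the keyspace is exhausted in the worst case at the post's five guesses per second; the alphabet sizes and the faster rates are assumptions added to show how the estimate moves. For an alphanumeric alphabet the worst case comes out at roughly 5.8 years, in line with the post's ballpark; the rate is the knob a defender controls through lockouts and back-off, and the table shows how much a higher guess rate shrinks the margin.

```python
"""Time-to-exhaust arithmetic for an online password guess (added example).

Assumptions: the password uses exactly `length` characters drawn from one of
the alphabets below, and the attacker sustains `rate` guesses per second.
"""

ALPHABETS = {            # candidate character sets a router password might use
    "digits": 10,
    "lowercase": 26,
    "alphanumeric": 62,
    "printable_ascii": 95,
}
SECONDS_PER_YEAR = 365.25 * 24 * 60 * 60   # 31,557,600


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of passwords of exactly `length` characters."""
    return alphabet_size ** length


def worst_case_seconds(alphabet_size: int, length: int, rate: float) -> float:
    """Seconds needed to try every candidate at `rate` guesses per second."""
    return keyspace(alphabet_size, length) / rate


def worst_case_years(alphabet_size: int, length: int, rate: float) -> float:
    return worst_case_seconds(alphabet_size, length, rate) / SECONDS_PER_YEAR


def expected_years(alphabet_size: int, length: int, rate: float) -> float:
    """On average the right password turns up halfway through the keyspace."""
    return worst_case_years(alphabet_size, length, rate) / 2


def min_length_for(alphabet_size: int, rate: float, years: float) -> int:
    """Smallest password length whose worst-case exhaustion exceeds `years`."""
    length = 1
    while worst_case_years(alphabet_size, length, rate) < years:
        length += 1
    return length


def timing_table(length: int = 5, rates=(5, 50, 5000)) -> dict:
    """Worst-case years per alphabet at each rate. 5/s is the post's HTTP
    estimate; the higher rates stand in for cheaper protocols or no lockout."""
    return {name: {rate: round(worst_case_years(size, length, rate), 3)
                   for rate in rates}
            for name, size in ALPHABETS.items()}


if __name__ == "__main__":
    for name, row in timing_table().items():
        cells = " ".join(f"{r}/s: {y:>12.3f} y" for r, y in row.items())
        print(f"{name:16s} {cells}")
```

The table makes the defensive point concrete: the same five-character alphanumeric password that holds for years at five guesses a second falls in days at five thousand, so limiting the attempt rate is as important as the password itself.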

And it's called brute force cracking. There's no such thing as brute force hacking.


And only if the router was open to the outside (most aren't).

If it is, it might be better to see if it's running telnet or ssh and brute force that or, even better, try and find an exploit.


To secure routers and other networking devices I usually change the default user as well as the password.

From my experience it is much quicker to attack an SNMP service (assuming the community string correlates to the admin passwd or allows one to d/l the config file with a write community string) vs. an HTTP form or direct HTTP authentication. UDP allows the attacker to send community strings much faster than HTTP auth, which uses TCP. The bottleneck in this type of attack is the network and not the CPU of the attacking system. Though I've not tried it yet, a dictionary or brute force attack on a Gigabit network could be quite fast.

Dictionary attacks are far more successful when attempting 100 passwords for a thousand users than attempting a million guesses for one user.

EDIT: ssh attacks would probably be slow because the device has to perform a lot of CPU-intensive functions for authentication.

Edited by tekio
From my experience it is much quicker to attack an SNMP service (assuming the community string correlates to the admin passwd or allows one to d/l the config file with a write community string) vs. an HTTP form or direct HTTP authentication. UDP allows the attacker to send community strings much faster than HTTP auth, which uses TCP. The bottleneck in this type of attack is the network and not the CPU of the attacking system. Though I've not tried it yet, a dictionary or brute force attack on a Gigabit network could be quite fast.

EDIT: ssh attacks would probably be slow because the device has to perform a lot of CPU-intensive functions for authentication.

If you're really going to go that route make sure you're using a high level of concurrency. Also, when making authentication requests via UDP, one would have to verify that an invalid login response was received from the server and retransmit lost passwords since the UDP protocol is unreliable.

In regard to making authentication attempts over an encrypted protocol during a brute force search, it would be more efficient to use earlier, less complex versions of the protocol and negotiate weak ciphers/modes (i.e. SSLv3+RSA+CBC is going to be slower than SSLv2+RC2+ECB).

From my experience it is much quicker to attack an SNMP service (assuming the community string correlates to the admin passwd or allows one to d/l the config file with a write community string) vs. an HTTP form or direct HTTP authentication. UDP allows the attacker to send community strings much faster than HTTP auth, which uses TCP. The bottleneck in this type of attack is the network and not the CPU of the attacking system. Though I've not tried it yet, a dictionary or brute force attack on a Gigabit network could be quite fast.

EDIT: ssh attacks would probably be slow because the device has to perform a lot of CPU-intensive functions for authentication.

If you're really going to go that route make sure you're using a high level of concurrency. Also, when making authentication requests via UDP, one would have to verify that an invalid login response was received from the server and retransmit lost passwords since the UDP protocol is unreliable.

I've always sent two SNMP requests, adjusted the timeout according to network latency, and checked for the retrieval of a common SNMP request like 1.3.6.1.2.1.1.1. Of course my tools were rather crude, but got the job done. A good dictionary attack, I've found, is much better than trying to bruteforce something over a network, especially a host several hops away.

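The SNMP exchange the last three posts revolve around, shown from the defender's side as an added example (not the poster's tools and not code from the thread): a minimal SNMPv1 GetRequest encoder/decoder for the sysDescr OID mentioned above, plus a detector that flags a source cycling through many community strings or using a vendor default. The encoding follows the SNMPv1 BER layout from RFC 1157; the sample datagrams, source addresses, guess list and the threshold of three distinct strings are constructed assumptions, and nothing is sent on a network. Because the community string travels in cleartext over UDP, exactly the property that makes guessing cheap, a monitor at the network edge can see every guess and count them.

```python
"""SNMPv1 GetRequest codec plus a community-string-guessing detector.

Added example, not the thread's code. Packets are built and decoded locally
(RFC 1157 BER); nothing is transmitted. Thresholds and samples are assumptions.
"""
from collections import defaultdict

TAG_INTEGER, TAG_OCTET_STRING, TAG_NULL, TAG_OID = 0x02, 0x04, 0x05, 0x06
TAG_SEQUENCE, TAG_GET_REQUEST = 0x30, 0xA0
SYS_DESCR_0 = "1.3.6.1.2.1.1.1.0"             # sysDescr.0, the OID the post polls
DEFAULT_COMMUNITIES = {"public", "private"}   # vendor defaults worth alerting on


def ber_tlv(tag: int, body: bytes) -> bytes:
    """Tag + length (short or long form) + body."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def ber_int(value: int) -> bytes:
    """Non-negative INTEGER; (bit_length + 8) // 8 keeps a leading zero byte
    whenever the top bit is set, so the value is not read back as negative."""
    return ber_tlv(TAG_INTEGER, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def ber_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return ber_tlv(TAG_OID, bytes(out))


def encode_get_request(community: str, oid: str, request_id: int) -> bytes:
    varbind = ber_tlv(TAG_SEQUENCE, ber_oid(oid) + ber_tlv(TAG_NULL, b""))
    pdu = ber_tlv(TAG_GET_REQUEST, ber_int(request_id) + ber_int(0) + ber_int(0)
                  + ber_tlv(TAG_SEQUENCE, varbind))
    return ber_tlv(TAG_SEQUENCE, ber_int(0)            # version-1 is encoded as 0
                   + ber_tlv(TAG_OCTET_STRING, community.encode()) + pdu)


def read_tlv(buf: bytes, pos: int):
    """Return (tag, body, offset just past this element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body: bytes) -> str:
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def decode_get_request(packet: bytes) -> dict:
    """Pull version, community and requested OIDs out of an SNMPv1 datagram."""
    tag, msg, _ = read_tlv(packet, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("not an SNMP message")
    _, version, pos = read_tlv(msg, 0)
    _, community, pos = read_tlv(msg, pos)
    pdu_tag, pdu, _ = read_tlv(msg, pos)
    _, req_id, pos = read_tlv(pdu, 0)
    _, _, pos = read_tlv(pdu, pos)            # error-status, not needed here
    _, _, pos = read_tlv(pdu, pos)            # error-index, not needed here
    _, varbinds, _ = read_tlv(pdu, pos)
    oids, pos = [], 0
    while pos < len(varbinds):
        _, vb, pos = read_tlv(varbinds, pos)
        _, oid_body, _ = read_tlv(vb, 0)
        oids.append(decode_oid(oid_body))
    return {"version": int.from_bytes(version, "big"),
            "community": community.decode("latin-1"),
            "is_get": pdu_tag == TAG_GET_REQUEST,
            "request_id": int.from_bytes(req_id, "big"), "oids": oids}


def analyse_datagrams(datagrams, guess_threshold: int = 3) -> dict:
    """datagrams: iterable of (source_ip, raw packet). Flags a source that
    cycles through many community strings (guessing) or uses a vendor default."""
    communities, findings = defaultdict(set), defaultdict(set)
    for src, pkt in datagrams:
        msg = decode_get_request(pkt)
        communities[src].add(msg["community"])
        if msg["community"] in DEFAULT_COMMUNITIES:
            findings[src].add(f"default community {msg['community']!r} on the wire")
    for src, seen in communities.items():
        if len(seen) >= guess_threshold:
            findings[src].add(f"{len(seen)} distinct community strings: guessing")
    return {src: sorted(reasons) for src, reasons in findings.items()}


# Constructed sample: one source trying five strings, one legitimate poller.
SAMPLE = [("10.0.0.5", encode_get_request(c, SYS_DESCR_0, i))
          for i, c in enumerate(["public", "private", "admin", "manager", "secret"])]
SAMPLE.append(("10.0.0.9", encode_get_request("public", SYS_DESCR_0, 99)))

if __name__ == "__main__":
    print(decode_get_request(SAMPLE[0][1]))
    for src, reasons in analyse_datagrams(SAMPLE).items():
        print(src, reasons)
```

The detector keys on distinct community strings per source rather than on request volume, because a legitimate poller sends many requests with one string while a guesser sends one request per string; on a real sensor the per-source sets would be kept in a sliding window, and SNMPv1/v2c would be replaced by SNMPv3 authentication or disabled on any interface reachable from outside.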
