Bruteforcing router login tips (D-link DIR-655)
- XaneXXXX
- Special
- Posts: 113
- Joined: Sun May 08, 2011 11:19 pm
- Custom: My Trainers: https://sethioz.com/market/index.php?ro ... eller_id=4
- Location: Dark Zone
Bruteforcing router login tips (D-link DIR-655)
As you can see in the picture, the login form is not the usual one that most routers have; from what i know most of them have the normal "popup" login form. I have tried using THC-Hydra on this, which i normally use when i'm bruteforcing, but Hydra can't do this since the username thing is kind of weird. Or maybe it can, only i don't know how?
When i click the User name tab i can choose between Admin and User, if i select User i can login with a blank password, but i can't change a thing in the settings since i need the Admin account for that.
I also tried using Burpsuite to capture the login data so that i can do a normal http-post bruteforce, but that didn't work either since the router page redirects TWO times before getting to the login page and Hydra can only work with one redirect.
Has anyone encountered this kind of login before?
The login form is also "/login.asp" in the end, not login.php like many others. I don't know anything about .asp lol
Cheers! :)
- Sethioz
- Admin
- Posts: 4764
- Joined: Fri Jul 27, 2007 5:11 pm
- Custom: Gaming YT > https://youtube.com/SethiozEntertainment
Game Hacking YT > https://youtube.com/sethioz
Game Hacks Store > https://sethioz.com/shopz - Location: unknown
- Contact:
Re: Bruteforcing router login tips (D-link DIR-655)
Brutus? i never got it to work, but i did a messy manual bruteforce on some sites.
I put together a wordlist and used commview to monitor the responses. Of course i had a controlled environment of the page too, so i knew what is the response for "wrong pass" and "right pass".
So i set commview to monitor and STOP recording packets when "right pass" packet was received. so basically i just spammed it with tons of passwords and commview stopped it right after right pass, then i had to go thru last 3-10 passwords manually, cuz i set it to send like 100 per second.
as i said, messy method, but worked. so you need to get a hold of router you know the pass for.
I'm not a programmer, so hard for me to write a custom program, but in terms it's easy to write a simple tool to "check" passwords.
- XaneXXXX
Re: Bruteforcing router login tips (D-link DIR-655)
Thanks for your answer, i will check it out! :)
- Sethioz
Re: Bruteforcing router login tips (D-link DIR-655)
i just have to ask, did you try defaults? such as admin:admin or "admin:password" ..etc and googled it too?
I cracked 1 network that uses d-link, it was admin:admin
some are case sensitive and use like Administrator:admin or Administrator:administrator ..etc
there are only very few routers that use some random combination as password and they write it on back of the router, rest use some defaults and people very rarely change the logins.
- XaneXXXX
Re: Bruteforcing router login tips (D-link DIR-655)
Yes of course. That was the first thing i tried. I googled for the default passwords for that router including just a blank password. none of them worked. I'm not 100% sure that i tried it with uppercase. Will test right now and get back to you.
Update: Didn't work :(
- XaneXXXX
Re: Bruteforcing router login tips (D-link DIR-655)
I found this: http://securityadvisories.dlink.com/sec ... e=SAP10048
But i can't really understand how i can use this, not good with site exploits. Any ideas? :)
The firmware version for the router is 2.0.0, and the exploit was found on a later firmware. So it should work on this too.
- Sethioz
Re: Bruteforcing router login tips (D-link DIR-655)
I think that admin password exploit has been patched long ago, if not, then he talks about IP hijacking.
like in some area there was a wifi hotspot (paid ofc) and i hijacked somebody's MAC and changed mine and i was able to use his paid internet. MAC works exactly like IP.
IP is assigned based on MAC (in local area network) or maybe based on PC name. So if both machines have same MAC and IP, then router is not able to tell the difference between the machines. so if 1 user is logged in as admin and you hijack the IP and/or MAC, then router is not able to tell the difference and thinks that it's same machine.
imagine if you'd have 2 cloned SIM cards, they would both act as one. or if you have 2 mice on PC, they act as same.
but going direct to pages, not sure how that works, i think it all relies on having 1 user logged in as admin, so it's almost a no go, since i doubt anyone would sit there on admin page. anyone who uses admin page configures the router manually and there's no way you would have gotten the wifi pass in the first place, so i guess it's out of question.
unless you "ask" for it nicely :) have some fake page, lock him out of wifi and force him to log into admin and monitor at same time.
usually such fake pages work fine, cuz ppl are retarded and have no idea that they got screwed :)
- XaneXXXX
Re: Bruteforcing router login tips (D-link DIR-655)
Yeah i was thinking of using that as a last resort, just cloning the page and force him to it with arp spoof or something similar :)
- Sethioz
Re: Bruteforcing router login tips (D-link DIR-655)
i need to ask someone to write a custom tool to bruteforce any type of HTML page. brutus is similar, but it's like 2000 or older and it's rather useless. i never got it to work.
some simple tool that would do "do THIS" and "STOP if you find THIS". then you can leave it to guess passwords and it auto stops when password is found.
- XaneXXXX
Re: Bruteforcing router login tips (D-link DIR-655)
hmm yeah, there is a tool called "Sentry". I have it if you want it. 1.4 is the latest version. It's a great program. But it's too advanced for me.
The program can handle redirects, bypass most of the cookies (it auto-updates session cookies etc). It can also bypass SOME captchas.
But if you can understand and learn the tool, it can bruteforce almost any website.
- Sethioz
Re: Bruteforcing router login tips (D-link DIR-655)
if it's freeware, then post it here. if not, put into private section and make sure you encrypt the .rar + files, then include pass in there.
- XaneXXXX
Re: Bruteforcing router login tips (D-link DIR-655)
Yeah it's a freeware, uploading latest version 1.4.1.
If you try the program please tell me if you understand it/have any use for it. Would love to learn some more about it, not that many tutorials about the advanced stuff.
- Sethioz
Re: Bruteforcing router login tips (D-link DIR-655)
Is that ... written by a girl? or what's with all those pink anime thingies that girls love?
anyway it doesn't look so complex, but can't bother testing it atm. I might just install some test site to take a whack at, disable the flood protection and lock outs just to see how it works.