June 14, 2009 at 5:34 am #3883
i’m quite a newbie…so sorry if i should make idiot questions 😉
i’m dealing with a D-Link DI-524 (Firmware version V2.04)
The router itself has wireless set on OFF (i access it thru an AccessPoint of the same Lan i’m authenticated on)
i can access the router Administration web page (http://router-ip Login) as “user” and
i could download the settings backup file (which is called “config.bin“)
i’m guessing, not sure btw, this file contains also the admin password to the router….but i can’t read it, maybe encrypted?
so, i thought there could be another way to “retrieve” the admin pwd.
I’ve been reading about tools like Hydra or Medusa…
but i don’t have a clue about how to use them, even where to download the suitable version (i’m using WindowsXp)
I thank you very much for any help/suggestion. 🙂
June 14, 2009 at 8:50 am #24769 Vedder (Participant)
Who has turned off the wireless?
If an admin has turned it off then I am sure that they don’t want it turned back on.
Is this your router?
June 14, 2009 at 6:53 pm #24770
i’m trying to do this security test on the wireless lan of my brother (with his permission, or better he himself has asked me to do that)
can somebody please help me about either reading the “config.bin”
or using Medusa/Hydra on Windows (as i said the router has http web login)?
June 15, 2009 at 1:45 am #24771 Ketchup (Participant)
Hydra and Brutus will attack the password on the web site used to manage the router. Both tools are incredibly easy to use. You simply point them at the website url that requires logon, and specify a type of attack. You can use a dictionary word list, or you can simply brute force the password. Both tools are pretty slow. Just search google for “brutus download” or “hydra download.”
As far as reading the config.bin, the password there is most likely encrypted. You would have to first find the password in the file and then determine the hash algorithm. I am not sure if this is a realistic attack vector. I could be wrong though.
June 15, 2009 at 8:02 am #24772
These passwords are often poorly encoded and fairly easy to bypass if you have some time to spare. I wrote up a couple of examples from a few years back where I cracked simple password encoding schemes. If you can change the user password and look at the password hash you can use this as leverage; this is known as a known plaintext attack.
Silly question, but have you tried the default passwords for this device? admin:password for the win!
June 15, 2009 at 9:04 am #24773
> can somebody please help me […] using Medusa/Hydra on Windows (as i said the router has http web login)?

Don’t want to be rude but when you can’t read manuals and documentations on those tools such a test may be something which is currently above your head as the tools are really easy to handle.
June 15, 2009 at 12:23 pm #24774 unsupported (Participant)
If you are unable to use the tools you are asking about, try the simple approach. Search for the default router password. There are plenty of sites which will show them. If the default password does not work and you have physical access to the device just try resetting it and then use the default password.
June 15, 2009 at 3:30 pm #24775
> If the default password does not work and you have physical access to the device just try resetting it and then use the default password.

Just remember to check your bro has the settings for his broadband provider if this thing is linked to an ADSL line. Otherwise this move might upset family harmony.
June 16, 2009 at 6:29 am #24776
i used Bruter
but after a few attempts (some minutes) it stopped…and the Router went offline the Lan !!???
June 16, 2009 at 6:45 am #24777
As I don’t know your router model in detail maybe you just DoS’ed it? Meaning that you sent so many requests to it that it denied its further service and temporarily shut down.
Some routers will also behave like this when you entered a certain number of wrong credentials which is of course a security feature.
Don’t you have physical access as stated by unsupported?
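The failed-login lockout mentioned in the post above, sketched as an added example (not from the thread and not the DI-524's firmware logic). The class name, the threshold, window and lockout values, and the sample addresses are assumptions; the point it shows is that a per-source lockout rejects one client while still serving the others, which is not what a router dropping off the LAN looks like.

```python
from collections import defaultdict, deque


class LoginThrottle:
    """Per-source failed-login lockout over a sliding time window (hypothetical)."""

    def __init__(self, max_failures=5, window=60.0, lockout=300.0):
        self.max_failures = max_failures      # assumed threshold
        self.window = window                  # seconds in which failures count
        self.lockout = lockout                # seconds a source stays locked
        self._failures = defaultdict(deque)   # source -> failure timestamps
        self._locked_until = {}               # source -> unlock time

    def is_locked(self, source, now):
        until = self._locked_until.get(source)
        if until is None:
            return False
        if now >= until:                      # lockout expired: start clean
            del self._locked_until[source]
            self._failures[source].clear()
            return False
        return True

    def record(self, source, success, now):
        """Return 'locked', 'ok' or 'failed' for one login attempt."""
        if self.is_locked(source, now):
            return "locked"                   # rejected before any password check
        if success:
            self._failures[source].clear()
            return "ok"
        q = self._failures[source]
        q.append(now)
        while q and now - q[0] > self.window:  # drop failures outside the window
            q.popleft()
        if len(q) >= self.max_failures:
            self._locked_until[source] = now + self.lockout
        return "failed"


def replay(events, **settings):
    """Feed (timestamp, source, success) tuples through a fresh throttle."""
    throttle = LoginThrottle(**settings)
    return [throttle.record(src, ok, ts) for ts, src, ok in events]


# Constructed sample: five bad logins from one host, then a correct password
# from the same host, a login from another host, and a retry after the lockout.
SAMPLE = [(t, "192.0.2.10", False) for t in range(5)] + [
    (5, "192.0.2.10", True),
    (6, "192.0.2.20", True),
    (305, "192.0.2.10", True),
]
```
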
June 16, 2009 at 7:33 am #24778
It could be a defense mechanism in case of brute force attack but like awesec says it’s as likely to be an accidental DoS. Embedded router web servers are often very flaky under load; I’ve seen them fail following an nmap scan so the notion that a brute force attack would disable it is plausible.
If you have the config file dumped perhaps you should reset the router to the factory default and reload the file? I think your current approach demonstrates the sledgehammer/walnut interface scenario.
June 16, 2009 at 8:24 am #24779
as i said the router is a D-Link DI-524 (Firmware version V2.04)
the test i’m doing is meant without physical access to it
so, i should decrease the number of simultaneous “connections” with Bruter ? (i set to 5)
or the brute force will cause router’s breakdown all the same ?
(after shutting down, should it reload by itself or not ?)
other ways to retrieve the admin password ?
June 16, 2009 at 8:32 am #24780
I read that but I haven’t any experience with this particular router myself, that was what I meant.
It sounds logical to reduce the number of attempts, but then it will, depending on the password, take you quite a long time to successfully brute the password, if at all. Therefore I would say it will be hard to succeed by going this way.
Other attack possibilities may be exploits available for this router or its firmware (haven’t checked this) if it’s using an old one.
As physical access is no possibility (..) you may try something like phishing, social engineering etc. Also a keylogger or similar on your brother’s PC may help.
But all these are attack possibilities which have not really anything to do with the router itself and may then again not be what you are looking for.
Another way may be to reverse engineer the file format of the config file when you assume that the credentials are stored there.
June 17, 2009 at 1:04 am #24781 former33t (Participant)
I’ll throw in my two cents. I’ve DOS’d more than a fair share of SoHo routers doing “testing” (of the ethical type of course). FWIW, the quickest way to DoS the average SoHo router is to hit the DHCP server a LOT. Most SoHo routers can’t really handle more than one or two DHCP requests at a time. They’ll fail spectacularly (stop switching, routing to Internet, etc) long before they exhaust their IP range.
June 21, 2009 at 12:08 am #24782 mafebresv (Participant)
May you share your config.bin? I would like to take a look at it 🙂