hydra help

    • #4761
      LT72884
      Participant

      Ok so here is what i have done. my home network is on the 192.168.2.0/24 network and i have BT2 bridged via virtual box. i perform this command:

      nmap -sV -P0 192.168.2.0-255

      finds all my interesting stuff along with banner grabbing. So i notice it finds my router and tells me the exact type and what not. Very cool. So i point firefox to the IP provided and it asks for user name and pass. For lab purposes i set user name to admin and a simple password (7 digit number. this might be the problem). I make sure that hydra is set to verbose and that it's pointing to the wordlist.txt. i set protocol to http-get and set username to admin pointing to target ip of 192.168.2.1. after 15 minutes of waiting this is what appears on my output. even though i grabbed it at 19,441 or so. it was still going at 50,000+ tries.

      19487: Can not connect [timeout], process exiting
      Process 19424: Can not connect [timeout], process exiting
      Process 19425: Can not connect [timeout], process exiting
      Process 19426: Can not connect [timeout], process exiting
      Process 19427: Can not connect [timeout], process exiting
      Process 19428: Can not connect [timeout], process exiting
      Process 19429: Can not connect [timeout], process exiting
      Process 19430: Can not connect [timeout], process exiting
      Process 19431: Can not connect [timeout], process exiting
      Process 19432: Can not connect [timeout], process exiting
      Process 19433: Can not connect [timeout], process exiting
      Process 19439: Can not connect [timeout], process exiting
      Process 19440: Can not connect [timeout], process exiting
      Process 19441: Can not connect [timeout], process exiting

      It never found my password but it sure knocked my internet connection around.

      What could be the issue?

      thanx for all your time, effort and input you have given me so far here. I know i ask a lot but i hope i can find something to give in return.

      Matt

    • #29812
      KamiCrazy
      Participant

      here is a snippet of the code


      // alarming functions

      void alarming() {
          fail++;
          alarm_went_off++;
      // uh, I think it's not good for performance if we try to reconnect to a timeout system!
      //    if (fail > MAX_CONNECT_RETRY) {
              fprintf(stderr, "Process %d: Can not connect [timeout], process exiting\n", (int)getpid());
              if (debug) printf("DEBUG_CONNECT_TIMEOUT\n");
              hydra_child_exit();
      //    } else {
      // if (verbose) fprintf(stderr, "Process %d: Can not connect [timeout], retrying (%d of %d retries)\n", (int)getpid(), fail, MAX_CONNECT_RETRY);
      //    }
      }

      It means that basically hydra is unable to open a connection to whatever you are telling it to connect. You should verify that http-get is the correct authentication method you should use.

    • #29813
      j0rDy
      Participant

      did you set the parameters right? hydra can close the connection before he gets the result, so try to adjust the number of connections and the time it waits for response.

      here’s some research material:

      http://www.enterprisenetworkingplanet.com/netsecur/article.php/3745276

      i quote:
      The Tuning tab is used for selecting the number of login attempts that are submitted simultaneously, and this number can be quite critical. Too high and the chances of being detected or locked out of the system are much higher, but too low and it could take days to work through your password list.

    • #29814
      KamiCrazy
      Participant

      After reviewing your question again, I would also look into whether you are attacking the right web page for your router.

    • #29815
      zeroflaw
      Participant

      Yea be sure to use the right parameters. Especially pay attention to the -t -w and -f parameters. You usually want to use -f to make hydra stop when it gets the password right. If you don’t do this I believe it will just keep running and try other passwords.

      Though, it seems you’re attacking something that doesn’t accept connections.

    • #29816
      LT72884
      Participant

      @zeroflaw wrote:

      Yea be sure to use the right parameters. Especially pay attention to the -t -w and -f parameters. You usually want to use -f to make hydra stop when it gets the password right. If you don’t do this I believe it will just keep running and try other passwords.

      Though, it seems you’re attacking something that doesn’t accept connections.

      i used xhydra from the cli. I followed a video tutorial from the purehate blog(google search) and followed it to a T. I even have the same router as he uses in the video. WRT54G non flashed. Just the normal firmware.

      thanx for the input.

    • #29817
      zeroflaw
      Participant

      XHydra? Is that the GUI version? Well anyway, it seems you need to be really careful with the number of tasks you let hydra perform. After some googling and actually trying hydra myself on the de-ice disks, I’ve found that 8 tasks works best.

      Hope this helps.

      I prefer to use the command line versions for some reason, lol.

    • #29818
      LT72884
      Participant

      @zeroflaw wrote:

      XHydra? Is that the GUI version? Well anyway, it seems you need to be really careful with the number of tasks you let hydra perform. After some googling and actually trying hydra myself on the de-ice disks, I’ve found that 8 tasks works best.

      Hope this helps.

      I prefer to use the command line versions for some reason, lol.

      Yes xhydra is the gui.

      http://blip.tv/scripts/flash/showplayer.swf?enablejs=true&feedurl=http://purehate138.blip.tv/rss&file=http://blip.tv/rss/flash/527781&showplayerpath=http://blip.tv/scripts/flash/showplayer.swf

      is the video and it says 68 tasks, i think. I guess i need a good hydra tutorial. I better start googling. haha that sounds funny.

      thanx

    • #29819
      KamiCrazy
      Participant

      pure_hate has said that he only used 68 to speed things up in the vid, he posted in a thread 2 years ago on remote-exploits.org forum that you should use something more sensible.

    • #29820
      LT72884
      Participant

      @KamiCrazy wrote:

      pure_hate has said that he only used 68 to speed things up in the vid, he posted in a thread 2 years ago on remote-exploits.org forum that you should use something more sensible.

      LOL, my bad. I just need to read up on hydra. haha thanx

    • #29821
      j0rDy
      Participant

      wow, i’m a little surprised i got the (first) right answer, hehe. anyway glad its solved!

    • #29822
      LT72884
      Participant

      @j0rDy wrote:

      wow, i’m a little surprised i got the (first) right answer, hehe. anyway glad its solved!

      Hmm, i tried messing around with the parameters and took it down to 8 and below for tasks. Still same error. Maybe my router is the issue. I know it does weird things at times. haha. ill keep trying and when i get it to work, ill post my findings.

      thanx for the input

    • #29823
      hayabusa
      Participant

      I’d throw a packet trace on the wire (wireshark,) and see if A.) the packets are getting to the router, and B.) if the router ever appears to respond.  That should tell you if the router is doing ANYTHING in response.  If it is, and hydra just doesn’t like it, then it’s a timeout or something on the application side.  If it’s NOT, then you need to see if the router even tries to accept connection attempts, and go from there.

      Based on your saying it sure knocks your connection around, it sounds like the packets are definitely hitting it, so it’s more than likely you’re either hitting the wrong page on the router, or your router isn’t configured for http versus https or something, and you’re misconfigured, somewhere, either at the router or in hydra…

      Very basic overview, but you should be able to get the idea…

    • #29824
      LT72884
      Participant

      @hayabusa wrote:

      I’d throw a packet trace on the wire (wireshark,) and see if A.) the packets are getting to the router, and B.) if the router ever appears to respond.  That should tell you if the router is doing ANYTHING in response.  If it is, and hydra just doesn’t like it, then it’s a timeout or something on the application side.  If it’s NOT, then you need to see if the router even tries to accept connection attempts, and go from there.

      Based on your saying it sure knocks your connection around, it sounds like the packets are definitely hitting it, so it’s more than likely you’re either hitting the wrong page on the router, or your router isn’t configured for http versus https or something, and you’re misconfigured, somewhere, either at the router or in hydra…

      Very basic overview, but you should be able to get the idea…

      Hmm, i know the router is set to http because i tried https and it hated that. Im gonna have to try wireshark and see what happens. Never thought of that actually. See i do learn something new everyday..

      Im thinking that my router might be messed up because when i first bought it it had a very hard time doing normal things such as saving settings.. Gonna try against smoothwall and see what happens.

    • #29825
      j0rDy
      Participant

      you can also try adding another computer to the router through the broadcast port and sniff all packages with wireshark. actually the same option as hayabusa offered, but then you sniff the complete network to check for abnormality.

    • #29826
      hayabusa
      Participant

      @j0rDy wrote:

      you can also try adding another computer to the router through the broadcast port and sniff all packages with wireshark. actually the same option as hayabusa offered, but then you sniff the complete network to check for abnormality.

      Or if you WANT to see what other machines / devices are doing, you can use ettercap to sniff the switched network ports…  many an option to be had.  Again, though my reason was simply to determine, for certain, which end is failing in your testing – the application, or the remote device / service.  I’m doubtful it has anything to do with anything on the other ports, but that’s only based on my knowledge of hydra, and the unreachable errors you were getting…

      Cheers!

    • #29827
      LT72884
      Participant

      @j0rDy wrote:

      you can also try adding another computer to the router through the broadcast port and sniff all packages with wireshark. actually the same option as hayabusa offered, but then you sniff the complete network to check for abnormality.

      yup, i have 2 PC’s on the network. My parents and mine, oh and the dang printer too.. Gonna try this tonight and see what i find.

      thanx for the input.

    • #29828
      LT72884
      Participant

      i ran wireshark and pinged my router. Traffic seems normal. Did an nmap scan and that worked. But as soon as i tried hydra, same issue. Wireshark's output says TCP GET HTTP 404 NOT FOUND src80 dst4392. that was the reply from the router. Also noticed a GET HTTP foo/bar/protected.html from BT4 to router..Other than that, the packets seem to be normal.. My network set up is host only and NAT for outside communication.. Shouldnt matter though..

      hydra is set up for 8 tasks with a timeout of 30. using http-get as protocol with the password list of darkcode.lst and no proxy set up. however i just realized i have K9 installed on my machine…

      thanx

    • #29829
      hayabusa
      Participant

      So, if the router is giving you the 404, then you’re not even reaching whatever HTTP page hydra is going to.  So either it’s passing a bad URL, or something’s still not configured right.  Thus your failure to connect.

    • #29830
      j0rDy
      Participant

      @LT72884 wrote:

      @j0rDy wrote:

      you can also try adding another computer to the router through the broadcast port and sniff all packages with wireshark. actually the same option as hayabusa offered, but then you sniff the complete network to check for abnormality.

      yup, i have 2 PC’s on the network. My parents and mine, oh and the dang printer too.. Gonna try this tonight and see what i find.

      thanx for the input.

      disconnect the printer, you know, just to be sure  😉 😀

    • #29831
      KamiCrazy
      Participant

      @LT72884 wrote:

      Also noticed a GET HTTP foo/bar/protected.html from BT4 to router..

      I believe this is your problem. foo/bar/protected?

    • #29832
      hayabusa
      Participant

      Doh!!!  Sssshhhhhhh… I was going to see if he was going to check that for himself.  I was ‘trying’ to point him in the proper direction, without totally pointing to it.  😛

    • #29833
      LT72884
      Participant

      @hayabusa wrote:

      Doh!!!  Sssshhhhhhh… I was going to see if he was going to check that for himself.  I was ‘trying’ to point him in the proper direction, without totally pointing to it.   😛

      LOLOL. my next question was going to be this: "what the heck is this foo/bar stuff all about?" but i didnt have time to add that to my post last night.. hahaha. I have no idea what that is at all. All i know is that its from BT and for some reason hydra is using that .html file for something. maybe… what that something is. I have no idea yet. So if my thinking is correct, hydra is using the foo/bar html page rather than actually trying to get to http://192.168.2.1 on port 80?

      thanx guys

    • #29834
      hayabusa
      Participant

      Yes… start there…  😉

    • #29835
      LT72884
      Participant

      @hayabusa wrote:

      Yes… start there…   😉

      I found the foo/bar/protected.html file under specific settings. changed it to point to my router. However still same output. Wireshark shows 404 bad request. Funny thing is, my router got botched up from the attack. couldnt ping it from any host machine. power cycled it and the modem. and it was still TKO.. After a third powercycle it finally came back up. It was warm too. hahaha

      Im getting closer i think. or at least i hope.

      thanx for the help guys

    • #29836
      j0rDy
      Participant

      good to see you haven't given up yet! i think it is key you point your attack directly at the page you want it to start at. lets make it a little more visual. if you're directing it at the index.html page, it might not work because of for example iframes and stuff its made from. try to get the actual page that contains the login without extra pages like headers and footers! (this subtle enough?)

    • #29837
      LT72884
      Participant

      @j0rDy wrote:

      good to see you haven't given up yet! i think it is key you point your attack directly at the page you want it to start at. lets make it a little more visual. if you're directing it at the index.html page, it might not work because of for example iframes and stuff its made from. try to get the actual page that contains the login without extra pages like headers and footers! (this subtle enough?)

      I have tried to view the source code of the actual page but firefox wont allow me to view it nor will IE. It actually doesnt bring up a separate page for login, rather a dialog box.. Then the actual config page. It seems that the video i watched, that shows them using 192.168.2.1, was an older firmware. Its like linksys smartened up a wee bit.. haha

      thanx

    • #29838
      j0rDy
      Participant

      if the site doesnt let you view the source there are a lot of workarounds for it. try saving the page and open it locally, or just perform the complete scan/hack in a controlled environment and mirror/wget the whole site 😀 good luck and let us know the output!

    • #29839
      LT72884
      Participant

      @j0rDy wrote:

      if the site doesnt let you view the source there are a lot of workarounds for it. try saving the page and open it locally, or just perform the complete scan/hack in a controlled environment and mirror/wget the whole site 😀 good luck and let us know the output!

      well, i cant do anything when that dialog box appears. file, edit, view, history and all those tabs gray out. they become non clickable. I can view the source code once i have logged in, but that defeats the purpose of the hack. If i were pentesting my company's router, i would have to find the correct page without logging in.. so i have to avoid that step at home.. hahaha

      so i will have to try the wget and what not to see if i can get the source code of the login dialog box or at least find out where it is redirecting me to.

    • #29840
      LT72884
      Participant

      Ok so i ran wireshark as i did the wget 192.168.2.1 request and checked for any http gets and found this:

      WWW-Authenticate: Basic realm="WRT54GL"\r\n

      after that line came the following:

      SRC=192.168.2.1 DST=10.0.2.15 HTTP HTTP/1.0 401 Unauthorized  (text/html)

      the html output of that is just a red display with black letters.

      So my guess is that when i type 192.168.2.1 into a browser, it makes a TCP connection to the router and then the router dishes out a separate web page with a different address than just 192.168.2.1 for security reasons and my task is to find out what page it really is requesting so that i can point hydra to it. If that notion is correct. then how do i accomplish this without logging into the router to see the source code. ive gotta make this realistic. haha
      thanx guys
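
Reading the two router responses captured in this thread (the 404 for the placeholder path and the 401 with `WWW-Authenticate`), as an added example that is not from any poster. The sample responses are constructed from the lines quoted above; the function names are hypothetical.

```python
# Added example: triage raw HTTP responses like the two seen in the captures.
import re

# Constructed samples modelled on the thread: a 404 for a path that does not
# exist on the device, and the 401 Basic challenge quoted in post #29840.
SAMPLE_404 = b"HTTP/1.0 404 Not Found\r\nContent-Type: text/html\r\n\r\n<html>404</html>"
SAMPLE_401 = (b"HTTP/1.0 401 Unauthorized\r\n"
              b'WWW-Authenticate: Basic realm="WRT54GL"\r\n'
              b"Content-Type: text/html\r\n\r\n<html>401 Unauthorized</html>")

def parse_response(raw: bytes):
    """Return (status_code, headers) with lower-cased header names."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    m = re.match(r"HTTP/\d\.\d (\d{3})", lines[0])
    if not m:
        raise ValueError("not an HTTP response")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return int(m.group(1)), headers

def parse_challenge(value: str):
    """Split 'Basic realm="X"' into (scheme, params)."""
    scheme, _, rest = value.partition(" ")
    params = dict(re.findall(r'(\w+)="([^"]*)"', rest))
    return scheme.lower(), params

def triage(raw: bytes) -> str:
    """Classify a response: missing path, HTTP auth challenge, or other."""
    status, headers = parse_response(raw)
    if status == 404:
        return "path-not-found: the requested URL does not exist on the device"
    if status == 401 and "www-authenticate" in headers:
        scheme, params = parse_challenge(headers["www-authenticate"])
        return f"http-auth: scheme={scheme} realm={params.get('realm', '')}"
    if status == 401:
        return "unauthorized without a challenge header"
    return f"other: status {status}"

if __name__ == "__main__":
    for sample in (SAMPLE_404, SAMPLE_401):
        print(triage(sample))
```

A 401 carrying `WWW-Authenticate: Basic` is what makes the browser show its own credential dialog, so there is no HTML login page behind it for "view source" to display. Over plain HTTP the Basic credentials are only base64-encoded, not encrypted, so anyone who can capture the traffic can read them.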

    • #29841
      j0rDy
      Participant

      allright, i guess you have enough pointers to figure it out. good luck and post the solution you used for the archive!

    • #29842
      LT72884
      Participant

      hmm, still cant seem to figure this out. I tried wget and it says same thing. cant authenticate with webpage. I cant seem to find out what webpage the router redirects the user to for the login dialog box.. wireshark doesnt tell me and i cant see the source code for the dialog box..

      thanx


Copyright ©2020 Caendra, Inc.
