Pentesting Routers – Dictionary Attack with Burp Suite

May 23, 2016 | Views: 20198

Begin Learning Cyber Security for FREE Now!

FREE REGISTRATIONAlready a Member Login Here

 

Welcome Back Cybrarians!!!

Today, we’re going to talk about pentesting a home router’s web interface. When you break into a network (as pentester/hacker), you need to know how to access the web interface to gather more information about how to escalate your privileges within the system.

But, Why???

  • Information from the router helps you to know the connected devices on the network (this will give you a chance to customize suitable attacks on the connected devices)
  • The services that are enabled is also great to know
  • At the end, we can use the router  to —> upload a backdoor…just to be around…

In this tutorial, we’ll be pentesting the interface using two methods:

Method 1: Default Credentials

Method 2 : Dictionary Attack with Burp Suite

NOTE: I’m assuming that we know the network password. We’ll cover breaking into the network in another tutorial.

 

Tutorial Requirements:

  1. Router (Pentest your home router)
  2. Kali Linux on VirtualBox (Use Bridged Network)
  3. BurpSuite (Use the Kali Linux community version)

 

Step 1: Define your Coordination on the Network Map

Now that you are connected to the intended access point, you need to know the Default Gateway in order to access the interface:

– Type ifconfig in the terminal to make sure you have a valid internal IP address

—>  Ifconfig

rout1.JPG

Use the IP Routing table command to get the default gateway of the network

—-> route -n

rout2.JPG

The default Gateway of this router is 192.168.1.1

192.168.1.1 is gateway IP address for our computer. The flag U indicates the route is up and G indicates that it’s a gateway.

Step 2: Access the Web Interface

Open a web browser and type the Default Gateway in the URL address

rout3.JPG

Now that we come across the web interface, we have two methods to deal with that…

Step 3 : Use Method 1 ——>  Default Credentials

One of the important things that we need always to remember is that as pentester/hackers, we need to escalate our penetration tactics from very obvious techniques to the most customized ones. Therefore, starting with testing any web interface with common default credentials can help save a lot of time and effort. More than 50 % of regular users do not change any default settings or credentials of their personal network (as long as it’s working, nobody cares whether it is secure or NOT).

In the image above, we see that the router’s name is NETGEAR and its model is WNDRV3400v2. We can look for the default passwords by Googling the exact version.

Sometimes, you can get information from the official website or use the RouterPasswords Websites.com: http://www.routerpasswords.com/

rout4.JPG

Also, it’s possible to check the router MAC Address to determine the router model name.

MAC Vendor Lookup: http://www.macvendorlookup.com/

route5.JPG

Once you find the username and password, try them. They might work surprisingly.

Step 4 : Use Method 2 ——> Dictionary Attack with Burp Suite

In this method, we’re going use a dictionary attack to crack the web login page.

Configure the browser to use the local proxy

Go to Edit —– > Click on Preferences

burp.jpg

When we get to the Preferences page, click on Advanced —— > and then Network tab and click on Settings.

brup2.JPG

In the connection setting window:

– Choose — Manual Proxy Configuration. Set up the HTTP proxy as localhost and for the port 8080

– Check “Use this proxy server for all protocols” box

– Click “Ok” to save all changes

burp3.png

Forward Requests through Burp Suite

burp1.JPG

Open the Burp Suite and go to Proxy —->  Click on Forward

burp4.png

Once the requests are forwarded, go to the default gateway page and you should see this page:

rout3.JPG

For testing, if the requests are forwarded correctly, try to fill the username and password fields with anything that an attacker would do. You should get results back in the proxy field:

b2.JPG

Highlight the authorization code

b4.JPG

Right-click on the highlighted code and choose “Send to Intruder”

b5.jpg

Open the Intruder tab and click on position to add the authorization code to the payloads

b7.jpg
For this attack, we’re going to use a Sniper type of attack.

Note: Sniper is an attack that enumerates over each parameter, one at a time. If you have multiple parameters, it will enumerate the first parameter with all the payloads from the wordlist supplied and then move on to the second and so on.

In the payload section, we’re going to choose payload type as simple list. The simple list is going to be rockyou.txt wordlist that has most of the commonly used passwords.

b8.png

Once it’s loaded, we’re going to add rules for the payload processing and encoding

 

First Rule: Adding a Prefix  

For this tutorial, we’re assuming that the username is a default name as admin.

b9.png

 

Second Rule: Add Base64 Encoding Rule

b10.jpg

The rule will encode the wordlist to Base64

Start the Intruder Attack

After setting the up the rules, we start the attack. Go the Intruder Tab on the menu bar and choose Start Attack.

b11.png

b13.png

The attack will try every word in the list until it finds the right one. The wrong passwords will result in 401 status (Unauthorized Access). However, the 200 status will result in finding the correct password.

 

When you get the 200 status, click on it and go down to the Raw tab:

b14.png

You should see the Authorization code as the above picture.

Highlight and right click to choose Send to Decoder.

Decode the Password

Go to the Decoder tab and Choose Decode as Base64

2.JPG

You should see the decode password as the above picture. The password turned out to be “Slow2000” for this Web interface login.

Note: When you decode a password, sometimes you need to click on smart decode first, then Decode as Base64.

 

Thanks for reading!

@ZeeMaXX

Save

Save

Save

Save

Save

Share with Friends
FacebookTwitterLinkedInEmail
Use Cybytes and
Tip the Author!
Join
Share with Friends
FacebookTwitterLinkedInEmail
Ready to share your knowledge and expertise?
29 Comments
  1. Thanks so much!

  2. Great piece of info…I have used it long ago and you have literally reminded me of everything about Burp Suite

  3. Thank you. Burpsuite is the best tool in delivering this results

  4. Thanks. Better than bests

  5. You might let new users of Kali know where to find the RockYOU wordlist. IIRC in recent releases it is in /var/wordlists/RockYou.txt.tgz and will have to be extracted by hand before it can be used. Or is it a bzip-ed tar file now?

Page 5 of 6« First...«23456»
Comment on This

You must be logged in to post a comment.

Our Revolution

We believe Cyber Security training should be free, for everyone, FOREVER. Everyone, everywhere, deserves the OPPORTUNITY to learn, begin and grow a career in this fascinating field. Therefore, Cybrary is a free community where people, companies and training come together to give everyone the ability to collaborate in an open source way that is revolutionizing the cyber security educational experience.

Support Cybrary

Donate Here to Get This Month's Donor Badge

 

We recommend always using caution when following any link

Are you sure you want to continue?

Continue
Cancel