Recovering router password using Burp Suite dictionary attack

Few weeks ago, during cleaning up, I found an old access point/router. I wanted to attach it to my network and do some tests, but I did not remember the password for configuring it through its web access page. I knew it had to be some default user/password but I did not succeed in my tries. I thought it was the right time to prepare a small dictionary attack. There are many powerful tools for this task but I used "Burp Suite" because I love it and I try to use it whenever I can. Furthermore is a perfect tool for understanding what happen behind the scenes during these kind of attacks.

I made the following video trying to explain this process. I hope you find it helpful.

If you want you can download the 'combinator' script used in the video -> combinator.rb.

Enjoy.

 

Posted on August 26, 2013 at 23:08 by Samuel · Permalink
In: Backtrack, Blackbuntu, Kali, Linux, Windows · Tagged with: , , , ,

7 Responses

Subscribe to comments via RSS

  1. Written by Kirill
    on November 24, 2016 at 15:24
    Reply · Permalink

    combinator.rb perezaleyte or give another link.
    Thank you

    • Written by Samuel
      on November 26, 2016 at 13:42
      Reply · Permalink

      Solved

  2. Written by Ryan
    on January 3, 2014 at 16:38
    Reply · Permalink

    Is there a way to recover a router password that isn't on a router using HTTP basic authentication (popup on router page).

    • Written by Samuel
      on January 4, 2014 at 12:27
      Reply · Permalink

      Hello Ryan,

      You have to study first the way that credentials are provided to the router and then configure the attack in a proper way. In the final part of the video (min 06:43) I show how to use this technique for a router that does not get credentials using HTTP basic authentication.

  3. Written by Samuel
    on December 13, 2013 at 11:46
    Reply · Permalink

    Hi Modar,

    You are right. The key here is that the communication between the user and the router is not encrypted. We are not using HTTPS for accessing the router's homepage. This means that if you can sniff the http post request that contains the login info, you can get the password. The challenge here is how to get this request.

    For example if your are inside a not switched network, all the traffic is sent to all the stations and you only have to put your network interface in promiscuous mode to get it.
    If the user that logs into the router is using a wireless connection, you can "sniff the air" and get the traffic you need.
    Finally if you are inside a wired switched network you will have to apply a MITM (Man In The Middle) technique to get the traffic. You can use this technique even if the connection was encrypted by using a fake certificate.

    Once you can sniff the traffic (with your card in promiscuous mode) you can use a tool like Wireshark to view the individual packets, find the http post request and get the password.

    But nothing of this would have worked for me because nobody knew the password. So my options were dictionary attack or find some vulnerability to exploit for that router model.

    Thank you for your comment.

    • Written by Modar
      on December 16, 2013 at 00:34
      Reply · Permalink

      Thanks a lot for your reply. It helped a lot.

  4. Written by Modar
    on December 12, 2013 at 23:59
    Reply · Permalink

    Great video! I was really looking for this.

    Quick question, though, what if I'm not using a common combination for my router homepage. What if I'm using numbers and symbols. Is there any way to capture the username/password combination when another user logs into the router's homepage? Since the encoding is pretty basic, or sometimes even in plain text. In another way, if I'm connected to the network through the wireless password, but I have no access to the router's homepage, can I sniff the combination when another user enters them, or is the dictionary attack the only way possible?

    Thanks.

Subscribe to comments via RSS

Please leave a reply :)

Time limit is exhausted. Please reload CAPTCHA.