Recovering router password using Burp Suite dictionary attack


A few weeks ago, while cleaning up, I found an old access point/router. I wanted to attach it to my network and do some tests, but I did not remember the password for configuring it through its web access page. I knew it had to be some default user/password, but I did not succeed in my tries. I thought it was the right time to prepare a small dictionary attack. There are many powerful tools for this task, but I used “Burp Suite” because I love it and I try to use it whenever I can. Furthermore, it is a perfect tool for understanding what happens behind the scenes during these kinds of attacks.

I made the following video trying to explain this process. I hope you find it helpful.

If you want, you can download the ‘combinator’ script used in the video: combinator.rb.
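The other side of this attack is what it looks like in the router's (or a fronting reverse proxy's) access log: a burst of rejected logins from one source. The following is an added example, not the post's own code nor the combinator script, that flags that pattern for both credential styles mentioned on this page (HTTP basic authentication, where each wrong guess is a 401, and a form login, where wrong guesses are a 4xx on the POST). The log lines, the `/login.cgi` path and the thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Common Log Format as emitted by most embedded web servers / reverse proxies.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None          # not a CLF line; skip it
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def is_failed_login(rec, login_path="/login.cgi"):
    """401 = basic auth rejected; 4xx on the login POST = form login rejected (302/200 = accepted)."""
    return rec["status"] == 401 or (
        rec["method"] == "POST" and rec["path"] == login_path and 400 <= rec["status"] < 500)

def detect_bruteforce(lines, threshold=10, window_s=60, login_path="/login.cgi"):
    """Return {ip: total_failures} for every source IP with >= threshold failures in any window_s span."""
    window = timedelta(seconds=window_s)
    fails = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and is_failed_login(rec, login_path):
            fails[rec["ip"]].append(rec["ts"])
    hits = {}
    for ip, times in fails.items():
        times.sort()
        start = 0                      # sliding window over the sorted timestamps
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                hits[ip] = len(times)
                break
    return hits

# Constructed sample: 12 basic-auth guesses from one host in 33 s, plus normal use from another host.
SAMPLE_LOG = [
    f'192.0.2.10 - - [03/Jan/2014:10:00:{s:02d} +0000] "GET /index.htm HTTP/1.1" 401 0'
    for s in range(0, 36, 3)
] + [
    '192.0.2.20 - - [03/Jan/2014:10:00:05 +0000] "POST /login.cgi HTTP/1.1" 403 0',
    '192.0.2.20 - - [03/Jan/2014:10:00:09 +0000] "POST /login.cgi HTTP/1.1" 302 0',
    '192.0.2.20 - - [03/Jan/2014:10:00:10 +0000] "GET /status.htm HTTP/1.1" 200 1024',
]
```

`detect_bruteforce(SAMPLE_LOG)` reports only 192.0.2.10; the single mistyped password from 192.0.2.20 stays below the threshold, which is the trade-off to tune against the lockout or rate-limit policy you can actually enforce on the device.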




  • haroon
    February 8, 2018

    please give the combinator script link

    • Samuel
      April 8, 2018

      Working now

  • Kirill
    November 24, 2016

combinator.rb, please re-upload it or give another link.
    Thank you

    • Samuel
      November 26, 2016


  • Ryan
    January 3, 2014

Is there a way to recover a router password that isn’t on a router using HTTP basic authentication (popup on router page)?

    • Samuel
      January 4, 2014

      Hello Ryan,

You first have to study the way that credentials are provided to the router and then configure the attack in a proper way. In the final part of the video (min 06:43) I show how to use this technique for a router that does not get credentials using HTTP basic authentication.

  • Samuel
    December 13, 2013

    Hi Modar,

    You are right. The key here is that the communication between the user and the router is not encrypted. We are not using HTTPS for accessing the router’s homepage. This means that if you can sniff the http post request that contains the login info, you can get the password. The challenge here is how to get this request.

For example, if you are inside a non-switched network, all the traffic is sent to all the stations and you only have to put your network interface in promiscuous mode to get it.
    If the user that logs into the router is using a wireless connection, you can “sniff the air” and get the traffic you need.
    Finally if you are inside a wired switched network you will have to apply a MITM (Man In The Middle) technique to get the traffic. You can use this technique even if the connection was encrypted by using a fake certificate.

    Once you can sniff the traffic (with your card in promiscuous mode) you can use a tool like Wireshark to view the individual packets, find the http post request and get the password.

But none of this would have worked for me because nobody knew the password. So my options were a dictionary attack or finding some vulnerability to exploit for that router model.

    Thank you for your comment.

    • Modar
      December 16, 2013

      Thanks a lot for your reply. It helped a lot.

  • Modar
    December 12, 2013

    Great video! I was really looking for this.

Quick question, though: what if I’m not using a common combination for my router homepage? What if I’m using numbers and symbols? Is there any way to capture the username/password combination when another user logs into the router’s homepage, since the encoding is pretty basic, or sometimes even in plain text? In other words, if I’m connected to the network through the wireless password but I have no access to the router’s homepage, can I sniff the combination when another user enters it, or is the dictionary attack the only way possible?

