How to use Hydra

Say you have a wireless router to which you have forgotten the password. The easiest thing to do in this case is
to reset the router to factory defaults. However, if you have a lot of custom settings and your backup is
nonexistent, out-dated, corrupted, or the backup restored a password which you do not remember, you can
try a brute force attack on the router. From http://freeworld.thc.org/thc-hydra/, Hydra currently supports:
TELNET, FTP, HTTP-GET, HTTP-HEAD, HTTPS-GET, HTTPS-HEAD, HTTP-PROXY, LDAP2, LDAP3,
SMB, SMBNT, MS-SQL, MYSQL, POSTGRES, REXEC, RSH, RLOGIN, CVS, SNMP, SMTP-AUTH,
SOCKS5, VNC, POP3, IMAP, NNTP, PCNFS, ICQ, SAP/R3, SSH2, Teamspeak, Cisco auth, Cisco enable,
Cisco AAA (incorporated in the telnet module).
For the sake of this document I will use a Linksys WRT54GL, hardware v1.1, Linksys firmware 4.30.11 and
dd-wrt v2.4sp1. The first thing you have to do is find out if the device uses a username AND password to
login. Several devices only require a password to login into the device as admin, root, system, etc. The easiest
way to find this out is to go to the vendor's website and download the installation manual, which will give you
this information.

For the Linksys firmware:
1. Boot BackTrack and login as root.
hydra -l "" -P wordlist.txt -f -v -e ns 192.168.1.1 http-get /
-l is for a username, which is null (an empty string) in this case
-P is a wordlist of passwords to try
-f stop hydra when it finds the password
-v is for verbose
-e ns additionally try a null password (n) and the login name as the password (s); these are the currently
supported options
192.168.1.1 is the IP of the AP
http-get is the correct module for this AP
/ is the URL path that the login protects. On this AP you have to put in the username and password before
you can do anything, so the root path is enough. You will have to figure this out for yourself as each device
is different.
2. Some other options you may need are:
-t TASKS run TASKS number of connects in parallel (default: 16)
You may have to adjust this number down, as larger numbers may cause the router to crash or
misbehave. I usually use 10.
-v / -V verbose mode / show login+pass combination for each attempt
3. As I said earlier, http-get is the correct option for my Linksys AP (with the factory firmware). When you go
to the AP website a dialog box opens and prompts for a username and password. Each AP is different and as
such you will have to change options, as RaginRob found out. The following is a slightly modified version
from his tutorial.
Cracking Passwords Version 1.1 file:///D:/password10.html
23 of 45 2/15/2010 3:48 PM
I recently started playing around with Hydra and tried to hack my router. After searching the forum and
googling around a while I noticed that there are only some howto’s for routers that have http-auth
authentication. That is, when you go to 192.168.2.1 e.g. and before showing anything you have to enter login
and password in a popup. My router (T-Com Sinus 154 DSL Basic 3) and many others I’ve dealt with so far
work differently. When I want to login to my router, I have to go to 192.168.2.1, a web interface with a
password field shows up, and I have to enter the password which is then checked by /cgi-bin/login.exe via
http-post.
It was quite tricky to find out how to use this authentication with hydra, so I guess there are some of you that
can benefit from this. I’ll describe how I did it, so you can adapt the method and use it with your own router.
First of all I examined the login page of the web interface. Be sure to look at the frame source and not the
frameset. You should see the form and the action, here’s what I saw:
The form is defined as:
<form name="tF" method="post" action="/cgi-bin/login.exe" onSubmit="evaltF();">
Somewhere in the form there will be the field that takes the password:
<input type="password" name="pws" class="stylepwd" size="12" maxlength="12">
This is probably the most important data you need. You need to write down the field name (“pws” in my
case). The size attribute comes in very handy too because it tells us that the password’s max length is 12
characters.
After that I tried to get familiar with Hydra's options. I figured out that you need the following options:
hydra -l "" -P passwords.txt -t 1 -f -v -V 192.168.2.1 http-post-form /cgi-bin/login.exe:pws=^PASS^:loginpserr.htm
-l Sets the login name. In the end I don't need a login name but hydra gets kind of pissed when you don't pass
something, so I gave an empty string.
-P The wordlist to use for the password
-t 1 task only, not really necessary, I just wanted to make sure Hydra doesn't choke on too many requests
-f Hydra shall stop when a working password is found
-v be verbose. and even more. I skipped that in the final version but it’s ok for debugging
192.168.1.1 is victim’s ip
http-post-form the method to use
/cgi-bin/login.exe:pws=^PASS^:loginpserr.htm
This is the most important part. Here we tell Hydra what to pass the passwords to. The argument consists of
three parts separated by “:”.
The first part is the script that takes the POST data, we found that in the frame source above.
The second part is the field name of the password field with an added =^PASS^. ^PASS^ is the variable that
hydra substitutes with the passwords in the wordlist.
The third part is the “incorrect” condition. Hydra has to find out somehow if the current password that was
send to the router is correct or not. You have to find a string that is actually IN A NEGATIVE RESPONSE
from the router. As we don’t have the password yet we can’t know what the router will send if the password is
correct, therefore we have to check if it is NOT, which we can find out easily. To find out what the router
sends back to hydra I used Wireshark.
Open up wireshark, go to the router login page, start capturing and then login with a wrong password. After
that, stop capturing and apply a "http" filter. You will see the POST data sent from hydra to the router (you
should also see the "pws=blabla" in the details, that's where hydra sends the passwords from the wordlist).
Below that you’ll find the router answer. In my case it says something like “This page has moved to
loginpserr.htm” packed in some basic HTML. So I used the string loginpserr.htm to validate the .. uhm…
faultyness. OMFG %-]
Hydra will consider a password as CORRECT when the router answer DOES NOT contain the given string.
So be sure to take an expression that somehow sounds like "incorrect" or "wrong". If you took "the" for
example, and the POSITIVE response would be something like "the password you entered was correct", hydra
will not recognize it as correct but incorrect.
If your router does not only need a password but also a username, you can easily add the according login
name to the last part. So if you need to send the field “login” or whatever it is called in your case with the
value “admin” as the only username you could use
/cgi-bin/login.exe:login=admin&pws=^PASS^:loginpserr.htm
When you need to try a whole username list then you can specify the list via
-L usernames.txt
and
/cgi-bin/login.exe:login=^USER^&pws=^PASS^:loginpserr.htm
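Both login styles described on this page leave a recognisable trace on the router side: the Basic-auth dialog of the Linksys firmware answers every bad guess with an HTTP 401, and the form login above bounces every bad guess to loginpserr.htm. The Python script below is an added example (not part of the original page, of RaginRob's tutorial, or of Hydra) that sweeps an access log for bursts of either signal per source address. The log layout, the addresses and the timestamps are constructed for the demonstration; the login path /cgi-bin/login.exe and the error page name are the ones from the tutorial, and real devices will differ.

```python
"""Flag password-guessing bursts against a router web login in access logs."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed for this example (taken from the tutorial above): a wrong form
# password is redirected to loginpserr.htm, and Basic-auth failures are 401s.
FORM_LOGIN_PATH = "/cgi-bin/login.exe"
FAILURE_PAGE = "loginpserr.htm"


def parse_line(line):
    """Parse one constructed log line. Space-separated fields:
    timestamp ip method path status redirect_target ('-' = no redirect)."""
    ts, ip, method, path, status, target = line.split()
    return {"ts": datetime.fromisoformat(ts), "ip": ip, "method": method,
            "path": path, "status": int(status), "target": target}


def is_failed_login(ev):
    """True for a rejected login of either kind the page describes."""
    # http-get style: the device refused the Basic-auth credentials.
    if ev["status"] == 401:
        return True
    # http-post-form style: POST to the login script bounced to the error page
    # (the same string Hydra keys on to decide a guess was wrong).
    return (ev["method"] == "POST" and ev["path"] == FORM_LOGIN_PATH
            and ev["target"] == FAILURE_PAGE)


def find_bursts(log_text, window=timedelta(seconds=60), threshold=10):
    """Return {ip: peak_failures} for every source that reaches `threshold`
    failed logins inside any sliding window of length `window`."""
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    recent = defaultdict(deque)  # ip -> failure timestamps still in the window
    peak = defaultdict(int)
    for ev in events:
        if not is_failed_login(ev):
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        peak[ev["ip"]] = max(peak[ev["ip"]], len(q))
    return {ip: n for ip, n in peak.items() if n >= threshold}


def _constructed_log():
    """Build the constructed sample: one noisy guesser and one ordinary user."""
    base = datetime(2010, 2, 15, 15, 48, 0)
    stamp = lambda s: (base + timedelta(seconds=s)).isoformat()
    lines = []
    # Guesser: 12 Basic-auth failures on "/" in 12 seconds, then 15 form POSTs
    # bounced to the error page over the following 15 seconds.
    for i in range(12):
        lines.append(f"{stamp(i)} 192.168.1.50 GET / 401 -")
    for i in range(15):
        lines.append(f"{stamp(20 + i)} 192.168.1.50 POST {FORM_LOGIN_PATH} 302 {FAILURE_PAGE}")
    # Ordinary user: two typos, then a successful login (redirect elsewhere).
    lines.append(f"{stamp(5)} 192.168.1.77 POST {FORM_LOGIN_PATH} 302 {FAILURE_PAGE}")
    lines.append(f"{stamp(9)} 192.168.1.77 POST {FORM_LOGIN_PATH} 302 {FAILURE_PAGE}")
    lines.append(f"{stamp(14)} 192.168.1.77 POST {FORM_LOGIN_PATH} 302 index.htm")
    return "\n".join(lines)


SAMPLE_LOG = _constructed_log()

if __name__ == "__main__":
    for ip, n in find_bursts(SAMPLE_LOG).items():
        print(f"ALERT {ip}: {n} failed logins within 60 s")  # the guesser only
```

The ordinary user's two typos stay under the threshold; the guesser trips it on either signal alone. The same counter is what a lockout or a progressive delay on the device should key on, and a run with -t set high also shows up as that many simultaneous connections from one address, which is a second, independent signal.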
For dd-wrt:
1. Boot BackTrack and login as root.
hydra -l admin -P wordlist.txt -f -e ns 192.168.1.1 http-get /login.asp
-l is for a username, which is admin in this case. dd-wrt allows the user to choose the username that is
required to login to the device, so it could be anything.
-P is a wordlist of passwords to try
-f stop hydra when it finds the password
-v is for verbose (optional; not used in the command above)
-e ns additionally try a null password (n) and the login name as the password (s); these are the currently
supported options
192.168.1.1 is the IP of the AP
http-get is the correct module for this AP
/login.asp is the URL path that the login protects. On this AP you have to put in the username and password
before you can do anything. You will have to figure this out for yourself as each device is different.
2. Some other options you may need are:
-t TASKS run TASKS number of connects in parallel (default: 16)
You may have to adjust this number down, as larger numbers may cause the router to crash or
misbehave. I usually use 10.
-v / -V verbose mode / show login+pass combination for each attempt

END of hydra