Medusa | Cracking Router’s Password via Bruteforcing!
In this tutorial, we’ll use medusa (a password cracking tool) to brute force our router’s password. We’ll also discuss attack’s impact and ways to protect router against bruteforcing.
Table of Contents [Quick Links]
Parallel Network Login Auditor is a Brute-force testing tool that can be used to perform brute-forcing against multiple hosts, users or passwords concurrently. Medusa is intended to be a speedy, massively parallel, modular, login bruteforcer. The goal is to support as many services which allow remote authentication as possible.
Syntax and Attack!
Please note that I’m brute-forcing my own router’s password. Therefore, you shouldn’t also try cracking other’s router password.
I will be using a small dictionary file (10Kpass.txt) which is stored in /root/DICTIONARY/ directory.
Syntax: medusa [-h host|-H file] [-u username|-U file] [-p password|-P file] [-C file] -M module [OPT]
- medusa -f -h 192.168.1.1 -u admin -P /root/DICTIONARY/10Kpass.txt -M http
Above options can be explained as follows:
- -f: Stop scanning host after first valid username/password found
- -h: Target hostname or IP address.
- -u [TEXT]: Username to test
- -U [FILE]: File containing usernames to test
- -p [TEXT]: Password to test
- -P [FILE]: File containing passwords to test
- -M [TEXT]: Name of the module to execute
More Medusa Commands!
As always you can find more about Medusa by typing following commands at terminal.
- man medusa
Few more medusa commands are as follows:
- -C [FILE]: File containing combo entries. See README for more information.
- -O [FILE]: File to append log information to
- -e [n/s/ns]: Additional password checks ([n] No Password, [s] Password = Username)
- -M [TEXT]: Name of the module to execute (without the .mod extension)
- -m [TEXT]: Parameter to pass to the module. This can be passed multiple times with a different parameter each time and they will all be sent to the module (i.e.-m Param1 -m Param2, etc.)
- -d: Dump all known modules
- -n [NUM]: Use for non-default TCP port number
- -s: Enable SSL
- -g [NUM]: Give up after trying to connect for NUM seconds (default 3)
- -r [NUM]: Sleep NUM seconds between retry attempts (default 3)
- -R [NUM]: Attempt NUM retries before giving up. The total number of attempts will be NUM + 1.
- -t [NUM]: Total number of logins to be tested concurrently
- -T [NUM]: Total number of hosts to be tested concurrently
- -L: Parallelize logins using one username per thread. The default is to process the entire username before proceeding.
- -f: Stop scanning host after first valid username/password found.
- -F: Stop audit after first valid username/password found on any host.
- -b: Suppress startup banner
- -q: Display module’s usage information
- -v [NUM]: Verbose level [0 – 6 (more)]
- -w [NUM]: Error debug level [0 – 10 (more)]
- -V: Display version
- -Z [TEXT]: Resume scan based on map of previous scan
Router Hacking is Dangerous!
So, what a hacker can do with valid combination router’s username and password?
- After getting hands on your router’s username and password, a hacker can change your default DNS details.
- This will make your browser to request malicious DNS (controlled by Hacker) for resolving domain name.
- Malicious DNS will probably return IP address of phishing website and you’ll soon lose personal information and few online accounts.
You can find details about DNS (Domain Name System) in basics of computer networking tutorials.
There are two basic security steps that everyone (home, office, SMB) can follow:
- Stop access to router login page via WiFi or WAN (Internet). This will stop almost all possible attacks. To achieve this, you can redirect all port 80 router connections to unused or invalid IP.
- If you need access to router over WiFi or WAN, then the default password and choose a strong password.