Posted by Sillychicken on October 6, 2011

This is a quick rundown of how to brute force your router with THC-Hydra if it uses HTTP Basic authentication.

If you receive a popup window when you try to access your router, then this method should work for you.

Read the article then watch the movie

THC-Hydra – can be downloaded from their site here
Password list – try openwall’s free list

Find your router IP, you should already know this, mine is 192.168.1.2. It is a DSL-G604T and the default username for this router is “admin”.
If for some reason you can’t remember yours try a default password site such as CIRT.net

Make sure you have downloaded and extracted THC-Hydra. I have extracted mine to C:\CMD\Hydra in this example and I also have my password list in the Hydra directory.

Open a command prompt and navigate to the Hydra directory.
To change directory in DOS, use the “CD” command followed by the path: CD C:\CMD\Hydra

Run the command below, substituting in your values
(command flags are case sensitive).

hydra -l {username} -P {password list path} -s {port} {IP Address} http-get /
My command looks like:
hydra -l admin -P password.lst -s 80 192.168.1.2 http-get /

Command breakdown:
hydra –> the hydra program
-l –> (lowercase “L”, not to be confused with an uppercase “i”) single username to target. Use uppercase -L to specify a username list
-P –> path to the password list. Use lowercase -p to try a single password, e.g. “passw0rd”
-s –> port to target; your router may run on a different port such as 8080
{IP Address} –> hopefully this is clear
http-get –> service to brute force
“/” –> the page to target; if this is left out the command will not run. “/” just indicates the root. Do not include the quotes.
You will get an output line with the username and password if you are successful.
This attack is only as good as your dictionary.
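Seen from the defending side, a run like the one above shows up as a burst of 401 responses for one username from one source, possibly followed by a 200. The detector below is an added example, not part of the original post; it assumes the router or a proxy in front of it writes Common Log Format lines, and the sample lines, client addresses and thresholds are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Common Log Format: ip ident user [time] "method path proto" status size
CLF = re.compile(r'(\S+) \S+ (\S+) \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) \S+')

def detect_basic_auth_guessing(lines, max_failures=10, window=timedelta(seconds=60)):
    """Alert on >= max_failures 401s from one source inside `window`,
    and on a 2xx from that source while the burst is still in the window."""
    recent = defaultdict(deque)   # source ip -> timestamps of recent 401s
    flagged = set()
    alerts = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue              # ignore lines that are not CLF
        ip, user, ts, _method, path, status = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        q = recent[ip]
        while q and when - q[0] > window:
            q.popleft()           # drop failures older than the window
        if status == "401":
            q.append(when)
            if len(q) >= max_failures and ip not in flagged:
                flagged.add(ip)
                alerts.append(("guessing", ip, user, path))
        elif status.startswith("2") and ip in flagged and q:
            # credentials were accepted right after a guessing burst
            alerts.append(("login_after_guessing", ip, user, path))
            q.clear()
    return alerts

def sample_log():
    # Constructed sample: one user who mistypes once, then a source that
    # fails 12 times one second apart and finally gets a 200.
    lines = ['192.168.1.20 - admin [06/Oct/2011:09:59:50 +0000] "GET / HTTP/1.1" 401 0',
             '192.168.1.20 - admin [06/Oct/2011:09:59:58 +0000] "GET / HTTP/1.1" 200 512']
    lines += ['192.168.1.50 - admin [06/Oct/2011:10:00:%02d +0000] "GET / HTTP/1.1" 401 0' % s
              for s in range(12)]
    lines.append('192.168.1.50 - admin [06/Oct/2011:10:00:12 +0000] "GET / HTTP/1.1" 200 512')
    return lines

if __name__ == "__main__":
    for alert in detect_basic_auth_guessing(sample_log()):
        print(alert)
```

A "login_after_guessing" alert means the password was in the list and should be changed; a temporary lockout on the device after a fixed number of failures limits how much of a list can be tried at all.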

Next how to brute force web forms, check it out!!

IMPORTANT:
This is for educational purposes only; don’t go attacking devices which don’t belong to you.

33 Responses so far.

  1. Pratik Koirala says:

    thank you so much. I found the password. :) )

  2. LPunker says:

    I want to test this, but I’m afraid my service provider will see that I try to bruteforce my router. Is it possible that they can see that I’m brute forcing it, by the way?

  3. Shashi says:

    I need password list to download. how can i get that file..

  4. snake says:

    password list attack is called wordlist attack not brute force.
    BF is when the hacking tool tries all the alphanumeric and special characters that the user selected.

  5. Silver says:

    I have a dictionary of 1 GB and I can not use it, the thc-hydra gives me this error:

    Error: Could not allocate enough memory for password file data

  6. sai says:

    Thanks you very much…. :D

  7. jerry says:

    hello!
    I’m jerry and I use globesurfer3 as a router and I try to forward my ipcam f980a but I never succeed. Please can you help me to guide me!
    I check the port with canyouseeme but it always replies error on any port! I’ve already contacted my ISP and they said that they didn’t block any port, but it’s my router globesurfer3 which blocks my ports!
    So please help me

  8. david says:

    Your video has the [80] [www] line in it with the deets, mine doesn’t, is this because the attack failed? It has all the other lines, just not that one :(

  9. meysam says:

    All this learning is true when you are connected to your router right now; what do I do when the PC is not connected to the target router?

  10. pifufo says:

    cmd\hydra>hydra 1- admin -P password.lst 80.192.168.1.2 http-get /

    I get “access denied”, help please

  11. Cooltiger says:

    Hey, I was wondering how to get past if my router blocks you out after 10 tries for the password for a certain time?

  12. Cooltiger says:

    I also can’t seem to find a way to download Hydra any longer

  13. seiji says:

    [Error]Unknown Service : http-get/
    says the result, can you help me please?

  14. tpaul says:

    I tried to download THC-Hydra, but it is coming up as a rar file; I don’t know how to handle it from here

  18. lamo says:

    your router? my router is zyxel, and its www auth without login, how u make hydra work for telnet brute without login, only Password:
    lamers

  23. cyc says:

    Hi all,

    In cmd hydra -l {username} -P {password list path} -s {port} {IP Address} http-get / , how do i find the username, password list path and port?

    -cyc-
