Hey, I hope one of you in here can help me. I have a little problem: I need to get a password to a router on the net. I use telnet to connect to the router and then the router asks me for a password. How can I get that password? Does someone know any way or tools I can use to get that password?
I really hope someone can help me
Sorry for my bad English
Tarantula[X]
Sep 20 2003, 08:13 AM
Um here ya go.... You can try default passwords because many dumb admins leave them as the default. Also you can freeze the router in which period the password will be temporarily reset to its default. The default depends on the type of router.
For example the default password for a Cisco router may be "admin". While the router is frozen, connect to it and try the defaults. In v4.1 Cisco software a HUGE password string is/was enough to freeze the router. Not sure if this bug is fixed. Also you can try other DoS attacks (much of which the router may filter ;-( anyways)...
Once the first password phase is cracked what lies next is getting the enable pass which I would not describe how to do in detail because it all depends on the software running, type of router etc. Simply get the password file and crack it!
goofy
Sep 20 2003, 01:51 PM
Thanks for your help. It was very useful for me
wicked
Nov 16 2003, 08:59 PM
Nice one Contempt ...
Wkd.
.../
tolf
Nov 17 2003, 02:03 AM
Does it ask for a userid and password or just password??
If it has userid and pass that means AAA is used and you have to brute force with two factor, if just password try the defaults "cisco" admin etc, run this through a brute forcer as well..
Also if it has HTTP access this exploit will show you the config and line passwords straight away...
Perhaps someone could do us up a password / Combo file for Default User/Pass for all OS's ... now that would come in Handy with AD...
Wks..
.../
Enjoying Tolf..
Ipsec Espah
Dec 2 2003, 02:10 AM
Cisco routers don't have default passwords... And like was previously mentioned, if it prompts you for a username I would just forget about it because after a few incorrect logins you will be locked out.
Ipsec Espah
Dec 2 2003, 02:13 AM
QUOTE (wicked @ Nov 17 2003, 07:01 PM)
Ahh this gets more intriguing by the minute.....
Perhaps someone could do us up a password / Combo file for Default User/Pass for all OS's ... now that would come in Handy with AD...
To the original question, you need to enumerate the router make/model before you go looking for some Universal Router Compromiser/Cracker application (available only from New Zealand)....
Use an app that will grab the SNMP banner, or when you Telnet to it, see if it gives you a banner, see if you get a response on port 80 for its banner (some admins have this enabled for some lame reason, remote admin for the noob or something). You never know.
Tools such as XSCAN 2.3 (www.xfocus.org), NMAP 3.48 (www.insecure.org), or Superscan4 (www.foundstone.com) will help you in this matter.
"When you pick up a tool..don't you think you should learn how to use it before hammering away at things?"..so keep asking questions...
Team effort!
-Hardcore
ikkyu
Dec 11 2003, 03:43 AM
You must know the make and model before you can proceed. Find that out, then you can find an exploit and, if necessary, a cracker.
Decrypting MD5 is not an easy task, since most router passwords are encrypted with MD5.
tolf
Jan 20 2004, 04:32 AM
QUOTE (ST. @ Jan 19 2004, 12:14 AM)
only hammering with bruteforce is possible
Incorrect. There are many other ways to gain access:
(1) HTTP exploit previously mentioned (in the config ip http server) - if this is enabled the majority of Cisco devices are affected by this vulnerability (up until 12.1 or 2 IOS I think) and you can either execute system commands directly to the router, or obtain the configuration straight off, grab the type seven hash and break it in 1 second (if enable secret is enabled it will take longer). If ACLs are applied the configuration will show the IP address to spoof (use iterm to grab a connection)...
(2) Scan the device for port for SNMP - check for default or commonly used community strings (public for RO and private for RW). Again if RW SNMP is enabled then you have access to the router to make configuration changes. Use solarwinds SNMP thingy to download and upload the config.
(3) Scan the device for tftp - if the feature is enabled you can upload a config to the device with no authentication whatsoever.
(4) Many other vulnerabilities inherent to the device's IOS version and type.. ie what does the banner say when you telnet to it? Search on the web for those vulnerabilities.
Go forth young one..
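A defender's check for the exposures listed in the post above (`ip http server`, default SNMP community strings, type 7 passwords, TFTP), as an added example that is not part of the original thread: it audits a saved IOS configuration file. The sample config, the function name `audit_ios_config` and the placeholder credential values are constructed for illustration.

```python
import re

# Constructed sample config (not from the thread); credential values are placeholders.
SAMPLE_CONFIG = """\
hostname lab-rtr
enable password 7 <TYPE7-PLACEHOLDER>
ip http server
snmp-server community public RO
snmp-server community private RW
snmp-server community n0c-Mon1tor RO 10
tftp-server flash:lab-image.bin
line vty 0 4
 password 7 <TYPE7-PLACEHOLDER>
 login
"""

DEFAULT_COMMUNITIES = {"public", "private"}


def audit_ios_config(text):
    """Return [(line_number, finding)] for the weak settings named in the post."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        # Negated forms ("no ip http server") do not match any rule below.
        if line == "ip http server":
            findings.append((n, "HTTP management server enabled"))
        m = re.match(r"snmp-server community (\S+)(?:\s+(RO|RW))?", line, re.I)
        if m and m.group(1).lower() in DEFAULT_COMMUNITIES:
            # IOS treats a community with no mode keyword as read-only.
            mode = (m.group(2) or "RO").upper()
            findings.append((n, f"default SNMP community string ({mode})"))
        # Type 7 is reversible obfuscation; "enable secret" (type 5) is not flagged.
        if re.search(r"\bpassword 7 \S+", line):
            findings.append((n, "reversible type 7 password"))
        if line.startswith("tftp-server "):
            findings.append((n, "TFTP server enabled"))
    return findings


if __name__ == "__main__":
    for lineno, finding in audit_ios_config(SAMPLE_CONFIG):
        print(f"line {lineno}: {finding}")
```
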
gman24
Feb 6 2004, 09:05 PM
If you can, sniff between someone who has access to the router and the router. When they log on, crack the hash (or if it's plaintext, you got it).
ST.
Feb 7 2004, 12:19 AM
yep, use google to find a biiig list of default passwords to routers, it could help
d00m
Feb 8 2004, 01:34 AM
Some time back securityfocus.com had posted two part papers on Cisco security. Sorry, I am too lazy to post the links.
COM
Feb 8 2004, 11:58 AM
All routers have a generic pass, you can try this first. For example all Zyxels have password 1234 for default. Some Linksys in port 8080 have pass Admin.
Normally when you config your router, change the default pass, "Normally"
o_g_i_e
Mar 16 2004, 04:32 PM
Hi... I'm a newbie.
___________________ EDITED BY PACKET - NEW TOPIC QUESTION UNRELATED TO EXISTING TOPIC PLEASE POST THIS AS A NEW TOPIC IN THE NEWBIES SECTION ___________________
147111
Apr 29 2004, 07:20 AM
Can be collected in a lot of places, you go to test by oneself all right