hello anons, asked /g/ about this earlier and was kicked out

You are currently reading a thread in /wsr/ - Worksafe Requests

Thread replies: 7
Thread images: 1
hello anons, asked /g/ about this earlier and was kicked out because /g/ is only for shills shilling shills anymore...

trying to run a dictionary attack against a nas on my network @ 1.11, trendnet tn 200, only issue is i am too inexperienced to
get the tools to see the target. target is a web form so using medusa's web-form module with options -m FORM:/cgi-bin/login_mgr.cgi and -m FORM-DATA:

Only issue is that it will not take my data format... when peeking with wireshark or the browser console the form data comes back with this:
[code]
cmd=login&username=admin&pwd=WVdSdGFXND0%3D&ssl=0&port=0
[/code]

admin is the username that i will be using since it's default for the device
that password there is just whatever is already in that box, 12345 or something like that.

when i use this as my -m FORM-DATA:"cmd=login&username=admin&pwd=WVdSdGFXND0%3D&ssl=0&port=0"
medusa says:
[code]
Invalid FORM-DATA format. Using default format: "post?usersname=&password="
[/code]

Might some kinda hacker anons help me understand what i am doing wrong?

thanks!
>>
i am op and i will post here as i learn

from medusa site for using module "web-form"...

FORM-DATA:<METHOD>?<FIELDS>
Methods and fields to send to web service. Valid methods are GET and POST. The actual form
data to be submitted should also be defined here. Specifically, the fields: username and
password. The username field must be the first, followed by the password field.
Default: "post?username=&password="

Usage example: "-M web-form -m USER-AGENT:"g3rg3 gerg" -m FORM:"webmail/index.php" -m DENY-SIGNAL:"deny!"
-m FORM-DATA:"post?user=&pass=&submit=True"

so i'll try using:
-m FORM-DATA:"post?cmd=login&username=admin&pwd=&ssl=0&port=0"
wondering if i should put $password or something like that in there, if there is an option for that, so it knows where to be trying the passwords
>>
>>34785
using the format mentioned yielded this: I am getting closer, on the right track...

cmd=loginadmin&username=admin12345&pwd=&ssl=0&port=0

this tells me that... i should try to leave off cmd=login, because admin is getting thrown there... then i need to remove "admin" from the format as medusa is obviously appending that... if i were to just remove cmd=login it would show username adminadmin next time i run the command.
>>
okay so this is a legit attempt and fail using the browser and the gui... playing by the rules... captured by wireshark obvi...

POST /cgi-bin/login_mgr.cgi HTTP/1.1
Host: 192.168.1.11
Connection: keep-alive
Content-Length: 56
Accept: */*
Origin: http://192.168.1.11
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.80 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://192.168.1.11/web/home.html
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8

cmd=login&username=admin&pwd=WVdSdGFXND0%3D&ssl=0&port=0

HTTP/1.1 200 OK
Content-Language: en
P3P: CP='CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR'
Content-type: text/html
Transfer-Encoding: chunked
Date: Sun, 17 Jan 2016 05:30:42 GMT
Server: lighttpd/1.4.28

14
{ret:"fail", flag:0}
0

-----------------
So we see it's a POST, we see the target, the host... we see the form-data cmd=login&username=admin&pwd=WVdSdGFXND0%3D&ssl=0&port=0

The server's reply begins at HTTP/1.1 200 OK
ret:"fail" should be used to let medusa know that when you see this it means try the next password... BUT, next i have to get medusa to give the form-data as requested with the cmd=login, i do believe.
>>
>>34808
yes as expected when i tried again with medusa it put the username after the first = and the password after the second =... i have to get it to stop doing this...

POST /cgi-bin/login_mgr.cgi HTTP/1.0
Host: 192.168.1.11:80
User-Agent: I'm not Mozilla, I'm Ming Mong
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 48

cmd=loginadmin&username=123456&pwd=&ssl=0&port=0

HTTP/1.0 200 OK
Content-Language: en
P3P: CP='CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR'
Content-Length: 0
Connection: close
Date: Sun, 17 Jan 2016 05:38:28 GMT
Server: lighttpd/1.4.28

--------------------------
See?
cmd=loginadmin <---- this should only say cmd=login
then &username=admin&pwd=12345 (this is the first password listed in the dictionary).

once i get that straightened out i can add the rules that let medusa know to continue
>>
>>34817
if i leave everything out of the form-data except for the username and password (maybe cmd=login, ssl=0, port=0, will just default)
the server says it gets the PORT but doesn't reply ... like it didn't understand. I think I just have to have that cmd=login at the beginning...
>>
>>34824
tried putting the form-data out of order, but including everything, that way username and password would be in their right places AND all of the data would be there but I got a HTTP 500, didn't like that. Next I tried using $username and $password to get the shit in the right places but medusa doesn't understand these...
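Added example, not from the thread: the same capture seen from the defender's side. The script parses request/response pairs in the shape of the two Wireshark captures quoted above, counts failed logins to login_mgr.cgi per client, and flags the headers that give a tool run away (medusa's default User-Agent "I'm not Mozilla, I'm Ming Mong", a login POST with no Referer). Client IPs and the password list are constructed for the example.

```python
from collections import defaultdict

# Request/response pairs modelled on the captures quoted in the thread.
# Client IPs are constructed for this example.
BROWSER_UI = ("192.168.1.50",
    "POST /cgi-bin/login_mgr.cgi HTTP/1.1\r\nHost: 192.168.1.11\r\n"
    "User-Agent: Mozilla/5.0 (X11; Linux x86_64)\r\nX-Requested-With: XMLHttpRequest\r\n"
    "Referer: http://192.168.1.11/web/home.html\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "cmd=login&username=admin&pwd=WVdSdGFXND0%3D&ssl=0&port=0",
    'HTTP/1.1 200 OK\r\nContent-type: text/html\r\n\r\n{ret:"fail", flag:0}')
TOOL_RUN = [("192.168.1.77",
    "POST /cgi-bin/login_mgr.cgi HTTP/1.0\r\nHost: 192.168.1.11:80\r\n"
    "User-Agent: I'm not Mozilla, I'm Ming Mong\r\nConnection: close\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "cmd=loginadmin&username=%s&pwd=&ssl=0&port=0" % pw,
    "HTTP/1.0 200 OK\r\nContent-Length: 0\r\nConnection: close\r\n\r\n")
    for pw in ("123456", "12345", "password", "admin", "letmein")]  # constructed
SAMPLE_EXCHANGES = [BROWSER_UI] + TOOL_RUN

def parse_http(raw):
    """Split a raw HTTP message into (start line, lower-cased header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    start, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return start, headers, body

def is_failed_login(resp_start, resp_body):
    # The NAS answers a wrong password with {ret:"fail", flag:0}; the malformed
    # tool submissions in the thread got a 200 with an empty body, count those too.
    ok = resp_start.startswith(("HTTP/1.0 200", "HTTP/1.1 200"))
    return ok and ('ret:"fail"' in resp_body or resp_body.strip() == "")

def analyze(exchanges, threshold=5):
    """Return {client: {failed_logins, indicators}} for clients worth alerting on."""
    fails, indicators = defaultdict(int), defaultdict(set)
    for src, req, resp in exchanges:
        req_start, req_hdrs, _ = parse_http(req)
        if not req_start.startswith("POST /cgi-bin/login_mgr.cgi "):
            continue  # only the login endpoint matters here
        resp_start, _, resp_body = parse_http(resp)
        if is_failed_login(resp_start, resp_body):
            fails[src] += 1
        if "ming mong" in req_hdrs.get("user-agent", "").lower():
            indicators[src].add("medusa default user-agent")
        if "referer" not in req_hdrs:  # the NAS web UI always sends one
            indicators[src].add("login POST without Referer")
    return {src: {"failed_logins": fails[src], "indicators": sorted(indicators[src])}
            for src in set(fails) | set(indicators)
            if fails[src] >= threshold or indicators[src]}
```

Feeding the real captures in is a matter of exporting the HTTP streams from Wireshark and pairing each request with its reply; the single failed browser login stays below the threshold and carries no indicators, so only the tool run is reported.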
