hello anons, asked /g/ about this earlier...

You are currently reading a thread in /wsr/ - Worksafe Requests

Thread replies: 7
Thread images: 1
Hello anons, I asked /g/ about this earlier and was kicked out because /g/ is only for shills shilling shills anymore...

Trying to run a dictionary attack against a NAS on my network @ 192.168.1.11, a TRENDnet TN-200. The only issue is I am too inexperienced to
get the tools to see the target. The target is a web form, so I am using medusa's web-form module with the options -m FORM:/cgi-bin/login_mgr.cgi and -m FORM-DATA:

The only issue is that it will not take my data format... when peeking with Wireshark or the browser console, the form data comes back as this:
[code]
cmd=login&username=admin&pwd=WVdSdGFXND0%3D&ssl=0&port=0
[/code]

admin is the username I will be using since it's the default for the device.
That password there is just whatever is already in that box, 12345 or something like that.

When I use this as my -m FORM-DATA:"cmd=login&username=admin&pwd=WVdSdGFXND0%3D&ssl=0&port=0"
medusa says:
[code]
Invalid FORM-DATA format. Using default format: "post?username=&password="
[/code]

Might some kinda hacker anons help me understand what I am doing wrong?

thanks!
>>
I am OP and I will post here as I learn.

From the medusa site, for using the module "web-form"...

FORM-DATA:<METHOD>?<FIELDS>
Methods and fields to send to web service. Valid methods are GET and POST. The actual form
data to be submitted should also be defined here. Specifically, the fields: username and
password. The username field must be the first, followed by the password field.
Default: "post?username=&password="

Usage example: "-M web-form -m USER-AGENT:"g3rg3 gerg" -m FORM:"webmail/index.php" -m DENY-SIGNAL:"deny!"
-m FORM-DATA:"post?user=&pass=&submit=True"

So I'll try using:
-m FORM-DATA:"post?cmd=login&username=admin&pwd=&ssl=0&port=0"
Wondering if I should put $password or something like that in there, if there is an option for that, so it knows where to be trying the passwords.
>>
>>34785
Using the format mentioned yielded this: I am getting closer, on the right track...

cmd=loginadmin&username=admin12345&pwd=&ssl=0&port=0

This tells me that I should try to leave off cmd=login, because admin is getting thrown there... then I need to remove "admin" from the format, as medusa is obviously appending that... if I were to just remove cmd=login it would show username adminadmin the next time I run the command.
>>
Okay, so this is a legit attempt and fail using the browser and the GUI... playing by the rules... captured by Wireshark, obvi...

[code]
POST /cgi-bin/login_mgr.cgi HTTP/1.1
Host: 192.168.1.11
Connection: keep-alive
Content-Length: 56
Accept: */*
Origin: http://192.168.1.11
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.80 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://192.168.1.11/web/home.html
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8

cmd=login&username=admin&pwd=WVdSdGFXND0%3D&ssl=0&port=0

HTTP/1.1 200 OK
Content-Language: en
P3P: CP='CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR'
Content-type: text/html
Transfer-Encoding: chunked
Date: Sun, 17 Jan 2016 05:30:42 GMT
Server: lighttpd/1.4.28

14
{ret:"fail", flag:0}
0
[/code]

-----------------
So we see it's a POST, we see the target, the host... we see the form data cmd=login&username=admin&pwd=WVdSdGFXND0%3D&ssl=0&port=0

The server's reply begins at HTTP/1.1 200 OK.
ret:"fail" should be used to let medusa know that when you see this, it means try the next password... BUT, next I have to get medusa to give the form data as requested, with the cmd=login, I do believe.
>>
>>34808
Yes, as expected, when I tried again with medusa it put the username after the first = and the password after the second =... I have to get it to stop doing this...

[code]
POST /cgi-bin/login_mgr.cgi HTTP/1.0
Host: 192.168.1.11:80
User-Agent: I'm not Mozilla, I'm Ming Mong
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 48

cmd=loginadmin&username=123456&pwd=&ssl=0&port=0

HTTP/1.0 200 OK
Content-Language: en
P3P: CP='CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR'
Content-Length: 0
Connection: close
Date: Sun, 17 Jan 2016 05:38:28 GMT
Server: lighttpd/1.4.28
[/code]

--------------------------
See?
cmd=loginadmin <---- this should only say cmd=login
then &username=admin&pwd=12345 (this is the first password listed in the dictionary).

Once I get that straightened out I can add the rules that let medusa know to continue.
>>
>>34817
If I leave everything out of the form-data except for the username and password (maybe cmd=login, ssl=0, port=0 will just default),
the server says it gets the PORT but doesn't reply... like it didn't understand. I think I just have to have that cmd=login at the beginning...
>>
>>34824
Tried putting the form-data out of order, but including everything, so that username and password would be in their right places AND all of the data would be there, but I got an HTTP 500; it didn't like that. Next I tried using $username and $password to get the shit in the right places, but medusa doesn't understand these...
Thread DB ID: 434218