I'm working on a project for school and I need to find a way to force my personal router (Netgear WNR2000v5) to restart. 

 

I've found this list of exploits: https://raw.githubusercontent.com/pedrib/PoC/master/advisories/netgear-wnr2000.txt that my router should still be vulnerable to, but I'm not sure how to run them. 

PSU Tier List | CoC

Gaming Build | FreeNAS Server

i5-4690k || Seidon 240m || GTX780 ACX || MSI Z97s SLI Plus || 8GB 2400mhz || 250GB 840 Evo || 1TB WD Blue || H440 (Black/Blue) || Windows 10 Pro || Dell P2414H & BenQ XL2411Z || Ducky Shine Mini || Logitech G502 Proteus Core

FreeNAS 9.3 - Stable || Xeon E3 1230v2 || Supermicro X9SCM-F || 32GB Crucial ECC DDR3 || 3x4TB WD Red (JBOD) || SYBA SI-PEX40064 sata controller || Corsair CX500m || NZXT Source 210.

https://linustechtips.com/topic/763450-hacking-a-netgear-router/

6 minutes ago, Droidbot said:

download postman for chrome

 


make a post to <router IP addr.>/apply_noauth.cgi?/reboot_waiting.htm

 

I'm not on that network, since I'm trying to break into it.

https://linustechtips.com/topic/763450-hacking-a-netgear-router/#findComment-9646323

1 minute ago, djdwosk97 said:

I did that and it says it couldn't get a response. (I'm not on that network, since I'm trying to break into it)

Ah, you'll need the target network to have a guest network on. 

You need to make a post request with body = x-www-form-urlencoded and the key submit_flag=reboot&yes=Yes

 

 

idk

https://linustechtips.com/topic/763450-hacking-a-netgear-router/#findComment-9646328

1 minute ago, Droidbot said:

Ah, you'll need the target network to have a guest network on. 

You need to make a post request with body = x-www-form-urlencoded and the key submit_flag=reboot&yes=Yes

 

 

I'm trying to hack the router with everything at its default settings, so I can't use a guest network. 

https://linustechtips.com/topic/763450-hacking-a-netgear-router/#findComment-9646334

2 minutes ago, djdwosk97 said:

I'm trying to hack the router with everything at its default settings, so I can't use a guest network. 

Ergh, that's a tough one. Maybe run ophcrack and connect and disconnect some devices from the router to get the WiFi password?

https://linustechtips.com/topic/763450-hacking-a-netgear-router/#findComment-9646347

4 minutes ago, Droidbot said:

Ergh, that's a tough one. Maybe run ophcrack and connect and disconnect some devices from the router to get the WiFi password?

I was really hoping to focus on WPS PIN cracking for gaining the password (rebooting the router is just to bypass the 3 pin attempt limit).

https://linustechtips.com/topic/763450-hacking-a-netgear-router/#findComment-9646359

17 minutes ago, Droidbot said:

Ah, you'll need the target network to have a guest network on. 

You need to make a post request with body = x-www-form-urlencoded and the key submit_flag=reboot&yes=Yes

 

 

Also, I did that from on the network and it says I couldn't get a response. 

Doing a GET request from 192.168.1.1/BRS_netgear_success.html worked though for getting the serial number. 

https://linustechtips.com/topic/763450-hacking-a-netgear-router/#findComment-9646381

bump @Droidbot

 

Any ideas?

https://linustechtips.com/topic/763450-hacking-a-netgear-router/#findComment-9646715

1 minute ago, Droidbot said:

no ideas, never really done something like this before

 

you could ask the exploit maker and see if he can help you

I know he included his email in the page, but I don't know if I want to bother him. 

https://linustechtips.com/topic/763450-hacking-a-netgear-router/#findComment-9646742

So you're trying to guess a WiFi password? What kind of security standard is it using? If it's WPS then you could break it in seconds. WPA/WPA-2 is a little different.

I work as a contractor for everything from photo/video to broadcast and networking. 

I use an old HP Laptop forked up on top of a photography textbook. 

Right now this is what I use: Fuji X100T, Fuji X100, Fuji X-E1, XF 18 f2, XF 35 1.4, Nikon d7000, Nikkor 180 2,8 AFIS, Nikkor 60 1.8.

I've got more crap laying around for other jobs and hobbies, though a lot of that isn't applicable to the interests of this forum, so I'll keep myself back from adding it all to the list. 

 

 

https://linustechtips.com/topic/763450-hacking-a-netgear-router/#findComment-9646893

7 minutes ago, JohnBRoark said:

So you're trying to guess a WiFi password? What kind of security standard is it using? If it's WPS then you could break it in seconds. WPA/WPA-2 is a little different.

I'm trying to crack WPA2 through the WPS exploit, however the router I'm doing testing on disables WPS after three failed attempts and reenables it after the router restarts. So, I just need to find a way to force the router to restart. 

https://linustechtips.com/topic/763450-hacking-a-netgear-router/#findComment-9646922

Now from what I understand WPA2 is still vulnerable. If you capture the four-way handshake when someone connects to the network wirelessly, you can crack the hashes and get the password (just hoping it isn't too complicated).

From what I remember, aircrack-ng can do this just as long as you have a machine with wireless capabilities. It has to be set to the broadcast id of your target router, and with the right commands it can be set to find a host once someone logs into the network wirelessly. At this point, it'll grab hashes from the handshake. Though, I really am not very keen on wireless networking, so I can't tell you for sure how this works or why (just has to do with WPA2 encrypted handshakes), but I do know from my testing that it doesn't seem to work as well on WPA2-PSK and Business wireless. My own Netgear consumer router is susceptible to getting its wireless pass cracked if using WPA2 standards though.

https://linustechtips.com/topic/763450-hacking-a-netgear-router/#findComment-9646946

1 hour ago, JohnBRoark said:

(just hoping it isn't too complicated). 

That's the reason I was focusing on exploiting WPS, I figured it would be easier to force the router to restart than it would be to try and crack something complicated. 

https://linustechtips.com/topic/763450-hacking-a-netgear-router/#findComment-9647108

Well, WPS is unbelievably breakable. There are dozens of guides out there on how to break WPS security, and from what I know it isn't done through making the router restart at all. It's just a super outdated protocol.

https://linustechtips.com/topic/763450-hacking-a-netgear-router/#findComment-9647295

6 hours ago, JohnBRoark said:

Well, WPS is unbelievably breakable. There are dozens of guides out there on how to break WPS security, and from what I know it isn't done through making the router restart at all. It's just a super outdated protocol.

:

9 hours ago, djdwosk97 said:

I'm trying to crack WPA2 through the WPS exploit, however the router I'm doing testing on disables WPS after three failed attempts and reenables it after the router restarts. So, I just need to find a way to force the router to restart. 

 

4 hours ago, .spider. said:

I guess it takes several seconds to reboot the router so it would take ages to run the WPS attack.

It actually isn't that long. It would theoretically take about 60 hours to break if the router had to be restarted after every three attempts.

https://linustechtips.com/topic/763450-hacking-a-netgear-router/#findComment-9648204
