esp8266 Bruteforce #2 CRAR

Zrzut ekranu 2018-03-27 o 22.40.18

Next day – next step.

So while being at the hotel after hours i finally decided to spend time on coding CRAR instead of watching the German Eurosport. One – i don’t understand a word, two time flies 3x faster during coding – so as i’m pretty much waiting for end of week to depart from here i started coding and testing.

First of all – Victim

So in order to test CRAR properly i had to find a good victim. Quickly downloaded the LAN Scan tool to figure out what’s happening here. The Hotel has a free WiFi connection so there should be also some router here that you can login to manage it. Quick scan revealed a good target for the game.


I opened the web page to figure out what am i trying to achieve here and i found what i was looking for. Simple login page using a POST to a PHP script – meaning we can easily craft the data and keep on sending. The web page presents itself as : Tiger IP Connect 5.1

Zrzut ekranu 2018-03-27 o 21.56.28

Googled quickly to figure out what is this – seems like a dedicated software to control/manage access to AP (see here). Doesn’t really mater as long as i can test CRAR on it. So, knowing we have a page to login, let’s see how data is posted to this http server. No fancy investigation was done just a view into the html output from this server.

Zrzut ekranu 2018-03-27 o 21.56.34

I easily found that the form with user/password is POSTing to index.php. Well with all that in hand i was ready to launch the ESP (well took one for a trip, knowing i will be bored as hell after hours hehehe).

Secondly – the configuration

Right, i hooked up my ESP to my Macbook and as the software was done  i started configuring the brute-forcer as per the details taken from the web page form.


There are couple updates here since my last post, mainly done for ease of setting up the whole process. Let me guide you through what are these settings.

  1. ESP starts in AP_STA mode, so that i can access it’s own WIFI when craxor is connected to victim AP. Thanks to this i don’t have to connect to victim’s WiFi anymore, i can reconfigure CRAR by connecting to the hotspot it creates.C

Settings are as follows:

  • WiFi – self explanatory, target (victim) AP SSID
  • Password – target (victim) AP Password – in this case, no password, public hotspot
  • Host – the HTTP ip address
  • URL – the URL for the POST
  • Body – the arguments for the POST (taken from the html form definition above), here i assume that the username is admin, why not. It’s just testing, nothing serious 😉
  • Min characters – this is to indicate minimum characters for Wordlist generator
  • Max characters – this is to indicate maximum characters for Wordlist generator
  • Socket Timeout – this is for the socket connect function, so it doesn’t get stuck waiting for socket to timeout, i make it 200ms
  • Charset – this is for the wordlist generator i basically say here that i want to generate 6 characters long including lower case, upper case and numbers.
  • Success Word – hehe bad naming but this is the text that when NOT found means we got this form cracked. Why ‘not’ found ? Well it’s because it’s hard to guess what page displays when login is OK, so it’s better to see if failure text is present every time we check new word from generator. If Failure text is not present, we might be already logged in!


  • Start – which is to start the bruteforce process
  • Pause – which is to pause the bruteforce
  • Reset – which is to restart the ESP (start from setup())


  • Started flag (1/0)
  • Current Word – that’s basically the word we test against now
  • Total Epochs – number of epochs passed (iterations basically)
  • Epochs / sec – number of iterations per second
  • WiFi Signal – yeah, signal to the AP
  • WiFi Connected – just a flag if we’re connected


Self explanatory 🙂

Page down there are more debug things you might be interested in, so here is the screen

Zrzut ekranu 2018-03-27 o 21.56.57

Basically what we see here is

Sent – what we have sent to the server

Received – what we have received from the server
Based on  received text area  you can deduct why i put “Invalid” in the Success Word field.

If Invalid is found, it means we have probably logged in. As long as this word is present in the response, we know we have provided invalid credentials.

Ok, so i’m leaving this soft running until the last day, we will see what happens, overall it’s just a test of the soft and the overall POC. As resuming the wordlist generation is also implemented, i can easily turn off and on ESP and cracking will continue from the last word saved.

Zrzut ekranu 2018-03-27 o 22.44.18

Will see where we are on Friday with that 😉





Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s