Help getting into my solar meter

A safe place for newbies. You won't get flamed here, as long as you've put in some effort before posting (i.e: Google)...

Trying to get into my solar controller

Postby simonmason » Sat Mar 19, 2016 2:35 pm

I have a solar controller on my solar panels at home. It has only a password field. I have tried hydra and brutus without much luck - I can't actually confirm that they are doing anything. The web page is quite simple so I am assuming a brute force approach should yield the password - it used to be written on a piece of tape on the unit and is now gone. All of the tools I tried expect a userid and password and I spent a lot of time trying options to get around this with no luck. The unit is on my home network - 192.168.X.X. I will post the html from the main page and the failed login page below if that helps. I was trying to do things in Brutus because it seems to have more options but I am open to any suggestions. Thanks.

Main Page:
Code: Select all
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <title> Locus Energy LGate LGate 101 </title> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/> <link rel="icon" href="favicon.ico" type="image/x-icon"/> <link rel="shortcut icon" href="favicon.ico" type="image/x-icon"/> <link type="text/css" rel="stylesheet" href="styles.css"/> <script type="text/javascript"> <!-- function Device2and3ok() { device2 = document.getElementsByName("device_PulseCounterWater")[0]; if (!device2) { return true; // not on page so not an issue } device3 = document.getElementsByName("device_PulseCounterEnergy")[0]; device2.readOnly = false; device3.readOnly = false; if (device2.value != "none" && 0) { alert("Device 2 not allowed on an LGate 120"); return false; } if (device3.value != 0 && 0) { alert("Device 3 not allowed on an LGate 120"); return false; } if (device2.value != "none" && device3.value != 0) { alert("Device 2 and Device 3 are mutually exclusive."); return false; } else { return true; } } function IncompatibleDevicesCheck() // called when user attempts to submit { if (!Device2and3ok()) { return false; } device1 = document.getElementsByName("device_InternalWattMeter")[0]; if (device1 && 0) { if (device1.value != "none" && device1.value != "VisionMeter" && device1.value != "VisionMeter3Phase") { alert("Only VisionMeter, VisionMeter3Phase or none allowed on device 1 for an LGate 120/320"); return false; } var low_bandwidth = document.getElementsByName("router_LowBandwidth")[0]; if (low_bandwidth.value == "Enabled" && !LowBandwidthAllowed()) { alert("Must have a Vision Meter and only a Vision Meter, and be in cell mode, for Low Bandwidth Mode"); return false; } } else { if (device1 && (device1.value == "VisionMeter" || device1.value == "VisionMeter3Phase")) { alert("VisionMeter is only allowed on an LGate 120/320"); return false; } } device4 = document.getElementsByName("device_InternalWattMeterUsage")[0]; if (device4 && device4.value != "none" && 0) { alert("Device 4 not allowed on an LGate 120"); return false; } return true; } function getElementsByName_iefix(tag, name) { var elem = document.getElementsByTagName(tag); var arr = new Array(); for (i = 0,iarr = 0; i < elem.length; i++) { att = elem[i].getAttribute("name"); if (att == name) { arr[iarr] = elem[i]; iarr++; } } return arr; } function SubSettingVisibility(parentName,subsettingName,visibleValue) { var parent_tmp = new Array(); parent_tmp = getElementsByName_iefix("select", parentName); var parent = parent_tmp[0]; subsetting = document.getElementsByName(subsettingName)[0]; if (parent && parent.value == visibleValue) { subsetting.parentNode.parentNode.style.display = ""; } else if (subsetting) { subsetting.parentNode.parentNode.style.display = "none"; } return true; } function StringVisibility(modbusName,stringName) { return SubSettingVisibility(modbusName,stringName,"powergateplus"); } function DisableStaticChoicesIfDHCP() { var dhcp = document.getElementsByName("router_DHCPMode"); if (dhcp && dhcp[0].value == "Enabled") { document.getElementsByName("router_StaticIP")[0].readOnly = true; document.getElementsByName("router_Gateway")[0].readOnly = true; document.getElementsByName("router_NetMask")[0].readOnly = true; document.getElementsByName("router_DNS")[0].readOnly = true; } else if (dhcp) { document.getElementsByName("router_StaticIP")[0].readOnly = false; document.getElementsByName("router_Gateway")[0].readOnly = false; document.getElementsByName("router_NetMask")[0].readOnly = false; document.getElementsByName("router_DNS")[0].readOnly = false; } } function LowBandwidthAllowed() { var cellular = document.getElementsByName("ppp_configured")[0]; var lg120 = 0; var device1 = document.getElementsByName("device_InternalWattMeter")[0]; var vm_on_d1 = device1 && device1.value == "VisionMeter"; var device2 = document.getElementsByName("device_PulseCounterWater")[0]; var none_d2 = !device2 || device2.value == "none"; var device3 = document.getElementsByName("device_PulseCounterEnergy")[0]; var none_d3 = !device3 || device3.value == 0; var device4 = document.getElementsByName("device_InternalWattMeterUsage")[0]; var none_d4 = !device4 || device4.value == "none"; var device5 = document.getElementsByName("device_Modbus1")[0]; var none_d5 = !device5 || device5.value == "none"; var device6 = document.getElementsByName("device_Modbus2")[0]; var none_d6 = !device6 || device6.value == "none"; var device7 = document.getElementsByName("device_Modbus3")[0]; var none_d7 = !device7 || device7.value == "none"; var device8 = document.getElementsByName("device_Modbus4")[0]; var none_d8 = !device8 || device8.value == "none"; var device9 = document.getElementsByName("device_Modbus5")[0]; var none_d9 = !device9 || device9.value == "none"; var device10 = document.getElementsByName("device_Modbus6")[0]; var none_d10 = !device10 || device10.value == "none"; var device11 = document.getElementsByName("device_Modbus7")[0]; var none_d11 = !device11 || device11.value == "none"; var device12 = document.getElementsByName("device_Modbus8")[0]; var none_d12 = !device12 || device12.value == "none"; var device13 = document.getElementsByName("device_Modbus9")[0]; var none_d13 = !device13 || device13.value == "none"; var device14 = document.getElementsByName("device_Modbus10")[0]; var none_d14 = !device14 || device14.value == "none"; var device15 = document.getElementsByName("device_Modbus11")[0]; var none_d15 = !device15 || device15.value == "none"; var device16 = document.getElementsByName("device_Modbus12")[0]; var none_d16 = !device16 || device16.value == "none"; var device17 = document.getElementsByName("device_Modbus13")[0]; var none_d17 = !device17 || device17.value == "none"; var device18 = document.getElementsByName("device_Modbus14")[0]; var none_d18 = !device18 || device18.value == "none"; var device19 = document.getElementsByName("device_Modbus15")[0]; var none_d19 = !device19 || device19.value == "none"; var device20 = document.getElementsByName("device_Modbus16")[0]; var none_d20 = !device20 || device20.value == "none"; var vm_only = vm_on_d1 && none_d2 && none_d3 && none_d4 && none_d5 && none_d6 && none_d7 && none_d8 && none_d9 && none_d10 && none_d11 && none_d12 && none_d13 && none_d14 && none_d15 && none_d16 && none_d17 && none_d18 && none_d19 && none_d20; return (cellular.value == "true" && lg120 && vm_only); } function MaybeDisableLowBandwidth() { lbw = document.getElementsByName("router_LowBandwidth"); if (lbw[0]) { if (LowBandwidthAllowed()) { document.getElementsByName("router_LowBandwidth")[0].readOnly = false; } else { document.getElementsByName("router_LowBandwidth")[0].readOnly = true; } } } function SubSettingsVisibility() { StringVisibility( "device_Modbus1", "device_Strings1" ); StringVisibility( "device_Modbus2", "device_Strings2" ); StringVisibility( "device_Modbus3", "device_Strings3" ); StringVisibility( "device_Modbus4", "device_Strings4" ); StringVisibility( "device_Modbus5", "device_Strings5" ); StringVisibility( "device_Modbus6", "device_Strings6" ); StringVisibility( "device_Modbus7", "device_Strings7" ); StringVisibility( "device_Modbus8", "device_Strings8" ); StringVisibility( "device_Modbus9", "device_Strings9" ); StringVisibility( "device_Modbus10", "device_Strings10" ); StringVisibility( "device_Modbus11", "device_Strings11" ); StringVisibility( "device_Modbus12", "device_Strings12" ); StringVisibility( "device_Modbus13", "device_Strings13" ); StringVisibility( "device_Modbus14", "device_Strings14" ); StringVisibility( "device_Modbus15", "device_Strings15" ); StringVisibility( "device_Modbus16", "device_Strings16" ); SubSettingVisibility( "device_Modbus1", "device_SMAModel1", "SMADevice" ); SubSettingVisibility( "device_Modbus2", "device_SMAModel2", "SMADevice" ); SubSettingVisibility( "device_Modbus3", "device_SMAModel3", "SMADevice" ); SubSettingVisibility( "device_Modbus4", "device_SMAModel4", "SMADevice" ); SubSettingVisibility( "device_Modbus5", "device_SMAModel5", "SMADevice" ); SubSettingVisibility( "device_Modbus6", "device_SMAModel6", "SMADevice" ); SubSettingVisibility( "device_Modbus7", "device_SMAModel7", "SMADevice" ); SubSettingVisibility( "device_Modbus8", "device_SMAModel8", "SMADevice" ); SubSettingVisibility( "device_Modbus9", "device_SMAModel9", "SMADevice" ); SubSettingVisibility( "device_Modbus10", "device_SMAModel10", "SMADevice" ); SubSettingVisibility( "device_Modbus11", "device_SMAModel11", "SMADevice" ); SubSettingVisibility( "device_Modbus12", "device_SMAModel12", "SMADevice" ); SubSettingVisibility( "device_Modbus13", "device_SMAModel13", "SMADevice" ); SubSettingVisibility( "device_Modbus14", "device_SMAModel14", "SMADevice" ); SubSettingVisibility( "device_Modbus15", "device_SMAModel15", "SMADevice" ); SubSettingVisibility( "device_Modbus16", "device_SMAModel16", "SMADevice" ); SubSettingVisibility( "device_Modbus1", "device_SMASerial1", "SMADevice" ); SubSettingVisibility( "device_Modbus2", "device_SMASerial2", "SMADevice" ); SubSettingVisibility( "device_Modbus3", "device_SMASerial3", "SMADevice" ); SubSettingVisibility( "device_Modbus4", "device_SMASerial4", "SMADevice" ); SubSettingVisibility( "device_Modbus5", "device_SMASerial5", "SMADevice" ); SubSettingVisibility( "device_Modbus6", "device_SMASerial6", "SMADevice" ); SubSettingVisibility( "device_Modbus7", "device_SMASerial7", "SMADevice" ); SubSettingVisibility( "device_Modbus8", "device_SMASerial8", "SMADevice" ); SubSettingVisibility( "device_Modbus9", "device_SMASerial9", "SMADevice" ); SubSettingVisibility( "device_Modbus10", "device_SMASerial10", "SMADevice" ); SubSettingVisibility( "device_Modbus11", "device_SMASerial11", "SMADevice" ); SubSettingVisibility( "device_Modbus12", "device_SMASerial12", "SMADevice" ); SubSettingVisibility( "device_Modbus13", "device_SMASerial13", "SMADevice" ); SubSettingVisibility( "device_Modbus14", "device_SMASerial14", "SMADevice" ); SubSettingVisibility( "device_Modbus15", "device_SMASerial15", "SMADevice" ); SubSettingVisibility( "device_Modbus16", "device_SMASerial16", "SMADevice" ); return true; } function ValidNumber(p,id,min,max,was) { thestring = document.getElementById(id).value; decimal_points = 0; digit_count = 0; for (i = 0; i < thestring.length; i++) { ch = thestring.substring(i, i+1); if (ch == ".") { decimal_points++; } else if (ch >= "0" && ch <= "9") { digit_count++; } if (((ch < "0" || ch > "9") && ch != ".") || decimal_points>1) { document.getElementById(id).value = was; alert("Numbers may contain digits 0 thru 9 and at most one decimal point!"); return false; } if (parseFloat(thestring) < parseFloat(min) || parseFloat(thestring) > parseFloat(max)) { document.getElementById(id).value = was; alert("\"" + p + "\" must be between " + min.toString() + " and " + max.toString() + "!"); return false; } } if (digit_count == 0) { document.getElementById(id).value = was; alert("Numbers must contain at least one digit"); return false; } return true; } function ValidHHMM(p, id, min, max, was) { thestring = document.getElementById(id).value ok = false; if (/^[0-9]{1,4}$/.test(thestring)) { minutes = parseInt(thestring); } else if (/^([0-9]{1,2}):([0-9]{1,2})$/.test(thestring)) { parts = /^([0-9]{1,2}):([0-9]{1,2})$/.exec(thestring); minutes = parseInt(parts[1])*60 + parseInt(parts[2]); } else { alert("HHMM fields must have mmmm or hh:mm format"); document.getElementById(id).value = was; return false; } if (minutes < min || minutes > max) { alert("HHMM fields must be in range [ " + min.toString() + ".." + max.toString() + " ] minutes"); document.getElementById(id).value = was; return false; } return true; } function ValidInteger(p,id,min,max,was) { thestring = document.getElementById(id).value; decimal_points = 0; for (i = 0; i < thestring.length; i++) { ch = thestring.substring(i, i+1); if (ch == ".") { decimal_points++; } if (((ch < "0" || ch > "9") && ch != ".") || decimal_points>0) { document.getElementById(id).value = was; alert("Integers may contain digits 0 thru 9 and no decimal points!"); return false; } if (parseFloat(thestring) < parseFloat(min) || parseFloat(thestring) > parseFloat(max)) { document.getElementById(id).value = was; alert("\"" + p + "\" must be between " + min.toString() + " and " + max.toString() + "!"); return false; } } return true; } var $seconds_waited = 5; var $ping_img; var $ping_imgPreload; var $ping_timer; function image_loaded() { clearTimeout($ping_timer); $ping_timer = null; window.location = "index.php"; }; function ping_init() { var $sess = new Date(); var $nocache = $sess.getTime(); var $imguri = $ping_img+"?time="+$nocache; $ping_imgPreload = new Image(); $ping_imgPreload.onload = image_loaded; $ping_imgPreload.src = $imguri; $ping_timer = setTimeout("fail_to_ping()",5000); }; function fail_to_ping() { clearTimeout($ping_timer); $ping_timer = null; $ping_imgPreload = null; reload(); }; function reload(){ document.getElementById('reboot_div').innerHTML = "Waiting for status page to become available. " + $seconds_waited.toString() + " seconds have elapsed."; $seconds_waited+=5; $ping_img = "/ping.php"; ping_init(); }; var $refresh_timer; var $stop_refresh; function refresh_status(){ if ($stop_refresh != 1) { window.location.href=window.location.href; } }; function set_refresh(){ $refresh_timer = setTimeout('refresh_status();', 14000); }; function reset_refresh(){ $stop_refresh = 0; clearTimeout($refresh_timer); $refresh_timer = setTimeout('refresh_status();', 14000); }; function stop_refresh(){ $stop_refresh = 1; }; //--> </script> </head> <body > <div id="logo" > <img src="logo.gif" alt="Locus Energy"/> </div> <div id="product_name"> LGate 101 </div> <div id="info"> <b>IP</b>: 192.168.002.073 &nbsp; <b>WEB CONFIG</b>: v2.0 &nbsp; <b>APP</b>: v1.04H_EM3 &nbsp;<b>PIC</b>: v03.07 </div> <div id="mac"> <b>MAC</b>: 00:04:A3:60:34:E2 </div> <form action="index.php?config" method="post"> <div id="password_div"> Password:<br/> <input class="password" type="password" name="password" onkeypress="reset_refresh()"/> <input class="log_in_button" type="submit" onclick="clearTimeout($refresh_timer)" value="Login"/> </div> </form> <div id="copyright"> &copy;2012 Locus Energy<br/> <a href="http://www.locusenergy.com/LGate_info">Copyrighted open source projects used</a> </div> </body> </html>

Page after failed attempt:
Code: Select all
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <title> Locus Energy LGate LGate 101 </title> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/> <link rel="icon" href="favicon.ico" type="image/x-icon"/> <link rel="shortcut icon" href="favicon.ico" type="image/x-icon"/> <link type="text/css" rel="stylesheet" href="styles.css"/> <script type="text/javascript"> <!-- function Device2and3ok() { device2 = document.getElementsByName("device_PulseCounterWater")[0]; if (!device2) { return true; // not on page so not an issue } device3 = document.getElementsByName("device_PulseCounterEnergy")[0]; device2.readOnly = false; device3.readOnly = false; if (device2.value != "none" && 0) { alert("Device 2 not allowed on an LGate 120"); return false; } if (device3.value != 0 && 0) { alert("Device 3 not allowed on an LGate 120"); return false; } if (device2.value != "none" && device3.value != 0) { alert("Device 2 and Device 3 are mutually exclusive."); return false; } else { return true; } } function IncompatibleDevicesCheck() // called when user attempts to submit { if (!Device2and3ok()) { return false; } device1 = document.getElementsByName("device_InternalWattMeter")[0]; if (device1 && 0) { if (device1.value != "none" && device1.value != "VisionMeter" && device1.value != "VisionMeter3Phase") { alert("Only VisionMeter, VisionMeter3Phase or none allowed on device 1 for an LGate 120/320"); return false; } var low_bandwidth = document.getElementsByName("router_LowBandwidth")[0]; if (low_bandwidth.value == "Enabled" && !LowBandwidthAllowed()) { alert("Must have a Vision Meter and only a Vision Meter, and be in cell mode, for Low Bandwidth Mode"); return false; } } else { if (device1 && (device1.value == "VisionMeter" || device1.value == "VisionMeter3Phase")) { alert("VisionMeter is only allowed on an LGate 120/320"); return false; } } device4 = document.getElementsByName("device_InternalWattMeterUsage")[0]; if (device4 && device4.value != "none" && 0) { alert("Device 4 not allowed on an LGate 120"); return false; } return true; } function getElementsByName_iefix(tag, name) { var elem = document.getElementsByTagName(tag); var arr = new Array(); for (i = 0,iarr = 0; i < elem.length; i++) { att = elem[i].getAttribute("name"); if (att == name) { arr[iarr] = elem[i]; iarr++; } } return arr; } function SubSettingVisibility(parentName,subsettingName,visibleValue) { var parent_tmp = new Array(); parent_tmp = getElementsByName_iefix("select", parentName); var parent = parent_tmp[0]; subsetting = document.getElementsByName(subsettingName)[0]; if (parent && parent.value == visibleValue) { subsetting.parentNode.parentNode.style.display = ""; } else if (subsetting) { subsetting.parentNode.parentNode.style.display = "none"; } return true; } function StringVisibility(modbusName,stringName) { return SubSettingVisibility(modbusName,stringName,"powergateplus"); } function DisableStaticChoicesIfDHCP() { var dhcp = document.getElementsByName("router_DHCPMode"); if (dhcp && dhcp[0].value == "Enabled") { document.getElementsByName("router_StaticIP")[0].readOnly = true; document.getElementsByName("router_Gateway")[0].readOnly = true; document.getElementsByName("router_NetMask")[0].readOnly = true; document.getElementsByName("router_DNS")[0].readOnly = true; } else if (dhcp) { document.getElementsByName("router_StaticIP")[0].readOnly = false; document.getElementsByName("router_Gateway")[0].readOnly = false; document.getElementsByName("router_NetMask")[0].readOnly = false; document.getElementsByName("router_DNS")[0].readOnly = false; } } function LowBandwidthAllowed() { var cellular = document.getElementsByName("ppp_configured")[0]; var lg120 = 0; var device1 = document.getElementsByName("device_InternalWattMeter")[0]; var vm_on_d1 = device1 && device1.value == "VisionMeter"; var device2 = document.getElementsByName("device_PulseCounterWater")[0]; var none_d2 = !device2 || device2.value == "none"; var device3 = document.getElementsByName("device_PulseCounterEnergy")[0]; var none_d3 = !device3 || device3.value == 0; var device4 = document.getElementsByName("device_InternalWattMeterUsage")[0]; var none_d4 = !device4 || device4.value == "none"; var device5 = document.getElementsByName("device_Modbus1")[0]; var none_d5 = !device5 || device5.value == "none"; var device6 = document.getElementsByName("device_Modbus2")[0]; var none_d6 = !device6 || device6.value == "none"; var device7 = document.getElementsByName("device_Modbus3")[0]; var none_d7 = !device7 || device7.value == "none"; var device8 = document.getElementsByName("device_Modbus4")[0]; var none_d8 = !device8 || device8.value == "none"; var device9 = document.getElementsByName("device_Modbus5")[0]; var none_d9 = !device9 || device9.value == "none"; var device10 = document.getElementsByName("device_Modbus6")[0]; var none_d10 = !device10 || device10.value == "none"; var device11 = document.getElementsByName("device_Modbus7")[0]; var none_d11 = !device11 || device11.value == "none"; var device12 = document.getElementsByName("device_Modbus8")[0]; var none_d12 = !device12 || device12.value == "none"; var device13 = document.getElementsByName("device_Modbus9")[0]; var none_d13 = !device13 || device13.value == "none"; var device14 = document.getElementsByName("device_Modbus10")[0]; var none_d14 = !device14 || device14.value == "none"; var device15 = document.getElementsByName("device_Modbus11")[0]; var none_d15 = !device15 || device15.value == "none"; var device16 = document.getElementsByName("device_Modbus12")[0]; var none_d16 = !device16 || device16.value == "none"; var device17 = document.getElementsByName("device_Modbus13")[0]; var none_d17 = !device17 || device17.value == "none"; var device18 = document.getElementsByName("device_Modbus14")[0]; var none_d18 = !device18 || device18.value == "none"; var device19 = document.getElementsByName("device_Modbus15")[0]; var none_d19 = !device19 || device19.value == "none"; var device20 = document.getElementsByName("device_Modbus16")[0]; var none_d20 = !device20 || device20.value == "none"; var vm_only = vm_on_d1 && none_d2 && none_d3 && none_d4 && none_d5 && none_d6 && none_d7 && none_d8 && none_d9 && none_d10 && none_d11 && none_d12 && none_d13 && none_d14 && none_d15 && none_d16 && none_d17 && none_d18 && none_d19 && none_d20; return (cellular.value == "true" && lg120 && vm_only); } function MaybeDisableLowBandwidth() { lbw = document.getElementsByName("router_LowBandwidth"); if (lbw[0]) { if (LowBandwidthAllowed()) { document.getElementsByName("router_LowBandwidth")[0].readOnly = false; } else { document.getElementsByName("router_LowBandwidth")[0].readOnly = true; } } } function SubSettingsVisibility() { StringVisibility( "device_Modbus1", "device_Strings1" ); StringVisibility( "device_Modbus2", "device_Strings2" ); StringVisibility( "device_Modbus3", "device_Strings3" ); StringVisibility( "device_Modbus4", "device_Strings4" ); StringVisibility( "device_Modbus5", "device_Strings5" ); StringVisibility( "device_Modbus6", "device_Strings6" ); StringVisibility( "device_Modbus7", "device_Strings7" ); StringVisibility( "device_Modbus8", "device_Strings8" ); StringVisibility( "device_Modbus9", "device_Strings9" ); StringVisibility( "device_Modbus10", "device_Strings10" ); StringVisibility( "device_Modbus11", "device_Strings11" ); StringVisibility( "device_Modbus12", "device_Strings12" ); StringVisibility( "device_Modbus13", "device_Strings13" ); StringVisibility( "device_Modbus14", "device_Strings14" ); StringVisibility( "device_Modbus15", "device_Strings15" ); StringVisibility( "device_Modbus16", "device_Strings16" ); SubSettingVisibility( "device_Modbus1", "device_SMAModel1", "SMADevice" ); SubSettingVisibility( "device_Modbus2", "device_SMAModel2", "SMADevice" ); SubSettingVisibility( "device_Modbus3", "device_SMAModel3", "SMADevice" ); SubSettingVisibility( "device_Modbus4", "device_SMAModel4", "SMADevice" ); SubSettingVisibility( "device_Modbus5", "device_SMAModel5", "SMADevice" ); SubSettingVisibility( "device_Modbus6", "device_SMAModel6", "SMADevice" ); SubSettingVisibility( "device_Modbus7", "device_SMAModel7", "SMADevice" ); SubSettingVisibility( "device_Modbus8", "device_SMAModel8", "SMADevice" ); SubSettingVisibility( "device_Modbus9", "device_SMAModel9", "SMADevice" ); SubSettingVisibility( "device_Modbus10", "device_SMAModel10", "SMADevice" ); SubSettingVisibility( "device_Modbus11", "device_SMAModel11", "SMADevice" ); SubSettingVisibility( "device_Modbus12", "device_SMAModel12", "SMADevice" ); SubSettingVisibility( "device_Modbus13", "device_SMAModel13", "SMADevice" ); SubSettingVisibility( "device_Modbus14", "device_SMAModel14", "SMADevice" ); SubSettingVisibility( "device_Modbus15", "device_SMAModel15", "SMADevice" ); SubSettingVisibility( "device_Modbus16", "device_SMAModel16", "SMADevice" ); SubSettingVisibility( "device_Modbus1", "device_SMASerial1", "SMADevice" ); SubSettingVisibility( "device_Modbus2", "device_SMASerial2", "SMADevice" ); SubSettingVisibility( "device_Modbus3", "device_SMASerial3", "SMADevice" ); SubSettingVisibility( "device_Modbus4", "device_SMASerial4", "SMADevice" ); SubSettingVisibility( "device_Modbus5", "device_SMASerial5", "SMADevice" ); SubSettingVisibility( "device_Modbus6", "device_SMASerial6", "SMADevice" ); SubSettingVisibility( "device_Modbus7", "device_SMASerial7", "SMADevice" ); SubSettingVisibility( "device_Modbus8", "device_SMASerial8", "SMADevice" ); SubSettingVisibility( "device_Modbus9", "device_SMASerial9", "SMADevice" ); SubSettingVisibility( "device_Modbus10", "device_SMASerial10", "SMADevice" ); SubSettingVisibility( "device_Modbus11", "device_SMASerial11", "SMADevice" ); SubSettingVisibility( "device_Modbus12", "device_SMASerial12", "SMADevice" ); SubSettingVisibility( "device_Modbus13", "device_SMASerial13", "SMADevice" ); SubSettingVisibility( "device_Modbus14", "device_SMASerial14", "SMADevice" ); SubSettingVisibility( "device_Modbus15", "device_SMASerial15", "SMADevice" ); SubSettingVisibility( "device_Modbus16", "device_SMASerial16", "SMADevice" ); return true; } function ValidNumber(p,id,min,max,was) { thestring = document.getElementById(id).value; decimal_points = 0; digit_count = 0; for (i = 0; i < thestring.length; i++) { ch = thestring.substring(i, i+1); if (ch == ".") { decimal_points++; } else if (ch >= "0" && ch <= "9") { digit_count++; } if (((ch < "0" || ch > "9") && ch != ".") || decimal_points>1) { document.getElementById(id).value = was; alert("Numbers may contain digits 0 thru 9 and at most one decimal point!"); return false; } if (parseFloat(thestring) < parseFloat(min) || parseFloat(thestring) > parseFloat(max)) { document.getElementById(id).value = was; alert("\"" + p + "\" must be between " + min.toString() + " and " + max.toString() + "!"); return false; } } if (digit_count == 0) { document.getElementById(id).value = was; alert("Numbers must contain at least one digit"); return false; } return true; } function ValidHHMM(p, id, min, max, was) { thestring = document.getElementById(id).value ok = false; if (/^[0-9]{1,4}$/.test(thestring)) { minutes = parseInt(thestring); } else if (/^([0-9]{1,2}):([0-9]{1,2})$/.test(thestring)) { parts = /^([0-9]{1,2}):([0-9]{1,2})$/.exec(thestring); minutes = parseInt(parts[1])*60 + parseInt(parts[2]); } else { alert("HHMM fields must have mmmm or hh:mm format"); document.getElementById(id).value = was; return false; } if (minutes < min || minutes > max) { alert("HHMM fields must be in range [ " + min.toString() + ".." + max.toString() + " ] minutes"); document.getElementById(id).value = was; return false; } return true; } function ValidInteger(p,id,min,max,was) { thestring = document.getElementById(id).value; decimal_points = 0; for (i = 0; i < thestring.length; i++) { ch = thestring.substring(i, i+1); if (ch == ".") { decimal_points++; } if (((ch < "0" || ch > "9") && ch != ".") || decimal_points>0) { document.getElementById(id).value = was; alert("Integers may contain digits 0 thru 9 and no decimal points!"); return false; } if (parseFloat(thestring) < parseFloat(min) || parseFloat(thestring) > parseFloat(max)) { document.getElementById(id).value = was; alert("\"" + p + "\" must be between " + min.toString() + " and " + max.toString() + "!"); return false; } } return true; } var $seconds_waited = 5; var $ping_img; var $ping_imgPreload; var $ping_timer; function image_loaded() { clearTimeout($ping_timer); $ping_timer = null; window.location = "index.php"; }; function ping_init() { var $sess = new Date(); var $nocache = $sess.getTime(); var $imguri = $ping_img+"?time="+$nocache; $ping_imgPreload = new Image(); $ping_imgPreload.onload = image_loaded; $ping_imgPreload.src = $imguri; $ping_timer = setTimeout("fail_to_ping()",5000); }; function fail_to_ping() { clearTimeout($ping_timer); $ping_timer = null; $ping_imgPreload = null; reload(); }; function reload(){ document.getElementById('reboot_div').innerHTML = "Waiting for status page to become available. " + $seconds_waited.toString() + " seconds have elapsed."; $seconds_waited+=5; $ping_img = "/ping.php"; ping_init(); }; var $refresh_timer; var $stop_refresh; function refresh_status(){ if ($stop_refresh != 1) { window.location.href=window.location.href; } }; function set_refresh(){ $refresh_timer = setTimeout('refresh_status();', 14000); }; function reset_refresh(){ $stop_refresh = 0; clearTimeout($refresh_timer); $refresh_timer = setTimeout('refresh_status();', 14000); }; function stop_refresh(){ $stop_refresh = 1; }; //--> </script> </head> <body > <div id="logo" > <img src="logo.gif" alt="Locus Energy"/> </div> <div id="product_name"> LGate 101 </div> <div id="info"> <b>IP</b>: 192.168.002.073 &nbsp; <b>WEB CONFIG</b>: v2.0 &nbsp; <b>APP</b>: v1.04H_EM3 &nbsp;<b>PIC</b>: v03.07 </div> <div id="mac"> <b>MAC</b>: 00:04:A3:60:34:E2 </div> <form action="index.php?config" method="post"> <div id="password_div"> Password:<br/> <input class="password" type="password" name="password" onkeypress="reset_refresh()"/> <input class="log_in_button" type="submit" onclick="clearTimeout($refresh_timer)" value="Login"/> <br/><b>Unrecognized Password</b> </div> </form> <div id="copyright"> &copy;2012 Locus Energy<br/> <a href="http://www.locusenergy.com/LGate_info">Copyrighted open source projects used</a> </div> </body> </html>
simonmason
n00b
 
Posts: 4
Joined: Sat Mar 19, 2016 2:18 pm

Help getting into my solar meter

Postby simonmason » Sat Mar 26, 2016 8:51 am

I have a solar meter installed in my house and I can't find the password anyhwere. It looks like the solar company that installed it went out of business. It is a password only, very simple form. It resides on my home network and has a 192.168.X.X IP. I looked at hydra but it doesn't appear to work without a login and password. I thought I could get Brutus to work but so far haven't had much luck - mostly due to my knowledge in the space - hence I am posting in the Newbie forum. If I can get some pointers on how to configure Brutus to do this I would really appreciate it. Thanks.


I ran burp and entered a password and got the output below.

POST /index.php?config HTTP/1.1
Host: 192.168.2.73
Content-Length: 14
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://192.168.2.73
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.87 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://192.168.2.73/index.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Cookie: PHPSESSID=a3db8a4ba4cda0fe83224850e4ec601d
Connection: close

password=simon

This is a screen shot of a failed password attempt. The previous screen looks exactly the same except it doesn't say Unrecognized Password
Screen Shot 2016-03-26 at 9.47.25 AM.png
Screen Shot 2016-03-26 at 9.47.25 AM.png (37.21 KiB) Viewed 3039 times
simonmason
n00b
 
Posts: 4
Joined: Sat Mar 19, 2016 2:18 pm

Re: Help getting into my solar meter

Postby Cool_Fire » Sun Apr 03, 2016 2:57 am

Off the top of my head, only having a password field should not be a problem for either hydra or brutus. I think both allow you to omit the username, but of that I'm not 100% sure.
Either way you can just have it brute force the password field only and set a static username for a field that does not exist. The program will send a username along with each request but since the login page only cares about the password variable it doesn't matter anyway.
If we're breaking the rules, then how come you can't catch us? You can't find us? I know why. Cause, it's ... MAGIC!
Hackerthreads chat, where the party is going 24/7.
User avatar
Cool_Fire
Not a sandwich
 
Posts: 1880
Joined: Fri May 09, 2003 1:20 pm
ICQ: 336613081
Website: https://www.insomnia247.nl/
Yahoo Messenger: cool_fire_666
AOL: EvilCoolFire
Location: 41 6d 73 74 65 72 64 61 6d

Re: Help getting into my solar meter

Postby simonmason » Sun Apr 03, 2016 7:03 am

I had some issues with hydra trying to get it to proceed without a userid. I read a post where someone said use the cisco option as that doesn't require a userid but no luck. So I thought I would just use Brutus as this should be quite simple, I can't imagine the password is that complex.

When I run Brutus and uncheck userid and let it run it stops every time after the first try and says success - positive identification. The page reloads with every bad password attempt and says unrecognized password. Somehow I have to tell Brutus that this was an unsuccessful attempt but I can't figure out how to do this?
simonmason
n00b
 
Posts: 4
Joined: Sat Mar 19, 2016 2:18 pm

Re: Help getting into my solar meter

Postby simonmason » Sun Apr 03, 2016 7:58 am

I believe I have gotten it to work. I chose HTML form and then went into define sequence. I then put the bad password response in response 1 and checked positive response. I did not specify any other fields as when I try to read the form from the web site Brutus says that there are no html forms. It is running, hopefully successfully. We shall see. If anyone reads this and thinks I just sent it into a useless process, please let me know! Thanks.
simonmason
n00b
 
Posts: 4
Joined: Sat Mar 19, 2016 2:18 pm

Re: Help getting into my solar meter

Postby Cool_Fire » Wed Apr 06, 2016 1:44 pm

I then put the bad password response in response 1 and checked positive response.
Perhaps I misunderstand or you misspoke but this sounds like you have your logic inverted here. It would be looking for the failed login message as a sign that the login was successful.
If we're breaking the rules, then how come you can't catch us? You can't find us? I know why. Cause, it's ... MAGIC!
Hackerthreads chat, where the party is going 24/7.
User avatar
Cool_Fire
Not a sandwich
 
Posts: 1880
Joined: Fri May 09, 2003 1:20 pm
ICQ: 336613081
Website: https://www.insomnia247.nl/
Yahoo Messenger: cool_fire_666
AOL: EvilCoolFire
Location: 41 6d 73 74 65 72 64 61 6d


Return to ā€œ%sā€ Newbie Corner

Who is online

Users browsing this forum: No registered users and 2 guests

cron