Breaking in: WiFi Security

Zeref_Sec
4 min readAug 18, 2021


Origins…

Since the days of old, everyone’s first experience with hacking always seems to be with WiFi, and for obvious reasons: in the age of information we all require access to the internet, and what’s better than the internet? Free internet.

Everyone has a story about their first hack as a young teenager: cracking a WEP key and getting that good old free internet. But since the release of WPA/WPA2 security such stories are now a thing of the past… or are they?

Enter Left: The Lazy Network Admin (or the common household). Anything that requires a password to be secure is only ever as secure as you make the password, and what few people seem to realize is that the password on your router is not as secure as you may think.

Think about what makes password-based security work. Is it the length? The characters? Nope, it is the idea that no one except you knows the password and the rules you applied when making it. Now consider this: how many people change the default password on their home router? The answer: a lot fewer than there should be. Now you may think your password is secure because you don’t know it until your router arrives, and neither does the company you paid for your router. Since this password wasn’t in play until it arrived on the router at your front door, how could it possibly be insecure?

Aireplay & Airodump: Catching the Hash

If you have any experience with Aircrack-ng or WiFi hacking in general, you probably know that the first step in hacking WiFi is capturing the 4-way handshake. Simply set your card into monitor mode, select an access point with clients attached to it, then use aireplay to deauthenticate a client and listen for the handshake.

With the handshake captured in a cap/pcap file on our PC, the next step is to convert it into an hccapx file so it is compatible with hashcat for the password-cracking portion.

Note: I have tried this using the built-in password cracker in the Aircrack toolkit and I will say this: DO NOT DO IT. No matter the password, if it’s a WPA key this will take way too long to complete. Use hashcat and GPU-based cracking; CPU cracking, no matter what, will always take too long to crack even the weakest hash.

Now that we have our hccapx file and the rules for how the password is generated, we can generate the wordlist, pipe it into hashcat, and let it do its job for us to get some free WiFi.

Hashcat running against a WPA2 handshake captured from a Sky Router

Loot N Shoot time

So with access to the network, aside from the free internet what could we do?

Well, the first and most obvious advantage for an attacker getting on your network is free anonymity while hacking others; as with every attack, no one uses their own infrastructure, and their connection to the internet is no different. From someone else’s connection you have a free public IP, you can carry out attacks without an ISP tracing them to your physical location, and you can hack other infrastructure to set up a C2 if you’re using malware. Free internet paid for by someone else grants an attacker a lot.

How about pivoting around and seeing what we have access to on the network? Maybe we can find other computers, laptops, mobile phones? An attacker with access to these devices now has all your data if they can get a shell on each of them, and may even add them to a botnet.

Then there’s the big one: the router web panel. While inaccessible from outside the network, once you’re on the WiFi you can reach it by paying a visit to “192.168.0.1”. What can we do within the web panel, you ask? Well, how about opening up ports on your network in order to set up that C2 we discussed? We could also set up our own malicious DNS server to forward all the traffic from the household and allow the attacker to grab any goodies like credentials and bank details.

In short, a lot of damage can be done by popping someone’s WiFi, both to the people who own the network and to unrelated people, since the attacker can use the network as a proxy.

How to deal with this?

STOP USING DEFAULT PASSWORDS!

Seriously, the issue of default passwords is far too common, and it isn’t limited to routers; it affects other services like Tomcat, FTP servers, and many more. The best thing you can do with anything that asks for a password to secure it is to ensure you change it.

Now, to be fair, this isn’t going to be an issue for every router out there, but it will affect a good portion. The reason it’s still possible for me to hack something like a Sky router regardless of WPA2 security is how the rules for the default passwords are set up. For Sky, the passwords are always 8 characters long and only use the characters “EBWDCFAXRYVPTSUQ”. This allows for a very small number of possible combinations, and it made the cracking I did take only about 72 hours, which in cracking time is quite short.
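As an added example (not from the original post), a small Python audit that puts numbers on the argument above from the defender's side: it computes the keyspace and bit strength of the 8-character, 16-letter default pattern the post describes, flags a passphrase that still matches that pattern, and scales the author's observed 72 hours to what a longer random passphrase would cost at the same guess rate. The comparison passphrase (12 characters over a 62-symbol alphabet) and the sample passphrases are assumptions chosen for illustration.

```python
import math

# Default-key pattern the post describes for Sky routers: 8 characters drawn
# from this 16-letter alphabet. Everything else below is an assumption.
SKY_DEFAULT_ALPHABET = "EBWDCFAXRYVPTSUQ"
SKY_DEFAULT_LENGTH = 8
OBSERVED_CRACK_HOURS = 72  # the post's reported time to exhaust the default keyspace

# Assumed comparison: 12 characters over a-z, A-Z, 0-9 (62 symbols).
STRONG_ALPHABET_SIZE = 62
STRONG_LENGTH = 12


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct keys of a fixed length over an alphabet."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Strength in bits of a uniformly random key: log2 of the keyspace."""
    return length * math.log2(alphabet_size)


def matches_sky_default_pattern(password: str) -> bool:
    """True if a passphrase still fits the unchanged Sky default-key pattern."""
    return (len(password) == SKY_DEFAULT_LENGTH
            and all(c in SKY_DEFAULT_ALPHABET for c in password))


def scaled_exhaust_hours(observed_hours: float, observed_space: int, target_space: int) -> float:
    """Scale a measured full-keyspace search time to another keyspace at the same guess rate."""
    return observed_hours * target_space / observed_space


def audit(password: str) -> dict:
    """Defender-side check: flag default-pattern keys and report the keyspace gap."""
    default_space = keyspace(len(SKY_DEFAULT_ALPHABET), SKY_DEFAULT_LENGTH)
    strong_space = keyspace(STRONG_ALPHABET_SIZE, STRONG_LENGTH)
    return {
        "looks_like_default": matches_sky_default_pattern(password),
        "default_bits": entropy_bits(len(SKY_DEFAULT_ALPHABET), SKY_DEFAULT_LENGTH),
        "strong_bits": entropy_bits(STRONG_ALPHABET_SIZE, STRONG_LENGTH),
        # Years the same hardware would need to exhaust the stronger keyspace.
        "strong_exhaust_years": scaled_exhaust_hours(
            OBSERVED_CRACK_HOURS, default_space, strong_space) / (24 * 365),
    }


if __name__ == "__main__":
    for pw in ("BXTQEAWD", "correct-horse-Battery9"):  # constructed sample passphrases
        print(pw, audit(pw))
```

The default pattern yields exactly 2^32 keys (32 bits); the same search rate that exhausts it in 72 hours would need billions of years for the 12-character comparison.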

Hope this blog helps people secure their home networks and encourages you lazy sysadmins to think about that router a bit more. Take care guys ❤


Written by Zeref_Sec

Cyber Security, OSINT, Malware Analysis, HackTheBox, TryHackMe
