How does traffic hijacking happen?

Source: Internet
Author: User

Traffic hijacking: after a period of silence, this old attack has recently stirred again. Routers from many well-known brands have been found, one after another, to have security vulnerabilities, drawing domestic media coverage. As long as the user has not changed the default password, simply opening a web page or even a forum post is enough for the router configuration to be secretly modified. Overnight, the Internet has become precarious.

The attacks are still the same few attacks, and the reports still carry the same boilerplate expert reminders, so everyone has gone numb. We have long been used to hijacking by carriers and to frequent advertisements. No loss has occurred in all these years, so people turn a blind eye.

In fact, being hijacked only by a carrier counts as lucky. Compared with mysterious hackers hiding in the dark, carriers are public enterprises and still have to abide by the law. Advertising hijacking is shameless, but it still has a bottom line. The very fact that you can see the advertisements is a reminder that the current network is at risk of hijacking. Conversely, when everything seems calm and nothing looks unusual, spies may already be lurking in the network, waiting for you to take the bait. That is not as simple as showing advertisements; it is about stealing money!

Will I be hijacked?

Many people think as follows: only those with weak security awareness get intruded upon. As long as a variety of professional firewalls are installed, system patches are applied promptly, and all passwords are complex, hijacking will never happen to me.

Indeed, those with strong security awareness are not easily intruded upon, but that holds only for traditional viruses and Trojans. In the face of traffic hijacking, almost everyone is equal. Network security is different from traditional system security. A network is a combination of various hardware devices, so the barrel effect is especially pronounced: even if you have a god-like system, your security level drops instantly when it meets a pig-like device. Low-cost routers are becoming more and more popular, and they carry all kinds of online transaction traffic. Can you use them with confidence?

Even if you believe that the system and equipment are absolutely reliable, can you rest assured? In fact, problematic devices are not that many, yet incidents are plentiful. Is there still some other defect? Yes, the most important thing has been overlooked: the network environment.

If hackers are lurking in the network environment, even sufficient professional skill makes it hard to escape. When the enemy is in the dark, you fall into the trap.

Of course, flies do not bite seamless eggs. What risks open cracks in your network environment? There are too many: attacks that have been popular since ancient times are numerous, and you can even invent one yourself based on the actual environment.

Here I recall the hijacking cases I have tried.

Ancient times:

  • Hub sniffing
  • MAC spoofing
  • MAC flooding
  • ARP attack
  • DHCP phishing
  • DNS hijacking
  • CDN intrusion


  • Router weak password
  • Router CSRF
  • PPPoE phishing
  • Honeypot proxy

Industrial Age:

  • Weak Wi-Fi password
  • WiFi pseudo-hotspot
  • Forced Wi-Fi disconnection
  • WLAN base station phishing

Hub sniffing

Hubs are no longer in use and were already rare a decade ago. As an early network device, a hub's only function is to broadcast packets: a packet received on one interface is sent to all interfaces. Leaving aside its astonishingly small bandwidth, this forwarding rule alone is unreasonable. If anyone can receive the data of the entire network environment, you can imagine the state of privacy and security.

Sniffers became the top tool of that era. With a filter configured, all kinds of plaintext data could be captured in a short time, with no defense possible.

Preventive Measures: It's still in use. Please try again.

The only remaining use for this type of device is bypass sniffing. The broadcast behaviour makes it easy to analyse communication between other devices, for example capturing packets from a set-top box without affecting normal communication.

MAC spoofing

The emergence of switches gradually eliminated hubs. A switch binds MAC addresses to interfaces, so a packet is ultimately sent to only one terminal. Therefore, as long as the MAC-to-interface mapping is configured in advance, it is theoretically safe.

However, few people do this. Out of laziness, most use the device's default mode: automatic learning. The device automatically associates the source address of a packet received on an interface with that interface.

However, this kind of learning is not intelligent. It is rigid, and any hearsay is taken as truth. It is very easy for a user to send a packet with a custom source MAC address, so the switch is easily fooled. By forging a source address, that address can be associated with one's own interface, and the victim's traffic is obtained.

However, once the victim sends another packet, the binding reverts to its normal state. So whoever sends more frequently wins the right to receive for that MAC address. If the gateway address is forged, the switch mistakenly believes that the gateway cable is plugged into your interface, and the outbound traffic of the network environment arrives at you instantly.

Of course, unless you have another outbound channel through which to proxy the stolen data, you cannot send it on to the real gateway that you have knocked out, and the hijacked users cannot access the Internet. So this attack does little harm, but it is highly destructive and can take everyone offline in an instant.

Preventive Measures: On a fixed network, bind MAC addresses to interfaces wherever possible. Most Internet cafes appear to bind MACs to interfaces, which greatly strengthens link-layer security. At the same time, independent subnets should be divided into VLANs as much as possible to avoid overly large broadcast environments.

If you have seen a college network without VLAN division, you know that a single short-circuited network cable can bring down the entire network.

MAC flooding

The forwarding difference between a hub and a switch was mentioned earlier. If a switch sees a destination MAC address that it has not yet learned, where does it send the packet? To avoid packet loss, it can only broadcast it to all interfaces.

If a switch's learning function fails, it degrades into a hub. Because switch hardware is limited, it obviously cannot record an unlimited number of address entries. Flooded with frames from many different source addresses, the switch's table soon fills up and even overwrites the original learned entries. User packets can then no longer be forwarded normally and can only be broadcast to all interfaces.

Preventive Measures: Binding MAC addresses to interfaces also works here. Once bound, an interface accepts only its fixed source address, and forged addresses are naturally rejected. Better switches also have policies that prevent one interface from being associated with too many MAC addresses.
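The two preventive measures above (binding a MAC address to an interface, and limiting how many addresses one interface may learn) can be modelled in a few lines. This is an added example, not code from the original article; the class, the alert names, the limit of 4 and all addresses are assumptions chosen for illustration.

```python
import random


class PortSecuritySwitch:
    """Toy model of a switch's MAC table with the two defences described above."""

    def __init__(self, static_bindings, max_macs_per_port=4):
        # static_bindings: administrator-configured MAC -> port map
        self.static = {mac.lower(): port for mac, port in static_bindings.items()}
        self.locked_ports = set(self.static.values())
        self.max_macs_per_port = max_macs_per_port
        self.table = dict(self.static)   # MAC -> port, static plus learned
        self.alerts = []

    def receive(self, port, src_mac):
        """Handle the source address of one frame; return True if it is accepted."""
        mac = src_mac.lower()
        if mac in self.static:
            if self.static[mac] == port:
                return True
            self.alerts.append(("static-mac-on-wrong-port", mac, port))
            return False
        if port in self.locked_ports:
            # A port with a static binding accepts only its bound addresses.
            self.alerts.append(("unbound-mac-on-locked-port", mac, port))
            return False
        previous = self.table.get(mac)
        if previous == port:
            return True
        learned_here = sum(1 for p in self.table.values() if p == port)
        if learned_here >= self.max_macs_per_port:
            self.alerts.append(("port-mac-limit", mac, port))
            return False
        if previous is not None:
            # Automatic learning follows the move, but the flap is recorded.
            self.alerts.append(("mac-moved", mac, previous, port))
        self.table[mac] = port
        return True


def run_demo():
    """Replay constructed traffic: gateway on port 1, a host on port 2, noise on port 3."""
    gateway, host = "00:11:22:33:44:01", "00:11:22:33:44:02"
    sw = PortSecuritySwitch({gateway: 1}, max_macs_per_port=4)
    sw.receive(1, gateway)
    sw.receive(2, host)
    gateway_claim = sw.receive(3, gateway)   # forged gateway source: rejected
    host_claim = sw.receive(3, host)         # unbound entry moves, but is logged
    rng = random.Random(1)
    accepted = 0
    for _ in range(1000):                    # many random source addresses
        mac = ":".join(f"{rng.randrange(256):02x}" for _ in range(6))
        accepted += sw.receive(3, mac)
    return sw, gateway_claim, host_claim, accepted


if __name__ == "__main__":
    sw, gateway_claim, host_claim, accepted = run_demo()
    print("forged gateway accepted:", gateway_claim)
    print("host MAC moved to port 3:", host_claim)
    print("flood entries learned:", accepted, "table size:", len(sw.table))
```

The statically bound gateway cannot be claimed from another port, the unbound host can (which is why the move is logged), and the table stays bounded however many source addresses arrive on port 3.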

I tried it once at home to capture the Internet traffic of users in the community. However, the fake packets were sent too quickly, ~0.15 million packets/second, and, even more fatally, they were sent with a wrong target address to the access server of the metropolitan area network. As a result, the staff cut off the network of the entire community for half a day... Therefore, you must select an address in the VLAN as the target MAC address to avoid a massive data storm.

ARP attack

Almost everyone has heard of this attack. Even people who know little about computers know to install an ARP firewall for safety, so the dangers of this attack can be imagined.

Simply put, ARP broadcasts a query for the MAC address corresponding to an IP address. Once the MAC address for that IP address is known, communication over the link is possible (the link layer can only communicate using MAC addresses).

If someone impersonates the responder and answers ahead of the legitimate host, the forged answer wins. The IP address then resolves to the wrong address, and all subsequent communication is hijacked.

In fact, early systems had an even more serious bug: if an ARP reply packet was sent directly to a user, the system would accept the reply and save the record in advance, even though it had never made a request. This kind of cache poisoning raises the hijacking success rate further.

Preventive Measures: Because such attacks are so prevalent, most routers have anti-ARP-attack functions. Client-side ARP firewalls are also numerous and seem to have become standard in security software. The system also supports mandatory binding of IP addresses to MAC addresses, which can be used if necessary.
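What an ARP firewall checks can be shown by parsing raw ARP frames and flagging the cases described above: a reply nobody asked for, an IP address that changes its MAC address, and a claim that contradicts a static IP-to-MAC binding. This is an added example, not code from the original article; the finding names, addresses and sample frames are constructed for illustration.

```python
import socket
import struct

ARP_REQUEST, ARP_REPLY = 1, 2


def _mac(text):
    return bytes.fromhex(text.replace(":", ""))


def _fmt(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_arp(eth_src, eth_dst, oper, sha, spa, tha, tpa):
    """Build an Ethernet+ARP frame; used here only to construct sample input."""
    return (_mac(eth_dst) + _mac(eth_src) + b"\x08\x06"
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
            + _mac(sha) + socket.inet_aton(spa) + _mac(tha) + socket.inet_aton(tpa))


def parse_arp(frame):
    """Return the ARP fields of an untagged IPv4-over-Ethernet ARP frame, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"eth_src": _fmt(frame[6:12]), "oper": oper,
            "sha": _fmt(frame[22:28]), "spa": socket.inet_ntoa(frame[28:32]),
            "tpa": socket.inet_ntoa(frame[38:42])}


class ArpWatcher:
    def __init__(self, static_bindings=None):
        self.static = dict(static_bindings or {})   # IP -> MAC set by the admin
        self.seen = {}                              # IP -> first MAC observed
        self.pending = set()                        # (asker IP, asked IP)

    def inspect(self, frame):
        """Return a list of findings for one frame (empty list means clean)."""
        pkt = parse_arp(frame)
        if pkt is None:
            return []
        findings = []
        if pkt["eth_src"] != pkt["sha"]:
            findings.append("sender-mismatch")
        if pkt["oper"] == ARP_REQUEST:
            self.pending.add((pkt["spa"], pkt["tpa"]))
        elif pkt["oper"] == ARP_REPLY:
            key = (pkt["tpa"], pkt["spa"])
            if key not in self.pending:
                findings.append("unsolicited-reply")
            self.pending.discard(key)
        ip, mac = pkt["spa"], pkt["sha"]
        if ip == "0.0.0.0":                         # ARP probe, no binding claimed
            return findings
        if ip in self.static:
            if self.static[ip] != mac:
                findings.append("violates-static-binding")
        elif self.seen.setdefault(ip, mac) != mac:
            findings.append("binding-changed")      # the first binding is kept
        return findings


GW_IP, GW_MAC = "192.168.1.1", "02:00:00:00:00:01"
HOST_IP, HOST_MAC = "192.168.1.10", "02:00:00:00:00:10"
OTHER_MAC = "02:00:00:00:00:66"
BCAST, ZERO = "ff:ff:ff:ff:ff:ff", "00:00:00:00:00:00"

# Constructed sample traffic, in capture order.
SAMPLE = [
    build_arp(HOST_MAC, BCAST, ARP_REQUEST, HOST_MAC, HOST_IP, ZERO, GW_IP),
    build_arp(GW_MAC, HOST_MAC, ARP_REPLY, GW_MAC, GW_IP, HOST_MAC, HOST_IP),
    build_arp(OTHER_MAC, HOST_MAC, ARP_REPLY, OTHER_MAC, GW_IP, HOST_MAC, HOST_IP),
    build_arp(OTHER_MAC, GW_MAC, ARP_REPLY, OTHER_MAC, HOST_IP, GW_MAC, GW_IP),
]


def run_demo():
    watcher = ArpWatcher(static_bindings={GW_IP: GW_MAC})
    return [watcher.inspect(frame) for frame in SAMPLE]


if __name__ == "__main__":
    for number, findings in enumerate(run_demo(), 1):
        print(number, findings or "clean")
```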

Many tutorials use Wireshark for demonstration. In the past there was also a very handy program called IRIS, which could modify packets and resend them, making it easy to understand the principles of various attacks. However, it has not been updated for N years and does not support 64-bit.

DHCP phishing

In reality, not everyone configures network parameters, and some let the system configure the network automatically for convenience. The DHCP service was born for this purpose.

Because the IP address, gateway, and DNS are not yet configured, it is hard to do anything on the network, so these must first be obtained from DHCP. But with no IP address, how does one communicate? Obviously, the request can only be sent to the broadcast address, while the client temporarily uses an invalid IP address. (In fact, a MAC address is all that link-layer communication needs, and IP addresses already belong to the network layer, but DHCP uses UDP because of some special needs.)

Because the request is sent to broadcast, all users on the intranet can hear it. If multiple DHCP servers exist, each replies separately, and the user selects the first one. The rule is so simple that the user has no choice.

If a hacker has also enabled a DHCP service on the internal network, the reply packet the user receives may have been sent by the hacker. The user's network configuration is then entirely at the hacker's mercy, and it is hard not to be hijacked.

Preventive Measures: If you use a network cable to access the Internet, it is best to configure the network manually. The administrator should also strictly control permission to send DHCP replies, allowing only specific interfaces of the switch to send reply packets.
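The administrator-side control described above (only specific switch interfaces may send DHCP replies) amounts to parsing each DHCP message and dropping server-type messages that arrive on any other port. This is an added example, not code from the original article; the port numbers, addresses and the verdict format are assumptions.

```python
import socket
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
SERVER_MESSAGES = {2: "OFFER", 5: "ACK", 6: "NAK"}   # values of DHCP option 53


def build_dhcp(op, msg_type, xid, client_mac, yiaddr="0.0.0.0", options=()):
    """Build a BOOTP/DHCP payload; used here only to construct sample input."""
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", op, 1, 6, 0, xid, 0, 0x8000,
                        bytes(4), socket.inet_aton(yiaddr), bytes(4), bytes(4),
                        client_mac, b"", b"")
    opts = bytes([53, 1, msg_type])
    for tag, value in options:
        opts += bytes([tag, len(value)]) + value
    return fixed + MAGIC_COOKIE + opts + b"\xff"


def parse_dhcp(payload):
    """Parse the fixed BOOTP header and the option list; None if malformed."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        return None
    options, i = {}, 240
    while i < len(payload):
        tag = payload[i]
        if tag == 255:                      # end option
            break
        if tag == 0:                        # pad option
            i += 1
            continue
        if i + 1 >= len(payload):
            return None
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:            # option runs past the end
            return None
        options[tag] = value
        i += 2 + length
    return {"op": payload[0], "yiaddr": socket.inet_ntoa(payload[16:20]),
            "chaddr": payload[28:34], "options": options}


def _ips(value):
    return [socket.inet_ntoa(value[i:i + 4]) for i in range(0, len(value) - 3, 4)]


def snoop(ingress_port, payload, trusted_ports):
    """Decide whether a switch should forward a DHCP payload seen on ingress_port."""
    msg = parse_dhcp(payload)
    if msg is None:
        return {"verdict": "drop", "reason": "malformed"}
    raw_type = msg["options"].get(53, b"")
    msg_type = raw_type[0] if raw_type else 0
    from_server = msg["op"] == 2 or msg_type in SERVER_MESSAGES
    if from_server and ingress_port not in trusted_ports:
        # Report what the unexpected server tried to hand out.
        return {"verdict": "drop", "reason": "server reply on untrusted port",
                "type": SERVER_MESSAGES.get(msg_type, "BOOTREPLY"),
                "offered_ip": msg["yiaddr"],
                "router": _ips(msg["options"].get(3, b"")),
                "dns": _ips(msg["options"].get(6, b""))}
    return {"verdict": "forward", "reason": ""}


CLIENT = bytes.fromhex("020000000010")      # constructed client MAC
TRUSTED = {24}                              # assumed uplink port to the real server


def run_demo():
    discover = build_dhcp(1, 1, 0x1234, CLIENT)
    expected = build_dhcp(2, 2, 0x1234, CLIENT, "192.168.1.50",
                          [(3, socket.inet_aton("192.168.1.1")),
                           (6, socket.inet_aton("192.168.1.1"))])
    unexpected = build_dhcp(2, 2, 0x1234, CLIENT, "192.168.1.77",
                            [(3, socket.inet_aton("192.168.1.66")),
                             (6, socket.inet_aton("192.168.1.66"))])
    return [snoop(7, discover, TRUSTED), snoop(24, expected, TRUSTED),
            snoop(9, unexpected, TRUSTED)]


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```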

Any protocol that uses this kind of question-and-answer model faces the risk of impersonated answers. Many of the principles are similar.

DNS hijacking

DNS is responsible for resolving domain names to IP addresses, just as ARP resolves IP addresses to MAC addresses. As a network-layer service, it serves a much wider range of users and naturally faces more risks. Once it is compromised, all of its users are out of luck. All major network accidents in recent years are related to DNS.

Once a DNS service is controlled by hackers, every domain name resolution that users initiate can be secretly manipulated. A legitimate website is resolved to the IP address of the hacker's server, on which an HTTP proxy has been enabled in advance. Users can hardly see any flaw while browsing, while the hacker obtains all the traffic, and the account information for all kinds of websites is visible at a glance.

Because DNS servers are so important, they usually have strong security protection in practice, and it is not easy to break into such a system. However, some DNS programs have design defects that allow hackers to control where certain domain names point. The most notorious of these is DNS cache poisoning.

You may have noticed the chain domain name -> IP -> MAC -> interface: wherever a lookup is dynamic, there is one more link, and the risk naturally increases. Flexibility and security are always a trade-off.

Preventive Measures: Manually set some authoritative DNS servers, such as and 4.4.4, which may be more reliable.

DNS hijacking on the public network rarely occurs, but DNS hijacking on home routers has become rampant. The router vulnerabilities reported at the beginning of this article are used to modify the DNS address.

CDN intrusion

We all know that a CDN speeds things up, but many people are unclear about the principle. In fact, a CDN is itself a form of DNS hijacking, just a benign one.

Unlike hackers, who force DNS to resolve domain names to their own phishing IP addresses, a CDN has DNS actively cooperate and resolve domain names to a nearby server. That server also runs an HTTP proxy, so users do not notice the existence of the CDN.

However, a CDN is not as greedy as a hacker, who hijacks all user traffic. It only "hijacks" users' access to static resources: resources that users have accessed before are returned directly from the local cache, so the speed is greatly improved.

However, wherever there is a cache, there is room for mischief. Once a CDN server is compromised, the cached files on its hard disk are in danger. Web pages are injected with scripts, executable files are infected, and a large wave of botnets is about to emerge.

Preventive Measures: If the operator is not reliable, use a third-party DNS without acceleration, which may not resolve to the CDN server.

Many CDNs do not play by the rules in order to save traffic: they do not refresh content after the cache time has expired, and some even ignore what follows the question mark in a URL. As a result, programmers have a headache over resource updates.

Router weak password

As computer prices dropped again and again and everyone wanted to buy a second one, the router market boomed too.

However, because configuration is tedious and the user experience is poor, a considerable number of users still do not understand how to configure a router. and admin/admin are almost constants of domestic routers. Countless times, the router backend of an Internet cafe or library has been entered with no technical skill at all.

If someone merely restarts the router or throttles other people's speed, you should thank them for their kindness. If they change the router's DNS, it is quite serious! DNS hijacking on the public Internet usually does not last long, but DNS hijacking on a router may go unnoticed for months or years.

In fact, some users with strong security awareness also use the default password. The reason is simple: a router today has two thresholds, one being the Wi-Fi connection password and the other the management password. Many people set a complicated Wi-Fi password and then stop worrying, reasoning that if nobody can connect to the network, how could anyone reach the backend?

I had this idea before, but it always felt wrong: what if another computer or mobile phone in the house is infected and automatically tries weak passwords to break into the router backend? Once the city has been occupied from within, what is the purpose of the city walls?

In fact, apart from modifying DNS configurations, hackers can do something even more terrible: upgrade the firmware of the router, replacing it with firmware that looks exactly the same but has malware implanted! This is not yet widespread, but once it becomes popular, a large number of routers will become Pandora's boxes.

Preventive Measures: Never underestimate the router password. In fact, it is more important than all your other accounts.

If you do not change the default password, not even the gods can protect you ~

Router CSRF

Back to what was said at the beginning of this article: why do so many routers have this vulnerability? Perhaps router developers overestimate users and assume that the vast majority have changed the default password, so that CSRF is almost impossible to exploit.

In fact, the security awareness of Chinese netizens is far from what they imagine. As mentioned above, many set only the Wi-Fi password and ignore the management password, so a malicious program can quietly enter the router backend.

I didn't expect this kind of virus to appear now, and as a web version at that!

The CSRF vulnerability makes viruses and Trojans unnecessary. When a user merely visits a web page, or even a forum post, the browser automatically sends a configuration modification request to the router.

Because the web development of domestic routers is so poor, login basically relies on the insecure and ugly HTTP 401 pop-up box. Simply putting "username:password@" in the URL logs in automatically, and no prompt is displayed even if the login fails.

Preventive Measures: Regularly check whether the router password has been tampered with.

Read the source code of a router's pages and you will find it dreadful, like something from the IE5 era. The router chips are all bought in, and the kernel is open source. Does the so-called "independent R&D" refer to those few pages?

PPPoE phishing

Well, enough about routers. Next, let's talk about something that even advanced routers cannot defend against.

Apart from some large companies and schools that use fixed leased lines to access the Internet, individuals and small organizations seldom use such luxury packages and can only honestly dial up, whether through China Telecom, Netcom, or Tietong.

Many people mistakenly believe that dialing establishes the physical signal and that point-to-point communication is impossible before dialing. If so, how would the account and password be transmitted during dial-up? Obviously that is impossible. In fact, the link to the terminal is always up. Without dialing, you simply cannot obtain parameters such as the IP address, gateway, and session. Even if packets are forcibly sent to the gateway, packets without an authenticated session are ignored, and you naturally cannot access the Internet.

PPPoE, seen so often during dial-up, stands for Point-to-Point Protocol over Ethernet. As the name says, it is a point-to-point protocol: the user sends an account and password to the terminal (BRAS) and obtains an Internet IP address, gateway address, and session. In addition, the protocol is based on Ethernet: even if the line is not Ethernet, the data still has to be encapsulated that way.

Traditional ADSL accesses the Internet over telephone lines, so a "cat" (modem) is required to convert the Ethernet data into telephone signals, which are transmitted through a telecom switch. This equipment ensures that each household is independent, so that phone signals cannot be eavesdropped.

However, the various kinds of community broadband that emerged later do not necessarily work this way. Much of the "Gigabit to the building, MB to the home" bandwidth simply builds n residential area networks and merges them into a large MAN. The so-called "100 MB" is nothing more than the network cable pulled into your home being plugged into a Mbps switch in the building.

Anyone who has used China Netcom knows that the Mbit/s bandwidth is never reached, and in some southern regions the network is as slow as a snail. Yet during downloads, the data rate can easily reach several megabytes per second. This is the LAN at work: if several people nearby are watching the same video, P2P shares the traffic directly within the intranet, greatly reducing the pressure on the nodes.

However, how insecure it is for a whole community to become one LAN. Sometimes unreasonable VLAN division even leads to several communities forming one intranet. If someone turns on a DHCP service, other users can get online just by plugging in the network cable, without even dialing. Is this a pie falling from the sky? If you dare to eat it, you may fall into a hacker's trap.

Of course, few people plug in directly these days; most dial automatically through a router. But the protocol is the same: PPPoE, a very insecure protocol.

Like DHCP, PPPoE discovers available terminals by broadcast, which means that every intranet user in the community can receive the probe. Meanwhile, the probe packet keeps travelling upward until it is received by the terminals in the metropolitan area network, which then begin to respond.

If someone in the community privately runs a PPPoE terminal service, it is obviously the first to receive the probe. While the real response packets are still on their way through the streets, the user and the hacker have already begun to negotiate authentication.

However, you may say that a user has to dial before being hooked, and with a router the connection may stay up for years. If you do not want to wait patiently, there is a very simple method: knock a whole group offline.

As mentioned, a short-circuited network cable can cause a broadcast storm. However, that is too violent and may even trigger traffic anomaly alarms. A simpler and more effective method is MAC spoofing: by continuously forging the MAC address of the terminal server, all the packets of the community's users can be drawn in.

PPPoE is a tunnel that encapsulates all data inside its stack. So capturing any packet of a user yields the session ID on the PPPoE stack. Impersonating the terminal and sending the user a "disconnect" command then takes the user offline. With this method, users across the whole community can be made to redial every minute, so the phishing goes quickly.

Even worse, PPPoE transfers the user name and password in plaintext most of the time, so the authentication account sent by the user can also be obtained.

I mentioned earlier that more than 1000 machines in the dormitory were not divided into VLANs, so I wrote a simple PPPoE simulator and easily captured the Internet accounts across the entire network environment. (It also supported the prank functions of one-click redial-all and collective disconnection ~)

Preventive Measures: Because the security of PPPoE depends heavily on the physical layer, avoid Ethernet-access broadband whenever possible. Administrators should also strictly restrict PPPoE discovery reply packets, just as with DHCP, allowing them only on specific interfaces. In practice there cannot be a BRAS server inside the community, so allowing reply packets only on the WAN port of the switch makes it hard to be caught.

PPPoE also has a more serious bug: the session ID is only 2 bytes, at most 65536 possibilities. By creating a "dial-up disconnection" request packet in advance and traversing the session IDs in sequence, all users of a terminal server can be taken offline. If the addresses of all terminal servers are collected in advance, a citywide network disconnection can be initiated --

This bug should have been fixed by now; it only requires binding the <session ID, user MAC, community VLAN ID> relationship. In addition, the fact that one small script can disconnect the networks of the counties and districts of a whole city shows that terminal deployment should not be too concentrated.
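The binding named above, together with the earlier rule that discovery replies are allowed only from the switch's WAN port, can be expressed as a small frame filter. This is an added example, not code from the original article or any vendor; the class, the port numbers, the MAC addresses and the verdict strings are assumptions, and the sample frames are constructed 802.1Q-tagged PPPoE discovery frames without tags in the payload.

```python
import struct

ETH_VLAN, ETH_PPPOE_DISCOVERY = 0x8100, 0x8863
PADO, PADS, PADT = 0x07, 0x65, 0xA7          # PPPoE discovery codes


def _mac(text):
    return bytes.fromhex(text.replace(":", ""))


def build_frame(dst, src, vlan, code, session_id):
    """Build a tagged PPPoE discovery frame; used here only as sample input."""
    return (_mac(dst) + _mac(src) + struct.pack("!HH", ETH_VLAN, vlan & 0x0FFF)
            + struct.pack("!HBBHH", ETH_PPPOE_DISCOVERY, 0x11, code, session_id, 0))


def parse_frame(frame):
    """Return (dst, src, vlan, code, session_id) or None if not PPPoE discovery."""
    if len(frame) < 24:
        return None
    tpid, tci, ethertype, ver_type, code, session_id, _length = struct.unpack(
        "!HHHBBHH", frame[12:24])
    if tpid != ETH_VLAN or ethertype != ETH_PPPOE_DISCOVERY or ver_type != 0x11:
        return None
    return frame[0:6], frame[6:12], tci & 0x0FFF, code, session_id


class PPPoEGuard:
    def __init__(self, uplink_ports):
        self.uplink_ports = set(uplink_ports)
        self.sessions = set()   # (server MAC, session ID, user MAC, VLAN ID)

    def check(self, port, frame):
        parsed = parse_frame(frame)
        if parsed is None:
            return "ignore"
        dst, src, vlan, code, session_id = parsed
        from_uplink = port in self.uplink_ports
        if code in (PADO, PADS) and not from_uplink:
            return "drop: server reply on access port"
        if code == PADS and session_id != 0:
            # Session confirmed by the real server: remember the binding.
            self.sessions.add((src, session_id, dst, vlan))
        elif code == PADT:
            server, user = (src, dst) if from_uplink else (dst, src)
            binding = (server, session_id, user, vlan)
            if binding not in self.sessions:
                return "drop: PADT does not match a session binding"
            self.sessions.remove(binding)
        return "forward"


BRAS, USER, OTHER = "02:00:00:00:0a:01", "02:00:00:00:00:10", "02:00:00:00:00:66"


def run_demo():
    """Constructed scenario: uplink is port 24, the user is on port 3, VLAN 100."""
    guard = PPPoEGuard(uplink_ports={24})
    out = {"pads": guard.check(24, build_frame(USER, BRAS, 100, PADS, 0x1234))}
    out["access_pado"] = guard.check(5, build_frame(USER, OTHER, 100, PADO, 0))
    guessed = [guard.check(5, build_frame(BRAS, OTHER, 100, PADT, sid))
               for sid in range(0x1230, 0x1238)]
    out["guessed_forwarded"] = sum(v == "forward" for v in guessed)
    out["fake_server_padt"] = guard.check(5, build_frame(USER, BRAS, 100, PADT, 0x1234))
    out["wrong_vlan"] = guard.check(3, build_frame(BRAS, USER, 200, PADT, 0x1234))
    out["user_padt"] = guard.check(3, build_frame(BRAS, USER, 100, PADT, 0x1234))
    out["repeat"] = guard.check(3, build_frame(BRAS, USER, 100, PADT, 0x1234))
    return out


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name}: {verdict}")
```

With the binding in place, a disconnect request is honoured only when the session ID, the user's MAC address and the VLAN all match what the server confirmed, so guessing the 2-byte session ID alone achieves nothing.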

Honeypot proxy

As we all know, a certain country has a high demand for proxies. Whether black, white, transparent, or highly anonymous, anything will do as long as it gets you across.

A VPN requires a user name, password, and various kinds of authentication, so it is almost impossible to hijack midway. Hackers seized on people's naivety and turned their attention to the proxy itself. Indeed, encrypted data is hard to hijack in transit, but it must still be restored to its actual content at the server end. If you carelessly connect to a free VPN, you may already have boarded the hacker's pirate ship.

Compared with an HTTP proxy, which affects only some functions, a VPN carries the traffic of the whole system. Applications are unaware of any of this and still send important data out, which is eventually hijacked by the hacker.

Preventive Measures: Do not be tempted by small gains into using free proxies. There is no free lunch in the world.

Many honeypot proxies may not be deployed by hackers, but by, well, you know.

Weak Wi-Fi password

When the Internet extended to mobile devices, the network cable became the biggest burden, and wireless networks gradually came into view. Today, wireless is so cheap and convenient that almost all portable devices use it. Nothing is tied down any more: people can access the Internet anytime and anywhere, which was unimaginable in the past. Hackers can also launch attacks anytime and anywhere, which was once only a dream.

However, no matter how the access method changes, Ethernet is always the core of the network. As mentioned earlier, although the carrier is a telephone line, what is finally demodulated is Ethernet data. The same is true for Wi-Fi: no matter how the radio waves travel, they can be routed only once they are restored to standard Ethernet packets.

A wireless network is like a huge invisible hub that needs no physical medium. Everyone nearby can listen to the data signal, and professional equipment can capture it from even farther away. Without a strong encryption method wrapping the data, there is no privacy at all.

After various types of encryption were cracked one after another, WPA2 is now the standard encryption algorithm for wireless networks. Trying to connect with weak passwords again and again would be very inefficient.

Unlike dialing, a Wi-Fi user must first "associate" with the hotspot to establish a physical channel. As with PPPoE, Wi-Fi can communicate before authentication, and in plaintext. However, only the authentication packets are in plaintext, and the real password does not appear in them. After all, the purpose is completely different from dialing: one is to encrypt all subsequent traffic, while the other only verifies whether you have permission to access the Internet.

Traditional sniffing tools can conveniently capture these handshake packets. Although no password can be found in them, they hold the data related to key initialization. With a professional WPA2 cracking tool and a rich set of password dictionaries, a considerable number of wireless networks can be cracked in an acceptable time.

For many people, the wireless password is the first and only line of defense. Once connected, an attacker can unsurprisingly get into the router backend with ease and then control the traffic of the entire intranet.

Preventive Measures: The simplest and most effective method: add some special symbols to the password.

If a router were flashed with firmware that automatically cracks other wireless networks, then logs into their backends and flashes its own firmware onto them... a router Trojan would break out.

WiFi hotspot phishing

The above is a simple description of wireless password cracking. But if the password is already known, how can an intrusion be launched?

This is a common scenario. In some malls, restaurants, hotels, and similar places, the wireless network's password can be found on walls or cards. Or the neighbour's wireless password has been cracked but the router backend cannot be entered; how to continue?

Nowadays, more and more wireless devices are smart enough to defend against primitive intrusions such as MAC spoofing and ARP attacks. Therefore, a more advanced and concealed approach is required, one that bypasses the network devices and attacks point-to-point directly.

Anyone who has used wireless networks in a large company or shopping mall will have noticed that the network is available everywhere indoors, and the signal is still full from the first floor to the fifth, whereas at home the signal drops a lot through a single wall. Is it one hotspot with a particularly strong signal? But it cannot be received outside the building. In fact, it is not hard to spot many disc-shaped devices on the ceiling of each floor. It is these devices, distributed everywhere, that cover the whole building with wireless and leave few dead spots.

Yet with so many hotspots present at the same time, few are displayed in the search list. Because they all have the same hotspot name (SSID), the client usually merges hotspots with the same name into one. When connecting, the system selects the one with the best signal. If these hotspots use the same authentication method, it makes no difference which one is connected.

Look at this feature carefully and it is not hard to see how much can be done with it: it is practically made for phishing. Start another pseudo-hotspot with the same name and the same authentication, and as long as its signal is strong enough, nearby fish will bite.

At present, almost no client defends against this problem. Malls, coffee shops, and even some large companies are helpless against it. The reason is very simple: the problem lies neither in the devices, nor in the deployment, nor in the users. It is a weakness of the entire protocol stack.

The only thing needed to launch this attack is an ultra-high-power hotspot, to overwhelm the legitimate ones and compete to be the "most trusted" signal source for users.

In fact, every hotspot constantly broadcasts beacon packets containing the hotspot name and other related information. After the user's network card collects, filters, and analyses them, it knows which hotspots are nearby and how strong their respective signals are. For a high-power hotspot, the signal strength (RSSI) received by the user is naturally higher.

Of course, an excessively strong signal source may trigger monitoring alarms, and it also places you in heavy radiation. A directional antenna aimed only at a specific sector works better.

However, transmitting alone is not enough. Even if beacons can be pushed dozens of kilometres, so that the hotspot name can be seen throughout the city, the devices that try to connect do not have signals that strong. Therefore, without a highly sensitive receiving system, a strong signal is just wishful thinking.

Preventive Measures: Because this is an underlying defect, such hijacking is usually difficult to defend against. In theory, hotspots are usually fixed in place, so the 3D coordinates of each hotspot can be recorded in advance and hotspot positions then monitored using Wi-Fi positioning. If a hotspot's signal appears far from its recorded position, it is likely a fake signal from a phishing hotspot.

However, in reality it is not easy to track so many devices at the same time, unless all wireless devices have a built-in function for monitoring nearby hotspots, which would save much of the tracking cost.

In scenarios with high security requirements, "access authentication" is still used: a user name and password must be entered when connecting.

After a user successfully connects to Wi-Fi, the network status changes, and some systems try to request a specific URL. If HTTP 302 is returned, the redirected web page is displayed automatically. The purpose is to make it convenient to open web-based access login pages, which is why a logon page sometimes pops up automatically when you connect to CMCC. It is supported on iPhone, iPad, MacOS, and WP. This useless feature would be nice for pushing ads ~

Forced Wi-Fi disconnection

I have to say that another defect of wifi is getting offline. Similar to pppoe, there is a logout package when the dial is active or passive, and the same is true for WiFi.

As mentioned earlier, session IDs that traverse pppoe can assume that all users send a logout request to disconnect the network throughout the city. WiFi also has similar defects, but in turn: Impersonate a hotspot and broadcast the logout package to all users, so all users connected to the hotspot are offline.

However, being kicked off WiFi only means that authentication was canceled; the user and the hotspot are still associated. The user then re-initiates authentication, which gives the hacker a chance to obtain the handshake data.

If the broadcast continues, the user will never be able to get online, and the screen will keep flashing "Connecting.../Disconnected". The other party may try restarting the router, but the problem persists and every device is affected, so they conclude that the router is faulty and try restoring the factory settings. At that moment, the danger arrives!

As is typical of domestic routers, the WiFi has no password at factory settings and the admin interface basically uses a weak password. So there is a very short security gap in which one can get into the device and take over his network! If you have written a script in advance, then as soon as an open hotspot is found it can connect, log in to the admin interface, and take it over on the spot! The other party has only just reset the router and is hijacked before even getting back to the computer. Completely unexpected...

Of course, to prevent him from entering the router and changing the password, you must immediately hide the SSID so that beacons are no longer sent out. Then nobody can see the device, and it can only be reached through its BSSID (the router's MAC address). But he may wonder why the freshly reset router cannot be seen. For this you have to set up a phishing hotspot in advance, with the same name as the hidden SSID, so that the other party is lured into your honeypot.

In this honeypot, run a site that looks like the router's page (you can directly reverse proxy the page of his router) to stall the user. This gives you plenty of time to operate on the hidden real device. You can even change the firmware!

Of course, some devices do not allow the firmware to be updated so easily: a number printed on the router has to be entered, or a button pressed, before the update starts. This is where the honeypot site plays its part. You can draw a text box on the page prompting him to enter the number on the router, or ask him to press the button directly. Because the router admin interface looks so technical, few people question its authority, and almost everyone follows the steps as told.

In fact, with your honeypot always on, the other party will certainly configure the WiFi password, the management password, and the PPPoE account in it. So all of his Internet secrets are in your hands! Even if you do not modify the router, you can get into it at any time in the future.

Preventive measures: Do not restore the router's factory settings lightly. Be sure to change the default password as soon as possible. Even if there are no hackers nearby, an infected device may connect at any time and break into the admin interface.
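The broadcast logout packets described in this section are 802.11 deauthentication or disassociation frames, and a monitoring sensor can spot a sustained run of them before anyone reaches for the reset button. The detector below is an added example, not part of the original article; the frames are constructed samples, and the window and threshold are assumed tuning values.

```python
import struct
from collections import defaultdict, deque

BROADCAST = "ff:ff:ff:ff:ff:ff"
SUBTYPES = {0x0A: "disassoc", 0x0C: "deauth"}  # 802.11 management subtypes

# Constructed frames (MAC header + reason code, no radiotap), not real captures.
AP = "aabbcc000001"
BCAST_DEAUTH = bytes.fromhex("c0000000" + "ff" * 6 + AP + AP + "0000" + "0700")
UCAST_DEAUTH = bytes.fromhex("c0000000" + "020000000099" + AP + AP + "0000" + "0300")
BEACON_HDR = bytes.fromhex("80000000" + "ff" * 6 + AP + AP + "0000" + "0000")

def mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def parse_logout(frame):
    """Return fields of a deauth/disassoc frame, or None for anything else."""
    if len(frame) < 26:
        return None
    ftype, subtype = (frame[0] >> 2) & 0x3, (frame[0] >> 4) & 0xF
    if ftype != 0 or subtype not in SUBTYPES:
        return None
    (reason,) = struct.unpack_from("<H", frame, 24)
    return {"kind": SUBTYPES[subtype], "dst": mac(frame[4:10]),
            "bssid": mac(frame[16:22]), "reason": reason}

def detect_floods(captures, window=5.0, threshold=10):
    """captures: time-ordered (timestamp_s, frame_bytes) pairs. Returns
    {bssid: first_alert_time} for each BSSID named on more than `threshold`
    broadcast logout frames within `window` seconds."""
    recent = defaultdict(deque)
    alerts = {}
    for ts, raw in captures:
        info = parse_logout(raw)
        if info is None or info["dst"] != BROADCAST:
            continue
        times = recent[info["bssid"]]
        times.append(ts)
        while ts - times[0] > window:
            times.popleft()
        if len(times) > threshold:
            alerts.setdefault(info["bssid"], ts)
    return alerts
```

Where both the hotspot and the clients support 802.11w protected management frames, forged logout frames are rejected by the client, so this alert matters most on networks without it.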

Soft and hard tactics combined. Is that too sneaky? With psychology or social engineering, vulnerabilities that are not very serious on their own can be amplified many times over.

WLAN base station phishing

The hotspot phishing described above can only be carried out in specific places. Hijacking KFC users can only be done in the vicinity of KFC; hijacking users in a residential community can only be done from home. This greatly limits the scope of attack and does not make full use of the flexibility of wireless networks.

However, there is one kind of network that can be received wherever you go. Open your phone and you can always see hotspots such as CMCC, hovering like ghosts. Today, WLAN services have sprung up everywhere and cover almost the whole country. They support higher frequency bands while remaining backward compatible with WiFi, with equipment spread throughout the city in an attempt to build a wireless MAN. The only regret is that the service is paid and the signal is mediocre, far less practical than 3G.

Sometimes we did not connect to these hotspots ourselves, yet the system connected automatically. The reason is simple: at some point in the past we tried connecting to them. The system saves every hotspot that was connected manually and joins it automatically when it appears again. In fact, quite a few people have connected to these hotspots at some point.

Needless to say, you have already thought of hotspot phishing. Moreover, almost all users connect over WiFi, so there is no need for WLAN equipment. Take the high-power hotspot from before, name it CMCC, and put it on the balcony facing the street; before long a crowd of users connects. If virtual APs are supported, use names such as CMCC-AUTO and ChinaNet as well, and even more visitors come.

As mentioned above, many devices automatically pop up a webpage after connecting to WiFi, and this feature makes phishing even easier. To save mobile data, most phone systems prefer WiFi when WiFi and 3G are both available, so users' traffic may flow to hackers without their knowing it.

In fact, the entire phishing setup can also be integrated into Android. The hotspot created by the phone attracts nearby users, and the captured traffic can be forwarded through the phone's own 3G connection. With the powerful forwarding mechanism of the Linux kernel, all kinds of user traffic can be controlled easily. In the future, do not laugh at people with their heads down playing with their phones. They may be hijacking you.

However, in places such as the subway the 3G signal is very poor and it is difficult to forward the data received by the hotspot, so one can only phish, not hijack. Can this standalone mode still be used to intrude into a system? The next article describes how to carry out offline phishing.

Preventive measures: Turn WiFi off when it is not needed, to avoid automatically connecting to insecure hotspots. It is also best to delete saved connection records that have not been used for a long time.
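To find the saved records worth deleting, the sketch below audits a saved-network list for profiles that any same-named hotspot can satisfy. It is an added example, not part of the original article; it assumes the profiles are stored in wpa_supplicant.conf syntax, and the sample configuration is constructed.

```python
import re

# Constructed sample in wpa_supplicant.conf syntax (not from a real device).
SAMPLE_CONF = '''
network={
    ssid="CMCC"
    key_mgmt=NONE
}
network={
    ssid="CMCC-AUTO"
    key_mgmt=WPA-EAP
    eap=PEAP
}
network={
    ssid="Home"
    psk="constructed-passphrase"
}
network={
    ssid="ChinaNet"
    key_mgmt=NONE
    disabled=1
}
'''

def parse_networks(text):
    """Return one dict of settings per network={...} block."""
    nets = []
    for body in re.findall(r"network=\{(.*?)\n\s*\}", text, re.S):
        kv = {}
        for line in body.splitlines():
            line = line.strip()
            if line and not line.startswith("#") and "=" in line:
                key, value = line.split("=", 1)
                kv[key.strip()] = value.strip().strip('"')
        nets.append(kv)
    return nets

def audit(text):
    """Flag enabled profiles that a same-named rogue hotspot could satisfy."""
    findings = []
    for net in parse_networks(text):
        if net.get("disabled") == "1":
            continue
        key_mgmt = net.get("key_mgmt", "WPA-PSK")  # simplified default
        if key_mgmt == "NONE" and "wep_key0" not in net:
            findings.append((net.get("ssid"), "open: joins any AP with this name"))
        elif "EAP" in key_mgmt and not net.keys() & {"ca_cert", "ca_path"}:
            findings.append((net.get("ssid"), "EAP: server certificate not verified"))
    return findings
```
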

An Android hotspot supports only 10 users by default; open a hotspot named CMCC on the street and it fills up instantly. So it is still better to tuck a few good wireless network cards into a laptop bag, which is both discreet and effective. High-power antennas are fun, but they should not be overused, or one day the authorities may come knocking ~


That is all for now. These are only examples that have been tried before; in fact there are far too many methods, and if methods inside the system are counted as well, there is no end to them. But however the methods vary, the ultimate use of traffic hijacking is much the same. What can be done with it? What is the ultimate danger? Find out in the next installment.
