By: vitter@safechina.net
Web: http://www.securitycn.net
Some time ago, shortly after buying a wireless router, I took a notebook at home and ran a wireless penetration test in my residential area. I would like to remind readers once again that wireless router security deserves attention (see the earlier article "Wireless Is Not Just as Important as Network Security").
Scanning for networks found three SSIDs with good signal: two using WPA encryption and one using WEP (SSID: TP-LINK).
Figure 1 Wireless networks found
We know that WEP encryption is easily cracked (see the earlier articles "Cracking Wireless Network WEP/WPA Keys", "Detailed Steps for Cracking WEP Wireless Network Passwords with BackTrack3 (BT3) from USB", "BT3 Successfully Cracks Client Wireless WEP Passwords, Perfect Support for Intel 2200BG", and "Intel 3945ABG OmniPeek 4.1 Packet Capture and WEP Cracking"), so let's start with the WEP network. The specific cracking method is not described here; refer to the articles above.
Figure 2 Password obtained
With the password obtained, the next step is to connect to the wireless network.
Figure 3 Network connection OK
The IP address I was assigned is 192.168.1.1xx.
Figure 4 My IP address
Next we scan and footprint his network.
Figure 5-1 Network footprinting, step 1
Figure 5-2 Network footprinting, step 2
From his SSID it is easy to infer the wireless router model he is using: a TP-LINK. The scan shows port 80 open on the wireless router at 192.168.1.1, so we try to log in to its web management interface.
Figure 6 Wireless router web management
Next, try the default username and password. No luck; it seems the password has been changed.
Figure 7 The password has been changed
OK, let's guess again. The scan found a host at 192.168.1.1xx with the host name guoxx, so the user's name is probably guoxx. Let's see whether the router's management user name and password are the same.
Figure 8 OK
It seems this user's security awareness is poor, because the user name and password are identical. The next step is to check the router's configuration. I found that he uses the wireless router for ADSL dial-up, which is a stroke of luck. As the figure shows, the password field is masked with asterisks; let's see whether the password can still be recovered.
Figure 9 ADSL dial-up configuration
Check the page source first. It seems TP-LINK has restricted this, so we switch browsers: open Opera and view the source including the frame content (Ctrl + Shift + U).
Figure 10 Source code viewed in Opera
This time it worked: the page source contains the plaintext password.
Figure 11 Plaintext password
It seems TP-LINK wireless routers are not safe, with such an obvious vulnerability present. I also use this brand; fortunately I do not need the router to dial up, because this is too insecure. The vendor should be informed so they can fix the vulnerability.
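The weakness described above is a configuration page that echoes a stored secret back into a password field's `value` attribute, hidden from the eye by asterisks but present in the source. The following audit helper, added here as an example and not code from the original post, parses a saved copy of a router's admin page, flags pre-filled password fields (reporting only the field name and secret length, never the secret), and lists frame sources so that frame-based pages like the one in the article are audited completely. The HTML samples are constructed for the example and do not reproduce any vendor's real markup.

```python
from html.parser import HTMLParser


class AdminPageAuditor(HTMLParser):
    """Collects pre-filled <input type="password"> fields and frame sources."""

    def __init__(self):
        super().__init__()
        self.findings = []   # password fields whose value attribute is populated
        self.frames = []     # src of <frame>/<iframe>, to be fetched and audited too

    def handle_starttag(self, tag, attrs):
        tag = tag.lower()
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "input" and a.get("type", "").lower() == "password" and a.get("value"):
            # Report the exposure without writing the secret itself anywhere.
            self.findings.append({"name": a.get("name", "?"), "length": len(a["value"])})
        elif tag in ("frame", "iframe") and a.get("src"):
            self.frames.append(a["src"])


def audit_page(html):
    """Return (list of exposed password fields, list of frame sources to audit next)."""
    p = AdminPageAuditor()
    p.feed(html)
    p.close()
    return p.findings, p.frames


# Constructed samples (hypothetical markup, not a real TP-LINK page).
SAMPLE_FRAMESET = """<html><frameset cols="20%,80%">
<frame name="menu" src="menu.htm"><frame name="main" src="main.htm">
</frameset></html>"""

SAMPLE_FORM = """<html><body><form name="adsl">
User: <input type="text" name="pppoe_user" value="example_user">
Password: <input type="password" name="pppoe_pwd" value="S3cretPw">
Confirm: <input type="password" name="pppoe_pwd2" value="">
Admin: <input type="password" name="login_pwd">
</form></body></html>"""

if __name__ == "__main__":
    for page in (SAMPLE_FRAMESET, SAMPLE_FORM):
        findings, frames = audit_page(page)
        for f in findings:
            print(f"EXPOSED: field {f['name']} carries a {f['length']}-char secret in its source")
        for src in frames:
            print(f"frame to audit next: {src}")
```

Only fields whose `value` is non-empty are reported, so an empty confirmation field or a plain login prompt does not count as an exposure.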
OK. We now have his ADSL account and password. What can be done with these is left to the reader's imagination; they have many uses.
Now back to the host penetration. In Figure 5-2 we see that it is an XP system with port 3389 open and file sharing enabled, so the host appears to use Remote Desktop.
Let's try again with the user name guoxx and the password guoxx. No. I changed the password to the ADSL password, and it worked. Ha, I am lucky today; it took no effort at all. I was still thinking about using some remote vulnerability and didn't expect it to be so simple. I found that the host uses the Sogou input method; this version also has a logon vulnerability, but since I already have all the passwords it is not needed. The rest is cloning an admin account, planting a trojan, wiping traces and leaving.
In summary, we need to note the following:
1. Use WPA2, with its stronger security, wherever possible; disable DHCP, bind MAC addresses, and do not broadcast the SSID. This makes the wireless network much more secure: if no one else can get onto the network, nothing in this article is possible.
2. Do not use your own Chinese or English name as a password. Do not use the host name as the password, and do not use the same user name and password. Passwords must be more than 8 characters and include uppercase and lowercase letters, numbers, and special characters.
3. Disable unneeded services in Windows, especially Remote Desktop, and install patches. Use a secure version of any third-party input method.