Recently one of my friends asked me to audit his personal wifi network in order to test its security. The way he was smiling…made me feel like he was well prepared…although he’s not a very technical guy, he’s aware of the basics and did what he thought was best to make his access point secure.
So I got myself a drink & fired up my Linux install. I set my wifi card to monitor mode and used the suite of tools provided by aircrack-ng to probe his wireless network. His access point was using the WPA2 – AES encryption scheme, which is good. On further inspection using tools like reaver, I also noticed that his router wasn’t using WPS (which is turned on by default in most cases), so it seems like he did his homework.
WPS is an additional layer through which you can authenticate multiple devices by just pressing a button on your router…but it comes with a flaw that allows an attacker to pretty much bruteforce the PIN, and once the right PIN is hit…they’re given the passphrase to the access point! I don’t really see the point of WPS, and it’s the one thing that in my opinion made wireless networks more insecure and easier to crack. The cost of convenience can be a big price to pay…so if you’re the owner of a wifi network & you’re reading this…make sure you turn off WPS on your router.
So since it wasn’t possible to use reaver to bruteforce WPS, I decided to move on with aircrack-ng. It seemed like he was connected to the network, so by using a combination of aireplay-ng and airodump-ng I was able to deauthenticate him from the network and capture the four-way handshake. In case some people don’t know what a four-way handshake is…it is pretty much a four-step exchange of messages between a client and the access point. It’s the protocol used by the WPA/WPA2 standard to authenticate and associate a client with the wireless network. From a hacker’s point of view, it’s like a candy which comes wrapped up in a metal box made of solid titanium. In case you didn’t get it, think of a bank’s safe (which is usually made of the hardest materials, like titanium). To crack open the safe you’ll need to enter the right password and there’s no other way around that. Forget the high-tech blowtorch or other stuff you see in the movies for now.
So I was able to get the four-way handshake & I loaded up a good dictionary and fired up aircrack-ng to crack the handshake. Well, what do you know, in a matter of 10-15 mins I heard the cores slow down and to my surprise the password was cracked! The password was all numbers, and I think it was around 12 characters in length, but it still ended up being part of the dictionary.
Since he gave me permission to pentest his network, I wasn’t restricted to anything, but I decided not to pentest the connected clients as that would, in my opinion, be a violation of privacy. So to prove to him what a malicious hacker could do, I decided to log into his router and got in with the default password! Damn, no one these days even bothers to change their router’s password. It was a Zyxel router with some good little things here and there, but I decided to log into the command line shell and see what I could find.
So I telnetted into the router with the default password & was given r00t access. I’ve rarely fiddled around with BusyBox systems, but just for the sake of proving what a hacker could do I decided to take a look around…until finally I hit something that caught me by surprise.
When I used the ps command, it showed me the username & password of the account my friend had with his ISP. Usually, even if a hacker manages to crack the network & get into the router’s networking settings, the password field for the ISP’s account is filled with asterisks for security reasons…so copy-paste won’t work. But in this case, by just tinkering around with the process list I was able to get to the credentials, because of the pppd daemon that was running. Since this ISP is quite common in the area where I’m from…a hacker could connect to a nearby hotspot from that provider, log in with the stolen credentials, and no longer be bound to a particular access point.
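The leak described above is something a router owner can check for themselves: a daemon that receives a secret as a command-line argument exposes it to anyone who can list processes. The following audit function is an added example, not code from the original post; it parses constructed BusyBox-style `ps` output (the credentials in it are placeholders) and reports which process and which option carried a secret, without echoing the secret itself. The pppd `user`/`password` options and curl’s `-u user:pass` form are real, but the sample process lines are made up for the demonstration.

```python
import shlex

# Constructed sample `ps` output in the layout BusyBox prints: PID USER VSZ STAT COMMAND.
# Every credential below is a placeholder, not a real value.
SAMPLE_PS = """\
  PID USER       VSZ STAT COMMAND
    1 root      1234 S    init
  312 root      2048 S    /usr/sbin/pppd plugin rp-pppoe.so nas0 user EXAMPLE_USER password EXAMPLE_PASS
  340 root      1536 S    /usr/sbin/telnetd -l /bin/login
  355 root      1800 S    /bin/sh -c curl -u svc:EXAMPLE_TOKEN http://example.invalid/health
"""

# Option names whose following argument (or "=value" suffix) is a secret.
SECRET_KEYWORDS = {"password", "passwd", "pass", "secret", "-p", "--password"}


def find_credential_leaks(ps_output: str) -> list:
    """Return (pid, program, option) for every process whose command line carries a secret.

    Only the option name is reported, never the secret value, so the audit output
    itself does not become a second copy of the credential.
    """
    leaks = []
    for line in ps_output.splitlines()[1:]:      # first line is the column header
        fields = line.split(None, 4)             # PID USER VSZ STAT COMMAND
        if len(fields) < 5:
            continue
        pid, _user, _vsz, _stat, cmd = fields
        try:
            argv = shlex.split(cmd)
        except ValueError:                       # unbalanced quotes: fall back to whitespace split
            argv = cmd.split()
        if not argv:
            continue
        program = argv[0]
        for i, arg in enumerate(argv):
            key, sep, _value = arg.partition("=")
            if sep and key.lower() in SECRET_KEYWORDS:
                leaks.append((pid, program, key))               # password=... form
            elif arg.lower() in SECRET_KEYWORDS and i + 1 < len(argv):
                leaks.append((pid, program, arg))               # "password VALUE" form (pppd style)
            elif arg == "-u" and i + 1 < len(argv) and ":" in argv[i + 1]:
                leaks.append((pid, program, arg))               # curl-style "-u user:pass"
    return leaks


if __name__ == "__main__":
    for pid, program, option in find_credential_leaks(SAMPLE_PS):
        print(f"PID {pid}: {program} passes a secret via '{option}' on its command line")
```

The fix for the pppd case is to keep the credentials out of the command line altogether: pppd reads them from `/etc/ppp/pap-secrets` or `/etc/ppp/chap-secrets`, which should be owned by root with mode 600, so that only the `user` name needs to appear in the process list.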
So as you can see, securing your network is really important. The first thing you always need to do is change the default password in your router’s admin panel. As for the wireless passphrase, use a complex auto-generated password of at least 15-20 characters in length. If you must pick one manually for convenience, make sure your password is alphanumeric…mix some random words with numbers and a few symbols in a totally random pattern so that your password is unlikely to be in a dictionary…and believe me, there are really BIG dictionaries out there…they can be as large as 13 GB!
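To make the advice above concrete, here is an added example (not from the original post) that generates a passphrase with the operating system’s CSPRNG and then assesses any candidate passphrase the way a defender would: is it in a wordlist, is it digits only (the 12-digit passphrase in this story fell into a 10^12 search space), is it long enough, and does its character pool give it a reasonable entropy bound. The wordlist and the 80-bit threshold are constructed for the demonstration; a real cracking dictionary is millions of entries.

```python
import math
import secrets
import string

# Character pool for auto-generated passphrases: letters, digits and symbols (94 characters).
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Tiny constructed stand-in for a cracking wordlist; real ones hold millions of entries.
SAMPLE_WORDLIST = {"password", "123456789012", "letmein", "sunshine", "qwerty123"}

# Constructed threshold: below this many bits of entropy the passphrase is flagged.
MIN_ENTROPY_BITS = 80


def generate_passphrase(length: int = 20) -> str:
    """Generate a random passphrase using `secrets` (CSPRNG), never the `random` module."""
    if length < 15:
        raise ValueError("use at least 15 characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(passphrase: str) -> float:
    """Upper-bound entropy estimate: log2(pool size) per character, pool inferred from classes used.

    This is an upper bound only; a human-chosen string drawn from words has far less real entropy.
    """
    pool = 0
    if any(c.islower() for c in passphrase):
        pool += 26
    if any(c.isupper() for c in passphrase):
        pool += 26
    if any(c.isdigit() for c in passphrase):
        pool += 10
    if any(c in string.punctuation for c in passphrase):
        pool += len(string.punctuation)
    if pool == 0:
        return 0.0
    return len(passphrase) * math.log2(pool)


def assess_passphrase(passphrase: str, wordlist=SAMPLE_WORDLIST) -> list:
    """Return the list of problems found with a passphrase; an empty list means no objection."""
    problems = []
    if passphrase.lower() in wordlist:
        problems.append("appears in wordlist")
    if passphrase.isdigit():
        problems.append("digits only")          # 10^n keyspace: trivial to exhaust offline
    if len(passphrase) < 15:
        problems.append("shorter than 15 characters")
    if entropy_bits(passphrase) < MIN_ENTROPY_BITS:
        problems.append("low entropy")
    return problems


if __name__ == "__main__":
    weak = "123456789012"
    print(f"{weak!r}: {entropy_bits(weak):.1f} bits, problems: {assess_passphrase(weak)}")
    strong = generate_passphrase(20)
    print(f"generated passphrase: {entropy_bits(strong):.1f} bits, problems: {assess_passphrase(strong)}")
```

Twelve digits give about 40 bits by this estimate, which an offline dictionary or brute-force run chews through quickly; a 20-character string from the 94-character pool is around 130 bits, which is why the auto-generated route is the safer one.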
As for my friend, I’m pretty sure his smile will wear off once he hears how his network got owned, but don’t worry about him…this pentest was for educational purposes only, and no real harm has been done.