Wifi Ownage

5 Jun

Wifi networks can be quite easy to pwn these days, with the availability of fast cloud-based cracking services, big optimized dictionaries and complex software…even if you implement the best encryption schemes out there like WPA2-AES…all it takes is a bit of luck with a good dictionary and a not-so-complex password. Therefore even with modest hardware, cracking a wifi network is not that hard…provided you don’t use a password combination like this: 1aE&saA3@#S!

Recently one of my friends asked me to audit his personal wifi network in order to test its security. The way he was smiling…made me feel like he was well prepared…although he’s not a very technical guy, he’s aware of the basics and did what he thought was best to make his access point secure.

So I got myself a drink and fired up my Linux install. I set my wifi card to monitor mode and used the suite of tools provided by aircrack to probe his wireless network. His access point was using the WPA2-AES encryption scheme, which is good. On further inspection using tools like reaver, I also noticed that his router wasn’t using WPS (which is turned on by default in most cases), so it seemed like he had done his homework.

WPS is an additional security layer through which you can securely authenticate multiple devices by just pressing a button on your router…but it comes with a flaw that allows you to pretty much brute-force your way through the router, and once you hit the right PIN…you’re given the passphrase to the access point! I don’t really see the point of WPS, and it’s the one thing that in my opinion made wireless networks more insecure and easy to crack. The cost of convenience can be a big price to pay…so if you own a wifi network and you’re reading this…make sure you turn off WPS mode on your router.

So since it wasn’t possible to use reaver to brute-force WPS, I decided to move on with aircrack. It seemed like he was connected to the network, so by using a combination of aireplay-ng and airodump-ng I was able to deauthenticate him from the network and capture the 4-way handshake. In case some people don’t know what a 4-way handshake is…it is a four-step exchange between a client and the access point. It’s the protocol the WPA/WPA2 standard uses to authenticate and associate a client with the wireless network. From a hacker’s point of view, it’s like candy wrapped up in a metal box made of solid titanium. In case you didn’t get it, think of a bank’s safe (which is usually made of the hardest materials, like titanium). To crack open the safe you’ll need to enter the right password, and there’s no other way around that. Forget the high-tech blowtorch or other stuff you see in the movies for now.

So I was able to get the four-way handshake, loaded up a good dictionary and fired up aircrack-ng to crack it. Well, what do you know: in a matter of 10-15 minutes I heard the cores slow down, and to my surprise the password was cracked! The password was all numbers, around 12 characters in length I think, but it still ended up being part of the dictionary.

Since he gave me permission to pentest his network, I wasn’t restricted in any way, but I decided not to pentest the connected clients as that would, in my opinion, be a violation of privacy. So to prove to him what a malicious hacker could do, I decided to log into his router, and got in with the default password! Damn, no one these days even bothers to change their router’s password. It was a Zyxel router with some nice little things here and there, but I decided to log into the command-line shell and see what I could find.

So I telnetted into the router with the default password and was given root access. I rarely fiddle around with BusyBox systems, but just for the sake of proving what a hacker could do I decided to take a look around…until I finally hit something that caught me by surprise.

When I used the ps command, it showed me the username and password of the account my friend had with his ISP. Usually, even if a hacker manages to crack the network and get into the router’s network settings, the password field for the ISP account is filled with asterisks for security reasons…so copy-paste won’t work. But in this case, just by looking at the process list I was able to get the credentials, because the running pppd daemon had them visible in its command line. Since this ISP is quite common in the area I’m from…a hacker could connect to a nearby hotspot from that provider, log in with the stolen credentials, and no longer be bound to a particular access point.
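As an added example (not from the original post), here is a small audit script in Python that scans BusyBox-style `ps` output for pppd invocations carrying account credentials as command-line arguments, the same leak the post describes; the process list, PIDs, ISP account name and password are all constructed for the example.

```python
# Constructed sample `ps` output in BusyBox style; every value here is made up.
SAMPLE_PS = """\
  PID USER       VSZ STAT COMMAND
    1 root      1240 S    init
  412 root      1512 S    /sbin/syslogd -n
  518 root      2936 S    pppd plugin rp-pppoe.so nas0 user alice@isp.example password Hunter2! mtu 1492 persist
  603 root      1688 S    /usr/sbin/httpd -p 80
  640 root      1900 S    telnetd -l /bin/login
"""

# pppd options that take the account name or the secret as the next argument.
# Anything passed this way is readable by every local user via ps or /proc/<pid>/cmdline.
CREDENTIAL_OPTIONS = ("user", "password")


def parse_ps(ps_text):
    """Split BusyBox-style ps output into (pid, command) pairs, skipping the header row."""
    procs = []
    for line in ps_text.splitlines():
        fields = line.split(None, 4)
        if len(fields) < 5 or not fields[0].isdigit():
            continue
        procs.append((int(fields[0]), fields[4]))
    return procs


def find_exposed_credentials(ps_text):
    """Return one finding per credential-bearing argument on a pppd command line."""
    findings = []
    for pid, cmd in parse_ps(ps_text):
        argv = cmd.split()
        if not argv or argv[0].rsplit("/", 1)[-1] != "pppd":
            continue
        for i, arg in enumerate(argv[:-1]):
            if arg in CREDENTIAL_OPTIONS:
                findings.append({"pid": pid, "option": arg, "value": argv[i + 1]})
    return findings


def mask(value):
    """Keep only the first and last character so the audit report doesn't re-leak the secret."""
    return value if len(value) <= 2 else value[0] + "*" * (len(value) - 2) + value[-1]


if __name__ == "__main__":
    for f in find_exposed_credentials(SAMPLE_PS):
        print(f"pid {f['pid']}: pppd option '{f['option']}' exposes {mask(f['value'])}")
```

pppd can read the same credentials from /etc/ppp/pap-secrets or /etc/ppp/chap-secrets instead of taking them as arguments, which keeps them out of the process list; on a consumer router that is a firmware change only the vendor can make.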

So as you can see, securing your network is really important. The first thing you should always do is change the default password of your router’s admin panel. As for the wireless passphrase, try to use a complex auto-generated password of at least 15-20 characters. If you must set it manually for convenience, make sure your password is alphanumeric…mix some random words with numbers and a few symbols in a totally random pattern so that your password is unlikely to be in a dictionary…and believe me, there are really BIG dictionaries out there…they can be as large as 13 GB!

As for my friend, I’m pretty sure his smile will wear off once he hears how his network got owned, but don’t worry about him…this pentest was for educational purposes only, and no real harm was done.

Source: http://irenicus09.wordpress.com/2013/06/05/wifi-ownage/
