How I Hacked Your Router

Some time ago a friend in infosec asked me to do a strange thing.  He asked me to hack him.  We will call him Bill, for the sake of anonymity.  Other names and places have been changed to protect the innocent.  Vendor names have been kept to incriminate the guilty.

Hacking a large corporation is easy(ish).  They have information assets that may span the globe, and despite investments in various protection technologies, it’s just hard to keep track of all that stuff.  It requires Zen-like discipline to rigorously follow the cycle of scan-patch-repeat day after day, on all assets in an organization, without fail.

Hacking a person can be tough.  It’s true that blackhats have the advantage in terms of the asymmetric nature of information security.  Sometimes it only takes one bug.  But the attack surface area of a single individual is quite small compared to a corporation.  In addition, most people trust large vendors with their information and the cloud vendors typically do a decent job of protecting people.

I started with basic recon.  I like to use Maltego, along with sites like checkusernames.com, knowem.com, pipl search, and other tools to enumerate online presence.  There are also the classics like Google+, Facebook and Linkedin.  It helps to have a fake profile on Facebook for this kind of work.  A good bait profile should be tuned to your target.  It will help when extracting additional information via social engineering.

In terms of online presence, password reset questions are good low hanging fruit.  I’ve seen webmail accounts asking for information that you can pull right out of the target’s Facebook profile.  I’m sure most people don’t even make the connection; they may have written their reset questions 5 years ago.  None of this stuff was going to work in this case though.  My target was an infosec nerd, and he was expecting me.

Time to take the fight to him.  First, I checked to see if he is hosting anything on his home Internet connection.  He may have been doing this and not even know it.  Many apps and devices use UPnP to punch holes in consumer-grade firewalls without much fanfare.  Sometimes all it takes is a NAS or media server to open up a backdoor.  To find his home IP address, I used a Skype resolver, such as resolvme.org.  It worked brilliantly, so I scanned his IP address (and a few neighboring IPs) to see if I could find any services.  No dice though… I’m sure he figured I would do this.

Next up, 802.11.  Wireless networks are a great attack vector.  I have two Radeon 6990s in an i7 rig that chews through WPA hashes.  I use a Markov predictive wordlist generator to feed guesses to oclHashcat.  It can achieve an 80% average crack rate over an 8 hour time frame.

So I headed to Bill’s address with various Alfa wifi cards in tow.  While in this case I actually know Bill’s address, I may have been able to get this information via recon or social engineering.  It’s not exactly a secret.  After successfully capturing a WPA handshake, I ran the cracker for a week.  Still no dice.  This would probably work on most people, but Bill is an infosec guy.  His WPA key is probably >32 characters long.

At this point you’re probably wondering why I didn’t just spear-phish him with a Java 0-day and go have my victory beer.  The answer is simple — I know my target.  He has mastered the mantra of scan-patch-repeat.  Java isn’t even installed.  And if I did have a browser 0-day in my back pocket, I would have used it to win the pwn2own last week.

After my visit to Bill’s place, I did come away with one useful piece of information: the wireless MAC address (BSSID) of his router, 06:A1:51:E3:15:E3.  Since I have the OUI (the first 3 bytes of the MAC), I know that it’s a Netgear router.  I also know that Netgear routers have some issues, but Bill was running the latest firmware.  That doesn’t mean that all the vulnerabilities were patched in the latest firmware though.  The only way to be sure was to buy a Netgear router and test it myself.

Determining the exact model is probably not possible (not remotely anyway).  Consumer devices may have a lot of variation between different models as the reference platforms come from SoC vendors such as Broadcom and Atheros.  I know that Bill is a bit frugal, so I went with the WNDR3400v3 — the entry level unit.

After reading about some of the vulnerabilities this device has had in the past, I created two Metasploit modules.  In the first module, I would use a CSRF bug to POST to the UPnP interface and punch a hole to access the telnet service of the router itself.  This issue likely exists in numerous other devices and is worth emphasizing:

If you can spoof UPnP requests via CSRF, you can turn the entire network inside-out.

That’s an important point.  I was opening up a single port.  You can use Ajax requests from the victim’s browser to configure NAT entries for every IP in a subnet, effectively disabling the firewall.  There are hard limits to the number of UPnP NAT entries of course, but most devices will allow enough entries to map a few key ports for a hundred hosts or so.
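A defender-side audit of the condition described above, written as an added example rather than code from the post: it parses the replies a UPnP IGD router gives to GetGenericPortMappingEntry and flags mappings that reach the router itself, expose management ports, or cover so many hosts that the firewall is effectively off. The gateway address 192.168.1.1 and the SOAP replies are constructed samples; a real check would fetch one reply per index from the router's WANIPConnection control URL.

```python
import xml.etree.ElementTree as ET

# Ports whose WAN exposure on a home LAN is almost never legitimate:
# shell and web-management services of the router or of internal hosts.
MANAGEMENT_PORTS = {22, 23, 80, 443, 8080}
MAX_EXPOSED_HOSTS = 3  # more distinct hosts than this looks like "firewall off"

# Template of a WANIPConnection:1 GetGenericPortMappingEntry reply (one entry
# per reply); used here only to build constructed samples.
SOAP = ('<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
        '<u:GetGenericPortMappingEntryResponse '
        'xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">'
        '<NewRemoteHost></NewRemoteHost><NewExternalPort>{ext}</NewExternalPort>'
        '<NewProtocol>{proto}</NewProtocol><NewInternalPort>{iport}</NewInternalPort>'
        '<NewInternalClient>{client}</NewInternalClient><NewEnabled>1</NewEnabled>'
        '<NewPortMappingDescription>{desc}</NewPortMappingDescription>'
        '<NewLeaseDuration>0</NewLeaseDuration>'
        '</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>')

def parse_mapping(xml_text):
    """Pull the fields out of one GetGenericPortMappingEntry reply."""
    root = ET.fromstring(xml_text)
    # The argument elements carry no namespace, so a plain tag search works.
    get = lambda tag: root.find('.//' + tag).text or ''
    return {'ext': int(get('NewExternalPort')), 'proto': get('NewProtocol'),
            'iport': int(get('NewInternalPort')), 'client': get('NewInternalClient'),
            'desc': get('NewPortMappingDescription')}

def audit_mappings(replies, gateway):
    """Return human-readable findings for the mappings a router reports.
    `gateway` is the router's own LAN address (assumed 192.168.1.1 here)."""
    maps = [parse_mapping(r) for r in replies]
    findings = []
    for m in maps:
        where = f"{m['proto']}/{m['ext']} -> {m['client']}:{m['iport']}"
        if m['client'] == gateway:
            findings.append(f"mapping points at the router itself: {where}")
        elif m['iport'] in MANAGEMENT_PORTS:
            findings.append(f"management port exposed to the WAN: {where}")
    hosts = {m['client'] for m in maps}
    if len(hosts) > MAX_EXPOSED_HOSTS:
        findings.append(f"{len(hosts)} internal hosts have WAN mappings (firewall effectively disabled)")
    return findings

# Constructed samples: one legitimate console mapping, then the kind of
# entries an unauthenticated UPnP request from a CSRF'd browser could add.
SAMPLE_REPLIES = [SOAP.format(ext=3074, proto='UDP', iport=3074, client='192.168.1.50', desc='Xbox'),
                  SOAP.format(ext=2323, proto='TCP', iport=23, client='192.168.1.1', desc=''),
                  SOAP.format(ext=40022, proto='TCP', iport=22, client='192.168.1.20', desc='')]

if __name__ == '__main__':
    for finding in audit_mappings(SAMPLE_REPLIES, '192.168.1.1'):
        print('ALERT:', finding)
```

Running the same audit periodically (or disabling UPnP outright) is the practical mitigation: a mapping that appears without anyone on the LAN asking for it is the signal.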

In order to trick Bill into connecting to my exploit, I sent him an email with an embedded link.  Cobalt Strike has a tool to copy an existing email (headers and all), which makes this basically turn-key.  All you need to do is modify the links.  So what email does everyone always click?  What would work even against an infosec guy?  Linkedin invites.

EDIT: Some readers have wondered why Bill would fall for this. Even a cursory check of the sender domain or link would have been a dead giveaway. The key to a successful SE campaign is a good pretext. For a background on pretexting, read this article. In this case the invite appeared to be from someone he had a meeting with that afternoon. Well, more of an informal job interview really. I suppose it was confirmation bias — he wanted to believe he got the job.

Now before I sent the email, I needed a follow up payload.  By default, the telnet port is enabled on Netgear routers, but the service is unresponsive.  You have to connect to the port and send a special unlock key.  Public exploits exist for this flaw, but I wrote another MSF module because I love my Ruby (and Metasploit).

Bill clicked the link.  As soon as I saw the callback, I triggered the second module and logged into the router via telnet.  Once I obtained root access to the router, I immediately changed the DNS settings to point to a DNS server that I control.

Controlling DNS is a powerful thing; it effectively provides you with on-demand man-in-the-middle.  There are plenty of MITM attack vectors, but I like Evilgrade for stealth.  Evilgrade has been out for years, and still works great (some modifications necessary).  It took about a week before Bill decided to upgrade notepad++ to the new version.  When he did, he was fed a backdoored version that gave me a Meterpreter shell on his computer.  I immediately emailed him a few screenshots and a keystroke log, and he unplugged his computer a few minutes later.

For my efforts, I was rewarded with a six-pack of Ruby ale.  I do love my Ruby.

37 thoughts on “How I Hacked Your Router”

  1. So how’d you sucker Bill into clicking your exploit link? Since you hadn’t yet hijacked his DNS, I presume the link didn’t (couldn’t) actually point to linkedin.com — shouldn’t his mail client have warned him? (Mine would.)

    1. See this video by Raphael Mudge. He does a much better job of explaining it than I would. I also had another advantage — Bill and I worked for the same company at the time, so I could send the phish to myself to make sure it passed all the filters. This isn’t so unrealistic though. An advanced adversary will scour RFPs, public records and job postings to learn what protection technologies a company has and attempt to duplicate their environment for testing.

      1. Funny you should mention that. I was at a security conference recently where a vendor was giving away these branded cards with fold-out USB connectors. I figured it was a flash drive. When I plugged it in, it was actually a keyboard HID that opened a browser window to the vendor’s site. I’ve known about the hak5 ducky for quite some time, and this still took me by surprise.

  2. This was a really good read, man. I especially liked the part where you talk about your rig chewing through WPA hashes; ha, that just sounds awesome. I do have some questions if you don’t mind someone picking your brain, but either way definitely keep writing, I’ll keep reading.

  3. […] In order to trick Bill into connecting to my exploit, I sent him an email with an embedded link. Cobalt Strike has a tool to copy an existing email (headers and all), which makes this basically turn-key. All you need to do is modify the links.  So what email does everyone always click?  What would work even against an infosec guy?  Linkedin invites. http://disconnected.io/2014/03/18/how-i-hacked-your-router/ […]

      1. Thanks, can I then extend my question to: if you download a file through SSL, is that just a mitigation against MITM or a complete showstopper (assuming the attacker was not privy to any of the certificate controls)?

      2. It depends. If an update process uses SSL and only validates that the server certificate is signed by a trusted root CA, there may still be issues. It will stop the casual attacker, but it doesn’t protect against CA compromise (which happens), and I have seen certain CAs provide wildcard certs to enterprise customers (for their Bluecoat boxes, etc.) in the past. Yes, full on X.509 CA=true signing certs.

        Most update processes will perform further validation to ensure that the server has the expected certificate or public key, i.e. cert pinning. This is an effective mitigation.

  4. Why on earth was Bill using his router’s DNS settings and not setting the IP address in his network settings himself?

    1. Generally home routers provide DHCP and DNS services. They usually set the DNS address to be the inside address of the router, and use dnsmasq for forwarding. Even if this isn’t the case, you can still set the DNS address in the DHCP scope. Even if he was manually configuring his DNS (which is unlikely), I’d bet a destination NAT rule would sort that out.

  5. For the CSRF exploit to work, you would have to guess the local IP address of the router AND the router interface was not password protected? Or was this also an authentication bypass vulnerability? Also, did the telnet service allow root access out of the box?

    1. Guessing the local IP for the default gateway isn’t too hard — it’s either 192.168.0.1 or 192.168.1.1 for 99% of home users. And you don’t have to guess just one address. This exploit isn’t authenticated. It uses Universal Plug and Play, which doesn’t require authentication. The use of the UPnP exploit provides telnet access on the WAN interface, and once connected as root, you can do anything you like.

      Not all CSRFs require guessing an address however. The WD MyCloud exploit I wrote requires zero knowledge of the internal network and uses a netcat-based reverse shell. It can be activated using an HTML img tag, too.

  6. Your InfoSec-guy was sloppy. I’m just your average cautious hacker and I’d never use a closed source firmware on my WLAN access point. Also true InfoSec-guys never read HTML-mail, mutt is a perfectly good e-mail solution. If an e-mail is only in HTML any true hacker will render the page in his head. :)

      1. What about the WNDR3800? It’s becoming quite popular with ISPs and out of the box it starts off with WPA2 authentication and seemingly has a special firmware branded with the ISP’s logo. I tried flashing DD-WRT onto it and it just defaults back to its factory settings without the new firmware.

  7. Pretty neat story.

    I’m not that up-to-date with vulnerabilities in custom firmwares like OpenWRT or DD-WRT, but I think it’s more likely that this wouldn’t have succeeded (at least in this way) if he had one of them running on the Netgear router.

    After finding out about OpenWRT, I made sure that the first router I bought would be OpenWRT compatible and flashed it with it.

  8. Yeah if you use passwords from grc.com/password you will not be able to hack through the password easily. I think Steve Gibson said it would take about 255 years to the power of infinity. :)

  9. Thanks much Phikshun, this is priceless!

    I’m not in infosec per se, but I’ve defended a small biz, myself and family for years and have always tried to consider these kinds of scenarios.

    Smartphones & tablets have added a new attack vector that you didn’t mention, esp if you can get near the victim. Hak5’s wifipineapple and similar tools are helpful there. Though to be fair the article is about (home) routers.

    I was expecting to see more specific pointers to info on just how hackable the popular home routers are. But that can be turned up with a google for “consumer router vulnerabilities”.

    Great stuff ;)

  10. Even though written last year, still a good and valid post. What about the flip side of the coin – mitigations? DNSCrypt would have blocked anything related to DNS MITM attacks. What about the email, CSRF, etc.?
