LinuxQuestions.org
Support LQ: Use code LQ3 and save $3 on Domain Registration
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 01-21-2008, 04:15 PM   #1
MyHeartPumpsFreon
Member
 
Registered: Oct 2007
Location: The States, Florida
Distribution: Lonely Werewolf
Posts: 251

Rep: Reputation: 30
Pen testing on a router


Hey,

What are some tools that I can try to crack my routers username and password with? In the event of someone breaking my WPA encryption, I want to see how well my router username and password hold up.

I'm guessing it would just be a general password cracker, but one specifically for a router.

Any ideas?

Thanks,

Brandon
 
Old 01-21-2008, 05:29 PM   #2
C-Sniper
Member
 
Registered: Dec 2006
Distribution: Slackware
Posts: 507

Rep: Reputation: 33
Well i can tell you right now that most WPA/WPA2 encryption will keep most war drivers away unless they are REALLY desperate. I wouldn't worry about it TBH.
 
Old 01-21-2008, 05:57 PM   #3
MyHeartPumpsFreon
Member
 
Registered: Oct 2007
Location: The States, Florida
Distribution: Lonely Werewolf
Posts: 251

Original Poster
Rep: Reputation: 30
I'm pretty familiar with war driving. Call me super paranoid, but could you please humor me? I wouldn't say I'm keeping national secrets, but I do have sensitive information.

Thanks,

Brandon
 
Old 01-23-2008, 10:20 AM   #4
farslayer
Guru
 
Registered: Oct 2005
Location: Willoughby, Ohio
Distribution: linuxdebian
Posts: 7,232
Blog Entries: 5

Rep: Reputation: 189Reputation: 189
did you try simply searching google for wpa crack ? I think you will find what you are looking for...

http://www.informit.com/articles/article.aspx?p=369221
 
Old 01-23-2008, 10:21 AM   #5
lord-fu
Member
 
Registered: Apr 2005
Location: Ohio
Distribution: Slackware && freeBSD
Posts: 676

Rep: Reputation: 30
Boot Backtrack and have fun yourself.

Last edited by lord-fu; 01-23-2008 at 10:22 AM. Reason: Changed install to boot
 
Old 01-23-2008, 10:44 AM   #6
jschiwal
Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 655Reputation: 655Reputation: 655Reputation: 655Reputation: 655Reputation: 655
Make sure you don't use uPNP. That will enable an attacker to open ports. Also make sure that you don't allow configuration via WAN or wireless. A cisco router for example uses basic authentication with the password being encrypted with base64 which is really cleartext. so if someone is on your network, they may be able to sniff your password when you log into router to configure it. If you make these two mistakes, an attacker may be able to retrieve the wpa password in a config.bin file (according to pauldotcomsecurity podcast). Make sure to keep your router's firmware up to date. I use a random 32 byte psk (64 hex digit).

Last edited by jschiwal; 01-23-2008 at 06:37 PM. Reason: correction. /bin -> config.bin
 
Old 01-23-2008, 08:54 PM   #7
MyHeartPumpsFreon
Member
 
Registered: Oct 2007
Location: The States, Florida
Distribution: Lonely Werewolf
Posts: 251

Original Poster
Rep: Reputation: 30
Slayer, I'm already familiar WEP/WPA cracking. .Ethical of course

Lordfu, I've booted up Backtrack before, never saw anything for router cracking. Then again, I wasn't looking for it. I saw some new features for 3.0 that look awesome. Cookie cloning and such. Pretty cool. I'll have to look for that CD... it's lying around here somewhere.

Jschiwal... how can someone, who doesn't have the WPA password, sniff out my usernmae and password for the router and then obtain the WPA password? Wouldn't they have to be connected to the network in order to login to the router? You can't do that without having the WPA password first. If by chance they did sniff it out (assuming they're not connected to the network), they would still have to find out my IP address given by my ISP AND remote login would have to be enabled on the router to obtain the information. Unless I'm totally missing something here (I've been wrong before, MANY TIMES).

Thanks for all the help guys,

Brandon
 
Old 01-24-2008, 12:22 AM   #8
jschiwal
Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 655Reputation: 655Reputation: 655Reputation: 655Reputation: 655Reputation: 655
If you have WAN configuration enabled, they can use brute force. If you allow wlan configuration, someone at another host on your network could sniff the password. I didn't see the demonstration, but port scanning revealed that uCLinux was used and that the router hadn't been updated with newer firmware. An unpatched vulnerability may have been used. Yes, if you can connect wirelessly, you already have the PSK. If you are connected via an ethernet cable, I suppose you have to attack the switch before you can sniff traffic unless you can do something with ARP. I'm not a hacker or white hat, so I'm not someone who could do that. In a corporate or public environment, a radius server will be used to issue a key to the router for each user. There may be a bigger threat here if one user can retrieve the key issued to another user.

WPA1 is susceptible to a brute force attack. A good password is a must.
Here is a oneliner that I use to generate a random key:
Code:
dd bs=1 count=32 if=/dev/random | od -t x1 | sed -n -e 's/^.\{8\}//' -e 's/ //g' -e 1p
Besides routers, other embedded devices like printers may become targets. Printers tend to not get updated. Some printers use embedded XP and present a juicy target for hackers who would just love to retrieve the document cache. Recently, it was discovered that an LCD picture frame model was infected with a virus in the factory. It tries to spread to Windows computers via the usb port.

I don't think they sell Norton anti-virus for picture frames!

Last edited by jschiwal; 01-24-2008 at 12:29 AM.
 
Old 01-24-2008, 01:33 AM   #9
MyHeartPumpsFreon
Member
 
Registered: Oct 2007
Location: The States, Florida
Distribution: Lonely Werewolf
Posts: 251

Original Poster
Rep: Reputation: 30
Virus in a picture frame, pretty humorous. I work for Cartridge World... I once had a customer accuse me of putting a virus on her toner cartridge. "MY AVG CAME UP AND SAID THERE WAS A VIRUS! THERE WAS NOTHING THERE BEFORE THE PRINTER CARTRIDGE WAS REFILLED! YOU PUT A VIRUS ON MY CARTRIDGE! LET ME SPEAK TO YOUR BOSS!" That made my day.

Anyway, the layout you're describing is small business or a corporate environment. I just have one computer with the router attached and another desktop on the network attached via wireless. If someone were to crack the wireless encryption (WPA2), how could they crack the username and password on the router? My guess is a cracker, brute force it. Otherwise, how would it be done? Would they use a program like Wireshark to view all traffic or is there another method? I would like to know so I know how to protect myself and advance my own knowledge.

Thanks,

Brandon
 
Old 01-24-2008, 01:57 AM   #10
jschiwal
Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 655Reputation: 655Reputation: 655Reputation: 655Reputation: 655Reputation: 655
Here is the podcast I was talking about.
http://media.libsyn.com/media/pauldo...-episode96.mp3

The two holes that he found in a Linksys router (supplied by SANS) in the demonstration were uPNP and not having up to date firmware. In my opinion, attacking a router would be similar to attacking a server. Identify the ports and the OS. Use that info to break in due to know vulnerabilities. So your best defense is to make sure you have updated the firmware, use a good passphrase for wpa & the router config, don't use uPNP, don't allow wireless configuration or WAN configuration, and don't use the DMZ feature of the router. There is a brute force technique where you overload the switch's MAC table, but I don't know if this would make the router vulnerable, but it is used to cause some switches to act like a hub. One may even need to track whether there is a firmware update available for a switch, which often will have an embedded computer running some sort of OS.

Suppose you had a roommate who used a computer without root access, and you configured the computer to authenticate with your wireless router at boot, from the info in /etc/sysconfig/network/ifcfg-wlan0. This file contains the WPA preshared key. It is only readable by root. If that user can sniff the network when you type in your router password, he can gain knowledge of the username and password. ( Although booting with a live distro would give the same info if you authenticate using a PSK. )

From outside the network, I don't know if hackers are able to crack into WPA wireless networks that doesn't use dictionary words in the key. I once ran a password cracker against my regular user password and it didn't come up with the answer running overnight. A 32 byte random key would be a lot harder to crack. The problem with WEP isn't the RC4 encryption. It is that it makes key discovery easy. Hopefully if you follow the proper safeguards, a hacker will look for lower hanging fruit.

It may be possible with recorded encrypted traffic to eventually break it by trying every possible key. WPA doesn't protect against brute force but that would be very expensive ( or take a lot of luck ).

Last edited by jschiwal; 01-24-2008 at 02:11 AM.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
pen-testing client, question on gateway and network topology b0nd Linux - General 0 01-10-2008 09:18 AM
Replace 'etch' with 'testing' in /etc/apt/sources.list to track 'testing' branch? Akhran Debian 3 04-09-2007 11:45 AM
Testing open ports, behind a router sekelsenmat Linux - Networking 7 06-28-2005 09:50 AM
HOW-TO Testing network card with a router drzigman Linux - Networking 0 01-03-2005 04:18 PM
Setup as getting debian testing files from ftp - will it stay with testing BrianHenderson Debian 2 09-02-2004 07:06 PM


All times are GMT -5. The time now is 09:17 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration