Time to change that default WiFi password

[Pip]

This is for those that use ISP supplied routers/All-in-one modem/routers who have never given a thought to their wireless security. I'll try to keep this simple for the non-tekkies among us (no disrespect).

Wireless password cracking has been around for a long time, when done by "Whitehats" (the good guys) it is to expose a flaw so that manufacturers can fix the flaw, when done by "Blackhats" (the bad guys) it's at best to use your internet for free, at worst to gain access to your computer and everything else in you home (LAN) network.

A little bit of history, when wireless access was introduced back in 1997 it was fully accepted that only those with the password would be able to connect to the router and that all information between the device and the router should be private. Wired Equivalent Privacy (WEP) was introduced, its intention was to provide data confidentiality comparable to that of a traditional wired network. It didn't take long before it was revealed the password could be found in minutes.

Along came Wi-Fi Protected Access (WPA) in 2003 closely followed by WPA2 a year later, much more secure and things looked good.

Then in 2006 along came WPS, press a button enter an 8 digit number and you're connected. Oh dear. It didn't take long to find a flaw.

In 2011 Crag Heffner of Tactical Network Solutions released a program called Reaver that exploited this flaw. (For those interested I'll explain the flaw at the end ).

Next came Bully, based on the Reaver progam but more aggressive in the brute force attack. Then along came Dominique Bongard who found further flaws in certain chip manufacturers equipment, namely Broadcom, Realtek, Ralink, MediaTek and Celeno, and the Pixie Dust Attack was born, soon incorporated into both Bully and Reaver and now seconds, not minutes to find your password.

Most, if not all vendors of routers who use these chips have pushed out firmware updates to stop this exploit but if in doubt check that WPS is disabled in your router. As an aside those that use their own routers make sure your fimware is up to date for it.

Now to the point of this thread.

If you use ISP supplied equipment then the format of the WiFi password is well known. For instance in the UK Sky routers use A-Z and are 8 letters long,
Virgin Media use a-z again 8 letters (except the new Superhub 3) BT use a-f and 34678 for a total of 10 digits. There is now a community website where a .cap file can be uploaded (I'll explain in a mo) and the default password can be found within 3 days.

So, what's a .cap file? (Foggy I'm trying to keep this simple for the non-tekkies).

Every time you connect a device to your router there is what is called a 4 way handshake. Basically your device calls the router and asks to connect, the router asks who you are, you give the password and the router says "Yes OK"

Within that 4 way handshake contains the password, to find it takes a lot of processing power but the community site must have it to produce results so quickly.

Bottom line, if you have ISP supplied equipment change that default password, preferrably use a phrase you like and remember. Keep yourself safe!

Now for the tekkies.

How does Reaver (and the Bully derivative) work?

WPS relies on an 8 digit pin to be entered to connect so that should equate to a combination of 10^8 (100,000,000) combinations but it doesn't. The last number is a checksum based on the previous 7 numbers so is a given number. So that leaves 10^7 (10,000,000) combinations, it'll still take 106 days at one try per second? Wrong again.

The pin is split into 2. So get the first 4 correct and then the router will ask for the last 4. Now we only have to guess the first 4 to progress, that's 10^4 or 10.000 numbers, once we get that right than all we have to find is the next 3 or 10^3 or 1000 (don't forget the last is a given based on the previous 7) so we end up with 11,000 possible tries to get the correct pin and be given the password. Do the math yourself, 11,000 at 1ps = x hours.

Pixie Dust Attack.


Important parts of a WPS exchange: M1, M2, M3, other


Enrollee Nonce
PKE Public Key (Enrollee Public Key)

Registrar Nonce
PKR Public Key (Registrar Public Key)

E-Hash1 = HMAC-SHA-256(authkey) (E-S1 | PSK1 | PKE | PKR)
E-Hash2 = HMAC-SHA-256(authkey) (E-S2 | PSK2 | PKE | PKR)

Authkey [derived from the KDK (Key Derivation Key)]


E-Hash1 is a hash in which we brute force the first half of the PIN.
E-Hash2 is a hash in which we brute force the second half of the PIN.
HMAC is a function that hashes all the data. The function is HMAC-SHA-256.
PSK1 is the first half of the router's PIN (10,000 possibilities)
PSK2 is the second half of the router's PIN (10,000 possibilities)
PKE is the Public Key of the Enrollee (used to verify the legitimacy of a WPS exchange and prevent replays.)
PKR is the Public Key of the Registrar (used to verify the legitimacy of a WPS exchange and prevent replays.)

and it only takes seconds.

update.png

[Fogdude]

I NEVER use the ISP router except as a MODEM for access to the ISP. Comcast will still issue a MODEM only , without wireless, which is what I demand from them. AT&T will not, so the very first thing I do is make all the wired ports on the router pass-though. I DISABLE the wireless connectivity on this router. Then I connect my own 3rd party router to it. That is the router & wireless I use in my home network, NEVER the ISP wired or wireless, except through the pass-through wired port. ALL my wireless & wired traffic go through my 3rd party router. For security reasons, I won't disclose the brand I use, but I've been using them for decades & never had an issue. I also immediately change the Admin password on my 3rd party router, as well as on the ISP router.

I NEVER use the WPS push button security option on my wireless. ALL my wired & wireless devices are whitelisted & if my router is accessed by any other device I get a notification. I have NEVER had a notification & I check my router logs monthly to make sure I'm not being accessed.

I avoided using wireless on any of my networks until just a few years ago for all the reasons listed by Pip. Wireless security has never been what it should.

I use wired connections everywhere, except when there is absolutely no other option.

[Pip]

I never would expect anything less from you Foggy. You know the pitfalls as do I.

This thread is about awareness for those that don't know especially now that wireless is being pushed as the main connectivity with Laptops, Tablets and phones.

It never has nor will it be the most secure connection. Those that want to will get in and if they want wreck havoc to the user.

I've tested the community site by resetting a router so the default password is restored, capturing the handshake betweem my PC (on wireless) with my laptop and uploading the .cap file. 3 days later I had the default password.

Unfortunately here in the UK most ISP's only allow their equipment to connect, Sky TalkTalk etc, BT allow 3rd party equipment as both modem/router Virgin Media only allow you to put their hub in modem mode and use your own router.

I haven't even touched on "man in the middle" attacks yet though. I'm sure you know about them too. Bottom line, wired connection is the only safe way to go.

BTW Foggy, If I was sniffing wireless traffic near you I'd be able to tell you what brand of router you use.


Virgin Media's first "Superhub" had the following login info.

Username:- Admin

Password:- Changeme

How many ordinary users check this though?

[Fogdude]

[size=150]

BTW Foggy, If I was sniffing wireless traffic near you I'd be able to tell you what brand of router you use.


Virgin Media's first "Superhub" had the following login info.

Username:- Admin

Password:- Changeme

How many ordinary users check this though?

I know. That's why my WiFi is whitelisted & no new connections are accepted.

Most US router makers ship theirs with 'Admin' as the username & 'password' as the frickin' password! And few, if any users, ever change this! I could go on about the default settings in the WiFI security & the networking options that are set by default, but I think we've made the point. There is plenty of information available for guiding the unknowing through tightening up their systems. Luckily, few of us have anything of interest to the casual hacker. We're just not worth the effort, for the most part, unless the hacker is just bored.

[ctaulbee]

One thing I do is re-name the device, then disable it from broadcasting it's name, that's how most find you, they listen, scanning channels until they hear your router.

If broadcasting is turned off they can't do that, only way to connect, is to know the router name and yes you still have to have a correct password but the router will only respond if it's pinged by name, so you have to know the name to get it to listen to you.

Then as Foggy said white list only for connections, ie if the device mac address is not manually set in the router, then your not getting connected anyway, even after all the above.

That's worked very well for me.

[chouette]

[VincentLupo]

I even use mac authentication for physical connections. I've actually screwed myself a few times early on and had to fully reset all my routers cause I locked myself out.

[Fogdude]

I even use mac authentication for physical connections. I've actually screwed myself a few times early on and had to fully reset all my routers cause I locked myself out.

Yep. that can happen!

I had to walk my brother through hardening his router's wired & wireless connections. He's an avid online gamer & never considered that his connections were susceptible, until his system stopped working & all he could do was a wipe & reinstall. Then it happened again within 2 days. I had him look at his router's log & he had at least 5 foreign connections that were active at the time. I had him go to every machine he had & check the MAC addresses & check them against his router & 4 of them were not his. I then showed him how to put in his MAC addresses & turn off any other connections.

He hasn't had another problem since.

[Pip]

then disable it from broadcasting it's name, that's how most find you, they listen, scanning channels until they hear your router.

If broadcasting is turned off they can't do that, only way to connect, is to know the router name and yes you still have to have a correct password but the router will only respond if it's pinged by name, so you have to know the name to get it to listen to you.

Not quite ct. There are ways.

Consider this,

I want to hack your wireless and you have turned off broadcasting so you don't appear-wrong.

It won't show the network name but it will show the mac address of the router.
It will also show the mac address of the device connectied to your router.
So, the router and the device have to communicate. That communication can be intercepted once the mac is known. De-authenticate the device from the router and it has to authorise itself again, capture the 4 way handshake, job done if using the default password.

Even whitelisting a mac address won't stop it as all you do is wait for the whitelisted one to disconnect then spoof it's mac and you've got into it. The router won't allow the genuine device to reconnect until the spoofed one has gone.

This is of course taking it to extremes, the post was only supposed to let non-tecn users know to change the default password.

[Fogdude]

I think you satisfied the non-technical needs in the initial post. The rest of us can't help ourselves & this is always good information, even for those less technical.

[chouette]

I think you satisfied the non-technical needs in the initial post. The rest of us can't help ourselves & this is always good information, even for those less technical.

[Pip]

I think you satisfied the non-technical needs in the initial post. The rest of us can't help ourselves & this is always good information, even for those less technical.

I know what you mean Foggy, I'm the same myself. I'm in the loop on this and get to know ways and means for exploitation before it's published. I can continue this thread if you guys want explaining the how, why and how to counter it if you wish.

I'll also try to keep it simple for non-techies. Actually most of it is simple to counter when you realise how it's done.

[Fogdude]

I see no reason not to continue sharing. Those not as technical, with questions, can always chime it. Questions are always a good way of digging into a topic.

[Pip]

I've found a bit of time to carry on with this so here's the next installment.

Let's start with operating systems. Windows isn't really very good for WiFi hacking so the obvious choice is Linux. You can use any flavour of Linux but you will have the hassel of installing all the different programmes. My go to Linux release is.

Kali Linux.png (1.02 MiB) Viewed 43127 times

[size=150]produced by Offensive Security. It has (almost) all the tools needed for WiFi hacking. Modded programmes such as Reaver modded to work with PixieDust need installing but it's no biggie.

I covered Reaver, Bully and PixieDust in the first post so I'll cover handshakes here. I must add that to use any of the online attack programmes you must have a wireless adapter that supports packet injection.

To capture handshakes the tool of choice is the Aircrack-ng suite. We put our wirelessadapter in monitor mode and start Airodump-ng. This will scan for all networks in range (including hidden ones ct ). We select one with a client attached and continue to monitor it wirh Airodump-ng, next we start Aireplay-ng and deauthenticated the client by injecting deauth packets. The client then has to re-authourise and the 4way handshake starts. Airodump has been patiently waiting to capture the handshake and saves it as a .cap file.

I have a "fire and forget" script for this which takes about 2 mins to set up which will cycle through all networks in range until I stop it. It automatically skips networks it's captured the handshake from.

The hanshake contains the network name even if hidden and the password. Now all I have to do is extract the password. This is the part that take the time. It's easier and quicker if it's a default password as I already know the structure of that, eg. Virgin Media 8 lower case or Sky, 8 Uppercse. BT use a combination of 4lowercase and 4 digits. Anyway, program of choice for password extraction - OCLhashcat, this uses the graphics card for the computing. For me to crack a .cap file on my rig it takes 10 - 15 days but my graphics card is getting on a bit and only has 1600 stream processing units. I could put another one in and crossfire them and the time would be halved. Not bad for a possible 208,827.064,576 combinations!

What if the password is a word or phrase? No problem OCLhashcat can perform a dictionary attack too! Obviously the time will vary depending on the complexity but it is worth remembering there's a limit of 64 characters for a password.

Coming soon the Evil Twin attack with Wifiphisher.

[Fogdude]

Methinks this is tracking off into the darker realms that cross the line into abetting, not helping. While I do enjoy such topics, I don't think it's wise to continue this thread on this site. Of course, that's just me...

[Pip]

Not really Foggy, I've purposely not referenced any of the command lines.

All the programmes mentioned in both posts have to be run through a terminal window (think command prompt) and if you don't get the command line correct you're dead in the water.

[Fogdude]

I know. I didn't say it actually hit on it. I said it was approaching. It just seems a bit on the edge, to me. An awful lot of inside baseball.

[Pip]

Let's face it Foggy, in my first post I detail which programmes and how they do it. In the recent post you think I'm going near the edge yet I've only done the same as the first post and you advocated me carrying on.

I'm not having a go at you but unless I explain how it can be done then it means nothing, I won't give enough details on how to do it.

I'm very careful about the amount of information I have put into both (and any future) posts. Those alredy tech minded like yourself probably already know about what I am posting or at least must have touched on it at sometime in your career.

Consider this, how many windows users would be able to use a Linux based system? Whitehats put exploits in the public domain for one reason only - The security hole can be filled. ISP's in the UK and Europe have protected their equipment from all 3 attacks outlined in the first post as I suspect those in the rest of the world has. Thanks to testers I know in the US I know your ISP's have too. The problem appears to be those using non-ISP equipment not updating their firmware as the router suppliers have fixed it (mostly).

I know of one team in the US that continuously check and develop tools only to bring it to the fore so that security flaws can be resolved. Even now they are finding both reaver and PixieDust can work on certain routers but I won't release that info here. It's too new! (I'll be testing it in the UK soon when they've perfected it and provide feedback to them).

Bottom line, you have to show how (up to a point) to get people to sit up and listen and then protect themselves. Wait until you see the next one then you may agree.

[Fogdude]

I understand your point & I wasn't having a go at you, either. My comment wasn't probably as well thought out as it should have been. My only point was that it's difficult to know where the line should be. We don't always know who the audience is & while some information may seem mundane or common knowledge, it may be just enough to push a would-be hacker nearer that point. Not that you'd divulge anything specific, but with enough pieces & explanation of the mechanics, who knows who it may inform in a negative way?

That said, have at it. I trust you not to push the envelope too far, as I'm sure the others here do.

[Pip]

I never thought you were having a go at me Foggy. Any wanabee hacker con download and install Kali Linux but then they've a very long learning curve to be able to use it. By the time they've figured it out the hole will been filled.

I worry about the Android apps out there which I won't mention.

I remember a small programme for windows 3yrs ago that had a database of most router pin numbers and found them quicker than reaver. Put the pin into reaver and all was revealed. It's now redundant though thanks to the work whitehats do and I'm glad I know a few of them. As most are based in the US they are thankful for the input that I and others in Europe (and the rest of the world), can give them.

The whole point of this thread is to make members aware of what could happen if they don't take the correct precautions. To do that I have to show how without giving too much away to those who want to try it.

For those who do wish to try it I'll just say try learning Linux first and then learn the command lines, that should take about 2yrs and by then the exploit will be redundant.

I'm deliberately leaving time between the posts to give members the time to think about their security protocols and hopefully change them. Even you and ct aren't bullet proof.

I'll be going here next week. IP EXPO Europe 2016 is your chance to see some of the world’s best and most famous hackers and cyber security researchers share their latest research, hacking techniques and tools which can be used against your network.

[Roseflamingo]

I know your trying to be helpful and I do appreciate the info but I get headaches from reading this kind of stuff. I consider myself a pretty intelligent guy but to me this is all a foreign language that I just can't seem to grasp (not yet, anyway). I'm still having problems setting up my home servers, I tend to make changes according to directions and spend hours doing it and winding up right where I started which always seems to be nowhere! I guess I'm just too old to understand this stuff, born in the era of B&W televisions, wall phones, film cameras and LP's. I did master that pesky flashing time clock on my VCR though! Now somebody please pass me the funnies and some aspirin...

[Pip]

I know your trying to be helpful and I do appreciate the info but I get headaches from reading this kind of stuff. I consider myself a pretty intelligent guy but to me this is all a foreign language that I just can't seem to grasp (not yet, anyway). I'm still having problems setting up my home servers, I tend to make changes according to directions and spend hours doing it and winding up right where I started which always seems to be nowhere! I guess I'm just too old to understand this stuff, born in the era of B&W televisions, wall phones, film cameras and LP's. I did master that pesky flashing time clock on my VCR though! Now somebody please pass me the funnies and some aspirin...

Same era as Foggy and myself then.

Don't worry about the detail in this thread (it's there for the tekkies). After the next exploit I talk about I'll be posting how you can protect against almost all attack attempts.

Meanwhile this might make you smile.

[chouette]

I know your trying to be helpful and I do appreciate the info but I get headaches from reading this kind of stuff. I consider myself a pretty intelligent guy but to me this is all a foreign language that I just can't seem to grasp (not yet, anyway). I'm still having problems setting up my home servers, I tend to make changes according to directions and spend hours doing it and winding up right where I started which always seems to be nowhere! I guess I'm just too old to understand this stuff, born in the era of B&W televisions, wall phones, film cameras and LP's. I did master that pesky flashing time clock on my VCR though! Now somebody please pass me the funnies and some aspirin...

My sentiments exactly!

Cool video Pip, lol

[Roseflamingo]

I Love, love LOVE IT! thanks Pip, that's just what I needed. (love how the video was slightly speeded up to fit the music. I own everyone of their films that are available and they still make me laugh, such wonderful men and movie comedians.) Thanks again.

[Pip]

OK, so here's the final exploit I'm going to tell you about and I'm not going to go into too much detail for obvious reasons.

Wifiphisher and the Evil Twin attack.

Fisrstly the Evil Twin. That is where I make my PC/laptop appear to your device as being your router. It will have the same network name and mac address as your router. Now all I have to do is have your device connect to me instead of your router.

Enter Wifiphisher. This will automatically set up the Evil Twin (once I select your network) then send deauthorization packets (and continue to do so) to disconnect you from your router. As your device will automatically try to reconnect to your network it will then pick up me - the Evil Twin, I look identical to your router so your device doesn't know any different.

You'll then be presented with a web page like this (in reality identical to your routers web interface).

wifiphisher.jpg (43.58 KiB) Viewed 43023 times

Now this is where I want you to think and be truthful. Would you be fooled by this? Don't forget we've been conditioned by windows to click to accept upgrades
it's not a leap in the dark to get you to enter your wifi password to get the firmware update for your router is it?

Once you do enter your password you'll get online but everything you do will be passing through my computer. Think you can beat it by putting a false password in? Think again, in the time you are expecting the firmware update to complete Wifiphisher has tried your password on your router. If it fails you get a page telling you you've entered an incorrect password.

I seriously doubt if any of you come across this one but then again...

This whole thread has been purely to raise awareness of what can happen and how easy it could be for someone to hack your wifi password if they had the time and inclination to do so. I do not condone anyone hacking wifi passwords unless they have the express permission of the bill payer of the connection. Yes I do it but always with permission and it's earned me quite a few drinks.

Users in my immediate area are now much more aware and more secure.

I'll give you time to digest this post and comment if you wish, then tomorrow I'll post on the best method of protection.