
How Not to Sell a Wireless Router on Ebay

posted Sep 17, 2013, 12:08 PM by Beau Bullock   [ updated Oct 4, 2013, 1:27 PM ]

This is a post about why you don't sell electronics to strangers on sites like Ebay without factory resetting the device and completely wiping any data that might be on it. This post is also partly about open-source intelligence and partly about attacking wireless routers. To give some background about how this came about: I am giving a lecture of sorts on Wi-Fi hacking to a local group of information security professionals in a few weeks. One of the attacks I am going to demonstrate is the WPS PIN brute force attack. I bought a wireless router on Ebay that came with the previous owner's SSID and pre-shared key.
Hacking ensued.

In the following blog post the names of the individuals involved, as well as their SSIDs, usernames and credentials, have been modified to protect the innocent.

This post is not specifically about the WPS attack. There are plenty of articles detailing the WPS attack already. However, this post came about after using it to attack a router I bought on Ebay, so here is a brief background:

WPS, or Wi-Fi Protected Setup, is an ease-of-use feature added to wireless routers and devices to make connecting them a lot easier. Basically, you hold down a button on the router and one on your device and they magically connect. WPS uses an 8-digit PIN to connect the devices. Once connected, the router securely transfers the pre-shared key for the network to the device, which then uses it to join the network.

In 2011 it was proven that these PINs could be brute forced within a few hours. Once the PIN has been brute forced the router will hand over the WPA/WPA2 pre-shared key to the attacker. This vulnerability puts any WPA or WPA2 pre-shared key at risk of being obtained by an attacker, no matter how long or complex the PSK is.
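The arithmetic behind that 2011 result is worth seeing once, because it explains why the PSK's length is irrelevant. The following is an added example, not code from the original post: it validates the check digit that the WPS specification defines for every 8-digit PIN and counts the guesses an attacker actually needs. The counts assume what the 2011 research showed, namely that the registrar confirms the first four digits of the PIN independently of the last four, and that the eighth digit is a checksum rather than a free digit. The names (wps_pin_checksum, split_attempts, hours_for) and the 1.3 s/attempt rate in the demo are constructed for this illustration.

```python
# Added example (not from the original post): why an 8-digit WPS PIN is cheap
# to brute force. The check-digit rule is from the Wi-Fi Protected Setup
# specification; the attempt counts follow from the registrar acknowledging
# each half of the PIN separately (the 2011 finding the post refers to).


def wps_pin_checksum(first7: int) -> int:
    """Return the 8th (check) digit of a WPS PIN given its first 7 digits.

    Digits 1, 3, 5 and 7 (counting from the left) are weighted 3, digits 2, 4
    and 6 are weighted 1; the check digit makes the weighted sum a multiple
    of 10.
    """
    if not 0 <= first7 <= 9_999_999:
        raise ValueError("first7 must fit in 7 decimal digits")
    accum = 0
    pin = first7
    while pin:
        accum += 3 * (pin % 10)   # rightmost remaining digit: weight 3
        pin //= 10
        accum += pin % 10         # next digit: weight 1
        pin //= 10
    return (10 - accum % 10) % 10


def is_valid_wps_pin(pin: str) -> bool:
    """True if an 8-digit PIN string carries a correct check digit."""
    if len(pin) != 8 or not pin.isdigit():
        return False
    return wps_pin_checksum(int(pin[:7])) == int(pin[7])


def naive_attempts() -> int:
    """Worst case if all 8 digits had to be guessed as one value."""
    return 10 ** 8


def attempts_with_checksum() -> int:
    """Worst case once the check digit is known to be derived, not free."""
    return 10 ** 7


def split_attempts() -> int:
    """Worst case when the registrar confirms each half on its own:
    10^4 guesses for the first four digits, then 10^3 for the three free
    digits of the second half (the check digit is computed, not guessed)."""
    return 10 ** 4 + 10 ** 3


def hours_for(attempts: int, seconds_per_attempt: float) -> float:
    """Wall-clock hours needed for a given number of attempts at a given rate."""
    return attempts * seconds_per_attempt / 3600


if __name__ == "__main__":
    print("12345670 valid:", is_valid_wps_pin("12345670"))
    print("12345678 valid:", is_valid_wps_pin("12345678"))
    print("guessing all 8 digits:", naive_attempts())
    print("check digit derived:", attempts_with_checksum())
    print("halves confirmed separately:", split_attempts())
    # Constructed rate for illustration; real rates depend on the router.
    print(f"at 1.3 s/attempt: {hours_for(split_attempts(), 1.3):.1f} h")
```

The point of the three counting functions is the drop from 100 million guesses to at most 11,000: at roughly a second per attempt that is a few hours, which is exactly the overnight window described later in the post. Nothing about the PSK enters the calculation, since the PSK is simply handed over once the PIN is confirmed.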

I needed a wireless router with WPS to demonstrate this attack on so I searched on Ebay. There is a good list of routers that are vulnerable to the WPS attack here. After searching for a few of the different routers on Ebay, the cheapest I found was an auction for a Cisco Linksys E1000. I ended up winning the auction for $10 with free shipping.

After receiving the router I immediately plugged it in and it powered itself on. I checked my available Wi-Fi networks and to my surprise there was a new network that was not named "linksys". I found myself looking at a network called "Battle Falcon!!". Battle Falcon huh? With a WPA2 PSK on my newly obtained router?

I could have just held the reset button down for the 10 seconds it takes to factory reset it and have an open "linksys" network to play with... but where's the fun in that? I decided to use the same technique that I was going to demonstrate at the lecture I will be giving. First, I fired up my Kali VM. Then I plugged in my Alfa AWUS036H wireless card. I ran the following commands:

airmon-ng check kill <-- kills any processes that may interfere with airmon
airmon-ng start wlan0 <-- puts the wireless card into monitor mode
airodump-ng mon0  <-- starts sniffing packets and grabs the BSSID of the AP

After grabbing the BSSID the next step was to run Reaver against the router to brute force its WPS PIN and obtain the PSK.

reaver -i mon0 -b 00:11:22:33:44:55 -v <-- Starts brute forcing the WPS PIN. 

I could have just looked at the back of the router and used the PIN listed there with the -p option in Reaver. This would have immediately given me the PSK instead of waiting a few hours for it to be brute forced, but I wanted to test out how long it would take anyway.

This usually takes anywhere between 3 and 12 hours, so I let it run overnight. In the morning I was looking at the pre-shared key that belonged to the "Battle Falcon!!" network.

You might say "So what!? You have the password for a Wi-Fi network that no one is connected to. What harm can come of that?" Well, let's look at it from an open-source intelligence (OSINT) view.

What do I know about the person who sold me the router before I do any reconnaissance?

  • Their username on Ebay is BattleFalcon32 (I see a trend starting here...)
  • I have their name and address from the box that the router was shipped in. Let's call our subject "John Smith", and he lives in Georgia.
  • The email attached to their Paypal account is jsmith@emailsite.com
  • Their Ebay account has a picture of him

What else can we find out about this person using OSINT?

  • Doing a quick Google search of their name and state led me to the subject's SoundCloud account with the username BattleFalcon26. This is a slightly different number from the Ebay account, but you can definitely see that the person likes their "Battle Falcon" handle. According to this SoundCloud account the subject likes dubstep music. There was also another picture of jsmith here, and I can verify it is the same person by comparing it with the Ebay photo.
  • This Google search also found that the person was born on January 6, 1980, and graduated from Southview High School in 1998.
  • Surprisingly, a Pipl search I did didn't turn up too much on the subject.
  • Using Namechk.com I was able to check both usernames, BattleFalcon26 and BattleFalcon32, against the majority of popular websites. This led me to find the user's Amazon and Twitter accounts.

So what do we have now?

  • Name = John Smith
  • Address = 1234 Pwnd CT, GA
  • Birth date = 1/6/1980
  • Graduated from = Southview High School in 1998
  • Email Address = jsmith@emailsite.com
  • Ebay Username = BattleFalcon32
  • SoundCloud Username = BattleFalcon26
  • Amazon Username = BattleFalcon26
  • Twitter Username = BattleFalcon26
  • Wireless SSID = Battle Falcon!!
  • Wireless Network Password = Shazm123

This is where I, as an ethical security researcher, have stopped. If this person were the target of a penetration test and we had permission to attack the subject directly, we could then proceed in attempting to log in to the target's various accounts using the password we got from brute forcing the WPS PIN on their wireless router. It's pretty obvious password reuse could come into play here, since the subject's usernames appear to follow the same trend. Luckily, this subject didn't have a public LinkedIn account where we could easily find out where they worked. If they did, we might be able to figure out a corporate login based off of what we know about the subject. Oh, and if I was really determined to compromise more of this subject's accounts, I could just drive to their house and jump on their new wireless network, which more than likely uses the same credentials as the one I bought, and then just sniff their traffic, attack their hosts, man-in-the-middle them, etc.

There are three things to take away from this. One, don't reuse your passwords. Two, be careful about what you are posting publicly. Three, don't sell electronic equipment that has not been factory reset or wiped completely of all your data. There are some really evil people out there that would have probably gone a lot farther than I did. This shows how important reconnaissance is when performing a penetration test. I have not sent one packet to the target's network or tried to break into any of their accounts. But, I have a lot of information that would prove very valuable if we were performing a penetration test against them.