For today’s tidbit we are going to talk about securing your wireless router and a bit on what I thought for about a minute was going to be my first ever vulnerability disclosure…but alas.

From the reactions of my work training class of mostly business types, when a young finance consultant announced that the router was fine after the teacher had problems connecting to the work VPN, it seems that a lot of people, including your not too average Joe, know all about “admin, admin.” However, judging from how often it works in the wild, a lot of system administrators don’t know about “admin, admin.” Hence it seems worth posting about, if only because the really good stuff isn’t ready yet and I took these screenshots.

As always we strongly encourage you to only do this on systems you own or have permission to hack, and the usual disclaimers apply. If you just can’t help yourself it may be worth your while to change your MAC address as outlined in the previous tutorial, “Problems in WEP Cracking and How to Fix Them,” for reasons discussed later in the post.

Once connected to a wireless router, find out your IP address on the network with ifconfig, ipconfig, etc., depending on your poison of choice. If your IP address is 192.168.x.y there is a good chance there is something like this waiting for you at 192.168.x.1:

Now it is quite possible that the administrator of the router in question may have used a password that meets most definitions of complex enough for deployment. Then again it might be admin (or the default credentials for the router model in question). Entering “admin admin” yields this:

And yes you can do a lot more than change the SSID in there…

The moral of the story is on top of using good encryption on your wireless, make sure to secure interfaces to the router from users on the network.

Once upon a time Micheal, Rachel, and I were fooling with a Linksys, a fairly up to date model that supports all those secure things like WPA2 and MAC filtering and that sort of thing. We noticed it was at certain times allowing us to bypass the login screen to the router. Had we stumbled upon a vulnerability in the web interface implementation?

After some analysis it turned out that it was only logging the MAC address on an interface that had logged in with correct credentials, allowing that interface to bypass credentials by just navigating to the URL of another page within the interface instead of entering credentials, for some amount of time before the router is reset.

While not a vulnerability per se, it is not exactly a security feature. For instance, if one happens to notice someone performing administrative tasks on the router over the wireless, one might ascertain a good MAC address similarly to beating MAC filtering.
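The design difference behind this behaviour, as an added example that is not the router's firmware or code from this post: a login check that remembers the MAC address next to one that issues a random, expiring session token. The class names, the 600-second lifetime and the sample MAC address are assumptions made up for illustration.

```python
import secrets
import time


class MacKeyedAuth:
    """Models the behaviour described above: login state is remembered per MAC."""

    def __init__(self):
        self.authed_macs = set()

    def login(self, mac, password_ok):
        if password_ok:
            self.authed_macs.add(mac.lower())
        return None  # no per-browser secret is issued

    def allow(self, mac, token=None):
        # Any request whose source MAC matches is treated as logged in.
        return mac.lower() in self.authed_macs


class TokenKeyedAuth:
    """Hardened form: login state is tied to a random token with an expiry."""

    def __init__(self, ttl=600, clock=time.monotonic):
        self.ttl, self.clock = ttl, clock
        self.sessions = {}  # token -> expiry time

    def login(self, mac, password_ok):
        if not password_ok:
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = self.clock() + self.ttl
        return token

    def allow(self, mac, token=None):
        expiry = self.sessions.get(token)
        if expiry is None or self.clock() >= expiry:
            self.sessions.pop(token, None)  # drop expired entries
            return False
        return True


def compare(admin_mac="00:11:22:33:44:55"):  # constructed sample MAC
    results = {}
    for name, auth in (("mac", MacKeyedAuth()), ("token", TokenKeyedAuth())):
        token = auth.login(admin_mac, password_ok=True)
        results[name] = {
            "admin_with_token": auth.allow(admin_mac, token),
            "same_mac_no_token": auth.allow(admin_mac.upper(), None),
        }
    return results
```

With the token-keyed check, a request that only matches the MAC address is sent back to the login page, and the session ends when its lifetime runs out rather than at the next router reset.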

Not a major vulnerability, but it was a bit of fun and most instructive in the process of accessing vulnerabilities.

Georgia