Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
What are some tools that I can try to crack my router's username and password with? In the event of someone breaking my WPA encryption, I want to see how well my router username and password hold up.
I'm guessing it would just be a general password cracker, but one specifically for a router.
Well, I can tell you right now that most WPA/WPA2 encryption will keep most war drivers away unless they are REALLY desperate. I wouldn't worry about it, TBH.
I'm pretty familiar with war driving. Call me super paranoid, but could you please humor me? I wouldn't say I'm keeping national secrets, but I do have sensitive information.
Make sure you don't use UPnP. That will enable an attacker to open ports. Also make sure that you don't allow configuration via WAN or wireless. A Cisco router, for example, uses basic authentication with the password being encrypted with base64, which is really cleartext. So if someone is on your network, they may be able to sniff your password when you log into the router to configure it. If you make these two mistakes, an attacker may be able to retrieve the WPA password in a config.bin file (according to the pauldotcomsecurity podcast). Make sure to keep your router's firmware up to date. I use a random 32-byte PSK (64 hex digits).
Last edited by jschiwal; 01-23-2008 at 05:37 PM.
Reason: correction. /bin -> config.bin
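A concrete look at the "base64 is really cleartext" point in the post above, as an added example that is not code from the thread or from any router vendor: given one HTTP request sniffed by a host that can see the traffic (a wireless neighbour when wireless configuration is allowed, or anyone on the WAN side when WAN configuration is allowed), recover the router login from the Authorization header. The captured request, its host, path and credentials are constructed for the example.

```python
"""Recover HTTP Basic-auth credentials from a sniffed router-admin request.

Added example, not from the thread. The request below is constructed (host,
path and credentials are made up) to show what a passive sniffer sees when a
router's web UI uses Basic auth over plain HTTP: base64 is an encoding, not
encryption (RFC 7617), so the login is one decode away.
"""
import base64
import binascii
import re

# Constructed sample: one sniffed request to a router's web UI (hypothetical values).
CAPTURED_REQUEST = (
    b"GET /setup.cgi HTTP/1.1\r\n"
    b"Host: 192.168.1.1\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"Authorization: Basic YWRtaW46aHVudGVyMg==\r\n"
    b"Connection: keep-alive\r\n"
    b"\r\n"
)

# Header lines end in \r\n; \s* before $ swallows the \r under re.M.
_AUTH_RE = re.compile(rb"^Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)\s*$", re.I | re.M)
_HOST_RE = re.compile(rb"^Host:\s*(\S+)\s*$", re.I | re.M)


def decode_basic(token: bytes):
    """Return (user, password) from a Basic-auth token, or None if it is malformed.

    The token is base64("user:password"). validate=True rejects characters
    outside the base64 alphabet instead of silently skipping them.
    """
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    if b":" not in raw:
        return None
    user, _, password = raw.partition(b":")
    return user.decode("utf-8", "replace"), password.decode("utf-8", "replace")


def extract_basic_credentials(request: bytes):
    """Pull every Basic-auth credential pair out of one captured HTTP request.

    Returns a list of (host, user, password); empty if the request carries no
    usable Basic header. Does not handle a header split across TCP segments.
    """
    host_m = _HOST_RE.search(request)
    host = host_m.group(1).decode("ascii", "replace") if host_m else "?"
    found = []
    for m in _AUTH_RE.finditer(request):
        creds = decode_basic(m.group(1))
        if creds is not None:
            found.append((host, creds[0], creds[1]))
    return found


if __name__ == "__main__":
    for host, user, pw in extract_basic_credentials(CAPTURED_REQUEST):
        print(f"{host}: {user} / {pw}")
```

Feed it the TCP payloads from a capture (Wireshark's "Follow TCP stream" output, or a packet library) instead of the constructed request and the same function applies; the only thing standing between a sniffer and the router login here is whether the management interface is reachable on a segment the attacker can read.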
Slayer, I'm already familiar with WEP/WPA cracking. Ethical, of course.
Lordfu, I've booted up Backtrack before, never saw anything for router cracking. Then again, I wasn't looking for it. I saw some new features for 3.0 that look awesome. Cookie cloning and such. Pretty cool. I'll have to look for that CD... it's lying around here somewhere.
Jschiwal... how can someone, who doesn't have the WPA password, sniff out my username and password for the router and then obtain the WPA password? Wouldn't they have to be connected to the network in order to login to the router? You can't do that without having the WPA password first. If by chance they did sniff it out (assuming they're not connected to the network), they would still have to find out my IP address given by my ISP AND remote login would have to be enabled on the router to obtain the information. Unless I'm totally missing something here (I've been wrong before, MANY TIMES).
If you have WAN configuration enabled, they can use brute force. If you allow WLAN configuration, someone at another host on your network could sniff the password. I didn't see the demonstration, but port scanning revealed that uClinux was used and that the router hadn't been updated with newer firmware. An unpatched vulnerability may have been used. Yes, if you can connect wirelessly, you already have the PSK. If you are connected via an ethernet cable, I suppose you have to attack the switch before you can sniff traffic unless you can do something with ARP. I'm not a hacker or white hat, so I'm not someone who could do that. In a corporate or public environment, a RADIUS server will be used to issue a key to the router for each user. There may be a bigger threat here if one user can retrieve the key issued to another user.
WPA1 is susceptible to a brute force attack. A good password is a must.
Here is a one-liner that I use to generate a random key:
Code:
# 32 random bytes from /dev/random, printed as 64 hex digits (the raw-PSK form WPA accepts).
# -An drops od's offset column and -v keeps every line, so all 32 bytes are printed
# (the earlier sed version printed only od's first line, i.e. 16 bytes / 32 hex digits).
dd bs=1 count=32 if=/dev/random 2>/dev/null | od -An -v -t x1 | tr -d ' \n'; echo
Besides routers, other embedded devices like printers may become targets. Printers tend to not get updated. Some printers use embedded XP and present a juicy target for hackers who would just love to retrieve the document cache. Recently, it was discovered that an LCD picture frame model was infected with a virus in the factory. It tries to spread to Windows computers via the USB port.
I don't think they sell Norton anti-virus for picture frames!
Virus in a picture frame, pretty humorous. I work for Cartridge World... I once had a customer accuse me of putting a virus on her toner cartridge. "MY AVG CAME UP AND SAID THERE WAS A VIRUS! THERE WAS NOTHING THERE BEFORE THE PRINTER CARTRIDGE WAS REFILLED! YOU PUT A VIRUS ON MY CARTRIDGE! LET ME SPEAK TO YOUR BOSS!" That made my day.
Anyway, the layout you're describing is small business or a corporate environment. I just have one computer with the router attached and another desktop on the network attached via wireless. If someone were to crack the wireless encryption (WPA2), how could they crack the username and password on the router? My guess is a cracker, brute force it. Otherwise, how would it be done? Would they use a program like Wireshark to view all traffic or is there another method? I would like to know so I know how to protect myself and advance my own knowledge.
The two holes that he found in a Linksys router (supplied by SANS) in the demonstration were UPnP and not having up to date firmware. In my opinion, attacking a router would be similar to attacking a server. Identify the ports and the OS. Use that info to break in due to known vulnerabilities. So your best defense is to make sure you have updated the firmware, use a good passphrase for WPA & the router config, don't use UPnP, don't allow wireless configuration or WAN configuration, and don't use the DMZ feature of the router. There is a brute force technique where you overload the switch's MAC table; I don't know if this would make the router vulnerable, but it is used to cause some switches to act like a hub. One may even need to track whether there is a firmware update available for a switch, which often will have an embedded computer running some sort of OS.
Suppose you had a roommate who used a computer without root access, and you configured the computer to authenticate with your wireless router at boot, from the info in /etc/sysconfig/network/ifcfg-wlan0. This file contains the WPA preshared key. It is only readable by root. If that user can sniff the network when you type in your router password, he can gain knowledge of the username and password. ( Although booting with a live distro would give the same info if you authenticate using a PSK. )
From outside the network, I don't know if hackers are able to crack into WPA wireless networks that don't use dictionary words in the key. I once ran a password cracker against my regular user password and it didn't come up with the answer running overnight. A 32-byte random key would be a lot harder to crack. The problem with WEP isn't the RC4 encryption. It is that it makes key discovery easy. Hopefully if you follow the proper safeguards, a hacker will look for lower hanging fruit.
It may be possible with recorded encrypted traffic to eventually break it by trying every possible key. WPA doesn't protect against brute force but that would be very expensive ( or take a lot of luck ).
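The brute-force discussion above and the random-key one-liner earlier in the thread turn on the same mechanism, shown here as an added example that is not code from the thread: WPA/WPA2-PSK derives the 256-bit pairwise master key from a passphrase with PBKDF2-HMAC-SHA1, salted with the SSID, 4096 iterations (IEEE 802.11i), so every offline guess costs 4096 HMAC operations; a 64-hex-digit PSK of the kind the one-liner produces is used as that key directly, so there is no passphrase to guess. The SSID, the weak target passphrase and the wordlist are constructed; the dictionary attack compares against a known PMK as a stated simplification, where a real attack checks each candidate against the MIC of a captured 4-way handshake at the same per-guess cost.

```python
"""WPA/WPA2-PSK key derivation and what an offline guess costs.

Added example, not from the thread. Shows the 802.11i passphrase-to-PSK
mapping (PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds, 256-bit output), that a
64-hex-digit raw PSK skips that mapping entirely, and a dictionary attack
against a constructed network to make the per-guess cost visible.
"""
import hashlib
import hmac
import secrets
import time


def passphrase_to_pmk(passphrase: str, ssid: str) -> bytes:
    """802.11i passphrase-to-PSK mapping: PBKDF2-HMAC-SHA1, 4096 iterations, 32 bytes."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases are 8-63 characters")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("utf-8"), ssid.encode("utf-8"), 4096, 32
    )


def hex_psk_to_pmk(hex_psk: str) -> bytes:
    """A 64-hex-digit PSK is the PMK itself; nothing is derived from it."""
    pmk = bytes.fromhex(hex_psk)
    if len(pmk) != 32:
        raise ValueError("raw PSK must be exactly 32 bytes / 64 hex digits")
    return pmk


def random_hex_psk() -> str:
    """Same thing the dd | od one-liner does: 32 random bytes as 64 hex digits."""
    return secrets.token_hex(32)


def dictionary_attack(target_pmk: bytes, ssid: str, wordlist):
    """Offline guessing loop. Returns (passphrase, guesses) or (None, guesses).

    Simplification (assumption): the candidate is compared against a known PMK;
    a real attack would test it against the MIC in a captured 4-way handshake.
    The cost per guess, one PBKDF2 run, is the same either way. Candidates
    outside the 8-63 character range can never be the passphrase and are skipped.
    """
    guesses = 0
    for candidate in wordlist:
        guesses += 1
        try:
            pmk = passphrase_to_pmk(candidate, ssid)
        except ValueError:
            continue
        if hmac.compare_digest(pmk, target_pmk):
            return candidate, guesses
    return None, guesses


def guesses_per_second(ssid: str, sample: int = 50) -> float:
    """Rough single-core rate, to put the cost of a brute-force run in perspective."""
    start = time.perf_counter()
    for i in range(sample):
        passphrase_to_pmk(f"benchmark{i:04d}", ssid)
    return sample / (time.perf_counter() - start)


if __name__ == "__main__":
    ssid = "homenet"  # constructed network name
    target = passphrase_to_pmk("sunshine1", ssid)  # constructed weak passphrase
    wordlist = ["password", "letmein", "sunshine", "sunshine1", "qwertyui"]  # constructed
    print("dictionary attack:", dictionary_attack(target, ssid, wordlist))
    rate = guesses_per_second(ssid)
    years = 2 ** 256 / rate / 3.15e7
    print(f"~{rate:.0f} guesses/s on this core; exhausting 2**256 raw PSKs: ~{years:.2e} years")
    print("fresh raw PSK:", random_hex_psk())
```

The SSID-as-salt detail is why a passphrase reused across two networks still costs the attacker two derivations, and why precomputed tables only exist for common SSIDs; a random 64-hex-digit PSK sidesteps the whole question because the key space is the full 256 bits rather than whatever a wordlist covers.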