So you thought I couldn't get in?



Similar documents
9 Simple steps to secure your Wi-Fi Network.

VIDEO Intypedia012en LESSON 12: WI FI NETWORKS SECURITY. AUTHOR: Raúl Siles. Founder and Security Analyst at Taddong

Wireless Encryption Protection


Time Warner Cable Internet. Easy Connect Guide. Enjoy surfing at your own speed. Super fast.

Self Help Guide IMPORTANT! Securing Your Wireless Network. This Guide refers to the following Products: Please read the following carefully; Synopsis:

Particularities of security design for wireless networks in small and medium business (SMB)

Securing your Linksys WRT54G

Wi-Fish Finder: Who will bite the bait?

Setting up a WiFi Network (WLAN)

Simple Network Management Pwnd. Information Data Leakage Attacks Against SNMP

How Do People Use Security in the Home

Easy Connect Guide New Modem Installation - See page 2 Replacement Modem Installation - See page 9

Malware & Botnets. Botnets

Chapter 2 Configuring Your Wireless Network and Security Settings

Fibe Internet Connection Hub Reference Guide

MN-700 Base Station Configuration Guide

Methodology: Security plan for wireless networks. By: Stephen Blair Mandeville A. Summary

SEPTEMBER Volume 9, Issue 9 EMPLOYEES OF THE MONTH MANSFIELD OFFICE

ALL Mbits Powerline WLAN N Access Point. User s Manual

INFORMATION TECHNOLOGY MANAGEMENT COMMITTEE LIVINGSTON, NJ ITMC TECH TIP ROB COONCE, MARCH 2008

WiFi-SB-L3 300M WiFi Router WiFi Bridge WiFi Repeater. WiFi Router WiFi Repeater WiFi Bridge WiFi-SB-L3 Quick Setting Guide

Frequently Asked Questions

Configuring Wireless Security on ProSafe wireless routers (WEP/WPA/Access list)

Configuring Your Network s Security

WEP WPA WPS :: INDEX : Introduction :

WLAN Security Networking with Confidence

1 Your wireless setup guide

Configuring Routers and Their Settings

HSyE HIPAA Training. Summer 2015

Implementing Security for Wireless Networks

Frequently Asked Questions

Figure 1. The Motorola SB4200 cable modem

The Media Image of the Diabetic. the news says is "diabetes," "diabetics," and "obesity," so will my friends think I'm diabetic

Wireless LAN Security: Securing Your Access Point

WiFi Security Assessments

Network Security Best Practices

Quick Start Guide. WRV210 Wireless-G VPN Router with RangeBooster. Cisco Small Business

You may refer the Quick Installation Guide in the package box for more information.

Computing From Home. How to Access Rowan Network Resources When you Are Not On Campus. Marc Fleischner Network and System Services

SAFEGUARDING YOUR HOMEOWNERS ASSOCIATION AND COMMON AREAS

THE 123 OF WIRELESS SECURITY AT HOME 家 居 WIFI 保 安 123

Wireless LAN Pen-Testing. Part I

Chapter 2 Wireless Settings and Security

The Real State of WiFi Security in the Connected Home August 25, 2015

STILETTO 2 Wi-Fi & Hotspot Troubleshooting Guide

Setting Up Your Wireless Network

AC750 WiFi Range Extender

United States Trustee Program s Wireless LAN Security Checklist

Connecting to the Internet. LAN Hardware Requirements. Computer Requirements. LAN Configuration Requirements

Question How do I access the router s web-based setup page? Answer

The next generation of knowledge and expertise Wireless Security Basics

Catapult PCI Compliance

How to configure Mac OS X Server

Securing your Linksys Wireless Router BEFW11S4 Abstract

Sweex Wireless BroadBand Router + 4 port switch + print server

Security Considerations for Cellular 3G Modems & 3G Wireless Routers

Transcription. Crashplan vs Backblaze. Which service should you pick the short version

Top 10 Security Checklist for SOHO Wireless LANs

INFORMATION TECHNOLOGY. Revised May 07. Home Networking Guide

How To Sniff Network Traffic

How To Set Up A Computer With A Network Connection On A Cdrom 2.5 (For A Pc) Or Ipad (For Mac) On A Pc Or Mac Or Ipa (For Pc) On An Ipad Or Ipro (

Wireless Pre-Shared Key Cracking (WPA, WPA2)

If you lost all of your data right now... What would you do?... Backup Plan For Home Users and Very Small Businesses

Nighthawk AC1900 WiF Range Extender

Static Business Class HSI Basic Installation NETGEAR 7550

You don t hear me but your phone s voice interface does. José LOPES ESTEVES & Chaouki KASMI

IN THIS GUIDE YOU WILL LEARN HOW TO GET YOUR ROUTER GOING IN NO TIME THE INCREDIBLY EASY GUIDE TO SETTING UP YOUR DGN2200 WIFI MODEM ROUTER

Tax and Accounting Document Delivery

Cisco Virtual Office Express

Recommended Wireless Local Area Network Architecture

N600 WiFi USB Adapter

Chapter 3 Safeguarding Your Network

Using Wireless Technology Securely

Basic Computer Security Part 2

Wireless Networks. Welcome to Wireless

CONNECTING THE RASPBERRY PI TO A NETWORK

Certified Wireless Security Professional (CWSP) Course Overview

Cyber Security Awareness

PowerShell. It s time to own. David Kennedy (ReL1K) Josh Kelley (Winfang) Twitter: dave_rel1k

Get Connected! How to Configure Your Computer for MITnet. Red Hat Enterprise Linux Mac OS X Windows XP Professional, Vista

WLAN Authentication and Data Privacy

Online Backup by Mozy. Common Questions

Multi-Factor Authentication

Conceptronic 150N Wireless LAN Access Point User s Manual Version: 1.0

WEP WPA WPS :: INDEX : Introduction :

Installing Cable Modem Software Drivers

Apple AirPort Extreme (ME918ZP/A) Router Guide (MAC OS version)

Netcomm NB604N. Modem Configuration Guide. Netcomm NB604N. Configuring in Layer2 PPPoE for Windows XP and 2000 IMPORTANT MESSAGE

Using Microsoft Vista and Windows XP to Manage Wireless Network Connections

WHITE PAPER. WEP Cloaking for Legacy Encryption Protection

Transcription:

So you thought I couldn't get in? Compromising ISP issued 802.11 wireless cable modem networks for profit. By: GuerrillaWarfare Email: gwf@gwf.ninja Company: WarGamesLabs Twitter: https://twitter.com/guerrillawf Github: https://github.com/guerrillawarfare

Agenda Who am I? (yes, a bit of narcissism) The research (What I found) Exploit code (yes, it is indeed an exploit look up the word exploit ) End.

Who am I? GuerrillaWarfare a.ka. gwf a.k.a. gwaffles a.ka. G-Dubs Offensive Software Developer @WarGamesLabs An entity that posts code, then takes it down cause it sucks. Avid book reader. An angry Guerrilla! (not to be confused with Gorilla) Mystic nerd with a passion.

The Research part 1 So about a year ago, I bought some cable service from TWC (Time Warner Cable). The cable technician comes out, I watch him whip out his fancy shmancy laptop. My mind is blown. He tells me, that you shouldn't be worried about hackers, it would take a very very long time for someone to crack your wifi. It's impossible. and so here I am today, showing you that it's damn sure NOT impossible and how it can be done. 1. I take that stupid technician up on his impossible challenge and I begin to do research. 2. I find what I think is a correlation between the SSID and the MAC address. I was wrong! 3. I take a took at the WPA2 Key on the side of the Cable Modem. It was U10C0FE2A2292 (13 Characters long) at the time. 4. I find the correct correlation between the WPA2 Key and the Broad-casted SSID. 5. I laugh. Very hard.

The Research part 2 7. I confirm that the attack works well and it does! So by this time last year, I was going to publish this bit of research but life happened. So here you are now checking it out. I'm not the 1 st entity to ever show that this was possible, but no one seems to give a fuck, so why not viscerally embarrass ISPs and compromise most deployed 802.11 WPA2 cable modem networks out there right? This year I did a lot more research pertaining to this specific subject. Since my neighborhood (within a => 7 mile radius) is riddled with ISP issued 802.11 capable cable modems. I went out into the field and did some work. I'm not going to explain how to capture a handshake or anything of that nature, because if you are reading this presentation you should know how to do so. Long story short: I was able to compromise more than 50+ ISP issued 802.11 Cable Modem networks with ease. Scary huh? and you thought the NSA couldn't get your password. Ha!

The Research part 3 1 st off let me display a list of affected cable modem by model numbers. TG852G DDW3611 U10C022 DG860A TG862G DWG875 SBG6580 DDW365 DVW3201B 2 nd You guessed right. 9 Different model numbers with basically the same password. Lulz!

The Research Part 4 Each one of the models I've shown you so far have a 4 character keyspace of entropy. Meaning, there is only entropy of 4 characters. The parenthesis represents the 4 characters of Entropy For example: ESSID: DVW3201BC8 KEY: DVW3201B(FC04)C8 ESSID: DDW365BB KEY: DDW365(E061)BB ESSID: SBG658003 KEY: SBG6580(578A)03 ESSID: DWG87556 KEY: DWG875(9E00)56 ESSID: TG862G42 KEY: TG862G(BF51)42

The Research Part 5 The main deployed keyspace (character array/list) within these models are hexadecimal, 0-9A-F (hex-upper when using crunch ). The only other keyspace used is 0-9A-Z (ualpha-numeric in crunch ). I use both keyspaces in Crippled. Equipped with a machine that can perform on average 4K p/s when using aircrack-ng I found that each key could be recovered within less than 20 seconds! Using the hexupper character set from crunch. It takes about 5 minutes on average with the ualphanumeric character set from crunch. Scared yet? You should be. The next couple of slides will be picture demos of said research. There is an additional video demo that is already up at the Armory, in the demos folder.

Exploit Code: PoC GTFO In the past if you have visited my github repositories before, you may or may not have seen Crippled. The WPA2 Access Point Default key generator. Currently I have taken it down to completely rewrite it in C (before it was in python.). Once it is back up It will not be taken down again (Python was shitty for this task.). For now I will include the python version as a zipped archive which will be in the presentations folder. Here is a picture of Crippled what looks like (The python version):

THE END Mitigations? isn't it obvious what should be done here if you want privacy?

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information