D-Link Routers: One Hack to Own Them All

January 9th, 2010

We’ve been on hiatus over the past few months working on other projects, but last week we re-focused on D-Link routers. While we previously found a flaw in D-Link’s CAPTCHA implementation, this time around we’ve found a way to view and edit D-Link router settings without any administrative credentials.

The short story is that D-Link routers have a second administrative interface, which speaks the Home Network Administration Protocol (HNAP): a SOAP-over-HTTP interface that is separate from the web UI the user sees. While HNAP does require HTTP Basic authentication, the mere existence of HNAP on D-Link routers allows attackers and malware to bypass the CAPTCHA “security” on the web interface, since the CAPTCHA guards only one of the two doors. Further, HNAP authentication is not properly implemented, allowing anyone to view and edit administrative settings on the router.

HNAP appears to have been implemented in D-Link routers since 2006, and cannot be disabled. We have verified that vulnerabilities exist in the HNAP implementations of the DI-524, DIR-628 and DIR-655 routers, and suspect that most, if not all, D-Link routers since 2006 are vulnerable.
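As an added example (not SourceSec's HNAP0wn tool, which the post links), the C below builds the raw HNAP request that a probe would send to a router and pulls fields out of the reply. The endpoint /HNAP1/, the SOAP 1.1 envelope and the quoted SOAPAction header come from the HNAP specification; the host, the credential and the sample reply at the bottom are constructed for illustration, not captured from a device. GetDeviceSettings is the discovery call that returns the list of actions a device supports, which is the quickest way to confirm that a router exposes HNAP at all.

```c
/* Added example (not SourceSec's HNAP0wn): build a raw HNAP request and
 * extract fields from the reply.  Endpoint, envelope and SOAPAction header
 * follow the HNAP specification; SAMPLE_REPLY is constructed, not captured. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define HNAP_NS "http://purenetworks.com/HNAP1/"

/* Standard base64, used for the HTTP Basic credential "user:pass".
 * Returns the encoded length, or 0 if out is too small. */
size_t b64_encode(const unsigned char *in, size_t n, char *out, size_t outsz)
{
    static const char tbl[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    size_t i, o = 0;
    if (outsz < ((n + 2) / 3) * 4 + 1) return 0;
    for (i = 0; i < n; i += 3) {
        unsigned v = in[i] << 16;
        if (i + 1 < n) v |= in[i + 1] << 8;
        if (i + 2 < n) v |= in[i + 2];
        out[o++] = tbl[(v >> 18) & 63];
        out[o++] = tbl[(v >> 12) & 63];
        out[o++] = i + 1 < n ? tbl[(v >> 6) & 63] : '=';
        out[o++] = i + 2 < n ? tbl[v & 63] : '=';
    }
    out[o] = '\0';
    return o;
}

/* Build the complete HTTP request for one parameterless HNAP action.
 * cred is "user:pass" for an authenticated call or NULL for none.
 * Returns the number of bytes written, or 0 if a buffer would overflow. */
int hnap_build_request(char *out, size_t outsz, const char *host,
                       const char *action, const char *cred)
{
    char body[512], auth[160] = "", b64[128];
    int blen = snprintf(body, sizeof body,
        "<?xml version=\"1.0\" encoding=\"utf-8\"?>"
        "<soap:Envelope xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\">"
        "<soap:Body><%s xmlns=\"" HNAP_NS "\"/></soap:Body></soap:Envelope>",
        action);
    if (blen < 0 || (size_t)blen >= sizeof body) return 0;
    if (cred) {   /* HNAP authenticates with HTTP Basic: base64("user:pass") */
        if (!b64_encode((const unsigned char *)cred, strlen(cred), b64, sizeof b64))
            return 0;
        snprintf(auth, sizeof auth, "Authorization: Basic %s\r\n", b64);
    }
    /* The SOAPAction value is the full namespace URI plus the action, in quotes. */
    int n = snprintf(out, outsz,
        "POST /HNAP1/ HTTP/1.1\r\nHost: %s\r\n"
        "Content-Type: text/xml; charset=\"utf-8\"\r\n"
        "SOAPAction: \"" HNAP_NS "%s\"\r\n"
        "%sContent-Length: %d\r\nConnection: close\r\n\r\n%s",
        host, action, auth, blen, body);
    return (n > 0 && (size_t)n < outsz) ? n : 0;
}

/* Copy the text of the first <tag>...</tag> in xml into out.  HNAP replies
 * are flat and machine-generated, so a string search is enough here.
 * Returns 1 on success, 0 if the tag is absent or the value does not fit. */
int hnap_get_field(const char *xml, const char *tag, char *out, size_t outsz)
{
    char otag[64], ctag[64];
    snprintf(otag, sizeof otag, "<%s>", tag);
    snprintf(ctag, sizeof ctag, "</%s>", tag);
    const char *s = strstr(xml, otag);
    if (!s) return 0;
    s += strlen(otag);
    const char *e = strstr(s, ctag);
    if (!e || (size_t)(e - s) >= outsz) return 0;
    memcpy(out, s, e - s);
    out[e - s] = '\0';
    return 1;
}

/* Constructed GetDeviceSettings reply in the shape the specification gives
 * (vendor, model, firmware and the list of supported SOAP actions). */
const char SAMPLE_REPLY[] =
    "<soap:Envelope xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\">"
    "<soap:Body><GetDeviceSettingsResponse xmlns=\"" HNAP_NS "\">"
    "<GetDeviceSettingsResult>OK</GetDeviceSettingsResult>"
    "<VendorName>D-Link</VendorName><ModelName>DIR-655</ModelName>"
    "<FirmwareVersion>1.00</FirmwareVersion>"
    "<SOAPActions><string>" HNAP_NS "GetDeviceSettings</string>"
    "<string>" HNAP_NS "GetWLanRadios</string></SOAPActions>"
    "</GetDeviceSettingsResponse></soap:Body></soap:Envelope>";

int main(void)
{
    char req[1024], model[64];
    if (hnap_build_request(req, sizeof req, "192.168.0.1", "GetDeviceSettings", NULL))
        fputs(req, stdout);                 /* bytes to send to the router, port 80 */
    if (hnap_get_field(SAMPLE_REPLY, "ModelName", model, sizeof model))
        printf("\nmodel: %s\n", model);
    return 0;
}
```

Send the bytes that hnap_build_request() returns over a plain TCP connection to port 80 and hand the response body to hnap_get_field(). The Authorization header is attached only when a credential is supplied, so the same builder serves the unauthenticated discovery call and the authenticated setting reads; a device that answers GetDeviceSettings on /HNAP1/ has HNAP enabled whether or not the web UI shows it.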

You can read our full write-up here, and download our POC tool, HNAP0wn, here.


Hacking The Network Inside Out

May 9th, 2009

We just finished our talk at ChicagoCon, and it was awesome! We’re posting the slides up here for those of you who couldn’t make it to the con. A quick overview of our talk:

Our presentation focuses on SOHO router security, specifically, exploiting router vulnerabilities to gain direct access to the internal WiFi network without having to crack encryption keys.

We discuss various methods of router reconnaissance, including some new tools that we’ve written specifically for this purpose, how to obtain WPA keys using simple HTML img tags, and how to own the WiFi network remotely using anti-DNS pinning attacks.

We even throw in some hardware hacks, describing how to implant a hardware backdoor into a router’s WPA encryption using nothing more than a stick of gum or a simple $8 circuit.

Download the slides here!

Plug-N-Play Network Hacking

December 4th, 2008

I’ve just published a new article on my column over at Ethical Hacker describing the UPnP protocol, and how to hack it using Miranda. Don came up with a great image for the article too…you can check it out here!


Hacking the Routers: SOHO Router Security

November 9th, 2008

We’ve been taking a close look at some popular SOHO routers lately, and have started to find some really interesting stuff. It’s actually a little disconcerting – I don’t think that we have seen a router that doesn’t contain some type of exploitable vulnerability. We’ve written up a preliminary paper detailing some of the issues that we’ve discovered; there are some other, more serious issues that we’re still in the middle of investigating and we’ll hopefully have more information about those up here soon. An excerpt from the introduction:

With embedded devices permeating today’s home networks, they have begun to attract a higher level of scrutiny from the security community than in previous years. In particular, the members of GNUCitizen have been relentlessly testing routers and wireless access points. Their discovery of multiple vulnerabilities in the BT Home Hub router affected a wide range of home networks in the UK [1], and their Router Hacking Challenge prompted a flurry of vulnerability reports against a variety of popular home routers, including the venerable Linksys WRT54G [2]. Specific vulnerabilities in home routers range from traditional Web attacks, such as XSS and CSRF, to authentication bypass attacks and buffer overflows; it is assumed that the reader has at least a passing knowledge of the attacks described in this paper.

The purpose of this paper is to outline the security measures being taken by vendors to prevent such attacks in their home routing products, what those security measures accomplish, and where they fall short. We will use existing network tools to examine common vulnerabilities in a range of popular devices and demonstrate weaknesses in the security of those devices; additionally, we will examine common trends in security measures that have been duplicated across vendors, and examine how those trends help and hinder the security of their devices. In particular, we will examine the following home routers, which are some of the latest offerings from their respective vendors at the time of this writing:

 

  • Linksys WRT160N
  • D-Link DIR-615
  • Belkin F5D8233-4v3
  • ActionTec MI424-WR

 

Read the entire article here.


Windows DLL Redirection

November 3rd, 2008

In Windows, all applications must communicate with the kernel through API functions; as such, these functions are critical to even the simplest Windows application. Thus, the ability to intercept, monitor, and modify a program’s API calls, commonly called API hooking, effectively gives one full control over that process. This can be useful for a multitude of reasons, including debugging, reverse engineering, and hacking (in all interpretations of the word).

While there are several methods which can be used to achieve our goal, this tutorial will examine only DLL redirection. This approach was chosen for several reasons:

  • It is relatively simple to implement.
  • It allows us to view and modify parameters passed to an API function, change return values of that function, and run any other code we desire.
  • While most other methods require code to be injected into the target process or run from an external application, DLL redirection requires only write access to the directory the target executable is loaded from, which is the first place the Windows loader looks when resolving a DLL by name.
  • We can intercept any API call without modifying the target (either on disk or in memory) or any system files.
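As an added example (not the code from the article) of the proxy-DLL shape this technique takes, the C below assumes a hypothetical target that imports `int Connect(const char *host, int port)` from `netlib.dll`; both names are made up for illustration, as is the host allowlist. Built with a Windows toolchain as netlib.dll and dropped into the target's own directory, it is what the loader binds the target to. Every call is logged and checked against the policy, then either refused (a modified return value) or forwarded to the genuine DLL, which the proxy loads by explicit path from the system directory so that the bare name cannot resolve back to the proxy itself. The Windows glue sits under `#ifdef _WIN32`; the inspection and policy code is plain C and compiles anywhere.

```c
/* Added example (not the article's code): a DLL-redirection proxy.
 * Hypothetical target imports  int Connect(const char *host, int port)
 * from netlib.dll.  Build as netlib.dll (MinGW: gcc -shared -o netlib.dll proxy.c)
 * and place it next to the target executable; the loader searches that
 * directory first, so the target binds to this proxy instead of the real DLL. */
#include <stdio.h>
#include <string.h>

#define MAX_LINE 256

/* Assumed policy: only hosts under this suffix may be contacted. */
static const char *ALLOWED_SUFFIX = ".example.com";

/* Parameter inspection: returns 1 if the intercepted call may proceed. */
int hook_allow(const char *host)
{
    size_t hl = strlen(host), sl = strlen(ALLOWED_SUFFIX);
    if (hl < sl) return 0;
    return strcmp(host + hl - sl, ALLOWED_SUFFIX) == 0;
}

/* One log record per intercepted call; returns the number of characters. */
int hook_log_line(char *out, size_t n, const char *fn,
                  const char *host, int port, int allowed)
{
    return snprintf(out, n, "%s(\"%s\", %d) -> %s",
                    fn, host, port, allowed ? "forwarded" : "blocked");
}

#ifdef _WIN32
#include <windows.h>

typedef int (*Connect_t)(const char *, int);
static Connect_t real_Connect;

/* Resolve the genuine export lazily, on first use rather than in DllMain
 * (loading libraries under the loader lock is discouraged).  The real DLL is
 * opened by full path under the system directory: a bare "netlib.dll" would
 * resolve to this proxy again. */
static Connect_t resolve_real(void)
{
    static HMODULE real;
    char path[MAX_PATH];
    if (real_Connect) return real_Connect;
    UINT len = GetSystemDirectoryA(path, MAX_PATH);
    if (len == 0 || len + sizeof("\\netlib.dll") > MAX_PATH) return NULL;
    strcat(path, "\\netlib.dll");
    real = LoadLibraryA(path);
    if (real) real_Connect = (Connect_t)GetProcAddress(real, "Connect");
    return real_Connect;
}

/* Same name and signature as the genuine export; the target cannot tell. */
__declspec(dllexport) int Connect(const char *host, int port)
{
    char line[MAX_LINE];
    int allowed = hook_allow(host);
    hook_log_line(line, sizeof line, "Connect", host, port, allowed);
    OutputDebugStringA(line);           /* visible in a debugger or DebugView */
    if (!allowed) return -1;            /* changed return value: call refused */
    Connect_t real = resolve_real();
    if (!real) return -1;               /* genuine DLL missing: fail closed */
    return real(host, port);            /* parameters forwarded untouched */
}
#else
/* Stand-alone demonstration of the inspection logic on a non-Windows host,
 * using two constructed calls. */
int main(void)
{
    char line[MAX_LINE];
    const char *hosts[] = { "api.example.com", "updates.evil.test" };
    for (int i = 0; i < 2; i++) {
        hook_log_line(line, sizeof line, "Connect", hosts[i], 443, hook_allow(hosts[i]));
        puts(line);
    }
    return 0;
}
#endif
```

The policy is a stand-in for whatever inspection the hook needs; the shape that matters is the split between the exported replacement, which sees every parameter and decides the return value, and the explicit-path load of the genuine DLL, which keeps the proxy from recursing into itself and leaves the target binary and the system copy untouched.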

The full article has been posted on EthicalHacker.net and milw0rm.com.
