Tuesday, February 20, 2024

The inadvertent router pen test story

The History

A few weeks ago I started a small project to document the devices in my home network. I had recently purchased a VPN device so I wanted a clear understanding of where it would fit.

In 2019, after upgrading my Wi-Fi to Google, I repurposed my older Netgear R8000. As part of that project I re-imaged it, replacing the Netgear OS with open-source ddWRT, and switched off all the Wi-Fi. So it essentially became a 4-port switch to connect my ethernet devices, and it stayed, pretty much forgotten, until recently.

Now

During the documentation phase, I thought I might take the opportunity to update the ddWRT version since it was going to be a bit out of date.

That should be simple enough: log in, apply the new image, reboot... but I couldn't log in.

I tried a few of the username/password combinations I would have used back then. I looked up the defaults just in case it had reset itself at some point, but that failed too.

I did a search on my machine to see if I'd documented it, but found nothing.

The Hacking

This was the opportunity to practice the hacking skills I'd been learning via Hack the Box.

1. Nmap

An Nmap scan revealed that HTTP (80) and SSH were open. No real surprises there, but we'll come back to this later.

2. Burpsuite

Browsing to the login page revealed the login process. From this I was able to capture the submission of the username and password and determine that the router used HTTP basic authentication. With basic auth the browser sends the username and password as a base64-encoded username:password string in the Authorization header; base64 is encoding, not encryption, so anyone who captures the request over plain HTTP can read the credentials straight back out.

I ran a few tests with the intercepted request and was able to craft one that appeared to submit the username/password combination correctly and get a 'code 200' response from the router.

So now it was time to build out my 2 custom word lists.

The first was a list of possible usernames: a combination of the defaults one might expect plus all of the ones I might have used, including variants in lowercase, Capitalised and ALL CAPS. So a list of around 20-25 entries.

The second was a list of all the possible passwords I might have set, plus the usual defaults, again with the variations in capitalisation.

I then ran these through Intruder against the router login page, with no luck.

I was reasonably confident that I'd set up the parsing of the wordlists correctly, but there was a chance I was getting a bad response.
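What the Intruder run above actually does, as an added example (my code, not something from the post or from Burp): a stand-in for the router's basic-auth login page plus the two-wordlist attack against it, so you can see the exact header Burp captures, that base64 decodes straight back to the credentials, and that the 401/200 status code is the signal to key on. The router credentials and the wordlists are constructed for the demo; a real device will also have rate limiting or lockouts that this stand-in does not model.

```python
import base64
import hmac
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Constructed stand-in for the router's admin page (assumption for the
# example: these are the only credentials it accepts).
VALID_USER = "admin"
VALID_PASS = "Tr0ub4dor"


def basic_auth_header(user: str, password: str) -> str:
    """Build the header Burp shows: 'Basic ' + base64("user:password")."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return "Basic " + token


def decode_basic_auth(header: str) -> tuple:
    """Undo it: base64 is reversible encoding, not encryption."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic auth header")
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


class RouterLoginHandler(BaseHTTPRequestHandler):
    """Minimal basic-auth protected page: 200 on a match, 401 otherwise."""

    def do_GET(self):
        sent = self.headers.get("Authorization", "")
        expected = basic_auth_header(VALID_USER, VALID_PASS)
        if hmac.compare_digest(sent.encode(), expected.encode()):
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"router management page")
        else:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="router"')
            self.end_headers()

    def log_message(self, *args):  # keep the console quiet
        pass


def start_server() -> HTTPServer:
    """Start the stand-in router on a free loopback port in a daemon thread."""
    server = HTTPServer(("127.0.0.1", 0), RouterLoginHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def try_login(url: str, user: str, password: str) -> int:
    """One Intruder-style attempt; returns the HTTP status code."""
    req = Request(url, headers={"Authorization": basic_auth_header(user, password)})
    try:
        with urlopen(req, timeout=5) as resp:
            return resp.getcode()
    except HTTPError as err:
        return err.code  # 401 is the normal "wrong credentials" answer


def brute_force(url, usernames, passwords):
    """Cluster-bomb over both lists: first (user, password) that gets 200, else None."""
    for user in usernames:
        for password in passwords:
            if try_login(url, user, password) == 200:
                return user, password
    return None


if __name__ == "__main__":
    server = start_server()
    url = f"http://127.0.0.1:{server.server_address[1]}/"
    # Constructed wordlists in the spirit of the post: defaults plus guesses.
    users = ["root", "Admin", "ADMIN", "admin"]
    passwords = ["password", "admin", "Tr0ub4dor"]
    print("decoded:", decode_basic_auth(basic_auth_header("admin", "admin")))
    print("hit:", brute_force(url, users, passwords))
    print("miss:", brute_force(url, ["root"], ["password"]))
    server.shutdown()
```

The "miss" case is the situation in the post: a run that never sees a 200 only proves the real credentials are not in the lists tried, not that the device is locked down. Before trusting a miss, confirm that a deliberately wrong pair gets a 401 and not, say, a 403 or a redirect from a lockout, because that would make every guess look like a failure.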

3. Metasploit

Nmap had revealed that SSH was open, so I used Metasploit's SSH login scanner module (auxiliary/scanner/ssh/ssh_login) with the same two wordlists as above and let that run.

So I set RHOSTS and the 2 wordlists and fired it off.

This was significantly slower, as each attempt is deliberately throttled so as not to get the connection blocked. So I let it run; it took the best part of an hour or two, but it too failed!

4. Routersploit

This Python framework is available via GitHub; I downloaded and installed it. Its interface is very similar to Metasploit's, so I set up the required parameters and fired it off.

This too failed to find any usable vulnerability.

Conclusion

At this point, I can draw two conclusions, and I'm split 50/50 between them.

1. The device is secure in its current config and I have nothing to worry about.

2. The device has been compromised at some point in the last ~4 years.

So do I assume the first and leave it as it is, or be cautious and hard reset the device and update it?

There is only one option, assume the worst, hard reset, and update.

It shouldn't take long; the biggest issue is that it's in a confined space, so most of the time will go on getting adequate physical access to press the reset button.

Lessons learned

It was a very useful exercise to take these new skills learned, use the various tools, and apply them to a real-world scenario.

Document usernames and passwords when setting up devices (in a password manager, not a plain-text note)!

Sunday, February 11, 2024

How to update Burpsuite in Kali & Parrot 5/6



1. Download the Community .jar file

Open Burpsuite, then Help > Check for updates.
Click the link to open the download page in your browser, choose the Community edition (or Pro if you have it) and select the JAR version.
Close Burpsuite.

2. Go to Downloads folder
cd ~/Downloads

3. Set file for execution (not strictly needed: the burpsuite launcher runs the jar with java -jar, which only needs read access, but it does no harm)
chmod +x burpsuite_community_v2023.12.1.4.jar

4. Find location of burpsuite.jar
locate burpsuite.jar
The result should be in
/usr/share/burpsuite
(if locate returns nothing, run sudo updatedb first, or just check with ls -l /usr/share/burpsuite)

5. Backup old jar file
cd /usr/share/burpsuite
sudo cp burpsuite.jar burpsuite.bak
sudo rm burpsuite.jar

6. Copy new jar file
cd ~/Downloads
sudo cp burpsuite_community_v2023.12.1.4.jar /usr/share/burpsuite/burpsuite.jar

You're done
- launch your updated Burpsuite

Recovery:

If it has gone wrong, delete the new .jar and copy (sudo cp) burpsuite.bak back to burpsuite.jar to get the old version back
sudo rm /usr/share/burpsuite/burpsuite.jar
sudo cp /usr/share/burpsuite/burpsuite.bak /usr/share/burpsuite/burpsuite.jar
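The manual steps above wrapped into one script (an added example, not a PortSwigger, Kali or Parrot script): it refuses to install anything that is not a zip/jar (a saved HTML error page named .jar is the usual way this goes wrong), keeps a timestamped backup so a second update does not overwrite the first backup, and has a restore mode for the recovery step. The install directory defaults to /usr/share/burpsuite as in the steps; the second argument lets you point it at a scratch directory to try it out. Run it with sudo on a real install.

```shell
#!/bin/sh
# Swap in a new Burp Suite jar, keep a timestamped backup, and roll back.
# Added example for the update steps above; not a PortSwigger/Kali script.
set -eu

DEFAULT_DIR=/usr/share/burpsuite   # where Kali/Parrot keep burpsuite.jar

# install_burp_jar NEW_JAR [INSTALL_DIR]
install_burp_jar() {
    new_jar=$1
    dir=${2:-$DEFAULT_DIR}
    target=$dir/burpsuite.jar
    backup=$dir/burpsuite.jar.bak.$(date +%Y%m%d%H%M%S)

    [ -f "$new_jar" ] || { echo "no such file: $new_jar" >&2; return 1; }
    # A jar is a zip archive, so a real one starts with the bytes "PK".
    # This rejects an HTML error page that was saved under a .jar name.
    [ "$(head -c 2 "$new_jar")" = "PK" ] || { echo "not a jar/zip: $new_jar" >&2; return 1; }

    if [ -f "$target" ]; then
        cp -p "$target" "$backup"
        echo "backed up $target to $backup"
    fi
    cp "$new_jar" "$target"
    chmod 644 "$target"      # java -jar needs read, not execute
    echo "installed $new_jar as $target"
}

# restore_burp_jar [INSTALL_DIR]  - put the most recent backup back
restore_burp_jar() {
    dir=${1:-$DEFAULT_DIR}
    latest=$(ls "$dir"/burpsuite.jar.bak.* 2>/dev/null | sort | tail -n 1)
    [ -n "$latest" ] || { echo "no backup found in $dir" >&2; return 1; }
    cp "$latest" "$dir/burpsuite.jar"
    echo "restored $latest to $dir/burpsuite.jar"
}

# Usage: sudo sh burp-update.sh ~/Downloads/burpsuite_community_v2023.12.1.4.jar
#        sudo sh burp-update.sh restore
case ${1:-} in
    "")      ;;                                  # sourced, or run without args
    restore) restore_burp_jar "${2:-}" ;;
    *)       install_burp_jar "$1" "${2:-}" ;;
esac
```

The "PK" check is deliberately minimal; if you want a stronger check, compare the download's SHA-256 against the checksum shown on the PortSwigger download page before running the script.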

Saturday, January 27, 2024

Can a PSU affect CPU performance?

In 2020 I built my current Desktop PC for gaming.


An AMD B550 motherboard, Ryzen 5 3600X CPU and 16 GB RAM with the semi-modular Gigabyte B700H PSU (80 Plus Bronze).

Since then I've doubled the RAM to 32 GB and upgraded the CPU twice, first to a 5800X and now the 5800X3D.

The system has performed just fine over that time.

I've got an NVIDIA RTX 2080 Ti rated at 250W and the PSU has not had any trouble at all.

After upgrading to the 5800X3D I did notice that the Cinebench R20 and R23 scores were a little below average, but I put this down to the silicon lottery and air cooling. It still ran pretty fast.

I've been looking to replace the 2080 Ti with a 7900 XT, and for that the 700W PSU was on the limit. So with that in mind, when I saw a deal on an 850W Seasonic Focus GX-850 80 Plus Gold fully modular PSU, I ordered it.

The swap-out was done in no time, and the first thing I did was fire up Cinebench R20. It scored 3% higher than the last time I ran it a few months ago. That seemed a bit weird. It's possible that BIOS updates played a part, but I don't think so: the last tests were done ~4 months ago when I upgraded the Noctua fans on the CPU cooler and got a nice reduction in temps but no bump in performance, and no BIOS updates have been released or applied since then.

So I then did a full-pass Cinebench R23 test, and this reported a 4% bump in performance!

Has my PSU been holding my CPU back, what do you think?

Wednesday, January 17, 2024

The free or open source tools I use in my day job

Current

Proxmox - repurposing old hardware for lab and testing virtual machines
Docker - easy Linux image deployment and testing
Portainer - Docker manager

Uptime Kuma - on Docker via Portainer - uptime monitoring for important servers and services
Dashy - on Docker via Portainer - cool shortcuts

Kali Linux installed on Proxmox for various security testing and pen testing
hashcat
breachparse
burpsuite


Wazuh VM on Proxmox for XDR and SIEM
OpenVAS (GVM) on Proxmox for vulnerability scanning / pen testing
Netbox VM - network documentation
MediaWiki VM - documentation
phpBB - IT forum for internal use / discussion

KIX32 (KiXtart) - login script and general automation of repetitive tasks: software removal, registry edits, software installs, software updates, Windows updates

Tools I've used but since dumped

Thursday, September 28, 2023

Noctua NH-U12S SE-AM4 - upgraded with 2x NF-A12x25 PWM (chromax.black)

When I first built my new gaming PC during the Covid lockdown back in 2020, I ordered the Noctua NH-U12S SE-AM4 to cool the Ryzen 5 3600, and it cooled it very well. The 3600 has a 65 W TDP and the NH-U12S handled it easily.

Later on I upgraded to the Ryzen 5 5600X, also with a 65 W TDP, but I did order and add a second fan to the back of the NH-U12S SE-AM4. Again this wasn't a problem at all and the system ran very cool and quiet.

In January 2023 I pushed the boat out again and maxed out my AM4 system with the AMD Ryzen 7 5800X3D. I kept the cooling as above, but it now had to cope with a 105 W TDP, and it showed.

Cinebench R20 would push the CPU temps to 89 degrees (C), a bit toasty!

So I started looking at the Noctua NH-D15 chromax.black as a possible replacement.

Problem 1: it's a pricey solution at ~£110.

Problem 2: this tall boy would be cutting it very close to fitting in my case (Phanteks Eclipse P400A).

So I left it for a while...

...

Then I started looking at the NF-A12x25 PWM fans to replace the fans and keep the NH-U12S.

Again not the cheapest solution, with each coming in at ~£30, but half the cost of the NH-D15 solution.

So I bit the bullet, ordered and installed them, and re-used the older Noctua fans from the NH-U12S as additional case exhaust fans. A simple swap-over re-jig that probably took less than 30 minutes in total, most of which was giving the case and fans a good spring clean.

They are a bit chunkier and weightier than the old fans but install just as easily.

Now the bit you're interested in, the performance.

I re-calibrated the fans and curves with the 'Auto' function available in my Asus BIOS and booted the system.

All good, already noticeably quieter.

Then I ran Cinebench R20 twice, and each time the temperature peaked at a max of 82 degrees (C)!

A 7 degree drop in maximum operating temperature, so I no longer have thermal throttling concerns, and it's a better than expected win.

I am very happy!






Sunday, October 17, 2021

Making my own Force Feedback (FFB) Pedals

To start with, I have Fanatec CSL Elite Load Cell pedals.

I wanted to add some more realism without spending a huge amount of money.

I had my son's old PS4 controller, which was going to be thrown out since he got his PS5, so I took that apart and removed the 2 rumble motors.

I then wired and soldered on some longer wiring for later.

The weights were a bit lopsided, with 4 large weights on the left motor and a 1/2 weight on the right.

With some gentle hammering I was able to remove 1 of the heavier ones from the left and add it to the right. It was a bit loose, so I used a hot glue gun to ensure it wouldn't fall off.

That left me with a 1.5-weight motor, which I intend to use on the accelerator pedal, and a 3-weight motor for the brake pedal.

Next I had to work out how to drive these motors. The simple answer is SimHub and Arduino.
SimHub is the free software that gets the data from the sim and passes it to the Arduino. I donated to get the licensed version; if you can afford it, you should too, it's well worth it.

The Arduino required is the UNO R3; in addition it needs an Adafruit Motor/Stepper/Servo Shield for Arduino v2 Kit. This is the bit that actually controls the motors once they're wired up. One board can drive up to 4 DC motors. I found and ordered these, along with a USB cable, from the PiHut.com. That cost just over £40 with delivery.

There are no screw holes on the back of the Fanatec CSL Elite pedals, so I was struggling to think how to mount the motors; luckily someone had already thought of this and produced and shared the following 3D-printable models.

I uploaded and ordered via Treatstock.co.uk, where I found the prices quite reasonable. My choice cost me ~$20 for a set of 2.

SimHub has a very detailed guide on setting up the Shield and UNO - here

A very useful YouTube video from amstudio - here - showing how he put his together, which was my inspiration for this.

If you can't be arsed doing it all yourself, for ~£100 you can buy a setup from Sim 3D - reviewed here

£100 is not a bad price all things considered; by the time I've got satisfactory 3D mounts printed and delivered I'm probably going to be at that mark.

You're also going to need to do some soldering, so if you don't have a soldering iron et al. you're going to have to fork out for that too.

Anyway, I've soldered the shield connectors. A magnifying glass would have been useful, but I managed to get it done and then checked the finished joints by taking a picture on my phone and zooming in.

All looked good, so now the big test. Added power (12V 3w), wired up the heavy brake motor to M1 and the lighter accelerator to M4, powered it up and plugged the USB into the PC.

Then it was a simple matter of firing up SimHub, launching the Arduino configurator, choosing the shield and Arduino and then applying the sketch to the UNO. That went off without a hitch and was surprisingly simple to do. Next was to go into SimHub and press those test buttons. It worked!

Now I have to wait for the arrival of the 3D mounting kit and put the UNO in a suitable box so I can then mount and install the motors on the pedals.
