Tuesday, February 20, 2024

The inadvertent router pen test story

The History

A few weeks ago I started a small project to document the devices in my home network. I had recently purchased a VPN device so I wanted a clear understanding of where it would fit.

In 2019, after upgrading my Wi-Fi to Google, I repurposed my older Netgear R8000. As part of that project, I re-imaged and replaced the Netgear OS with open-source ddWRT, and switched off all the Wi-Fi. So it essentially became a 4 port switch to connect my ethernet devices.

And it stayed, pretty much forgotten, until recently.

Now

During the documentation phase, I thought I might take the opportunity to update the ddWRT version since it was going to be a bit out of date.

That should be simple enough: log in, apply the new image, reboot... but I couldn't log in.

I tried a few combinations of what would have been the password combinations I would've used back then. I looked up the defaults just in case it had reset itself at some point, but that failed.

I did a search on my machine to see if I'd documented it, but found nothing.

The Hacking

This was the opportunity to practice the hacking skills I'd been learning via Hack the Box.

1. Nmap

An Nmap scan revealed HTTP (80) and SSH ports were open. No real surprises there but we'll come back to this later.

2. Burpsuite

A browse to the login page revealed the login process; from this I was able to capture the submission of the username and password and determine that the process used basic authentication. I was able to see that the username/password combinations used base64 encoding to obfuscate them.

I ran a few tests via interceptor and was able to set up a request that appeared to submit the username/password combinations correctly and get a 'code 200' response from the router.
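The base64 encoding seen in the capture is exactly what HTTP Basic authentication does (RFC 7617): the header carries `base64(username ":" password)`, which anyone who can read the request can reverse. The following is an added example, not code from the post, that pulls the credential pair back out of a captured request. The request text and the `admin:password123` pair are constructed placeholders, not values from the router in the post. Because the Nmap scan showed the management page on port 80 (plain HTTP), this is the view an observer on the network path would have had of every login attempt; serving the admin page only over HTTPS, or only on a trusted interface, is the usual mitigation.

```python
import base64
import re
from typing import Optional, Tuple

# Constructed sample of a captured router login request (placeholder values,
# not from the original post). The header decodes to "admin:password123".
SAMPLE_REQUEST = (
    "GET /Management.asp HTTP/1.1\r\n"
    "Host: 192.168.1.1\r\n"
    "Authorization: Basic YWRtaW46cGFzc3dvcmQxMjM=\r\n"
    "\r\n"
)

# Only the RFC 4648 base64 alphabet plus padding is valid in the header value.
_BASIC_HEADER_RE = re.compile(
    r"^Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)\s*$", re.MULTILINE | re.IGNORECASE
)


def encode_basic(username: str, password: str) -> str:
    """Build the Authorization header value a browser sends for Basic auth."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def extract_basic_credentials(raw_request: str) -> Optional[Tuple[str, str]]:
    """Return (username, password) from a raw HTTP request using Basic auth.

    Returns None when there is no Basic header, the token is not valid
    base64, or the decoded value lacks the mandatory ':' separator.
    """
    match = _BASIC_HEADER_RE.search(raw_request)
    if not match:
        return None
    try:
        decoded = base64.b64decode(match.group(1), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        # validate=True raises binascii.Error (a ValueError) on bad alphabet/padding
        return None
    # The user-id may not contain ':', but the password may, so split on the first one.
    username, sep, password = decoded.partition(":")
    if not sep:
        return None
    return username, password


if __name__ == "__main__":
    creds = extract_basic_credentials(SAMPLE_REQUEST)
    print("recovered from capture:", creds)
    print("round trip header:", encode_basic(*creds))
```

The point to take from the example is that base64 is an encoding, not a cipher: the same function that the browser runs to build the header is all that is needed to read it back. Nothing about the credential's strength changes this; only the transport (TLS) protects it in transit.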

So now it was time to build out my 2 custom word lists.

The first was a list of possible usernames; this was a combination of the defaults one might expect plus all of the ones I might have used, including various combinations of lowercase, capitalizations, and ALL CAPS. So a list of around 20-25 entries.

The second word list was for all the possible passwords I might have set, plus the usual defaults, again with the variations in capitalisation.

I then ran these via interceptor against the router login page, with no luck.

I was reasonably confident that I'd set up the parsing of the wordlists correctly, but there was a chance I was getting a bad response.

3. Metasploit

Now, Nmap had revealed that SSH was open. I now used Metasploit's SSH scanner module with the same word lists as above and let that run.

So I set the RHOST and the 2 wordlists and fired it off.

This was significantly slower, as each attempt was deliberately slowed so as not to get the connection blocked. So I let that run; it took the best part of an hour or two, but it too failed!
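The deliberate slowing described above is the defender's problem in reverse: a login monitor that only looks for bursts of failures will not see a guessing run paced at one attempt every few minutes, even though the router's own SSH log records every failure. The following is an added example, not code from the post, showing how the device's sshd log would reveal both patterns. The log lines are constructed in OpenSSH/syslog format with placeholder hosts and addresses; the thresholds and the two-window rule (a short burst window plus a long low-and-slow window) are design choices for this example, not settings of any tool named in the post.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sshd log lines (placeholder addresses, not from the original post).
# 192.168.1.50: five failures in nine seconds, cycling username capitalisations.
# 192.168.1.77: six failures spaced five minutes apart (the paced pattern).
# 192.168.1.10: a successful key login, which must not be flagged.
SAMPLE_AUTH_LOG = """\
Feb 20 10:15:01 router sshd[1201]: Failed password for root from 192.168.1.50 port 51522 ssh2
Feb 20 10:15:03 router sshd[1203]: Failed password for invalid user admin from 192.168.1.50 port 51524 ssh2
Feb 20 10:15:05 router sshd[1205]: Failed password for invalid user Admin from 192.168.1.50 port 51526 ssh2
Feb 20 10:15:08 router sshd[1207]: Failed password for invalid user ADMIN from 192.168.1.50 port 51528 ssh2
Feb 20 10:15:10 router sshd[1209]: Failed password for root from 192.168.1.50 port 51530 ssh2
Feb 20 10:16:00 router sshd[1211]: Failed password for root from 192.168.1.77 port 40001 ssh2
Feb 20 10:20:00 router sshd[1213]: Accepted publickey for root from 192.168.1.10 port 42000 ssh2
Feb 20 10:21:00 router sshd[1215]: Failed password for root from 192.168.1.77 port 40002 ssh2
Feb 20 10:26:00 router sshd[1217]: Failed password for root from 192.168.1.77 port 40003 ssh2
Feb 20 10:31:00 router sshd[1219]: Failed password for root from 192.168.1.77 port 40004 ssh2
Feb 20 10:36:00 router sshd[1221]: Failed password for root from 192.168.1.77 port 40005 ssh2
Feb 20 10:41:00 router sshd[1223]: Failed password for root from 192.168.1.77 port 40006 ssh2
"""

# Matches the OpenSSH "Failed password" line, with or without "invalid user".
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s\S+\ssshd\[\d+\]:\s"
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(lines: List[str]) -> Dict[str, List[Tuple[datetime, str]]]:
    """Group failed-login events by source address, sorted by time."""
    events: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        # syslog timestamps carry no year; relative ordering is all we need here
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        events[m.group("ip")].append((ts, m.group("user")))
    for ip in events:
        events[ip].sort()
    return events


def _max_in_window(times: List[datetime], window: timedelta) -> int:
    """Largest number of events that fall inside any span of `window` length."""
    best, start = 0, 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect_ssh_brute_force(
    lines: List[str],
    burst_threshold: int = 5, burst_window: int = 60,
    slow_threshold: int = 6, slow_window: int = 3600,
) -> Dict[str, dict]:
    """Flag sources that exceed either the burst or the low-and-slow threshold."""
    findings: Dict[str, dict] = {}
    for ip, evs in parse_failures(lines).items():
        times = [t for t, _ in evs]
        reasons = []
        if _max_in_window(times, timedelta(seconds=burst_window)) >= burst_threshold:
            reasons.append("burst")
        if _max_in_window(times, timedelta(seconds=slow_window)) >= slow_threshold:
            reasons.append("low-and-slow")
        if reasons:
            findings[ip] = {
                "failures": len(evs),
                "users": sorted({u for _, u in evs}),
                "reasons": reasons,
            }
    return findings


if __name__ == "__main__":
    for ip, info in detect_ssh_brute_force(SAMPLE_AUTH_LOG.splitlines()).items():
        print(ip, info)
```

Run against the sample, the burst rule catches the fast source and the hour-long window catches the paced one; a single 60-second rule would have reported only the first. A real deployment would also alert on a later successful login from a source that was previously flagged, which is the event that would have turned the post's "compromised at some point" worry into a known answer.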

4. Routersploit

This Python script is available via GitHub, and I downloaded and installed it. The interface for this is very similar to Metasploit's. So I set up the required parameters and fired that off.

This too failed to find any usable vulnerability.

Conclusion

At this point, I can draw two conclusions, and I'm split 50/50 between them.

1. The device is secure in its current config and I've nothing to worry about.

2. The device has been compromised at some point in the last ~4 years.

So do I assume the first and leave it as it is, or be cautious and hard reset the device and update it?

There is only one option, assume the worst, hard reset, and update.

It shouldn't take long; the biggest issue is that it's in a confined space, so most of the time will be spent getting adequate physical access to hit the reset button.

Lessons learned

It was a very useful exercise to take these new skills learned, use the various tools, and apply them to a real-world scenario.

Document usernames and passwords when setting up devices!
