AP Takeover Attacks


This is a short presentation about access point (AP) takeover attacks. It gives a brief overview of methods and the reasons hackers may want to use these attacks, and then provides some examples. A full paper on this topic is available at http://www.ericgoldman.name


  1. Theory and Strategies for Takeover Attacks. Presented by Eric Goldman – http://www.ericgoldman.name
  2. This is an excerpt from a larger presentation which covered numerous AP exploit strategies and specified attacks. You can find more of my presentations on SlideShare and at my main website, http://www.ericgoldman.name. Please feel free to post questions or comments about this presentation. A full academic paper on this topic is available on my website. More papers & presentations at http://www.ericgoldman.name
  3. • AP is a gateway between wireless and wired networks; all wireless traffic passes through it
     • As a result, it is usually the most valuable target on the WLAN for snooping or DoS
     • Wireless hardware is more vulnerable than wired equivalents because it must support more protocols and features, which are relatively young and/or under development
     • Fun target because there are so many different ways to attack an AP
  4. • Gain unauthorized access to the network
       ◦ Attacker wants to get to the rest of the network, but it is too time-consuming to break all security procedures
     • Monitor traffic and steal user data
       ◦ Steal valuable information about users or the company
     • Make money
       ◦ By controlling the AP you can insert your own ads on every page and replace other ads with your own
       ◦ Examples: dd-wrt + NoCatSplash or a web proxy
  5. • Multiple management interfaces may exist, with different security (console, web, ssh, etc.)
     • Setting misconfigurations, groups of settings, or improper implementation of settings
     • Steal login information by cracking it or by finding in-the-clear authentication (web, telnet)
     • Physical access: administration allowed without a password when directly connected; device reset
  6. • Affects 8 different devices, 3 versions of IOS
     • Vulnerability is in the Web Management Interface
     • When you switch from global password control to a local user list with individual passwords in the web interface, all login security is disabled
     • As a result, anyone can easily access the admin interface without having any login information or credentials
  7. • Router allows the admin password to be modified, but there is an undocumented hardcoded account there as well
     • Hardcoded account: U=super, P=5777364
     • Accessible from both LAN and WLAN
     • Traced back to the hardware developer in Taiwan; 5777364 is their phone number
       ◦ May affect other vendors who use their hardware
       ◦ Was still in later firmware upgrades for Netgear
       ◦ Vendor solution: make a new hardcoded account
  8. • APs are a more valuable target than a single client node; an attack reaches more users and resources
     • Wireless network equipment, especially budget consumer products, is often poorly designed and coded
     • Attacking an AP can cut off many users from access and can make any connectivity difficult
     • Taking over an AP can allow the attacker to accomplish many different objectives
  9. • Cisco. (2006, September 20). Cisco Security Advisory: Access Point Web-browser Interface Vulnerability. Retrieved April 6, 2009, from Cisco: http://www.cisco.com/warp/public/707/cisco-sa-20060628-ap.shtml
     • Hackers come up with new methods to hack Wi-Fi networks. (2008, March 21). Retrieved April 6, 2009, from Internet Security: http://www.internet-security.ca/internet-security-news-010/hackers-coming-up-with-new-ways-to-hack-wi-fi-networks.html
     • Knienieder, T. (2004, June 3). Netgear WG602 Wireless Access Point Default Backdoor Account Vulnerability. Retrieved April 6, 2009, from Security Focus: http://www.securityfocus.com/bid/10459/info
     • Mateti, P. (2005). Hacking Techniques in Wireless Networks. Retrieved April 6, 2009, from Wright State University: http://www.cs.wright.edu/~pmateti/InternetSecurity/Lectures/WirelessHacks/Mateti-WirelessHacks.htm#_Toc77524669
     • Megidish, G. (2008, August 17). Getting Paid For Others’ Work. Retrieved April 6, 2009, from SecuriTeam: http://blogs.securiteam.com/index.php/archives/1128
     • Bellardo, J., & Savage, S. (2003). 802.11 Denial-of-Service Attacks: vulnerabilities and practical solutions. San Diego, California: Department of Computer Science and Engineering, University of California at San Diego.
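
Slide 7 notes that the hardcoded account survived later firmware upgrades, so a firmware image is worth checking before it is deployed. The following is an added example, not code from the presentation: it extracts printable strings from an unpacked image and reports where the account name and password from slide 7 sit close together. It assumes the credentials are stored as plain, delimiter-separated ASCII; the function names and the sample image are constructed for illustration.

```python
import re

# Account documented on slide 7 of the presentation.
KNOWN_USER = b"super"
KNOWN_PASS = b"5777364"


def printable_strings(blob, min_len=4):
    """Yield (offset, bytes) for each run of printable ASCII, like strings(1)."""
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob):
        yield m.start(), m.group()


def find_hardcoded_account(blob, user=KNOWN_USER, password=KNOWN_PASS, window=64):
    """Return (user_offset, pass_offset) pairs where both values appear as
    whole strings within `window` bytes of each other.

    Whole-string matching keeps words such as "supervisor" from matching,
    and the proximity test ignores a stray copy of either value elsewhere.
    """
    found = list(printable_strings(blob))
    users = [off for off, s in found if s == user]
    passwords = [off for off, s in found if s == password]
    return [(u, p) for u in users for p in passwords if abs(u - p) <= window]


def build_sample_image(with_backdoor):
    """Constructed stand-in for an unpacked firmware image (not vendor data)."""
    image = b"\x7fFW\x00" + b"\x00" * 32
    image += b"admin_password\x00supervisor\x00" + b"\xff" * 16
    if with_backdoor:
        image += b"super\x00" + b"5777364\x00"
    return image


if __name__ == "__main__":
    for label, flag in (("clean", False), ("backdoored", True)):
        hits = find_hardcoded_account(build_sample_image(flag))
        print(f"{label}: {len(hits)} hit(s) at {hits}")
```

Compressed or encrypted firmware has to be unpacked first, and because the vendor's fix was a new hardcoded account, a clean result for this one pair does not show the image is free of others.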