
AP Takeover Attacks



This is a short presentation about access point (AP) takeover attacks. It gives a brief overview of methods and of the reasons hackers may want to use these attacks, then provides some examples. A full paper on this topic is available at

Published in: Technology

  1. Theory and Strategies for Takeover Attacks. Presented by Eric Goldman –
  2. This is an excerpt from a larger presentation which covered numerous AP exploit strategies and specified attacks. You can find more of my presentations on SlideShare and at my main website. Please feel free to post questions or comments about this presentation. A full academic paper on this topic is available on my website. More papers & presentations at
  3. • An AP is a gateway between wireless and wired networks; all wireless traffic passes through it
     • As a result, it is usually the most valuable target on the WLAN for snooping or DoS
     • Wireless hardware is more vulnerable than wired equivalents because it must support more protocols and features, which are relatively young and/or under development
     • Fun target because there are so many different ways to attack an AP
  4. • Gain unauthorized access to the network
       ◦ Attacker wants to get to the rest of the network, but it is too time-consuming to break all security procedures
     • Monitor traffic and steal user data
       ◦ Steal valuable information about users or the company
     • Make money
       ◦ By controlling the AP you can insert your own ads on every page and replace other ads with your own
       ◦ Examples: dd-wrt + NoCatSplash or a web proxy
  5. • Multiple management interfaces may exist, with different security (console, web, SSH, etc.)
     • Setting misconfigurations, groups of settings, or improper implementation of settings
     • Steal login information by cracking it or by finding in-the-clear authentication (web, telnet)
     • Physical access: administration allowed without a password when directly connected; device reset
  6. • Affects 8 different devices, 3 versions of IOS
     • Vulnerability is in the Web Management Interface
     • When you switch from global password control to a local user list with individual passwords in the web interface, all login security is disabled
     • As a result, anyone can easily access the admin interface without having any login information or credentials
  7. • Router allows the admin password to be modified, but there is an undocumented hardcoded account there as well
     • Hardcoded accounts: U=super, P=5777364
     • Accessible from both LAN/WLAN
     • Traced back to hardware developer in Taiwan; 5777364 is their phone number
       ◦ May affect other vendors who use their hardware
       ◦ Was still in later firmware upgrades for Netgear
       ◦ Vendor solution: make a new hardcoded account
  8. • APs are a more valuable target than a single client node; attack more users and resources
     • Wireless network equipment, especially budget consumer products, is often poorly designed and coded
     • Attacking an AP can cut off many users from access and can make any connectivity difficult
     • Taking over an AP can allow the attacker to accomplish many different objectives
  9. • Cisco. (2006, September 20). Cisco Security Advisory: Access Point Web-browser Interface Vulnerability. Retrieved April 6, 2009, from Cisco:
     • Hackers come up with new methods to hack Wi-Fi networks. (2008, March 21). Retrieved April 6, 2009, from Internet Security: http://www.internet- hack-wi-fi-networks.html
     • Knienieder, T. (2004, June 3). Netgear WG602 Wireless Access Point Default Backdoor Account Vulnerability. Retrieved April 6, 2009, from Security Focus:
     • Mateti, P. (2005). Hacking Techniques in Wireless Networks. Retrieved April 6, 2009, from Wright State University: eti-WirelessHacks.htm#_Toc77524669
     • Megidish, G. (2008, August 17). Getting Paid For Others’ Work. Retrieved April 6, 2009, from SecuriTeam:
     • Bellardo, J., & Savage, S. (2003). 802.11 Denial-of-Service Attacks: vulnerabilities and practical solutions. San Diego, California: Department of Computer Science and Engineering, University of California at San Diego.
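
The weakness classes on slides 5 to 7 (cleartext or missing logins on a management interface, interfaces that disagree on authentication, and accounts the administrator never created) can be checked from an inventory of an AP's management plane. The following is an added example, not code from the presentation; the record layout, the `iface` helper and the sample device are assumptions constructed for illustration.

```python
# Added example (not from the presentation): audit a description of an AP's
# management plane for the weakness classes listed on slides 5-7.
# The record layout and SAMPLE_AP are constructed for illustration.
CLEARTEXT_PROTOCOLS = {"telnet", "http"}  # credentials cross the network unencrypted


def audit_ap(ap):
    """Return a sorted list of (location, finding) tuples for one AP record."""
    findings = set()
    enabled = {n: c for n, c in ap["mgmt_interfaces"].items() if c["enabled"]}
    for name, cfg in enabled.items():
        if cfg["protocol"] in CLEARTEXT_PROTOCOLS:
            findings.add((name, "cleartext-login"))
        if not cfg["auth_required"]:
            findings.add((name, "no-login-required"))
        if cfg["reachable_from_wlan"]:
            findings.add((name, "reachable-from-wlan"))
    # Interfaces that disagree on whether a login is needed: the weakest one wins.
    if len({c["auth_required"] for c in enabled.values()}) > 1:
        findings.add(("device", "inconsistent-auth-across-interfaces"))
    # Accounts found on the device (config export or firmware review) that the
    # administrator never provisioned, such as a vendor hardcoded account.
    for account in set(ap["accounts_found"]) - set(ap["accounts_provisioned"]):
        findings.add(("accounts", "unprovisioned-account:" + account))
    return sorted(findings)


def iface(protocol, enabled, auth_required, reachable_from_wlan):
    """Hypothetical helper that builds one management-interface record."""
    return {"protocol": protocol, "enabled": enabled,
            "auth_required": auth_required,
            "reachable_from_wlan": reachable_from_wlan}


SAMPLE_AP = {  # constructed sample, not a real device
    "mgmt_interfaces": {
        "web": iface("http", True, True, True),
        "ssh": iface("ssh", True, True, False),
        "console": iface("serial", True, False, False),
        "telnet": iface("telnet", False, False, True),  # disabled, so skipped
    },
    "accounts_provisioned": ["admin"],
    "accounts_found": ["admin", "super"],
}

if __name__ == "__main__":
    for location, finding in audit_ap(SAMPLE_AP):
        print(location, finding)
```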