Secure Your Wireless Router Part 2

I was at a friend’s house this past weekend when I asked to connect to his wireless router with my laptop. This friend was not computer savvy so I wasn’t surprised to find that security was not configured on his router.

This reminded me of an article (Secure You Wireless Router) a colleague of mine at Avert Labs had written several months ago about how more and more homes in China nowadays have wireless routers, but very few people bother to secure their routers.

I proceeded to lecture my friend about the importance of being security-aware, and the dangers of not being so – identity theft, stolen passwords, private documents, pictures, etc.

To demonstrate my point, I asked his permission to perform a penetration test which he agreed to.

I proceeded with the same steps described in my colleague’s article. I obtained an IP on the unsecured network, found the router’s IP, opened up a browser to that IP and was presented with the router’s administration login page. A quick search online easily gave up the default admin password for this router – “admin”. I tried that and sure enough, got into the admin page.

Next I checked the logs on the router and identified an active host on the network that was not my own. I then tried to open a NetBIOS NULL session with the host which worked. So far everything I tried had worked on the first attempt. Getting the NULL session opened up some opportunities for some good information gathering. For one, I determined that the host was running Windows 2000. More interestingly, I was able to get a list of user accounts. All without the need for a username and password. Only one of the accounts sounded like it was user-created. I tried to map a drive using that account with a blank password, and failed. I tried a few more times before giving up on guessing passwords.

I was using my work laptop so I had a Foundstone Enterprise install handy. I scanned the host for vulnerabilities, looking out for anything remotely exploitable. I came up with a handful, but one check jumped out at me – “Administrator Account Has No Password”. I tested this by mapping a drive with the administrator account and a blank password, half hoping that it was a mis-detection. Alas, the map succeeded and at this point the demonstration was over. I now had full access to my friend’s filesystem, and now the possibilities were endless. Having an Administrator account with a blank password on a Windows machine is such an old security hole that I didn’t even bother to test it early on.

For the home user, here are are just a couple tips to get you started with security and get you in way better shape than my friend:

1. Secure your wireless network. Look up how to do it online or have your techie friend do it for you, like I did for mine.
2. Set a strong password for your Windows Administrator account. Better yet, disable the account.
3. Disable NULL sessions. Look up how to do it online.