Hacking

Ethical hacking: Attacking routers

Greg Belding
September 25, 2019 by
Greg Belding

Routers are one of the most attractive points of a network for attackers to prey upon. These ubiquitous network devices often have more than one vulnerability, not to mention the effects that human error can have when administering these devices. 

This article will detail attacking routers from the ethical hacker’s perspective, including password-related issues, and will move on to more traditional router attacks that are not password-focused. Considering how common routers are on both enterprise and home networks, ethical hackers need to know about these attacks so they can better tighten security in their organization’s network defenses.

FREE role-guided training plans

FREE role-guided training plans

Get 12 cybersecurity training plans — one for each of the most common roles requested by employers.

The elephant in the room

Routers have a major weakness and there is probably no technological measure that can remedy it — human error. Any enterprise router worth its salt uses a password, and unfortunately, many information security professionals and remote workers never change their default router password. The statistics say that the number of those who neglect the password change is 30% and 46% respectively, which is shocking (especially for the information security professional). 

Not changing your router’s password may be the biggest weak point on your organization’s router. Is that the sound of you changing it right now? I thought so. Don’t relax just yet, though — simply changing your default password is not enough to ward of router password attacks. For those using wireless routers (most are by this point), passwords can still be changed once data packets are captured by attackers. 

Wireless attacks

The password issue mentioned above has spurred an increase in wireless attacks. The main goal of these attacks to crack the password, normally by using default passwords and with dictionary cracks. 

The most popular tool used for this today is Aircrack-ng. Included in Kali Linux, this hacking program is a standalone suite that features 802.11 WEP and WPA-PSK key cracker functionality with the capability to recover keys from captured data packets. Using airmon-ng allows attackers to capture the authentication handshake, which is used to crack the WPA/SPA2-PSK. 

Ethical hackers should use Aircrack-ng against their organization’s wireless router to see how vulnerable their router is, and then make any security adjustments available to their particular router accordingly.

Router scanning

Router scanning is a sort of hybrid attack method on both LAN and wireless (added later) routers that scans organization subnets and then attacks routers it finds. Router Scan by Stas’M is a hacking tool that allows hackers to perform router scanning and has the capability to pull important information about the wireless router, including access point name (SSID), access point key (password) and even what encryption method is used by the wireless router.

This information is gathered two ways— it uses a list of standard passwords to guess the router password and uses router model-specific vulnerabilities to either gather the information above or even bypass authorization altogether. Ethical hackers can use this program to test how attack-ready their password is, get a better idea of the vulnerabilities of the router model they use and to better understand how attackers act when using this method to attack their router. 

Non-password-focused attacks

As an ethical hacker, you cannot get hung up on passwords alone. While password weaknesses in routers are glaring, they are not the only focus of attackers. Below are the most common non-password-focused router attacks.

Denial of Service (DoS)

Denial of Service (DoS) attacks are the most popular form of non-password-focused router attacks. These attacks come in many forms but essentially all have the same end — flooding the router with so many requests that results in either slowing down or crashing servers behind the router. Commonly seen forms of this attack include Ping of Death, Smurf, buffer overflow and SYN attacks.

Ethical hackers should attempt as many different forms of DoS attacks against their router to see how their router, and ultimately their network, would respond. Appropriate remedial measures include reconfiguring router Access Control Lists to drop the offending traffic.

Packet mistreating attacks

This type of attack injects malicious code into the router, which then confuses and ultimately disrupts routers. Routers use what is called the routing process, and when malicious code is injected into this process, it stops the router from being able to handle packets in the routing table. 

Eventually, this malicious code starts circulating around the organization’s network in a loop. The network then becomes substantially congested, making it increasingly difficult for network engineers to debug. 

Router table poisoning

Routers use routing tables that transfer and receive information. Router tables are vulnerable; without proper security, router poisoning attacks can make malicious changes to the router table’s routine. Hackers normally get to this point by editing router table information packets. The end result is damage to the networks and servers behind the router. 

Ethical hackers need to understand their router model and configure applicable security measures as appropriate to squash router table poisoning attacks.

Hit-and-run attacks

These attacks are one-off attacks that are sometimes referred to as test hacks. Hit-and-run attacks inject malicious data via code into routers and normally cause routers to perform unusual routines. 

Ethical hackers should cooperate with information security professionals in the organization responsible for intrusion and detection by staging one of these attacks so the organization can better understand what will happen if it occurs in the real world.

Conclusion

Routers are one of the top points of attack for hackers, and an organization’s ethical hacker needs to keep this in mind. By tightening router password policies and staging these attacks against their organization’s router(s), ethical hackers will have surer footing regarding how attack ready their organization’s router is. 

After testing these, you know the drill: take appropriate remediation and tightening measures and then test again and again.

FREE role-guided training plans

FREE role-guided training plans

Get 12 cybersecurity training plans — one for each of the most common roles requested by employers.

Sources

Greg Belding
Greg Belding

Greg is a Veteran IT Professional working in the Healthcare field. He enjoys Information Security, creating Information Defensive Strategy, and writing – both as a Cybersecurity Blogger as well as for fun.