
During a recent visit to a coffee shop, I noticed that they hadn't bothered changing their default user name and password for their router.

I realise that someone could log on and be annoying to other users (kicking people off the network, locking the network), but what other malicious activities could be done with this kind of access?

For info, the coffee shop ran an open wifi network.


I did tell the coffee shop about this problem, but they didn't really care (or understand?)

csgillespie

5 Answers


The other answers are correct, however there is one big fish being mostly ignored:

DNS cache poisoning

As @Larry said, since you own the router you own the DNS. Meaning you can cause any other user of that network to use any server you want for any address they request.

But more than that:

  • You can leave your DNS ownership in place: even when you're not there anymore, other users will continue to use your servers.
  • Even after the other users leave, you can still own whatever address they try to access.
    To clarify, let's assume some victim at some point uses the coffeeshop to access http://www.google.com/. This should resolve to 209.85.143.104. However, because you pwned the router, you're sending anyone who requests http://www.google.com/ to 207.200.14.140. This will continue to happen, even after you go home...
    Now, what happens if you set the TTL for the DNS response (the one returning 207.200.14.140 for http://www.google.com/), to some value far in the future? The victim will go home, back to his "secure" network, and at some point will again browse to http://www.google.com/. Shouldn't be a problem, right? Well, the TTL caused the DNS response to stay cached on your machine, so your browser now doesn't even bother making another DNS request - it just sticks with the 207.200.14.140 it got at the coffeeshop. That you gave it. 3 weeks ago.

Just a suggestion? A bit borderline, but since no one at the coffeeshop cares (or probably even knows how to log on to a router, or what that even is), do them a favor: change the password for them. Write it down for them, hand it to the manager, and if he really needs it, he'll figure out what to do, and maybe even learn a lesson.
Of course, this is borderline ethical, maybe even illegal, so caveat emptor. But other users WILL be grateful (even if they know nothing about it).

AviD
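An added example, not part of the answer above or of this site: a small Python parser for a raw DNS response that pulls out the A records and flags any whose TTL would keep the answer pinned in a client cache for days, which is exactly the persistence trick described above. The response bytes are constructed inline (not captured from a real router), and MAX_SANE_TTL is an assumed threshold a defender would tune.

```python
import struct
from typing import List, Tuple

def build_response(name: str, ip: str, ttl: int) -> bytes:
    """Constructed (not captured) DNS response: one A record, name compressed."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)   # id, flags, qd, an, ns, ar
    question = qname + struct.pack("!HH", 1, 1)                    # QTYPE A, QCLASS IN
    rdata = bytes(int(o) for o in ip.split("."))
    # answer name is a pointer (0xC00C) back to the question name at offset 12
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata
    return header + question + answer

def read_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Decode a possibly compressed name; return (name, offset just past it)."""
    parts, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        if length == 0:
            off += 1
            break
        parts.append(msg[off + 1:off + 1 + length].decode())
        off += 1 + length
    return ".".join(parts), (end if jumped else off)

def parse_answers(msg: bytes) -> List[Tuple[str, str, int]]:
    """Return (name, ipv4, ttl) for every A record in the answer section."""
    _, _, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off, out = 12, []
    for _ in range(qd):
        _, off = read_name(msg, off)
        off += 4                                       # skip QTYPE + QCLASS
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            out.append((name, ".".join(map(str, msg[off:off + 4])), ttl))
        off += rdlen
    return out

MAX_SANE_TTL = 86400   # assumed threshold (one day); tune for your environment
def suspicious_ttls(msg: bytes) -> List[Tuple[str, str, int]]:
    # A records whose TTL would pin the answer in a client cache for days
    return [r for r in parse_answers(msg) if r[2] > MAX_SANE_TTL]
```

Feeding it the answers your resolver actually returns (or a cache dump) and comparing against a trusted resolver is a quick way to spot the long-lived poisoned entries the answer above warns about.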

Was prompted by conversation with @Iszi on chat to make things much clearer - to just highlight the main increased risks.

An attacker could reroute every request sent by users of the network leading to:

Phishing attack - for example the normal guidance for users is to never click on untrusted links for things like online banking, but to always type in the URL for www.examplebank.com. Controlling the router lets an attacker get around that control easily so you could end up at a site which will grab your online banking credentials as you log in.

Malware attack - You can be rerouted to a site which will attempt to download malware onto your computer even though you specified a known good URL.

Inline data injection/modification - An attacker could modify any data in transit. This would be hard to do from the perspective of a user of the wireless network, but much more straightforward for an attacker if all data was routed via a server they control.

Other attacks based on this Man In the Middle - various other compromises

The internet is your oyster with this one - effectively users would no longer be able to trust any communication through the network! It is almost as good as pwning the users computer.

The other points I mentioned are already possible on wireless networks so I have taken them out.

Rory Alsop
  • Many (all?) of these can be done by anyone on most wifi networks. It would help to distinguish this case from a typical open or WEP wifi network, either in terms of ease of attack, reliability of attack, or whatever. – nealmcb Jan 10 '11 at 02:40
  • Those attacks are simple on an open or WEP network, but a tad more involved on a well secured wireless LAN. This effectively makes a wireless network using strong security (WPA2/TKIP for example) open to the attacker controlling the router. – Rory Alsop Jan 10 '11 at 08:16
  • @Rory - I think what neal is getting at, is that most of these attacks are viable without requiring access to the AP or Router's configuration interface. What the OP is looking for is to define the particular attacks that such access facilitates, or more appropriately what particular attacks does denial of such access prevent or inhibit? – Iszi Jan 10 '11 at 16:50
  • @Iszi Yes, that's what I was trying (unsuccessfully) to get at. – csgillespie Jan 10 '11 at 21:12
  • @Iszi - updated to try and clarify the difference – Rory Alsop Jan 10 '11 at 21:25
  • Very good edit, Rory. I think you've made your points perfectly. – Iszi Jan 11 '11 at 00:14
  • Even with attacks that are still possible without access to the router this is still a problem as it greatly reduces the "cost" of performing such an attack. – Rob Moir Jan 11 '11 at 13:16
  • Denial of service is another one. Where I live some people had their routers hacked, the passwords changed and the WiFi set up with encryption. For non-technical users that can be pretty time consuming to fix. – Matthew1471 Jul 16 '16 at 23:32

If you own the router, you own the internet effectively. For example, you can tell the router to use your computer as the DNS server for all the clients on the network - that means you own address resolution for every client on the network.

Larry Osterman
  • Can someone say phishing? You could also be annoying by binding apache to all domains and redirecting everything to it. You could even use that as a demonstration on why it's important to keep your router secure – TheLQ Jan 10 '11 at 02:46
  • Even worse is that some routers allow configuring the gateway with a remote address. That way one could divert all the traffic and sniff everything from home. – jweyrich Jan 11 '11 at 00:23

Depending on the way the router handles it (e.g. encryption implementation), you may be able to 'backup'/'save' the configuration, and extract the PPPoE/A logon credentials from the configuration.

From here, you may be able to access the account on the ISP's website, with potential access to sensitive information. With some social engineering, potential access to further information if you call the ISP help desk.

Potentially not very useful information, but certainly possible in the right conditions.

lew

You can find out the MAC address of all the computers that logged in to the network, which, with this information in the right/wrong hands, can do a lot of damage.

  • You can also do that without router access, and I don't see what kind of damage that could do. – Luc Sep 06 '12 at 20:49