The other day I was out wardriving and testing out some Android apps. I found that I really like WiGLE: it syncs with GPS and Google Maps, all while having a pretty decent refresh rate for each network scan. While no Android app I’ve used, nor the hardware, can match the robust power of a laptop running Kismet, the nice thing about the Android apps is the size of the phone and the ease of charging while driving. Most people use their Android phone for their turn-by-turn GPS, so it doesn’t draw attention when mounted in the car (running a map program) while you’re really logging all networks in the area.
While I was driving around, I found many companies are still running open wireless networks, which piqued my interest. I started with a coffee shop, but they were smart enough to password-protect their routers, and there were no customers for me to attack. I kept driving around and noticed another shop that had a wireless network going. I stopped outside and fired up my laptop. The first thing I did was run ‘netstat -nr’ to find the router’s address. When I opened the router in Firefox, I was alarmed that I was not even prompted for a username or password, and I was able to modify any of the administration settings. To confirm that I wasn’t just getting read-only access, I used the website filter to block Twitter, Facebook, and Google. Once I got the screenshots confirming that devices trying to access those resources were blocked, I turned the blocking off; I didn’t need anyone to know I’d been here.
The next steps require a root terminal, so I fire one up and run ‘netdiscover -i wlan0 -r 192.168.0.0/24 -P > netdiscover.txt’ (this gives me a quick list of hosts alive on the network). I immediately make sure I grab an nmap scan too, for some extra data to help in picking a victim: ‘nmap 192.168.0.0/24 > nmap.txt’. I then set my sights on a PC with a Samba port open, connect to it as guest, and get access to all shares; the My Documents share is where I was really interested to look. To my horrified surprise, I found a treasure trove of information: a file titled “Logins.doc”. I thought “I wonder what that is?” and sure enough, it was a username/password file that held all the website usernames and passwords they use for various ordering websites. The folder “My Scans”, well, you guessed it: scanned invoices, complete with customer contact, address, service, and so much more.
All this prompted me to write this blog post detailing what NOT to do on your small business wireless network. I will lay out a few minor things that would keep this poor company from leaving itself and its customers vulnerable to data theft.
Step 1) Put a password on the router. Their router was an “Actiontec PK5000”, and with a quick Google search I found the user manual, which states that by default there is no password on the router, to allow for “easy” configuration. It also states that as long as no password is set, the router will not prompt for login information. Simply putting a password on the router would cause it to require a login to view and edit the configuration.
Step 2) Don’t name your desktop after the store. That gave me a bullseye for where to start looking for the best information. Instead, use random names that will mean NOTHING to an attacker, or even to someone who is just looking around.
Step 3) Enable WPA2 encryption on the wireless access point. Even if you want your customers to be able to access the network while they are waiting for service, or eating or whatever you might do at your particular business, putting a password on your wireless network will prevent most attackers from starting an attack from your parking lot, where you might never even know something is happening. All you would need to do is have the customer ask you for your password, and they can connect. Granted, an attacker could do the same thing, but then he’s been on camera, you’ve seen his face, and likely he’s a customer and you have his information to give to the police in case something bad DOES happen.
Step 4) Back up sensitive data to an encrypted external device, and do not keep it on the network for everyone to access. You could use a portable hard drive, USB key, or any number of devices that you would be able to lock in your company safe and only remove to do your backup. Once the data is backed up, delete it off the computer.
Even following these four simple steps would protect your small business from a lazy or impatient hacker. There is a saying: “If my friend and I are being chased by a bear, I don’t have to outrun the bear, I just need to outrun my friend.” The same is true for security. If you have a better protected network than your neighbor, your neighbor is the one with the target.
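A self-check for the steps above, as an added example that is not part of the original post: it reads the output of the same nmap scan, run against your own network, and flags hosts with a web interface open (Step 1), a hostname containing the business name (Step 2), or file sharing exposed (Step 4). The sample scan, the function names and the word "acme" are constructed for illustration.

```python
import re

# Constructed sample in nmap's normal output format (not data from the post).
SAMPLE = """\
Nmap scan report for 192.168.0.1
Host is up (0.0021s latency).
PORT   STATE SERVICE
80/tcp open  http

Nmap scan report for acme-frontdesk (192.168.0.12)
Host is up (0.0043s latency).
PORT    STATE    SERVICE
139/tcp open     netbios-ssn
445/tcp open     microsoft-ds
631/tcp filtered ipp
"""

FILE_SHARING = {139, 445}  # NetBIOS session service and SMB
WEB_ADMIN = {80, 443}      # web interfaces such as a router's admin page
HOST_RE = re.compile(r"^Nmap scan report for (?:(\S+) \()?([\d.]+)\)?$")
PORT_RE = re.compile(r"^(\d+)/tcp\s+open\s")  # ignores closed/filtered ports

def parse_hosts(text):
    """Map each scanned IP to its reported name and set of open TCP ports."""
    hosts, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if m := HOST_RE.match(line):
            current = hosts.setdefault(m[2], {"name": m[1], "open": set()})
        elif (m := PORT_RE.match(line)) and current is not None:
            current["open"].add(int(m[1]))
    return hosts

def audit(text, business_words=()):
    """Return (ip, finding) pairs tied to Steps 1, 2 and 4 of the post."""
    findings = []
    for ip, host in parse_hosts(text).items():
        name = (host["name"] or "").lower()
        if host["open"] & WEB_ADMIN:
            findings.append((ip, "web interface open: confirm it demands a login"))
        if host["open"] & FILE_SHARING:
            findings.append((ip, "file sharing exposed: disable guest access"))
        if any(w.lower() in name for w in business_words):
            findings.append((ip, "hostname reveals the business name"))
    return findings

if __name__ == "__main__":
    for ip, finding in audit(SAMPLE, business_words=["acme"]):
        print(f"{ip}: {finding}")
```

To use it on a real scan, pass the contents of nmap.txt to audit() in place of SAMPLE, along with the words in your business name.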
Just some advice from your friendly neighborhood network ninja.