Practical WPA2 Attacks on NETGEAR Routers

"What's the wifi password?" is today's "Where is the bathroom?": the first question asked by guests of an unfamiliar location. I myself have asked this of many friends and this past week had noticed a security weakness in their routers. For those using NETGEAR brand routers, there is a simple pattern within the default WPA2 passwords that increases viability of WPA2 hash cracking.

NETGEAR routers are extremely common in my area as the default equipment supplied by Time-Warner-Cable/Spectrum, making this guide locally relevant as a combined St. Lawrence University/DHS project. With WPA2, the two major security flaws are WiFi Protected Setup pin bruteforce and extracting a plaintext password from the four way authentication handshake.

Since WPS pin attacks are patched by most router firmwares these days, we will use our password weakness with the aircrack-ng suite and hashcat tool to own a factory NETGEAR network.

The Weakness:

For all of the NETGEAR routers that I have encountered, the default WPA2 password fits the following format:

[adjective][noun][0-9][0-9][0-9]

As far as password complexity is concerned, this is not the worst possible format. With the minimum WPA-PSK password length being 8 characters, this often goes beyond the minimum and makes a complete pattern crack (i.e. all alphanumeric character combinations of length 8) less viable. The weakness lies in the fact that the format is known, and that WPA2 authentication handshake hashes can be dictionary attacked.

But people can change their WiFi passwords, right? They sure can, but the default format provided by NETGEAR are designed to be easily memorized and have the illusion of security by complexity. As a result, many NETGEAR customers feel comfortable leaving their password as the default. Users that are inclined to leave factory settings can be easily targeted with their default SSIDs:

NETGEAR[0-9][0-9]

The Dictionary:

To begin, we need an exhaustive dictionary list of default passwords. To do this, I merged my largest adjective wordlist (1466 entries) and a practically sized noun wordlist (3251 entires). I chose wordlists from my collection that did not contain inappropriate words, and had a minimum word length of 3 characters. I hacked together a python script to write all combinations of these lists and append all possible three digit codes.

Dictionary length = (1466 adj) * (3251 noun) * (10*10*10 num) = 4765966000 entries

The final dictionary size was 77 gigabytes: a very reasonable size for an offline hash attack.

The WPA2 Handshake Capture:

To begin, we need to capture the handshake with aircrack tools. Let's start by gathering some details on the target.

> airodump-ng wlan1


Here we see a NETGEAR default-named router with a mac address of 00:14:BF:1E:C7:4D on wireless channel 8. Let's capture its traffic.

> airodump-ng -c 8 --bssid 00:14:BF:1E:C7:4D  -w capture wlan1

With this running, we can patiently wait for a client to authenticate to the network. But we are in luck! We see client D4:61:2E:9F:BE:F0 actively communicating with our target access point. So rather than waiting, let's kick this client off the network and force them to automatically re-authenticate. We can capture the handshake on our command.

> aireplay-ng -0 1 -a 00:14:BF:1E:C7:4D -c D4:61:2E:9F:BE:F0 wlan1



We now have the handshake embedded in our packet capture file. Let's convert it to a hashcat-compatible format:

> aircrack-ng capture.cap -J finalcap

The Cracking:

Obviously we need to GPU accelerate the process, so we will use the hashcat cracking tool. Let's do some quick calculations for WPA2 cracking with our 77gb dictionary. On the AMD r9 270X card I have sitting at home, I can crack 90,000 WPA2 hashes per second [1].

Max Crack Time = (4765966000 entries) / (90000 H/s) / (60*60 s/hr) = 14.7 hrs

That's not bad for a card I paid $200 for in 2014. But everyone knows cloud-cracking is the way to go. How fast can we crack on an AWS p2.16xlarge? That GPU cluster has a hashcat benchmark of 1316.2 kH/s[2].

Max Crack Time = (4765966000 entries) / (1316200 H/s) / (60*60 s/hr) = 1.0 hrs

With a max crack time of 1 hr, a NETGEAR factory password can be broken in the cloud for less than $14 [3]. Let's compare that to the crack time of a router using a non-patterned alphanumeric default password. For the minimum length of 8 characters, lower-case alpha-numeric combinations:

Max Crack Time = (36 chars)^(8 length) / (1316200 H/s) / (60*60*24 s/day) = 24.8 days

Conclusion:

NETGEAR's decision to pattern their default WPA2 passwords was a poor security design choice. These passwords may seem secure to customers, but are in fact making them an easy target. Compared to a standard 8-character hash attack on factory WPA2 passwords, an attack on a factory NETGEAR router is much more rapid and practical.

Sources:

[1] http://crackingservice.com/v2/?q=benchmarks
[2] https://medium.com/@iraklis/running-hashcat-in-amazons-aws-new-16-gpu-p2-16xlarge-instance-9963f607164c
[3] https://aws.amazon.com/ec2/instance-types/p2/

Obligatory Note:

This project was supported in part by an assignment with the Secretary's Honors Program Cyber Student Volunteer Initiative sponsored by the U.S. Department of Homeland Security (DHS). This program is administered by the Oak Ridge Institute for Science and Education (ORISE) through an interagency agreement between the US. Department of Energy (DOE) and DHS. ORISE is managed by ORAU under contract with DOE.

Leave a Reply

Your email address will not be published. Required fields are marked *