Adsl routers are very common now a days as the primary hardware device used to connect to broadband connections. The modems connect to the broadband service using the username/password. Then the pcs connect to this router to form a local area network. The pcs use the router as the primary gateway to connect to the internet. So it is only the router that is directly connected to the internet and not the individual pcs. With a switch it is possible to connect multiple pcs to a single router and all of them share the same internet connection.
Now there routers are like mini computers that have many services running on them. The services are meant for administration and configuration. For example most routers now a days provide web based configuration system through port 80 just like any website. So to configure your router you would open its ip address in your browser.
The administration pages are always password protected. However here lies the actual hack. Most routers are pre configured with a default username and password. Manufacturers tend to keep it same across all the makes and models to keep it simple for users. The most common username/password combinations are admin/admin or admin/password.
Moreover users are unaware of the fact that the router is exposed to the outer internet when online. And this makes the router remotely accessible. So if a hacker finds out the ip address, he would also open the ip his browser and get the same administration page. And next the hacker would try the default username/password combination to login, which would work in most cases.
Search for routers
So the first step is to search for such online routers. Now the easiest way to do this is by searching the ip range of your own isp. If you are using a router, then your isp gave a router to other customers as well. So first of all find out your own ip address from ipmango.com. Lets say I found my ip address to be 126.96.36.199. Now I can scan the range of ip address keeping the first 3 octets constant. So the range is 188.8.131.52-255.
There are many tools that can be used for scanning ip ranges. Some of the popular ones are nmap and angry ip scanner. Both of them are free. Angry ip scanner is a gui tool that is easy to use for beginners. It can scan a range of ip address to discover alive hosts and can also scan selected ports on the online hosts.
Here I am going to use nmap, which is a commandline tool. Lets tell nmap to scan for open port 80 in that ip range and fetch the daemon banner for the port 80 service if available. The daemon banner is a quick way to distinguish between various types of adsl routers.
Here is the command with full output.
$ sudo nmap -sS -sV -vv -n -Pn -T5 184.108.40.206-255 -p80 -oG - | grep 'open' Host: 220.127.116.11 () Ports: 80/open/tcp//tcpwrapped/// Host: 18.104.22.168 () Ports: 80/open/tcp//http//micro_httpd/ Host: 22.214.171.124 () Ports: 80/open/tcp//tcpwrapped/// Host: 126.96.36.199 () Ports: 80/open/tcp//tcpwrapped/// Host: 188.8.131.52 () Ports: 80/open/tcp//http//Fortinet VPN|firewall http config/ Host: 184.108.40.206 () Ports: 80/open/tcp//tcpwrapped/// Host: 220.127.116.11 () Ports: 80/open/tcp//http?/// Host: 18.104.22.168 () Ports: 80/open/tcp//tcpwrapped/// Host: 22.214.171.124 () Ports: 80/open/tcp//http?/// Host: 126.96.36.199 () Ports: 80/open/tcp//http?/// Host: 188.8.131.52 () Ports: 80/open/tcp//http//Gadspot|Avtech AV787 webcam http config/ Host: 184.108.40.206 () Ports: 80/open/tcp//http?/// Host: 220.127.116.11 () Ports: 80/open/tcp//ssl|http//thttpd/ Host: 18.104.22.168 () Ports: 80/open/tcp//http?/// Host: 22.214.171.124 () Ports: 80/open/tcp//tcpwrapped/// Host: 126.96.36.199 () Ports: 80/open/tcp//http//Gadspot|Avtech AV787 webcam http config/ Host: 188.8.131.52 () Ports: 80/open/tcp//http//Allegro RomPager 4.07 UPnP|1.0 (ZyXEL ZyWALL 2)/ Host: 184.108.40.206 () Ports: 80/open/tcp//http//Apache httpd/ Host: 220.127.116.11 () Ports: 80/open/tcp//http//micro_httpd/ Host: 18.104.22.168 () Ports: 80/open/tcp//http?/// Host: 22.214.171.124 () Ports: 80/open/tcp//http?/// Host: 126.96.36.199 () Ports: 80/open/tcp//tcpwrapped/// Host: 188.8.131.52 () Ports: 80/open/tcp//tcpwrapped/// Host: 184.108.40.206 () Ports: 80/open/tcp//http//Allegro RomPager 4.07 UPnP|1.0 (ZyXEL ZyWALL 2)/ Host: 220.127.116.11 () Ports: 80/open/tcp//tcpwrapped/// Host: 18.104.22.168 () Ports: 80/open/tcp//http//micro_httpd/ Host: 22.214.171.124 () Ports: 80/open/tcp//http//Microsoft IIS httpd 6.0/ Host: 126.96.36.199 () Ports: 80/open/tcp//tcpwrapped/// Host: 188.8.131.52 () Ports: 80/open/tcp//http//Allegro RomPager 4.07 UPnP|1.0 (ZyXEL ZyWALL 2)/ Host: 184.108.40.206 () Ports: 80/open/tcp//http?/// Host: 220.127.116.11 () Ports: 80/open/tcp//tcpwrapped/// Host: 18.104.22.168 () Ports: 80/open/tcp//tcpwrapped/// Host: 22.214.171.124 () Ports: 80/open/tcp//http//Apache httpd 2.2.15 ((CentOS))/ Host: 126.96.36.199 () Ports: 80/open/tcp//tcpwrapped/// Host: 188.8.131.52 () Ports: 80/open/tcp//http//Allegro RomPager 4.51 UPnP|1.0 (ZyXEL ZyWALL 2)/
You might be surprised to see the number of online hosts. The text that follows after http// is the daemon banner.
The entries which have the text "tcpwrapped" indicate the service is probably not accessible or is being blocked through some access control mechanism.
Now try opening some of these ip addresses in your browser and you should get a login prompt. Try logging into those with the following username/password combinations.
username : admin password : admin or password
These are the most common default logins for commercial adsl routers. Either of them should work in some of the routers. If the router's default login has been changed by the user, then it wont work.
Routers can be exploited in many ways. Once the attacker gets inside the router's admin panel, he can play the settings in any way. The username/password for the internet connection are stored in plain text format in the router's configuration pages. The hacker can steal the information from there.
An attacker might change the dns servers to hijack all dns queries that originate from the router. For example if you have configure the network settings of your computer to use the router as the dns server, and your isp provides dns servers to the router while establishing a connection, then all dns queries generated from the computers are send to the router, which in turn sends the dns queries to the isp's dns servers.
An attacker can override the settings to save a specific dns server ip and use it instead of the isp provided dns servers. In such a scenario the requests would be send to the malicious dns server configured by the hacker. Now the hacker might have a dns server configured which redirects users to some phishing page or something similar.
Booting the router
Hackers might reboot the router to hamper the internet connectivity of the users. The reboot option is available in the administration panel or even the telnet console.
Dos attack on the router
The hacker might also try somekind of dos attack on the router. This will either crash or hang the router. Now in most cases a hanged router would be difficult to detect. The lights on the router would blink as normal, but internet connectivity would slow down or cease. Users might be think that internet is down from the isp side and may become idle.
Automated scripts can be written in python or C that can craft and carry out such dos attacks very well. This can effectively cause the degradation of internet connectivity for multiple users connected to that isp.
Since the routers are very limited in resouces like memory and cpu, they are weak at handling malicious kind of traffic. For example malformed packets or too many tcp syn packets on a port can cause the router to hang or freeze temporarily or even permanently.
Secure your routers
Now that you know how hackers can target routers to mess up the internet connection or even steal username/passwords, the next best thing to do is to secure your own routers.
1. Change the default username/password - This will make it nearly impossible for a hacker to get in.
2. Disable remote administration - The router should be configurable only from the local network or LAN.
3. Disable WAN ping reply to avoid detection - Configure the router to not reply to ping requests from the wan side (that is the internet).
Following the above steps should secure the router well enough.