2015/02/04

Bruteforcing TP-Link routers with JavaScript

Recently I read this post on reddit: "get_local_and_public_ip_addresses_in_javascript", and I was thinking about hacking into WiFi routers. I have a TP-LINK Wireless Lite N Router WR741N, so I started testing it with Chrome + Iceweasel on Linux.

So I started googling and found a first post about "Brazilian, U.S. Web Users Targeted by Router-Hacking Group", and a very interesting post, also from Brazil, was this: "4.5 million routers hacked in Brazil". The attack code was crafted to target Internet Explorer and tried possible IP addresses on the reader's local network range, including '192.168.0.1' and '192.167.1.1'. And I thought, "It can't be that difficult when one can get the local IP with JavaScript", and I started digging ...

I found this, and it was my first step :) I was able to find the IP, so I started to talk to the router. Things are hard nowadays because of the same-origin policy: one can't send XMLHttpRequests directly to the router. There is HTTP Basic Auth, and you can't read the version from the dialog window, can't access headers, etc.

But with TP-Link, one can use iframe or img tags. Things went badly with Chrome, so I only tested Iceweasel. As I said, you can't send GET/POST requests, but you can log in with this: <iframe src="http://admin:admin@192.168.1.1">.

The funny thing about bypassing the same-origin policy is that you really don't have to bypass it: you can log in with an iframe or, as I did, include the TP-Link router logo in an img tag:

http://www.tp-link.com/resources/simulator/TL-WR750N_V5.0/images/top1_1.jpg

But there is a problem: if the username/password doesn't match, the Basic Auth dialog window pops up, and there is no way to close/hide it with JavaScript. After some hours of experimenting with alerts and other things, I bypassed it simply with: setAttribute("id", Math.random());

After one day I wrote a PoC against my router; at 0:11 you can see the green iframe box, which is the TP-Link logo and a successful attack:

The great thing about TP-Link is that one can view emulators on their page:
http://www.tp-link.com/en/support/emulators/

OK, now I can get the local IP, and I can crack the password by "bypassing" the auth dialog with a wordlist attack, but how to fingerprint the router version for possible DNS changing? And I started digging in the emulators ...

I knew that I could include images, but what about scripts? There is one great .js file, localiztion/str_menu.js:

http://www.tp-link.com/resources/simulator/TL-WR750N_V5.0/localiztion/str_menu.js

It's basically the structure of the left menu, so one can include this <script>, reference the predefined variables and determine whether they are defined or not. It's an easy way to determine which menu the user can see and which router he has.

You can see the PoC here; Mozilla Firefox without AdBlock and a TP-Link router are recommended:
http://www.hacktheplanet.cz/PoC.html

The source code is here; it's crap, but I was writing/testing it for only 2-3 days:
https://gist.github.com/vavkamil/50f9c2faf100ad8c5376

And if you don't have a TP-Link router, you can use this demo with my "emulator":
http://www.hacktheplanet.cz/PoC2.html

It is terribly simple to write something like this; changing the DNS settings is a few more lines of code. How can we defend ourselves, if I was able to get my local/public IP and change my DNS settings using Iceweasel over Tor with JavaScript enabled? We are living in scary times!
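One answer to the "how can we defend ourselves" question is on the router side: an admin interface can refuse requests initiated by a foreign page (the credentialed <iframe>/<img> loads the post relies on) and throttle the wordlist attack against Basic Auth. The following is an added example, not code from the post or from TP-Link firmware; the admin origin 192.168.1.1, the lockout threshold and the window are assumed values.

```python
# Added example (not from the post): a request guard a router admin UI could
# apply. Sec-Fetch-Site is honoured where the browser sends it; Origin/Referer
# are the fallback for older browsers such as the Iceweasel used in the post.
from collections import defaultdict, deque

ADMIN_ORIGIN = "http://192.168.1.1"   # assumed origin of the admin UI
MAX_FAILURES = 5                       # assumed: lock out after 5 bad logins
WINDOW_SECONDS = 60.0                  # assumed: counted over a 60 s window


class AdminGuard:
    def __init__(self, origin=ADMIN_ORIGIN, max_failures=MAX_FAILURES,
                 window=WINDOW_SECONDS):
        self.origin = origin.rstrip("/")
        self.max_failures = max_failures
        self.window = window
        self._failures = defaultdict(deque)   # client address -> failure times

    def _same_origin(self, url):
        return url == self.origin or url.startswith(self.origin + "/")

    def check_origin(self, headers):
        """Return 'allow' or a rejection reason based on who initiated the request."""
        h = {k.lower(): v for k, v in headers.items()}
        # Modern browsers name the initiator; anything other than a same-origin
        # page or a typed URL ("none") is an embedded tag, form or script elsewhere.
        site = h.get("sec-fetch-site")
        if site is not None and site not in ("same-origin", "none"):
            return "cross-site initiator (%s)" % site
        origin = h.get("origin")
        if origin is not None and not self._same_origin(origin):
            return "origin mismatch"
        referer = h.get("referer")
        if referer is not None and not self._same_origin(referer):
            return "referer mismatch"
        return "allow"

    def record_login(self, client, ok, now):
        """Track Basic Auth outcomes per client; True while the client is locked out."""
        q = self._failures[client]
        while q and now - q[0] > self.window:   # forget failures outside the window
            q.popleft()
        if not ok:
            q.append(now)
        return len(q) >= self.max_failures
```

A request that carries none of these headers is allowed, which is the gap a CSRF token on state-changing pages (such as the DNS settings form) would close.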

EDIT2: If you are reading a tutorial about "how to configure a wireless router" and you are logged in, use a different browser. The website with the tutorial can setTimeout and hack you after some time.

EDIT1: Imagine using this with MITMf, storing wordlists in localStorage and using the users on a poisoned network to attack public WiFi routers. Adding some sources to read:

http://net.ipcalf.com/
http://crypto.stanford.edu/PwdHash/pwdhash.pdf
http://www.browserleaks.com/javascript
http://www.gnucitizen.org/blog/hacking-the-interwebs/
http://www.eweek.com/security/plug-and-play-flaws-leave-millions-of-devices-vulnerable-researchers
http://www.w3schools.com/html/html5_webstorage.asp
http://www.w3schools.com/html/tryit.asp?filename=tryhtml5_webstorage_local_clickcount
https://hacking.ventures/local-ip-discovery-with-html5-webrtc-security-and-privacy-risk/
https://dl.dropboxusercontent.com/u/1878671/enumhosts.html
https://github.com/diafygi/webrtc-ips
https://diafygi.github.io/webrtc-ips/
http://www.scip.ch/en/?vuldb.8501
http://1337day.com/exploit/20372
http://diveintohtml5.info/storage.html
https://github.com/cldrn/nmap-nse-scripts/blob/master/scripts/6.x/http-tplink-dir-traversal.nse
http://www.pcworld.com/article/2104380/attack-campaign-compromises-300000-home-routers-alters-dns-settings.html
http://hexus.net/tech/news/network/61925-some-tp-link-routers-vulnerable-exploit-found-wild/
http://www.jakoblell.com/blog/2013/10/30/real-world-csrf-attack-hijacks-dns-server-configuration-of-tp-link-routers-2/
http://news.softpedia.com/news/Cybercriminals-Exploit-TP-Link-Router-CSRF-Vulnerabilities-to-Hijack-DNS-Settings-395545.shtml
https://exploits.shodan.io/?q=TP-Link
https://developer.mozilla.org/en-US/docs/Web/HTTP/Basic_access_authentication

10 comments:

  1. > Things are hard nowadays because of Same-origin policy, one can't send
    > XMLHttpRequests directly to router. There is HTTP Basic Auth and you can't read
    > version from dialog-window, can't access headers etc.

    You can, actually. You just can't read the response (try it yourself against a netcat listener: `nc -kl 5555`; it will take some monkeying to work in all browsers - iirc you need to set Content-type explicitly to avoid the CORS pre-flight request). Alternatively you can build a `form` and set its target attribute to the name of an iframe in your page.
  2. http://blog.kapravelos.com/post/68334450790/attacking-home-routers-via-javascript
  3. Great work, but it does not work for me; my router is a TL-WR941ND.
  4. The router IP address is not always .1 at the end. Check if you can find the address when you use "http://tplinklogin.net". Normally it's the common address for the router interface.
  5. Pretty sure we can find out the correct IP using a time-based attack, no?
    Want to bypass SOP? Use DNS rebinding when you have the correct IP ;)

    Replies
    1. Yeah, maybe, but you must set a long delay to get it to work :)

    2. For rebinding, not so long (I didn't test it for a long time, maybe fixed now):

      safari : 5.1.7 (7534.57.2) : 1-2 sec
      firefox 16.0.1 : 1-2sec with tcp reset, +-5min without reset
      chrome 22.0.1229.94: 55sec
      ie: can't have another request

    3. Thank you for the info, I thought that for DNS pinning 30 minutes is recommended. It's nice to always have new things to learn :)
  6. Awesome and excellent posts in your sharing! I will be using this in the near future. GOOD, thanks.
  7. Very helpful, thanks! I tried to pry open the air filter as well but found your great blog before I broke anything!