How to exploit home routers for anonymity

This article is just a demo for educational purposes. To those who say this sort of information should be censored, I say you can close your eyes and shout, “la-la-la-la-this-doesn’t-exist” all you want but that won’t make practices like those outlined below disappear. Only through awareness can you grow and protect yourself and others.

Download device-pharmer
git clone https://github.com/DanMcInerney/device-pharmer
Device-pharmer takes advantage of Shodan and concurrently tests 1000 hosts from the search results to find open targets. It prints the IP, port, and page title whenever a connection succeeds. All successful connections are logged to a file named after the search term with the suffix _results.txt (e.g. dir-300_results.txt) in the current working directory. Device-pharmer will be included by default in the next update of Kali.

Get a Shodan API key
1) Sign up for a free Shodan account
http://www.shodanhq.com/account/register
Recommended.

OR

2) Search Google for one
site:pastebin.com shodan api key
This is not an optimized search. It’s just to give you an idea of how to find this sort of information.

Choose a router model to target
Search Google/Amazon/Cuil for routers with baked-in VPN support. Perhaps “vpn router” might do the trick ;). PPTP and OpenVPN are probably the easiest to set up. For the rest of this exercise we’ll pretend that the common D-Link DIR-300 is a router with baked-in PPTP VPN support in its stock firmware.

(Optional) Find a free HTTP proxy
git clone https://github.com/DanMcInerney/elite-proxy-finder
Run:
python elite-proxy-finder.py -s 2
This script scrapes a few reliable proxy sites for high-anonymity public proxies only and concurrently tests the results against a few IP-checking sites, including an HTTPS one. It then checks the proxy headers to confirm eliteness and displays first the fastest proxies that pass all tests. -s 2 shows only the top 2 fastest proxies amongst all the results.
(screenshot of elite-proxy-finder output)
OR

https://hidemyass.com/proxy-list
Choose Speed: Fast and Connection time: Fast

Search Shodan using device-pharmer
python device-pharmer.py -s 'dir-300' -a Wutc4c3T78gRIKeuLZesI8Mx2ddOiP4 --proxy 123.12.12.123:8080 --timeout 30

Alternatively if you know the default username/password you can tell the script to attempt to login to each device found:
python device-pharmer.py -s 'dir-300' -a Wutc4c3T78gRIKeuLZesI8Mx2ddOiP4 --proxy 123.12.12.123:8080 --timeout 30 -u admin -p password

-s: Search Shodan for ‘dir-300’; use single or no quotes
-a: Shodan API key
--proxy: Proxy all requests through this server (optional)
--timeout: By default it’s 12 seconds, but since we’re proxying our requests we’re going to want to increase that to account for the lag the proxy introduces (optional)
-u: Try logging in with this username (optional)
-p: Try logging in with this password (optional)

If you have a free account you will only be given one page of results, which amounts to 100 hosts. Plenty. If you have a pro account you can use the -n option to specify how many pages of results you want to run through, e.g. “-n 5”.

Example results in the log file dir-300_results.txt without attempting to log in:
(screenshot of dir-300_results.txt)

Set up dynamic DNS
http://www.noip.com
Register a free account then go to Manage Hosts > Add Host and fill it out. Max of 3 hosts.

Visit one of the results from the log file “dir-300_results.txt” in your browser
1) Look for the dynamic DNS settings (usually under a link like “DDNS”) and set it up with your noip account
2) Look for the PPTP VPN settings once you’re in, enable it if necessary, and create an account for yourself.

Set up network manager
1) apt-get install network-manager-pptp-gnome
Assuming you’re in Kali.

2) http://support.vpninja.net/hc/en-us/articles/200373377-Ubuntu-12-04-PPTP-Setup
Follow the instructions here.

Clear the router logs
Probably a good idea to do this before and after every session you make to the router. Safety first, of course. Usually you can find the logs in a link like “Settings” or “System” within the router web interface. If you can completely turn off the logs, even better.

Voila!
Your own hypothetical personal VPN.

Ultimately this is one of the less malicious things you can do with this power. If you really wanted to do harm you could change the DNS to point to a malicious server amongst other things. You’d be pretty careless if you actually performed all the steps above as it’s illegal and not really very anonymous as ISPs have logs too. That being said, it doesn’t take much imagination to use similar steps from above and think of alternate ways to abuse a truly massive amount of internet connected devices. IP cameras, network attached storage devices, watches, phones, power plants, particle accelerators.

As the internet-of-things ramps up, the amount of low-hanging fruit you can find using the methods described here is going to explode like the Cambrian.
