
My son is able to hack into my Linksys WRT1900AC router


27 replies to this topic

#1 CrunchyWolf318


Posted 27 May 2017 - 08:44 PM

Hello,

 

I hope someone can help me here.

 

I have a home network running Windows 10. There is one hardwired computer and printer and a Linksys WRT1900AC router. All the remaining devices are wifi connected. There are iPads, iPhones, Xbox, Fire TV, an Apple TV box and a wifi connected computer. The network runs quite smoothly. I am, however, having some major issues with my son. Specifically for this forum I am referring to his ability to hack into the network.

 

As I mentioned before, I have a Linksys WRT1900AC router. It is currently set up to allow only MAC addresses that I approve. The router is set up to allow only the MAC addresses I approve, on the network. Each access to the router (2.4GHz, 5GHz and Hardwire) is password protected. I even have parental controls set up. For some time now, every time I login to the router (from my phone or wired pc), I have noticed that the parental controls change. They are changed to give him more time on the computer. At first I thought it might be the router flaking out. It wasn't long before I found out that my son was indeed hacking into the router.

 

While researching the net I came across a number of helpful ideas to limit access. What I haven't found yet is how he is able to determine, within minutes, what my new router password is. It doesn't matter if I change it, he is still able to get into it. I wanted to turn off remote administration but my wife was against that. Maybe I haven't searched long enough but I have seen a number of hacks when the default password had not been changed. This, however, is not the case with my router. I changed the password right from the beginning.

 

I'm guessing he is using some type of app to break in.

 

My goal is to not only keep him out but everyone else as well.

 

Any help would be appreciated.

 

Thank you.

 




 


#2 smax013


Posted 27 May 2017 - 11:07 PM

My best guess (and it is largely a guess) is that maybe he is using some sort of packet sniffer that is catching the password packets. This assumes that the router configuration page login is NOT protected by HTTPS encryption. To try to get past this, you might try disconnecting everything from the router (i.e. all wired devices EXCEPT the computer you use to configure it), then log into the router. Next turn off WiFi temporarily on the router. THEN do a new password on the router with ONLY your computer connected to the router. Then turn on the WiFi and reconnect everything. Then do not log in again for a while. Then after some time, log into the router and see if anything has changed. Just keep in mind that if this is the path your son is using, then anytime you log into the router, he could intercept the password. And since that particular router does not have a physical button to turn off WiFi, there is no effective way to disconnect all other WiFi devices from the router without logging in first (except maybe to somehow block the WiFi signal such as putting the router in a Faraday Cage).

If I let my mind wander into the area of "nefarious" guessing, then the other possibility is a keylogger on your computer.

Those are the most obvious potential ways to me.

Then there just might be weakness to exploit on that router, but I would not know about anything like that.

#3 MDD1963


Posted 28 May 2017 - 08:23 AM

Within security/network/administration, there is the ability to disallow wireless admin login....

 

Tell him the next change that takes effect for future incidents will be his computer being blocked from all access ....; tinker in the settings again, and, threaten to heave his laptop out onto the street (after first seeing if it can attain an altitude of 75 feet or so), and he is welcome to count the pieces afterward...


Asus Z270A Prime/7700K/32 GB DDR4-3200/GTX1060


#4 britechguy


Posted 28 May 2017 - 10:02 AM

Crunchy,

 

If you ever are able to definitively determine how this breach has been repeatedly occurring I, for one, would appreciate it if you'd post about the how.

I'd definitely "start from scratch," resetting the router to defaults and making sure your son is nowhere around when you're in the process of setting up the router. If it is possible to prevent access to the admin functions via WiFi then I'd do that, as how often do you need to get to these (under normal circumstances)? I also cannot understand why, under usual circumstances, you'd ever need remote access to your router. I turn that off as a matter of course.

Also, how are you connecting the WiFi devices? Via use of a password or WPS? You might want to try using WPS instead after you've done all the MAC address setup.

I am at a complete loss as to how he'd be repeatedly able to determine the admin password to the router itself, as that should be well-nigh impossible to do if you can't guess it. [Clearly "well-nigh" doesn't matter, because he can somehow do it.]

And, based on the keylogger observation, you might want to use a "completely clean" computer, borrowed from someone, to do the complete "from scratch" setup.


Edited by britechguy, 28 May 2017 - 10:04 AM.

Brian  AKA  Bri the Tech Guy (website in my user profile) - Windows 10 Home, 64-Bit, Version 1803, Build 17134 

     . . . the presumption of innocence, while essential in the legal realm, does not mean the elimination of common sense outside it.  The willing suspension of disbelief has its limits, or should.

    ~ Ruth Marcus,  November 10, 2017, in Washington Post article, Bannon is right: It’s no coincidence The Post broke the Moore story


 

 

 

              

 


#5 RolandJS


Posted 28 May 2017 - 10:07 AM

I'm wondering if the fox is still in the hen-house as OP re-organizes the chickens. Seriously speaking, I read elsewhere that the ideas that smax is putting forth really work. For this plan to work, OP has to work the plan -- as smax posted.

 

smax, I googled and got this:

https://www.google.com/search?q=hacker+accessing+router+and+password&oq=hacker+accessing+router+and+password&aqs=chrome..69i57.8178j0j1&sourceid=chrome&ie=UTF-8

Obviously, OP has to close the doors that some of the returned links are taking advantage of.


Edited by RolandJS, 28 May 2017 - 10:09 AM.

"Take care of thy backups and thy restores shall take care of thee."  -- Ben Franklin revisited.

http://collegecafe.fr.yuku.com/forums/45/Computer-Technologies/

Backup, backup, backup! -- Lady Fitzgerald (w7forums)

Clone or Image often! Backup... -- RockE (WSL)


#6 britechguy


Posted 28 May 2017 - 10:26 AM

If you look at most of the links (I did a quick survey) that RolandJS posted the search for, it also becomes obvious that you need physical access to the router with an ethernet cable if all remote/WiFi access to admin functions is off.

 

So, again, we come back to the bedrock security principle that physical access control is the first thing one needs to have.

 

If the router in question isn't locked up somewhere that only the original poster, or those he trusts implicitly, can get access to it then that should be part of the plan, too.




 

 

 

              

 


#7 buddy215


Posted 28 May 2017 - 02:49 PM

Where are you keeping a record of the custom password and user name for the router? The reason for asking that should be obvious.


“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.” Lawrence M. Krauss
A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”

#8 JohnnyJammer


Posted 28 May 2017 - 07:47 PM

Disable WPS (Easy to crack like really easy), you already filter through MAC so now make sure the firmware is up to date because he could be using a login string exploit to gain admin without password.

See if he cracks into it then, but my guess is WPS is being exploited as most routers only used to read the first 4 digits LOL.



#9 CrunchyWolf318


Posted 29 May 2017 - 01:32 PM

Thank you all for your replies and suggestions.

 

smax013 - I'm not sure yet if he is using a packet sniffer. I'm still looking into that.

mdd1963 - Wireless admin is turned off now. I took his phone away a month ago. It will soon be time to take the computer if I can't figure this out.

britechguy - Yes, I started from scratch; all new passwords, turned off WPS, allowed only specific MAC addresses to have access. Unfortunately the router can't be physically locked up.

rolandjs - Thank you. I'm still looking through the results of your search string.

buddy215 - To some this may be ill advised but my passwords are only known to me and they are in my head. I have rarely forgotten one.

johnnyjammer - Yes, WPS is already off and I set up MAC addressing.

 

I had remote admin turned on so I had access to turn on/off my kids' WiFi access when I would need to get their attention.

 

I will repost when I finally get an answer as to how my son is able to login to the router.

 

Thanks again,

CrunchyWolf



#10 buddy215


Posted 29 May 2017 - 02:38 PM

Well, that eliminates one of the obvious ways he gained access. I don't trust my memory and prefer a written log.

 

Using a Live Linux OS to resecure the router would eliminate the possibility of a keylogger being involved if that is how his access is obtained...... if he was still able to gain access to the router's settings after doing that.



#11 smax013


Posted 29 May 2017 - 09:01 PM

I took his phone away a month ago. It will soon be time to take the computer if I can't figure this out.


This might have to ultimately be the way you deal with it. Keep messing with the parental controls on the router and keep losing your stuff. At the end of the day, there may not always be pure tech solutions. You might just have to revert to old "you are grounded" type parenting stuff.

But, then what the heck do I know...I don't have kids! :grinner: I have enough trouble with a dog (whose toys are strewn across the family room floor at all times).

#12 Didier Stevens


Posted 30 May 2017 - 01:35 PM

You can check the logs of your router. Maybe that will give you a clue.


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"
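
Added example (not part of any poster's reply, and not Linksys code): one way to act on the "check the router logs" suggestion is to list admin logins and settings changes that came from any address other than your own admin PC, and to note whether a successful login was preceded by failures. The log layout, the IP addresses and the function names below are constructed assumptions; the WRT1900AC's actual log format is not shown in this thread, so the regex must be adapted to what the router exports. The "already known" reading is a heuristic, not proof.

```python
import re
from collections import defaultdict

# Constructed sample in a generic syslog-like layout (NOT the WRT1900AC's real
# log format; adjust EVENT to match what your router actually exports).
SAMPLE_LOG = """\
2017-05-27 18:02:11 admin login ok from 192.168.1.10
2017-05-27 18:05:40 config change parental_controls by 192.168.1.10
2017-05-27 21:14:09 admin login ok from 192.168.1.23
2017-05-27 21:15:30 config change parental_controls by 192.168.1.23
2017-05-28 02:40:00 dhcp lease 192.168.1.31
2017-05-28 03:01:12 admin login failed from 192.168.1.40
"""

EVENT = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<kind>admin login ok|admin login failed|config change) "
    r"(?:(?P<setting>\S+) by|from) (?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)

def summarize_admin_sources(log_text, trusted_ips):
    """Per untrusted source IP: failures before first success, logins, changes."""
    stats = defaultdict(lambda: {"failed_first": 0, "logins": 0, "changes": []})
    for line in log_text.splitlines():
        m = EVENT.match(line.strip())
        if not m or m["ip"] in trusted_ips:
            continue  # not an admin event, or it came from your own admin PC
        s = stats[m["ip"]]
        if m["kind"] == "admin login failed" and s["logins"] == 0:
            s["failed_first"] += 1
        elif m["kind"] == "admin login ok":
            s["logins"] += 1
        elif m["kind"] == "config change":
            s["changes"].append((m["ts"], m["setting"]))
    return dict(stats)

def assess(stats, guess_threshold=5):
    """Heuristic reading of each source; the threshold is an arbitrary choice."""
    verdicts = {}
    for ip, s in stats.items():
        if s["logins"] == 0:
            verdicts[ip] = "failed attempts only"
        elif s["failed_first"] >= guess_threshold:
            verdicts[ip] = "many failures before success: consistent with guessing"
        else:
            verdicts[ip] = "clean success: password was already known to this device"
    return verdicts

if __name__ == "__main__":
    print(assess(summarize_admin_sources(SAMPLE_LOG, {"192.168.1.10"})))
```

A first-try login from an unexpected address points toward the password being captured or observed (the sniffer and keylogger theories above) rather than guessed, which tells you where to look next.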


#13 DeimosChaos


Posted 30 May 2017 - 02:48 PM

As far as packet sniffing goes, the most popular one out there is Wireshark. See if he has it installed on his computer. That would at least give you a clue he is doing some sniffing.

 

My mind immediately went to key logger as well.. but if you run a good AV on your PC it probably would have picked up on it...

 

I'll second Buddy's suggestion at using a live Linux OS to log into the router and change passwords.


OS - Ubuntu 14.04/16.04 & Windows 10
Custom Desktop PC / Lenovo Y580 / Sager NP8258 / Dell XPS 13 (9350)
_____________________________________________________
Bachelor of Science in Computing Security from Drexel University
Security +


#14 buddy215


Posted 30 May 2017 - 04:28 PM

I was wondering if Wireshark is portable...it is.

QUOTE from the web: Run the PortableApps version (http://portableapps.com) of Wireshark. When a machine stops communicating, plug your USB flash drive in to that machine, and launch Wireshark Portable. Wireshark itself will run without being installed on the PC. Wireshark requires Winpcap in order to capture traffic, so it will install Winpcap if Winpcap is not already installed on the PC, but it will offer to remove it and clean up when you exit Wireshark.

 

Easy enough to rename an installed program to disguise it, too. :)



#15 trenansac


Posted 27 July 2017 - 01:57 AM

I would say that your son has spyware attached to your computer. Try using a different computer to set up your router, preferably a device never connected on the network. Let us know what happens. I'm curious!





