1
00:00:01,050 --> 00:00:03,829
Because the router is the main doorway and gateway

2
00:00:03,830 --> 00:00:04,800
into your network,

3
00:00:04,801 --> 00:00:07,040
both locally and via the internet,

4
00:00:07,330 --> 00:00:10,930
it is a crucial component for maintaining security,

5
00:00:11,020 --> 00:00:12,560
privacy and anonymity.

6
00:00:12,760 --> 00:00:15,840
Routers have a very, very tainted history

7
00:00:16,120 --> 00:00:19,650
of vulnerabilities and bad default configurations.

8
00:00:20,160 --> 00:00:23,670
They’re often plugged in and just left running.

9
00:00:23,990 --> 00:00:27,110
If they become vulnerable, you never find out

10
00:00:27,140 --> 00:00:28,640
and nothing is ever done about it,

11
00:00:28,950 --> 00:00:30,340
and they remain vulnerable.

12
00:00:30,660 --> 00:00:33,460
Here you see some of the many examples of

13
00:00:33,560 --> 00:00:36,960
vulnerable routers and incidents involving vulnerable routers.

14
00:00:39,260 --> 00:00:42,780
Let me introduce you to Shodan, if you are not familiar with it.

15
00:00:43,120 --> 00:00:45,600
Think of Shodan as a search engine

16
00:00:45,730 --> 00:00:49,240
that searches for vulnerable devices on the internet.

17
00:00:49,720 --> 00:00:53,900
It’s the Google of vulnerabilities, or the Google of

18
00:00:54,110 --> 00:00:55,670
the internet of things, if you like.

19
00:00:56,000 --> 00:00:59,510
It continually scans the internet looking for vulnerabilities

20
00:00:59,640 --> 00:01:02,170
and then adds them to its database

21
00:01:02,520 --> 00:01:03,680
to make them searchable.

22
00:01:04,050 --> 00:01:08,560
So let me give you an example here. I’m simply typing in “netgear”.

23
00:01:12,740 --> 00:01:16,690
Both hackers and security researchers use this to find targets

24
00:01:16,840 --> 00:01:18,670
and to protect their own infrastructure.

25
00:01:19,050 --> 00:01:22,530
So this search query here has returned

26
00:01:22,810 --> 00:01:26,330
devices that have responded with this string, netgear.

27
00:01:26,700 --> 00:01:29,360
Netgear being one of the most popular

28
00:01:29,490 --> 00:01:31,230
home router manufacturers.

29
00:01:31,520 --> 00:01:34,270
So what this means is that these are open ports

30
00:01:34,400 --> 00:01:35,679
on these Netgears.

31
00:01:35,680 --> 00:01:39,280
So if you look here, you can see there are 100,000

32
00:01:39,480 --> 00:01:42,170
Netgears with port 8080 open,

33
00:01:42,640 --> 00:01:46,120
you’ve got HTTP, you’ve got FTP,

34
00:01:46,550 --> 00:01:48,906
and this is essentially the response they’re giving back,

35
00:01:48,930 --> 00:01:50,500
so it’s saying which

36
00:01:50,890 --> 00:01:51,890
Netgear it is,

37
00:01:52,230 --> 00:01:54,470
and it’s saying Unauthenticated, because

38
00:01:54,630 --> 00:01:57,090
a username and password are not being provided.

39
00:01:57,600 --> 00:02:00,080
Unless there is a very good reason,

40
00:02:00,200 --> 00:02:03,100
and the device has been hardened especially for it,

41
00:02:03,320 --> 00:02:06,240
no router should be allowing access

42
00:02:06,290 --> 00:02:09,490
to its admin interface from the whole internet like this.

43
00:02:09,810 --> 00:02:12,210
The attack surface has to be minimized.

44
00:02:12,470 --> 00:02:15,570
If you need access to your admin interface,

45
00:02:15,640 --> 00:02:17,920
you need to at least VPN in

46
00:02:18,160 --> 00:02:19,210
to your network

47
00:02:19,450 --> 00:02:21,480
in order to access the admin interface,

48
00:02:21,600 --> 00:02:24,900
or preferably it should only be accessible internally.

49
00:02:31,680 --> 00:02:34,650
So literally, hundreds of thousands of them,

50
00:02:35,020 --> 00:02:38,530
and that’s just from one search on one string.

51
00:02:41,600 --> 00:02:45,460
The sort of strings you are more likely to put into this search engine here

52
00:02:45,920 --> 00:02:48,930
are ones that indicate vulnerabilities,

53
00:02:49,080 --> 00:02:52,040
so that you can find vulnerable devices.

54
00:02:52,270 --> 00:02:54,690
So I’ve put in here “default password”,

55
00:02:55,060 --> 00:02:57,230
meaning that these devices are responding

56
00:02:57,610 --> 00:02:59,960
with the terms “default” and “password”.

57
00:03:00,620 --> 00:03:02,020
And if we look down here,

58
00:03:03,670 --> 00:03:04,920
let’s see what we can find.

59
00:03:05,350 --> 00:03:09,190
So this has given us some examples where “cisco” might be the default password,

60
00:03:12,360 --> 00:03:15,520
but then we’ve got this particularly interesting one

61
00:03:15,810 --> 00:03:18,070
telling us that the default username is “admin”

62
00:03:18,110 --> 00:03:20,770
and the password is “1234”.

63
00:03:21,420 --> 00:03:22,950
And that’s on ADSL,

64
00:03:23,720 --> 00:03:25,810
that’s probably Taiwan, so that is

65
00:03:26,150 --> 00:03:28,380
somebody’s home router

66
00:03:28,950 --> 00:03:31,490
that’s probably got the username

67
00:03:32,080 --> 00:03:36,060
and password displayed to everyone on the internet.

68
00:03:36,880 --> 00:03:37,880
Well, let’s find out.

69
00:03:51,600 --> 00:03:54,620
So there we are. We’re on some unfortunate person’s –

70
00:03:55,120 --> 00:03:58,450
let me just zoom in – we’re on some unfortunate person’s

71
00:03:58,600 --> 00:04:00,040
internal home router,

72
00:04:00,370 --> 00:04:02,040
and I don’t think I need to tell you

73
00:04:02,230 --> 00:04:03,970
what you could do from here.

74
00:04:04,050 --> 00:04:08,400
Obviously, we can start trying to compromise the internal devices,

75
00:04:08,430 --> 00:04:10,580
we can start looking at the network traffic,

76
00:04:10,650 --> 00:04:12,230
we can act as a man in the middle

77
00:04:12,500 --> 00:04:15,319
and SSLstrip his traffic. I mean, essentially,

78
00:04:15,320 --> 00:04:17,900
we can own the network and own his devices.

79
00:04:19,270 --> 00:04:20,640
Let’s have a quick look.

80
00:04:27,340 --> 00:04:28,760
And there’s

81
00:04:29,850 --> 00:04:34,230
his WiFi password; he has actually selected the best and strongest

82
00:04:34,400 --> 00:04:35,490
method of encryption,

83
00:04:37,440 --> 00:04:39,660
and let’s look at why he actually has this problem,

84
00:04:39,710 --> 00:04:40,940
why this is accessible.

85
00:04:49,170 --> 00:04:54,010
And that’s the reason. He’s set up port forwarding or a DMZ,

86
00:04:54,340 --> 00:04:57,360
which has enabled access to this device from the internet,

87
00:04:57,490 --> 00:04:58,750
which was a mistake.

88
00:04:59,570 --> 00:05:01,610
And there will be literally hundreds of thousands of

89
00:05:01,900 --> 00:05:03,560
vulnerable routers;

90
00:05:03,660 --> 00:05:06,520
this is just a router vulnerable in terms of

91
00:05:07,040 --> 00:05:08,650
a default username and password,

92
00:05:08,950 --> 00:05:10,800
but there will also be routers vulnerable

93
00:05:11,240 --> 00:05:13,810
in that they have vulnerable code,

94
00:05:13,880 --> 00:05:14,940
they haven’t been patched,

95
00:05:15,280 --> 00:05:18,130
and we can even search for those using Shodan.

96
00:05:19,650 --> 00:05:22,120
So here I’ve done a search for Netgear,

97
00:05:22,230 --> 00:05:25,640
and it’s linking to the Exploit Database,

98
00:05:26,790 --> 00:05:28,900
so then we can look on the Exploit Database

99
00:05:29,490 --> 00:05:31,670
and find exploit code

100
00:05:31,760 --> 00:05:34,110
and exploit strings to search for

101
00:05:34,650 --> 00:05:36,880
to find vulnerable routers

102
00:05:37,200 --> 00:05:39,330
that we can potentially get root access to,

103
00:05:39,390 --> 00:05:40,870
or some sort of access,

104
00:05:40,950 --> 00:05:43,760
using the various vulnerabilities that are out there.

105
00:05:44,120 --> 00:05:47,590
Are you confident that your own router is locked down and secure?

106
00:05:47,740 --> 00:05:49,160
Well, we can find out.

107
00:05:49,640 --> 00:05:53,870
First find out your router’s external IP address:

108
00:05:54,010 --> 00:05:57,040
you can search for “whatismyipaddress”,

109
00:05:57,460 --> 00:05:58,870
you can see that on Google;

110
00:05:59,890 --> 00:06:03,450
you can also go here: whatismyipaddress.com,

111
00:06:03,490 --> 00:06:04,840
I’ve shown you this many times,

112
00:06:05,910 --> 00:06:08,960
and then pop that into Shodan and see what you get.

113
00:06:12,420 --> 00:06:14,530
This is an IP address I’ve just chosen at random

114
00:06:14,900 --> 00:06:17,020
because it represents UK

115
00:06:17,170 --> 00:06:19,480
BT local home users,

116
00:06:20,030 --> 00:06:21,560
so it’s just an example one.

117
00:06:22,370 --> 00:06:23,940
And as we can see here,

118
00:06:24,110 --> 00:06:25,200
this is someone’s

119
00:06:26,520 --> 00:06:28,500
home router by the look of it.

120
00:06:28,990 --> 00:06:32,320
Now, because IP addresses are generally dynamic,

121
00:06:32,450 --> 00:06:35,200
at least they are in this country,

122
00:06:35,270 --> 00:06:39,060
or they certainly are with BT anyway, this means that this IP address

123
00:06:39,690 --> 00:06:42,460
has had this port open on it at some point.

124
00:06:42,570 --> 00:06:45,600
It doesn’t mean it is vulnerable now,

125
00:06:46,180 --> 00:06:47,960
but it does say the last update

126
00:06:48,600 --> 00:06:52,510
was then, so this could very well be available.

127
00:06:53,140 --> 00:06:54,940
And as you can see, it’s some sort of

128
00:06:55,350 --> 00:06:57,400
web server.

129
00:07:01,680 --> 00:07:03,790
And that one doesn’t look to be available.

130
00:07:04,570 --> 00:07:07,279
So it may be that whatever the device was

131
00:07:07,280 --> 00:07:09,440
has now changed to a different IP address.

132
00:07:10,360 --> 00:07:13,970
Even if nothing shows up on here for your router’s IP address,

133
00:07:14,060 --> 00:07:16,800
that doesn’t necessarily tell you much.

134
00:07:17,060 --> 00:07:19,540
You can go directly to the source of the information.

135
00:07:19,830 --> 00:07:23,080
If you want to know what services and ports are running on your router,

136
00:07:23,230 --> 00:07:26,300
you can go onto the router’s web admin interface.

137
00:07:28,940 --> 00:07:31,070
To access your web interface, by the way,

138
00:07:32,230 --> 00:07:36,080
I mean usually it would be at http:// or https://

139
00:07:38,030 --> 00:07:39,920
followed by whatever the IP address is

140
00:07:42,960 --> 00:07:43,960
that you looked up.

141
00:07:45,630 --> 00:07:49,200
And here’s an example web interface for DD-WRT,

142
00:07:49,310 --> 00:07:50,510
the router firmware.

143
00:07:50,930 --> 00:07:53,920
It isn’t always easy to see what is running,

144
00:07:54,080 --> 00:07:56,280
especially if you’ve not looked much at your router.

145
00:07:56,710 --> 00:07:59,670
There are a lot of tabs, and sometimes services could be running

146
00:08:00,100 --> 00:08:01,520
but it doesn’t even tell you.

147
00:08:02,500 --> 00:08:05,740
You can check for services if there’s some sort of services tab,

148
00:08:05,770 --> 00:08:07,410
to see what services might be running.

149
00:08:07,690 --> 00:08:09,030
If you want to know whether or not

150
00:08:09,440 --> 00:08:12,590
there’s any network address translation, port

151
00:08:12,680 --> 00:08:14,880
forwarding or demilitarized zone,

152
00:08:14,920 --> 00:08:16,706
then you want to look for those sorts of things:

153
00:08:16,730 --> 00:08:18,980
port forwarding, port range forwarding,

154
00:08:19,920 --> 00:08:20,960
DMZ.

155
00:08:21,190 --> 00:08:24,020
This can point to ports being opened up

156
00:08:24,430 --> 00:08:26,770
to the internet, and this will look different

157
00:08:26,960 --> 00:08:29,360
depending on what router you have, obviously.

158
00:08:31,450 --> 00:08:35,880
Check on your router to see if it has UPnP,

159
00:08:36,160 --> 00:08:38,480
which is Universal Plug and Play.

160
00:08:38,780 --> 00:08:42,320
This allows port forwarding to be set up automatically,

161
00:08:42,640 --> 00:08:45,300
so you can imagine this may not be a good idea.

162
00:08:45,480 --> 00:08:49,120
You may have some internal device, if UPnP is set up,

163
00:08:49,180 --> 00:08:50,800
that communicates with your router

164
00:08:51,060 --> 00:08:54,500
and opens up a port automatically without your knowledge,

165
00:08:54,640 --> 00:08:58,540
and this also has a history of vendor vulnerabilities.

166
00:08:58,840 --> 00:09:01,680
So it’s not just that it opens ports automatically without your knowledge,

167
00:09:01,980 --> 00:09:03,840
it also has vendor vulnerabilities.

168
00:09:04,130 --> 00:09:07,060
So in your interface, make sure that it is disabled

169
00:09:07,520 --> 00:09:11,010
and set up port forwarding manually yourself,

170
00:09:11,440 --> 00:09:13,080
if you want to do port forwarding.

171
00:09:13,480 --> 00:09:15,960
If you do any port forwarding,

172
00:09:16,330 --> 00:09:18,220
whatever you port forward to

173
00:09:18,540 --> 00:09:22,180
must be absolutely secure and hardened,

174
00:09:22,560 --> 00:09:24,340
because that is an open doorway

175
00:09:24,560 --> 00:09:28,550
to your network and to whatever device you are connecting to,

176
00:09:29,000 --> 00:09:32,680
so think long and hard about port forwarding to any device.

177
00:09:32,760 --> 00:09:35,220
It must be fully secure and hardened.

178
00:09:37,220 --> 00:09:40,060
And while you are here, you should check to see whether or not the

179
00:09:40,200 --> 00:09:43,160
router is up to date with patches.

180
00:09:43,440 --> 00:09:47,080
You’ll have to look around and see whether you can find some option

181
00:09:47,590 --> 00:09:49,950
to see whether or not it has been updated.

182
00:09:50,890 --> 00:09:54,310
Other than the web admin interface, you can try to SSH

183
00:09:54,360 --> 00:09:55,870
or Telnet to the router

184
00:09:56,280 --> 00:09:58,530
using the internal IP address

185
00:09:58,780 --> 00:10:01,290
that you’ve got from looking up the default gateway.

186
00:10:01,650 --> 00:10:04,480
We’re on a Mac here; both Mac and Linux

187
00:10:04,950 --> 00:10:06,230
come with SSH,

188
00:10:09,080 --> 00:10:10,750
so there we have the default gateway.

189
00:10:11,560 --> 00:10:15,850
On Linux, as I said, it is “route -n” to show you the default gateway.

190
00:10:20,550 --> 00:10:22,890
This is a basic SSH command to log in.

191
00:10:23,000 --> 00:10:25,020
“ssh” is the command,

192
00:10:25,480 --> 00:10:27,640
“root” is the username,

193
00:10:28,120 --> 00:10:32,820
@ and then the IP address of the router you’re trying to connect to.

194
00:10:33,090 --> 00:10:36,720
This will connect via the default port 22.

195
00:10:41,380 --> 00:10:42,580
And there we are, logged in.

196
00:10:44,240 --> 00:10:47,220
On Windows you don’t have SSH, so you can try

197
00:10:47,550 --> 00:10:49,330
using a program called PuTTY,

198
00:10:49,740 --> 00:10:52,360
just download and install it; it is free.

199
00:10:53,210 --> 00:10:55,920
That looks like this, and you simply put

200
00:10:56,180 --> 00:10:57,630
the router IP address in here,

201
00:11:00,300 --> 00:11:01,420
I’m going to click Open,

202
00:11:02,920 --> 00:11:05,570
and then enter your username and password.

203
00:11:08,390 --> 00:11:10,610
Then, once logged in as root, you can attempt to look at

204
00:11:10,740 --> 00:11:12,390
what ports are open

205
00:11:15,520 --> 00:11:18,720
using “netstat -tuln”.

206
00:11:19,810 --> 00:11:22,140
And here I can see, with IPv4,

207
00:11:22,580 --> 00:11:24,040
I’ve got port 80 listening,

208
00:11:24,470 --> 00:11:26,510
53, which is DNS,

209
00:11:26,580 --> 00:11:29,760
and 22, which is SSH, which we just connected to.

210
00:11:30,200 --> 00:11:31,720
So these are open and listening,

211
00:11:32,160 --> 00:11:35,290
but these are more likely to be open and listening

212
00:11:35,390 --> 00:11:37,970
for your local network and not the internet,

213
00:11:38,500 --> 00:11:42,530
unless the DMZ or port forwarding has been set up

214
00:11:42,820 --> 00:11:43,840
on your router.

215
00:11:44,270 --> 00:11:46,350
So we definitely want to definitively check

216
00:11:46,420 --> 00:11:49,960
what ports are open on the internet side of the router,

217
00:11:50,280 --> 00:11:51,830
and I’ll show you how to do that now.

218
00:11:52,980 --> 00:11:56,680
What I’m going to show you are websites that do port scanning,

219
00:11:56,890 --> 00:11:59,930
which probe the router’s open ports.

220
00:12:00,380 --> 00:12:05,360
There are 65,535 possible open ports,

221
00:12:05,860 --> 00:12:10,210
but these sites will just check well-known or common ports,

222
00:12:10,540 --> 00:12:12,300
or on some, like this one,

223
00:12:12,740 --> 00:12:14,130
you can specify

224
00:12:14,710 --> 00:12:17,070
a range, you can have a list,

225
00:12:17,900 --> 00:12:20,130
or you can use the common ports.

226
00:12:20,440 --> 00:12:22,630
Just a word of caution, though: port scanning

227
00:12:22,940 --> 00:12:26,280
could potentially be illegal to do

228
00:12:26,640 --> 00:12:28,310
on devices you don’t own.

229
00:12:28,360 --> 00:12:29,700
It’s a bit of a grey area.

230
00:12:30,090 --> 00:12:33,520
In the US, under the Computer Fraud and Abuse Act,

231
00:12:33,980 --> 00:12:38,180
and in the UK under the Computer Misuse Act of 1990,

232
00:12:38,320 --> 00:12:40,160
and under others in their respective countries,

233
00:12:40,480 --> 00:12:43,270
although I don’t believe there has ever been a conviction,

234
00:12:43,590 --> 00:12:46,350
it’s just a bit of a grey area, so just bear that in mind,

235
00:12:46,520 --> 00:12:49,670
but there is no issue, of course, port scanning your own devices.

236
00:12:50,880 --> 00:12:53,540
So this is my IP address here.

237
00:12:57,790 --> 00:13:00,660
And for interest, you can see if you can detect the

238
00:13:00,840 --> 00:13:04,949
service version and the operating system.

239
00:13:04,950 --> 00:13:08,120
I’m not going to select that, because it will take a little longer to do,

240
00:13:09,220 --> 00:13:10,440
and let’s start the scan.

241
00:13:19,850 --> 00:13:22,460
So there you go, you can actually see a number of ports.

242
00:13:22,540 --> 00:13:24,920
I’m actually coming from a VPN here, so

243
00:13:25,360 --> 00:13:28,610
it’s not unreasonable that there are some ports here.

244
00:13:28,960 --> 00:13:33,200
If this is your home router, it should show as having no ports,

245
00:13:34,170 --> 00:13:35,649
and as a demonstration,

246
00:13:35,650 --> 00:13:37,760
I want you to see it’s showing some ports.

247
00:13:38,500 --> 00:13:40,240
So here you can see it’s discovered

248
00:13:40,930 --> 00:13:42,090
these ports here.

249
00:13:42,360 --> 00:13:46,400
This site’s actually using a tool called “Nmap”, which is available in Kali,

250
00:13:46,560 --> 00:13:48,490
which we’re going to talk more about later on.

251
00:13:50,250 --> 00:13:53,090
For good measure, you can try another site as well.

252
00:13:54,230 --> 00:13:55,300
There’s this one,

253
00:13:58,180 --> 00:14:00,600
this checks common ports as well,

254
00:14:03,240 --> 00:14:05,030
so there you go, it shows the same

255
00:14:05,850 --> 00:14:06,850
ports.

256
00:14:08,500 --> 00:14:13,390
And for good measure, there’s also Steve Gibson’s ShieldsUP!

257
00:14:27,200 --> 00:14:28,940
So I’ll select Common Ports.

258
00:14:43,190 --> 00:14:45,180
So there you go, slightly different results there.

259
00:14:45,940 --> 00:14:49,750
On another site here, you can check if your IP is in a

260
00:14:49,960 --> 00:14:54,560
database of known vulnerable devices and routers.

261
00:14:55,440 --> 00:14:56,750
Simply go down here

262
00:14:57,380 --> 00:14:58,480
and click “Check me”.

263
00:15:02,010 --> 00:15:03,410
“Good news! You are all clear.”

264
00:15:03,830 --> 00:15:08,290
Now, if you do have ports open, or you are getting warnings,

265
00:15:08,440 --> 00:15:10,020
then you need to investigate.

266
00:15:10,200 --> 00:15:13,400
I recommend a full vulnerability scan,

267
00:15:13,760 --> 00:15:15,960
which does more than port scanning;

268
00:15:16,120 --> 00:15:20,100
it will also check to see if the device is vulnerable

269
00:15:20,280 --> 00:15:21,560
to any exploits.

270
00:15:22,810 --> 00:15:25,460
The best vulnerability scanner I can recommend

271
00:15:25,520 --> 00:15:29,030
for free is Qualys FreeScan,

272
00:15:29,400 --> 00:15:32,920
which is an online vulnerability scanner, which you can see here.

273
00:15:33,220 --> 00:15:37,840
You will have to register and go through all that process, which is a little slow,

274
00:15:38,000 --> 00:15:41,450
but once you have, you get access to a very powerful

275
00:15:41,630 --> 00:15:42,920
vulnerability scanner.

276
00:15:43,300 --> 00:15:47,520
FreeScan is limited to 10 unique security scans

277
00:15:47,570 --> 00:15:50,100
of internet-accessible assets.

278
00:15:50,450 --> 00:15:53,170
So you should be able to scan your external router, no problem.

279
00:15:53,560 --> 00:15:57,240
It will provide detailed guidance on how to fix any specific

280
00:15:57,310 --> 00:15:59,090
vulnerabilities that you might have,

281
00:15:59,340 --> 00:16:02,820
but generally, the answer will be to patch the router,

282
00:16:02,930 --> 00:16:04,290
make sure the router is up to date,

283
00:16:04,470 --> 00:16:09,080
and remove any services that are open and running,

284
00:16:09,410 --> 00:16:11,890
unless you absolutely need access to them,

285
00:16:11,980 --> 00:16:15,050
and if you do, those need to be secure services,

286
00:16:15,310 --> 00:16:19,050
i.e. they have authentication and there are no vulnerabilities in them,

287
00:16:19,440 --> 00:16:22,130
and they are kept up to date with security patches.