What happens when you put a bored power user in a coffee shop?
You get someone playing with aircrack-ng and trying to get into nearby networks vulnerable enough to be broken in. It’s bad enough someone leaves what’s supposed to be an internal network wide open and without encryption. Sometimes those open networks just rely on MAC address whitelists as their sole method of keeping unwanted users at bay. Granted, it does stop casual users, but the problem here is that their data is still broadcasted in plaintext, and that anyone with a packet sniffer in range can passively snoop on what’s being transmitted, specially if that connection wasn’t encrypted with say, TLS/SSL.
Another issue is that MAC addresses can be easily spoofed, meaning one can impersonate as one of the whitelisted MAC addresses and gain unrestricted access to the network, undermining everything else. In addition, if there was no isolation between clients, anyone in the network can access public shares and do not-so-friendly activities, like connecting to a nearby shared printer in the network and start printing nothing but saturated black pages (maybe naughty pictures of women, if that’s your fancy), or
dd if=/dev/zero of=/victim/computer/share/file.zero and fill their hard drive.
Once connected, one’s next target may be the router/access point’s administration interface. As for the two networks I’ve gone into, it came to me as a surprise as both their passwords were “admin”, which enabled me to gain access to their units. It’s saddening to see that ordinary users don’t pay much attention on how important securing these areas are. This is equivalent to gaining root access to a box.
For example, having root to a gateway/router/access point running Linux can give you access to
route, and so much more. With these, you can say, have it dump whatever connections are flowing in and out to somewhere else and see what was happening like chat sessions, connections, login credentials, and the like (try Firesheep for starters). Or, have it set up a man-in-the-middle and start intercepting SSL connections, decrypting data on-the-fly. For something that’s less evil, redirecting DNS to point all addresses to a site of your choosing (try Kittenwar?, Meatspin? WARNING: VERY NSFW! Have NoScript for Firefox to avoid untoward incidents of things like these playing by themselves).
So what happened?
Well, I was nearby two networks. One was encrypted with WEP, and the other completely open.
aircrack-ng cracked the password with ease, and it had a really short password of five numeric characters. Yes, they didn’t even bother to make it alphanumeric. It was one of those mobile 3G modems with wifi, so I could even send SMS using their number for fun. The other was a Linksys WRT320N flashed with DD-WRT v24-sp2-std-vpn. It had no internet connection, so that was boring. If it had an internet connection, I would’ve played with its included
dnsmasq and pointed all DNS requests to something “fun” (see previous paragraph).
Try again next time, on another network open enough and has an internet connection. I’d love to see what happens next.