Hacking the Buffalo AirStation Wireless Router

by Donoli

Mr. D from Company A decided to create a new company with a guy named Harry.

Since Mr. D already owned a small building, there was no problem with office space.  It was easy to set up a second office separated by a single wall.  I manage the network for Mr. D in Company A.  It's a small network with a Windows 2000 Server and, at the most, 15 workstations running Windows 2000 Professional or Windows XP Professional.

The entire network is wired and uses static IP addresses only.  There is no wireless router and no DHCP running at all.  So, if an associate of the company should arrive with a laptop and wants to connect to the Internet, his computer must be given an IP address on the existing Class C subnet.  There is no other way to connect.

When the second company was formed, Harry decided that he wanted to use a wireless network and also decided that he didn't want me to install it.  He brought in his own people to make it happen at double the price.

Both Mr. D and Harry decided that a connection was needed between the two networks for payroll purposes, so they had Harry's guy install two wireless network cards in two of the PCs in Company A's system.

All was fine with the systems and still fairly secure since WEP was enabled.  What wasn't fine was that Mr. D never really trusted Harry and the distrust grew as time went on, so much so that Mr. D thought that Harry had a Trojan horse running on Company A's system and maybe even had bugged the telephone system.

That's when he decided to call me.  So I went there and checked the logs for Trend Micro's Client/Server Suite which is great for small businesses.  I didn't see anything there.

Next, I ran netstat -an to see if there were any unwanted connections in the foreign address column of the output.  The only thing I saw was the IP addresses of each of the network cards, one wired and one wireless.  Neither of them had any suspicious connections to the outside world.
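The foreign-address check described above can be scripted. This is an added example, not part of the original article. The sample `netstat -an` output is constructed, and the trusted subnets (192.168.1.0/24 and 192.168.2.0/24) are assumptions standing in for the wired and wireless networks.

```python
import ipaddress

# Constructed sample of Windows `netstat -an` output (not from the article).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.20:1045      192.168.1.2:445        ESTABLISHED
  TCP    192.168.2.31:1052      192.168.2.1:80         ESTABLISHED
  TCP    192.168.1.20:1060      203.0.113.45:6667      ESTABLISHED
  UDP    192.168.1.20:137       *:*
"""

# Assumed trusted ranges: the two local subnets plus loopback.
TRUSTED = [ipaddress.ip_network(n) for n in
           ("192.168.1.0/24", "192.168.2.0/24", "127.0.0.0/8")]


def unexpected_connections(netstat_text, trusted=TRUSTED):
    """Return (local, foreign) pairs for ESTABLISHED TCP sessions whose
    foreign address is outside every trusted network."""
    hits = []
    for line in netstat_text.splitlines():
        fields = line.split()
        # TCP rows have exactly 4 columns; headers and UDP rows are skipped.
        if len(fields) != 4 or fields[0] != "TCP":
            continue
        _, local, foreign, state = fields
        if state != "ESTABLISHED":
            continue
        host = foreign.rsplit(":", 1)[0].strip("[]")
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            continue  # not a numeric address, e.g. "*"
        if not any(addr in net for net in trusted):
            hits.append((local, foreign))
    return hits


if __name__ == "__main__":
    for local, foreign in unexpected_connections(SAMPLE):
        print(f"review: {local} -> {foreign}")
```

A clean result only shows that nothing was connected at the moment the snapshot was taken, so the check is worth repeating over time.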

I then opened the browser and connected to the web interface of the wireless router in Harry's office.  I was greeted with a login dialog box asking for my username and password.

Not knowing what router it was, I tried using admin as the username or the password, which D-Link and Linksys use respectively.

None of that worked.  At that point, I don't remember if I clicked Cancel or if I was automatically redirected to another page that said "The user login name is 'root.'"

Oh really?  It is?  Thank you very much for that information.  You are too kind.  It was root and without a password.

What could be better?  The interface page opened and I immediately went to DHCP where I saw a list of connected computers by IP address along with the name of the user.

One by one, I opened a run box and ran: \\192.168.1.xxx

Most of the C: drives were shared although not everything on each drive was accessible.

I went through all I could looking for Data Gone Wild that was worrying Mr. D.  There was nothing that didn't belong there.  I assumed it was moved to Syria along with the Weapons of Mass Destruction to avoid detection.

Finally, I clicked on Intrusion Detector.  It took me to the next page which said "No detections found yet."  What??  No detections??  What about the failed login attempts that I made with admin as a username and/or password?

Don't they count as an intrusion or do I have to break down the entrance door with an axe first?  I clicked the Clear Log just in case but it probably wasn't needed.

Now we all know that security is usually an afterthought but at least the admin had WEP enabled.

Of course, he should have had the router password protected and the workstations shouldn't have had all those shared files.  The problem is that administrators sometimes don't look at security from the inside, where I was.

The fact that the Buffalo AirStation actually gave me the username is not the admin's fault.  The fact that it didn't count my failed login attempts as an intrusion is not the admin's fault either.  Those are things that came with the router.

How does all that help you?

If you are an admin, now you know what to do.

If you just like to look for unsecured wireless connections on www.wifimaps.com, then you know what to do too.
