[ Wanadoo's livebox: fun and experiments, and fun ]
november 2005

INTRO

This short paper is about Wanadoo's "recent" attempt at providing a user-friendly xDSL access in France, and more. The livebox, depending on what you've subscribed to, bundles the following services:

- broadband internet access;
- phone (VoIP);
- television;
- secure *cough* wireless access point.

The box is quite pretty, with a looks-like-apple-but-not-that-much feeling, and is said to be running Linux. We'll be discussing the weaknesses of the first version of the livebox, which only provided WEP encryption and MAC filtering. Hopefully, this version is no longer deployed and its successor has been upgraded to WPA, which is a Good Thing.

ADMINISTRATION BASICS

The box can be managed through a very pretty web interface that happily denies you the basic security of HTTPS access. Furthermore, the engineers at Wanadoo felt they had to provide their users with a telnet interface... "Great" idea, I mean thank you.

These two interfaces are of course protected by two independent passwords: one for each. If the average user might have the good idea of changing his web password, what about telnet? How often would Aunt Tilly use telnet? Never.

Life being what it is, both of these administration interfaces are accessible from any wireless device associated with the AP. That is utterly stupid considering all communications are protected with WEP.

The network's IP scheme is 192.168.1.0/24, the default route being 192.168.1.1.

And default passwords are:

  Web interface:  login: admin   password: admin
  Telnet access:  login: root    password: 1234

MAC RESTRICTIONS

The only way here (the only one I know anyway), since the AP has MAC restrictions in place, is waiting. Fire up Kismet or maybe Airodump until it detects some client traffic on that particular Livebox.
If there is no traffic, you'll have a hard time getting a valid MAC address, as the Livebox will drop any traffic, whether authenticated or not, unless it's in the MAC access list. No traffic nor MAC? Well, wait some more. :)

Aireplay attack #0, "deauthentication", can be of some help since Windows clients (if any) tend to flush their ARP cache when disconnected. When reconnecting, they will helpfully send a few ARP requests and reveal more information about the network. In any case, disconnect someone from his wireless AP, and you'll probably get traffic.

I'm not sure using the AP's wlan iface MAC address is of any use here (sounds like crap), but I haven't tried, can't tell.

WEP CRACKING

From now on, it's all aireplay, airodump, and aircrack working together. Since the Livebox is all happy with WEP, you just have to monitor traffic and gather enough IVs, that is around a million. Probably more if you're out of luck. Then aircrack will do the trick.

However, what if there is no traffic? Well, you have to make some on your own. If your wireless card can't inject raw packets, just go shop for one that can: I could get a cheap D-Link USB dongle for about 35 euros. There is a list of compatible hardware within the aircrack README[1], read it.

If you're trying to get your hands on the AP while no one is looking, chances are you will need to fake an authentication using that handy MAC address you grabbed earlier. Aireplay can do this for you, it's called attack #1, and just fakes an authentication from whatever MAC address you like. Quoting aircrack's doc, you should get to this:

  aireplay -1 0 -e -a -h wlan0
  12:14:06 Sending Authentication Request
  12:14:06 Authentication successful
  12:14:06 Sending Association Request
  12:14:07 Association successful :-)

Good, now you need to generate ARP requests, LOTS of them, to crack the WEP key. ARP packet injection is done with aireplay, this is attack #3. You'll preferably do this with airodump running to capture the replies.
  airodump wlan0 dump 10 1

And in another term:

  aireplay -3 -b -h wlan0

Note you often have to wait some time before an ARP request shows up. Then they start flowing like, well... like ARP requests flowing on a wireless network. Depending on your card, on the network type, or on the distance between you and the AP (...), getting enough IVs can take up to a couple of hours, or just a few minutes if you're lucky. And that's about it for the WEP cracking.

LIVEBOX TUNING

Since you can only use someone else's MAC address, conflicts will occur at some point. The solution is then to update the AP's configuration: this has to be done with a valid MAC address, so you'll have to change your wireless iface MAC address to the one you used when injecting packets. This is likely to cause problems if its legitimate owner is connected at the same time, and you want to avoid this (problems, that is).

When associated with your fake MAC, just ask the DHCP server for an IP or use one starting from 192.168.1.10/24 (default settings assumed). Disabling MAC address filtering or adding a random address for later use is the best thing to do.

If you're very lucky, you can access the web interface using its default password settings. If you're unlucky, the telnet interface is waiting for you. If you're really unlucky and both passwords have changed, then you'll have to sniff traffic until its legitimate owner dares to log in to either of these two management interfaces. Since you have the WEP key, any traffic can be analyzed and decrypted at will with your card listening in monitor mode.

TELNET HINTS

Once logged in to the telnet interface, you're provided with some kind of awkward shell program. Use "help" for a list of general commands and if you're interested in discovering some of the Livebox features. What you need to know, however, is that the box is slow as hell: you may have to wait seconds for a command to complete.

To enter wireless settings, type "wlan".
You can then:

- add a MAC address with the "addstation " command;
- disable MAC filtering with the "macfiltering disable" command;
- toy with any other wlan options. :)

If you don't want to lose all your settings on the next reboot, don't forget to save them ('save' command) before exiting.

CONCLUSION

If you're a normal person, you may find your victim's e-mail address somewhere on the wanadoo.fr web portal, which helpfully identifies its users by their IP address (brilliant idea). Maybe you'd like to discuss the likelihood of opening up this overly strict AP a little bit: "Hi, I just hacked my way onto your livebox, could we talk?". Good luck.

If you're a good person, you won't break into any Livebox but yours. In any case, don't do anything bad, unless you're an evil person, that is.

[1] http://www.cr0.net:8040/code/network/aircrack/#q0A0

oz
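As an added defender-side example, not part of oz's paper nor of any aircrack tool: the two injection patterns described above (attack #0 deauthentication and attack #3 ARP replay) leave signatures a monitor-mode sensor can spot, namely a burst of deauthentication frames from one transmitter, and one WEP IV repeated many times from one station, since a replayed frame carries the very same IV each time it is resent. The frame builder, the thresholds and the MAC addresses are assumptions, and the sample capture is constructed inline.

```python
from collections import Counter, defaultdict

DEAUTH = 0xC0       # frame-control byte 0: management type (0), deauthentication subtype (12)
DATA = 0x08         # frame-control byte 0: data type (2), plain data subtype (0)
PROTECTED = 0x40    # frame-control byte 1 flag: body is WEP/"protected"

def build_frame(fc0, fc1, addr1, addr2, addr3, body=b""):
    """Minimal 802.11 header (no QoS, no 4th address) followed by body."""
    return bytes([fc0, fc1, 0, 0]) + addr1 + addr2 + addr3 + b"\x00\x00" + body

def parse_frame(raw):
    """Return (fc byte 0, transmitter address, WEP IV or None)."""
    fc0, fc1 = raw[0], raw[1]
    addr2 = raw[10:16]                     # transmitter address
    is_data = (fc0 & 0x0C) == 0x08
    iv = raw[24:27] if is_data and fc1 & PROTECTED else None   # IV leads a WEP body
    return fc0, addr2, iv

def detect(frames, deauth_limit=10, replay_limit=20):
    """Flag deauth floods and repeated WEP IVs per transmitter."""
    deauths, ivs = Counter(), defaultdict(Counter)
    for raw in frames:
        fc0, src, iv = parse_frame(raw)
        if fc0 == DEAUTH:
            deauths[src] += 1
        elif iv is not None:
            ivs[src][iv] += 1
    alerts = [("deauth_flood", s.hex(":"), n) for s, n in deauths.items() if n >= deauth_limit]
    for src, c in ivs.items():
        iv, n = c.most_common(1)[0]
        if n >= replay_limit:      # a genuine station never reuses one IV this often
            alerts.append(("wep_iv_replay", src.hex(":"), n))
    return alerts

# Constructed sample capture (assumed MAC addresses, not real traffic).
AP, CLIENT, BCAST = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb"), b"\xff" * 6

def sample_capture():
    frames = []
    # 15 broadcast deauths spoofed "from" the AP: the attack #0 pattern
    frames += [build_frame(DEAUTH, 0x00, BCAST, AP, AP, b"\x07\x00")] * 15
    # 5 genuine WEP data frames from the client, each with a fresh IV
    for i in range(5):
        frames.append(build_frame(DATA, 0x41, AP, CLIENT, BCAST, bytes([i, 0, 0, 0]) + b"\xaa" * 28))
    # the same encrypted ARP request replayed 25 times under the client's MAC
    # (attack #3): identical IV every time, which MAC filtering cannot see
    frames += [build_frame(DATA, 0x41, AP, CLIENT, BCAST, b"\x12\x34\x56\x00" + b"\xaa" * 28)] * 25
    return frames

if __name__ == "__main__":
    print(detect(sample_capture()))
```

On a real capture the frames would come from a monitor-mode interface via a pcap reader; the thresholds should be tuned per window of time rather than per whole capture.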