Advice Request Attacked ! via WiFi


Victor M

Level 8
Thread author
Verified
Well-known
Oct 3, 2022
380
Hi Everyone,

Just got attacked via WiFi just a few weeks ago. Lasted a few weeks because I was being a dimwit.
The first clue I got was that I was unable to reach F-Secure.com and nordvpn.com. I subscribe to Nord. And all their servers lie within their .com address space. So I can't even use my VPN.
I know that most man-in-the-middle attacks (MITM) are local. But somehow I managed to forget that. Finally woke up and decided to nmap my network. Lo and behold there is a foreign machine in my LAN. I don't use WiFi, prefer Ethernet, but left both 2.4GHz and 5GHz turned on. I knew WiFi allows beyond the perimeter attacks and I had both WPA2 passwords set to long gibberish typing. But I forgot although the passwords are long ( > 20 chars ) they are still brute force-able, it just takes a long time. And looking around on the net, I found fern (Fern Pro | Penetration Testing) which does brute forcing and MITM. There are surely plenty more tools.

I live in a crowded city in a dense apartment complex. Now my WiFi is disabled at the router. No more blocked sites.
 

Kongo

Level 36
Verified
Top Poster
Well-known
Feb 25, 2017
2,505
Hi Everyone,

Just got attacked via WiFi just a few weeks ago. Lasted a few weeks because I was being a dimwit.
The first clue I got was that I was unable to reach F-Secure.com and nordvpn.com. I subscribe to Nord. And all their servers lie within their .com address space. So I can't even use my VPN.
I know that most man-in-the-middle attacks (MITM) are local. But somehow I managed to forget that. Finally woke up and decided to nmap my network. Lo and behold there is a foreign machine in my LAN. I don't use WiFi, prefer Ethernet, but left both 2.4GHz and 5GHz turned on. I knew WiFi allows beyond the perimeter attacks and I had both WPA2 passwords set to long gibberish typing. But I forgot although the passwords are long ( > 20 chars ) they are still brute force-able, it just takes a long time. And looking around on the net, I found fern (Fern Pro | Penetration Testing) which does brute forcing and MITM. There are surely plenty more.

I live in a crowded city in a dense apartment complex. Now my WiFi is disabled at the router.
Blacklist the device and change the Wi-Fi password. I personally have a hardware firewall that blocks newly connected devices from accessing the internet until I manually allow them. Maybe there is a similar option in your router.
 

Trident

Level 28
Verified
Top Poster
Well-known
Feb 7, 2023
1,739
Years ago I bought a TP-Link Wi-Fi extender. The Norton firewall detected and alerted me to a MITM attack. At that time I was experimenting with VPNs and noticed that whatever the VPN, it just gets turned on and instantly off again.

If you are experiencing such an issue, try resetting your router and then change the Wi-Fi password. You can also look at the list of devices frequently and blacklist any device that appears to not be yours, as @Kongo suggested.
 

Zero Knowledge

Level 20
Verified
Top Poster
Content Creator
Dec 2, 2016
841
I think the more plausible explanation is that your Wi-Fi router had a public exploit for your model of router, and someone was scanning for exploitable devices and found yours. Not to doubt your suspicions, but is there any reason someone would go to the effort of brute forcing a "20 long gibberish" length password just to get access to your Wi-Fi? If that's the case, you have a lot more to worry about because it would take a huge cluster of servers just to brute force such a long password and it would take many many years.

try resetting your router and then change the wi-fi password.
This. Also check for firmware updates from the manufacturer's site. Reset router > Upgrade firmware > Set new passwords.
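To put numbers on the brute-force question discussed above, here is an added example (not part of any post in this thread) that shows how WPA2-PSK derives its key and estimates the time to exhaust a passphrase keyspace. The guess rate `ASSUMED_RATE` and the SSID `ExampleSSID` are assumptions chosen for illustration, not measurements.

```python
import hashlib
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600
# Assumption: a hypothetical rig testing 10 million passphrases per second.
ASSUMED_RATE = 1e7


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-PSK key derivation: PBKDF2-HMAC-SHA1 salted with the SSID,
    4096 iterations, 256-bit output. Every guess pays this full cost."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def keyspace_bits(length: int, alphabet_size: int) -> float:
    """Entropy in bits of a uniformly random passphrase."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(length: int, alphabet_size: int, guesses_per_second: float) -> float:
    """Expected years to hit the passphrase: half the keyspace on average."""
    return alphabet_size ** length / 2 / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    # The salt means work done against one SSID cannot be reused for another.
    print("PMK:", wpa2_pmk("correct horse battery", "ExampleSSID").hex())
    # (length, alphabet size, description) for three passphrase policies.
    for length, alphabet, label in [
        (8, 26, "8 lowercase letters"),
        (12, 62, "12 alphanumeric"),
        (20, 94, "20 random printable ASCII"),
    ]:
        print(f"{label}: {keyspace_bits(length, alphabet):.0f} bits, "
              f"{years_to_exhaust(length, alphabet, ASSUMED_RATE):.2e} years")
```

The estimate only holds for passphrases chosen uniformly at random; a passphrase that appears in a wordlist, on a sticker, or in a leaked configuration falls outside it.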
 

MuzzMelbourne

Level 15
Verified
Top Poster
Well-known
Mar 13, 2022
599
...is there any reason someone would go to the effort of brute forcing a "20 long gibberish" length password just to get access to your Wi-Fi? If that's the case, you have a lot more to worry about because it would take a huge cluster of servers just to brute force such a long password and it would take many many years...

Interesting timing ZK, I just posted this...

pasaswordcrack.jpeg


I don't know about brute force Victor, I'd say it was a bloody amazing guess!
 

Victor M

Level 8
Thread author
Verified
Well-known
Oct 3, 2022
380
I think the more plausible explanation is that your Wi-Fi router had a public exploit
I thought about that - perhaps a gizmo device of some sort. I read recently that home routers are being attacked. I thought that it may be a device because after changing the WPA2 passwords, I pinged that machine and still got a reply. Now maybe I didn't wait long enough. I decided to shut down the WiFi instead.
What were your primary reasons to keep the Wi-Fi enabled?
No reason. I forgot that even long passwords can be brute forced.

Now I haven't tried brute forcing my own router. I read somewhere on Wired ( I think ) that brute force is quite fast nowadays. And that you can set up a couple of fast machines on Amazon or Azure for little money.
 

Trident

Level 28
Verified
Top Poster
Well-known
Feb 7, 2023
1,739
Now I haven't tried brute forcing my own router. I read somewhere on Wired ( I think ) that brute force is quite fast nowadays. And that you can set up a couple of fast machines on Amazon or Azure for little money.
It sounds easy-peasy but it really isn’t. There is another explanation. Exploit is one. Another one I could think of is a neighbour/guest. Maybe they saw a sticker with the password and took a picture.

Brute forcing is really time consuming and still doesn’t guarantee that encryption will be cracked as well. Additional time and tools will be invested for the sake of getting your information. You can try temporarily using a VPN (other than Nord maybe) which will add one more layer of encryption. Question is, are you able to use another VPN? If attackers really want to get your information they will perform additional steps that will ensure that you can’t communicate with VPN servers.
If your router is somehow compromised as you believe, then connections via ethernet aren’t safe either.

If the router is heavily compromised, think about purchasing another one and preferably one that gets constant firmware updates. If you have recently purchased this one, you may be able to return it. I would contact the router manufacturer immediately without further ado.
 

ForgottenSeer 97327

Some easy tips to make life a little harder for local network sniffers

1. Never log in to the admin console of your router using Wi-Fi

2. Use a long passphrase (at least 20 characters), change it when you think someone else is on your network

3. When your router has a wireless schedule (or parental control) simply disable Wi-Fi at night
This reduces the time window for brute force attacks (I have disabled from 02.00 to 06.00)

4. Look for reboot schedule in your browser, set it to do a daily reboot somewhere in the timeframe the Wi-Fi is down,
I have set it at 3.00 at night to reboot the router on a daily basis. This will always allow me to get in when needed.

5. Look for network partitioning or AP Isolation, when enabled it prevents accessing the resources of someone else on the network

6. Look for the firewall and enable it; when it has an option for SPI and/or DPI, enable it

Most Android phones spoof their MAC address, so when you want to allow every device individually, you will be quite busy when people use Android devices in your home.
AVG free and AVAST free have a network inspector module, which warns you when someone logs into a guarded network.
 

Kongo

Level 36
Verified
Top Poster
Well-known
Feb 25, 2017
2,505
I thought about that - perhaps a gizmo device of some sort. I read recently that home routers are being attacked. I thought that it may be a device because after changing the WPA2 passwords, I pinged that machine and still got a reply. Now maybe I didn't wait long enough. I decided to shut down the WiFi instead.

No reason. I forgot that even long passwords can be brute forced.

Now I haven't tried brute forcing my own router. I read somewhere on Wired ( I think ) that brute force is quite fast nowadays. And that you can set up a couple of fast machines on Amazon or Azure for little money.
Does your router offer WPA3? Many IoT devices are still not supporting WPA3 but it's definitely the more secure option. Alternatively you can check whether your router offers WPA2 with protected management frames which at least gives a little security boost compared to WPA2 alone.
 

ForgottenSeer 97327

Agree, as addition to @Kongo and @Victor M
MAC-IP binding is a little better than MAC address filtering, because it blocks machines with spoofed addresses (How to configure IP&MAC Binding with TP-Link).

Best approach is to put all your IoT devices on guest network (together with mobile phones) and put PCs on your home network with better encryption and advanced protections (like ARP spoofing protection) enabled.

In addition to the simple protections I already posted (which limit what an intruder can do and allows you to get back control). Home network security is like putting extra locks on your front door. It won't stop intruders getting in, but when you got more locks in place, the intruders will go to your neighbour's.
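The device-list checks and MAC-IP binding suggested in the posts above can be automated from a wired machine. The following is an added example, not part of any post in this thread: it audits Linux `ip neigh` output against a list of known bindings and flags unknown devices, randomized MACs and binding mismatches. `SAMPLE_NEIGH` is constructed sample data and `BINDINGS` is a hypothetical allowlist.

```python
import re

# Constructed sample of `ip neigh` output; not captured from a real network.
SAMPLE_NEIGH = """\
192.168.1.1 dev eth0 lladdr a4:2b:b0:11:22:33 REACHABLE
192.168.1.10 dev eth0 lladdr 00:e0:4c:68:01:02 REACHABLE
192.168.1.23 dev eth0 lladdr da:a1:19:00:11:22 STALE
192.168.1.57 dev eth0 lladdr 3c:52:82:aa:bb:cc REACHABLE
192.168.1.77 dev eth0 lladdr 00:11:32:0a:0b:0c STALE
192.168.1.200 dev eth0  FAILED
"""

# Hypothetical MAC -> IP bindings the owner maintains (router and one PC).
BINDINGS = {
    "a4:2b:b0:11:22:33": "192.168.1.1",
    "3c:52:82:aa:bb:cc": "192.168.1.10",
}

NEIGH_RE = re.compile(r"^(\S+) dev \S+ lladdr ([0-9a-fA-F:]{17}) (\S+)", re.M)


def parse_neigh(text):
    """Return (ip, mac) pairs for entries that resolved to a hardware address."""
    return [(ip, mac.lower()) for ip, mac, state in NEIGH_RE.findall(text)
            if state not in ("FAILED", "INCOMPLETE")]


def is_randomized(mac):
    """The locally administered bit (0x02 of the first octet) marks self-assigned MACs."""
    return bool(int(mac[:2], 16) & 0x02)


def audit(text, bindings):
    """Compare the neighbour table with the bindings; return (ip, mac, reason) findings."""
    bound_ips = set(bindings.values())
    findings = []
    for ip, mac in parse_neigh(text):
        if mac in bindings:
            if bindings[mac] != ip:           # known device answering on another IP
                findings.append((ip, mac, "known-mac-wrong-ip"))
        elif ip in bound_ips:                 # possible ARP spoofing of a bound IP
            findings.append((ip, mac, "bound-ip-claimed-by-unknown-mac"))
        elif is_randomized(mac):              # typical of phones with MAC privacy on
            findings.append((ip, mac, "unknown-randomized-mac"))
        else:
            findings.append((ip, mac, "unknown-device"))
    return findings


if __name__ == "__main__":
    for ip, mac, reason in audit(SAMPLE_NEIGH, BINDINGS):
        print(f"{ip:15} {mac}  {reason}")
```

On a live system the same function can be fed the output of `ip neigh` after a ping sweep of the subnet, since the neighbour table only lists hosts the machine has recently talked to.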
 

Victor M

Level 8
Thread author
Verified
Well-known
Oct 3, 2022
380
The day before I enabled only the IoT WiFi, and gave it a 20+ char alphanumeric+symbol password. All other WiFis are switched off. There is only 1 Google Nest Home on that router which I bought a couple of days ago.

And yesterday afternoon, I noticed that the Gryphon router recorded 3 different machines doing pings on my network.

So it is either that Google Nest Home has some vulnerability, which allows the attacker to join the network, or my attackers have an exploit or device that bypasses WiFi passwords and lets them join my network. If it is the latter then we are in deep #####.



Given
 

Zero Knowledge

Level 20
Verified
Top Poster
Content Creator
Dec 2, 2016
841
And yesterday afternoon, I noticed that the Gryphon router recorded 3 different machines doing pings on my network.
This is normal behaviour if it's your router's firewall detecting scans. Every router on the internet gets scanned every single day without fail for exploits.

I doubt the Google Nest has an exploit. Google is pretty good with security. They have probably one of the best security teams in the world if not the best.
 

Victor M

Level 8
Thread author
Verified
Well-known
Oct 3, 2022
380
No, this router is an internal router.

To make it worse, 3 machines joined this LAN and started pinging/nmapping and Gryphon was not able to quarantine them. Normally new machines that join the LAN get quarantined and need approval before they can use the network.
 