TP Link Archer C5 Router Hacking
Today we got our hands on a brand new TP Link Archer C5 router which we will be
testing for known vulnerabilities such as hidden backdoors, brute-forceable
default passwords and WPS vulnerabilities. In this new WiFi hacking tutorial we
will be using different tools on Kali Linux 2.0 like Reaver, pixiewps and the
Aircrack-ng suite to exploit possible vulnerabilities. TP Link is known to use
easy to break default passwords, such as the WPS PIN as default wireless
password or a password which is derived directly from the MAC address. Especially
the last one would make it very easy to retrieve the password, because the MAC
address is not meant to be secret and is actually sent with every single wireless
packet sent from the router. With a packet analyser like Wireshark it is very easy
to retrieve the MAC addresses of sending and receiving devices, including the
router. In this tutorial we’ll be using airodump-ng for this purpose.
TP Link Archer C5 Router Specifications
The TP Link Archer C5 Router is a consumer grade router priced at
approximately $70 and offers a lot of value for the money.
The router supports the 802.11ac standard and offers simultaneous dual band
2.4GHz 300Mbps and 5GHz 867Mbps connections for a total available
bandwidth of 1.2Gbps. Both IPv4 and IPv6 are supported by the router.
The TP-Link Archer C5 has the following antennas and ports available:
- 2 external detachable antennas
- 1 Gigabit WAN port
- 4 Gigabit LAN ports
- 2 USB ports for external devices
The USB ports can be used for external devices such as storage devices
or a shared printer. Something which seems to be a nice feature on the
router is the option to install an isolated wireless guest network
(with bandwidth control!) separated from your main network.
With this feature you don’t have to worry about sharing the password
from your main network with guests.
TP Link Archer C5 Front view
TP Link Archer C5 Rear view
TP Link Archer C5 package contents
The contents of the package included:
- AC1200 Wireless Dual Band Gigabit Router Archer C5
- 2 detachable antennas
- Power supply unit
- Resource CD
- Ethernet Cable
- Quick Installation Guide
Summing up the specifications and features of the TP Link Archer C5 router,
it seems like a great router for this price. This middle segment TP Link router
is targeted at home and small office users. The router is very affordable for a
lot of people and seems like a great alternative to the router provided by your
ISP. All together this is reason enough to question and test the security of this
router. Especially the target group of this TP Link router should think twice
before they unpack the router and get it up and running as fast as possible to
benefit from its great speed and features, without even thinking about a proper
and safe configuration. Let’s continue this tutorial to see if and how we can
hack and secure this router, starting by looking at the default passwords.
TP Link Archer C5 Default passwords and settings
As we already expected, the default password for the wireless network is the
default WPS PIN, which consists of 8 digits. The C5 router we’re testing
has the following default WPS PIN, which is used as the default wireless key: 98159338.
The default username and password to access the router settings is just like all TP Link routers:
Username: admin
Password: admin
TP Link Archer C5 Default SSID settings
The standard SSID name for the 2.4 GHz network is TP-LINK_A361 and
for the 5 GHz network it is TP-LINK_A360. The standard SSID is based on the
router’s MAC address and consists of the last 4 digits of the MAC address
minus 1 for the 2.4 GHz SSID, and minus 2 with _5G added
for the 5 GHz SSID.
The MAC address is in hexadecimal notation, so if the MAC address ends
with a letter, that letter is actually a number in decimal notation. For example,
when the MAC address ends with an A, which is hexadecimal for 10 in decimal,
you subtract 1 from 10 to determine the last digit of the default SSID,
which would be 9 in this case. Going the other way, if you want to calculate the
last digit of the MAC address from the default SSID, you know that it is A when
the last digit of the default SSID is 9.
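The SSID derivation above, worked out in both directions as an added example (this is not code from the Hacking Tutorials author, and the MAC address used is a constructed sample, not a real device). Because the page gives the 5 GHz name both with and without a _5G suffix, both forms are produced, and the arithmetic is done on the whole last four hex digits so that a borrow out of the last digit (…0 becomes …F) is handled, which is an assumption beyond the single-digit case the page shows. The audit angle for a router owner is the last function: an SSID that still matches the factory pattern for your MAC tells anyone in range exactly which defaults to expect.

```python
import re

# Constructed sample MAC address for illustration only, not a real device's
# address. Its last four hex digits (A362) are chosen so that the derived
# SSIDs match the ones observed on the page (TP-LINK_A361 / TP-LINK_A360).
SAMPLE_MAC = "00:11:22:33:A3:62"

SSID_PATTERN = re.compile(r"TP-LINK_([0-9A-F]{4})(_5G)?")


def mac_suffix_value(mac: str) -> int:
    """Return the last four hex digits of a MAC address as an integer."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return int(digits[-4:], 16)


def default_ssids(mac: str) -> dict[str, str]:
    """Derive the factory-default SSIDs from the MAC address as the page
    describes: last four hex digits minus 1 for 2.4 GHz, minus 2 for 5 GHz.
    The page gives the 5 GHz name both with and without a _5G suffix, so both
    forms are returned. Subtraction wraps within 16 bits so a borrow out of
    the last digit (e.g. ...0 -> ...F) is handled; that borrow behaviour is an
    assumption, the page only shows the single-digit case."""
    base = mac_suffix_value(mac)
    suffix_24 = f"{(base - 1) & 0xFFFF:04X}"
    suffix_5 = f"{(base - 2) & 0xFFFF:04X}"
    return {
        "2.4GHz": f"TP-LINK_{suffix_24}",
        "5GHz": f"TP-LINK_{suffix_5}",
        "5GHz_5G": f"TP-LINK_{suffix_5}_5G",
    }


def mac_suffix_candidates(ssid: str) -> set[str]:
    """Reverse direction, as in the page's A/9 example: given an SSID, return
    the possible last-four-hex-digit MAC suffixes it would correspond to if it
    is still the factory default. A name without _5G may be either the 2.4 GHz
    (+1) or the 5 GHz (+2) network, so both candidates are returned; a name
    that does not match the factory pattern yields an empty set."""
    m = SSID_PATTERN.fullmatch(ssid.upper())
    if not m:
        return set()
    value = int(m.group(1), 16)
    offsets = (2,) if m.group(2) else (1, 2)
    return {f"{(value + off) & 0xFFFF:04X}" for off in offsets}


def ssid_is_factory_default(ssid: str, mac: str) -> bool:
    """Audit check: True if this SSID is one of the factory names for the MAC,
    i.e. the owner never renamed the network."""
    return ssid.upper() in default_ssids(mac).values()


if __name__ == "__main__":
    print(default_ssids(SAMPLE_MAC))
    print(mac_suffix_candidates("TP-LINK_A361"))
    print(ssid_is_factory_default("TP-LINK_A361", SAMPLE_MAC))
```

Run it as a script to see the three derived names for the sample MAC; `ssid_is_factory_default` is the check to run against your own router's SSID and MAC.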
So far so good, because there are TP Link routers around which have their default
wireless password based on the MAC address, and this is not the case for the
TP Link Archer C5 router. Let’s continue with connecting the router and
see if it has any WPS vulnerabilities we can exploit.
Scanning the TP Link Archer C5 for WPS vulnerabilities
Wi-Fi Protected Setup (WPS) provides a simplified mechanism to connect to
wireless networks with a PIN consisting of 8 digits. The PIN exchange mechanism
is vulnerable to brute-force attacks which return the PIN and WPA key
to the attacker, which can then be used to connect to the wireless network.
Theoretically there are 10^8 (= 100.000.000) possible values for the WPS PIN.
Unfortunately the WPS PIN consists of 8 digits divided into 3 segments which
can be tested separately with a brute force attack. The last digit is a
checksum which can be calculated. The PIN is composed as follows:
- Part 1 of the PIN is 4 digits = 10^4 (= 10.000) brute force attempts needed to retrieve this segment.
- Part 2 of the PIN is 3 digits = 10^3 (= 1.000) brute force attempts needed to retrieve this segment.
- Part 3 of the PIN is 1 digit which is a calculated checksum.
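The PIN layout above, as an added example (not code from the Hacking Tutorials author): the check digit rule is the weighted-sum checksum from the Wi-Fi Protected Setup specification, which is why only 10^7 of the 10^8 eight-digit strings are well-formed PINs, and why splitting the confirmation into a 4-digit and a 3-digit half reduces an online attack to at most 11.000 guesses. The same `is_valid_wps_pin` check is useful later on the page where the wireless key is discussed: an 8-digit WPA key that passes it is almost certainly an unchanged factory PIN.

```python
def wps_pin_checksum(first_seven: int) -> int:
    """Check digit for a WPS PIN, computed from its first seven digits with the
    weighted sum from the Wi-Fi Protected Setup specification: counting from
    the left, digits 1, 3, 5 and 7 weigh 3 and digits 2, 4 and 6 weigh 1; the
    check digit brings the total to a multiple of 10."""
    if not 0 <= first_seven <= 9_999_999:
        raise ValueError("first_seven must be a 7-digit value (0..9999999)")
    total, remaining = 0, first_seven
    while remaining:
        total += 3 * (remaining % 10)   # odd positions counted from the right
        remaining //= 10
        total += remaining % 10         # even positions counted from the right
        remaining //= 10
    return (10 - total % 10) % 10


def is_valid_wps_pin(pin: str) -> bool:
    """True if pin is exactly 8 digits and its last digit is the correct checksum.
    Used defensively: an 8-digit wireless key that passes this check is very
    likely the unchanged factory WPS PIN the page describes."""
    if len(pin) != 8 or not pin.isdigit():
        return False
    return wps_pin_checksum(int(pin[:7])) == int(pin[7])


def split_wps_pin(pin: str) -> tuple[str, str, str]:
    """Split a well-formed PIN into the three segments the page lists:
    4 digits, 3 digits, and the check digit."""
    if not is_valid_wps_pin(pin):
        raise ValueError("not a well-formed WPS PIN")
    return pin[:4], pin[4:7], pin[7]


def keyspace_summary() -> dict[str, int]:
    """Sizes of the PIN space under the three views the page gives: all 8-digit
    strings, only those with a valid check digit (the eighth digit is derived,
    so 10^7), and the number of online guesses needed when the protocol
    confirms the 4-digit and 3-digit halves separately (10^4 + 10^3)."""
    return {
        "all_8_digit_strings": 10**8,
        "checksum_valid_pins": 10**7,
        "online_split_worst_case": 10**4 + 10**3,
    }


if __name__ == "__main__":
    # The page's own default PIN, 98159338, passes the check: 9815933 -> 8.
    print(wps_pin_checksum(9815933), is_valid_wps_pin("98159338"))
    print(split_wps_pin("98159338"))
    print(keyspace_summary())
```

The worst-case figure from `keyspace_summary` is the reason rate limiting on the access point matters so much, and why the page's advice to disable WPS altogether is the simpler fix.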
A WPS brute force tool like Reaver, which is included with Kali Linux,
brute forces part 1 and 2 of the PIN in a maximum of 11.000 attempts.
When a router is vulnerable to this WPS attack it will be 100% effective and
grant the attacker access to your network, no matter how strong the password is.
During the attack with Reaver the attacker has to be in range of the access point.
A lot of routers nowadays have rate limiting for WPS brute force attacks, which
means that the WPS part will lock up until it is manually unlocked by the owner
of the router. During the lock it is not possible to brute force any of the WPS
PIN segments. A commonly used method to avoid these lock-ups is MDK3, which can
be used to force the router to reboot and release the WPS lock. MDK3 is
deprecated nowadays and most routers are invulnerable to DoS attacks with MDK3.
Many hackers are looking for new ways to force routers to reboot and unlock the
rate limiting through vulnerabilities and exploits. It will probably be a matter
of time before new methods pop up which do work.
WPS is enabled by default on the TP Link Archer C5 router so we will be
checking it for known WPS vulnerabilities. We’ve done several tutorials on
Hacking Tutorials about exploiting WPS vulnerabilities with Reaver and
Pixiewps so we won’t get into great detail on these. For detailed tutorials
on these subjects have a look at <tutorial name> and <tutorial name>.
Let’s fire up Kali Linux and see if we can hack the TP Link Archer C5
router by brute forcing the WPS PIN with Reaver.
Brute forcing the Archer C5 WPS PIN with Reaver
First we put our WiFi adapter in monitor mode using the following command:
airmon-ng start wlan0
The interface for the monitoring adapter will be wlan0mon. You will most likely
receive a message about processes that might cause trouble; kill them using the kill
command. We can use airodump-ng to locate our access point and retrieve the MAC
address. Use the following command to start airodump-ng:
airodump-ng wlan0mon
The MAC address appears in the first (BSSID) column and can be copied to your clipboard.
Next we will use the following command to start Reaver:
reaver -i wlan0mon -b [router MAC address] -c [channel] -vv
The Reaver attack will start by testing some common PINs and will then start with 0 and
work its way up to 9.999 for the first WPS PIN segment. As we already expected, the
TP Link router has rate limiting on the number of WPS attempts. It will lock up after
a couple of attempts and we need to unlock it manually. When the rate limiting occurs
Reaver will throw a warning as follows:
TP Link Archer C5 Pixie dust attack
Another WPS vulnerability is known as the Pixie Dust attack. The Pixie Dust attack
is performed with a modified version of Reaver together with a secondary tool called pixiewps.
The Pixie Dust attack is an offline WPS attack, which means that the attacker retrieves
the needed data in seconds, after which it can be used offline to retrieve the wireless password.
This is only applicable to routers which are vulnerable to this attack. Let’s see if the
TP Link Archer C5 is vulnerable to this offline Pixie Dust attack.
To start the Pixie Dust attack using Reaver use the following command:
reaver -i wlan0mon -b [Router MAC address] -c [channel] -vvv -K 1 -f
Or use the following command to start pixiewps manually and supply the needed data yourself:
pixiewps -e [PKE] -s [EHASH1] -z [EHASH2] -a [AUTHKEY] -S
The TP Link Archer C5 router seems to be invulnerable to the Pixie Dust WPS attack. If a router is vulnerable then pixiewps will return the WPS PIN, which can be used in Reaver to retrieve the WPA key using the following command:
reaver -i wlan0mon -c 1 -b [Router MAC] -vv -S --pin=[WPS PIN]
Let’s see what happens when we run this command on the Archer C5 with the valid WPS PIN:
reaver -i wlan0mon -c 1 -b [Router MAC] -vv -d 0 -w -n -S --pin=98159338
With the correct PIN Reaver will return the WPA PSK.
Although the access point locks itself up after a few attempts it is possible to retrieve the WPA PSK with the correct WPS PIN and Reaver.
Reversing the default WPS PIN
The remaining question now is how the TP Link Archer C5 generates the default
WPS PIN, because every time we restore the WPS PIN it resets back to the same
default PIN. Some router manufacturers, like Belkin (Belkin N900) and D-Link
(D-Link DIR-810L), used to calculate the default PIN from the MAC address in
the past, which was discovered by reverse engineering the algorithm.
Other routers have the default PIN programmed into the NVRAM at the factory.
NVRAM stands for non-volatile random-access memory, which is memory that retains
the stored content after the power is turned off. Of course router manufacturers
do not want to lose the default WPS PIN after powering off the device.
At this moment we do not know which method is used by TP-Link for restoring the
default PIN of the Archer C5 router. If somebody succeeds in finding a method to
reverse the default WPS PIN from static figures like the MAC Address or serial
number it would leave a lot of routers vulnerable with WPS turned on. Retrieving
the wireless password would then be as simple as feeding the PIN, BSSID and channel
to Reaver as we’ve demonstrated earlier in this tutorial.
Defending against attackers exploiting WPS vulnerabilities
We always recommend turning off WPS in the router settings to prevent
attackers from exploiting WPS vulnerabilities. Even though this router is not
vulnerable to any of the tested WPS attacks, new WPS vulnerabilities can arise
without you knowing it. Since routers basically have a long lifecycle
(often without updates) when used in homes and small offices, it is even more
advisable to turn this useless feature off. For the Archer C5 router you can simply
access the wireless menu and turn WPS off using the ‘Disable WPS’ button as pictured below.
Disable WPS in this menu
Let’s continue to see if the router has any known backdoors or vulnerabilities
in the next chapter.
TP Link Archer C5 Backdoors and Vulnerabilities
A good place to start searching for known backdoors and vulnerabilities for our
TP Link Archer C5 router is the National Vulnerability Database and the Exploit
Database websites. On these websites we came across two vulnerabilities for
the Archer C5 router with a high severity rating: CVE-2015-3035 and CVE-2015-3036. Both vulnerabilities have already been fixed by the vendor through a firmware update in 2015.
CVE-2015-3035: Directory traversal vulnerability
This directory traversal vulnerability allows a remote attacker to read arbitrary
files via a .. (dot dot) in the PATH_INFO to login/. This vulnerability affects the
following TP Link router products, including the Archer C5 router
(hardware version 1.2) with firmware before 150317:
- TP-LINK Archer C5 (1.2) with firmware before 150317
- C7 (2.0) with firmware before 150304
- C8 (1.0) with firmware before 150316
- Archer C9 (1.0)
- TL-WDR3500 (1.0)
- TL-WDR3600 (1.0)
- TL-WDR4300 (1.0) with firmware before 150302
- TL-WR740N (5.0)
- TL-WR741ND (5.0) with firmware before 150312
- TL-WR841N (9.0)
- TL-WR841N (10.0)
- TL-WR841ND (9.0)
- TL-WR841ND (10.0) with firmware before 150310.
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3035
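Detection logic for the traversal pattern CVE-2015-3035 describes, as an added example (not code from the Hacking Tutorials author or from TP-Link). It reads web-server access-log lines in common log format, which is an assumption about how such logs are exported; the log lines below are constructed, the client addresses come from the 192.0.2.0/24 documentation range, and the requested file is a placeholder. The point it makes beyond the page's one-line CVE summary is that the `..` can arrive plainly, percent-encoded, with encoded dots, or double-encoded, so the decoding has to run until the path stops changing before the segment check is meaningful. The real fix remains the 150317 firmware the page names; this only tells you whether someone has been probing.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines in common log format; not captured from
# a real device. 192.0.2.0/24 is a documentation address range and the target
# path /tmp/sample.txt is a placeholder. The first four requests try to climb
# out of login/ with plain, URL-encoded, encoded-dot and double-encoded "..";
# the last two are benign (a dot-dot inside a file name is not a segment).
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jun/2015:10:00:01 +0000] "GET /login/../../tmp/sample.txt HTTP/1.1" 200 1024
192.0.2.10 - - [01/Jun/2015:10:00:02 +0000] "GET /login/..%2f..%2ftmp%2fsample.txt HTTP/1.1" 200 1024
192.0.2.11 - - [01/Jun/2015:10:00:03 +0000] "GET /login/%2e%2e/%2e%2e/tmp/sample.txt HTTP/1.1" 404 0
192.0.2.11 - - [01/Jun/2015:10:00:04 +0000] "GET /login/%252e%252e/%252e%252e/tmp/sample.txt HTTP/1.1" 200 1024
192.0.2.20 - - [01/Jun/2015:10:00:05 +0000] "GET /login/index.htm HTTP/1.1" 200 2048
192.0.2.21 - - [01/Jun/2015:10:00:06 +0000] "GET /images/logo..png HTTP/1.1" 200 4096
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def decode_path(raw: str) -> str:
    """Strip the query string and percent-decode until the path is stable,
    so double-encoded sequences such as %252e are reduced to '.'."""
    path = raw.split("?", 1)[0]
    previous = None
    while previous != path:
        previous, path = path, unquote(path)
    return path.replace("\\", "/")


def has_traversal(path: str) -> bool:
    """True if any path segment is exactly '..' ('logo..png' does not count)."""
    return any(seg == ".." for seg in path.split("/"))


def resolve(path: str) -> str:
    """Collapse '.' and '..' segments to show where the request would land."""
    parts: list[str] = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if parts:
                parts.pop()
        else:
            parts.append(seg)
    return "/" + "/".join(parts)


def find_traversal_attempts(log_text: str) -> list[dict]:
    """Return one finding per request whose decoded path starts under /login/
    and contains a '..' segment, the pattern described for CVE-2015-3035.
    The HTTP status is kept: a 200 on such a request on unpatched firmware is
    the case to escalate, while a 404 still shows someone probing."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        decoded = decode_path(m["path"])
        if decoded.startswith("/login/") and has_traversal(decoded):
            findings.append({
                "ip": m["ip"],
                "time": m["ts"],
                "raw_path": m["path"],
                "resolved": resolve(decoded),
                "status": int(m["status"]),
            })
    return findings


if __name__ == "__main__":
    for finding in find_traversal_attempts(SAMPLE_LOG):
        print(finding)
```

Feed it your own exported access log instead of `SAMPLE_LOG`; repeated hits from one source with a 200 status on firmware older than 150317 are the ones worth treating as a compromise rather than a scan.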
CVE-2015-3036: Stack-based buffer overflow in the KCodes NetUSB module
A stack-based buffer overflow exists in the run_init_sbus function in the KCodes
NetUSB module for the Linux kernel. KCodes NetUSB is used in certain Netgear,
TP-LINK and other products and allows remote attackers to execute arbitrary code
by providing a long computer name in a session on TCP port 20005. You can
find more information about this vulnerability here:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3036
And a full disclosure here:
http://seclists.org/fulldisclosure/2015/Oct/50
How to avoid vulnerability exploits on your router
Both high-severity vulnerabilities show you the importance of keeping
the firmware of your router up to date. CVE-2015-3035 and CVE-2015-3036
were fixed in 2015 for the Archer C5 with the following
update: Archer C5(UN)_V2_150515. TP Link mentions the following
about the update on their website:
- Fixed the security bug caused by overflowing of Kcodes buffer.
- Fixed the bug that you can access FTP Server from WAN port without password.
May 2015 may seem like a long time ago, but in terms of security patches for
consumer products it is like yesterday. I’m sure there are a lot of routers out there
which haven’t been patched yet, because many home and small office users do not
check for firmware updates on a regular basis. New vulnerabilities are discovered
all the time and often affect a lot of models, as you can see in the affected model list for
the directory traversal vulnerability CVE-2015-3035. This is especially true when drivers
are affected which are used by a lot of vendors, as was the case with KCodes NetUSB in
CVE-2015-3036. We advise you to check for firmware updates for any router on a
regular basis and update it as soon as possible when a new version is available.
You can find the firmware version of your router in the router settings under the System tools > Firmware update menu. Our Archer C5 was shipped with the 150515 firmware, in which both vulnerabilities have been patched.
Brute forcing the TP Link Archer C5 default password
The default wireless password for the Archer C5 router is the default WPS PIN. The WPS PIN
is an eight-digit number, which leaves us with 10^8 = 100.000.000 different possibilities if we
were to brute force the password. In the Cracking WPA with oclHashcat GPU on Windows
tutorial from last year we learned that an old video card like an AMD Radeon 7670M can
do 20.000 attempts per second. A newer and more powerful video card like the AMD HD7970
can easily do 142.000 attempts per second. When we divide the 100 million possibilities by
142.000 it takes 705 seconds, which is less than 12 minutes, to brute force the password.
Keep in mind that a newer and better performing video card could probably do it in less than
10 minutes. With these figures coming from consumer grade hardware with really average
processing power, we’re still surprised that TP Link is using the default WPS PIN as the default
wireless password. If there was any good reason to do that, they could at least inform or warn
the end user about changing the default wireless password to a more secure one. Last year we
already did a tutorial on how to brute force WPA passwords with the power of GPUs. You can
watch it here:
Let’s see if we can capture a WPA handshake and convert the captured .cap file to .hccap
so we can use oclHashcat with a GPU to crack the password.
Theoretically it should take about 1.5 hours with 20k attempts per second.
Capturing a WPA handshake from the TP Link Archer C5
We’ve done a lot of tutorials about how to capture handshakes, break wireless
passwords with CPU/GPU etc., so we won’t go into detail about this. If you don’t
know how to do this in Kali Linux then you can follow any of these WiFi hacking tutorials:
- How to hack a TP link WR841N router wireless network
- How to hack UPC wireless networks and other WLAN
To capture the WPA handshake which can be used to brute force the WPA
key, we have to put our wireless interface in monitor mode with Airmon-ng.
Then we use Airodump-ng to capture the handshake to a .cap file. The handshake is
made when a client connects to the wireless network. We can use Aireplay-ng to
force a client to reconnect to the network by sending de-authentication packets to
the router. The client will then be disconnected and will automatically reconnect, which
results in a 4-way handshake which we capture in Airodump-ng. When we have
the handshake in a .cap file we need to convert it to .hccap with Aircrack-ng for use with oclHashcat
GPU on Windows. Now that we have the WPA handshake ready in a file that oclHashcat
can handle, we only need to generate the password list containing every single combination of 8 digits. For this purpose we can use a tool like maskprocessor or Crunch in Kali Linux.
If you want to learn about generating custom password lists you can follow this
password list generation tutorial:
Brute forcing the password with oclHashcat GPU
Now that we have the password list we can use oclHashcat on Windows to brute
force the password. We will be using Windows for this purpose because it is a lot
easier to set up the drivers and get oclHashcat working with your GPU on Windows
than on Kali Linux. It is not impossible on Linux of course but I’ve never bothered to
get it working on Kali before or write a tutorial for it.
If you want to learn about brute forcing wireless passwords with a GPU on Windows
you can follow this oclHashcat tutorial:
The default PIN of our TP Link Archer C5 starts with 98, so with a full list of all
possible combinations of 8 digits oclHashcat had to attempt 98% of
the possibilities in the password list. After almost 1.5 hours of waiting oclHashcat
wrote the following to the log file:
TP-LINK_A361: a361:84b153e65963:98159338
As you can see, and as expected, oclHashcat successfully brute forced the
password in 90 minutes on an old and slow GPU. It attempted 98% of the
possible values for the default WPS PIN as wireless password before
succeeding in this case. Theoretically there is a 50% chance of breaking the
password in 50% of the time. The lesson learned from this is that you really
have to change the default wireless password, because even with WPS turned
off it is very easy for attackers to hack your wireless network.
Thanks for reading this new Hacking Tutorial and please subscribe to our YouTube channel for more hacking tutorials 🙂