Welcome back to another security tutorial hax0rz! One thing I try to do at this site is write about things I have not seen online, or whose tutorials are kind of vague. Today I will show you how to hack/crack Windstream and TimeWarnerCable (now Spectrum) WiFi routers.
The first method we will use is for the Windstream (Sagemcom) router. I have had both services and tried this originally on my own equipment. Obviously, don't try this on your neighbors, as that would be illegal without consent.
One thing I noticed while on my Windstream router is that it has WPS enabled. WPS was cracked years ago and is one of the easier ways to crack a WiFi router if it is enabled. Most of the time it is enabled by default, and on some router models, even if you disable it, it's still active in the firmware. It is even easier if, let's say, Windstream keeps the WPS PIN the same in each model they give out to their customers! Everyone! The same PIN?! (Confirmed for Sagemcom models.) SAYYY WHATTTTT!?
So what does this mean? More than likely your WPS PIN is the same as that of other people in your neighborhood if they have the same brand of router. So if you know the exact WPS PIN, you can crack the password in less than 10 seconds. SAYYY WHATTTTT!? Bad security practice there, Mr. Windstream.
So let's get started! We are going to use Kali Linux to start. Note, you will need a WiFi card that can go into monitor mode. I use an Alfa AWUS036H.
Once in Kali and in monitor mode, we are looking for any network names that start with Win_somenumbers.
These are Windstream routers, identified by the default SSID Windstream gives them, which starts with "Win_". We can look around after scanning WiFi with Airmon and see any routers that start with "Win_". Then we can use the PIN (92486942) to try and crack them with WPS reaver.
If the PIN matches yours, we can get the password right away! In this case, I asked my neighbor to test theirs, and it worked!
Something to keep in mind: when we navigate to the login page for Windstream at the IP 192.168.254.254, we have to enter a username and password. If someone has not secured their wireless too much, most likely the username and password are "admin" "admin", as it is in this case.
Well, there you have it! An easy way to get into Windstream routers without having to brute force. To fix this security issue, TURN OFF WPS. Change your WPS PIN as well. Also, please change your SSID to something other than the default, which makes you a target to the trained eye.
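Since some firmware keeps WPS active after you disable it, check what your own access point still advertises once you have applied the fix. This Python audit is an added example, not part of the original post: it reads text in the style of `iw dev <iface> scan` output and reports on one BSSID you own. The sample scan, the BSSIDs and the `audit_own_ap` helper are constructed for illustration.

```python
import re

# Constructed sample in the style of `iw dev wlan0 scan` output (not a real capture).
SAMPLE_SCAN = """\
BSS 02:00:00:aa:bb:01(on wlan0)
\tSSID: Win_0000
\tWPS:\t * Version: 1.0
\t\t * Wi-Fi Protected Setup State: 2 (Configured)
BSS 02:00:00:aa:bb:02(on wlan0)
\tSSID: HomeNet
\tRSN:\t * Version: 1
"""

BSS_RE = re.compile(r"^BSS ([0-9a-f]{2}(?::[0-9a-f]{2}){5})", re.I)


def parse_scan(text):
    """Map each BSSID to its SSID and whether a WPS element is advertised."""
    aps, cur = {}, None
    for line in text.splitlines():
        m = BSS_RE.match(line)
        if m:
            cur = aps.setdefault(m.group(1).lower(), {"ssid": "", "wps": False})
            continue
        if cur is None:
            continue
        field = line.strip()
        if field.startswith("SSID:"):
            cur["ssid"] = field[len("SSID:"):].strip()
        elif field.startswith("WPS:"):
            cur["wps"] = True  # beacon/probe response carries a WPS element
    return aps


def audit_own_ap(text, bssid, default_prefixes=("Win_",)):
    """Return findings for the single access point you own (hypothetical helper)."""
    ap = parse_scan(text).get(bssid.lower())
    if ap is None:
        return ["AP not seen in scan"]
    findings = []
    if ap["wps"]:
        findings.append("WPS is still advertised; the disable setting did not take effect")
    if ap["ssid"].startswith(default_prefixes):
        findings.append("SSID still uses the factory default prefix")
    return findings


if __name__ == "__main__":
    for finding in audit_own_ap(SAMPLE_SCAN, "02:00:00:aa:bb:01"):
        print(finding)
```

An empty result means the access point no longer advertises WPS and no longer carries the default name; it does not prove the firmware has stopped accepting WPS, so replacing or reflashing the router remains the fallback if the setting will not stick.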
So TWC came to my house one day to install my new service. They were so nice they gave me a Technicolor (TC8717T) router. I noticed at the top of the router that there was a WPS button. I asked the install tech if he knew that WPS is crackable, and he looked at me like he had no idea what I was talking about.
We can quickly scan the WiFi around us to see if we can find TWC routers with the default SSIDs.
Some of TWC's routers have the default password set as the first 7 characters of the SSID, followed by the 4th and 5th octet of the MAC address, followed by the last 2 characters of the SSID. Example below:
In this example the MAC address is FF:FF:FF:58:48:FF
If someone installs the router and does not change any credentials, hackers can easily get into it, because the default password is still in place.
How to fix this? CHANGE YOUR PASSWORD, CHANGE YOUR SSID, and thank TWC for the great insecure routers they provide to a good base of their customers! :)