Captive portal on my home network, what can I do?

Komo

Komo

I was able to get rid of it, but devices and network still compromised due to persistent rootkits. Does anyone have suggestions?

Robin_Ex_Fing

Hi @Komo
Welcome to the community. It looks like you are trying to set up your Wifi. Is that it? If you are making your first connection, I would advice contacting your ISP so all settings are done correctly.

Komo

Thanks for the welcome.

This was right after I switched my router out. The first one was compromised. 1 TB of bandwidth was consumed in a matter of 20 hours and the router was hot and running louder than usual. I’ve actually had to reset the current one I have now a few times, which will walks me through the Xfinity Setup process.

ive told Xfinity and they did confirm the high and with usage, but they did little else to help.

This pic that I shared is a spoof page and not the real Xfinity page. If you look at the browser in my pic, you can see that it says “captiveportal.php” So a fake access point was created from my BSSID and an attacker was trying to gain my Wi-Fi credentials.

This is not appearing anymore, but sometimes we do get prompted to log into captive portals. Unfortunately our home network is actually less safe than our guest Wi-Fi, which is just named “xfinity.”

Ive narrowed the problem down to a remote hacker that has flashed firmware on multiple devices, even UEFI persistent BIOS. Basically our systems don’t belong to us because the highest privilege escalation has been obtained by the hacker.

So I was wondering if anyone had similar experience? And what they did to get relief or resolve?

[Deleted User]

The user and all related content has been deleted.

Komo

Thank you so much

rooted

I've got to ask, how do you know a hacker has exploited wireless devices around you? I mean versus an individual living nearby using their own hardware to spoof your initial broadcasting SSID?

I'm relatively sure the address is genuine, initially upon setting up the modem your browser will go to that exact address (10.0.0.1/captiveportal.php).

vulcansheart

If you are sure that the captive portal is NOT your gateway, then you are likely a victim of a WiFi man-in-the-middle (MITM) attack. However, due to the complexity of the captive portal that you are interacting with, I do have my doubts about this. Regardless, to err on the side of caution, you need to connect directly into your gateway with a wired connection to complete the setup process. Then, using a mobile device, use a network sniffing tool (I like WiFiman by Ubiquiti) to look for nearby access points that mimic your SSID name, but have a foreign MAC address. This will identify if in fact there is a WiFi spoofing device in range. Be sure not to attempt to connect to any WiFi networks until you've verified that there are no malicious networks posing as your own.

rooted

You can spoof the MAC address also, but unless they are right outside the house the SSID of your gateway will be stronger so it's easy to determine which is authentic.

Grabbing an APs MAC and SSID is trivial, faking a captive portal less so but not hard.

vulcansheart

Faking a captive portal for logging in is one thing, but faking the setup wizard in the xfinity portal will be much more difficult. It should be easier to tell a fake when it doesn't respond appropriately, i.e. the SSID you create doesn't actually begin broadcasting.

rooted

Like you said performing the initial setup wired negates this problem which would be the appropriate action.

Komo

@rooted @vulcansheart Ok, so the day I suspected something was wrong, my devices connected to my home network lost connection. I figured something was configured incorrectly, sometimes there are outages, etc. I look at the WiFi around me and notice there are fake wireless access points. My neighbors network would say something like “Williams Family” and then “Williams Family0” Too much of a coincidence for about 80% of my neighbors to have fake access points.

Moving forward to today- I took my Xfinity router back because once again, it’s full of backdoors and Trojans. (I know my devices have been compromised because I ran chkrootkit and rkhunter on my Linux devices which show 4-5 possible rootkits and port scan daily. I also ran the GMER rootkit program on a windows device and a ton of malicious files and programs appeared, plus many other tests).

So when I get home, I’m not connecting ANYTHING to the new router because I don’t want to reinfect all over again. So because I’m an Xfinity customer, I can log into “xfinity hotspots” which are really my neighbor’s guest WiFi networks. I start doing port scans and checking the IP address. I came across some interesting findings. So on my neighbors guest WiFi network aka “xfinity hotspots “ the IP is blacklisted here are a few results:

• CBL - You have contracted a Virus or Malware that is operating a Botnet, either on your email server on a workstation behind the NAT - Continual delisting requests without eliminating the virus will result in permanent blacklisting;
• XBL (Spamhaus Exploits Block List) is a realtime database of IP addresses of hijacked PCs infected by illegal 3rd party exploits, including open proxies;
• PBL - Spamhaus PBL is a DNSBL database of end-user IP address ranges which should not be delivering unauthenticated SMTP email to any Internet mail server except those provided for specifically by an ISP for that customer's use.

and shows errors in all of the following: SMTP reverse DNS mismatch, SMTP banner mismatch, no SMTP TLS support, and so many other errors with other protocols as well. I had similar results checking my IP on my home network as well.

The pic I shared above is for the admin page, but also appears continuously as a captive portal- even after setup. For my home network while using an android device running InterceptX, warnings appear that a captive portal has been detected. This is without going to the admin page- just trying to connect to WiFi.

So digging further on the block on these IP addresses, . I went on ARIN- a name shows up “AfriNIC.” I look up this company and start finding the following info: https://krebsonsecurity.com/2019/12/the-great-50m-african-ip-address-heist/#more-49646

(Read comment section of article as well)

Thoughts?

vulcansheart

There's a lot to digest, so I'll kick it around tomorrow when I have more time. But where was all of this info in the original post?

rooted

https://community.fing.com/discussion/comment/10029#Comment_10029

It is a long article, I also will have to give it a read tomorrow. I don't yet understand how antiquated ipv4 addresses are a valuable commodity currently but it's interesting.

Komo

The original post’s header was edited by Fing staff because I didn’t ask a question. It said “Check out this captive portal.” my comment under the pic mentioned the rootkits. And I agree, it is ALOT to digest. I find out new info as I go.

Komo

@rooted t@vulcansheart I guess apparently there is a shortage of ipv4 addresses worldwide. There are too many users and not enough addresses to go around. All ipv4 addresses are exhausted besides what Afrinic owns. They were recently investigated because blocks of IP’s that they own have been used to commit crimes. From what I’ve been reading, this company doesn’t keep meticulous records or report them all the time. The criminals know this. So when a criminal calls a different company and says they are the owner, then some of those companies don’t verify ownership. This is such a headache 🤕

Xfinity wants me to pay them $100 when my bill is due. I think not.

Komo

I found this while looking for info between xfinity (Comcast) and AfriNIC . If it breaks Fings policy, feel free to delete it.

AfriNIC staff planning to end ipv4 internet

https://lists.afrinic.net/pipermail/rpd/2019/009874.html

vulcansheart

Sorry, I wasn't referring to the article about IPv4 addresses. I meant, why did you hold out all of the information about the troubleshooting that you've already performed? You mentioned evil-twin SSID's that were spoofing your neighbors' WiFi, etc. Also, that you've done vulnerability scans and revealed active exploits. Don't hold out on the details when we are trying to help you troubleshoot.

What it sounds like to me is that a device on your neighbor(s) network was compromised and is being used to attempt to spread to nearby networks via WiFi. I recommend looking through the post on hardening your network to help prevent this lateral attack from breaching your network:

https://community.fing.com/discussion/2246/steps-you-can-take-to-harden-your-home-network#latest

Komo

Ok I see what you mean and maybe my comment about me having rootkits got buried? Regardless, that is a great thread you shared. So I set up my router and have my WiFi back up. So far, I’ve only been able to live boot off ISO’s because the rootkits have corrupted my SDD and HDD multiple times now. I even installed Qubes and started wiping everything clean. Then I put an infected usb to wipe that clean also- it killed my HDD. Had to start all over again, but at least I was able to isolate the rootkit. I was able to install a different Os today and I’m going to implement a few things that were suggested in the link u shared and also run Lynis. I’m going to use OSSEC for IDS. And yes, I do think what you said about a neighbors system being compromised is a very likely possibility. Because obviously this is some type of pivot attack. I had 2 BIOS on two different machines become compromised by the firmware being flashed.

Hopefully today I’ll have some luck. Thank you.

eJony

@Komo
You seem well read on this topic and impacted by a very malevolent actor. Thank you for sharing your experience and please do update the thread with your experience.

I think having intrusion detection and prevention capabilities on a router are important. They don't just prevent external bad actors from getting in, but they also identify and can help prevent internal bad actors from getting out. BOTH sides of the equation are important. I like using higher end Asus routers for this reason. They come with Trend Micro IDS tools. Further, I always change my router admin username/password prior to allowing any device to connect via WiFi. If the router is compromised, all hope of locking things down is deeply impacted. Unverified devices connect to a guest network in isolation mode. 

So, it is really good that you picked up a fresh router and started from scratch. Being able to watch traffic at the router is important. Fing is amazing and very helpful, but I use it IN ADDITION TO not AS A REPLACEMENT FOR strong tools on the router. 

rooted

How did a USB flash drive kill a hard drive? I could understand malicious code erasing or encrypting a drive but not destroying it, not since HDK have I seen this and that was 15+ years ago.

Naive

So here is my query...Say your home router is in the living room and someone takes the sticker off it with the needed credentials to do administrative tasks and assigns everyone to use the guest profile or customized access point, hiding the initial Netgear access point, making any changes or maintenance impossible for everyone, even the owner of the router and service.
Like maybe your wife or husband is the person who is to blame for these problems?