Need some help for hacked Pfsense Box
-
Hello.
I know this is supposed to be close to impossible for pfSense, but our box was hacked somehow. This evening I logged in via OpenVPN and found that the username or password to pfSense was changed. There is only one user and that is myself.
I have tried over and over to log into pfSense, but no joy. I sped over to the location and unplugged the box. What is my next step? What would you have me do now?
Thanks, Jits…
-
This looks promising:
https://doc.pfsense.org/index.php/Locked_out_of_the_WebGUI
If the box really has been hacked, then you should review your WAN rules in particular, making sure you haven't allowed SSH or Web GUI access from outside to the pfSense system. Also make sure your password is suitably complex (do not use 'password', 'pa55w0rd' or even meaningful words if you can help it). Unfortunately, even the most secure systems can be compromised through poor password choices or weak firewall rules.
-
Did you try the default admin:pfsense? I very much doubt you were hacked. Go to the console and try Option 11 - Restore Recent Configuration. If that fails, you could restore from your config.xml backup, assuming you have a recent one or a support/Gold account where you could retrieve it from AutoConfigBackup.
-
OK, but before I do all of that, I need to look at the logs.
Can I view the logs via a console command?
Can I send the logfile to USB via a console command?
I didn't forget the password, since I have to write down these things, and I made no recent changes and no one else has access.
So, I'd really like to see what the log says and then go from there…
Thanks, and regards...Jits
-
I didn't forget the password, since I have to write down these things, and I made no recent changes and no one else has access.
No one said you did. Please don't take things so personally and be so defensive.
My first suggestion would be to follow KOM's first suggestion to try the default user ID and password. There is a reason for this suggestion that has nothing to do with forgetting the password.
Please try it. If it works, great. And it would mean that, more likely than being hacked, someone with access to the console reset the password back to default.
If it doesn't work, my next suggestion would be to read through the console options to see if any of them seem like they may be useful for regaining access to the system. Perhaps the same option that would allow someone to reset the password back to default.
Another possibility is that someone did have access to the console and changed the password back to the default. They then could have gone into the web GUI and changed it to something only they know.
-
Well if you have access to the console - set the password.. #3 I do believe from the console.
-
And, yes, on the console you can drop to a shell, cd to /var/log, and use the clog utility to look at the logs stored on pfSense.
That is, unless you enabled Password protect the console menu.
It should still be possible to boot into single-user mode if you have.
-
#3 I do believe from the console.
You again and your simple answers ;D
-
OK, but before I do all of that, I need to look at the logs.
Can I view the logs via a console command?
Can I send the logfile to USB via a console command?
I didn't forget the password, since I have to write down these things, and I made no recent changes and no one else has access.
So, I'd really like to see what the log says and then go from there…
Thanks, and regards...Jits
Not the only one who has written down passwords for pfSense and other things. In my case the password for the SSD drive was changed from what was written down, and that can only be changed using the BIOS, and pfSense had been up for 47 days at the time since I last booted it, so there's a way to change these things in the BIOS without having to shut down FreeBSD/pfSense to make the changes.
Word of advice: set up a separate syslog server on a different device. That way, if you get locked out of your machine like I did with the hard drive password being changed in the BIOS, you have a copy of the logs to help track things down.
I called the UK Police in because I saw encrypted traffic going out which I couldn't account for, going to Argentinian IP address blocks. They told me there's nothing they can do as it's encrypted and just issued one of their crime numbers for their stats.
-
I didn't forget the password, since I have to write down these things, and I made no recent changes and no one else has access.
No one said you did. Please don't take things so personally and be so defensive.
Huh?? I didn't take that personally at all. I am asking for help, after all… I was just pointing out what I know I normally do.
Anyway, I did option #3, reset the password, and restarted the webConfigurator. I'm back in now.
The only thing I'm seeing on System Advanced:Admin Access:SSL Certificate is "WebConfigurator Default (5555691319C79)".
So, I've been thinking, how could anyone gain access? What are possible weak points on the network? The only one that comes to mind is the Linksys WiFi that uses WPA2 PSK, and even that can be penetrated with some patience, and then from there...
There is good reason to be suspicious. The company I work for and another just prevented a new Telecommunications Act from being enacted as law that would have given a certain major British Telecoms giant an unfair advantage over the local companies. In fact, we would have had to give them access to our ducts, fiber, etc., and the word on the street was we had better start looking for new jobs, because by the time they finished with us we wouldn't be much of a memory. Well, we put a stop to that, as in errrcks... Now we're a thorn in their side, and getting back at us is probably all they think about while they play Donkey Kong with themselves late into the night and into the early morning hours too..
This would make twice in less than two weeks. Our WLAN WiFi system that links three offices was also hacked into, and every single antenna had to be factory reset in order to regain access, and the sector antenna was then hit again with a DoS attack that prevented me from gaining access for any length of time. This is why I suspect the WiFi is the weak point in this other system.
In the end, we're still using WPA2 PSK, but with 63 randomly generated full ASCII characters instead of hex characters. Someone out there knows something else about WPA2 PSK and they're not telling us just yet.
So, don't take for granted that your WiFi password is unique. Just as they say "there's an app for that" in Android, I'm sure hackers say "there's a dictionary for that" when it comes to cracking your passwords, and they could be in your system for a very long time and you may never know...
Thanks, and regards Jits
-
from being enacted as law that would have given a certain major British Telecoms giant unfair advantage over the local
Where in the world are you out of curiosity?
-
Couple things jump out at me.. For one, why would WiFi have access to the firewall GUI in the first place? If this is a place of business, why not use something a bit stronger than PSK.. For starters, the problem with PSK, no matter how strong you make the password, is that it is shared.. right there in the name pSk.. So you have no idea who might have written it down, gave it to Billy, etc. etc..
So let's say I got access to your pfSense via your WiFi.. So you're saying they also know your pfSense password, or they "hacked" in? Let's say either of those got them in; why would they change the password?? Create a different admin account, OK - but if what I wanted to do was gain information, the last thing I would do is change the default passwords..
What are you calling an antenna whose password would get changed?? So you're running stand-alone APs??
I think someone's been watching/reading too many "hacker" stories.. And their tinfoil hat is a bit tight if you ask me.
-
Anyway, I did option #3, reset the password, and restarted the webConfigurator. I'm back in now.
The first thing I would really do, if I thought my firewall had been compromised by an intruder, is take the firewall
off the WAN port, or in short cut the firewall off from the network and Internet. Or simply put another spare device
in front of the WAN, because "they" could get the idea to come back again.
The only thing I'm seeing on System Advanced:Admin Access:SSL Certificate is "WebConfigurator Default (5555691319C79)".
And what are the log files saying to you? If they were not shortened by the intruders, and I mean all
log entries about their actions in your network.
So, I've been thinking, how could anyone gain access?
- false or missing configuration
- opened ports
- unsecured WiFi network (no VLANs, no certificates, no client isolation,…..)
- a server inside the network that is buggy or not in the DMZ.
What are possible weak points on the network?
Someone lost his smartphone, a tablet computer was stolen,….....
And now they have pulled this out at the school ground for free porn surfing!
The only one that comes to mind is the Linksys WiFi that uses WPA2 PSK, and even that can be penetrated with some patience, and then from there…
Linksys WiFi AP with DD-WRT or OpenWRT or their plain firmware?
WPA2 AES-CCM would be a good choice to start, and then certificates for users' WiFi devices.
There is good reason to be suspicious. The company I work for and another just prevented a new Telecommunications Act from being enacted as law that would have given a certain major British Telecoms giant an unfair advantage over the local companies.
The bigger one has been eating and beating the smaller one for decades.
Our WLAN WiFi system that links three offices was also hacked into, and every single antenna had to be factory reset in order to regain access, and the sector antenna was then hit again with a DoS attack that prevented me from gaining access for any length of time. This is why I suspect the WiFi is the weak point in this other system.
Perhaps someone set up a man-in-the-middle WLAN AP and you did not recognize that this was
done. Could this be?
In the end, we're still using WPA2 PSK, but with 63 randomly generated full ASCII characters instead of hex characters. Someone out there knows something else about WPA2 PSK and they're not telling us just yet.
You will need to be using certificates and a RADIUS server! No certificate, no access.
So, don't take for granted that your WiFi password is unique.
- 63 chars long password
- AES-CCM
- certificates - no TKIP (mixed connections)
- 5 GHz
- fantasy SSIDs like chickenbanger or swansausage and not HillBillyLTD.
Just as they say "there's an app for that" in Android, I'm sure hackers say "there's a dictionary for that" when it comes to cracking your passwords, and they could be in your system for a very long time and you may never know…
??? Well, if the right persons want to access your network they will do it, I am pretty sure, but making it
as hard as possible for them would also not be impossible for you. Perhaps only a captive portal voucher with a never-ending lease time? Who knows.
I would really set up a brand new pfSense, or in smaller words do a fresh installation of pfSense.
-
Couple things jump out at me.. For one, why would WiFi have access to the firewall GUI in the first place? If this is a place of business, why not use something a bit stronger than PSK.. For starters, the problem with PSK, no matter how strong you make the password, is that it is shared.. right there in the name pSk.. So you have no idea who might have written it down, gave it to Billy, etc. etc..
So let's say I got access to your pfSense via your WiFi.. So you're saying they also know your pfSense password, or they "hacked" in? Let's say either of those got them in; why would they change the password?? Create a different admin account, OK - but if what I wanted to do was gain information, the last thing I would do is change the default passwords..
What are you calling an antenna whose password would get changed?? So you're running stand-alone APs??
I think someone's been watching/reading too many "hacker" stories.. And their tinfoil hat is a bit tight if you ask me.
John, to be honest with you, I don't read hacker stories and I don't have or wear tinfoil hats, and… I've resisted the hacking scene for years, despite constantly being asked to do this and do that...
There are two WiFi networks: one for the Ubiquiti antennas that link our offices, and our office WiFi, where the password is shared among users. The office WiFi is on a VLAN that is blocked from accessing other VLANs/LANs and the GUI for the pfSense box itself, so precautions were taken.
But technology is such that you can sit in your car, or in your friend's office next door, sniff the WiFi network, and force a client to disassociate in order to capture the packets of the handshake. Decode that information and eventually crack it; then you're in, and what do you do from there? Don't you run a security scan looking for vulnerabilities on the network to exploit?
What would be the purpose of changing the GUI password? Well, for one, a bot didn't do this, and if I didn't change the password, someone did, or.. pfSense has a very serious problem, and I doubt that.
So, why? I'm actually not sure why. Perhaps to send a message, or to erase your tracks, or to hide activity you could track via states or the system log. Maybe they erased a part of the log. I don't know.
If you ask me to prove that this was a hack, I couldn't. I have no proof other than that I could not access the GUI, and SSH was disabled.
I do know it happened, and I don't go on forums asking for help for made-up stuff because I'm just too busy.
As to where in the world I am, we're in the Caribbean, where companies like Cable and Wireless made over 3 billion dollars last year. We pay approx. 50 pounds for a 2 Mbit internet connection, so don't complain about that 50 Mbit connection you have at home, because the people in the Caribbean and Latin America are paying so you can enjoy that.
-
so don't complain about that 50 Mbit connection you have at home, because the people in the Caribbean and Latin America are paying so you can enjoy that.
Bullshit.
-
How did this thread get so antagonistic so quickly??? :'(
-
So did you look in the logs for when the password was changed, or who connected to it - or are you saying they edited the logs, cleared them?
And again, why is your firewall even able to be accessed from your WiFi? You said they probably came in through WiFi, but now you say the WiFi cannot even get to pfSense. So which is it? You keep bringing up how WiFi can be hacked - you feel this is an issue, so why is pfSense even able to be gotten to from WiFi? Just block access to SSH and the web GUI from your WiFi network..
Who said anything about a bot? One thing for sure: not a very good "hacker" if they changed the password; that tells admins they had access to something, and all it could do is draw attention to something wrong and a reset of the passwords like you did. Now they don't have access any more. Pretty stupid waste of time.
What is more logical: you forgot the password, someone on your staff reset it, an old config was loaded with a different password? Or you were hacked by some idiot that doesn't know enough not to change the password, but he cleared/edited the logs to cover his tracks of logging in and/or changing the password, etc. OR were they completely cleared? You do know you can access the older logs vs just what is shown in the GUI. Did the log reflect the last time you had logged in with your password and from where, or was that not in there either?
Are you saying SSH was enabled and then turned off? That points to an old config being loaded or the config being reset.. These hackers not very bright again; I would have been enabling SSH if it was off, or again creating another account to use to access it, etc. etc. You don't remove modes of access to something you just hacked.. You add them!!
If you really believed you had been hacked in such a manner, the first point of business would be to refresh that box so that you're sure no back doors, etc. have been left, after grabbing all the logs and/or an image of the machine for forensics to look at, etc.
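One way to do the log review this post asks for (when was the password changed, who connected and from where), as an added example rather than code from the thread or from pfSense: a small Python triage script over constructed, pfSense-style log lines (the exact log format is an assumption) that counts GUI logins and failures per source address and flags logins, config changes and guess-then-success patterns from addresses the admin never used.

```python
"""Triage pfSense-style system log lines for admin-access events.

Added example for this thread, not code from the forum or the pfSense project.
The line formats are constructed approximations of what the webConfigurator
writes to /var/log/system.log; check them against a real log before use.
"""
import re
from collections import defaultdict

# Constructed sample excerpt (not a real capture). 10.0.0.5 is the admin's
# usual address; 192.0.2.77 is an address the admin never used.
SAMPLE_LOG = """\
Mar  2 21:10:02 pfsense php-fpm[41211]: /index.php: Successful login for user 'admin' from: 10.0.0.5
Mar  3 03:14:11 pfsense php-fpm[41211]: /index.php: webConfigurator authentication error for 'admin' from 192.0.2.77
Mar  3 03:14:15 pfsense php-fpm[41211]: /index.php: webConfigurator authentication error for 'admin' from 192.0.2.77
Mar  3 03:14:21 pfsense php-fpm[41211]: /index.php: Successful login for user 'admin' from: 192.0.2.77
Mar  3 03:16:02 pfsense php-fpm[41211]: /system_usermanager.php: Configuration Change: admin@192.0.2.77: Updated user admin
Mar  3 03:17:30 pfsense sshd[5021]: Server listening on 0.0.0.0 port 22.
"""

LOGIN_OK = re.compile(r"Successful login for user '(?P<user>[^']+)' from: (?P<ip>\S+)")
LOGIN_FAIL = re.compile(r"authentication error for '(?P<user>[^']+)' from (?P<ip>\S+)")
CONFIG_CHANGE = re.compile(r"Configuration Change: (?P<user>[^@]+)@(?P<ip>[^:]+): (?P<what>.*)")

def triage(log_text, known_admin_ips):
    """Count logins, failures and config changes per source IP and flag what a
    defender wants first: logins and changes from an address the admin never
    used, and repeated failures followed by a success (password guessing)."""
    per_ip = defaultdict(lambda: {"ok": 0, "fail": 0, "changes": []})
    findings = []
    for line in log_text.splitlines():
        if m := LOGIN_OK.search(line):
            per_ip[m["ip"]]["ok"] += 1
            if m["ip"] not in known_admin_ips:
                findings.append(f"login by '{m['user']}' from unexpected address {m['ip']}")
        elif m := LOGIN_FAIL.search(line):
            per_ip[m["ip"]]["fail"] += 1
        elif m := CONFIG_CHANGE.search(line):
            per_ip[m["ip"]]["changes"].append(m["what"])
            if m["ip"] not in known_admin_ips:
                findings.append(f"config change from unexpected address {m['ip']}: {m['what']}")
    # Password-guessing indicator: failures followed by a success from one address.
    for ip, c in per_ip.items():
        if c["fail"] >= 2 and c["ok"] >= 1:
            findings.append(f"{c['fail']} failed logins then a success from {ip}")
    return {"per_ip": dict(per_ip), "findings": findings}

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, {"10.0.0.5"})["findings"]:
        print("FINDING:", f)
```

A gap in the timestamps or a log that starts after the box's last boot is itself a finding here, which is why the earlier advice to ship logs to a separate syslog server matters.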
-
50 pounds for a 2 Mbit internet connection, so don't complain about that 50 Mbit connection you have at home, because the people in the Caribbean and Latin America are paying so you can enjoy that.
Only getting 5 Mbps where I am, but it's not unlike South Africa and other parts of the world, which is why I'd recommend a mesh network running on 900 MHz. An antenna 15 metres high can have a maximum radius of 50 km, so it may be worth pooling the individuals' costs for a single faster connection, if you want a workaround. :)
-
Please describe the physical security environment in which this pfSense machine resides and who has physical access to the console.
-
(removes tinfoil hat, steps out of bunker, opens door to compound)
This may be a simple password file corruption. No need to go the conspiracy route. It happens, rarely.
If someone hacked your firewall, they'd take it down or reprogram it. What's the fun in just locking the admin out?
(puts tinfoil hat back on, closes door to compound, climbs back into bunker)