Persistence

Once we have a valid way to authenticate to the wireless network and are able to connect, the next step is to set up persistence. One area to focus on is the wireless router. Most wireless routers have a web-based or other console through which legitimate administrators can log in and manage the router. Usually, these routers sit at the beginning of the subnet of the wireless LAN we connect to. For example, if we connect to Wifi_Crack and run the ifconfig wlan0 command, it shows that we have the IP address 10.0.0.7.

If we navigate to http://10.0.0.1 in the Iceweasel browser, we are brought to this page. You can also type route -n into a terminal, which will give you the default gateway:


If we enter the admin username without a password and click OK, this is what we get:

What we see is the default password for the administrator account. While not common, it is not out of the realm of possibility that the systems administrator for this network left the default credentials on the wireless router. If we do not get this error message, there are a great many resources on the internet that aggregate the default administrator accounts for a wide variety of routers, switches, and wireless access points.

One such site is http://www.routerpasswords.com/. If that doesn't work, the next option is to brute-force the sign-in using techniques we have previously covered.

If we are able to compromise the administrator accounts and gain access to the administrative settings, we should take note of information that will allow us to sign in again, such as the WPS PIN:

Administrators may change the wireless access point WPA passcode, but often leave the WPS PIN in place. Also, you should check to see whether you have the ability to access the MAC address-filtering controls:

From here, you can enter several MAC addresses that you can use in the future.
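
From the defender's side, both footholds described above (a WPS PIN left in place after the WPA passcode is changed, and extra entries in the MAC address filter) can be caught by auditing the router's settings against an asset inventory. The following is an added example, not code from the book; the key=value export format, its key names, the dates and the MAC addresses are all constructed assumptions, since real routers export settings in vendor-specific formats.

```python
import re
# Constructed sample: hypothetical key=value settings export, not a real vendor format.
SAMPLE_EXPORT = """\
wps_enabled=1
wps_pin_last_changed=2019-03-02
wpa_psk_last_changed=2024-11-18
mac_filter=00:11:22:AA:BB:01
mac_filter=00-11-22-aa-bb-02
mac_filter=02:5E:10:00:00:7F
"""
# Constructed inventory of approved client MAC addresses.
APPROVED = {"00:11:22:aa:bb:01", "00:11:22:aa:bb:02"}

def normalize_mac(mac):
    """Return a MAC as lowercase colon-separated hex, whatever separator was used."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def parse_export(text):
    """Split the export into scalar settings and the list of MAC filter entries."""
    settings, macs = {}, []
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if not sep or key.startswith("#"):
            continue
        if key == "mac_filter":
            macs.append(normalize_mac(value))
        else:
            settings[key] = value.strip()
    return settings, macs

def audit(text, approved):
    """Flag a WPS PIN that outlived a passphrase change and unapproved filter entries."""
    settings, macs = parse_export(text)
    allowed = {normalize_mac(m) for m in approved}
    findings = []
    if settings.get("wps_enabled") == "1":
        pin, psk = settings.get("wps_pin_last_changed"), settings.get("wpa_psk_last_changed")
        if pin and psk and pin < psk:  # ISO 8601 dates sort correctly as strings
            findings.append("WPS PIN not rotated since the WPA passphrase changed")
    for mac in macs:
        if mac not in allowed:
            findings.append(f"unapproved MAC filter entry: {mac}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_EXPORT, APPROVED)))
```

Running the audit after every credential rotation catches the case the text describes, where the passcode is changed but the WPS PIN is not.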
