I actually break into WiFi networks as part of my job, there's two routes in:
1. WPS flaws, although most devices now have WPS locking after 3 failed attempts (this can be bypassed with skill). It is always good practice to disable WPS.
You can see the attack here: https://www.youtube.com/watch?v=knllpZF508k
2. Capture the WPA-2 handshake as you connect in. This can be cracked offline.
To mitigate against number 2, use a long password, say 30+ characters which does not resemble dictionary / easy to remember words. Ensure you are only using WPA-2 not WPA/WPA2 mixed mode, or worse WPS.
You can see the attack here: https://www.youtube.com/watch?v=1HcA17huGBc

Number 2 takes time, but you can speed things up by using logic. Take the latest BT SmartHub, we see an SSID: BTHub6-XXXX and we know the passwords are always 10 characters in length by default. So we only try out 10 digit passwords on this SSID.

Device details
Manufacturer Mini-Router
Model RTL8xxx - looks to be realtek, these work on wifi attacks.
Model Number EV-20 10-09-20
Serial Number 123456789012347
MAC Address 0e:41:58:00:99:3c - This MAC does not belong to a vendor, which suggests it is being spoofed or faked, to try and hide the real devices identity. This is highly suspect. I would have expected to see a Realtek MAC given the details.

If you google the Serial Number: 123456789012347 it brings you right over to some common WPS exploits. https://forums.kali.org/showthread.php?25018-Pixiewp...

In your shoes I would do the following:
1. Reset router to factory settings
2. Change WiFi password to 30+ random password
3. Disable WPS entirely.

I have mentioned number 1, factory settings, as often times once in the attacker setups up remote access to the router interface, so they can get right back in through their backdoor and view the new WiFi password / make changes still.

Edited by ukhardy07 (Fri 29-Dec-17 13:01:46)

The device hasn't appeared in Windows Explorer at all today. However, although the router doesn't show the IP in the list of attached devices Netscan ping scan shows 192.168.1.13 as responding.

At the moment I'm wary of doing a factory reset because I can only connect to the router with my PC over wi-fi so I think I'll just switch everything off in a while until I've got my cable.

p.s.- Is a factory reset sure to get rid of the problem?

Edited by longedge (Fri 29-Dec-17 21:17:34)

Factory reset + disable WPS + new password should resolve everything yes.

On your router, does it have the default WIFI name and Password written on the device? Netgears usually do. If you reset, you can connect over this on WiFi.

Then login to the router, disable WPS, assign a long password, and fix to WPA2.

Run a nmap against 192.168.1.13. For windows use zenmap https://nmap.org/zenmap/
What ports are open? It may give you an idea what the device is.

With these things, there is a sense of urgency, from the perspective you are liable for what is done on your home network, ie the user browses child pornography you will be arrested as it's your name on the bill. Likewise if they download illegal content e.g. copy-write material, it will comeback to you. I'd get on it right away.

ps don't bother with MAC address filtering, it does nothing for security and can be bypassed in a second. It just gives you a headache managing something that doesn't benefit you anyway.

Edited by ukhardy07 (Sat 30-Dec-17 11:40:30)

It took about a dozen attempts to reset the router and didn't work until I had unplugged everything but the power. I think there's still something 'funny' going on because at the moment netscan has revealed 192.168.1.3 answering. I can ping it but when I do, Wireshark doesn't show any activity.

Also, after I set the router up again, the SSID and password kept changing. I'm sure "royaltomato984" isn't a default password! I have now got my own SSID and password to stick.

I'll have to give it a rest now coz I'm boggle eyed trying to watch all the network activity.

I've had it in mind for a while to buy a new router so I think the R6250 might be going in my spares bin.

Nmap reports open ports on the IP that is now the 'hidden one' 192.168.1.3 :-
Discovered open port 554/tcp on 192.168.1.3
Discovered open port 445/tcp on 192.168.1.3
Discovered open port 135/tcp on 192.168.1.3
Discovered open port 2869/tcp on 192.168.1.3
Discovered open port 10243/tcp on 192.168.1.3
Discovered open port 5357/tcp on 192.168.1.3

However I've just run a scan for my external IP for all service ports on GRC.com and that came back all stealth.

Not quite sure where to go from here.

Port 445 is the Windows SMB port, so that tells you a Windows device is connected here.

You sure this isn�t one of your own devices?

RE the default passwords, vendors moved away from default easy to guess passwords to more complicated random ones, so that could be the PW.

I've just come home and switched on to find the unexplained IP has disappeared BUT a few minutes ago a Mobile Phone was showing -

X6069_CUBOT_5365U
Manufacturer Cubot
Model number Cubot Max
MAC 7c:b9:60:02:0d:ae (appears to be a Chinese Co. vendor code)

I switched wireless off and it has disappeared again.

A range scan with Netscan is only showing IP addresses that I can account for (Router, PC and NAS).

You've still not said how your IP camera's are connected...
How did you find the 'royaltomato984' password?

...Typical they have a budget Chinese mobile phone.

Are you sure WPS is turned off? On both 2.4 and 5ghz?

WiFi is so cheap in this country, it's mad to think they're going to all this hassle. Mobile phones have small antennas, it's unlikely to be much further from one of the neighbours, where is your router in the home? 5Ghz barely covers a normal sized house, let alone going beyond many of the neighbours.

Do you have ANY powerline plugs in the home? Any WiFi extenders? Anything other than the main router?

Who is your ISP? E.g. if you have BT, their SmartHub has protection against these WPS attacks out of the box. It's also fairly good WiFi (AC2600 which is better than the netgear) and might be an option to get something cheap and quick.

Steps to try:
1. Check WPS is fully disabled
2. Check any remote management is disabled
3. Ensure no homeplugs are connected - these can connect to neighbours home wiring. It wouldn't be the first the the neighbours have a powerline WiFi extender, which routes back to next door, so whilst they see they're connecting to their home SSID they're getting an IP to next doors router.
4. Update to latest firmware for the router
5. For any wifi extenders ensure WPS is turned off here also
6. Use a long complex password
7. Use WPA2 only

Edited by ukhardy07 (Sun 31-Dec-17 00:37:34)