Menu
What's new
By:
Filters Better Search

I don't understand why some people are still using WOL?

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

F

follower

Very Senior Member
It's convenient for them? Throwing away security?
I remember that I mentioned WOL security risk at Snbforums years ago(7 or 8 years maybe?). I didn't talk about What I saw and knew at that time. Because when I talked about WOL is not safe, a lot of snbfoums users said it's safe including someone. Why am I talking about this now? I've seen someone who my friend knows got hacked by WOL recently. That's why. Do not use WOL. If you are still believing that WOL is safe keep using it.
But you may lose everything. You don't even know you've got hacked. I can say more, but this is enough I think. ;)
 
Last edited:
By any chance did the friend of a friend have port forward enabled to the computer that got hacked? If so, it is their fault. Not WoL's fault!
 
I think if someone is going to tell us a feature such as WOL is unsafe then I think that person needs to say more! So far as my understanding goes, WOL just wakes up a device, so unless I'm missing something, having a device use WOL should be no less secure than having the same device just sit there waiting for a connection without having its network connection sleep.
@follower if I'm wrong, please tell me why!
 
Crimliar said:
I think if someone is going to tell us a feature such as WOL is unsafe then I think that person needs to say more! So far as my understanding goes, WOL just wakes up a device, so unless I'm missing something, having a device use WOL should be no less secure than having the same device just sit there waiting for a connection without having its network connection sleep.
@follower if I'm wrong, please tell me why!
Click to expand...
It's not only waking up the device but also more. I don't think a lot of users know about this 3 or 4 years old incident.
This is just an example of 'Why is WOL risky?'. This is why some Network device companies remove or don't use WOL function.
It has a long story. It's still evolving. It's not only for Ransomware but also Hacking.
Vulnerability>Owning the network device or PC>Using this attack> :eek:

[2019 to 2020 incident]
I can tell you that there are many dedicated hacking tools for this, paid and free.

What is it?

RYUK Ransomware

www.trendmicro.com www.trendmicro.com

How does it work?
blogs.quickheal.com

A Deep Dive Into Wakeup On Lan (WoL) Implementation of Ryuk

Quick Heal Security Labs recently came across a variant of Ryuk Ransomware which contains an additional feature of identifying and encrypting systems in a
blogs.quickheal.com blogs.quickheal.com

How to do it?

Ryuk Wake on LAN Command

Command and Scripting Interpreter, Windows Command Shell
research.splunk.com
 
Last edited:
It's an attack that wakes up a machine if it's sleeping to exploit a vulnerability that if it exists would also have been there when the machine was already awake. I'm either being incredibly stupid (wouldn't be the first time) or WOL would seem to be incidental to the problem!
 
Well - WOL is a "trusted" interface from a LAN side perspective...

As an interface, it's also an open port to rx packets - packet of any kind

Ryuk is a clever exploit of that fact...
 
Crimliar said:
It's an attack that wakes up a machine if it's sleeping to exploit a vulnerability that if it exists would also have been there when the machine was already awake. I'm either being incredibly stupid (wouldn't be the first time) or WOL would seem to be incidental to the problem!
Click to expand...
WOL is the key point and the loophole.

holy.gif
 
Last edited:
sfx2000 said:
Well - WOL is a "trusted" interface from a LAN side perspective...

As an interface, it's also an open port to rx packets - packet of any kind

Ryuk is a clever exploit of that fact...
Click to expand...
I would assume somebody would have to be running the hacking software on your network to be attacked using WOL? Maybe in the same network? Or is it routable across local networks?
I don't think my firewall will let it in.

I don't want to read it all. I thought you could enlighten me.
 
coxhaus said:
I would assume somebody would have to be running the hacking software on your network to be attacked using WOL? Maybe in the same network? Or is it routable across local networks?
I don't think my firewall will let it in.

I don't want to read it all. I thought you could enlighten me.
Click to expand...

WOL is a concern as it's UDP on ports 7 (echo) or 9 (discard) - and UDP doesn't have the same kernel constraints as Raw Sockets... and since the WOL client is always listening outside of the OS the host is running, it's an interesting attack vector...

Challenge with WOL packets is that they are intercepted by the NIC at the network layer - before it hits the OS firewalls if any...
 
The fact that WOL is typically embedded in a UDP packet is of no real relevance because as you say, the packets are intercepted by the NIC and never reach the OS.

Ryuk is not doing anything clever. It's not "hacking" WOL in any way whatsoever. It's merely using WOL to try and wake up machines it's found in the ARP cache. Any user on the LAN could do the same thing. Once Ryuk has woken up any machines (and pinged others) it then crudely attempts to encrypt any insecure administrative shares that it's found.

So as @Crimliar noted the fact that it's using WOL is almost incidental. The main problem is the fact that a) your LAN has already been compromised for this malware to be running, and b) PCs/servers on your LAN have insecure administrative shares.
 
ColinTaylor said:
The fact that WOL is typically embedded in a UDP packet is of no real relevance because as you say, the packets are intercepted by the NIC and never reach the OS.

Ryuk is not doing anything clever. It's not "hacking" WOL in any way whatsoever. It's merely using WOL to try and wake up machines it's found in the ARP cache. Any user on the LAN could do the same thing. Once Ryuk has woken up any machines (and pinged others) it then crudely attempts to encrypt any insecure administrative shares that it's found.

So as @Crimliar noted the fact that it's using WOL is almost incidental. The main problem is the fact that a) your LAN has already been compromised for this malware to be running, and b) PCs/servers on your LAN have insecure administrative shares.
Click to expand...
Thats what I kind of figured.
 
All of labs and hackers say WOL is main. But some Snbforums users say it's not.🤔

1. Ryuk is a variant of Hermes ransomware(2018). It's a well known ransomware and nothing new.
2. But Attackers have added WOL attack technique> Ryuk.
3. This attack is not a random attack but a targeted attack. What does meaning of Targeted?
4. Targeted means the attackers know all the vulnerabilities about victim's devices.
5. This kind of attack can overwrite your BIOS and Firmware(PC, Router, Switch, IoT and more) to hacked BIOS. Yes, this happens in the real world.
Does firewall work? Maybe yes. Maybe not. The problem is not only Ryuk but also Hacking.
 
Last edited:
follower said:
All of labs and hackers say WOL is main. But some Snbforums users say it's not.
Click to expand...

Well - I'm not one of those members that says - "don't worry about it..."

Rather - it's one of many things one can do to keep your LAN and Devices Secure... Depends on the NIC and BIOS/UEFI in use - easy enough to turn off, however defaults are to have it on...

At the risk of going off-thread - There are a lot of threats out there - and it's really about a few things...

1) remain current with your chosen OS provider
2) on device firewalls are a good thing - Mac and Windows are decent about this - I would say a 7 score out of 10
3) watch what services you expose on clients and the router/gateway
4) some spatial awareness around things - Apple/Google/Microsoft/Facebook/Amazon are going to contact you only in certain ways - and there, don't click the darn link - log in directly to the service provider...

It's really about practicing "Safe HEX" - and it's ok to refer to operational security like this - it's gets attention...
 
follower said:
All of labs and hackers say WOL is main. But some Snbforums users say it's not.🤔

1. Ryuk is a variant of Hermes ransomware(2018). It's a well known ransomware and nothing new.
2. But Attackers have added WOL attack technique> Ryuk.
3. This attack is not a random attack but a targeted attack. What does meaning of Targeted?
4. Targeted means the attackers know all the vulnerabilities about victim's devices.
5. This kind of attack can overwrite your BIOS and Firmware(PC, Router, Switch, IoT and more) to hacked BIOS. Yes, this happens in the real world.
Does firewall work? Maybe yes. Maybe not. The problem is not only Ryuk but also Hacking.
Click to expand...
Dell has been pretty good about updating BIOS even in their older PCs. It is one of the reasons I don't build PCs using random motherboards anymore. I am now using all UEFI no BIOS.

The attack is still going to have to happen inside your home network. I think the IOT is how it is going to happen. Isolate them.
 
You must log in or register to reply here.

Similar threads

AGTDenton
RT-AC5300 - Crashing & Rebooting (Merlin 386.12)
Replies
3
Views
787
L&LD
L&LD
M
Asus AiMesh with wired access point headache, out of my mind, angry
Replies
14
Views
1K
craigeryjohn
C
I
Using Samba in home network only. Is it safe?
Replies
6
Views
1K
in2ndo
I
Shaniza
RT-AC86U: Repeater mode connecting to Android hotspot (or via USB)
Replies
0
Views
726
Shaniza
Shaniza
D
I am coming from a netgear R7450, trying to figure out a current equivalent with similar range
Replies
2
Views
995
dyer4789
D
Similar threads
Thread starter Title Forum Replies Date
L&LD More great 'actors' who don't act appropriately. General Network Security 1
L&LD Don't ssh me! General Network Security 8

Similar threads

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Members online

Total: 850 (members: 20, guests: 830)
Top