hacking with the linksys wrt54g/s and custom firmware
TRANSCRIPT
Hacking with the Linksys WRT54G/S and Custom Firmware
By: Sysmin
ISSAP, CISSP, NSA-IEM, NSA-IAM, CCSE
andQuigon
ISSAP, CISSP, NSA-IAM
The Hacker Pimps
Document Versioning
For the most up to date version of this document visit:
www.hackerpimps.com/docs.html
Thank you,-The Hacker Pimps!
Warning!! Warning!! Warning!!
● Modifying your firmware will void your warranty
● There is a possibility that you may brick your WRT. No Pain, No Gain!
● You could probably try the buyer protection plan from Best Buy. They don't check them anyway.
Linksys WRT54G/S Specifics
● Hey, This thing runs Linux! ;)
Linksys WRT54G
200MHz MIPS Processor
4MB of Flash Memory
16MB of RAM
Linksys WRT54GS
200MHz MIPS Processor
8MB of Flash Memory
32MB of RAM
Default has SpeedBooster Crap
Why You Want A GS
● More is better● You can have more software and exploits
loaded● Pretty self-explanatory
Why Would You Use A WRT?
● It is inexpensive● It is innocuous● People are used to seeing these things
around● It has wireless functionality● It has wired functionality
Customizing OpenWRT● White Russian source code has a “make
menuconfig” similar to compiling a Linux kernel.● Can compile items as modules (making them
installable .ipkg's) or compile items directly into the firmware
– BE VERY CAREFUL DOING THIS. You could end up with a firmware that bricks your WRT.
– Don't say we didn't warn you.
Customizing OpenWRT
Cross Compiling Applications● Easy way to get a cross compiler up and running:
– Use the SDK that the OpenWRT project provides (Linux x86 only)
– Download and compile White Russian from OpenWRT.org (for other platforms)
● Enable OpenWRT SDK in configuration options
Cross Compiling Applications● Not so easy ways
– Compile from source (for masochists only)
– Use CrossTool● Cross compiler build scripts from
http://www.kegel.com/crosstool/● Has issues with BASH 3.xx
– I've never gotten a compiler up and running these ways
– To build an app from source (using the SDK):● CC=mipsel-linux-uclibc-gcc CFLAGS=” -s” ./configure --
host=mipsel● make
Cross Compiling Applications
● Issues with compiling– AKA -- My limited knowledge with embedded
development and cross compilers
– Linux normally uses GLibC for C Libraries
– OpenWRT uses uCLibC● much more stripped down and compact C Library
– Binaries compiled with GLibC must be statically compiled (use
“--static” on the CFLAGS line). Results in huge binaries.
– Use the SDK unless it just won't compile any other way
IPv6● What's Required:
– ipkg install iproute2
– ipkg install radvd
– ipkg install kmod-ipv6
– IPRoute2 allows for easier configuration of IPv6 over IPv4 tunnels.
– RADVD (Route Advertiser Daemon) broadcasts an IPv6 prefix to the rest of your network
– kmod-ipv6 is the IPv6 kernel modules for connectivity and firewalling.
– These are built into FairuzaWRT by default
IPv6
● Getting connected:– We used Hurricane Electric as an IPv6 Tunnel Broker.
● http://www.tunnelbroker.net
– Allows for a static IPv6 over IPv4 tunnel and a /64 for your internal network.
– Fairly easy to get it all working.
– Requires registration and a few hours for HE to set up the tunnel.
IPv6● Getting connected:
– Once HE establishes the tunnel, set up your end:● ip tunnel add he.net mode sit remote 64.71.128.83 \ local
12.34.56.78 ttl 255● ip link set he.net up● ip addr add 2001:470:1F01:F00D::2F1/127 dev he.net● ip route add ::/0 dev he.net● ip -f inet6 addr
– You can also add these commands to /etc/init.d/rcS to make them more permanent.
– ping6 www.kame.net to make sure you have connectivity.
IPv6
● For the rest of your network:– Set up your router advertiser:
● vi /etc/radvd.conf● interface br0
{ AdvSendAdvert on;
MinRtrAdvInterval 3;
MaxRtrAdvInterval 10;
AdvHomeAgentFlag off;
prefix 2001:470:1F01:CAFE::/64
{ AdvOnLink on;
AdvAutonomous on;
AdvRouterAddr on;
};};
IPv6● For the rest of your network:
– Assign one of the /64 IPv6 IPs to the br0 interface● ip -6 addr add 2001:470:1F01:CAFE::1/64 dev br0
– Ensure IPv6 forwarding is enabled● echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
– Start RADVD● radvd -m logfile -l /var/log/radvd.log
– These can also be added to /etc/init.d/rcS.
– You should now be able to ping6 www.kame.net from IPv6 enabled clients.
FairuzaWRT
Information
FairuzaWRT = FuxorWRTWe changed the name.... Why? ... We are
obsessed with Fairuza!
FairuzaWRT – “Built Ins”● IPv6 Support with ip6tables firewalling
● CIFS for mounting Windows 2K/XP/Vista (or whatever they're calling it now) shares.
● NFS client support (including swap over NFS)
● ShFS (file system over SSH)
● NBT Scan
● Dsniff, NMAP, Hping 2, Hydra
● Some cross compiled POC exploits (including MS05039)
● FairuzaUS
Installing Software w/ ipkg
● Works similar to Apt● Repositories are set up in /etc/ipkg.conf● ipkg update #Updates package list● ipkg install <pkgname> #Install certain package● ipkg remove <pkgname> #Removes package● Hackerpimps' ipkg respository the default in
FairuzaWRT● src fairuzawrt http://www.hackerpimps.com/fairuzawrt/packages
The Attacks
FairuzaUS
What is FairuzaUS?
● Used to configure the WRT● Eases simple recon tasks● Its Quick● You don't have to remember things
Net Recon
● Scanning for hosts● Port Scanning
– Nmap
– Netcat
Port Scanning
● Netcat– nc -v -z <host> <port range>
– Netcat banner grabbing
– nc <host> <port>
● Nmap– Do we really need to explain the syntax?
Netbios Recon
● Gives information about Netbios on the network
● nbtscan – nbtscan -v 192.168.1.1-254
Nbtscan in Action
Mounting Shares
● 2 Filesystems: Mount Windows and NFS– Windows 2k and XP
– mount.cifs \\computer\share /mnt -o user=username pass=password
– NFS for mounting *nix shares
– mount -t nfs xxx.yyy.zzz.aaa:/mntpoint /mnt
● Mount over the net● Grab files● Put files
Give Yourself Some Room
● Mount a share to give yourself more room to work with
● Helps when you are trying to crack WEP● Helps when you need to load a dictionary file● Helps when you want to save some files from
someplace
Wireless Recon
● Find wireless networks● Use your WRTs to Wardrive● Use your WRTs to help win Wardriving
contests– Kismet Drone
● Edit your kismet drone config file
– Kismet
Crack that WEP
● Mount a partition and give yourself some more room
● Use airodump to dump the weak Ivs– Airodump
● airodump <interface> <dumpfile>
● Use aircrack to crack the wep key– Aircrack
● Aircrack [options] <.cap file>
Passwords
● Dsniff– This is a big one
– Example: dsniff -i eth0
● Hydra– Hydra fun
– hydra [[[-l LOGIN|-L FILE] [-p PASS|-P FILE]] | [-C FILE]] [-e ns] [-o FILE] [-t TASKS] [-M FILE [-T TASKS]] [-w TIME] [-f] [-s PORT] [-S] [-vV] server service [OPT]
– Use hydra to crack your own root password w00t!
0wn3d by Ph0n3
I know, my camera sucks
0wn3d by Phone
● Using an SSH enabled smart phone to control FairuzaWRT
● Impress your friends● Fun at parties ● You too can have a Windows prompt on your
phone
0wn3d by Phone
Drive-by Upload
Drive-by upload takes advantage of individuals not changing their default configurations. This
is the act of driving by someone's home or place of business and replacing their firmware
with an alternate one.
This Look Familiar?
Drive-by Upload... who... what???
● Used to recon internal systems● Used to attack internal systems● Used to recon external systems● Used to attack external systems● Sniff passwords● Basically anything the WRT can do at that
point
FairuzaFakeAP
● Fake AP functionality for FairuzaWRT● Impersonates other access points● Still being tested, but it does work● Should be available soon
Malicious VPN● Slice through firewalls with OpenVPN● Can use TCP or UDP● Use commonly open ports such as 80, 443,
22, and udp 53● Can be used even if NAT'ing is involved● Can use a pre-shared keys or digital
certificates● IDS Evasion● Have someone else's network connect to
you!
Static Key OpenVPN
● Simple to set up for both Client and Server● Sets up quickly● Can use the same pre-shared key for your
army of WRTs.
OpenVPN Pre-shared Key
● Generate the Key– openvpn --genkey --secret static.key
● Use the key on both client and server● Make sure that the firewall on the WRT
allows the traffic to be passed
OpenVPN Server Config
port 53dev tunmode serverifconfig 10.8.0.1 10.8.0.2secret static.key
OpenVPN Client Config
remote server.domaindev tunifconfig 10.8.0.2 10.8.0.1secret static.key
Exploits
● Run them from the command line● You can list them in fairuzaUS, functionality
to use them from there will be added in the future
● Located in: /usr/sbin
Things You Probably Shouldn't Do
● Use FairuzaWRT / FuxorWRT as your main gateway.
● Use the tests of FairuzaWRT / FuxorWRT as your only security tests.
● Use this tool on networks or systems that you don't 0wn or have permission to test.
The Future of FairuzaWRT
● Documentation● IPv6 Attacks?● More functions in FairuzaUS● Integration of exploits in to FairuzaUS
● NetHack = fun for everyone
When Firmware Goes Bad
When Firmware Goes Bad
● To avoid certain problems make sure that you turn boot wait on.
nvram set boot_wait=on● Something else to try
– Set the computer up to ping 192.168.1.1
– Remove cover and short out pins 15 and 16 on the nvram chip
– Apply power
– Once the ping is working tftp the image to the wrt
– tftp 192.168.1.1
– tftp> binary
– tftp> rexmt 1
– tftp> trace
– tftp> put <imagefile>
When Firmware Goes Bad
● Hold in the reset button (hahahah)● Try loading Sveasoft● http://voidmain.is-a-geek.net:81/redhat/wrt54g_revival.html
● Pray to the gods of firmware and offer up a sacrifice. Maybe an old telephone or something?
Uses or Brick
7 Uses for a Bricked WRT
The WRT Purse
See Demo
Extras Needed: 1 short piece of Cat5 1 long piece of Cat5
The WRT Soccer Ball
The WRT Plastic Surgeon
Who could possibly know
more aboutplastic surgery?
The WRT Rap Star
Fo Shizzle
The WRT Lawn Sprinkler
The WRT Pleasure Device
Extras Needed: 1 Midget 1 Kazoo
FairuzaWRT Demo
Time permitting
Any Questions???
www.hackerpimps.com