Your SlideShare is downloading. ×
Hacking with the Linksys WRT54G/S and Custom Firmware
Upcoming SlideShare
Loading in...5

Thanks for flagging this SlideShare!

Oops! An error has occurred.

Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

Hacking with the Linksys WRT54G/S and Custom Firmware


Published on

  • Be the first to comment

No Downloads
Total Views
On Slideshare
From Embeds
Number of Embeds
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

No notes for slide


  • 1. Hacking with the Linksys WRT54G/S and Custom Firmware By: Sysmin ISSAP, CISSP, NSA-IEM, NSA-IAM, CCSE and Quigon ISSAP, CISSP, NSA-IAM The Hacker Pimps
  • 2. Document Versioning For the most up to date version of this document visit: Thank you, -The Hacker Pimps!
  • 3. Warning!! Warning!! Warning!! ● Modifying your firmware will void your warranty ● There is a possibility that you may brick your WRT. No Pain, No Gain! ● You could probably try the buyer protection plan from Best Buy. They don't check them anyway.
  • 4. Linksys WRT54G/S Specifics ● Hey, This thing runs Linux! ;) Linksys WRT54G Linksys WRT54GS 200MHz MIPS Processor 200MHz MIPS Processor 4MB of Flash Memory 8MB of Flash Memory 16MB of RAM 32MB of RAM Default has SpeedBooster Crap
  • 5. Why You Want A GS ● More is better ● You can have more software and exploits loaded ● Pretty self-explanatory
  • 6. Why Would You Use A WRT? ● It is inexpensive ● It is innocuous ● People are used to seeing these things around ● It has wireless functionality ● It has wired functionality
  • 7. Customizing OpenWRT ● White Russian source code has a “make menuconfig” similar to compiling a Linux kernel. ● Can compile items as modules (making them installable .ipkg's) or compile items directly into the firmware – BE VERY CAREFUL DOING THIS. You could end up with a firmware that bricks your WRT. – Don't say we didn't warn you.
  • 8. Customizing OpenWRT
  • 9. Cross Compiling Applications ● Easy way to get a cross compiler up and running: – Use the SDK that the OpenWRT project provides (Linux x86 only) – Download and compile White Russian from (for other platforms) ● Enable OpenWRT SDK in configuration options
  • 10. Cross Compiling Applications ● Not so easy ways – Compile from source (for masochists only) – Use CrossTool ● Cross compiler build scripts from ● Has issues with BASH 3.xx – I've never gotten a compiler up and running these ways – To build an app from source (using the SDK): ● CC=mipsel-linux-uclibc-gcc CFLAGS=” -s” ./configure -- host=mipsel ● make
  • 11. Cross Compiling Applications ● Issues with compiling – AKA -- My limited knowledge with embedded development and cross compilers – Linux normally uses GLibC for C Libraries – OpenWRT uses uCLibC ● much more stripped down and compact C Library – Binaries compiled with GLibC must be statically compiled (use “--static” on the CFLAGS line). Results in huge binaries. – Use the SDK unless it just won't compile any other way
  • 12. IPv6 ● What's Required: – ipkg install iproute2 – ipkg install radvd – ipkg install kmod-ipv6 – IPRoute2 allows for easier configuration of IPv6 over IPv4 tunnels. – RADVD (Route Advertiser Daemon) broadcasts an IPv6 prefix to the rest of your network – kmod-ipv6 is the IPv6 kernel modules for connectivity and firewalling. – These are built into FairuzaWRT by default
  • 13. IPv6 ● Getting connected: – We used Hurricane Electric as an IPv6 Tunnel Broker. ● – Allows for a static IPv6 over IPv4 tunnel and a /64 for your internal network. – Fairly easy to get it all working. – Requires registration and a few hours for HE to set up the tunnel.
  • 14. IPv6 ● Getting connected: – Once HE establishes the tunnel, set up your end: ● ip tunnel add mode sit remote local ttl 255 ● ip link set up ● ip addr add 2001:470:1F01:F00D::2F1/127 dev ● ip route add ::/0 dev ● ip -f inet6 addr – You can also add these commands to /etc/init.d/rcS to make them more permanent. – ping6 to make sure you have connectivity.
  • 15. IPv6 ● For the rest of your network: – Set up your router advertiser: ● vi /etc/radvd.conf ● interface br0 { AdvSendAdvert on; MinRtrAdvInterval 3; MaxRtrAdvInterval 10; AdvHomeAgentFlag off; prefix 2001:470:1F01:CAFE::/64 { AdvOnLink on; AdvAutonomous on; AdvRouterAddr on; };};
  • 16. IPv6 ● For the rest of your network: – Assign one of the /64 IPv6 IPs to the br0 interface ● ip -6 addr add 2001:470:1F01:CAFE::1/64 dev br0 – Ensure IPv6 forwarding is enabled ● echo 1 > /proc/sys/net/ipv6/conf/all/forwarding – Start RADVD ● radvd -m logfile -l /var/log/radvd.log – These can also be added to /etc/init.d/rcS. – You should now be able to ping6 from IPv6 enabled clients.
  • 17. FairuzaWRT
  • 18. Information FairuzaWRT = FuxorWRT We changed the name.... Why? ... We are obsessed with Fairuza!
  • 19. FairuzaWRT – “Built Ins” ● IPv6 Support with ip6tables firewalling ● CIFS for mounting Windows 2K/XP/Vista (or whatever they're calling it now) shares. ● NFS client support (including swap over NFS) ● ShFS (file system over SSH) ● NBT Scan ● Dsniff, NMAP, Hping 2, Hydra ● Some cross compiled POC exploits (including MS05039) ● FairuzaUS
  • 20. Installing Software w/ ipkg ● Works similar to Apt ● Repositories are set up in /etc/ipkg.conf ● ipkg update #Updates package list ● ipkg install <pkgname> #Install certain package ● ipkg remove <pkgname> #Removes package ● Hackerpimps' ipkg respository the default in FairuzaWRT ● src fairuzawrt
  • 21. The Attacks
  • 22. FairuzaUS
  • 23. What is FairuzaUS? ● Used to configure the WRT ● Eases simple recon tasks ● Its Quick ● You don't have to remember things
  • 24. Net Recon ● Scanning for hosts ● Port Scanning – Nmap – Netcat
  • 25. Port Scanning ● Netcat – nc -v -z <host> <port range> – Netcat banner grabbing – nc <host> <port> ● Nmap – Do we really need to explain the syntax?
  • 26. Netbios Recon ● Gives information about Netbios on the network ● nbtscan – nbtscan -v
  • 27. Nbtscan in Action
  • 28. Mounting Shares ● 2 Filesystems: Mount Windows and NFS – Windows 2k and XP – mount.cifs computershare /mnt -o user=username pass=password – NFS for mounting *nix shares – mount -t nfs /mnt ● Mount over the net ● Grab files ● Put files
  • 29. Give Yourself Some Room ● Mount a share to give yourself more room to work with ● Helps when you are trying to crack WEP ● Helps when you need to load a dictionary file ● Helps when you want to save some files from someplace
  • 30. Wireless Recon ● Find wireless networks ● Use your WRTs to Wardrive ● Use your WRTs to help win Wardriving contests – Kismet Drone ● Edit your kismet drone config file – Kismet
  • 31. Crack that WEP ● Mount a partition and give yourself some more room ● Use airodump to dump the weak Ivs – Airodump ● airodump <interface> <dumpfile> ● Use aircrack to crack the wep key – Aircrack ● Aircrack [options] <.cap file>
  • 32. Passwords ● Dsniff – This is a big one – Example: dsniff -i eth0 ● Hydra – Hydra fun – hydra [[[-l LOGIN|-L FILE] [-p PASS|-P FILE]] | [-C FILE]] [-e ns] [-o FILE] [-t TASKS] [-M FILE [-T TASKS]] [-w TIME] [-f] [-s PORT] [-S] [-vV] server service [OPT] – Use hydra to crack your own root password w00t!
  • 33. 0wn3d by Ph0n3 I know, my camera sucks
  • 34. 0wn3d by Phone ● Using an SSH enabled smart phone to control FairuzaWRT ● Impress your friends ● Fun at parties ● You too can have a Windows prompt on your phone
  • 35. 0wn3d by Phone
  • 36. Drive-by Upload Drive-by upload takes advantage of individuals not changing their default configurations. This is the act of driving by someone's home or place of business and replacing their firmware with an alternate one.
  • 37. This Look Familiar?
  • 38. Drive-by Upload... who... what??? ● Used to recon internal systems ● Used to attack internal systems ● Used to recon external systems ● Used to attack external systems ● Sniff passwords ● Basically anything the WRT can do at that point
  • 39. FairuzaFakeAP ● Fake AP functionality for FairuzaWRT ● Impersonates other access points ● Still being tested, but it does work ● Should be available soon
  • 40. Malicious VPN ● Slice through firewalls with OpenVPN ● Can use TCP or UDP ● Use commonly open ports such as 80, 443, 22, and udp 53 ● Can be used even if NAT'ing is involved ● Can use a pre-shared keys or digital certificates ● IDS Evasion ● Have someone else's network connect to you!
  • 41. Static Key OpenVPN ● Simple to set up for both Client and Server ● Sets up quickly ● Can use the same pre-shared key for your army of WRTs.
  • 42. OpenVPN Pre-shared Key ● Generate the Key – openvpn --genkey --secret static.key ● Use the key on both client and server ● Make sure that the firewall on the WRT allows the traffic to be passed
  • 43. OpenVPN Server Config port 53 dev tun mode server ifconfig secret static.key
  • 44. OpenVPN Client Config remote server.domain dev tun ifconfig secret static.key
  • 45. Exploits ● Run them from the command line ● You can list them in fairuzaUS, functionality to use them from there will be added in the future ● Located in: /usr/sbin
  • 46. Things You Probably Shouldn't Do ● Use FairuzaWRT / FuxorWRT as your main gateway. ● Use the tests of FairuzaWRT / FuxorWRT as your only security tests. ● Use this tool on networks or systems that you don't 0wn or have permission to test.
  • 47. The Future of FairuzaWRT ● Documentation ● IPv6 Attacks? ● More functions in FairuzaUS ● Integration of exploits in to FairuzaUS ● NetHack = fun for everyone
  • 48. When Firmware Goes Bad
  • 49. When Firmware Goes Bad ● To avoid certain problems make sure that you turn boot wait on. nvram set boot_wait=on ● Something else to try – Set the computer up to ping – Remove cover and short out pins 15 and 16 on the nvram chip – Apply power – Once the ping is working tftp the image to the wrt – tftp – tftp> binary – tftp> rexmt 1 – tftp> trace –
  • 50. When Firmware Goes Bad ● Hold in the reset button (hahahah) ● Try loading Sveasoft ● ● Pray to the gods of firmware and offer up a sacrifice. Maybe an old telephone or something?
  • 51. Uses or Brick 7 Uses for a Bricked WRT
  • 52. The WRT Purse See Demo Extras Needed: 1 short piece of Cat5 1 long piece of Cat5
  • 53. The WRT Soccer Ball
  • 54. The WRT Plastic Surgeon Who could possibly know more about plastic surgery?
  • 55. The WRT Rap Star Fo Shizzle
  • 56. The WRT Lawn Sprinkler
  • 57. The WRT Pleasure Device Extras Needed: 1 Midget 1 Kazoo
  • 58. FairuzaWRT Demo Time permitting
  • 59. Any Questions??? Sysmin QuiGon