Hacking with the Linksys WRT54G/S and Custom Firmware


Published on

  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Hacking with the Linksys WRT54G/S and Custom Firmware

  1. 1. Hacking with the Linksys WRT54G/S and Custom Firmware By: Sysmin ISSAP, CISSP, NSA-IEM, NSA-IAM, CCSE and Quigon ISSAP, CISSP, NSA-IAM The Hacker Pimps
  2. 2. Document Versioning For the most up to date version of this document visit: www.hackerpimps.com/docs.html Thank you, -The Hacker Pimps!
  3. 3. Warning!! Warning!! Warning!! ● Modifying your firmware will void your warranty ● There is a possibility that you may brick your WRT. No Pain, No Gain! ● You could probably try the buyer protection plan from Best Buy. They don't check them anyway.
  4. 4. Linksys WRT54G/S Specifics ● Hey, This thing runs Linux! ;) Linksys WRT54G Linksys WRT54GS 200MHz MIPS Processor 200MHz MIPS Processor 4MB of Flash Memory 8MB of Flash Memory 16MB of RAM 32MB of RAM Default has SpeedBooster Crap
  5. 5. Why You Want A GS ● More is better ● You can have more software and exploits loaded ● Pretty self-explanatory
  6. 6. Why Would You Use A WRT? ● It is inexpensive ● It is innocuous ● People are used to seeing these things around ● It has wireless functionality ● It has wired functionality
  7. 7. Customizing OpenWRT ● White Russian source code has a “make menuconfig” similar to compiling a Linux kernel. ● Can compile items as modules (making them installable .ipkg's) or compile items directly into the firmware – BE VERY CAREFUL DOING THIS. You could end up with a firmware that bricks your WRT. – Don't say we didn't warn you.
  8. 8. Customizing OpenWRT
  9. 9. Cross Compiling Applications ● Easy way to get a cross compiler up and running: – Use the SDK that the OpenWRT project provides (Linux x86 only) – Download and compile White Russian from OpenWRT.org (for other platforms) ● Enable OpenWRT SDK in configuration options
  10. 10. Cross Compiling Applications ● Not so easy ways – Compile from source (for masochists only) – Use CrossTool ● Cross compiler build scripts from http://www.kegel.com/crosstool/ ● Has issues with BASH 3.xx – I've never gotten a compiler up and running these ways – To build an app from source (using the SDK): ● CC=mipsel-linux-uclibc-gcc CFLAGS=” -s” ./configure -- host=mipsel ● make
  11. 11. Cross Compiling Applications ● Issues with compiling – AKA -- My limited knowledge with embedded development and cross compilers – Linux normally uses GLibC for C Libraries – OpenWRT uses uCLibC ● much more stripped down and compact C Library – Binaries compiled with GLibC must be statically compiled (use “--static” on the CFLAGS line). Results in huge binaries. – Use the SDK unless it just won't compile any other way
  12. 12. IPv6 ● What's Required: – ipkg install iproute2 – ipkg install radvd – ipkg install kmod-ipv6 – IPRoute2 allows for easier configuration of IPv6 over IPv4 tunnels. – RADVD (Route Advertiser Daemon) broadcasts an IPv6 prefix to the rest of your network – kmod-ipv6 is the IPv6 kernel modules for connectivity and firewalling. – These are built into FairuzaWRT by default
  13. 13. IPv6 ● Getting connected: – We used Hurricane Electric as an IPv6 Tunnel Broker. ● http://www.tunnelbroker.net – Allows for a static IPv6 over IPv4 tunnel and a /64 for your internal network. – Fairly easy to get it all working. – Requires registration and a few hours for HE to set up the tunnel.
  14. 14. IPv6 ● Getting connected: – Once HE establishes the tunnel, set up your end: ● ip tunnel add he.net mode sit remote local ttl 255 ● ip link set he.net up ● ip addr add 2001:470:1F01:F00D::2F1/127 dev he.net ● ip route add ::/0 dev he.net ● ip -f inet6 addr – You can also add these commands to /etc/init.d/rcS to make them more permanent. – ping6 www.kame.net to make sure you have connectivity.
  15. 15. IPv6 ● For the rest of your network: – Set up your router advertiser: ● vi /etc/radvd.conf ● interface br0 { AdvSendAdvert on; MinRtrAdvInterval 3; MaxRtrAdvInterval 10; AdvHomeAgentFlag off; prefix 2001:470:1F01:CAFE::/64 { AdvOnLink on; AdvAutonomous on; AdvRouterAddr on; };};
  16. 16. IPv6 ● For the rest of your network: – Assign one of the /64 IPv6 IPs to the br0 interface ● ip -6 addr add 2001:470:1F01:CAFE::1/64 dev br0 – Ensure IPv6 forwarding is enabled ● echo 1 > /proc/sys/net/ipv6/conf/all/forwarding – Start RADVD ● radvd -m logfile -l /var/log/radvd.log – These can also be added to /etc/init.d/rcS. – You should now be able to ping6 www.kame.net from IPv6 enabled clients.
  17. 17. FairuzaWRT
  18. 18. Information FairuzaWRT = FuxorWRT We changed the name.... Why? ... We are obsessed with Fairuza!
  19. 19. FairuzaWRT – “Built Ins” ● IPv6 Support with ip6tables firewalling ● CIFS for mounting Windows 2K/XP/Vista (or whatever they're calling it now) shares. ● NFS client support (including swap over NFS) ● ShFS (file system over SSH) ● NBT Scan ● Dsniff, NMAP, Hping 2, Hydra ● Some cross compiled POC exploits (including MS05039) ● FairuzaUS
  20. 20. Installing Software w/ ipkg ● Works similar to Apt ● Repositories are set up in /etc/ipkg.conf ● ipkg update #Updates package list ● ipkg install <pkgname> #Install certain package ● ipkg remove <pkgname> #Removes package ● Hackerpimps' ipkg respository the default in FairuzaWRT ● src fairuzawrt http://www.hackerpimps.com/fairuzawrt/packages
  21. 21. The Attacks
  22. 22. FairuzaUS
  23. 23. What is FairuzaUS? ● Used to configure the WRT ● Eases simple recon tasks ● Its Quick ● You don't have to remember things
  24. 24. Net Recon ● Scanning for hosts ● Port Scanning – Nmap – Netcat
  25. 25. Port Scanning ● Netcat – nc -v -z <host> <port range> – Netcat banner grabbing – nc <host> <port> ● Nmap – Do we really need to explain the syntax?
  26. 26. Netbios Recon ● Gives information about Netbios on the network ● nbtscan – nbtscan -v
  27. 27. Nbtscan in Action
  28. 28. Mounting Shares ● 2 Filesystems: Mount Windows and NFS – Windows 2k and XP – mount.cifs computershare /mnt -o user=username pass=password – NFS for mounting *nix shares – mount -t nfs xxx.yyy.zzz.aaa:/mntpoint /mnt ● Mount over the net ● Grab files ● Put files
  29. 29. Give Yourself Some Room ● Mount a share to give yourself more room to work with ● Helps when you are trying to crack WEP ● Helps when you need to load a dictionary file ● Helps when you want to save some files from someplace
  30. 30. Wireless Recon ● Find wireless networks ● Use your WRTs to Wardrive ● Use your WRTs to help win Wardriving contests – Kismet Drone ● Edit your kismet drone config file – Kismet
  31. 31. Crack that WEP ● Mount a partition and give yourself some more room ● Use airodump to dump the weak Ivs – Airodump ● airodump <interface> <dumpfile> ● Use aircrack to crack the wep key – Aircrack ● Aircrack [options] <.cap file>
  32. 32. Passwords ● Dsniff – This is a big one – Example: dsniff -i eth0 ● Hydra – Hydra fun – hydra [[[-l LOGIN|-L FILE] [-p PASS|-P FILE]] | [-C FILE]] [-e ns] [-o FILE] [-t TASKS] [-M FILE [-T TASKS]] [-w TIME] [-f] [-s PORT] [-S] [-vV] server service [OPT] – Use hydra to crack your own root password w00t!
  33. 33. 0wn3d by Ph0n3 I know, my camera sucks
  34. 34. 0wn3d by Phone ● Using an SSH enabled smart phone to control FairuzaWRT ● Impress your friends ● Fun at parties ● You too can have a Windows prompt on your phone
  35. 35. 0wn3d by Phone
  36. 36. Drive-by Upload Drive-by upload takes advantage of individuals not changing their default configurations. This is the act of driving by someone's home or place of business and replacing their firmware with an alternate one.
  37. 37. This Look Familiar?
  38. 38. Drive-by Upload... who... what??? ● Used to recon internal systems ● Used to attack internal systems ● Used to recon external systems ● Used to attack external systems ● Sniff passwords ● Basically anything the WRT can do at that point
  39. 39. FairuzaFakeAP ● Fake AP functionality for FairuzaWRT ● Impersonates other access points ● Still being tested, but it does work ● Should be available soon
  40. 40. Malicious VPN ● Slice through firewalls with OpenVPN ● Can use TCP or UDP ● Use commonly open ports such as 80, 443, 22, and udp 53 ● Can be used even if NAT'ing is involved ● Can use a pre-shared keys or digital certificates ● IDS Evasion ● Have someone else's network connect to you!
  41. 41. Static Key OpenVPN ● Simple to set up for both Client and Server ● Sets up quickly ● Can use the same pre-shared key for your army of WRTs.
  42. 42. OpenVPN Pre-shared Key ● Generate the Key – openvpn --genkey --secret static.key ● Use the key on both client and server ● Make sure that the firewall on the WRT allows the traffic to be passed
  43. 43. OpenVPN Server Config port 53 dev tun mode server ifconfig secret static.key
  44. 44. OpenVPN Client Config remote server.domain dev tun ifconfig secret static.key
  45. 45. Exploits ● Run them from the command line ● You can list them in fairuzaUS, functionality to use them from there will be added in the future ● Located in: /usr/sbin
  46. 46. Things You Probably Shouldn't Do ● Use FairuzaWRT / FuxorWRT as your main gateway. ● Use the tests of FairuzaWRT / FuxorWRT as your only security tests. ● Use this tool on networks or systems that you don't 0wn or have permission to test.
  47. 47. The Future of FairuzaWRT ● Documentation ● IPv6 Attacks? ● More functions in FairuzaUS ● Integration of exploits in to FairuzaUS ● NetHack = fun for everyone
  48. 48. When Firmware Goes Bad
  49. 49. When Firmware Goes Bad ● To avoid certain problems make sure that you turn boot wait on. nvram set boot_wait=on ● Something else to try – Set the computer up to ping – Remove cover and short out pins 15 and 16 on the nvram chip – Apply power – Once the ping is working tftp the image to the wrt – tftp – tftp> binary – tftp> rexmt 1 – tftp> trace –
  50. 50. When Firmware Goes Bad ● Hold in the reset button (hahahah) ● Try loading Sveasoft ● http://voidmain.is-a-geek.net:81/redhat/wrt54g_revival.html ● Pray to the gods of firmware and offer up a sacrifice. Maybe an old telephone or something?
  51. 51. Uses or Brick 7 Uses for a Bricked WRT
  52. 52. The WRT Purse See Demo Extras Needed: 1 short piece of Cat5 1 long piece of Cat5
  53. 53. The WRT Soccer Ball
  54. 54. The WRT Plastic Surgeon Who could possibly know more about plastic surgery?
  55. 55. The WRT Rap Star Fo Shizzle
  56. 56. The WRT Lawn Sprinkler
  57. 57. The WRT Pleasure Device Extras Needed: 1 Midget 1 Kazoo
  58. 58. FairuzaWRT Demo Time permitting
  59. 59. Any Questions??? Sysmin sysmin@neohaxor.org QuiGon gene@hacktek.com www.hackerpimps.com