Hacking with the Linksys WRT54G/S and Custom Firmware
By: Sysmin
ISSAP, CISSP, NSA-IEM, NSA-IAM, CCSE
and Quigon
ISSAP, CISSP, NSA-IAM
The Hacker Pimps
Document Versioning
For the most up to date version of this document visit:
www.hackerpimps.com/docs.html
Thank you,
-The Hacker Pimps!
Warning!! Warning!! Warning!!
● Modifying your firmware will void your warranty
● There is a possibility that you may brick your WRT. No Pain, No Gain!
● You could probably try the buyer protection plan from Best Buy. They don't check them anyway.
Linksys WRT54G/S Specifics
● Hey, This thing runs Linux! ;)
Linksys WRT54G
200MHz MIPS Processor
4MB of Flash Memory
16MB of RAM
Linksys WRT54GS
200MHz MIPS Processor
8MB of Flash Memory
32MB of RAM
Default has SpeedBooster Crap
Why You Want A GS
● More is better
● You can have more software and exploits loaded
● Pretty self-explanatory
Why Would You Use A WRT?
● It is inexpensive
● It is innocuous
● People are used to seeing these things around
● It has wireless functionality
● It has wired functionality
Customizing OpenWRT
● White Russian source code has a “make menuconfig” similar to compiling a Linux kernel.
● Can compile items as modules (making them installable .ipk packages) or compile items directly into the firmware
– BE VERY CAREFUL DOING THIS. You could end up with a firmware that bricks your WRT.
– Don't say we didn't warn you.
Customizing OpenWRT
Cross Compiling Applications
● Easy way to get a cross compiler up and running:
– Use the SDK that the OpenWRT project provides (Linux x86 only)
– Download and compile White Russian from OpenWRT.org (for other platforms)
● Enable OpenWRT SDK in configuration options
Cross Compiling Applications
● Not so easy ways
– Compile from source (for masochists only)
– Use CrossTool
● Cross compiler build scripts from http://www.kegel.com/crosstool/
● Has issues with BASH 3.xx
– I've never gotten a compiler up and running these ways
– To build an app from source (using the SDK):
● CC=mipsel-linux-uclibc-gcc CFLAGS="-s" ./configure --host=mipsel
● make
Cross Compiling Applications
● Issues with compiling – AKA my limited knowledge of embedded development and cross compilers
– Linux normally uses GLibC for C Libraries
– OpenWRT uses uCLibC
● much more stripped down and compact C Library
– Binaries compiled against GLibC (rather than the SDK's uCLibC) must be statically linked (use "--static" on the CFLAGS line) to run on the WRT. Results in huge binaries.
– Use the SDK unless it just won't compile any other way
IPv6
● What's Required:
– ipkg install iproute2
– ipkg install radvd
– ipkg install kmod-ipv6
– IPRoute2 allows for easier configuration of IPv6 over IPv4 tunnels.
– RADVD (Router Advertisement Daemon) broadcasts an IPv6 prefix to the rest of your network
– kmod-ipv6 provides the IPv6 kernel modules for connectivity and firewalling.
– These are built into FairuzaWRT by default
IPv6
● Getting connected:
– We used Hurricane Electric as an IPv6 Tunnel Broker.
● http://www.tunnelbroker.net
– Allows for a static IPv6 over IPv4 tunnel and a /64 for your internal network.
– Fairly easy to get it all working.
– Requires registration and a few hours for HE to set up the tunnel.
IPv6
● Getting connected:
– Once HE establishes the tunnel, set up your end:
● ip tunnel add he.net mode sit remote 64.71.128.83 local 12.34.56.78 ttl 255
● ip link set he.net up
● ip addr add 2001:470:1F01:F00D::2F1/127 dev he.net
● ip route add ::/0 dev he.net
● ip -f inet6 addr
– You can also add these commands to /etc/init.d/rcS to make them more permanent.
– ping6 www.kame.net to make sure you have connectivity.
IPv6
● For the rest of your network:
– Set up your router advertiser:
● vi /etc/radvd.conf
interface br0
{
    AdvSendAdvert on;
    MinRtrAdvInterval 3;
    MaxRtrAdvInterval 10;
    AdvHomeAgentFlag off;
    prefix 2001:470:1F01:CAFE::/64
    {
        AdvOnLink on;
        AdvAutonomous on;
        AdvRouterAddr on;
    };
};
IPv6
● For the rest of your network:
– Assign one of the /64 IPv6 IPs to the br0 interface
● ip -6 addr add 2001:470:1F01:CAFE::1/64 dev br0
– Ensure IPv6 forwarding is enabled
● echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
– Start RADVD
● radvd -m logfile -l /var/log/radvd.log
– These can also be added to /etc/init.d/rcS.
– You should now be able to ping6 www.kame.net from IPv6 enabled clients.
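The tunnel, br0, forwarding and radvd steps from the last three slides, consolidated into one script that can be called from /etc/init.d/rcS. This is an added example, not code from the deck or from FairuzaWRT: the addresses are the slides' sample values (placeholders, not a real tunnel assignment), DRY_RUN, run, in_prefix64, radvd_conf, enable_forwarding and setup_ipv6 are names of our own, and radvd's -C option selects the config file it reads.

```shell
#!/bin/sh
# Added example, not from the deck: runs the slides' HE tunnel, br0 address,
# forwarding and radvd steps in order, with DRY_RUN=1 printing each command
# instead of executing it so the sequence can be reviewed first.
# Addresses are the slides' sample values (placeholders); replace with yours.
HE_REMOTE=64.71.128.83                 # HE side of the tunnel
LOCAL_V4=12.34.56.78                   # your public IPv4
TUN_V6=2001:470:1F01:F00D::2F1/127     # your end of the tunnel
LAN_PREFIX=2001:470:1F01:CAFE::/64     # the routed /64 from HE
LAN_V6=2001:470:1F01:CAFE::1/64        # br0 address inside that /64
TUN=he.net
LAN=br0
RADVD_CONF=${RADVD_CONF:-/etc/radvd.conf}
# Echo the command in dry-run mode, otherwise run it and abort on failure.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@" || exit 1; fi
}
# True when the first four 16-bit groups of address $1 equal those of /64
# prefix $2. Deliberately simple: both must be written with four leading
# groups, as on the slides; compressed (::) leading groups are not expanded.
in_prefix64() {
    a=$(printf '%s' "$1" | cut -d: -f1-4 | tr 'A-F' 'a-f')
    p=$(printf '%s' "$2" | cut -d: -f1-4 | tr 'A-F' 'a-f')
    [ -n "$a" ] && [ "$a" = "$p" ]
}
# Print the radvd.conf from the slides for prefix $1 on interface $LAN.
radvd_conf() {
    cat <<EOF
interface $LAN
{
    AdvSendAdvert on;
    MinRtrAdvInterval 3;
    MaxRtrAdvInterval 10;
    AdvHomeAgentFlag off;
    prefix $1
    {
        AdvOnLink on;
        AdvAutonomous on;
        AdvRouterAddr on;
    };
};
EOF
}
# Forwarding is toggled through /proc exactly as on the slides.
enable_forwarding() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "echo 1 > /proc/sys/net/ipv6/conf/all/forwarding"
    else
        echo 1 > /proc/sys/net/ipv6/conf/all/forwarding || exit 1
    fi
}
setup_ipv6() {
    # Refuse to advertise a /64 that the br0 address is not inside.
    in_prefix64 "$LAN_V6" "$LAN_PREFIX" || { echo "$LAN_V6 is not in $LAN_PREFIX" >&2; return 1; }
    run ip tunnel add "$TUN" mode sit remote "$HE_REMOTE" local "$LOCAL_V4" ttl 255
    run ip link set "$TUN" up
    run ip addr add "$TUN_V6" dev "$TUN"
    run ip route add ::/0 dev "$TUN"
    run ip -6 addr add "$LAN_V6" dev "$LAN"
    enable_forwarding
    [ "${DRY_RUN:-0}" = 1 ] || radvd_conf "$LAN_PREFIX" > "$RADVD_CONF"
    run radvd -C "$RADVD_CONF" -m logfile -l /var/log/radvd.log
}
```

Run it once with DRY_RUN=1 to see the seven commands it would issue, then without it as root on the WRT; ping6 www.kame.net afterwards as the slides suggest.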
FairuzaWRT
Information
FairuzaWRT = FuxorWRT
We changed the name.... Why? ... We are obsessed with Fairuza!
FairuzaWRT – “Built Ins”
● IPv6 Support with ip6tables firewalling
● CIFS for mounting Windows 2K/XP/Vista (or whatever they're calling it now) shares.
● NFS client support (including swap over NFS)
● ShFS (file system over SSH)
● NBT Scan
● Dsniff, NMAP, Hping 2, Hydra
● Some cross compiled POC exploits (including MS05039)
● FairuzaUS
Installing Software w/ ipkg
● Works similar to Apt
● Repositories are set up in /etc/ipkg.conf
● ipkg update #Updates package list
● ipkg install <pkgname> #Install certain package
● ipkg remove <pkgname> #Removes package
● Hackerpimps' ipkg repository is the default in FairuzaWRT
● src fairuzawrt http://www.hackerpimps.com/fairuzawrt/packages
The Attacks
FairuzaUS
What is FairuzaUS?
● Used to configure the WRT
● Eases simple recon tasks
● It's quick
● You don't have to remember things
Net Recon
● Scanning for hosts
● Port Scanning
– Nmap
– Netcat
Port Scanning
● Netcat
– nc -v -z <host> <port range>
– Netcat banner grabbing
– nc <host> <port>
● Nmap
– Do we really need to explain the syntax?
Netbios Recon
● Gives information about Netbios on the network
● nbtscan
– nbtscan -v 192.168.1.1-254
Nbtscan in Action
Mounting Shares
● 2 Filesystems: Mount Windows and NFS
– Windows 2k and XP
– mount.cifs //computer/share /mnt -o user=username,pass=password
– NFS for mounting *nix shares
– mount -t nfs xxx.yyy.zzz.aaa:/mntpoint /mnt
● Mount over the net
● Grab files
● Put files
Give Yourself Some Room
● Mount a share to give yourself more room to work with
● Helps when you are trying to crack WEP
● Helps when you need to load a dictionary file
● Helps when you want to save some files from someplace
Wireless Recon
● Find wireless networks
● Use your WRTs to Wardrive
● Use your WRTs to help win Wardriving contests
– Kismet Drone
● Edit your kismet drone config file
– Kismet
Crack that WEP
● Mount a partition and give yourself some more room
● Use airodump to dump the weak IVs
– Airodump
● airodump <interface> <dumpfile>
● Use aircrack to crack the WEP key
– Aircrack
● aircrack [options] <.cap file>
Passwords
● Dsniff
– This is a big one
– Example: dsniff -i eth0
● Hydra
– Hydra fun
– hydra [[[-l LOGIN|-L FILE] [-p PASS|-P FILE]] | [-C FILE]] [-e ns] [-o FILE] [-t TASKS] [-M FILE [-T TASKS]] [-w TIME] [-f] [-s PORT] [-S] [-vV] server service [OPT]
– Use hydra to crack your own root password w00t!
0wn3d by Ph0n3
I know, my camera sucks
0wn3d by Phone
● Using an SSH enabled smart phone to control FairuzaWRT
● Impress your friends
● Fun at parties
● You too can have a Windows prompt on your phone
0wn3d by Phone
Drive-by Upload
Drive-by upload takes advantage of individuals not changing their default configurations. This is the act of driving by someone's home or place of business and replacing their firmware with an alternate one.
This Look Familiar?
Drive-by Upload... who... what???
● Used to recon internal systems
● Used to attack internal systems
● Used to recon external systems
● Used to attack external systems
● Sniff passwords
● Basically anything the WRT can do at that point
FairuzaFakeAP
● Fake AP functionality for FairuzaWRT
● Impersonates other access points
● Still being tested, but it does work
● Should be available soon
Malicious VPN
● Slice through firewalls with OpenVPN
● Can use TCP or UDP
● Use commonly open ports such as 80, 443, 22, and udp 53
● Can be used even if NAT'ing is involved
● Can use a pre-shared key or digital certificates
● IDS Evasion
● Have someone else's network connect to you!
Static Key OpenVPN
● Simple to set up for both Client and Server
● Sets up quickly
● Can use the same pre-shared key for your army of WRTs.
OpenVPN Pre-shared Key
● Generate the Key
– openvpn --genkey --secret static.key
● Use the key on both client and server
● Make sure that the firewall on the WRT allows the traffic to be passed
OpenVPN Server Config
port 53
dev tun
mode server
ifconfig 10.8.0.1 10.8.0.2
secret static.key
OpenVPN Client Config
remote server.domain
dev tun
ifconfig 10.8.0.2 10.8.0.1
secret static.key
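A helper that writes the static-key server and client pair from the two slides above and checks that the two halves actually mirror each other (swapped ifconfig addresses, same port, same secret) before the files are copied onto several WRTs. This is an added example, not code from the deck or from FairuzaWRT; it uses the point-to-point layout of OpenVPN's static-key HOWTO (no mode server line, port given on the remote line), server.domain and static.key are the deck's placeholders, and the ovpn_* function names are ours.

```shell
#!/bin/sh
# Added example, not from the deck: generate a matching static-key server and
# client config and verify that a pair is consistent. Mismatched ifconfig
# addresses, a client pointed at the wrong port, or different secret files are
# the usual reasons a static-key tunnel silently never comes up.

# Server side: $1 port, $2 server tunnel IP, $3 client tunnel IP, $4 key file.
ovpn_server_conf() {
    printf 'port %s\ndev tun\nifconfig %s %s\nsecret %s\n' "$1" "$2" "$3" "$4"
}

# Client side: $1 server host, $2 port, $3 client tunnel IP, $4 server tunnel
# IP, $5 key file. The port is written explicitly on the remote line because
# OpenVPN otherwise assumes its default port, not the one the server chose.
ovpn_client_conf() {
    printf 'remote %s %s\ndev tun\nifconfig %s %s\nsecret %s\n' "$1" "$2" "$3" "$4" "$5"
}

# Pair check on two config files ($1 server, $2 client): the client's ifconfig
# must be the server's with the addresses swapped, the client's remote port
# must equal the server's port, and both must name the same secret file.
ovpn_pair_ok() {
    s_if=$(awk '$1=="ifconfig"{print $2, $3}' "$1")
    c_if=$(awk '$1=="ifconfig"{print $3, $2}' "$2")
    s_port=$(awk '$1=="port"{print $2}' "$1")
    c_port=$(awk '$1=="remote"{print $3}' "$2")
    s_key=$(awk '$1=="secret"{print $2}' "$1")
    c_key=$(awk '$1=="secret"{print $2}' "$2")
    [ -n "$s_if" ] && [ "$s_if" = "$c_if" ] &&
    [ -n "$s_port" ] && [ "$s_port" = "$c_port" ] &&
    [ -n "$s_key" ] && [ "$s_key" = "$c_key" ]
}

# Write server.conf and client.conf into directory $1 for host $2, port $3 and
# key file $4, using the slides' 10.8.0.1/10.8.0.2 tunnel pair, then verify.
# Generate the key itself once with: openvpn --genkey --secret static.key
ovpn_write_pair() {
    ovpn_server_conf "$3" 10.8.0.1 10.8.0.2 "$4" > "$1/server.conf"
    ovpn_client_conf "$2" "$3" 10.8.0.2 10.8.0.1 "$4" > "$1/client.conf"
    ovpn_pair_ok "$1/server.conf" "$1/client.conf"
}
```

Example call: ovpn_write_pair /tmp/ovpn server.domain 53 static.key, then copy server.conf plus static.key to the WRT and client.conf plus the same static.key to the other side.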
Exploits
● Run them from the command line
● You can list them in FairuzaUS; functionality to use them from there will be added in the future
● Located in: /usr/sbin
Things You Probably Shouldn't Do
● Use FairuzaWRT / FuxorWRT as your main gateway.
● Use the tests of FairuzaWRT / FuxorWRT as your only security tests.
● Use this tool on networks or systems that you don't 0wn or have permission to test.
The Future of FairuzaWRT
● Documentation
● IPv6 Attacks?
● More functions in FairuzaUS
● Integration of exploits into FairuzaUS
● NetHack = fun for everyone
When Firmware Goes Bad
When Firmware Goes Bad
● To avoid certain problems make sure that you turn boot wait on.
– nvram set boot_wait=on
● Something else to try
– Set the computer up to ping 192.168.1.1
– Remove cover and short out pins 15 and 16 on the nvram chip
– Apply power
– Once the ping is working tftp the image to the wrt
– tftp 192.168.1.1
– tftp> binary
– tftp> rexmt 1
– tftp> trace
– tftp> put <imagefile>
When Firmware Goes Bad
● Hold in the reset button (hahahah)
● Try loading Sveasoft
● http://voidmain.is-a-geek.net:81/redhat/wrt54g_revival.html
● Pray to the gods of firmware and offer up a sacrifice. Maybe an old telephone or something?
Uses or Brick
7 Uses for a Bricked WRT
The WRT Purse
See Demo
Extras Needed: 1 short piece of Cat5, 1 long piece of Cat5
The WRT Soccer Ball
The WRT Plastic Surgeon
Who could possibly know more about plastic surgery?
The WRT Rap Star
Fo Shizzle
The WRT Lawn Sprinkler
The WRT Pleasure Device
Extras Needed: 1 Midget, 1 Kazoo
FairuzaWRT Demo
Time permitting
Any Questions???
www.hackerpimps.com