OpenWRT basic command line configuration

OpenWRT is an open source third party firmware, originally built for the Linksys WRT54G. Support has since been expanded to networking devices ranging from consumer to enterprise grade routers and wireless access points. OpenWRT has a variety of web based user interfaces, as you would expect with any networked device, but because the operating system is based on the Linux kernel, the command line is where its flexibility really shows.

If you are familiar with any *nix operating system, you will find working in OpenWRT's shell (reached over Dropbear, its SSH server) simple. The binary I will be focusing on is uci, the Unified Configuration Interface. As its name implies, uci is the program responsible for making all configuration changes to the system files located in /etc/config/.

The syntax is broken into three parts. The first two are mandatory; the [arguments] field is optional depending on the command.

uci [options] command [arguments]

The command target is also broken down into three parts: file.section.option. Sections can be referred to by name, such as lan or wan in /etc/config/network or wifi0 in /etc/config/wireless. Sections that do not have a name are referred to by their position in the array of sections of that type; an example of this is wireless.@wifi-iface[0].ssid

To view a configuration file such as /etc/config/network:

uci export network

Setting or adding a value in a section, in this case the default gateway, is as easy as typing:

uci set network.lan.gateway=10.168.1.1

OR

uci set network.@interface[1].gateway=10.168.1.1

To add or delete options, use uci add or uci delete, for example:

uci delete wireless.@wifi-iface[0].encryption

It is also possible to set DHCP options, such as the gateway or DNS servers to push to clients. Refer to this website (http://www.networksorcery.com/enp/protocol/bootp/options.htm) to find the DHCP option codes.

uci add_list dhcp.lan.dhcp_option="3,10.168.1.1"    # DHCP options live in /etc/config/dhcp, so commit with: uci commit dhcp

When you are done making changes you must run:

uci commit [configuration]

example: uci commit network
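To make the file.section.option addressing concrete, here is an added example (my own code, not part of the original post or of uci) that parses text in the shape uci export prints and resolves both named and positional (@type[index]) references; the wireless dump it reads is constructed for illustration, not taken from a real device.

```python
import re
SAMPLE = """package wireless

config wifi-device 'wifi0'
    option channel '6'

config wifi-iface
    option ssid 'OpenWrt'
    option encryption 'psk2'

config wifi-iface
    option ssid 'guest'
    option encryption 'none'
"""  # constructed sample in the shape of uci export output, not a dump from a real device

LINE_RE = re.compile(r"^(package|config|option|list)\s+([^\s']+)(?:\s+'(.*)')?$")
# file.section.option, where section is a name (lan) or a positional @type[index]
REF_RE = re.compile(r"^(\w+)\.(?:@([\w-]+)\[(-?\d+)\]|([\w-]+))\.([\w-]+)$")

def parse_uci_export(text):
    """Parse uci export text into (package, [{type, name, options}]); name is None for anonymous sections."""
    package, sections, cur = None, [], None
    for line in filter(None, map(str.strip, text.splitlines())):
        kind, a, b = LINE_RE.match(line).groups()
        if kind == "package":
            package = a
        elif kind == "config":
            cur = {"type": a, "name": b, "options": {}}
            sections.append(cur)
        elif kind == "option":
            cur["options"][a] = b
        else:  # 'list' entries repeat, so collect them (this is what add_list appends to)
            cur["options"].setdefault(a, []).append(b)
    return package, sections

def uci_get(package, sections, ref):
    """Resolve wireless.@wifi-iface[0].ssid (positional) or wireless.wifi0.channel (named)."""
    pkg, stype, idx, name, opt = REF_RE.match(ref).groups()
    assert pkg == package, ref
    if stype:  # @type[n] counts only sections of that type, exactly as uci does
        section = [s for s in sections if s["type"] == stype][int(idx)]
    else:
        section = next(s for s in sections if s["name"] == name)
    return section["options"][opt]

def open_ssids(sections):
    """SSIDs of wifi-iface sections with no encryption (the kind of network the later posts warn about)."""
    return [s["options"].get("ssid") for s in sections
            if s["type"] == "wifi-iface" and s["options"].get("encryption", "none") == "none"]
```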

It is also possible to control startup services through their init scripts:

root@OpenWRT:~# /etc/init.d/network
Syntax: /etc/init.d/network [command]
Available commands:
        start     Start the service
        stop      Stop the service
        restart   Restart the service
        reload    Reload configuration files (or restart if that fails)
        enable    Enable service autostart
        disable   Disable service autostart

Script

OpenWRT does not try to set the correct time and date at startup. It is possible to install an NTP (Network Time Protocol) client that runs as a daemon, but I chose to write a script that uses the already built-in rdate to set the date and time.

1) Set your timezone. Refer to this page from sun.com (http://docs.sun.com/source/816-5523-10/appf.htm) for a list of timezone codes.

uci set system.@system[0].timezone=CST6CDT
uci commit system 

2) Download (or copy and paste) the set_date.sh script to /etc/init.d/setdate on the device running OpenWRT.

#!/bin/sh /etc/rc.common
# Set the clock from an rdate server at boot. Keep retrying until the year is
# no longer the epoch default (which reads as 1969 in the CST6CDT timezone set above).
START=10
start() {
        DATE="1969"
        while [ "$DATE" = "1969" ]; do
                /usr/sbin/rdate 128.138.140.44
                if [ $? -ne 0 ]; then
                        sleep 60
                fi
                DATE=`date +%Y`
        done
}

3) Make the script executable and enable it to run at boot:

chmod +x /etc/init.d/setdate
/etc/init.d/setdate enable 

4) Reboot the device and check the date.

# date
Mon Dec 28 11:36:28 CST 2009 



Jasager, Karma on the Fon


Karma is a set of tools for sniffing wireless network probe requests coming from wireless clients. Karma automatically responds to any SSID probe and pretends to be the requested AP, giving the wireless client a good reason to connect.

Robin Wood (@digininja) took Karma to the next level by rebuilding it with the La Fonera routers, specifically the original Fon 2100 and the Fon+ 2201, in mind because of their low cost and small footprint. He also created a web interface for easy visualization of connected clients and to control functionality. He released this package as “Jasager, Karma on the Fon” in November 2008.

Fon+ 2201

Jasager comes in three different packages. First, Jasager comes as a binary package, installable on a device that has an Atheros Wi-Fi card and is already running OpenWRT. Second is the official Jasager firmware, built, tested and hosted by Robin Wood on the project's homepage. Finally, Jasager has also been integrated into the Piranha 2.0 alpha4 firmware created by Orange (http://piranha.klashed.net/). Piranha 3.0 DOES NOT have Jasager integrated. I will be flashing my Fon+ with Piranha 2.0 alpha4 because of the extra functionality Orange has built in, including a web interface for configuring the router.

As with most things in life, there are several ways to go about flashing a Fon with third party firmware. For simplicity, I will be using a GUI app called Fon Flash (http://www.gargoyle-router.com/download.php), but if you are interested in getting into the nitty gritty of flashing, check out the installation instructions on the Jasager project page.

First you must flash the Fon with the firmware of your choice. I used Fon Flash and pointed it to the .squashfs rootfs file and the .lzma kernel file.

Fon Flash GUI

Connect the Fon/+ through the LAN port to the NIC on your computer.
Set the NIC’s IP address to 192.168.1.2, netmask 255.255.255.0 and gateway 192.168.1.1
Press the “Flash router Now!” button on Fon Flash
Reboot the Fon and you should see Fon Flash discover and connect to the router
The .squashfs and .lzma files will be uploaded and installed. This process will take about 20 minutes. Be patient.
The router will reboot and you will need to set your computer’s NIC to DHCP
Telnet to 192.168.1.1 on port 23
To start the SSH server (Dropbear) you must set the root password with the command: passwd

OpenWRT login message

For this setup, I will be using Jasager to bait wireless clients into using the Internet provided by my evil gateway:

Remove wireless security, change the SSID, and change the Fon’s IP:

    vim /etc/config/wireless

    *note* Jasager firmware users: change "option disabled 1" to "option disabled 0"
    change "option ssid default" to "option ssid ‘SOMETHING INTERESTING’"
    *note* Piranha firmware users: remove "option encryption psk2" and "option key k4m1k4z3"

    uci set network.lan.ipaddr=10.168.1.254   # set the Fon's IP
    uci set network.lan.gateway=10.168.1.1    # set the Fon's gateway
    uci commit network

Start Jasager on boot:

    vim /etc/init.d/jasager

    Make "iwpriv ath0 karma 1" the last line of the start() function.

Configure DHCP to provide a DNS server and an evil gateway (our laptop):

    uci add_list dhcp.lan.dhcp_option="3,10.168.1.1"            # gateway
    uci add_list dhcp.lan.dhcp_option="6,10.168.1.254,4.2.2.2"  # DNS servers
    uci commit dhcp

Reboot the Fon, then SSH to 10.168.1.254 and log in as root with the password you set.

The laptop will be acting as the default gateway. This way, all traffic going out to the Internet can be easily captured. For this setup to work correctly, the laptop must be configured to accept traffic from the Fon and forward it out an interface connected to the Internet.

On Linux and other *nix-based OSes, iptables can be configured in masquerade mode to allow traffic forwarding. I’ve created a bash script to easily allow users to configure their computers to do this. {DOWNLOAD}
On Windows, Internet Connection Sharing (ICS) needs to be enabled on the interface connected to the Internet. The interface connected to the Fon should have an IP address of 10.168.1.1 netmask 255.255.255.0
Everything should be set up and all packets should be flowing through your evil gateway.



Sidejacking with Hamster

Websites need to somehow protect users’ passwords when they are sent from the browser to the server. To do this, sites will encrypt the password into a session cookie and pass that securely to the server. An issue arises because the website server does not, or cannot, perform a check on the authenticity of where this session cookie is coming from. Sidejacking, or session hijacking, is when an attacker captures network traffic, specifically web traffic containing the user's authentication token (session cookie) for a website, and then replays the token to gain access to the user's account.

A set of tools released by Errata Security (http://erratasec.blogspot.com) called Ferret/Hamster automates this process and provides a web interface to replay the cookies. Ferret is a specially built packet sniffer that collects only packets containing session cookies. The session ID and associated website are written to a file. Hamster is a web proxy that runs locally and reads from the file Ferret created, for easy replaying of the captured cookies.

Ferret/Hamster 2.0 can be downloaded from http://hamster.erratasec.com/. The tool comes as either a Windows binary or *nix source that can easily be compiled. I have had some issues with Hamster crashing on Windows 7, but Ferret was able to run just fine.

After obtaining the executables by either downloading or compiling them, run ferret -W from the command line to list the available network adapters.

The output on my test machine of ferret -W. I'm interested in interface 1 (eth0), 3 (wlan0) and 4 (bnep0 - my 3G cellphone modem).

To start sniffing for session cookies traveling from your machine to the Internet, run ferret -i interface. On Windows you will be using the number associated with the interface. On Linux you are able to specify eth0, wlan0, etc. Session cookies will be collected and stored in a file called hamster.txt in the directory with the executables.

In a command prompt, navigate to where ferret/hamster is saved and start hamster. You will notice that the proxy will be running on http://127.0.0.1:1234. To access this web page, you must set your browser to use a web proxy running on port 1234. I like to use a Firefox plug-in called FoxyProxy to easily change the browser's proxy settings.

Now that ferret is collecting sessions and hamster is ready to replay those sessions, use a browser to navigate to http://hamster. You should see a list of IP addresses that sessions have been collected from. When you click on one of the targets, a list of websites will appear in the left hand panel. Click on one and, with any luck, hamster should automatically pass the session cookie and redirect you to the post-authentication webpage.

Defense

You see how easy it is for an attacker to obtain access to your websites. There are several preventative measures users can take to protect themselves. Do not connect to unsecured wireless access points. Connecting to unsecured wireless access points will make you the most vulnerable because you do not know and cannot trust the other computers connected in the area. That being said, much of the time it is impractical to totally avoid using a wireless connection, so use a VPN connection or SSH tunnel to encrypt network traffic sent from your machine. I have found that sites using SSL such as gmail (not by default) are less likely to be prone to this attack. Be aware of what high impact sites you are visiting. Most of the time attackers are not interested in low impact sites like Facebook or Twitter profiles, but rather, they are looking to gain access to high impact sites like corporate web email and financial websites. The simplest action any web user can take to mitigate the risk of sidejacking is to log out of the website, because once you log out, the authentication session cookie is no longer valid. Moral of the story, always be wary when you are connected to untrusted wired or wireless networks.
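As an added example (not from the post and not part of Errata Security's tools), the following audit flags Set-Cookie headers that expose a session to exactly this replay: session-looking cookies issued over cleartext HTTP, and cookies without the Secure flag, which the browser will send in the clear even on a site that supports SSL. The HTTP response is constructed, and the cookie-name heuristic is an assumption of mine, not a standard.

```python
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: SESSIONID=EXAMPLE-SESSION-TOKEN; Path=/; HttpOnly
Set-Cookie: prefs=lang%3Den; Path=/; Max-Age=31536000
Set-Cookie: auth=EXAMPLE-AUTH-TOKEN; Path=/; Secure; HttpOnly

<html>...</html>
"""  # constructed response as it would cross the wire in the clear; not real captured traffic

SESSION_HINTS = ("sess", "auth", "token", "sid", "login")  # assumed name heuristic, not a standard

def parse_set_cookie(header_value):
    """Split 'name=value; Attr; Attr=val' into (name, value, {attr_lowercase: value_or_True})."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, has_eq, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_eq else True
    return name.strip(), value, attrs

def set_cookie_headers(response_text):
    """Values of every Set-Cookie header in the response head (the part before the blank line)."""
    head = response_text.split("\n\n", 1)[0]
    return [l.split(":", 1)[1].strip() for l in head.splitlines() if l.lower().startswith("set-cookie:")]

def looks_like_session(name):
    return any(hint in name.lower() for hint in SESSION_HINTS)

def audit_cookies(response_text, over_tls):
    """Map cookie name -> problems that let an on-path sniffer capture and replay it."""
    findings = {}
    for header in set_cookie_headers(response_text):
        name, _, attrs = parse_set_cookie(header)
        if not looks_like_session(name):
            continue  # preference cookies are not worth replaying
        problems = []
        if not over_tls:
            problems.append("session cookie issued over cleartext HTTP")
        if "secure" not in attrs:
            problems.append("no Secure flag: browser will also send it over plain HTTP")
        if "httponly" not in attrs:
            problems.append("no HttpOnly flag: readable from script")
        if problems:
            findings[name] = problems
    return findings
```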

"Just because you are paranoid, it doesn’t mean they are not out to get you"



Networking Basics: Capturing Packets

I recently gave a presentation (slides - pdf) about packet sniffing to a group of students interested in the security field. It was an interesting experience given the fact that it was only the second time I have presented something in two years, and I desperately need public speaking practice. Overall I feel it went well and I look forward to giving another presentation in the future.

This is a recap of the presentation with some additional comments. Understanding how to capture packets is one of the core competencies a network administrator should have. Packet captures can help you understand how packets are constructed, troubleshoot connectivity issues, and monitor traffic from known or unknown applications. Tools like Wireshark and TCPDump make watching data fly across the network easy to do and are invaluable when troubleshooting or performing reconnaissance on a network. Let's break it down from the beginning.

Network communication (lolz interwebz) is based around, depending on who you ask, a five (Internet) or seven (OSI) layer model. I like to cover the five layer model because it is a bit simpler and contains the most interesting stuff. These layers encapsulate the data in a standard frame that all network devices, from a network interface card (NIC), to a switch or router, can read and process.

These Matryoshka dolls represent the OSI layers. The smallest is the application layer (Layer 5). The largest is the physical layer (Layer 1).

When you capture a packet you are capturing this data and because this is an open model, anyone can easily figure out how to decapsulate the frame. Wireshark (www.wireshark.org), in particular, is a great tool for viewing how data is arranged on a network. This tool is freely available and has great filtering abilities. TCPDump (www.tcpdump.org) is similar to Wireshark, but in a lightweight, command line form.

Normally, computers will only process packets that are labeled with their MAC (layer 2) and IP (layer 3) address. This won't cause any problems with capturing packets going to and from your own machine, like when you are browsing the web, but it would cause problems if you want to see what other computers are doing on the network. The default for most packet sniffing tools is to put a wired NIC in promiscuous mode, though exactly how this is done is OS specific. Promiscuous mode allows the packet capturing tool to receive every packet, regardless of MAC or IP. If you are on a switched network (which is more than likely) you will still only see packets destined for your machine because switches are smart enough to know what port a MAC address is attached to and will only send packets to the right port. To see all traffic in this situation you need a network tap or a Cisco SPAN port enabled. Hubs, on the other hand, are dumb, and will send packets out all ports with no regard to which MAC they are destined for.
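An added example (my own code, not from the presentation) that builds a sample Ethernet/IPv4/TCP frame and peels it apart layer by layer as a sniffer's dissector would, then applies the destination-MAC test a NIC performs unless it is in promiscuous mode. The frame is constructed test data with zeroed checksums and TEST-NET addresses.

```python
import struct

BROADCAST = "ff:ff:ff:ff:ff:ff"

def build_frame(dst_mac, src_mac, src_ip, dst_ip, sport, dport, payload):
    """Assemble a sample Ethernet/IPv4/TCP frame: constructed test data, checksums left at zero."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    ip = lambda s: bytes(int(o) for o in s.split("."))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0, ip(src_ip), ip(dst_ip))
    return mac(dst_mac) + mac(src_mac) + struct.pack("!H", 0x0800) + ipv4 + tcp

def decapsulate(frame):
    """Peel the layers off a captured frame the way a dissector does: Ethernet (2), IP (3), TCP (4), payload (5)."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    layers = {"eth": {"dst": frame[:6].hex(":"), "src": frame[6:12].hex(":"), "type": hex(ethertype)}}
    if ethertype != 0x0800:  # not IPv4, stop at layer 2
        return layers
    ihl = (frame[14] & 0x0F) * 4  # IP header length field tells us where layer 4 starts
    layers["ip"] = {"src": ".".join(map(str, frame[26:30])), "dst": ".".join(map(str, frame[30:34])),
                    "ttl": frame[22], "proto": frame[23]}
    if layers["ip"]["proto"] != 6:  # not TCP
        return layers
    t = 14 + ihl
    sport, dport = struct.unpack("!HH", frame[t:t + 4])
    doff = (frame[t + 12] >> 4) * 4  # TCP data offset tells us where the payload starts
    layers["tcp"] = {"sport": sport, "dport": dport, "flags": frame[t + 13]}
    layers["app"] = frame[t + doff:]
    return layers

def nic_would_deliver(frame, our_mac, promiscuous=False):
    """A NIC not in promiscuous mode discards frames addressed to neither its own MAC nor broadcast."""
    return promiscuous or frame[:6].hex(":") in (our_mac.lower(), BROADCAST)
```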

Capturing all the packets traveling across a wireless LAN is just as easy. I won't say that operating systems based on Unix are the only ones that can do this, but they are by far the ones that can do it most easily. Do some research into AirPCAP and related wireless cards if you are looking at using Windows for this. The wireless equivalent of promiscuous mode is monitor mode. Monitor mode lets your wireless card see every packet that is sent on the surrounding radio waves. This mode must be supported by the WLAN card drivers. The Aircrack-ng wiki has a good chart of Linux compatible cards that support monitor mode. Most tools do not automatically put wireless cards into this mode, but iwconfig wlan0 mode monitor is a simple command that will allow the card to hear all and see all.

That about wraps up the very basics of capturing network traffic on both wired and wireless connections. I will be posting more information about other tools you can use alongside live and offline packet captures, but until then, check out these extremely helpful sites:

PacketLife.org cheatsheets - http://packetlife.net/library/cheat-sheets/

TheInterW3bs.com packet capture cheatsheet - http://theinterw3bs.com/docs/PacketSniffCraft-CheatSheet.pdf

Basic Wireshark filters - http://openmaniak.com/wireshark_filters.php

Wireshark tutorial - http://www.security-freak.net/tools/wireshark/wireshark.html
