
1
Linksys WRT54G / WRT54GS
Magical transformations to a useful piece of equipment
or a Brick
By:
Sysmin – ISSAP, CISSP, NSA-IAM
and
Quigon – ISSAP, CISSP, NSA-IAM
The Hacker Pimps
www.hackerpimps.com

2
About This Document
■
This document is not complete or current. Please
visit our site for the most current version.
www.hackerpimps.com/docs.html
Thank You,
The Hacker Pimps

3
WARNING!! WARNING!! WARNING!!
■
Modifying your firmware will void your warranty.
■
It's not like you would have done anything with it
anyway.
■
There is a possibility that you may brick your
WRT.
■
Isn't that half of the fun?
■
Idea? Hmm... Buying the buyer protection plan
from Best Buy might work. Don't think they even
check them.

4
WRT54G / WRT54GS At A Glance
■
WRT54G
➔
200MHz MIPS processor
➔
4MB of flash memory
➔
16MB of RAM
■
WRT54GS
➔
200MHz MIPS processor
➔
8MB of flash memory
➔
32MB of RAM
➔
Default has speed
booster crap

5
Custom Antenna Options
■
Directional or Omni-directional
■
RP-TNC connectors

6
Custom Antenna Options
■
Coax Cable – What length? Type? Hmm... Just
check out http://www.ocarc.ca/coax.htm
■
Now you and your neighbors can share
bandwidth.

7
Exterior Equipment
■
Some of this stuff may seem like a no-brainer
but...
➔
Make sure all devices that use electricity are protected
in a weatherproof enclosure.
➔
Use weatherproof fittings when available.
➔
Provide some sort of lightning protection.
➔
Use drip loops for connectors and building
penetrations.

8
A Few Firmware Options
■
Original Linksys Firmware
■
www.linksys.com
■
OpenWRT
■
www.openwrt.org
■
Sveasoft
■
www.sveasoft.com
■
Batbox
■
www.batbox.org
■
WiFiBox
■
www.sourceforge.net/projects/wifi-box
■
Google for more.

9
Our Two Favorites
■
OpenWRT and Sveasoft
■
Why?
➔
Sveasoft is extremely easy to use and offers instant
results.
➔
OpenWRT has software packages and allows for
much flexibility.
■
The rest of the presentation will focus on these
two firmware options.

10
Installing New Firmware
■
The easiest way to upgrade firmware on Linksys
and Sveasoft.

11
Setting OpenWRT NVRAM Variables
■
Showing NVRAM Values
nvram show
■
Searching NVRAM Values
nvram show | grep <string>
■
Setting NVRAM Values
nvram set <variable>=<value>
■
Don't forget to commit
nvram commit
■
Sometimes after committing a reboot is necessary

12
OpenWRT and Ipkg
■
Works similar to Apt
■
Repositories are set up in /etc/ipkg.conf
■
ipkg update #Updates package list
■
ipkg install <pkgname> #Install certain package
■
ipkg remove <pkgname> #Removes package

13
Funky Time Issue
■
OpenWRT Ain't Got The Time!
■
Discovered after some frustration
■
The output of the date command shows the date as
Jan 1st 2000 every time the access point is power
cycled.
■
This causes problems for anything that is
dependent on date and time. Your digital
certificates may not be valid for another 5 years or
so.
■
This can cause problems with OpenVPN w/Digital
certificates and 802.1x

14
Funky Time Issue Fix
■
Use the date command:
■
date <MMDDhhmmCCYY>
■
example: date 121813452004 (sets Dec 18, 13:45, 2004)
■
A more permanent fix is to run ntpclient at boot.
■
Install ntpclient via ipkg: ipkg install ntpclient
■
Add the following to your /etc/init.d/rcS:
■
ntpclient -h pool.ntp.org -l -s &
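An rcS fragment that builds on the ntpclient line above, added here as an example rather than taken from the slides: it backgrounds the NTP sync and then holds certificate-dependent services (OpenVPN, 802.1x) until the clock has actually moved off Jan 1st 2000. The init script name it starts is a hypothetical placeholder.

```shell
#!/bin/sh
# Added example, not from the slides: an /etc/init.d/rcS fragment that
# starts ntpclient as the slides do, then holds certificate-dependent
# services back until the clock is really set. A clock stuck at
# 1 Jan 2000 makes every certificate "not yet valid". The init script
# name below is a hypothetical placeholder.
FIRST_YEAR=2000   # what busybox date reports after a power cycle

# Return 0 when the year looks like a synced clock, 1 when it is still the default.
clock_is_sane() {
    [ "$1" -gt "$FIRST_YEAR" ]
}

# Poll the clock up to $1 times, one second apart; 0 when sane, 1 on timeout.
wait_for_clock() {
    n="$1"
    while [ "$n" -gt 0 ]; do
        clock_is_sane "$(date +%Y)" && return 0
        sleep 1
        n=$((n - 1))
    done
    return 1
}

# Boot sequence: call this from rcS once the WAN link is up.
sync_then_start() {
    ntpclient -h pool.ntp.org -l -s &
    if wait_for_clock 30; then
        /etc/init.d/S60openvpn start    # placeholder init script name
    else
        echo "clock still at $(date +%Y), holding back TLS services" >&2
        return 1
    fi
}
```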

15
Editing the IPTables Firewall
■
Rename the link in the /etc/init.d directory so it
doesn't start and so you can import the file from
ROM
■
Then copy the file from ROM
■
cp /rom/etc/init.d/S45firewall /etc/init.d/S45firewall
■
Edit the S45firewall file to your heart's content
■
vi S45firewall
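A replacement S45firewall to put in place of the copied file, added here as an example and not the script OpenWRT ships: it exposes only what the rest of this deck sets up (dropbear and the web UI from the LAN, OpenVPN on UDP 5000, the 6in4 tunnel from the HE.net endpoint used on the IPv6 slides). The WAN and tun interface names are assumptions.

```shell
#!/bin/sh
# Added example, not the S45firewall shipped with OpenWRT: a replacement
# rule set that exposes only what this deck sets up (dropbear from the LAN,
# OpenVPN on UDP 5000, the 6in4 tunnel from the HE.net endpoint).
WAN=vlan1                  # assumed WAN interface name for this build
LAN=br0                    # LAN bridge, as used on the IPv6 slides
TUN=tun0                   # assumed OpenVPN tun device
HE_ENDPOINT=64.71.128.83   # tunnel broker endpoint from the IPv6 slides

# Print each rule instead of applying it when IPT_DRYRUN=1 (for review).
ipt() {
    if [ "${IPT_DRYRUN:-0}" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi
}

firewall_rules() {
    ipt -F
    ipt -t nat -F
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -i "$LAN" -j ACCEPT                          # dropbear, web UI: LAN only
    ipt -A INPUT -i "$TUN" -j ACCEPT                          # VPN clients trusted like the LAN
    ipt -A INPUT -i "$WAN" -p udp --dport 5000 -j ACCEPT      # the only WAN-facing service
    ipt -A INPUT -i "$WAN" -p 41 -s "$HE_ENDPOINT" -j ACCEPT  # 6in4 from the broker only
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -i "$LAN" -o "$WAN" -j ACCEPT
    ipt -A FORWARD -i "$TUN" -o "$WAN" -j ACCEPT              # redirect-gateway clients
    ipt -A FORWARD -i "$TUN" -o "$LAN" -j ACCEPT
    ipt -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
}

# Number of TCP/UDP ports opened towards the WAN; anything above 1 means a
# service leaked past the policy (dropbear must never show up here).
wan_openings() {
    ( IPT_DRYRUN=1; firewall_rules ) | grep -c -- "-i $WAN -p [tu][cd]p"
}

case "${1:-}" in
    start) firewall_rules ;;
esac
```

Run it with IPT_DRYRUN=1 and call firewall_rules to review the rule list before it ever touches the box.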

16
Certificate Warning!!!!
Franks and Beans!!!!
■
Warren Says: Never use default certificates that
come with anything. Create your own CA.

17
Setting up a Certificate Authority
■
Creating your own CA can be fun!
■
OpenSSL
www.openssl.org
■
Compile or install using your favorite package
manager.
■
This is important because many of the auth types
and VPNs require Digital Certificates.

18
Creating a Self Signed CA
■
Using the Perl Script CA.pl to create the CA.
perl CA.pl -newca
■
Sometimes it chokes and you need to finish the
job by creating the “serial” file yourself in the
directory that houses the CA information.
echo '01' >serial
touch index.txt
■
Ta da! You have a new CA.

19
Create and Sign Request
■
Create a new certificate request
perl CA.pl -newreq
■
Sign a req
perl CA.pl -sign
■
To revoke a cert
openssl ca -revoke newcert.pem
■
Create Diffie Hellman Parameters
openssl dhparam -out dh1024.pem 1024

20
VPNs and Tunneling
■
OpenVPN
➔
http://openvpn.sourceforge.net
■
Openswan
➔
http://www.openswan.org
■
SSH tunneling

21
OpenVPN
■
http://openvpn.sourceforge.net
■
Uses UDP
■
Good for NAT'ed hosts
■
Uses SSL
■
Fairly easy to configure
■
Using an OpenVPN server can also help protect
your Internet connection when away from home

22
OpenVPN Server Configuration
■
port specifies the port the server will run on
port 5000
■
dev tun or dev tap specifies the type of interface
dev tun
■
TLS Parameters for use of digital certificates
ca /path/to/cert #Root CA Cert
cert /path/to/cert #Cert for OpenVPN
key /path/to/key #Key for OpenVPN
dh /path/to/dh1024.pem #Diffie Hellman params
■
Guess what this option does.
mode server

23
OpenVPN Server Configuration
■
push "<option>" #Pushes an option to clients; usually used to push routes
■
cipher <cipher> #The cipher used
■
redirect-gateway local #Sets the VPN as the default gateway
■
verb <level> #Sets the verbosity level

24
OpenVPN Client Configuration
■
dev tun or dev tap specifies the type of interface
dev tun
■
remote specifies the server and port
remote 192.168.1.1 5000
tls-client #specifies machine as client
■
TLS parameters
ca /path/to/cert #Root CA Cert
cert /path/to/cert #Cert for OpenVPN
key /path/to/key #Key for OpenVPN
■
verb #sets the verbosity level

25
OpenVPN Client Configuration
■
Cipher determines the cipher
cipher AES-128-CBC
■
redirect-gateway local #redirects traffic
■
pull #pulls settings from the server
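A matching server/client pair assembled from the options on the four OpenVPN slides, added here as an example rather than the authors' own configs, with a check that the two ends agree on the settings that must match. Certificate paths, the server's public name and the 10.8.0.0/24 address pool are assumptions.

```shell
#!/bin/sh
# Added example, not the slides' own files: writes an OpenVPN 2.x server/client
# pair built from the options on the slides and checks that the two ends agree
# on what must match. Paths, server name and the address pool are assumptions.
write_server_conf() {    # $1 = destination file
cat > "$1" <<'EOF'
port 5000
proto udp
dev tun
# "server" expands to the slides' "mode server" plus tls-server and an address pool
server 10.8.0.0 255.255.255.0
ca /etc/openvpn/ca.crt
cert /etc/openvpn/wrt.crt
key /etc/openvpn/wrt.key
dh /etc/openvpn/dh1024.pem
# def1 overrides the client default route instead of replacing it; the slides'
# "local" flag only suits clients on the same subnet as the server
push "redirect-gateway def1"
cipher AES-128-CBC
verb 3
EOF
}
write_client_conf() {    # $1 = destination file
cat > "$1" <<'EOF'
dev tun
proto udp
# assumed public name of the WRT; the slides use 192.168.1.1 for LAN testing
remote wrt.example.net 5000
nobind
tls-client
pull
ca /etc/openvpn/ca.crt
cert /etc/openvpn/laptop.crt
key /etc/openvpn/laptop.key
cipher AES-128-CBC
verb 3
EOF
}
# Print field $3 (default 2) of the first line whose directive is $2 in file $1.
conf_value() { awk -v k="$2" -v f="${3:-2}" '$1 == k { print $f; exit }' "$1"; }
# 0 when server ($1) and client ($2) agree on dev, proto, port and cipher; a
# mismatched cipher breaks the data channel although the TLS handshake succeeds.
confs_agree() {
    [ "$(conf_value "$1" dev)" = "$(conf_value "$2" dev)" ] &&
    [ "$(conf_value "$1" proto)" = "$(conf_value "$2" proto)" ] &&
    [ "$(conf_value "$1" port)" = "$(conf_value "$2" remote 3)" ] &&
    [ "$(conf_value "$1" cipher)" = "$(conf_value "$2" cipher)" ]
}
```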

26
Fun with SSH
■
What's Required:
➔
ipkg install dropbear
➔
Dropbear is a stripped down version of OpenSSH
originally written to run on a 386 laptop with 4MB.
➔
Provides most OpenSSH capabilities
➔
Client and server
➔
Secure copy (SCP)
➔
Port forwarding
➔
Encrypted traffic
➔
Uses most of the same syntax as OpenSSH

27
Fun with SSH
■
What you can do with it:
➔
Say you have a Squid server doing caching on your
internal network.
➔
You're on a public (possibly hostile) network.
➔
ssh root@wrtexternal.net -C -L 3128:ipofsquidbox:3128
➔
Now set your web browser's proxy settings to
127.0.0.1 port 3128.
➔
Your traffic will now be fully encrypted (and
compressed) until it gets to a “safe zone” (your home
network).

28
Fun with SSH
■
What you can do with it:
➔
SSH tunnelling can be done seamlessly with almost
any TCP based connection.
➔
Dropbear does NOT have IPv6 capability (yet).
➔
Connections aren't limited to your internal network.
➔
Things get a bit hairy using Windows XP as a client for
Terminal Services via SSH (but still can be done).

29
802.1x
■
Better than standard WEP.
■
Can use your new Digital Certificates.
■
Can do dynamic key rotation.
■
Stronger authentication.
■
Can still use usernames / passwords if you want
(yuck!). Only this time with more security.

30
802.1x Linux Client
■
www.open1x.org
■
Has extensive configuration options
■
Configurations are done through configuration files
■
Supports multiple authentication types including
EAP-TLS, PEAP, and LEAP

31
802.1x Windows Client
■
Later versions of Windows have built-in support.
■
XP with SP2 has best support.
■
XP with SP1 has limited support.
■
2000 has a download with limited support.

32
802.1x with TinyPEAP
■
The easiest way to do 802.1x with the WRT.
■
Works with Linksys and Sveasoft firmware.
■
Nice web interface for adding users and setting
preferences.
■
Set security mode to: Radius
■
Set the radius server address to the address of
the AP.
■
Radius port should be 1812
■
Shared key should be: password
■
Set an initial WEP key
■
Add users through the GUI

34
IPv6
■
What's Required:
➔
ipkg install iproute2
➔
ipkg install radvd
➔
ipkg install kmod-ipv6
➔
IPRoute2 allows for easier configuration of IPv6 over
IPv4 tunnels.
➔
RADVD (Router Advertisement Daemon) broadcasts an
IPv6 prefix to the rest of your network
➔
kmod-ipv6 provides the IPv6 kernel modules for
connectivity and firewalling.

35
IPv6
■
Getting connected:
➔
We used Hurricane Electric as an IPv6 Tunnel Broker.
➔
http://www.tunnelbroker.net
➔
Allows for a static IPv6 over IPv4 tunnel and a /64 for
your internal network.
➔
Fairly easy to get it all working.
➔
Requires registration and a few hours for HE to set up
the tunnel.

36
IPv6
■
Getting connected:
➔
Once HE establishes the tunnel, set up your end:
➔
ip tunnel add he.net mode sit remote 64.71.128.83 local 12.34.56.78 ttl 255
➔
ip link set he.net up
➔
ip addr add 2001:470:1F01:F00D::2F1/127 dev he.net
➔
ip route add ::/0 dev he.net
➔
ip -f inet6 addr
➔
You can also add these commands to /etc/init.d/rcS to
make them more permanent.
➔
ping6 www.kame.net to make sure you have
connectivity.

37
IPv6
■
For the rest of your network:
➔
Set up your router advertiser:
➔
vi /etc/radvd.conf
➔
interface br0
{
    AdvSendAdvert on;
    MinRtrAdvInterval 3;
    MaxRtrAdvInterval 10;
    AdvHomeAgentFlag off;
    prefix 2001:470:1F01:CAFE::/64
    {
        AdvOnLink on;
        AdvAutonomous on;
        AdvRouterAddr on;
    };
};

38
IPv6
■
For the rest of your network:
➔
Assign one of the /64 IPv6 IPs to the br0 interface
➔
ip -6 addr add 2001:470:1F01:CAFE::1/64 dev br0
➔
Ensure IPv6 forwarding is enabled
➔
echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
➔
Start RADVD
➔
radvd -m logfile -l /var/log/radvd.log
➔
These can also be added to /etc/init.d/rcS.
➔
You should now be able to ping6 www.kame.net from
IPv6 enabled clients.

39
Community Networking
■
Using the WRT as a wireless client.
■
Using WDS (Wireless Distribution System).
■
Creating a Phat network in your neighborhood
because sharing your Internet connection is fun
for everyone.
■
Do some prior planning and have an objective for
your community network.
■
Doesn't matter if you want to share Internet
access or files, planning goes a long way.
■
Know what type of antennas you need to use.

40
Community Networking
■
Be mindful of obstructions in the Fresnel zone.
■
Metal can be a very bad thing.

41
WRT as a Wireless Client
■
Allows you to connect to another access point
using wireless.
■
No need to configure main access point.
■
Must be configured with the same SSID.
■
Must be configured on the same channel.

42
Using WDS in Sveasoft
■
Setup through the GUI
■
Easy to configure
■
Can still use the wireless interface even though it
is meshing.
■
Enter MAC addresses of other AP's wireless
interfaces into the WDS config page

44
WDS in Sveasoft
■
Set the scope, hand out DHCP, and be the
gateway on one AP.
■
Set up this AP as the gateway on other APs.
■
Turn off DHCP on other APs.

45
Hotspots and Authentication
■
NoCat
➔
http://nocat.net
■
Chillispot
➔
http://www.chillispot.org

46
Cross Compiling Applications
■
Easy way to get a cross compiler up and running:
➔
Requires a Debian based distro
➔
From http://skaya.enix.org/wiki/ToolChain
➔
apt-get install toolchain-source toolchain-source-gdb toolchain-source-newlib
➔
tpkg-make mipsel-linux
➔
cd binutils-mips-linux-*/ ; debuild -us -uc
➔
su -
➔
debi
➔
TPKG_SERVER=ftp://ftp.us.debian.org tpkg-install-libc mipsel-linux
➔
cd into the gcc-mips-linux-* directory
➔
debuild -us -uc
➔
debi
➔
A lot easier than it sounds

47
Cross Compiling Applications
■
Not so easy ways
➔
Compile from source (good luck!!!)
➔
Use CrossTool
➔
Cross compiler build scripts from
http://www.kegel.com/crosstool/
➔
Has issues with bash 3.x
➔
I've never gotten a compiler up and running these ways
➔
To make an app from source (from ToolChain slide):
➔
CC=mipsel-linux-gcc CFLAGS="-s --static" ./configure --host=mipsel
➔
make

48
Cross Compiling Applications
■
Issues with compiling
➔
AKA -- My limited knowledge with embedded
development and cross compilers
➔
Linux uses glibc for its C library
➔
OpenWRT uses uClibc
➔
a much more stripped down and compact C library
➔
Binaries compiled against glibc must be statically
linked (hence the --static)
➔
They end up being huge (even after the symbols get
stripped...-s)
➔
We're working on it
➔
Trying to use the Tool Chain that actually builds OpenWRT

49
Customizing OpenWRT
■
2 Config scripts to know about (for now)
➔
/buildroot/sources/openwrt/busybox/busybox.config
➔
Busybox is a command line environment used in embedded
systems (many POSIX tools in a >200KB package if
configured properly).
➔
There are some tools you might want that aren't compiled in
by default (e.g. mkswap, swapon, swapoff).
➔
/buildroot/sources/openwrt/kernel/linux.config
➔
Standard .config file from the 2.4.20 kernel
➔
for more flexibility, enabling and disabling modules you
need/don't need.
➔
BE VERY CAREFUL DOING THIS. You could end up
with a firmware that bricks your WRT.
➔
Don't say we didn't warn you.

50
Mod The #@&$ Out Of It!
WrtZilla
Yes, this is a functional WRT

52
Drive-by Upload
■
Remember why it is so important to change your
defaults?

53
FuxorWRT by THP
“Don't Enter us, We'll enter you!”

54
THP Customized Firmware
■
FuxorWRT
➔
Hacker Pimps' Customized OpenWRT firmware
➔
Includes (out of the box):
➔
most kernel modules embedded into the firmware
➔
smbmount & smbclient
➔
nbtscan
➔
aircrack
➔
NFS client/NFS Swap
➔
IPv6 stack (with Router Advertiser)
➔
THC-Hydra
➔
Lutz (tiny port scanner similar to NMAP)
➔
hping2
➔
stunnel
➔
Misc. exploits for computers behind the WRT54G(S)
➔
Suggestions?

55
More Fuxor
■
FuxorWRT Build
➔
Customized linux.config
➔
Customized busybox.config
➔
Several cross compiled tools and apps
➔
copied into /opt/build_mipsel/root
➔
Re-running “make” in your buildroot dir adds new
programs and Kernel/BusyBox mods
➔
Custom /opt/build_mipsel/root/etc/banner

56
Netcat
■
Using netcat as a port scanner.
➔
nc -v -z <host> <port range>
■
Using netcat to connect to ports and banner grab.
➔
nc <host> <port>
■
Using Lutz
➔
-sC Connect() Scan. Default for nonroot users
➔
* -sS SYN-Stealth Scan. Default for r00t
➔
* -sF,-sX,-sN FIN,Xmas,NULL-Scan instead of SYN
➔
Many other options

57
More Attacks
■
What can be done with FuxorWRT?
➔
Discover hosts
➔
Port scan
➔
Scan for shares
➔
Transfer data
➔
Mount shares
➔
Crack WEP
➔
Exploit

59
When Firmware Goes Bad
■
To avoid certain problems make sure that you turn
boot wait on.
nvram set boot_wait=on
■
Something else to try
➔
Set the computer up to ping 192.168.1.1
➔
Remove cover and short out pins 15 and 16 on the
nvram chip
➔
Apply power
➔
Once the ping is working tftp the image to the wrt
➔
tftp 192.168.1.1
➔
tftp> binary
➔
tftp> rexmt 1
➔
tftp> trace
➔
tftp> put <imagefile>

60
When Firmware Goes Bad
■
Hold in the reset button
■
Pray to the gods of firmware and offer up a
sacrifice. Maybe an old telephone or something?

62
The WRT Purse
See Demo
Extras Needed: 1 short piece of Cat5
1 long piece of Cat5

67
The WRT Pleasure Device
Extras Needed: 1 Midget
1 Kazoo

68
Thank You
■
We would like to thank the developers of the
various projects and communities that make them
great. Your work is greatly appreciated.

69
Useful Links
■
www.openwrt.org
■
www.sveasoft.com
■
http://openvpn.sourceforge.net
■
http://www.openswan.org
■
http://voidmain.is-a-geek.net:81/redhat/wrt54g_revival.html
■
www.openssl.org
■
http://www.neonbox.org/nanobox

70
Any Questions?
■
Sysmin Sys73m47ic
Nathan Hamiel – ISSAP, CISSP, NSA-IAM
sysmin@neohaxor.org
■
Quigon
Gene Cronk – ISSAP, CISSP, NSA-IAM
gene@hacktek.com
The Hacker Pimps
www.hackerpimps.com