Linksys WRT54G / WRT54GS
Magical transformations to a useful piece of equipment
or a Brick
By:
Sysmin – ISSAP, CISSP, NSA-IAM
and
Quigon – ISSAP, CISSP, NSA-IAM
The Hacker Pimps
www.hackerpimps.com

About This Document
■ This document is not complete or current. Please visit our site for the most current version.
  www.hackerpimps.com/docs.html
Thank You,
The Hacker Pimps

WARNING!! WARNING!! WARNING!!
■ Modifying your firmware will void your warranty.
■ It's not like you would have done anything with it anyway.
■ There is a possibility that you may brick your WRT.
■ Isn't that half of the fun?
■ Idea? Hmm... Buying the buyer protection plan from Best Buy might work. Don't think they even check them.

WRT54G / WRT54GS At A Glance
■ WRT54G
  ➔ 200 MHz MIPS processor
  ➔ 4MB of flash memory
  ➔ 16MB of RAM
■ WRT54GS
  ➔ 200 MHz MIPS processor
  ➔ 8MB of flash memory
  ➔ 32MB of RAM
  ➔ Default has speed booster crap

Custom Antenna Options
■ Directional or Omni-directional
■ RP-TNC connectors
■ Coax Cable – What length? Type? Hmm... Just check out http://www.ocarc.ca/coax.htm
■ Now you and your neighbors can share bandwidth.

Exterior Equipment
■ Some of this stuff may seem like a no-brainer but...
  ➔ Make sure all devices that use electricity are protected in a weatherproof enclosure.
  ➔ Use weatherproof fittings when available.
  ➔ Provide some sort of lightning protection.
  ➔ Use drip loops for connectors and building penetrations.

A Few Firmware Options
■ Original Linksys Firmware
  ■ www.linksys.com
■ OpenWRT
  ■ www.openwrt.org
■ Sveasoft
  ■ www.sveasoft.com
■ Batbox
  ■ www.batbox.org
■ WiFiBox
  ■ www.sourceforge.net/projects/wifi-box
■ Google for more.

Our Two Favorites
■ OpenWRT and Sveasoft
■ Why?
  ➔ Sveasoft is extremely easy to use and offers instant results.
  ➔ OpenWRT has software packages and allows for much flexibility.
■ The rest of the presentation will focus on these two firmware options.

Installing New Firmware
■ The easiest way to upgrade firmware on Linksys and Sveasoft.

Setting OpenWRT NVRAM Variables
■ Showing NVRAM Values
    nvram show
■ Searching NVRAM Values
    nvram show | grep <string>
■ Setting NVRAM Values
    nvram set <variable>=<value>
■ Don't forget to commit
    nvram commit
■ Sometimes a reboot is necessary after committing

OpenWRT and Ipkg
■ Works much like APT
■ Repositories are set up in /etc/ipkg.conf
■ ipkg update              # Updates the package list
■ ipkg install <pkgname>   # Installs a package
■ ipkg remove <pkgname>    # Removes a package

Funky Time Issue
■ OpenWRT Ain't Got The Time!
■ Discovered after some frustration
■ The output of the date command displays the date as Jan 1st 2000 every time the access point is power cycled
■ This causes problems for anything that is dependent on date and time. Your digital certificates may not be valid for another 5 years or so.
■ This can cause problems with OpenVPN w/Digital certificates and 802.1x

Funky Time Issue Fix
■ Use the date command:
  ■ date <mmddhhmmccyy>
  ■ example: date 121813452004
■ For a more permanent fix, run ntpclient on boot.
  ■ Install ntpclient via ipkg
  ■ Add the following to your rcS:
  ■ ntpclient -h pool.ntp.org -l -s &
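
The ntpclient line runs in the background, so anything started right after it in rcS can still see Jan 1st 2000 and reject certificates as not yet valid. The sketch below is an added example, not part of the original slides: it holds time-dependent services until the clock has been set. It assumes a shell where `date +%s` prints epoch seconds; the function names, the floor value and the config path are made up for illustration.

```sh
#!/bin/sh
# Added example, not from the original slides. Assumes a shell where
# `date +%s` prints epoch seconds; all names below are made up for illustration.

# Floor for "the clock has been set": 2004-12-18 13:45:00 taken as UTC, the
# date in the slide's `date 121813452004` example. A freshly booted box
# reads 2000-01-01 (epoch 946684800), which is below it.
MIN_EPOCH=1103377500

# clock_is_sane [EPOCH]: true when EPOCH (default: now) is at or past the floor.
clock_is_sane() {
    [ "${1:-$(date +%s)}" -ge "$MIN_EPOCH" ]
}

# cert_window_state NOW NOT_BEFORE NOT_AFTER (all epoch seconds):
# prints how a TLS peer whose clock reads NOW would judge the certificate.
cert_window_state() {
    if [ "$1" -lt "$2" ]; then
        echo not-yet-valid
    elif [ "$1" -gt "$3" ]; then
        echo expired
    else
        echo valid
    fi
}

# wait_for_clock TIMEOUT: poll once a second until the clock is sane.
# Returns 0 when it is, 1 if TIMEOUT seconds pass first (fail closed).
wait_for_clock() {
    waited=0
    while ! clock_is_sane; do
        if [ "$waited" -ge "$1" ]; then
            return 1
        fi
        sleep 1
        waited=$((waited + 1))
    done
    return 0
}

# In rcS, after the ntpclient line (the config path is a placeholder):
#   if wait_for_clock 60; then
#       openvpn --config /path/to/your.conf &
#   else
#       logger "clock not set, not starting OpenVPN"
#   fi
```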

Editing the IPTables Firewall
■ Rename the link in the /etc/init.d directory so it doesn't start and so you can import the file from ROM
■ Then copy the file from ROM
    cp /rom/etc/init.d/S45firewall /etc/init.d/S45firewall
■ Edit the S45firewall file until your heart is content
    vi S45firewall

Certificate Warning!!!!
Franks and Beans!!!!
■ Warren Says: Never use default certificates that come with anything. Create your own CA.

Setting up a Certificate Authority
■ Creating your own CA can be fun!
■ OpenSSL
    www.openssl.org
■ Compile or install using your favorite package manager.
■ This is important because many of the auth types and VPNs require Digital Certificates.

Creating a Self Signed CA
■ Using the Perl Script CA.pl to create the CA.
    perl CA.pl -newca
■ Sometimes it chokes and you need to finish the job by creating the “serial” file yourself in the directory that houses the CA information.
    echo '01' >serial
    touch index.txt
■ Ta da! You have a new CA.

Create and Sign Request
■ Create a new certificate request
    perl CA.pl -newreq
■ Sign a req
    perl CA.pl -sign
■ To revoke a cert
    openssl ca -revoke <newcert.pem>
■ Create Diffie Hellman Parameters
    openssl dhparam -out dh1024.pem 1024
VPNs and Tunneling
■
OpenVPN
➔
http://openvpn.sourceforge.net
■
Openswan
➔
http://www.openswan.org
■
SSH tunneling
21
OpenVPN
■
http://openvpn.sourceforge.net
■
Uses UDP
■
Good for NAT'ed hosts
■
Uses SSL
■
Fairly easy to configure
■
Using an OpenVPN server can also help protect
your Internet connection when away from home