OpenWRT

This tutorial is based on the extroot Nexx 3020H build from this earlier post.

Responder has been the bread and butter in our toolkit…screwdriver in our sandwich? Wait, I think I lost the analogy. Anyways, Responder is an amazing pen testing tool if you are on a local network. Building the Nexx 3020H as a network dropbox meant that Responder was one of the first tools that I wanted on the device.

This post is going to be split into two sections since the install part went **spoiler alert** way easier than I had expected.

If you haven’t flashed your device to OpenWRT and set up extroot, you can pop back over once that is done.

Part One: Setup and Usage

Download Responder from the SpiderLabs GitHub as a zip file (https://github.com/SpiderLabs/Responder).

GitHub Download for Responder

SSH into the Nexx dropbox. I am going to put the files in /opt. You can unzip the file on your host or on the device; doing it on the device has the drawback of requiring more disk space.

unzip Responder-master.zip

scp -r Responder-master root@192.168.1.1:/opt

Unzip Responder-master

scp files from host to dropbox

Verify Responder-master copied to dropbox

Excellent. There is one package that Responder requires, and I will also install nano to edit the config file later.

opkg update
opkg install python
opkg install nano

Since OpenWRT runs a web server and the device also acts as a WAP, Responder won’t be able to start the DNS or HTTP module. Don’t believe me? Try it in Analyze mode.

./Responder.py -I br-lan -A

Completely expected error

Disabling both the HTTP and DNS modules in Responder allows it to start normally and does not affect functionality. The alternative, disabling the device's own DNS service, would probably cause issues with hosts plugged into the LAN port, which would probably end up getting the dropbox detected. Disabling the device's HTTP server would be less impactful but would limit a future use that I am working on, so I’m taking that off the table for now.

Edit the Responder.conf file to disable both modules.

nano Responder.conf
HTTP = Off
DNS = Off

Responder.conf changes

Restart Responder. I will use the br-lan interface as an example and use the -f option to fingerprint hosts.

./Responder.py -I br-lan -f

Responder on br-lan

Part Two: On Interfaces and Theory

Running ifconfig on the dropbox shows all of the available interfaces.

iwconfig output

br-lan is the LAN port on the Nexx 3020H
eth0.2 is the WAN port on the Nexx 3020H

Poisoning the br-lan interface only affects the hosts downstream of the dropbox. This limits the potential issues but also means fewer hosts. A common scenario would be to drop this in a waiting area on a receptionist system. Having a foothold on the network and hashes for one person is a good place to start.

The next option is to use eth0.2 and poison the WAN interface. In the same scenario this exposes all of the systems internal to the network to potential poisoning. The chance of getting a high value set of credentials or hash is much higher. But if Responder causes issues on the network, which is not unheard of, then the chances that you lose the device are higher. Using a cron job to copy the log folder to a remote system reduces the risk of data loss.

The final option is to poison them both. Why? Why not. Test it on your systems and then get everything you can.
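
Seen from the defender's side, the poisoning described in this part is detectable: Responder answers LLMNR, NBT-NS and mDNS name queries regardless of the name asked for, so a host that answers for names nobody owns stands out. The following is an added example, not part of the original post; the record format, decoy names and addresses are constructed, and since these protocols stay inside one broadcast domain the probe has to run on each segment (the br-lan side and the eth0.2 side are separate).

```sh
#!/bin/sh
# Added example: flag hosts that answer name queries for decoy names.
# Record format and all values are constructed for illustration:
#   <protocol> <answering IP> <name the answer was for>
ANSWERS_SAMPLE="LLMNR 192.168.1.10 fileserver
LLMNR 192.168.1.1 wpad-decoy-7f3a
NBT-NS 192.168.1.1 PRN-DECOY-91C2
LLMNR 192.168.1.1 fileserver
MDNS 192.168.1.23 printer.local
LLMNR 192.168.1.1 wpad-decoy-7f3a
NBT-NS 192.168.1.40 PRN-DECOY-91C2"

# Names the monitor queried that no real host owns (hypothetical values).
DECOYS="wpad-decoy-7f3a prn-decoy-91c2"

# $1 = answer records, $2 = minimum distinct decoy names (default 2,
# a design choice here so that a single stray answer is not reported).
# Prints "ip count protocols" for each suspect host.
find_poisoners() {
    printf '%s\n' "$1" | awk -v decoys="$DECOYS" -v min="${2:-2}" '
        BEGIN { n = split(tolower(decoys), d, " ")
                for (i = 1; i <= n; i++) decoy[d[i]] = 1 }
        { name = tolower($3) }                     # names are case-insensitive
        (name in decoy) && !seen[$2, name]++ {     # count each ip/name pair once
            hits[$2]++
            if (index(protos[$2], $1) == 0)
                protos[$2] = protos[$2] (protos[$2] ? "," : "") $1
        }
        END { for (ip in hits) if (hits[ip] >= min) print ip, hits[ip], protos[ip] }
    ' | sort
}

find_poisoners "$ANSWERS_SAMPLE"
```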

Comedy of Errors Scene 2, Act 2
Am I on earth, in heaven, or in hell? Asleep or awake? Crazy or sane? These people know me, but I don’t know myself! I’ll agree with them and keep with it, whatever happens. – ANTIPHOLUS OF SYRACUSE

I’ve used dropboxes in the past for penetration testing when onsite social engineering was allowed. The best thing about these was that you could guarantee that they would be returned even if found and someone else paid for them.

I ended up with two Nexx WT3020H wireless NAS routers. Two you say? Yeah, comedy of errors act one. I went to Gearbest to order one. I’m not a huge fan of putting my credit card information into a sketchy foreign website, so I selected the PayPal option. Then nothing … blank screen and a loading indicator. After a few minutes the page redirected back and a ‘Thank you for your order’ message appeared. I broke down and decided to order the same one from Amazon and pay the extra three dollars because there is no way that the other one would ship, right? A week later the Amazon one shows up and a few days after that the Gearbest one is sitting in my mailbox. L33T H4x0R mode unlocked!

Act two: call up a few of the guys I know who are interested in pen testing and meet at UNM. The Nexx box will not power up when connected to the USB port on my laptop or the USB power port on the wall receptacle. No big deal, I planned ahead and brought a wall adapter; still no luck. Time spent with friends is never a waste but no work got done. I honestly thought the device was a brick at this point but I tried a different USB cable later that night and BOOM back in business. So, the cable that ships with the device was junk.

Third act… Every write-up you see says you flash the device, opkg a few installs, scp the SWORD (https://github.com/zer0byte/sword) files from zer0byte to the web directory and then drop the device on a network and cause havoc. I believed these. The problem is most of those packages aren’t in the OpenWRT repos anymore, and even if they were, there isn’t enough space on the device. Feel free to move through these posts and find the errors yourself, but if you want a working device and have an extra USB drive, continue on.

Out of Space

Act IV: this is the real deal, we are going to get some stuff done! Flashing to OpenWRT is the first step.
The Nexx 3020 has its own entry on the OpenWRT forum making downloading the firmware super easy. The links on that page weren’t working though! I ended up pulling them down from (http://archive.openwrt.org/chaos_calmer/15.05.1/ramips/mt7620/) instead of using wiki links. Has it been fixed since then? Was it just a bad night? Doesn’t matter; use the one that works for you.

It’s possible to use the command line to install the firmware, but why not use the web interface? Someone spent time coding it, might as well use it.

Nexx Default Page

Nexx Flash Page

Following the wiki instructions I used the factory firmware to get from the OEM to OpenWRT (openwrt-15.05.1-ramips-mt7620-wt3020-8M-squashfs-factory.bin). I’m kind of a belt and suspenders type person so I did this over the LAN ethernet interface and with the power plugged into an adapter on a powerstrip instead of the computer USB interface. I really wanted to limit the number of things that could go wrong.

Flashing to OpenWRT

The device rebooted and the LED went from flashing to solid. Good news!

The default OpenWRT IP is 192.168.1.1 and connecting to it gave me the default webpage. Twice this little beast didn’t turn into a brick!

OpenWRT Default Webpage

Set a password for the root account and enable SSH on the interface you are using to administer the device. In a real world scenario you would probably enable SSH on the WiFi interface and disable it on the LAN interface. The usage scenario for this is to gain access to the device from the parking lot once it is deployed while leaving the fewest number of ports open on the LAN for detection.

Change the Password and Enable SSH

This is where we are going to deviate from all of the simple tutorials. We need to do an extroot on the OpenWRT to get more space. In a real world scenario using a low profile 128GB USB drive would cost about twenty five dollars from Amazon. I used a 32GB one that I already had for this write-up but this doesn’t change the process.

Plug the USB drive into the router. SSH in using the root account; there are a few pieces of pre-work that we need to do. Ensure that the WAN ethernet port has internet access.

opkg update

Login and update opkg

opkg install fdisk
opkg install block-mount

Enable USB support and ext4 file system

opkg install kmod-usb-storage
opkg install kmod-fs-ext4
opkg install e2fsprogs

Set up the file system and extroot

fdisk -l

If everything installed correctly you should see your USB drive.

USB drive as /dev/sda1

Delete the old partition and create a new one. My USB was /dev/sda but your mileage may vary, so change as required. I redacted some text; if you can do fdisk without using the help menu first you probably don’t need to be reading this part.

fdisk /dev/sda

root@OpenWrt:~# fdisk /dev/sda
Command (m for help): d
Selected partition 1
Partition 1 has been deleted.

Command (m for help): w
The partition table has been altered.
Calling ioctl() to re-read partition table.
Syncing disks.

Create the new partition:

root@OpenWrt:~# fdisk /dev/sda

Welcome to fdisk (util-linux 2.25.2).
Changes will remain in memory only, until you decide to write them.
Be careful before using the write command.

Command (m for help): n
Partition type
 p primary (0 primary, 0 extended, 4 free)
 e extended (container for logical partitions)
Select (default p): p
Partition number (1-4, default 1): 
First sector (2048-61489151, default 2048): 
Last sector, +sectors or +size{K,M,G,T,P} (2048-61489151, default 61489151):

Created a new partition 1 of type 'Linux' and of size 29.3 GiB.

Command (m for help): w
The partition table has been altered.
Calling ioctl() to re-read partition table.
Syncing disks.

Now that we have a partition, format it to ext4. If you want to use a different file system, just add those packages instead of ext4.

Format the drive to ext4.

mkfs.ext4 /dev/sda1

Format the USB drive

Create a mount point and mount the partition you just created.

mkdir /mnt/sda1
mount /dev/sda1 /mnt/sda1

Copy the current file system to the USB stick partition.

mkdir -p /tmp/cproot
mount --bind / /tmp/cproot
tar -C /tmp/cproot -cvf - . | tar -C /mnt/sda1 -xf -
umount /tmp/cproot

The file system is copied over to the USB drive.

Get out your torches, but I don’t like vi so I installed nano. If you like vi just skip this step.

opkg install nano

Next use fstab to mount the USB drive when it boots up and use it as root.

nano /etc/config/fstab

Create the initial /etc/config/fstab file using the following.

block detect > /etc/config/fstab

Add the following to the text file.

config 'mount'
 option target /
 option device /dev/sda1
 option fstype ext4
 option options rw,sync
 option enabled 1
 option enabled_fsck 0

fstab entry for extroot

Now is the moment of truth, time to reboot. If it doesn’t work you can always reflash it, right?
With luck …lights blink …time passes…seasons change…then go solid! Not really, it boots really fast. If it switches to a fast blink it came up in fail safe mode, so try the ultimate IT hack: unplug it and plug it back in.

SSH to the router and see that all your hard work paid off:

mount

Booted up with extroot

How much space do you have for activities now? So much room.

df

df to show space
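
The mount check above can be scripted so that a fallback to internal flash is caught without reading the output by eye. This is an added example, not part of the original post: it compares the root device requested in /etc/config/fstab with what mount reports; the function names are hypothetical and the sample fstab and mount text is constructed.

```sh
#!/bin/sh
# Added example: check that the root filesystem matches the fstab stanza.
# All sample text below is constructed for illustration.
FSTAB_SAMPLE="config 'mount'
 option target /
 option device /dev/sda1
 option fstype ext4
 option enabled 1"

MOUNT_OK="rootfs on / type rootfs (rw)
/dev/root on /rom type squashfs (ro,relatime)
/dev/sda1 on / type ext4 (rw,sync,relatime,data=ordered)"

MOUNT_FALLBACK="rootfs on / type rootfs (rw)
/dev/root on /rom type squashfs (ro,relatime)
overlayfs:/overlay on / type overlay (rw,noatime)"

# stdin: /etc/config/fstab text. Prints the device of each enabled
# 'mount' section whose target is "/". Quotes are stripped first.
extroot_device() {
    tr -d "\"'" | awk '
        function emit() { if (is_mount && target == "/" && enabled == "1" && device != "") print device }
        $1 == "config" { emit(); is_mount = ($2 == "mount"); target = device = enabled = ""; next }
        $1 == "option" && $2 == "target"  { target  = $3 }
        $1 == "option" && $2 == "device"  { device  = $3 }
        $1 == "option" && $2 == "enabled" { enabled = $3 }
        END { emit() }'
}

# stdin: mount output. Prints "device fstype" of the filesystem on "/".
# The last matching line wins because later mounts cover earlier ones.
root_mount() {
    awk '$2 == "on" && $3 == "/" && $4 == "type" { dev = $1; fs = $5 }
         END { if (dev != "") print dev, fs }'
}

# $1 = fstab text, $2 = mount output. True only if "/" is the fstab device.
extroot_active() {
    want=$(printf '%s\n' "$1" | extroot_device)
    have=$(printf '%s\n' "$2" | root_mount | cut -d' ' -f1)
    [ -n "$want" ] && [ "$want" = "$have" ]
}

for sample in "$MOUNT_OK" "$MOUNT_FALLBACK"; do
    if extroot_active "$FSTAB_SAMPLE" "$sample"; then echo "extroot active"
    else echo "still on internal flash"; fi
done
```

On the device itself the same check is `extroot_active "$(cat /etc/config/fstab)" "$(mount)"`.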

Finally, and I do mean finally, let’s get to work on making this a dropbox. I really like zer0byte’s work and might take a stab at building packages in the future to revive SWORD, but for now these are what is in the repos. The nmap version is fairly old but should do most things you need that don’t include NSE.

opkg update
opkg install bash --force-depends  # this should already be installed
opkg install nmap
opkg install tcpdump
opkg install aircrack-ng

I’m going to spend some more time on this in the near future, building Nmap to a newer version and adding masscan at the request of the brain trust I bounce all of my ideas off of. Having Responder on the internal network would be my next priority so look out for that also. I have no idea how to get these built on OpenWRT or into the repos but when I figure it out I will let everyone know. Brainstorming some other uses came up with another idea but it will require some additional knowledge on my part and will be slightly farther down the road.

Sources I used because we all stand on the shoulders of those who came before us.
https://samhobbs.co.uk/2013/11/more-space-for-packages-with-extroot-on-your-openwrt-router
Just assume every OpenWRT page about USB storage and extroot; I also read through the repos to figure out why I couldn’t opkg install the SWORD packages.