I’ve always had a fascination, almost an obsession, with highly functional, compact gadgets. When netbooks were all the rage I had several, all of my laptops (and now ultrabooks) have been 12-13″… and I can assure you I was foaming at the mouth when the WiFi Pineapple was released.

Recently, faced with a few days off of work as well as a long weekend with no plans made to fill it, I wanted something new to play with. For a while I had been keeping an eye on what people were doing with miniature routers, for example the MiniPwner – so this seemed like a fitting project, especially given my local PC store happened to stock the TP-Link TL-MR3020.

the hardware

TP-Link TL-MR3020:

that’s not an imperfection on the top, I’ve left the protective film on

16GB ADATA UD310:

Pineapple Juice USB battery:

flashing the router

To obtain the right OpenWRT image for your router, first visit the OpenWRT Table of Hardware, open the wiki page for the specific router you wish to use and ensure that the hardware revision available to you is officially supported. For example:

If possible, ensure that you get a revision that is supported by a final release of OpenWRT – not an RC or trunk release. As seen on the box of my 3020 I have the latest, version 1.9:

Which, according to the table on its OpenWRT wiki page (also shown above), is compatible with release 12.09.

Download the image (from the stock firmware you need the one whose name ends in -factory.bin; the -sysupgrade.bin variant is for upgrading an existing OpenWRT install), slide the mode switch on the router to ‘WISP’, and connect both the USB power cable and the ethernet cable to your PC.

Once the router completes its start-up it will bring up its own network with your PC and become accessible at 192.168.0.254. Fire up your browser, navigate to http://192.168.0.254, and under ‘System Tools’ in the left-hand menu you will find ‘Firmware Upgrade’:

Open the downloaded OpenWRT image and select ‘Upgrade’:

A progress bar shows the progress of the upgrade; however, because OpenWRT uses different addressing, the page will not automatically reload afterwards. You will visibly see the router reboot, so give it a moment after that and continue.
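Before uploading anything to the ‘Firmware Upgrade’ page it is worth checking two things the post skips over: that you really have the -factory.bin image (the stock firmware will not take a -sysupgrade.bin), and that the download matches the md5sums list OpenWRT publishes in the same directory as the images. The following is an added example, not code from the original post; it assumes the md5sums file uses the “hash *file” or “hash  file” layout that md5sum itself produces. The MD5 only protects against a corrupt or truncated download, not against a malicious mirror, since hash and image come from the same place.

```shell
#!/bin/sh
# Added example (not part of the original post): sanity-check the OpenWRT
# image before handing it to the stock firmware's "Firmware Upgrade" page.
#  - is_factory_image: from TP-Link's own firmware you must flash the image
#    whose name ends in -factory.bin; -sysupgrade.bin only works from an
#    existing OpenWRT install.
#  - verify_image: compare the file's MD5 with the md5sums list published
#    in the same download directory (assumed "<hash> *<file>" or
#    "<hash>  <file>" lines, as md5sum produces).

is_factory_image() {
    case "$(basename "$1")" in
        *-factory.bin) return 0 ;;
        *)             return 1 ;;
    esac
}

verify_image() {
    image=$1
    sums=$2
    name=$(basename "$image")
    # Pick the hash listed for exactly this file name; strip md5sum's
    # binary marker '*' if present.
    expected=$(awk -v f="$name" '{ n = $2; sub(/^\*/, "", n); if (n == f) { print $1; exit } }' "$sums")
    if [ -z "$expected" ]; then
        echo "$name: not listed in $sums" >&2
        return 2
    fi
    actual=$(md5sum "$image" | awk '{ print $1 }')
    if [ "$actual" != "$expected" ]; then
        echo "$name: CHECKSUM MISMATCH (expected $expected, got $actual), do not flash" >&2
        return 1
    fi
    echo "$name: checksum OK ($actual)"
}

# Run both checks; only flash if this returns 0.
check_image() {
    is_factory_image "$1" || { echo "$1 is not a -factory.bin image" >&2; return 3; }
    verify_image "$1" "$2"
}

# Typical use, with both files downloaded into the current directory:
#   check_image openwrt-ar71xx-generic-tl-mr3020-v1-squashfs-factory.bin md5sums
```

Run check_image against the image and the md5sums file you downloaded next to it; a non-zero exit means stop and download again rather than flash.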


initial configuration

Once the router finishes rebooting it will come up on a 192.168.1.0/24 network. Open a terminal session on the connected PC and enter:

telnet 192.168.1.1

You will automatically be logged in as the root user with no password configured, so set one straight away. On OpenWRT this also switches off the unauthenticated telnet login; from then on you connect with SSH (dropbear), which is what the later steps use:

passwd

Depending on your local network addressing you may want to throw the router on a different subnet (in my case, my local network is also 192.168.1.0/24, so I changed it to 192.168.2.0/24). For this, edit /etc/config/network:

vi /etc/config/network

Press ‘i’ to enter insert mode, then edit the value of ‘option ipaddr’ for the ‘lan’ interface to something more suitable:

Pressing ‘Esc’ exits insert mode, and entering ‘:wq’ saves the changes and quits vi.

Reboot the device:

reboot

When it comes back up the router will be accessible via the address you entered as ‘option ipaddr’. Browse to this address in your web browser (plain HTTP), log in, and in the top bar navigate to ‘Network’ > ‘WiFi’, then select ‘Scan’ to scan for your local WiFi network:

Next to your network click ‘Join Network’, complete the details (leaving ‘Replace Wireless Configuration’ ticked, and set the network name as ‘wan’) and click ‘Submit’:

Return to the main WiFi page and ensure that the connection is enabled:

Then on the interfaces page connect the interface:

SSH to the router:

ssh -l root <the address you set as ‘option ipaddr’>

… and ensure that the wlan0 interface has obtained an IP address and that you can both resolve DNS and ping an external name (e.g. downloads.openwrt.org):
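The same initial configuration can be done from the shell with OpenWRT’s uci tool rather than vi and LuCI, which makes the box easy to rebuild after a bad flash. The script below is an added example and not code from the original post. It assumes the wifi-device section is named wlan0 as in the wireless config later in this post (a stock build usually names it radio0, so set WIFI_DEV accordingly), that there is a single wifi-iface section, and that the network you are joining uses WPA2-PSK; set DRY_RUN=1 to see the commands it would run without touching anything.

```shell
#!/bin/sh
# Added example (not part of the original post): the "initial configuration"
# steps done with uci instead of vi and LuCI. Set DRY_RUN=1 to print the
# commands instead of executing them (useful off the router).

run() {
    if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi
}

# Move the LAN to a /24 that does not collide with the network you will join.
set_lan_address() {
    run uci set "network.lan.ipaddr=$1"
    run uci set "network.lan.netmask=255.255.255.0"
    run uci commit network
}

# Join an existing WPA2-PSK network as a client on a new interface named
# 'wan': the equivalent of LuCI's "Join Network" with "Replace Wireless
# Configuration" ticked. WIFI_DEV is the wifi-device section name (wlan0 in
# this post's wireless config; default builds usually call it radio0).
WIFI_DEV=${WIFI_DEV:-wlan0}
join_wifi() {
    ssid=$1
    psk=$2
    run uci set "network.wan=interface"
    run uci set "network.wan.proto=dhcp"
    run uci set "wireless.$WIFI_DEV.disabled=0"
    run uci set "wireless.@wifi-iface[0].device=$WIFI_DEV"
    run uci set "wireless.@wifi-iface[0].network=wan"
    run uci set "wireless.@wifi-iface[0].mode=sta"
    run uci set "wireless.@wifi-iface[0].ssid=$ssid"
    run uci set "wireless.@wifi-iface[0].encryption=psk2"
    run uci set "wireless.@wifi-iface[0].key=$psk"
    run uci commit wireless
    run uci commit network
    run wifi
}

# The post's sanity checks: wlan0 has an address, a name resolves and an
# external host answers ping. Returns non-zero at the first failing step.
check_uplink() {
    host=${1:-downloads.openwrt.org}
    ifconfig wlan0 2>/dev/null | grep -q 'inet addr:' \
        || { echo "wlan0 has no IPv4 address" >&2; return 1; }
    nslookup "$host" >/dev/null 2>&1 \
        || { echo "cannot resolve $host" >&2; return 2; }
    ping -c 3 -w 10 "$host" >/dev/null 2>&1 \
        || { echo "no ping reply from $host" >&2; return 3; }
    echo "uplink OK via wlan0 ($host reachable)"
}

# Typical run on the router:
#   set_lan_address 192.168.2.1 && reboot
#   (reconnect to the new address, then)
#   join_wifi 'MyHomeNet' 'correct horse battery staple' && sleep 15 && check_uplink
```

Source the file over SSH and call the functions in that order; check_uplink is the scripted form of the IP, DNS and ping checks described above and exits non-zero at the first one that fails, so it can gate anything you automate afterwards.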

extending the storage

Most of the instructions out there have you explicitly install packages onto the USB drive because of poorly thought out mounting, which creates real headaches when resolving dependencies: everything ends up needing symlinks. Mounting the USB partition as the root overlay instead (the ‘extroot’ approach below) lets you install everything straight into the system, with no symlinks and no risk of filling the tiny internal flash.

Insert the USB stick into your PC and use a tool like GParted to create three partitions (in order):

  1. 512 MB, ext4 (system)
  2. 256 MB, swap (swap)
  3. Remainder, ext4 (home)

Once the partitions are created you can insert the USB stick into the router. Enter:

ls /dev/sda*

… and ensure that the three partition device nodes are present (detected, not necessarily mounted yet). The nodes only appear once the USB storage and filesystem drivers are loaded, so if nothing is listed, install the packages in the next step and check again, rebooting the router if necessary. Should you still have issues, ‘dmesg’ is your friend.

Assuming you managed to connect the router to your local WiFi network, refresh the package lists and install the USB prerequisites:

opkg update
opkg install kmod-usb-storage kmod-fs-ext4 block-mount

Edit /etc/config/fstab to define the new mount points. Mounting the first partition at /overlay is what turns the stick into the root overlay (‘extroot’), and the fstype must match what the partitions were formatted as: ext4 here, which is also why kmod-fs-ext4 was installed.

config global automount
        option from_fstab 1
        option anon_mount 1

config global autoswap
        option from_fstab 1
        option anon_swap 1

config mount
        option target /overlay
        option device /dev/sda1
        option fstype ext4
        option options rw,sync
        option enabled 1
        option enabled_fsck 0

config mount
        option target /home
        option device /dev/sda3
        option fstype ext4
        option options rw,sync
        option enabled 1
        option enabled_fsck 0

config swap
        option device /dev/sda2
        option enabled 1

Make the mount points (/mnt/sda1 is only a temporary mount point for the copy below; /home is the permanent one):

mkdir /mnt/sda1 /home

Mount the system partition:

mount /dev/sda1 /mnt/sda1

Clone the current overlay onto the system partition with tar, then reboot to bring everything into effect:

tar -C /overlay -cvf - . | tar -C /mnt/sda1 -xf -
reboot

Once the router comes back up you should be able to see the extended storage space with df (the /overlay and / lines now report the size of the first USB partition rather than the internal flash):

… and validate that you are swapping on the USB stick by entering:

swapon /dev/sda2

If the device reports it is busy, swap is already active and things are working as expected (/proc/swaps lists the active swap devices if you would rather have a direct answer).
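Inferring success from a failing swapon works, but a script that reads /proc/mounts and /proc/swaps directly gives an unambiguous answer and can be re-run after every reboot. The following is an added example, not from the original post; it assumes the layout configured in the fstab above (first partition mounted at /overlay, third at /home, second as swap), and the MOUNTS and SWAPS variables exist only so it can be pointed at saved copies of those files for testing.

```shell
#!/bin/sh
# Added example (not part of the original post): confirm that the USB stick
# really is the root overlay and swap after the reboot. MOUNTS/SWAPS default
# to the live kernel files and can be pointed at saved copies for testing.
MOUNTS=${MOUNTS:-/proc/mounts}
SWAPS=${SWAPS:-/proc/swaps}

# Print the device mounted at the given path (empty if nothing is mounted there).
device_at() {
    awk -v t="$1" '$2 == t { print $1; exit }' "$MOUNTS"
}

# True if the given device appears in the active swap list (header skipped).
swap_active() {
    awk -v d="$1" 'NR > 1 && $1 == d { found = 1 } END { exit !found }' "$SWAPS"
}

# Overall check against the fstab in this post:
#   /overlay on /dev/sda1, /home on /dev/sda3, swap on /dev/sda2.
extroot_status() {
    rc=0
    ov=$(device_at /overlay)
    if [ "$ov" = "/dev/sda1" ]; then
        echo "overlay: /dev/sda1 (extroot active)"
    else
        echo "overlay: ${ov:-not mounted} (still running from internal flash!)"
        rc=1
    fi
    hm=$(device_at /home)
    if [ "$hm" = "/dev/sda3" ]; then
        echo "home: /dev/sda3"
    else
        echo "home: ${hm:-not mounted}"
        rc=1
    fi
    if swap_active /dev/sda2; then
        echo "swap: /dev/sda2 active"
    else
        echo "swap: not active"
        rc=1
    fi
    return $rc
}

# On the router: run extroot_status; exit code 0 means all three are in place.
```

If the overlay line still shows the internal flash device (an mtdblock), block-mount did not pivot to the stick; the usual causes are a fstype that does not match the partition or a missing kmod, and dmesg will say which.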


further configuration

The ultimate goal is to use this box as a remote tap into networks: either over its own wireless network, or back through an SSH/VPN tunnel. As we are unlikely to know the subnetting used inside the network being tapped (this box is quickly dropped in place and left), the ethernet port becomes a DHCP client on that network, while the WiFi radio becomes an access point for us to connect to. Luckily, 99% of the work has already been done and only a few config file changes are required.

You can go about this however you wish, but personally I made a directory under /home and dumped two sets of configs in there so I can switch between them when I want to change the function of the router. The files suffixed .1 are the current configs, and those suffixed .2 turn the router into a ‘tap’:

dhcp.2:

config dnsmasq
        option domainneeded 1
        option boguspriv 1
        option filterwin2k 0  # enable for dial on demand
        option localise_queries 1
        option rebind_protection 1  # disable if upstream must serve RFC1918 addresses
        option rebind_localhost 1  # enable for RBL checking and similar services
        #list rebind_domain example.lan  # whitelist RFC1918 responses for domains
        option local '/lan/'
        option domain 'lan'
        option expandhosts 1
        option nonegcache 0
        option authoritative 1
        option readethers 1
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.auto'
        #list server  '/mycompany.local/1.2.3.4'
        #option nonwildcard 1
        #list interface  br-lan
        #list notinterface lo
        #list bogusnxdomain     '64.94.110.11'

config dhcp lan
        option interface lan
        option start 100
        option limit 150
        option leasetime 12h
        option ignore 1

config dhcp wan
        option interface wan
        option start 150
        option limit 100
        option leasetime 24h

firewall.2:

config defaults
        option syn_flood 1
        option input  ACCEPT
        option output  ACCEPT 
        option forward  ACCEPT
        # Uncomment this line to disable ipv6 rules
        # option disable_ipv6 1

config zone
        option name lan
        option network 'lan'
        option input ACCEPT
        option output ACCEPT
        option forward ACCEPT

config zone
        option name wan
        option network 'wan'
        option input ACCEPT
        option output ACCEPT
        option forward ACCEPT
        option masq 1
        option mtu_fix 1

config forwarding
        option src wan
        option dest lan

# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
        option src wan
        option proto udp
        option dest_port 68
        option target ACCEPT
        option family ipv4

# Allow IPv4 ping
config rule
        option src wan
        option proto icmp
        option icmp_type echo-request
        option family ipv4
        option target ACCEPT

# Allow DHCPv6 replies
# see https://dev.openwrt.org/ticket/10381
config rule
        option src wan
        option proto udp
        option src_ip fe80::/10
        option src_port 547
        option dest_ip fe80::/10
        option dest_port 546
        option family ipv6
        option target ACCEPT

# Allow essential incoming IPv6 ICMP traffic
config rule
        option src wan
        option proto icmp
        list icmp_type echo-request
        list icmp_type destination-unreachable
        list icmp_type packet-too-big
        list icmp_type time-exceeded
        list icmp_type bad-header
        list icmp_type unknown-header-type
        list icmp_type router-solicitation
        list icmp_type neighbour-solicitation
        option limit 1000/sec
        option family ipv6
        option target ACCEPT

# Allow essential forwarded IPv6 ICMP traffic
config rule
        option src wan
        option dest *
        option proto icmp
        list icmp_type echo-request
        list icmp_type destination-unreachable
        list icmp_type packet-too-big
        list icmp_type time-exceeded
        list icmp_type bad-header
        list icmp_type unknown-header-type
        option limit 1000/sec
        option family ipv6
        option target ACCEPT

# include a file with users custom iptables rules
config include
        option path /etc/firewall.user

network.2:

config 'interface' 'loopback'
        option 'ifname' 'lo'
        option 'proto' 'static'
        option 'ipaddr' '127.0.0.1'
        option 'netmask' '255.0.0.0'

config 'interface' 'lan'
        option 'ifname' 'eth0'
        option 'proto' 'dhcp'

config 'interface' 'wan'
        option 'ifname' 'wlan0'
        option 'proto' 'static'
        option 'ipaddr' '192.168.2.1'
        option 'netmask' '255.255.255.0'

wireless.2:

config wifi-device  wlan0
        option type     mac80211
        option channel  6
        option macaddr  'YOUR MAC'
        option hwmode   11ng
        option htmode   HT20
        list ht_capab   SHORT-GI-20
        list ht_capab   SHORT-GI-40
        list ht_capab   RX-STBC1
        list ht_capab   DSSS_CCK-40

config wifi-iface
        option device     wlan0
        option network    wan
        option mode       ap
        option ssid       'YOUR SSID'
        option encryption none

Once the .2 files have been copied into place as /etc/config/dhcp, /etc/config/firewall, /etc/config/network and /etc/config/wireless and the router restarted, you can connect your PC to the router’s WiFi network defined in its new wireless config. This should assign you an IP address from the pool served on ‘wan’ that lets you connect back to the router:

The router itself should have been assigned a DHCP address by the hardwired network it has a leg on:

By default the WiFi and ethernet interfaces are in different firewall zones, and only the ‘wan’ zone (the WiFi side) has masquerading enabled. If you move the ethernet network into the ‘wan’ zone as well, traffic from your attacking PC is NATed to the address the router obtained on eth0, and you will be able to connect straight through to the target network:

Should you want to revert to the old configuration, all you need to do is copy in place the .1 files and reboot.
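One thing to tighten before leaving the box on site: as written, wireless.2 brings the access point up with ‘encryption none’ and firewall.2 accepts all input on both zones, so anyone in radio range can associate and log in to root over SSH, and anyone on the tapped network can reach the box’s services on eth0. The script below is an added example, not code from the original post. It follows the section layout of the .2 configs above (zone 0 is ‘lan’/eth0, zone 1 is ‘wan’/wlan0, AP clients on 192.168.2.0/24), puts WPA2-PSK on the AP, rejects unsolicited input on both zones while still allowing DHCP, DNS and SSH where they are needed, and enables masquerading on the ‘lan’ zone so attacker traffic is NATed out of eth0 without having to move eth0 into the ‘wan’ zone. The PSK is whatever you pass in; DRY_RUN=1 prints the uci commands instead of running them.

```shell
#!/bin/sh
# Added example (not part of the original post): harden the 'tap' configs.
# Assumes the .2 layout above: firewall zone 0 = lan (eth0 on the target),
# zone 1 = wan (our AP), AP clients in 192.168.2.0/24, one wifi-iface.
# DRY_RUN=1 prints the commands instead of executing them.

run() {
    if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi
}

# WPA2-PSK on the attacker-facing AP (a WPA2 passphrase is 8 to 63 chars).
harden_ap() {
    psk=$1
    if [ ${#psk} -lt 8 ] || [ ${#psk} -gt 63 ]; then
        echo "WPA2 PSK must be 8 to 63 characters" >&2
        return 1
    fi
    run uci set "wireless.@wifi-iface[0].encryption=psk2"
    run uci set "wireless.@wifi-iface[0].key=$psk"
    run uci commit wireless
}

# Add one accept rule for traffic into the box from a zone; optional src_ip.
allow_in() {
    zone=$1; proto=$2; port=$3; name=$4; src_ip=${5:-}
    run uci add firewall rule
    run uci set "firewall.@rule[-1].name=$name"
    run uci set "firewall.@rule[-1].src=$zone"
    run uci set "firewall.@rule[-1].proto=$proto"
    run uci set "firewall.@rule[-1].dest_port=$port"
    if [ -n "$src_ip" ]; then
        run uci set "firewall.@rule[-1].src_ip=$src_ip"
    fi
    run uci set "firewall.@rule[-1].target=ACCEPT"
}

harden_firewall() {
    # Reject unsolicited input on both zones. The existing
    # 'config forwarding' (wan -> lan) keeps our path into the target.
    run uci set "firewall.@defaults[0].input=REJECT"
    run uci set "firewall.@zone[0].input=REJECT"
    run uci set "firewall.@zone[1].input=REJECT"
    # NAT attacker traffic to the eth0 address as it leaves the lan zone,
    # instead of moving eth0 into the wan zone.
    run uci set "firewall.@zone[0].masq=1"
    # eth0 is a DHCP client on the target network: let lease replies in.
    allow_in lan udp 68 Allow-DHCP-Client-eth0
    # AP clients need DHCP and DNS from the box; we need SSH to it.
    allow_in wan udp 67 Allow-DHCP-Server-AP
    allow_in wan "tcp udp" 53 Allow-DNS-AP
    allow_in wan tcp 22 Allow-SSH-AP 192.168.2.0/24
    run uci commit firewall
    run /etc/init.d/firewall restart
}

# Typical run on the router, after the .2 configs are in place:
#   harden_ap 'correct horse battery staple' && harden_firewall && wifi
```

After running it, confirm from the attacking PC that you can still SSH to 192.168.2.1 and reach the target network, and from a host on the tapped network that nothing on the box answers; the rules are ordinary uci sections, so they are easy to fold into the .2 files themselves once you are happy with them.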

going further

Some ideas:
  • Set up the router to automatically VPN through to your home network.
  • Use the router as a portable, anonymising proxy for multiple clients (using Tor or a private VPN).
  • Produce some automated attack scripts.
  • Install more software using opkg (run opkg update and then opkg list on the router to see everything available for your release), e.g. aircrack-ng, karma, nano, nmap, openvpn, samba, tcpdump.
