{"id":934,"date":"2015-04-23T10:27:47","date_gmt":"2015-04-23T16:27:47","guid":{"rendered":"http:\/\/www.jedge.com\/wordpress\/?p=934"},"modified":"2018-11-29T08:14:27","modified_gmt":"2018-11-29T14:14:27","slug":"openwrt-for-the-gl-inet-v-2","status":"publish","type":"post","link":"https:\/\/www.jedge.com\/wordpress\/2015\/04\/openwrt-for-the-gl-inet-v-2\/","title":{"rendered":"Openwrt for the GL-iNet (v 2) – Bypass 802.1x Port Security"},"content":{"rendered":"


\nBypass 802.1x Port Security w\/ Openwrt<\/strong>
\nBackground<\/strong>
\nDuring an internal and wireless penetration I was unprepared for the port security in the environment. I had to travel internationally and the Statement of Work and Rules of Engagement did not detail the extent of the internal testing and what was to be tested. Penetration Testers know what it is like to conduct a \u201cPenetration Test\u201d when sales staff and client management setup the engagement. Needless to say I was upset at the delay only due to the time it would take to configure a device to bypass the port security when I only had a week onsite to conduct the testing. Luckily I had brought along my PCEngines Alix 62f<\/a> (used previously in my Custom Power Pwn<\/a>). I had brought it for the wireless testing as it was configured for wireless client attacks. Using the work done by Alva Lease \u2018Skip\u2019 Duckwall IV<\/a> and presented <\/a>at DEFCON 19<\/a> in 2011. I reconfigured the Alix to show the client how easy it is to bypass port security. Well I never want to encounter a similar situation again but I also don\u2019t want to carry yet another device with me when traveling. Having the device be as small as possible while service multiple purposes would be ideal. That is why I\u2019m using the GL-iNet with the Openwrt operating system for this project.<\/p>\n

Version 2 of this tutorial builds off of version 1<\/a> but additional work is done to help you build an image that will allow you to bypass 802.1x port security without any post install customization (as shown in this previous post<\/a>). Also some network recon tools are included as well.
\n<\/p>\n

UPDATE: 8\/2\/2016 – Sweet baby Jesus (I like the baby Jesus<\/a>) they fixed the segmentation fault for arptables! The trunk version of Chaos Calmer has a patch that fixes it. Look for a new tutorial soon.<\/p>\n

Obtaining Openwrt<\/strong>
\n*Note: Everything is done from the latest version of Ubuntu LTS (14.04).<\/p>\n

For this tutorial we will work out of your home directory. We will download the latest code for Openwrt Attitude Adjustment 12.09 (AA) and a patch from the GL-iNet website. We will also need to modify two files so that we can compile the 16mb image of AA for the GL-iNet. The two files we will modify are ar71xx\/image\/Makefile and firmware-utils\/src\/mktplinkfw.c.<\/p>\n

But first we will apply the AA patch provided by GL-iNet using the utility quilt.<\/p>\n

Make sure your environment has the software required, including quilt.
\n

$ sudo apt-get update\n$ sudo apt-get install git-core build-essential libssl-dev subversion libncurses5-dev zlib1g-dev gawk gcc-multilib flex gettext quilt xsltproc libxml-parser-perl mercurial bzr ecj cvs unzip\n<\/code><\/pre>
\nTo setup quilt you want a file called .quiltrc in your home directory with the following lines:
\n
QUILT_DIFF_ARGS="--no-timestamps --no-index -pab --color=auto"\nQUILT_REFRESH_ARGS="--no-timestamps --no-index -pab"\nQUILT_PATCH_OPTS="--unified"\nQUILT_DIFF_OPTS="-p"\nEDITOR="nano"\n<\/code><\/pre>
\nHow you accomplish this is up to you. Open gedit and paste, open vim and paste, or do the following from the command line.
\n
$ echo -e QUILT_DIFF_ARGS="--no-timestamps --no-index -pab --color=auto"'\\n'QUILT_REFRESH_ARGS="--no-timestamps --no-index -pab"'\\n'QUILT_PATCH_OPTS="--unified"'\\n'QUILT_DIFF_OPTS="-p"'\\n'EDITOR="nano" &gt; ~\/.quiltrc\n<\/code><\/pre>
\nMove to your home directory obtain AA, update and download the package source files, and patch it using quilt.
\n
$ cd ~\/\n$ git clone git:\/\/git.openwrt.org\/12.09\/openwrt.git attitude_adjustment\n$ cd attitude_adjustment\n~\/attitude_adjustment$ mkdir patches\n~\/attitude_adjustment$ echo 01-gl-inetAA16MiB.patch &gt; patches\/series\n~\/attitude_adjustment$ git clone https:\/\/github.com\/smrx86\/gl-inet.git smrx86\n~\/attitude_adjustment$ cp smrx86\/patches\/01-gl-inetAA16MiB.patch patches\n~\/attitude_adjustment$ echo 01-gl-inetAA16MiB.patch &gt;&gt; patches\/series\n~\/attitude_adjustment$ quilt push -a\n<\/code><\/pre><\/p>\n
Download and install all available “feeds”, create our configuration file to build what we need.
\n
$ cd ~\/attitude_adjustment\n~\/attitude_adjustment$ .\/scripts\/feeds update -a\n~\/attitude_adjustment$ .\/scripts\/feeds install -a\n~\/attitude_adjustment$ cd package\n~\/attitude_adjustment\/package$ git clone git:\/\/git.openwrt.org\/12.09\/packages.git\n~\/attitude_adjustment\/package$ cd ..\n~\/attitude_adjustment$ make menuconfig\n<\/code><\/pre><\/p>\n
Go forth and select all of these packages to be included in the image and not as a modules (asterisk (*) instead of (M)).<\/p>\n
Network \u2014> (mii-tool & tcpdump)
\nNetwork \u2014>Firewall (arptables & ebtables)
\nNetwork \u2014>Firewall\u2014>iptables (iptables-mod-conntrack-extra, iptables-mod-extra, iptables-mod-filter, iptables-mod-iface, iptables-mod-ipopt, iptables-mod-ipset, iptables-mod-ipv4options, iptables-mod-nat-extra, iptables-mod-rawnat, iptables-mod-tee)
\nKernel modules \u2014>Netfilter Extensions (kmod-arptables, kmod-ebtables, kmod-ebtables-ipv4, kmod-ebtables-ipv6)
\nKernel modules \u2014>Network Support (kmod-bridge, kmod-llc, kmod-stp)
\nLibraries \u2014>(libpcap,wireless-tools)
\nBase system \u2014>busybox Networking Utilities \u2014>arp
\nKernel modules \u2014>Filesystems (kmod-fs-ext4, kmod-fs-ntfs & kmod-fs-vfat)
\nKernel modules \u2014>USB Support (kmod-usb-ohci, kmod-usb-uhci, kmod-usb2, kmod-usb-storage, kmod-usb-storage-extras)
\nKernel modules \u2014>Native Language Support (kmod-nls-cp437, kmod-nls-base & kmod-nls-iso8859-1)<\/p>\n
“Hacker” Tools
\nNetwork \u2014>NMAP Suite (ncat-ssl,ndiff,nmap-ssl,nping)
\nNetwork \u2014>wireless (aircrack-ng,aircrack-ptw,kismet-client,kismet-server,reaver)
\nLibraries \u2014>(libcap,libncurses,libnl,libpcre,terminfo,uclibcxx,zlib)
\nLibraries \u2014>SSL (libopenssl)
\nBase system \u2014>(libstdcpp)<\/p>\n
Custom Files<\/strong>
\nThe best place to learn about adding custom files to your image build is the OpenWrt Wiki, specifically here<\/a>.<\/p>\n
Create Directories to Store Out Custom Files<\/em>
\n
$ mkdir -p ~\/attitude_adjustment\/files\/etc\/init.d\n$ mkdir -p ~\/attitude_adjustment\/files\/etc\/config\n$ mkdir -p ~\/attitude_adjustment\/files\/etc\/rc.d\n<\/code><\/pre>
\nCustom Wireless Configuration Files<\/em>
\n
$ vim ~\/attitude_adjustment\/files\/etc\/config\/wireless\n<\/code><\/pre>
config wifi-device  radio0\noption type     mac80211\noption channel  11\noption hwmode   11ng\noption path     'platform\/ar933x_wmac'\noption htmode   HT20\nlist ht_capab   SHORT-GI-20\nlist ht_capab   SHORT-GI-40\nlist ht_capab   RX-STBC1\nlist ht_capab   DSSS_CCK-40<\/code><\/pre><\/p>\n
config wifi-iface
\noption device radio0
\noption network lan
\noption mode ap
\noption ssid att-wifi #or whatever you want to call it
\noption encryption psk2
\noption key ‘mysupersecretPassWord’
\noption hidden 1<\/p>\n
Custom Network Configuration Files<\/em>
\n
$ vim ~\/attitude_adjustment\/files\/etc\/config\/network\n<\/code><\/pre>
config interface 'loopback'\noption ifname 'lo'\noption proto 'static'\noption ipaddr '127.0.0.1'\noption netmask '255.0.0.0'\n<\/code><\/pre>
\nCustom System Configuration Files<\/em>
\n
$ vim ~\/attitude_adjustment\/files\/etc\/config\/system\n<\/code><\/pre>
config system\noption hostname GLiNet #or whatever you want to call it\noption timezone UTC\n<\/code><\/pre>
\nCustom System Control Configuration File<\/em>
\n
$ vim ~\/attitude_adjustment\/files\/etc\/sysctl.conf\n<\/code><\/pre>
kernel.panic=3\nnet.ipv4.conf.default.arp_ignore=1\nnet.ipv4.conf.all.arp_ignore=1\nnet.ipv4.ip_forward=1\nnet.ipv4.icmp_echo_ignore_broadcasts=1\nnet.ipv4.icmp_ignore_bogus_error_responses=1\nnet.ipv4.tcp_ecn=0\nnet.ipv4.tcp_fin_timeout=30\nnet.ipv4.tcp_keepalive_time=120\nnet.ipv4.tcp_syncookies=1\nnet.ipv4.tcp_timestamps=1\nnet.ipv4.tcp_sack=1\nnet.ipv4.tcp_dsack=1<\/code><\/pre><\/p>\n
net.ipv6.conf.default.forwarding=1
\nnet.ipv6.conf.all.forwarding=1<\/p>\n
net.netfilter.nf_conntrack_acct=1
\nnet.netfilter.nf_conntrack_checksum=0
\nnet.netfilter.nf_conntrack_max=16384
\nnet.netfilter.nf_conntrack_tcp_timeout_established=3600
\nnet.netfilter.nf_conntrack_udp_timeout=60
\nnet.netfilter.nf_conntrack_udp_timeout_stream=180<\/p>\n
There are four files in the tarball and it is just easier to provide the files then figure out how to disable some of this shit in OpenWrt. Included in the tarball is the bridge script you will need to create the transparent bridge. But also included are dnsmasq, firewall, sysntpd, dropbear, and telnet files with permissions where execution is removed. Best way to disable them without removing them.
\n
$ cd ~\/attitude_adjustment\/files\/etc\/\n~\/attitude_adjustment\/files\/etc$ wget http:\/\/www.jedge.com\/code\/glinet.openwrt.init.d.build.tar.gz\ntar xzvf glinet.openwrt.init.d.build.tar.gz\n<\/code><\/pre>
\nCreate a symlink for the bridge script so it will start when the device boots.
\n
$ cd ~\/attitude_adjustment\/files\/etc\/rc.d\n~\/attitude_adjustment\/files\/etc\/rc.d$ ln -s ..\/init.d\/bridge S90bridge\n~\/attitude_adjustment\/files\/etc\/rc.d$ ln -s ..\/init.d\/bridge K95bridge\n<\/code><\/pre>
\nWhy set your root password after the first boot? Why not set it in your image before you install it?
\n
echo "yoursecret" | makepasswd --clearfrom=- --crypt-md5 |awk '{print $2}'\n$1$uZ9fJ7OE$A8KGOGcOR4fP3\/XEsxQaa0<\/code><\/pre>
$ vim ~\/attitude_adjustment\/files\/etc\/shadow\n<\/code><\/pre>
root:$1$uZ9fJ7OE$A8KGOGcOR4fP3\/XEsxQaa0:0:0:99999:7:::\ndaemon:*:0:0:99999:7:::\nftp:*:0:0:99999:7:::\nnetwork:*:0:0:99999:7:::\nnobody:*:0:0:99999:7:::\n<\/code><\/pre><\/p>\n
Now we can compile our image. Once complete your image will be find in ~\/attitude_adjustment\/bin\/ar71xx<\/kbd> called openwrt-ar71xx-generic-gl-inet-6416A-v1-squashfs-factory.bin<\/kbd>
cd ~\/attitude_adjustment\n~\/attitude_adjustment$ make<\/code><\/pre>
\nDocumenting how to upgrade (or downgrade) the firmware of your GL-iNet is tricky as I don\u2019t know the state of your device so we are going to use a method I\u2019m sure you haven\u2019t messed with. We are going to use the U-boot Web Method of upgrading. You will need to pry open your GL-iNet and connect a serial to USB adapter as documented from the GL-iNet website. Visit the two links below.<\/p>\n
http:\/\/www.gl-inet.com\/docs\/smartrouter\/?diy_hardware.html<\/a>
\nhttp:\/\/www.gl-inet.com\/docs\/smartrouter\/?diy_serial.html<\/a><\/p>\n
Then boot your device and enter the web failsafe mode following the directions also found on the GL-iNet website.<\/p>\n
http:\/\/www.gl-inet.com\/docs\/smartrouter\/?diy_flashing.html<\/a><\/p>\n
Connect to your USB serial device and then plug in your GL-iNet. Immediately hit the \u201cF\u201d key to enter the U-boot mode and enter httpd to start the failsafe web server. We will need to connect to the WAN port and assign an IP address in the 192.168.1.0\/24 range, open a web browser, and go to http:\/\/192.168.1.1<\/p>\n
From the web interface upload the firmware you compiled. It should be called openwrt-ar71xx-generic-gl-inet-6416A-v1-squashfs-factory.bin.<\/p>\n
References<\/strong>
\nA Bridge Too Far Defeating Wired 802.1X with a Transparent Bridge Using Linux by Alva Lease \u2018Skip\u2019 Duckwall IV
\nPresentation Slides: https:\/\/www.defcon.org\/images\/defcon-19\/dc-19-presentations\/Duckwall\/DEFCON-19-Duckwall-Bridge-Too-Far.pdf<\/a>
\nPresentation (Youtube): http:\/\/youtu.be\/u3T3lUxKm18<\/a>
\nIssue discussing the use of ebtables and packets not being forwarded up the IP chain. The reason we had to re-enable bridged firewalling in Openwrt. http:\/\/stackoverflow.com\/questions\/17116126\/iptables-ebtables-bridge-utils-prerouting-forward-to-another-server-via-single<\/a>
\nAlso mentioned in getting SSLStrip to work in a hak5.org forum. https:\/\/forums.hak5.org\/index.php?\/topic\/26780-guide-for-installing-sslstrip-on-openwrt\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
Bypass 802.1x Port Security w\/ Openwrt Background During an internal and wireless penetration I was unprepared for the port security in the environment. I had to travel internationally and the Statement of Work and Rules of Engagement did not detail the extent of the internal testing and what was to be tested. Penetration Testers know […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[113],"tags":[155,123],"class_list":["post-934","post","type-post","status-publish","format-standard","hentry","category-compiling","tag-gl-inet","tag-openwrt"],"_links":{"self":[{"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/posts\/934","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/comments?post=934"}],"version-history":[{"count":30,"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/posts\/934\/revisions"}],"predecessor-version":[{"id":1154,"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/posts\/934\/revisions\/1154"}],"wp:attachment":[{"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/media?parent=934"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/categories?post=934"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/tags?post=934"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}