Thursday, April 16, 2009

Argus 3.x On Linksys WRT54GL

I have bought two units of Linksys WRT54GL wlan router previously so that I can run Linux and getting network security monitoring tools running on it as well. This little device has very limited space but you can't beat linux as router device. One of the unit is currently living in spoonfork's place to serve that Darth Vader, and another one is with me.
Since Carter has argus supported on OpenWRT, I have been thinking of getting argus installed on it(MIPS platform). And after some tinkering, I have successfully loading argus on it and export the network flow to another box in the network. Here's the complete howto that you can follow exactly to get argus compiled for OpenWRT Kamikaze 8.09(MIPS platform) using Ubuntu Linux.

Prepare the environment, my main directory to build this is /home/geek00l/i-Projects -

shell>sudo apt-get install gcc g++ patch binutils \

flex bison make pkg-config unzip zlib1g zlib1g-dev \

libc6 libc6-dev gawk autoconf upslug2 libncurses5-dev


To build OpenWRT Kamikaze 8.09, svn up the source first -

shell>svn co https://svn.openwrt.org/openwrt/branches/8.09 kamikaze-8.09

shell>cd kamikaze-8.09


Start the building process -

shell>make defconfig


shell>make package/symlinks


shell>make menuconfig


shell>make


Take a coffee break when you run make .....

Install libpcap, this is the only dependencies we need to get argus 3 compiled -

shell>make package/libpcap-compile V=99

shell>make package/libpcap-install V=99


Check out the gcc that we need to use -

shell>/home/geek00l/i-Projects/kamikaze-8.09/staging_dir/toolchain-mipsel_gcc3.4.6/mipsel-linux-uclibc/bin/gcc --version
gcc (GCC) 3.4.6 (OpenWrt-2.0)
Copyright (C) 2006 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Now we need to set the environment variables for this build -

shell>export PATH=/home/geek00l/i-Projects/kamikaze-8.09/staging_dir/toolchain-mipsel_gcc3.4.6/mipsel-linux-uclibc/bin:/home/geek00l/i-Projects/kamikaze-8.09/staging_dir/toolchain-mipsel_gcc3.4.6/bin:$PATH

shell>export AR=/home/geek00l/i-Projects/kamikaze-8.09/staging_dir/toolchain-mipsel_gcc3.4.6/mipsel-linux-uclibc/bin/ar


shell>export AS=/home/geek00l/i-Projects/kamikaze-8.09/staging_dir/toolchain-mipsel_gcc3.4.6/mipsel-linux-uclibc/bin/as


shell>export LD=/home/geek00l/i-Projects/kamikaze-8.09/staging_dir/toolchain-mipsel_gcc3.4.6/mipsel-linux-uclibc/bin/ld


shell>export NM=/home/geek00l/i-Projects/kamikaze-8.09/staging_dir/toolchain-mipsel_gcc3.4.6/mipsel-linux-uclibc/bin/nm


shell>export CC=/home/geek00l/i-Projects/kamikaze-8.09/staging_dir/toolchain-mipsel_gcc3.4.6/mipsel-linux-uclibc/bin/gcc


shell>export CPP=/home/geek00l/i-Projects/kamikaze-8.09/build_dir/toolchain-mipsel_gcc3.4.6/gcc-3.4.6-initial/gcc/cpp


shell>export GCC=/home/geek00l/i-Projects/kamikaze-8.09/staging_dir/toolchain-mipsel_gcc3.4.6/mipsel-linux-uclibc/bin/gcc


shell>export CXX=/home/geek00l/i-Projects/kamikaze-8.09/staging_dir/toolchain-mipsel_gcc3.4.6/mipsel-linux-uclibc/bin/g++

shell>export RANLIB=/home/geek00l/i-Projects/kamikaze-8.09/staging_dir/toolchain-mipsel_gcc3.4.6/mipsel-linux-uclibc/bin/ranlib


shell>export ac_cv_linux_vers=2.4.35


shell>export LDFLAGS="-static"


shell>export CFLAGS="-Os -s"


Time to have fun, doing cross-compile for argus so it works on MIPS platform -

shell>cd /home/geek00l/i-Projects/argus-3.0.1.beta.2


shell>./configure --host=mipsel-linux \

--with-openwrt=/home/geek00l/i-Projects/kamikaze-8.09/staging_dir \

--with-libpcap=/home/geek00l/i-Projects/kamikaze-8.09/build_dir/mipsel/libpcap-0.9.8


shell>make


shell>file bin/argus

bin/argus: ELF 32-bit LSB executable, MIPS, version 1 (SYSV), statically linked, stripped

Transfer it to my OpenWRT -

shell>scp -P 55555 bin/argus root@192.168.1.1:/tmp

To export argus network flow on ppp0 interface -

shell>argus -i ppp0 -B 192.168.1.1 -P 561 -d

To intercept the network flow -

shell>ra -S 192.168.1.1:561 - ip

I have found some good references here to get me going, and I would like to thank to David Watson(UK Honeynet) for his guide on building nepenthes on openwrt too.

Reference:
http://www.frontiernet.net/~beakmyn/CrossCompile.htm
http://www.ukhoneynet.org/research/building-nepenthes-on-the-openwrt-embedded-platform/
http://forum.openwrt.org/viewtopic.php?pid=31794
http://gargoyle-router.com/openwrt-coding.php

Since this embedded device has very limited space, there's no point to run packet logger locally, other tools I would like to run on it so that I can export pcap to other system should be something like packetforward or rpcap. If anyone has experience to get any of these tools installed on OpenWRT, please do share!

Enjoy (;])

Wednesday, April 15, 2009

OpenWRT: Allow SSH Access On WAN Interface

Here's the quick way to allow SSH Access for WAN interface on OpenWRT, I configure my ssh to run on port 12345 instead of 22 to avoid automated probes from internet using the web interface, then just run this in the terminal -

shell>/usr/sbin/iptables -I INPUT 1 -p tcp --dport 12345 -j LOG

shell>/usr/sbin/iptables -I INPUT 1 -p tcp --dport 12345 -j ACCEPT


To check if it loads properly -

shell>/usr/sbin/iptables -L | grep 12345
LOG tcp -- anywhere anywhere tcp dpt:12345 LOG level warning
ACCEPT tcp -- anywhere anywhere tcp dpt:12345

To make sure it survives reboot -

shell>nvram set rc_firewall="/usr/sbin/iptables -I INPUT 1 -p tcp --dport 12345 -j LOG"

shell>nvram set rc_firewall="/usr/sbin/iptables -I INPUT 1 -p tcp --dport 12345 -j ACCEPT"


shell>nvram commit

Thanks to the link here.

Done!

Cheers (;])

Sunday, April 05, 2009

Tshark: Decrypt WEP

Yes, you can decrypt wep using airdecap-ng from aircrack-ng suite, or using wireshark gui. However you can also use tshark to decrypt wep with known key, and you can define many keys to be used to decrypt wep packets as well.

Quick example -

shell>tshark -t ad -o 'wlan.enable_decryption:TRUE' \
-o "wlan.wep_key1:1122aabbcc" -nr wlan-wep.pcap

By the way, you can also decrypt wpa similarly.

Enjoy (;])