OpenWRT and Ubiquiti NanoStation 2

I’m scheduled to give a summary talk on the state of cryptographic attacks on WiFi for the University of Utah GSAC colloquium. I wanted to be able to demonstrate the practicality of these attacks, so I needed a platform to launch attacks from.

To this end, I picked up a Ubiquiti NanoStation 2 from Metrix. Today’s post is a bit of a how-to for getting the unit up and running with OpenWRT.

Background

OpenWRT is a framework for building a Linux distribution for use in routers and other embedded computers. Building a Linux distribution for an embedded computer is generally very difficult; OpenWRT’s main contribution is that it makes the process significantly easier. At the time of writing, the latest version of OpenWRT is Kamikaze.

Here’s a brief overview of the steps for getting OpenWRT onto the NanoStation 2, and how much work each one is:

  1. Update the firmware on the NanoStation
  2. Download the OpenWRT trunk and packages (two commands)
  3. Setup the build environment (one command)
  4. Select which packages you want for your distribution (one command, a bit of menus)
  5. Compile (one command and some patience)
  6. Upload to device (one command)

Laying on my desk

So now a bit about the NanoStation 2. Seattle Wireless has a good summary of the hardware specifications. I’ll speak about the device qualitatively:

First, this is a device with excellent range with the built-in antenna. I don’t have an external antenna for the unit; in my experience, the unit performs great on its own. I’ve been using it to do analysis, and have found that it sees much more than my laptop (which is why I bought the unit, after all).

Second, the device is powered exclusively by its Ethernet connection. I don’t own any switches that can provide power over Ethernet; however, the unit comes with an adapter that puts power on the line. I’ve never used a PoE device before, but I can tell that I’ll want more. This is a very nice feature, especially for practical use outdoors.

Third, this device is hard to brick. I’m generally nervous about flashing devices with unofficial images. While I obviously can’t claim that this device is brick-proof, I can say that it seems resilient. On more than one occasion I’ve messed up my OpenWRT installation, and was able to recover by returning to the official firmware. I’ll describe this process in a bit.

Fourth, it’s a small machine that mounts with zip-ties. Zip ties! I love it.

Mounts with zip ties. Shown here on my camera tripod as a temporary measure during testing.

Getting OpenWRT Up

Here’s the quick and dirty. We first need to grab the OpenWRT trunk and packages:


broker@localhost:~$ svn co https://svn.openwrt.org/openwrt/trunk/
broker@localhost:~$ cd trunk
broker@localhost:~/trunk$ mkdir feeds
broker@localhost:~/trunk$ cd feeds
broker@localhost:~/trunk/feeds$ svn co https://svn.openwrt.org/openwrt/packages

Find your way back into the trunk directory and invoke make package/symlinks:


broker@localhost:~/trunk/feeds$ cd ..
broker@localhost:~/trunk$ make package/symlinks

This command prepares the build environment. At some point it brings up a configuration screen where you select which platform you want to build for; set the Target System to “Atheros 231x/5312 [2.6].”

Once this is done we are ready to move forward and start selecting packages. Invoke


broker@localhost:~/trunk$ make menuconfig

You’ll find yourself confronted with a menu system similar to that for configuring the Linux kernel. Here you can pick which packages you want included in your build. The NanoStation 2 has 4MB of storage, so pick wisely: the build environment will strip things down as much as it can, but you still need to be prudent with storage.

This is also a good time to configure the default network settings for your image. Select “Image configuration” to set the default IP address for your device’s Ethernet controller. You can also set a DNS and gateway server for the device at this time. If you don’t, it will default to the IP address 192.168.1.1.

After you have configured what packages you want to use, you’ll be returned to the command prompt. We’re now ready to do the build:


broker@localhost:~/trunk$ make

Go grab a drink; this will take a while, because OpenWRT first builds its own cross-compile toolchain before it builds the image. It also takes some space: on my system, the trunk directory is 2.55GB!

Once the build is complete, we can find the constructed image in trunk/bin. On my system, here’s what the directory listing looks like:


broker@localhost:~/trunk/bin$ ls -l
total 20080
-rw-r--r-- 1 broker broker 519 2008-11-13 23:29 md5sums
-rw-r--r-- 1 broker broker 3801088 2008-11-13 23:29 openwrt-atheros-root.jffs2-128k
-rw-r--r-- 1 broker broker 3801088 2008-11-13 23:29 openwrt-atheros-root.jffs2-64k
-rw-r--r-- 1 broker broker 2490368 2008-11-13 23:29 openwrt-atheros-root.squashfs
-rw-r--r-- 1 broker broker 3211672 2008-11-13 23:29 openwrt-atheros-ubnt2-squashfs.bin
-rw-r--r-- 1 broker broker 3211672 2008-11-13 23:29 openwrt-atheros-ubnt5-squashfs.bin
-rwxr-xr-x 1 broker broker 2290916 2008-11-13 23:29 openwrt-atheros-vmlinux.elf
-rw-r--r-- 1 broker broker 983040 2008-11-13 23:29 openwrt-atheros-vmlinux.gz
-rw-r--r-- 1 broker broker 720896 2008-11-13 23:29 openwrt-atheros-vmlinux.lzma
drwxr-xr-x 3 broker broker 4096 2008-11-12 23:53 packages

Note that it builds a few different images; we’re interested in openwrt-atheros-ubnt2-squashfs.bin. If you don’t have this file, but the build didn’t complain, then the most likely cause is that the image was going to be more than 4MB. You see, the build process knows that the NanoStation 2 has only 4MB of storage, and won’t bother making an image for the device that is larger than this size. If you doubt this is the issue, you can try the build again with the V=99 option, which enables verbosity. Here’s what it would look like:


broker@localhost:~/trunk$ make V=99

Grep through the results to find the command which was going to make the openwrt-atheros-ubnt2-squashfs.bin file and see if it complained.
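Before anything goes over tftp, it is worth confirming that the ubnt2 image actually exists, fits the NanoStation 2’s 4MB flash, and matches the md5sums file the build drops into trunk/bin. This check is an added example, not part of the original post; the demo_bin function builds a constructed stand-in for trunk/bin so the check can be exercised without a real build.

```shell
#!/bin/sh
# Added pre-flash check (not from the original post): is the ubnt2 image
# present, within the 4MB flash limit, and consistent with bin/md5sums?

FLASH_LIMIT=4194304   # 4MB, the NanoStation 2 storage size quoted in the post

# check_image DIR IMAGE
# Returns 0 when the image is safe to upload; 1 missing, 2 too large,
# 3 checksum mismatch. A reason is printed on stderr in each failure case.
check_image() {
    dir=$1
    image=$2
    path="$dir/$image"

    if [ ! -f "$path" ]; then
        echo "$image missing: the build skips images over $FLASH_LIMIT bytes; retry with 'make V=99'" >&2
        return 1
    fi

    size=$(wc -c < "$path" | tr -d ' ')
    if [ "$size" -gt "$FLASH_LIMIT" ]; then
        echo "$image is $size bytes, larger than the 4MB flash" >&2
        return 2
    fi

    # md5sums uses the 'hash  filename' layout that md5sum -c understands,
    # so feed it only the entry for this image and let md5sum verify it.
    if ! grep " $image\$" "$dir/md5sums" | (cd "$dir" && md5sum -c --status); then
        echo "$image does not match md5sums" >&2
        return 3
    fi
    return 0
}

# demo_bin: constructed sample directory standing in for trunk/bin.
# The image is zero-filled and the same size as the listing in the post;
# it is sample data, not a real OpenWRT build.
demo_bin() {
    d=$(mktemp -d)
    head -c 3211672 /dev/zero > "$d/openwrt-atheros-ubnt2-squashfs.bin"
    (cd "$d" && md5sum openwrt-atheros-ubnt2-squashfs.bin > md5sums)
    echo "$d"
}

# Against a real tree:
#   . ./check_image.sh && check_image ~/trunk/bin openwrt-atheros-ubnt2-squashfs.bin && echo ready
```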

So now that we’ve got the image, it’s time to upload it to the device. By default, the NanoStation 2 is configured to run at 192.168.1.20. It supports image upload by tftp:


broker@localhost:~/trunk$ cd bin
broker@localhost:~/trunk/bin$ tftp 192.168.1.20
tftp> bin
tftp> put openwrt-atheros-ubnt2-squashfs.bin

If you find that this fails, check that your NanoStation is running the latest Ubiquiti firmware. Go to the Ubiquiti NanoStation 2 Support page for the latest firmware. I found that the firmware the unit shipped with wouldn’t accept my OpenWRT image, but the newer firmware does.

Once you’ve uploaded the image to the NanoStation 2, you should be able to telnet to the device. It will drop you to a root shell without authentication. Once you set a root password, the telnet daemon is disabled and the device responds only over SSH.

If you want to enable the wireless, edit /etc/config/wireless. Note that there’s a line you need to comment out to enable the controller! For more detailed configuration information, consult the documentation.

Getting aircrack-ng and Kismet to work

If you decided to deploy Kismet and aircrack-ng on your NanoStation, you will probably want to know more about how to use these utilities on this device.

Here’s how I got Kismet to work on the device:

  1. First, I had to disable the existing ath0 device. To do this, simply issue airmon-ng stop ath0. To be honest, I do not know why this is necessary; in my experience, though, ath0 isn’t able to enter monitor mode after the device has booted — my guess is that something about its initialization isn’t hacker-friendly. So we go through this airmon-ng business to remedy that.
  2. Now re-create ath0 by issuing airmon-ng start wifi0. We can verify that this did what we wanted:
    root@OpenWrt:/# iwconfig
    lo        no wireless extensions.
    eth0      no wireless extensions.
    wifi0     no wireless extensions.
    br-lan    no wireless extensions.
    ath0      IEEE 802.11g  ESSID:""  Nickname:""
              Mode:Monitor  Frequency:2.457 GHz  Access Point: [censored]
              Bit Rate:0 kb/s   Tx-Power:16 dBm   Sensitivity=1/1  
              Retry:off   RTS thr:off   Fragment thr:off
              Encryption key:off
              Power Management:off
              Link Quality=0/70  Signal level=-96 dBm  Noise level=-96 dBm
              Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
              Tx excessive retries:0  Invalid misc:0   Missed beacon:0
    
  3. We now need to configure kismet_drone to use the proper device. This is done by editing /etc/kismet/kismet_drone.conf and setting source=ath5k,ath0,wireless. While in there, don’t forget to edit the rest of the file — especially the line that controls which IP addresses kismet clients are allowed to connect from!
  4. We can now launch kismet_drone. We need to tell it where to find the configuration file:
    root@OpenWrt:/# kismet_drone -f /etc/kismet/kismet_drone.conf
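The allowed-hosts line mentioned in step 3 is the one to get right before the drone goes on the air, since whoever can reach the drone port receives every captured frame. The excerpt below is an added example, not the post’s own file: it shows the permissive setting commented out beside a restricted one. The key names dronelisten and allowedhosts, the port 3501, and the analysis host address 192.168.1.10 are assumptions; the post itself only gives the device’s default address 192.168.1.1 and the source line.

```ini
# /etc/kismet/kismet_drone.conf (excerpt) -- added example, not from the post.
# Key names and the 3501 port are assumed from the Kismet drone config of the period.
source=ath5k,ath0,wireless

# Weak: listen on every interface and let any client pull the capture stream.
# dronelisten=tcp://0.0.0.0:3501
# allowedhosts=0.0.0.0/0

# Restricted: bind to the NanoStation's own LAN address (the default from the
# post) and accept only the single analysis machine that runs the Kismet server.
dronelisten=tcp://192.168.1.1:3501
allowedhosts=192.168.1.10
```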

This procedure is enough to get started with the rest of aircrack-ng. Tonight I verified that the device is capable of pulling off the PTW attack; for instructions, see the Simple WEP Crack Tutorial.

Conclusion

The NanoStation 2 is a wonderful device; at under $100, this thing packs much more punch than any other device like it that I’ve used. OpenWRT support for the unit is fantastic. With judicious selection of packages, there’s sufficient room on the device for aircrack, kismet_drone, and nmap.


24 Comments

  1. Roberto (26 February, 2009)

    Hello,
    Thank you for this useful instruction on flashing the NanoStation2 unit. I have followed the instructions provided and built the following packages:
    openwrt-atheros-ubnt2-squashfs.bin
    openwrt-atheros-ubnt5-jffs2-128k.bin
    md5sums
    openwrt-atheros-ubnt5-jffs2-64k.bin
    openwrt-atheros-np25g-jffs2-128k.bin
    openwrt-atheros-ubnt5-squashfs.bin
    openwrt-atheros-np25g-jffs2-64k.bin
    openwrt-atheros-vmlinux.elf
    openwrt-atheros-np25g-squashfs.bin
    openwrt-atheros-vmlinux.gz
    openwrt-atheros-root.jffs2-128k
    openwrt-atheros-vmlinux.lzma
    openwrt-atheros-root.jffs2-64k
    openwrt-atheros-wpe53g-jffs2-128k.bin
    openwrt-atheros-root.squashfs
    openwrt-atheros-wpe53g-jffs2-64k.bin
    openwrt-atheros-ubnt2-jffs2-128k.bin
    openwrt-atheros-wpe53g-squashfs.bin
    openwrt-atheros-ubnt2-jffs2-64k.bin packages
    roberto@roberto-desktop:~/trunk/bin$

    Prior to that, I had loaded the NanoStation2 with the latest firmware version. I tried to TFTP to the NanoStation (192.168.1.20) and put the openwrt-atheros-ubnt2-squashfs.bin file; however, I got a time-out error message. I tried a few times again only to receive the timeout error message. I then used the NanoStation web interface and from the advanced tab I clicked Update firmware and uploaded the openwrt-atheros-ubnt2-squashfs.bin file. It gave me a warning about third-party firmware. I proceeded with the upload. It takes a while and when the flash is done, the unit IP address automatically changed to 192.168.1.1. At this stage, telnet is then established with the unit. I am able to telnet to it and learnt that Kamikaze is loaded.

    There is one thing remaining: I am using an open-mesh network in my environment and am wondering if the NanoStation can be meshed into the mesh network too. I am currently using the Accton mr3201A. Would you be able to advise if this can be done and what configuration needs to be added/modified in the Kamikaze configuration so that a meshed network can be achieved via the NanoStation2?

    Your advice and feedback on this matter is highly appreciated.

    Regards,

    Roberto de Sousa

  2. I’ve never used it for any of the meshing technologies, so I can’t really advise :/

  3. Great writeup. I’m missing the ath0 interface. Any ideas?

  4. Never mind, I figured that out; I missed that step.
    Anyway, I don’t have enough room to install aircrack in order to use airmon to disable and re-enable wifi (so it can be used in monitor mode). Any ideas?

  5. Liam (13 March, 2009)

    So did you ever get the NanoStation to crack WEP? Is this possible with AirOS or only possible with the installation of OpenWRT? I couldn’t connect to the link you posted to aircrack nor the site itself to see if you could or couldn’t do it. Sorry for all the dumb questions, but I am new to this and am very interested in the Nanostation’s capability as an alternative to the Alfa. Would appreciate your help greatly.

  6. @raffi

    The space on the device is very limited. With OpenWRT, I found that it took less space to install applications into my image before flashing the firmware, rather than trying to use the OpenWRT package manager.

    @Liam

    I’ve used the NanoStation 2 (running OpenWRT) to collect packets for WEP cracking, but I did the cracking using a more powerful machine (I had the OpenWRT mount a network share via its ethernet adapter so that it could save the captured data to a place with enough storage and processing power for the job). I wouldn’t expect the NS2 to be a very good platform for actually performing the crack, given its limited processor.

  7. Liam (17 March, 2009)

    Thanks for the response. Just to clarify, are you saying that the Atheros 2316 chipset of the NS does not have the power for fast IV injection comparable to the Alfa 500mW with the Realtek 8187L chipset? Was that what you were referring to, or were you referring to the CPU power of the computer used in cracking the captured packets? How much less power do you think the Atheros 2315 chipset has when compared with the Realtek 8187L for WEP cracking? How many IVs were you getting per second? Even if the Atheros is 1/2 to 1/4 as slow in injection I would prefer buying the NS over the Alfa 500mW (true power of a measly 300mW pre-antenna for b-mode and 90mW for g-mode), for I like the NS’s superior receiver sensitivity and power, provided that the NS chipset can be used for doing WEP cracking. I just want to confirm first with you that the NS can do injection after setting it to monitoring mode. Thanks again, and how do I set up a network share?

  8. Oh, I just meant that the CPU on the NS isn’t very powerful. I couldn’t comment on the wifi adapter’s speed for injection; I haven’t benchmarked it against anything else.

    Setting up a network share is its own can of worms, so I won’t get into it here. There are lots of guides online about network file sharing with Linux.

    I can say, for a fact, that the NS is able to inject IV’s and capture data for a WEP crack. I just didn’t use the NS’ processor to do the actual crunching.

  9. Liam (18 March, 2009)

    Thanks my friend…one more final question.

    Is there a reason why you need to install/flash aircrack, kismet_drone, and nmap onto NS??? Any advantages gain from this?

  10. Liam (31 March, 2009)

    I found this info from Ubiquiti saying that you will lose the use of the built-in antenna when flashing with OpenWRT, but noticed that wasn’t the case from your setup picture. How is it possible??? Did you have to use an external antenna to make the device work but forgot to mention it???

    http://ubnt.com/forum/viewtopic.php?t=800&highlight=openwrt+antenna

  11. The internal antenna worked fine for me; I don’t own an external antenna, so there couldn’t have been any mixup there.

  12. Liam (16 April, 2009)

    Can I get the software that you have already compiled with aircrack or whatever you have installed with it? So all I have to do is just flash the NS. I am having a hard time figuring out Linux compiling since Linux is new to me.

  13. Paige Adele Thompson (9 June, 2009)


    root@OpenWrt:~# airmon-ng start wifi0

    Interface Chipset Driver

    wifi0 Atheros madwifi-ng
    ath0 Atheros madwifi-ng VAP (parent: wifi0) (monitor mode enabled)

    root@OpenWrt:~# ifconfig ath0 up
    root@OpenWrt:~# iwlist ath0 scanning
    ath0 No scan results

    root@OpenWrt:~#

  14. Pizda (15 December, 2009)

    Can I mod the NanoStation2 to plug in a memory card?

  15. Is it possible to use multiple wifi virtual devices? E.g. one connecting to another network, the other one rebroadcasting with another ESSID?


  17. dudu (25 August, 2010)

    Hello friends, how can I remove OpenWRT and put AirOS back on? Please, someone tell me…

  18. Mike (22 October, 2010)

    Hi guys, does anybody know how to save captured data to an external device other than the NS2? I’m actually getting the message “not enough space on the device”.

  19. The trick is to use Samba to store the data remotely. This also allows you to use a machine with a faster CPU to do the analysis.

  20. Black-Viper (7 March, 2011)

    I’ve got a problem: I don’t know what the settings of the NanoStation2 should be to get internet… please help me…

  21. Willy (3 April, 2011)

    Can someone tell how I can use samba to store data remotely?

    Thanks in advance

  1. Wires Are Evil » Blog Archive » OpenWRT on Nanostation 2 in six commands.
  2. Dangers in key reuse « Integer Overflow
  3. Projekt WarSailing (Suche Komponte um 2Wlan Antennen zu Verbinden)
