I’m scheduled to give a summary talk on the state of cryptographic attacks on WiFi for the University of Utah GSAC colloquium. I wanted to be able to demonstrate the practicality of these attacks, so I needed a platform to launch attacks from.
OpenWRT is a framework for building a Linux distribution for use in routers and other embedded computers. Building a Linux distribution for an embedded computer is generally very difficult; OpenWRT’s main contribution is that it makes the process significantly easier. At the time of writing, the latest version of OpenWRT is Kamikaze.
Here’s a brief overview of the steps for getting OpenWRT onto the NanoStation 2, and how much work each one is:
- Update the firmware on the NanoStation
- Download the OpenWRT trunk and packages (two commands)
- Setup the build environment (one command)
- Select which packages you want for your distribution (one command, a bit of menus)
- Compile (one command and some patience)
- Upload to device (one command)
So now a bit about the NanoStation 2. Seattle Wireless has a good summary of the hardware specifications. I’ll speak about the device qualitatively:
First, this is a device with excellent range with the built-in antenna. I don’t have an external antenna for the unit; in my experience, the unit performs great on its own. I’ve been using it to do analysis, and have found that it sees much more than my laptop (which is why I bought the unit, after all).
Second, the device is powered exclusively by its Ethernet connection. I don’t own any switches that can provide power over Ethernet; however, the unit comes with an adapter that puts power on the line. I’ve never used a PoE device before, but I can tell that I’ll want more. This is a very nice feature, especially for practical use outdoors.
Third, this device is hard to brick. I’m generally nervous about flashing devices with unofficial images. While I obviously can’t claim that this device is brick-proof, I can say that it seems resilient. On more than one occasion I’ve messed up my OpenWRT installation, and was able to recover by returning to the official firmware. I’ll describe this process in a bit.
Fourth, it’s a small machine that mounts with zip-ties. Zip ties! I love it.
Here’s the quick and dirty. We first need to grab the OpenWRT trunk and packages:
broker@localhost:~$ svn co https://svn.openwrt.org/openwrt/trunk/
broker@localhost:~$ cd trunk
broker@localhost:~/trunk$ mkdir feeds
broker@localhost:~/trunk$ cd feeds
broker@localhost:~/trunk/feeds$ svn co https://svn.openwrt.org/openwrt/packages
Find your way back into the trunk directory and invoke
broker@localhost:~/trunk/feeds$ cd ..
broker@localhost:~/trunk$ make package/symlinks
This command prepares the environment. At some point it brings up a configuration screen where you need to select which platform you want to build for; set the Target System to “Atheros 231x/5312 [2.6].”
Once this is done we are ready to move forward and start selecting packages. Invoke
broker@localhost:~/trunk$ make menuconfig
You’ll find yourself confronted with a menu system similar to that for configuring the Linux kernel. Here you can pick which packages you want included in your build. The NanoStation 2 has 4MB of storage, so pick wisely: the build environment will strip things down as much as it can, but you still need to be prudent with storage.
This is also a good time to configure the default network settings for your image. Select “Image configuration” to set the default IP address for your device’s Ethernet controller. You can also set a DNS and gateway server for the device at this time. If you don’t, it will default to the IP address 192.168.1.1.
After you have configured which packages you want to use, you’ll be returned to the command prompt. We’re now ready to do the build:
broker@localhost:~/trunk$ make
Go grab a drink; this will take a while. OpenWRT first builds its own cross-compile environment, which takes some time. It also takes some space: on my system, the trunk directory is 2.55GB!
Once the build is complete, we can find the constructed image in trunk/bin. On my system, here’s what the directory listing looks like:
broker@localhost:~/trunk/bin$ ls -l
-rw-r--r-- 1 broker broker 519 2008-11-13 23:29 md5sums
-rw-r--r-- 1 broker broker 3801088 2008-11-13 23:29 openwrt-atheros-root.jffs2-128k
-rw-r--r-- 1 broker broker 3801088 2008-11-13 23:29 openwrt-atheros-root.jffs2-64k
-rw-r--r-- 1 broker broker 2490368 2008-11-13 23:29 openwrt-atheros-root.squashfs
-rw-r--r-- 1 broker broker 3211672 2008-11-13 23:29 openwrt-atheros-ubnt2-squashfs.bin
-rw-r--r-- 1 broker broker 3211672 2008-11-13 23:29 openwrt-atheros-ubnt5-squashfs.bin
-rwxr-xr-x 1 broker broker 2290916 2008-11-13 23:29 openwrt-atheros-vmlinux.elf
-rw-r--r-- 1 broker broker 983040 2008-11-13 23:29 openwrt-atheros-vmlinux.gz
-rw-r--r-- 1 broker broker 720896 2008-11-13 23:29 openwrt-atheros-vmlinux.lzma
drwxr-xr-x 3 broker broker 4096 2008-11-12 23:53 packages
Note that it builds a few different images; we’re interested in openwrt-atheros-ubnt2-squashfs.bin. If you don’t have this file but the build didn’t complain, the most likely cause is that the image would have been larger than 4MB: the build process knows that the NanoStation 2 has only 4MB of storage, and won’t bother producing an image for the device that exceeds that size. If you doubt this is the issue, run the build again with the V=99 option, which enables verbose output. Here’s what it looks like:
broker@localhost:~/trunk$ make V=99
Grep through the results to find the command that was going to make the openwrt-atheros-ubnt2-squashfs.bin file and see if it complained.
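Before flashing, it is worth confirming mechanically what the paragraphs above describe: that the ubnt2 image was actually produced, that it fits in the NanoStation’s 4MB of flash, and that it matches the md5sums file the build writes next to it. The following POSIX shell script is an added example, not code from the original post or from OpenWRT; the 4MB limit constant, the fixture directory it builds for offline use, the too-big.bin stand-in and the function names are all assumptions constructed for illustration.

```shell
#!/bin/sh
# Sanity-check an OpenWRT build output directory (trunk/bin) before flashing.
# Added example, not part of the original post; the fixture below is constructed.

FLASH_LIMIT=$((4 * 1024 * 1024))   # assumed: NanoStation 2 has 4MB of flash

# file_size FILE -> prints the size of FILE in bytes (portable via wc -c)
file_size() {
    wc -c < "$1" | tr -d ' '
}

# check_image BINDIR IMAGE
#   returns 0: image present, fits in flash, md5 matches the md5sums entry
#           1: image missing (the build most likely skipped it for being >4MB)
#           2: image present but larger than the flash limit
#           3: md5sums entry missing or mismatched (corrupt/truncated file)
check_image() {
    bindir=$1
    image=$2
    path="$bindir/$image"

    [ -f "$path" ] || return 1

    size=$(file_size "$path")
    [ "$size" -le "$FLASH_LIMIT" ] || return 2

    # md5sums lines look like: "<hash>  <filename>"; pick the entry for IMAGE
    expected=$(awk -v f="$image" '$2 == f { print $1 }' "$bindir/md5sums" 2>/dev/null || true)
    [ -n "$expected" ] || return 3
    actual=$(md5sum "$path" | awk '{ print $1 }')
    [ "$expected" = "$actual" ] || return 3
    return 0
}

# make_fixture -> prints the path of a constructed stand-in for trunk/bin:
#   a small file named like the real ubnt2 image, an oversized 5MB file that
#   would not fit on the device, and an md5sums file covering both.
make_fixture() {
    dir=$(mktemp -d)
    printf 'constructed image payload' > "$dir/openwrt-atheros-ubnt2-squashfs.bin"
    dd if=/dev/zero of="$dir/too-big.bin" bs=1024 count=5120 2>/dev/null
    ( cd "$dir" && md5sum openwrt-atheros-ubnt2-squashfs.bin too-big.bin > md5sums )
    printf '%s\n' "$dir"
}
```

On a real build tree the call is simply `check_image ~/trunk/bin openwrt-atheros-ubnt2-squashfs.bin`; a return code of 1 is the “the build silently skipped the image” case the text describes, and 3 is the one to care about before you tftp anything to the device.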
So now that we’ve got the image, it’s time to upload it to the device. By default, the NanoStation 2 is configured to run at 192.168.1.20. It supports image upload by tftp:
broker@localhost:~/trunk$ cd bin
broker@localhost:~/trunk/bin$ tftp 192.168.1.20
tftp> put openwrt-atheros-ubnt2-squashfs.bin
If you find that this fails, check that your NanoStation is running the latest Ubiquiti firmware. Go to the Ubiquiti NanoStation 2 Support page for the latest firmware. I found that the firmware the unit shipped with wouldn’t accept my OpenWRT image, but the newer firmware does.
Once you’ve uploaded the image to the NanoStation 2, you should be able to telnet to the device. It will drop you to a root shell without authentication. Once you change your root password, it will disable the telnet daemon and only respond via SSH.
If you want to enable the wireless, edit /etc/config/wireless. Note that there’s a line you need to comment out to enable the controller! For more detailed configuration information, consult the documentation.
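To make that comment-out step concrete, here is an added example (not from the original post or from OpenWRT) of a small shell check that reports whether a Kamikaze-style /etc/config/wireless still carries an active “option disabled 1” line, ignoring lines that are already commented out, together with a helper that comments the line out into a copy. The sample config is a constructed stand-in modelled on the stock file, and the function names are mine.

```shell
#!/bin/sh
# Check whether the radio in an OpenWRT /etc/config/wireless is still disabled.
# Added example, not part of the original post; the sample config is constructed.

# wifi_disabled CONFIG_FILE
#   returns 0 if an active "option disabled 1" line is present (radio off),
#           1 otherwise (radio enabled). Lines starting with '#' are skipped,
#   which is exactly the distinction the post makes: commenting the line out
#   is what enables the controller. The ".?" allows an optional quote char.
wifi_disabled() {
    awk '
        /^[[:space:]]*#/ { next }
        /^[[:space:]]*option[[:space:]]+disabled[[:space:]]+.?1/ { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# enable_wifi CONFIG_FILE -> prints the path of a copy in which every
#   "option disabled ..." line has been commented out, indentation preserved.
enable_wifi() {
    out=$(mktemp)
    sed 's/^\([[:space:]]*\)\(option[[:space:]]*disabled.*\)$/\1# \2/' "$1" > "$out"
    printf '%s\n' "$out"
}

# stock_config -> prints the path of a constructed stand-in for the stock
#   Kamikaze wireless config, with the radio disabled as shipped.
stock_config() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
config wifi-device  wifi0
    option type     atheros
    option channel  5

    # REMOVE THIS LINE TO ENABLE WIFI:
    option disabled 1

config wifi-iface
    option device   wifi0
    option network  lan
    option mode     ap
    option ssid     OpenWrt
EOF
    printf '%s\n' "$f"
}
```

On the device itself you would run `wifi_disabled /etc/config/wireless` and, if it reports the radio is off, review the disabled line by hand (or apply the enable_wifi copy) before bringing the interface up.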
If you decided to deploy Kismet and aircrack-ng on your NanoStation, you will probably want to know more about how to use these utilities on this device.
Here’s how I got Kismet to work on the device:
- First, I had to disable the existing ath0 device. To do this, simply issue airmon-ng stop ath0. To be honest, I do not know why this has been necessary; however, it has been my experience that ath0 isn’t able to enter monitor mode after the device has booted — my guess is that something about its initialization isn’t hacker-friendly. So we go through this airmon-ng business to remedy that.
- Now re-create the interface in monitor mode with airmon-ng start wifi0. We can verify that this did what we wanted:
root@OpenWrt:/# iwconfig
lo        no wireless extensions.

eth0      no wireless extensions.

wifi0     no wireless extensions.

br-lan    no wireless extensions.

ath0      IEEE 802.11g  ESSID:""  Nickname:""
          Mode:Monitor  Frequency:2.457 GHz  Access Point: [censored]
          Bit Rate:0 kb/s   Tx-Power:16 dBm   Sensitivity=1/1
          Retry:off   RTS thr:off   Fragment thr:off
          Encryption key:off
          Power Management:off
          Link Quality=0/70  Signal level=-96 dBm  Noise level=-96 dBm
          Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
          Tx excessive retries:0  Invalid misc:0   Missed beacon:0
- We now need to configure kismet_drone to use the proper device. This is done by editing /etc/kismet/kismet_drone.conf so that the source line reads source=ath5k,ath0,wireless. While in there, don’t forget to edit the rest of the file — especially the line that controls which IP addresses kismet clients are allowed to connect from!
- We can now launch kismet_drone. We need to tell it where to find the configuration file:
root@OpenWrt:/# kismet_drone -f /etc/kismet/kismet_drone.conf
This procedure is enough to get started with the rest of aircrack-ng. Tonight I verified that the device is capable of pulling off the PTW attack; for instructions, see the Simple WEP Crack Tutorial.
The NanoStation 2 is a wonderful device; at under $100, this thing packs much more punch than any other device like it that I’ve used. OpenWRT support for the unit is fantastic. With judicious selection of packages, there’s sufficient room on the device for aircrack, kismet_drone, and nmap.