WRT54G Spoof AP


At Defcon 13, my wardriving team and I took a different tack than most teams in the past. If we were going to compete, we were going to play hardball and actively attack the other teams while we were doing the contest. One of the things we came up with was using the WRT54G as a small, mobile, spoofed target AP.

Many of the games require you to find a specific access point with a specific MAC and SSID. It being Defcon and all, the signal is usually highly directional, or has had its signal strength impeded in some way. If we had decoy hosts of our own with the same MAC/SSID combinations as the target, operating at higher power, we could hopefully draw the other teams away from the real target. We also devised a method of 'tagging' our data so we could tell the spoofed APs apart from the real one and filter those signals out.

Our intention was, instead of using hostap and a laptop, to save those units for other functions and use the WRT54G's cheap embedded nature to create the decoys. This required a bit of testing and some nvram manipulation, but it is not a big stretch for the unit, as we are using only built-in functions.

Step One:

1.1 Obtain a Linksys WRT54G router. The hardware revision shouldn't matter; I will note any differences necessary for different revisions.

1.2 Configure the router's address, DNS and gateway (so that the router can talk to the rest of the world and we can load packages later). This can be done after OpenWRT is loaded, but we might as well use the Linksys GUI while it is still there to make life easier.

Step Two:

2.1 Download the OpenWRT experimental snapshot from the experimental/bin folder on the OpenWRT site. Firmwares are compiled daily regardless of changes and breakage. I used the 6/25/05 firmware and it worked well, so you're on your own if you use a different one. Success stories are welcome though.

The file you want is named "openwrt-wrt54g-squashfs.bin" (if you're using a WRT54GS, obviously pick the GS firmware).

2.2 Connect to the web control panel on the router. Using the upgrade button under Administration -> Upgrade Firmware, violate your warranty by loading the "openwrt-wrt54g-squashfs.bin" file.

Note: It is very advisable to set the boot_wait parameter (the nvram variable is boot_wait) on your router *BEFORE* you flash. If you turn your router into a brick, boot_wait makes the bootloader pause for a few seconds on power-up and accept a fresh firmware over tftp. Without it, recovery gets ugly. The OpenWRT Userguide has instructions for setting it on the default Linksys firmware, or you can load a Sveasoft firmware (or any other third-party firmware) that exposes boot_wait as an option on the web control panel. At any rate, make sure you turn this on; it will save you much headache!

2.2.1 It's recommended by OpenWRT and myself that you use tftp to load firmware, just so you can be sure you can do it should your router become a brick. If you have access to a *nix system on the same network as the router, run the following:

tftp 192.168.0.252
tftp> binary
tftp> rexmt 1
tftp> trace
Packet tracing on.
tftp> put openwrt-wrt54g-squashfs.bin

Then power cycle the router. The tftp program should upload the new firmware, provided boot_wait was set and your timing was right on the power cycle: the bootloader only listens for a few seconds after power-up, so start the put just before you reconnect power and let 'rexmt 1' retry every second until the router answers.
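Getting the timing of the power cycle right is the hard part. This added example (not part of the original article) wraps the upload in a retry loop so you can start it first and then power-cycle the router at leisure. It assumes the tftp-hpa command-line client, whose syntax is 'tftp -m binary HOST -c put FILE', and treats a non-zero exit status or a 'timed out' or error message from the client as a failed attempt. The router address and filename default to the ones used above; the attempt limit and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original article. Retries a tftp firmware
# upload until the router's bootloader answers, so the power cycle does
# not have to be timed by hand. Assumes the tftp-hpa client
# ("tftp -m binary HOST -c put FILE"); other clients need tftp_put adapted.

ROUTER=${ROUTER:-192.168.0.252}                   # router address used in the article
FIRMWARE=${FIRMWARE:-openwrt-wrt54g-squashfs.bin} # image name used in the article

# One upload attempt. Treat a non-zero exit status or a "timed out" /
# "error" message in the client's output as failure (assumption: the
# exit status alone is not enough to tell a timed-out put apart).
tftp_put() {
    out=$(tftp -m binary "$1" -c put "$2" 2>&1) || return 1
    case "$out" in
        *"timed out"*|*"Error"*|*"error"*) return 1 ;;
    esac
    return 0
}

# flash_loop HOST FILE [MAX_TRIES]: retry tftp_put once a second until it
# succeeds. Prints the number of attempts taken and returns 0 on success,
# or returns 1 after MAX_TRIES (default 60, an assumption) failures.
flash_loop() {
    host=$1
    file=$2
    max=${3:-60}
    n=0
    while [ "$n" -lt "$max" ]; do
        n=$((n + 1))
        if tftp_put "$host" "$file"; then
            echo "$n"
            return 0
        fi
        sleep 1
    done
    return 1
}

# Usage: check the image exists, start the loop, then power-cycle the
# router. Only runs when the script is invoked with "flash" as its argument.
if [ "$1" = "flash" ]; then
    [ -f "$FIRMWARE" ] || { echo "missing $FIRMWARE" >&2; exit 1; }
    if n=$(flash_loop "$ROUTER" "$FIRMWARE"); then
        echo "upload accepted on attempt $n; wait for the router to reboot"
    else
        echo "gave up: no answer from $ROUTER" >&2
        exit 1
    fi
fi
```

Run it as 'sh flash.sh flash' from the machine on the router's subnet, then cut and restore power to the router; the loop keeps knocking once a second until the bootloader accepts the image. A successful upload is only the start: leave the router alone for a couple of minutes while it writes flash and reboots.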

2.3 Telnet to 192.168.0.252 and you *should* get a prompt and the nice little banner for the OpenWRT firmware.

Step Three

3.1 Read the OpenWRT Userguide, specifically the section on using 'ipkg' to load extra software. To make some of the changes, we need to load the 'wl' utility for the WRT54G's Broadcom wireless chipset so we can easily manipulate the settings. Run the following:

ipkg install http://www.xs4all.nl/~rop/openwrt/wl_3.50.21.10_mipsel.ipk

I've mirrored the package locally just in case that site goes down; if the above doesn't work, try:
ipkg install http://www.renderlab.net/projects/wardrive/wrt54g/wl_3.50.21.10_mipsel.ipk

If the router complains about not finding hosts, double check that you set up DNS and a gateway. You may need to set a default gateway with 'route add default gw <gateway IP>'.

Step Four

4.1 From the telnet command line you can change any of the settings on the unit. Some you can change temporarily with the 'wl' command or with other Linux commands (iwconfig, ifconfig, etc.); however, if we want to change the wireless MAC to our own desired one, we need to change it in the actual nvram.

Using Kismet, NetStumbler, or whatever you prefer, determine the SSID, the MAC (also referred to as the BSSID) and the channel of the target you want to spoof. Write these down.

4.2 Telnet into the router and run 'ifconfig eth1'. The 'HWaddr' field is the hex MAC address we need to change; write it down in case you ever need to change it back.

4.3 From the command line on the WRT54G, we can now change the router's settings to match our target by editing the nvram directly with the 'nvram' command (replacing values where necessary):

Set the SSID:
nvram get wl0_ssid
(Current SSID is displayed)
nvram set wl0_ssid=(TARGET SSID)
nvram get wl0_ssid
(double check the change went through)

Set the Channel:
nvram get wl0_channel
(Current channel is displayed)
nvram set wl0_channel=(TARGET CHANNEL)
nvram get wl0_channel
(double check the change went through)

Set the MAC:
nvram get il0macaddr
(Current MAC is Displayed)
nvram set il0macaddr=(TARGET MAC Address)
nvram get il0macaddr
(double check the change went through)

Set the alternate MAC (not necessary, but a good idea anyway):
nvram get wl0_hwaddr
(Current MAC is Displayed)
nvram set wl0_hwaddr=(TARGET MAC Address)
nvram get wl0_hwaddr
(double check the change went through)

Run 'nvram commit' so the new values are written to flash and survive the reboot, then reboot the router for the settings to take effect. On the next boot, you should be able to telnet in and run 'ifconfig eth1' and see your new MAC address. Run 'iwconfig' and eth1 should have the ESSID and channel you set. If not, go through the above steps again.
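The four nvram changes plus the post-reboot check are easy to fat-finger. The following added example, which is not the article's own code, puts them in a small shell script: it validates the channel and MAC (rejecting a group address, which a BSSID never is), prints the exact nvram commands including 'nvram commit' (which writes the values to flash so they survive the reboot), and parses the output of 'ifconfig eth1' and 'iwconfig eth1' to confirm the change took. The nvram variable names are the ones used above; the function names and the sample command output are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original article. Validates the target
# values, emits the nvram commands from step four (plus "nvram commit",
# which writes them to flash so they survive the reboot) and checks the
# post-reboot ifconfig/iwconfig output against what was requested. The
# nvram variable names are the article's; function names and sample
# command output are constructed for this example.

# is_mac MAC: 0 if MAC is six colon-separated hex pairs with the
# individual/group bit clear (a BSSID is a unicast address; an odd second
# hex digit means a group address and is rejected).
is_mac() {
    case "$1" in
        [0-9A-Fa-f][13579bBdDfF]:*) return 1 ;;
        [0-9A-Fa-f][0-9A-Fa-f]:[0-9A-Fa-f][0-9A-Fa-f]:[0-9A-Fa-f][0-9A-Fa-f]:[0-9A-Fa-f][0-9A-Fa-f]:[0-9A-Fa-f][0-9A-Fa-f]:[0-9A-Fa-f][0-9A-Fa-f]) return 0 ;;
    esac
    return 1
}

# is_channel N: 0 if N is a 2.4 GHz channel number 1..14.
is_channel() {
    case "$1" in
        [1-9]|1[0-4]) return 0 ;;
    esac
    return 1
}

# spoof_cmds SSID CHANNEL MAC: print the nvram commands for the decoy, or
# print an error and return 1 if a value is malformed. SSIDs containing
# double quotes or $ would need extra escaping.
spoof_cmds() {
    ssid=$1
    chan=$2
    mac=$3
    is_channel "$chan" || { echo "bad channel: $chan" >&2; return 1; }
    is_mac "$mac" || { echo "bad MAC: $mac" >&2; return 1; }
    printf 'nvram set wl0_ssid="%s"\n' "$ssid"
    printf 'nvram set wl0_channel=%s\n' "$chan"
    printf 'nvram set il0macaddr=%s\n' "$mac"
    printf 'nvram set wl0_hwaddr=%s\n' "$mac"
    printf 'nvram commit\n'
    printf 'reboot\n'
}

# mac_matches IFCONFIG_OUTPUT MAC: 0 if the HWaddr in the captured
# "ifconfig eth1" text equals MAC (case-insensitive).
mac_matches() {
    got=$(printf '%s\n' "$1" | sed -n 's/.*HWaddr \([0-9A-Fa-f:]*\).*/\1/p' | head -n 1 | tr 'a-f' 'A-F')
    want=$(printf '%s' "$2" | tr 'a-f' 'A-F')
    [ -n "$got" ] && [ "$got" = "$want" ]
}

# essid_from_iwconfig IWCONFIG_OUTPUT: print the ESSID from captured
# "iwconfig eth1" text.
essid_from_iwconfig() {
    printf '%s\n' "$1" | sed -n 's/.*ESSID:"\([^"]*\)".*/\1/p' | head -n 1
}

# Constructed sample output (not captured from a real router) of what
# "ifconfig eth1" and "iwconfig eth1" look like after a successful change.
SAMPLE_IFCONFIG='eth1      Link encap:Ethernet  HWaddr 00:0F:66:12:34:56
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1'
SAMPLE_IWCONFIG='eth1      IEEE 802.11-DS  ESSID:"target net"
          Mode:Master  Frequency:2.437 GHz  Access Point: 00:0F:66:12:34:56'

# Demonstration with the constructed values: print the commands, then
# check the sample output the way you would after the reboot.
spoof_cmds "target net" 6 00:0F:66:12:34:56
mac_matches "$SAMPLE_IFCONFIG" 00:0f:66:12:34:56 && echo "MAC ok"
[ "$(essid_from_iwconfig "$SAMPLE_IWCONFIG")" = "target net" ] && echo "SSID ok"
```

Generate the commands on your workstation, review them, then paste them into the telnet session. After the reboot, feed the real output to the checks; the script uses only BusyBox-compatible sh, sed, tr and head, so on the router itself you can run mac_matches "$(ifconfig eth1)" 00:0F:66:12:34:56 directly.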


Using this trick, the small, low-power nature of the router and some ingenuity leave lots of possibilities open for the imaginative mind. At Defcon, I rigged up some 12V, 2.3Ah batteries to power the routers. This allowed the routers to be totally mobile and concealed wherever we liked. Hooking one up to a pair of 7.8 dBi omnis led to much entertainment as we massively overpowered the actual target AP.

Other possibilities for this unit are plentiful. Since we are running Linux, putting a thttpd web server on the router along with DHCP would allow a self-contained implementation of Beetle's Airsnarf hotspot spoofer. Hook the router to a WET11 and bridge back to the real AP and you have a small, concealable, embedded 'Evil Twin' spoofed AP.