Samiux's Blog

Friday, May 24, 2013

HOWTO : TP-Link TL-MR3020 (Pocket Router) as Wifi Pineapple

Hardware

(1) TP-Link TL-MR3020
(2) SanDisk Cruzer Fit USB Flash Drive (8GB)

Software

(1) OpenWrt
(2) Wifi Pineapple Web Interface
(3) Wifi Pineapple (configure files only)

Wifi Pineapple is created by Hak5. It is quite expensive device. It is also named as Jasager.

Wifi Pineapple is the Wifi Access Point (AP) to answer “Yes” to all Wifi connection.

If a Wifi client is looking for the SSID of Macdonld the Pineapple (or Jasager) will reply “That’s Me!”. If another Wifi client is looking for an SSID of Starbucks, again the Pineapple will reply “That's Me!”

From this stage you can attack WiFi clients and perfrom Man-in-The-Middle (MiTM) attacks on victims internet traffic!.

Now, we are going to make a custom Wifi Pineapple in a much cheaper price, e.g about $30-USD or less.

Step 1 :

To download the OpenWRT (Attitude Adjustment 12.09, r36088 - at this time of writing) :

If you are fresh install from the stock version of the TP-Link TL-MR3020 -

wget http://downloads.openwrt.org/attitude_adjustment/12.09/ar71xx/generic/openwrt-ar71xx-generic-tl-mr3020-v1-squashfs-factory.bin

If you are upgrade from the previous installed OpenWRT -

wget http://downloads.openwrt.org/attitude_adjustment/12.09/ar71xx/generic/openwrt-ar71xx-generic-tl-mr3020-v1-squashfs-sysupgrade.bin

Configure your computer to static IP address :

IP address : 192.168.0.10

Gateway    : 192.168.0.1

The default IP address of stock TP-Link TL-MR3020 is 192.168.0.254.

The username and password of the stock TP-Link TL-MR3020 are both "admin".

Go to the "System Tools" -- "Firmware Upgrade"HOWTO : TP-Link TL-MR3020 (Pocket Router) as Wifi Pineapple to upgrade to the just downloaded .bin file.

Step 2 :

Once upgraded to OpenWRT, your device's IP address will changed to 192.168.1.1.

Then set the very STRONG root password at "System" -- "Administration".

To enable wireless at "Network" -- "Wifi".

To enable DHCP at "Network" - "Interfaces" - "Edit" - select "DHCP Client" and "OpenWrt".

Now, connect your ethernet cable to the TL-MR3020. Connect your computer to the TL-MR3020 via wifi and the SSID is "OpenWrt".

Once you get the IP address, such as 192.168.1.100, you can connect to the TL-MR3020 via ssh.

ssh 192.168.1.100 -lroot

Enter your just created very STRONG root password.

Install the following packages :

opkg update

opkg install kmod-usb-storage
 
opkg install kmod-fs-ext4

opkg install block-mount

Step 3 :

Format your USB pendrive (8GB) as ext4 and swap, e.g. 2GB for swap (sda1) and 6GB for ext4 (sda2).

Then insert the USB pendrive to the TL-MR3020. Execute the following command line by line.

mkdir -p /mnt/sda2

mount /dev/sda2 /mnt/sda2

mkdir -p /tmp/cproot

mount --bind / /tmp/cproot

tar -C /tmp/cproot -cvf - . | tar -C /mnt/sda2 -xf -

umount /tmp/cproot

umount /mnt/sda2

Step 4 :

/etc/init.d/fstab enable

/etc/init.d/fstab start

vi /etc/config/fstab

Change the content as the following :

config mount

        option target /

        option device /dev/sda2

        option fstype ext4

        option options rw,sync

        option enabled 1

        option enabled_fsck 0



config swap

        option device /dev/sda1

        option enabled 1

The following is the command for the vi if you do not familiar with vi :

i - go to the insert mode and ready for edit
Esc - exit from insert mode
:w - write the changes to the file
:q - quit the vi

Then type the following command to reboot the device :

reboot

Once it boot up again, you login to it via ssh.

To check if the USB pendrive is mounted as "/" or not :

mount

df

Then install any package that you like, such as :

opkg update

opkg install nano

opkg install htop

opkg install bash

opkg install netcat
 
opkg install tar

opkg install openssh-sftp-client
 
opkg install nmap

opkg install tcpdump

opkg install aircrack-ng
 
opkg install kismet-client

opkg install kismet-server

opkg install nbtscan

opkg install snort

opkg install karma

opkg install samba36-client
 
opkg install elinks

opkg install yafc

opkg install python

opkg install uhttpd

opkg install at

opkg install php5

opkg install php5-cgi

/etc/init.d/atd start

touch /var/spool/cron/atjobs/.SEQ

Step 4a :

ssh to the TL-MR3020 (Pineapple).

nano /etc/rc.local

Insert the following line above the "exit 0".

/etc/init.d/atd start

Step 5 :

Download the upgrade package of Pineapple to your computer, such as Ubuntu :

wget http://wifipineapple.com/index.php?downloads&downloadUpgrade=2.8.1

Install unsquashfs on your Ubuntu if you do not have it :

sudo apt-get install squashfs-tools

Extract the files from the upgrade-2.8.1.bin :

unsquashfs upgrade-2.8.1.bin



cd squashfs-root

Copy the following files to the TL-MR3020 via ssh :

Should disabled the "Wireless" at the Pineapple webpage before doing the following commands :

scp /home/samiux/test/squashfs-root/usr/sbin/hostapd root@192.168.1.100:/usr/sbin

scp /home/samiux/test/squashfs-root/usr/sbin/wpad root@192.168.1.100:/usr/sbin

Make sure you restart the "Wireless" after done.

scp /home/samiux/test/squashfs-root/usr/sbin/hostapd_cli root@192.168.1.100:/usr/sbin

scp /home/samiux/test/squashfs-root/lib/wifi/hostapd.sh root@192.168.1.100:/lib/wifi

Step 6 :

Download the Pineapple source code to "/home/samiux/test" :

sudo apt-get install git

git clone https://github.com/WiFiPineapple/web-interface.git /home/samiux/test/pineapple

Replace the uncompatiable commands :

grep -lr -e 'ps aux' /home/samiux/test/pineapple/* | xargs sed -i 's/ps aux/ps/g'

grep -lr -e 'ps -all' /home/samiux/test/pineapple/* | xargs sed -i 's/ps -all/ps/g'

grep -lr -e 'ps auxww' /home/samiux/test/pineapple/* | xargs sed -i 's/ps auxww/ps/g'

Then copy the directories to the TL-MT3020 via ssh :

scp -r /home/samiux/test/pineapple/ root@192.168.1.100:/

Download or copy the following files to "/home/samiux/test" :

/etc/config/dhcp :

/etc/config/firewall :

/etc/config/network :

/etc/config/uhttpd :

/etc/php.ini :

Then copy the following files to the TL-MR3020 via ssh :

scp /home/samiux/test/dhcp root@192.168.1.100:/etc/config

scp /home/samiux/test/firewall root@192.168.1.100:/etc/config

scp /home/samiux/test/network root@192.168.1.100:/etc/config

scp /home/samiux/test/uhttpd root@192.168.1.100:/etc/config

scp /home/samiux/test/php.ini root@192.168.1.100:/etc

Step 7 :

ssh 192.168.1.100 -lroot

Any upgrade/update from the Pineapple will brick your TL-MR3020, so you need to disable it.

touch index.php /www/

mv /pineapple/pages/upgrade.php /pineapple/pages/not-upgrade.php

touch /pineapple/pages/upgrade.php

Step 8 :

nano /etc/rc.local



hostapd_cli -p /var/run/hostapd-phy0 karma_enable

vi /etc/config/httpd.conf

Append the following :

/:root:$p$root

Reboot the TL-MR3020 :

reboot

After boot up, point your browser to the following url :

http://172.16.42.1:1471

Enter username as "root" and password as your very STRONG root password.

The SSID is "OpenWrt".

Step 9 (Optional) :

The following is one of the ways to use the Pineapple (TL-MR3020) by the way of tethering :

Connect your TL-MR3020 to the computer (laptop) with wired cable. Connect your laptop to internet via wireless.

Set Wired Connection at the Network Manager of the Ubuntu to :

Method : Manual

Address : 172.16.42.42

Netmask : 255.255.255.0

Gateway : 172.16.42.1

DNS Server : 8.8.8.8

At the laptop, download the script.

wget wifipineapple.com/wp4.sh
chmod +x wp4.sh
sudo ./wp4.sh

Now, your computer (laptop) can access internet and also can access the TL-MR3020.

*** One problem that I encountered so far is that the victim, who is connected to the Pineapple (TL-MR3020), cannot access the internet. I don't know if it is a feature or not. Or, I need to solve this problem. ;P

Step 10 (Optional) :

The following is one of the ways to use the Pineapple (TL-MR3020) by router or alike :

Change the content of the file "/etc/config/network" to the following :

If your router (such as mobile phone with tethering function) IP address range is 192.168.1.x, you can change the IP address of TL-MR3020 to 192.168.1.10 and the gateway as the gateway of your router (such as mobile phone) :

option ipaddr '192.168.1.10'

option netmask '255.255.255.0'

option gateway '192.168.1.1'

option dns '8.8.8.8'

*** The victim, who is connected to the Pineapple (TL-MR3020), can access to interent by this setup.

Reference

Blue for the Pineapple
The beginners guide to breaking website security with nothing more than a Pineapple
Getting Started with the Wi-Fi Pineapple IV (Video)
Security4Plus Youtube Channel (Video)
How To: Configure a WiFi Pineapple For Use With Mac OS X (Video)
The Wifi Pineapple Book - Free Download

Known Issues

The Services of "URL Snarf", "DNS Spoof" and "SSH" cannot be enabled. I think I need to find out a way to make them to be enabled.

That's all! See you.

Tuesday, May 21, 2013

HOWTO : Nessus on Ubuntu Desktop 12.04 LTS

Step 1 :

Go to the following link to download you copy of Nessus.

http://www.tenable.com/products/nessus/select-your-operating-system

For 32-bit :

wget "http://downloads.nessus.org/nessus3dl.php?file=Nessus-5.2.1-ubuntu1110_i386.deb&licence_accept=yes&t=8bd3179e2669137382555cb07611a795&__utma=96148739.876193166.1369081770.1369081770.1369084100.2&__utmb=96148739.3.10.1369084100&__utmc=96148739&__utmx=-&__utmz=96148739.1369084100.2.2.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=(not%20provided)&__utmv=-&__utmk=236900745" -O Nessus-5.2.1-ubuntu1110_i386.deb

For 64-bit :

wget "http://downloads.nessus.org/nessus3dl.php?file=Nessus-5.2.1-ubuntu1110_amd64.deb&licence_accept=yes&t=8bd3179e2669137382555cb07611a795&__utma=96148739.876193166.1369081770.1369081770.1369084100.2&__utmb=96148739.3.10.1369084100&__utmc=96148739&__utmx=-&__utmz=96148739.1369084100.2.2.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=(not%20provided)&__utmv=-&__utmk=236900745" -O Nessus-5.2.1-ubuntu1110_amd64.deb

Step 2 :

sudo dpkg -i Nessus-5.2.1-ubuntu1110_i386.deb

or

sudo dpkg -i Nessus-5.2.1-ubuntu1110_adm64.deb

Go to the following link to register your Nessus Plugin feed :

http://www.tenable.com/products/nessus/nessus-homefeed

sudo /etc/init.d/nessusd start

Point your Firefox to :

https://localhost:8834/

Follow the instructions on the browser.

Activate your Nessus plugin feed via the received email.

After that, you should disable the nessusd from being loaded automatically when bootup.

sudo update-rc.d nessusd disable

Step 3 :

To run it.

sudo /etc/init.d/nessusd start

Point your Firefox to :

https://localhost:8834/

That's all! See you.

HOWTO : edb-debugger on Ubuntu Desktop 12.04 LTS

When we are doing debugging work on Windows system, we will use Immunity Debugger or Olldbg. Those are very good debuggers for Windows system. When doing debugging work on Linux, there is a command line version, namely GDB (The GNU Project Debugger). How about the GUI version of Linux debugger? Yes, there is one available, it is namely Evan's Debugger (edb-debugger).

Step 1 :

sudo apt-get update

sudo apt-get install libqt4-dev libboost1.48-all-dev subversion

Step 2 :

sudo -sH

cd /opt



svn checkout http://edb-debugger.googlecode.com/svn/trunk/ edb-debugger

cd edb-debugger

qmake

make

make install

Step 3 :

To run it. You can run it at any directory.

sudo -sH

edb

If you run it for the first time, you will be prompted for not loading some plugins, you can solve it when the pop up windows showing up.

Preferences -- Directories



Symbol Directory : /opt/edb-debugger

Plugin Directory : /lib64/edb

Session Directory : /opt/edb-debugger

That's all! See you.