At Defcon 13, my wardriving team and I took a different tack than most teams in the past. If we were going to compete, we were going to play hardball and actively attack the other teams while we were doing the contest. One of the things we came up with was using the WRT54G as a small, mobile spoofed target AP.
Many of the games require you to find a specific access point with a specific MAC and SSID. It being Defcon and all, the signal is usually highly directional, or has had its signal strength impeded in some way. If we had decoy hosts of our own with the same MAC/SSID combinations as the target operating at a higher power, we could hopefully draw the other teams away from the real target. We also devised a method of 'tagging' our data so we could tell which signals came from the spoofed AP and filter those out.
Our intention was, instead of using hostap and a laptop, to save those units for other functions and use the WRT54G's cheap embedded nature to create the decoys. This required a bit of testing and some nvram manipulation, but it is not a big stretch for the functions of the unit, as we are using only built-in functions.
1.1 Obtain a Linksys WRT54G Router. Revision shouldn't matter, I will note any differences necessary for different Rev's.
1.2 Configure the router's address, DNS and gateway (so that the router can talk to the rest of the world and we can load packages later). This can be done after OpenWRT is loaded, but we might as well use the GUI Linksys provides here anyway to make life easier.
2.1 Download OpenWRT Whiterussian RC3 from the OpenWRT site.
The file you want to use is named "openwrt-wrt54g-squashfs.bin" (if you're using a WRT54GS, obviously pick the GS firmware).
2.2 Connect to the web control panel on the router (if you're still using the Linksys firmware). Using the Upgrade Firmware button under Administration -> Upgrade Firmware, violate your warranty by loading the "openwrt-wrt54g-squashfs.bin" file.
Note: It is very advisable to set the BOOT_WAIT parameter on your router *BEFORE* you flash. In case you turn your router into a brick, this gives you a few seconds to try and upload a fresh firmware on powerup. If not, it gets ugly. The OpenWRT User's Guide has instructions for doing this on the default Linksys firmware, or you can load a Sveasoft firmware (or any other firmware) that has the BOOT_WAIT parameter as an option on the web control panel. At any rate, make sure you turn this on; it will save you much headache!
2.2.1 It's recommended by OpenWRT and myself that you use tftp to load firmware, just so you can be sure you can do it should your router become a brick. If you have access to a *nix system on the same network as the router, just run the following:
tftp 192.168.0.252
tftp> binary
tftp> rexmt 1
tftp> trace
Packet tracing on.
tftp> put openwrt-wrt54g-squashfs.bin
Then power cycle the router. The tftp program should upload the new firmware (provided the BOOT_WAIT parameter was set, and your timing was right on the power cycle).
2.3 Telnet to 192.168.0.252 and you *should* get a prompt and the nice little banner for the OpenWRT firmware.
3.1 Read the OpenWRT User's Guide, specifically the section on using 'ipkg' to load extra software. To make some of the changes we need to load the 'wl' driver for the WRT54G chipset so we can easily manipulate the settings. Run the following:
ipkg update
I've mirrored the driver locally just in case it goes down; if the above doesn't work, try:
ipkg install http://www.renderlab.net/projects/wrt54g/wl_3.90.37-1_mipsel.ipk
If the router complains about not finding hosts, double check you set up DNS and a gateway. You may need to set a default gateway with:
route add default gw
4.1 From the telnet command line you can change any of the settings on the unit. Some you can change temporarily with the 'wl' command or with other Linux commands (iwconfig, ifconfig, etc.); however, if we want to change the wireless MAC to our own desired one, we need to change it in the actual nvram.
Using Kismet, Netstumbler, or whatever you prefer, determine the SSID, the MAC (also referred to as the BSSID), and the channel of the target you want to spoof. Write these down.
4.2 Telnet into the router and run 'ifconfig eth1'. The 'HWaddr' line has the hex MAC address we need to change; it's a good idea to write this down should you ever need to change it back.
4.3 From the command line on the WRT54G, we can now change the router's settings to match our target by using the 'nvram' command to edit the stored configuration directly (replacing values where necessary):
Set the SSID:
nvram get wl0_ssid
(Current SSID is displayed)
nvram set wl0_ssid=(TARGET SSID)
nvram get wl0_ssid
(double check the change went through)
Set the Channel:
nvram get wl0_channel
(Current channel is displayed)
nvram set wl0_channel=(TARGET CHANNEL)
nvram get wl0_channel
(double check the change went through)
Set the MAC:
nvram get il0macaddr
(Current MAC is Displayed)
nvram set il0macaddr=(TARGET MAC Address)
nvram get il0macaddr
(double check the change went through)
Set the alternate MAC (not necessary, but a good idea anyway):
nvram get wl0_hwaddr
(Current MAC is Displayed)
nvram set wl0_hwaddr=(TARGET MAC Address)
nvram get wl0_hwaddr
(double check the change went through)
As of OpenWRT Whiterussian RC3, and with Linksys WRT54G V3's, you may also have to change the following to get this whole thing to work; otherwise the router reverts to the old MAC:
Set the et0 MAC:
nvram get et0macaddr
(Current et0 MAC is displayed)
nvram set et0macaddr=(TARGET MAC)
nvram get et0macaddr
(double check the change went through)
Set the LAN MAC:
nvram get lan_hwaddr
(Current MAC is Displayed)
nvram set lan_hwaddr=(TARGET MAC Address)
nvram get lan_hwaddr
(double check the change went through)
At the end of all that, you need to run:
nvram commit
This writes the settings to the nvram.
You'll need to reboot your router for the settings to take effect, but on the next boot you should be able to telnet in and run 'ifconfig eth1' and see your new MAC address. Run 'iwconfig' and eth1 should show the ESSID and channel you set. If not, go through the above steps again.
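The flip side of the decoy trick described at the top of this writeup (a second radio announcing the same BSSID and SSID as the real target, usually on another channel and at much higher power) is that the duplicate is visible to anyone who keeps per-BSSID state while scanning. The following Python script is an added example for this page, not code from the original writeup; it assumes scan records reduced to (BSSID, SSID, channel, signal in dBm, sensor name), constructed here by hand rather than taken from a real Kismet or Netstumbler capture, and it applies the same kind of filtering our 'tagging' was meant to support: flag a BSSID that shows up on more than one channel, with more than one SSID, with a signal spread far above what one radio would produce, or that disagrees with a known-good baseline.

```python
"""Duplicate-AP (decoy / evil twin) detector over scan observations.

Added example; not part of the original page. The record format and the
thresholds are assumptions made for this demonstration.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Observation:
    bssid: str       # as printed by the scanner, e.g. "00:11:22:33:44:55"
    ssid: str
    channel: int
    signal_dbm: int  # received signal strength, dBm (more negative = weaker)
    sensor: str      # hypothetical name of the scanning station


# Assumption: a spread of this many dB between the median and the strongest
# sighting of one BSSID in a single scan window is more than one radio explains.
SIGNAL_SPREAD_DB = 20


def parse_record(line):
    """Parse one constructed CSV record: bssid,ssid,channel,signal_dbm,sensor."""
    bssid, ssid, channel, signal, sensor = (f.strip() for f in line.split(","))
    return Observation(normalize_bssid(bssid), ssid, int(channel), int(signal), sensor)


def normalize_bssid(bssid):
    """Lowercase and use ':' separators so 00-11-22-33-44-55 and 00:11:... match."""
    return bssid.strip().lower().replace("-", ":")


def analyze(observations, baseline=None):
    """Return sorted (bssid, code, detail) alerts.

    baseline: optional dict bssid -> {"ssid": ..., "channel": ...} describing
    the access points you know to be genuine. Without it, only in-window
    inconsistencies are reported.
    """
    baseline = {normalize_bssid(k): v for k, v in (baseline or {}).items()}
    by_bssid = defaultdict(list)
    for o in observations:
        by_bssid[normalize_bssid(o.bssid)].append(o)

    alerts = []
    for bssid, obs in by_bssid.items():
        channels = {o.channel for o in obs}
        ssids = {o.ssid for o in obs}
        signals = [o.signal_dbm for o in obs]

        # One physical AP beacons on one channel with one SSID.
        if len(channels) > 1:
            alerts.append((bssid, "multi-channel", f"seen on channels {sorted(channels)}"))
        if len(ssids) > 1:
            alerts.append((bssid, "multi-ssid", f"seen with SSIDs {sorted(ssids)}"))

        # A decoy run at much higher power produces an outlier above the
        # typical level; sensors on the far side of the room still see the real AP.
        spread = max(signals) - median(signals)
        if spread >= SIGNAL_SPREAD_DB:
            alerts.append((bssid, "signal-spread",
                           f"strongest {max(signals)} dBm is {spread:.0f} dB above median"))

        # Compare against what the BSSID is known to look like.
        ref = baseline.get(bssid)
        if ref:
            for ch in sorted(channels - {ref["channel"]}):
                alerts.append((bssid, "channel-mismatch",
                               f"channel {ch} differs from baseline {ref['channel']}"))
            for s in sorted(ssids - {ref["ssid"]}):
                alerts.append((bssid, "ssid-mismatch",
                               f"SSID {s!r} differs from baseline {ref['ssid']!r}"))
    return sorted(alerts)


# Constructed sample window (not a real capture): the genuine AP on channel 6 at
# roughly -70 dBm, a decoy copying its BSSID/SSID on channel 11 at -35 dBm, and
# an unrelated network for contrast.
SAMPLE_LINES = [
    "00:11:22:33:44:55,contest-ap,6,-71,sensor-a",
    "00:11:22:33:44:55,contest-ap,6,-69,sensor-a",
    "00-11-22-33-44-55,contest-ap,6,-70,sensor-b",
    "00:11:22:33:44:55,contest-ap,11,-35,sensor-c",
    "00:11:22:33:44:55,contest-ap,11,-33,sensor-c",
    "aa:bb:cc:dd:ee:ff,other-net,1,-60,sensor-a",
]
SAMPLE = [parse_record(l) for l in SAMPLE_LINES]
BASELINE = {"00:11:22:33:44:55": {"ssid": "contest-ap", "channel": 6}}

if __name__ == "__main__":
    for bssid, code, detail in analyze(SAMPLE, BASELINE):
        print(f"{bssid}  {code:16s} {detail}")
```

The baseline is the important part in practice: without it, a decoy that copies the channel as well as the BSSID and SSID only shows up through the signal spread, and an attacker who matches the power level too leaves only timing and sequence-number artifacts, which this script does not look at.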
Using this trick, the small, low-power nature of the router and some ingenuity leave lots of possibilities open for the imaginative mind. At Defcon, I rigged up some 12V, 2.3Ah batteries to power the routers. This allowed the routers to be totally mobile and concealed wherever we liked. Hooking one up to a pair of 7.8 dB omnis led to much entertainment as we massively overpowered the actual target AP.
Other possibilities for this unit are plentiful. Just use your imagination!
This guide is also available at The Church Of Wifi.