About

Thursday, September 2, 2010

IBM Thinkpad T30

I love my old beat up IBM T30 Thinkpad. I've always found Thinkpads to be solidly constructed and to be well wearing machines (mine has taken some abuse). Here are the specs:
  • Pentium 4 1200Mhz
  • 256 MB Ram
  • 40GB HD
  • 14.1" screen - 1,024 × 768
  • 16 MB video memory
  • MiniPCI slot
  • 56K Modem, 100Mbit Ethernet, Com & LPT1 ports
I scored it cheaply as a refurbished ex-lease machine, and had been running Ubuntu Hardy 8.04 LTS on it since it was released in April 2008.

Just the other day I decided to wipe Hardy off this laptop and give OpenBSD 4.7 a try. This laptop is a secondary one which I only use for playing; sometimes it's nice to learn a new OS on a dedicated machine.

Install process wasn't so bad, my display drivers were automatically installed and building Gnome was fine. Have a usable OpenBSD desktop now, getting there was not as horrific as I had expected.

Sunday, July 4, 2010

Using OpenWRT on my dg834

Have been using OpenWRT to power my home adsl connection for the past month. Running Kamikaze on a Netgear DG834 v2, as detailed in my last post, and it's solid.
08:11:03 up 20 days, 3:39, load average: 0.00, 0.03, 0.08
Here is what I have done since then:
Connection
Modify /etc/init.d/network and remove all the /sbin/wifi up lines (I don't have Wifi). Also have /sbin/ifup wan under the boot section of /etc/init.d/network to get ppp to come up after booting.
ppp will automatically reconnect if it drops out. I also placed a script under /etc/ppp/ip-up.d/log_ppp_up that will log when my last connection
#!/bin/sh
# /etc/ppp/ip-up.d/log_ppp_up - run by pppd each time the link comes up.
# pppd exports the local address as IPLOCAL (it is also passed as $4); fall
# back to parsing the route table if that variable is missing.
pubip=${IPLOCAL:-$(ip route show dev ppp0 | awk '{ print $7 }')}
uptime > /www/ppp-status.html
echo " wan ip: $pubip" >> /www/ppp-status.html
Cron
OpenWRT has cron; run crontab -e (same as vim /etc/crontabs/root) to set up jobs. There is however a bug in Busybox that makes cron leave an error message in your syslog every time a task executes (other than the cron.err it seems to work fine).
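The ip-up.d hook above records when the link last came up; the natural companion is a cron job that checks the link is still healthy and kicks ppp when it is not (the "check the connection health" item from the earlier DG834 post). The following is an added example, not a script from the original post: the file name, the function names and the choice of ping target (the PPP peer address, which needs no host beyond the ISP) are my assumptions. The route-table check is plain text processing so it can be exercised off the router.

```sh
#!/bin/sh
# wan-check.sh: cron-driven WAN health check for the OpenWrt router.
# Added example, not part of the original post. The file name, the function
# names and the ping target (the PPP peer address) are assumptions.
# Drop it in /root/wan-check.sh and add to `crontab -e`:
#   */5 * * * * /root/wan-check.sh

# Read `ip route` output on stdin; succeed (exit 0) only if a default route
# goes out over ppp0. Pure text parsing, so it can be tested offline.
has_default_via_ppp0() {
  awk '
    $1 == "default" {
      for (i = 2; i <= NF; i++)
        if ($i == "dev" && $(i + 1) == "ppp0") found = 1
    }
    END { exit found ? 0 : 1 }
  '
}

# The PPP peer address is the first non-default route on ppp0: reachable
# whenever the link is up, and it does not depend on any external host.
ppp_peer() {
  ip route show dev ppp0 | awk '$1 != "default" { print $1; exit }'
}

# Check the link and restart the wan interface if it is down.
wan_check() {
  target=${1:-$(ppp_peer)}
  if ip route | has_default_via_ppp0 && [ -n "$target" ] \
     && ping -c 1 -W 5 "$target" >/dev/null 2>&1; then
    return 0
  fi
  logger -t wan-check "wan down, running ifup wan"
  ifup wan
}

# Only act when run as a script, not when the functions are sourced.
case "${0##*/}" in wan-check.sh) wan_check "$@" ;; esac
```

Because the default route is checked before anything is pinged, a link that pppd has already torn down is restarted without waiting on a ping timeout; the ping catches the other failure mode, where the interface is up but nothing is passing.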
Syslog
Use the logread command to view the syslog, and logger "some message" to write to it. To forward the system log to another machine in /etc/config/system under config 'system' add:
option 'log_ip' '192.168.1.10'
option 'log_port' '514'
option 'log_size' '16'
option 'log_type' 'circular'
Packages
The opkg package manager, http://code.google.com/p/opkg/, an actively developed fork of ipkg, is installed with OpenWRT. Before installing new packages I usually have to run the update command first.
Realtime bandwidth monitoring with ifstat package:
root@OpenWrt:~# opkg install ifstat
root@OpenWrt:~# ifstat -S
Time       eth0                br-lan              imq0                ppp0
HH:MM:SS   KB/s in  KB/s out   KB/s in  KB/s out   KB/s in  KB/s out   KB/s in  KB/s out
12:38:45      3.75    112.54      2.87    112.54    117.19    111.33    117.19      2.46
lsof is also a handy debugging tool that can be installed with opkg.
It's somewhat worrying watching free space shrink on my jffs2 partition when I install packages. I made the mistake of filling the flash completely once; it segfaulted, and after a reboot it was luckily all okay.
Time Setup
Install ntpclient to keep time on the device, as there is no BIOS battery to keep the clock running across a reboot:
root@OpenWrt:~# opkg install ntpclient
After installing, configure its settings (see ntpclient --help) in /etc/config/ntpclient.
Also be sure to set the correct time zone in /etc/config/system
Network traffic monitoring
It's very handy having tcpdump on your router :-)
root@OpenWrt:~# opkg install tcpdump
Forwarding all outgoing http traffic through a proxy on my LAN, add this to /etc/config/firewall:
config redirect
option src_dport 80
option proto tcp
option src lan
option dest_ip 192.168.1.100
option dest_port 8080
Two things to check before relying on this: the proxy has to run in transparent (intercept) mode, since redirected clients send ordinary requests rather than proxy-style absolute URLs; and the proxy host itself sits in the lan zone, so its own outgoing port 80 requests match this rule too and would be redirected back to itself unless its address is excluded from the redirect (for example with a rule in /etc/firewall.user).
Read more of the firewall documentation for other examples: http://wiki.openwrt.org/doc/uci/firewall

LEDS
OpenWRT does not fully support the LEDs on this model of router yet. The LEDs on the network switch work fine, but there is no indication of WAN status out of the box. I found this script on pitt-pladdy.com. Use scp or wget to place it on the modem:
root@OpenWrt:/etc/init.d# cd /etc/init.d/
root@OpenWrt:/etc/init.d# wget http://192.168.1.11/local-adsl-led
root@OpenWrt:/etc/init.d# ./local-adsl-led enable
root@OpenWrt:/etc/init.d# ./local-adsl-led start
The 3 front leds are now: (power) (cpu?) (wan up/wan down).
Further securing
  • Install ssh keys for dropbear (the file must be readable only by root, and chmod needs the full path when run from ~):
root@OpenWrt:~# vim /etc/dropbear/authorized_keys
root@OpenWrt:~# chmod 0600 /etc/dropbear/authorized_keys
  Once key login works, password logins over ssh can be turned off as well with the PasswordAuth option in /etc/config/dropbear.
  • Remove telnet now that a password for root has been set and ssh is working:
root@OpenWrt:~# rm /etc/init.d/telnet
Future plans
I really like the OpenWRT platform and plan to keep messing with it, there are some cool mods out there. I also have a Netgear dg834g (v1) at home that I plan to install OpenWRT on next, but after that I might have to buy a Linksys WRT router.
There are plenty of interesting things to do with routers:

Also I noticed that tor is available in the opkg repository, however it's version 0.2.0.31-1, which is an old version. It might be worth looking at a project of installing the latest version of tor on another router, and having it all set up purely for secure anonymous web access.

Tuesday, June 15, 2010

Talks on privacy and anonymity

Watched these talks a little while ago but have just been revisiting them.

Changing Threats To Privacy: From TIA to Google
By Moxie Marlinspike

Abstract: A lot has changed since discussions around digital privacy began. The security community won the war for strong cryptography, anonymous darknets which presumably make the eradication of information impossible have been successfully deployed, and much of the communications infrastructure has been decentralized. These strategies were carefully conceived while planning for the most dystopian visions of the future imaginable, and yet somehow they've fallen short of delivering us from the most pernicious privacy threats today. Rather than a centralized state-backed database of all our movements, modern threats to privacy have become something much more subtle, and perhaps all the more sinister. This talk will explore these evolving trends and discuss some interesting solutions in the works.


Becoming Jack Flack: Real Life Cloak and Dagger
By Taylor Banks and Adam Bregenzer

Abstract: Are you on too many social networking sites? Have all of your exes found you on facebook? If the fuzz came looking, how easy would it be for them to find you? kaos.theory, the creators of Anonym.OS, bring you this abridged guide to becoming (and staying) anonymous. Privacy is your right, anonymity is your path, and kaos.theory will be your guide.
We address anonymity at three progressively comprehensive levels - whether you just want to CLOAK your tracks, go undercover like Jack Flack at the DAGGER level, or go completely off the grid and be a HERMIT. In this 50 minute session, arcon (Adam Bregenzer) and dr.kaos (Taylor Banks) explore some of the issues, challenges, and sacrifices you will encounter. After this talk, if you don't cut up your credit cards, we will!

Sunday, June 6, 2010

Installing OpenWRT Kamikaze on a Netgear DG834 v2 ADSL Router


This is how I installed OpenWRT, a Linux distribution for embedded devices, on a Netgear DG834 v2 ADSL Router. Apparently the DG834G is the same but comes with a wireless interface too.

CPU: Texas Instruments AR7 @150MHZ
RAM: 16MB
Disk: 4MB flash

This modem was given to me by a friend who had been given a whole bunch of old network gear. After some research on the web I decided to try installing OpenWRT, it looked fun and some pieces of documentation for this model existed already.

My procedure is here. I mostly used these sites as a guide:
Hacking
The Netgear DG834 actually already runs a Linux kernel! You can enable telnet access to the device (a number of netgear routers support this) by logging into the web admin interface and then visiting this hidden page: http://192.168.0.1/setup.cgi?todo=debug

There is also a command injection vulnerability in setup.cgi?todo=ping_test on the dg834g that lets you run anything: the c4_IPAddr parameter goes onto the ping command line unescaped, so a URL-encoded "&" (%26) ends the ping command and whatever follows runs as a second shell command. Here is an example that executes busybox.
http://192.168.0.1/setup.cgi?todo=ping_test&c4_IPAddr=%26/bin/busybox
Apparently there is also a default account hard coded in with the password "zebra".

To reset the device to its factory state (if you don't know its current password) hold down reset button on the back of the device for a few seconds as you power it on. Default IP is 192.168.0.1, default username "admin" with "password" to login.
$ telnet 192.168.0.1
Trying 192.168.0.1...

Connected to 192.168.0.1.
Escape character is '^]'.


BusyBox v0.61.pre (2006.02.20-10:34+0000) Built-in shell (ash)
Enter 'help' for a list of built-in commands.

# cat /proc/version
Linux version 2.4.17_mvl21-malta-mips_fp_le (root@localhost.localdomain) (gcc version 2.95.3 20010315 (release/MontaVista)) #19 Fri Dec 9 17:16:36 CST 2005

# cat /proc/cpuinfo
processor : 0
cpu model : MIPS 4KEc V4.8
BogoMIPS : 149.91
wait instruction : no
microsecond timers : yes
extra interrupt vector : yes
hardware watchpoint : yes
VCED exceptions : not available
VCEI exceptions : not available

Telnet does not require a user name or password, and is left enabled until the device is rebooted! Here is an article with some more commands to play with: http://www.cyberciti.biz/tips/hacking-the-dlink-502t-router.html

Patching the router's bootloader
ADAM2 (See http://www.seattlewireless.net/ADAM2 for more information) is the name of the bootloader on the DG834. In order for it to boot firmwares with non-standard checksums (eg anything not supplied by netgear) we need to modify it.

Backup the device:
Before we modify the router firmware we should back it up. /tmp is the only place we can write to on the modem. To get the firmware off the modem we can start another instance of mini_httpd serving /tmp on port 1080:
$ telnet 192.168.0.1
# cd /tmp/
# mini_httpd -p 1080
# cat /dev/mtdblock/0 > /tmp/mtd0.bin

On my laptop I retrieve the firmware one file at a time:
$ wget http://192.168.0.1:1080/mtd0.bin

On modem:
# rm /tmp/mtd0.bin
Do this for all five mtd partitions, /dev/mtdblock/0 through /dev/mtdblock/4 (mtd0.bin to mtd4.bin).

The patch:
First of all, compute the md5sum of the mtd2.bin file you downloaded off the device. It should be:
0530bfdf00ec155f4182afd70da028c1
If not then find another guide! If yes then open up mtd2.bin in a hex editor. Go to offset 0x3944, and you should see: 44 09 00 0C

Replace this with: 00 00 00 00

Then save the file as mtd2-patched.bin; if you did this properly it will have the md5sum
d8a2f4623bf6f64b7427812f0e849aa7
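The same patch as a script, as an added example that is not part of the original post: the script and function names are mine; the offset, the byte values and the two checksums are the ones quoted above. The point of scripting it is the refusal logic: it will not touch an image whose md5sum or bytes at 0x3944 do not match, and it verifies the result before you ever dd it onto /dev/mtdblock/2.

```sh
#!/bin/sh
# patch-adam2.sh: checked, scripted version of the hex-editor step.
# Added example, not from the original post; the script and function names
# are mine, the offset, bytes and checksums are the ones the post quotes.
set -eu

OFFSET=14660                  # 0x3944
ORIG_BYTES="44 09 00 0c"      # the instruction to neutralise
PATCH_BYTES="00 00 00 00"
ORIG_MD5=0530bfdf00ec155f4182afd70da028c1
PATCHED_MD5=d8a2f4623bf6f64b7427812f0e849aa7

md5_of() { md5sum "$1" | cut -d' ' -f1; }

# bytes_at FILE OFFSET COUNT -> "xx xx xx xx" (lowercase hex, single spaces)
bytes_at() {
  od -An -tx1 -v -j "$2" -N "$3" "$1" | tr '\n' ' ' | tr -s ' ' | sed 's/^ //; s/ $//'
}

# patch_adam2 IN OUT [IN_MD5] [OUT_MD5]: the checksum arguments default to
# the values for the stock DG834 v2 ADAM2 image.
patch_adam2() {
  in=$1; out=$2; want_in=${3:-$ORIG_MD5}; want_out=${4:-$PATCHED_MD5}
  if [ "$(md5_of "$in")" != "$want_in" ]; then
    echo "refusing: $in does not have md5sum $want_in" >&2; return 1
  fi
  if [ "$(bytes_at "$in" "$OFFSET" 4)" != "$ORIG_BYTES" ]; then
    echo "refusing: bytes at 0x3944 are not '$ORIG_BYTES'" >&2; return 1
  fi
  cp "$in" "$out"
  # overwrite four bytes in place (notrunc keeps the rest of the image)
  dd if=/dev/zero of="$out" bs=1 count=4 seek="$OFFSET" conv=notrunc 2>/dev/null
  if [ "$(bytes_at "$out" "$OFFSET" 4)" != "$PATCH_BYTES" ] \
     || [ "$(md5_of "$out")" != "$want_out" ]; then
    echo "patch produced an unexpected image, removing $out" >&2; rm -f "$out"; return 1
  fi
  echo "$out ok (md5 $want_out)"
}

if [ $# -ge 2 ]; then patch_adam2 "$@"; fi
```

Usage is ./patch-adam2.sh mtd2.bin mtd2-patched.bin; an image from a different firmware revision fails the first check, which is exactly the "find another guide" case above, and a typo in the hex editor would fail the last one.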
Now the fun part, and warning: the next series of commands could brick your router so please follow this guide at your own risk.

Place your mtd2-patched.bin file on a local web server (sorry, you need one of those too) so we can download it back onto the modem, which has wget installed:

$ telnet 192.168.0.1
# cd /tmp/
# wget http://192.168.0.10/mtd2-patched.bin
# dd if=mtd2-patched.bin of=/dev/mtdblock/2
# exit
Now power off the device. Turn it on again and it *should* reboot just fine. This procedure has worked fine for me.

Compiling OpenWRT

On my Ubuntu 9.10 Laptop I checked out the source code for the OpenWRT Kamikaze 8.09 branch with subversion:
$ svn co svn://svn.openwrt.org/openwrt/branches/8.09
$ cd 8.09
$ make menuconfig
$ make package/symlinks
$ make menuconfig
$ make V=99
Using revision 21732 (the latest at the time) for my build. My config only has support for PPPoA (Most countries use PPPoE).

You will get openwrt-ar7-squashfs.bin in the bin/ subdirectory after compiling has completed. Split this up into 2 files, the first 720896 bytes (for mtd1) and the remainder (for mtd0):

$ dd if=openwrt-ar7-squashfs.bin of=ow-mtd0.bin skip=720896 bs=1
$ dd if=openwrt-ar7-squashfs.bin of=ow-mtd1.bin count=720896 bs=1

(bs=1 copies one byte at a time and is slow; 720896 is 176 × 4096, so bs=4096 with skip=176 and count=176 respectively gives identical output much faster.)
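A scripted split that proves itself before you flash, as an added example rather than something from the original post: the script name and function names are mine, the 720896-byte boundary is the one used above. Besides using 4 KiB blocks it checks the two sizes add up and that concatenating the parts reproduces the original image byte for byte, which is the check I would want before pushing anything over ADAM2's ftp.

```sh
#!/bin/sh
# split-image.sh: split openwrt-ar7-squashfs.bin into the two parts that go
# to mtd1 and mtd0, and verify the split is lossless. Added example, not
# from the original post; the script name is mine, the 720896-byte boundary
# is the post's. 720896 = 176 * 4096, so 4 KiB blocks replace bs=1.
set -eu

MTD1_BYTES=720896   # size of the first part (ow-mtd1.bin)
BLOCK=4096
BLOCKS=$((MTD1_BYTES / BLOCK))

file_size() { wc -c < "$1" | tr -d ' '; }

# split_image IMAGE [OUTDIR]: writes OUTDIR/ow-mtd1.bin (first 720896 bytes)
# and OUTDIR/ow-mtd0.bin (the rest), then checks sizes and reassembly.
split_image() {
  img=$1; dir=${2:-.}
  size=$(file_size "$img")
  if [ "$size" -le "$MTD1_BYTES" ]; then
    echo "refusing: $img is only $size bytes, not larger than the first part" >&2; return 1
  fi
  dd if="$img" of="$dir/ow-mtd1.bin" bs=$BLOCK count=$BLOCKS 2>/dev/null
  dd if="$img" of="$dir/ow-mtd0.bin" bs=$BLOCK skip=$BLOCKS 2>/dev/null
  [ "$(file_size "$dir/ow-mtd1.bin")" -eq "$MTD1_BYTES" ] \
    || { echo "bad ow-mtd1.bin size" >&2; return 1; }
  [ "$(( $(file_size "$dir/ow-mtd0.bin") + MTD1_BYTES ))" -eq "$size" ] \
    || { echo "bad ow-mtd0.bin size" >&2; return 1; }
  # the two parts must reassemble to exactly the original image
  cat "$dir/ow-mtd1.bin" "$dir/ow-mtd0.bin" | cmp -s - "$img" \
    || { echo "reassembled parts differ from $img" >&2; return 1; }
  echo "ok: ow-mtd1.bin $MTD1_BYTES bytes, ow-mtd0.bin $(file_size "$dir/ow-mtd0.bin") bytes"
}

if [ $# -ge 1 ]; then split_image "$@"; fi
```

Run as ./split-image.sh bin/openwrt-ar7-squashfs.bin; the sizes it prints should match the byte counts the ftp client later reports for each put.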

Flashing the router:
You can flash the router with your OpenWRT image by using the ADAM2 FTP interface. Telnet to the router and issue this command:
# echo "my_ipaddress 192.168.0.1" > /proc/sys/dev/adam2/environment
From now on when you reboot the router ftp will momentarily become available during boot.

The window where you get "21/tcp filtered ftp" as I observed when running
watch -n .4 "nmap -v 192.168.0.1 -p 21 | grep ftp" is quite small. I only had success in gaining ftp access to the device after I did the following:
  • Plugged in a network switch between my Laptop and the Router.
  • Used Ethernet port 1, out of the 5, on the router.
  • Restricted the TCP send buffer size (tcp_wmem) on my Ubuntu 9.10 laptop (as shown below; save the original values first so they can be restored):
root@laptop:~# cat /proc/sys/net/ipv4/tcp_wmem > tcp_wmem_orig
root@laptop:~# echo 0 512 512 > /proc/sys/net/ipv4/tcp_wmem

after ftp is done restore the settings:
root@laptop:~# cat tcp_wmem_orig > /proc/sys/net/ipv4/tcp_wmem
After the above is done, power off the modem and unplug it. On the laptop I have the command "ftp 192.168.0.1" typed and ready, then plug the modem in (handy to have it beside the keyboard) and hit enter; running it before the network light on the device came on worked best for me.

Once you do get a login its time to ftp your compiled firmware to the device, in the directory containing your compiled OpenWRT files:
$ ftp 192.168.0.1
Connected to 192.168.0.1.
220 ADAM2 FTP Server ready.
Name (192.168.0.1:craig): adam2
331 Password required for adam2.
Password:
230 User adam2 successfully logged in.
Remote system type is UNIX.
ftp> quote "MEDIA FLSH"
200 Media set to FLSH.
ftp> bin
200 Type set to I.
ftp> put ow-mtd0.bin "fs mtd0"
local: ow-mtd0.bin remote: fs mtd0
200 Port command successful.
150 Opening BINARY mode data connection for file transfer.
226 Transfer complete.
1598607 bytes sent in 14.64 secs (106.7 kB/s)
ftp> put ow-mtd1.bin "fs mtd1"
local: ow-mtd1.bin remote: fs mtd1
200 Port command successful.
150 Opening BINARY mode data connection for file transfer.
226 Transfer complete.
720896 bytes sent in 6.56 secs (109.5 kB/s)
ftp> quote REBOOT
221-Thank you for using the FTP service on ADAM2.
221 Goodbye.
ftp> quit

First boot of OpenWRT
After the ftp commands above the orange light on the device will blink for a couple of minutes. This is hopefully OpenWRT configuring its system, writing the jffs2 partition, which can take a minute or two after the ftp upload. Once this is done we can connect to the device, check in dmesg that jffs2 has been written, set the root password and reboot. Mine takes ~1 minute to boot up:
$ telnet 192.168.0.1
Trying 192.168.0.1...
Connected to 192.168.0.1.
Escape character is '^]'.
=== IMPORTANT ============================
Use 'passwd' to set your login password
this will disable telnet and enable SSH
------------------------------------------
root@OpenWrt:/# dmesg | grep jffs2 -A2 -B2
root@OpenWrt:/# passwd
root@OpenWrt:/# reboot



Now I have a working OpenWRT installation on my router! I can flash it via the ftp method above if I have to (which I did do again).

Connecting to my ISP
ssh to the device and use vim to edit the network settings in /etc/config/network. Here are my settings for a PPPoA ADSL connection with my New Zealand ISP:
root@OpenWrt:~# cat /etc/config/network
## Localhost
config 'interface' 'loopback'
option 'ifname' 'lo'
option 'proto' 'static'
option 'ipaddr' '127.0.0.1'
option 'netmask' '255.0.0.0'
## IP
config 'interface' 'lan'
option 'type' 'bridge'
option 'ifname' 'eth0'
option 'proto' 'static'
option 'netmask' '255.255.255.0'
option 'nat' '1'
option 'dns' ''
option 'ipaddr' '192.168.0.1'
## enable all 5 network ports on router switch
config 'switch' 'eth0'
option 'reset' '1'
## My ISP details
config 'interface' 'wan'
option 'ifname' 'atm0'
option 'proto' 'pppoa'
option 'encaps' 'vc'
option 'vpi' '0'
option 'vci' '100'
option 'username' 'xxxx@adsl.xxxx.xxx'
option 'password' 'xxxxxxxx'
option 'keepalive' '5,5'
Bring up the wan after editing network settings
root@OpenWrt:~# ifup wan
Connection stats in this file:
root@OpenWrt:~# cat /proc/avalanche/avsar_modem_stats | grep Rate -A1 -B1
[DSL Modem Stats]
US Connection Rate: 869 DS Connection Rate: 7658
DS Line Attenuation: 34 DS Margin: 13
--
Frame mode: 0 Max Frame mode: 0
Trained Path: 1 US Peak Cell Rate: 2049
Trained Mode: 16 Selected Mode: 1
--
Hybrid Selected: 1 Trellis: 1
Showtime Count: 1 DS Max Attainable Bit Rate: 8648 kbps
BitSwap: 1 US Max Attainable Bit Rate: 869000 bps
Annex: AnxA psd_mask_qualifier: 0x0000
I now have a usable router running my own custom firmware to connect to the Internet with. Clients on the LAN can get an internal IP with DHCP and use the router's DNS server.

To do:
  • Customize the firewall, better logging etc. Set up a VLAN on the router's switch and have one network port for a DMZ zone.
  • The ADSL connection does not automatically start on boot yet. Also I want something to regularly check the connection health.
  • Explore half bridge with pppoa [wlug.org.nz] - I have another router that supports half-bridging.