Wireless success with 802.11A/B/G!!

Void Main
Site Admin
Posts: 5716
Joined: Wed Jan 08, 2003 5:24 am
Location: Tuxville, USA

Post by Void Main » Wed Nov 19, 2003 9:22 pm

I am now officially without wires. At 54Mbps even! I'm running the Linksys WRT54G router and the WPC55AG card. The router can do 802.11G/B. The card can do 802.11G/A/B. The router actually runs Linux inside and there is a site that tells you how to do cool things like mod its OS and install other software like Snort for instance. The WPC55AG PCMCIA card uses the Atheros chipset and thus uses the madwifi driver. It was as simple as downloading the madwifi driver and doing a "make install" in the directory I extracted it to. No kernel recompile or anything. I then manually configured a card configuration for Fedora that looks like this:

/etc/sysconfig/network-scripts/ifcfg-ath0:

DEVICE=ath0
TYPE=Wireless
ONBOOT=yes
BOOTPROTO=dhcp
IWPRIV="mode 0"
ESSID=VoidsSecret
DHCP_HOSTNAME=voidlinux
USERCTL=yes
PEERDNS=yes

I literally just got it hooked up a little while ago and am not currently running it in WEP mode and I need to get that working next (doesn't look too hard). I'm sure I'll have to add something to the above config file for this.

Another thing is I am not currently using the wireless router as a router (although I did test it as such and it worked fine). I am currently just using it as a bridge. It has 5 ports, 4 are just a 4 port switch on the private side and the other is the public interface that you are supposed to plug into your cable/dsl router. I use my 3 interface Linux box for my firewall/gateway so I just wanted a bridge. I figured I could use the wireless router as a bridge just by plugging one of the regular switch ports into my existing network and leaving the cable/dsl interface empty. Sure enough, it works like a champ. My laptop gets its DHCP assigned address from my regular DHCP server. It even works in promiscuous mode with Ethereal or other sniffer type utilities (snort etc).

I paid less than $180 total for both devices from amazon.com. Free shipping if you do the slow UPS ground (listed at 5-7 days, but only took 3 in my case). It's funny, just a wireless bridge was close to $300 and I can't figure out why. It's less functional than a wireless router that can do the same thing.

I'll update this if I run into any problems or have any more successes.

Ok, WEP is easy. I set my router to use 128 bit WEP, had it generate a few keys, set it to use the 1st key and took that key and added it to my wireless interface config in Linux so it now looks like:

DEVICE=ath0
TYPE=Wireless
ONBOOT=yes
BOOTPROTO=dhcp
IWPRIV="mode 0"
ESSID=VoidsSecret
KEY=NOTREALLYVOIDSKEY123456789
DHCP_HOSTNAME=voidlinux
USERCTL=yes
PEERDNS=yes
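An added example (my own code, not from the post or from Fedora's network scripts) that parses an ifcfg-ath0 file like the one above and reports what the KEY line actually buys you. It assumes, as Fedora's ifup-wireless did at the time, that KEY is handed straight to iwconfig, so a valid value is 10 or 26 hex digits (40-bit or 104-bit secret, sold as 64-bit or 128-bit WEP) or an "s:" prefixed 5 or 13 character ASCII string. The embedded config is a constructed copy of the post's second file with its placeholder key; note that WEP, even at 128 bits, offers little protection today, so this check only tells you whether the interface is open or misconfigured, not that it is safe.

```python
"""Audit a Fedora-style ifcfg-<iface> file for a wireless interface.

Parses shell-style KEY=VALUE lines and reports whether a WEP key is
configured at all and whether it has the shape iwconfig accepts.
"""
import re
import shlex

# Constructed sample mirroring the post's config; the key is a placeholder.
SAMPLE_IFCFG = """\
DEVICE=ath0
TYPE=Wireless
ONBOOT=yes
BOOTPROTO=dhcp
IWPRIV="mode 0"
ESSID=VoidsSecret
KEY=NOTREALLYVOIDSKEY123456789
DHCP_HOSTNAME=voidlinux
USERCTL=yes
PEERDNS=yes
"""

# iwconfig key forms (assumption: KEY is passed through to iwconfig unchanged)
HEX_KEY = re.compile(r"^(?:[0-9A-Fa-f]{10}|[0-9A-Fa-f]{26})$")
ASCII_KEY = re.compile(r"^s:(?:.{5}|.{13})$")

# Illustrative starting list of factory SSIDs; extend for the vendors you run.
DEFAULT_SSIDS = {"linksys", "default", "any", ""}


def parse_ifcfg(text):
    """Parse KEY=VALUE lines; shlex honours the quoting in IWPRIV="mode 0"."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = " ".join(shlex.split(value))
    return cfg


def audit_wireless(cfg):
    """Return a list of findings for a wireless interface (empty for wired)."""
    findings = []
    if cfg.get("TYPE", "").lower() != "wireless":
        return findings
    key = cfg.get("KEY")
    if not key:
        findings.append("no KEY: interface joins an open (unencrypted) network")
    elif HEX_KEY.match(key):
        bits = 40 if len(key) == 10 else 104
        findings.append(f"WEP hex key, {bits}-bit secret (marketed as {bits + 24}-bit)")
    elif ASCII_KEY.match(key):
        findings.append("WEP ASCII key (s: prefix)")
    else:
        findings.append(f"KEY has unexpected shape ({len(key)} chars, not hex, "
                        "no s: prefix); iwconfig may reject it")
    if cfg.get("ESSID", "").lower() in DEFAULT_SSIDS:
        findings.append("ESSID is a vendor default")
    return findings


if __name__ == "__main__":
    for finding in audit_wireless(parse_ifcfg(SAMPLE_IFCFG)):
        print("ath0:", finding)
```

Run it against a real file with `audit_wireless(parse_ifcfg(open("/etc/sysconfig/network-scripts/ifcfg-ath0").read()))`; the placeholder key in the sample is reported as malformed because it is not hex, which is exactly what you would see if a key were pasted with a typo.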

Post by Void Main » Sat Nov 22, 2003 12:31 am

Just got kismet working so now I can do some war driving. I had to apply the madwifi patch to the CVS version. Pretty cool stuff! Next I am going to try and build a new OS for my wireless access point:

http://www.batbox.org/wrt54g.html
http://www.batbox.org/wrt54g-linux.html

Post by Void Main » Sat Nov 22, 2003 8:16 am

And to continue my documentation so I don't forget how I did this stuff. I also got gkismet installed and working. Just download the appropriate package, extract it, and do a "make install". It's just a Perl Gtk module so you may have to install it if it's not already installed "apt-get install Gtk-Perl". There are a few screenshots on the gkismet page linked above.

Tux
guru
Posts: 689
Joined: Wed Jan 08, 2003 10:40 am

Post by Tux » Sat Nov 22, 2003 10:11 am

How are you finding the signal strength of that WAP?

Post by Void Main » Sat Nov 22, 2003 9:14 pm

It seems to be very good. I get 54Mbps almost everywhere in the house except for the bathroom where I only get like 36Mbps. That's ok, I'm not in any big hurry in the bathroom. :)

Post by Tux » Sun Nov 23, 2003 9:53 am

How about the end of the garden? :)

Post by Void Main » Sun Nov 23, 2003 10:04 am

Well, I did a little war driving on the way to dirt bikin' yesterday and I was still gettin 54Mbps in my car in my driveway so it seems to be plenty for what I need. From what I hear the devices I got were rated at or near the top of the signal strength category. It's funny, I didn't get a quarter mile down the road and picked up on another Linksys running with a default config (no WEP, default SSID of "linksys", and the default IP 192.168.1.1). I should probably leave a note in the mailbox of anyone I find like that on how they can configure their stuff more securely.

agent007
administrator
Posts: 254
Joined: Wed Feb 12, 2003 11:26 pm

Post by agent007 » Sun Nov 23, 2003 1:46 pm

That's pretty cool! Btw, is the antenna in the first floor or somewhere high?


Void Main wrote:It seems to be very good. I get 54Mbps almost everywhere in the house except for the bathroom where I only get like 36Mbps. That's ok, I'm not in any big hurry in the bathroom. :)

Post by Void Main » Sun Nov 23, 2003 1:55 pm

I have a bilevel house (I think that's the term for it). My downstairs is sort of like a finished basement but it is not fully in the ground like a real basement, and half of it is a 2 stall garage. I have the AP in the downstairs with all my other server stuff. I spend most of my time upstairs on the couch that happens to be directly above the AP but it seems to work pretty well anywhere in the house.

Post by Void Main » Sun Nov 23, 2003 11:52 pm

Well I just built a new firmware for my WRT54G router and installed it. Believe it or not it still works! I changed the source of one of the files to reintroduce an old exploit that you can use to get a shell on the device and install just about anything you want (limited by memory of course). I plan on adding to the firmware either snort or kismet (probably kismet) so I'll have a wireless IDS. It will be cool being able to tell if someone is war driving by my house like I did earlier today. :)

I drove around town today for about 10 minutes and picked up on 20 access points. All of them were broadcasting their SSIDs and only 4 of them were running WEP. I am certain that if I had wanted to I could have connected to their networks but I wouldn't do that without their knowledge not just because it would be illegal but because it would not be morally right. As I mentioned I might just contact each person who is running one wide open in the default configuration and help them secure it.

If you are interested in hacking the WRT54G you'll want to check out this highly interesting, utterly informative, and just plain cool page:
http://seattlewireless.net/index.cgi/LinksysWrt54g

It appears that there are a couple of other APs that are running Linux and possibly can be modified in similar manner. Happy hacking!
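The survey above (and the earlier find a quarter mile down the road) is the kind of thing an owner of several APs wants to turn into a short to-do list. The following is an added example, my own code rather than anything from the thread or from Kismet, that triages a site survey of your own access points: it counts how many run any encryption and ranks the ones still showing factory settings so you know which to fix first. The survey records are constructed and their field names are mine, not Kismet's log format; DEFAULT_SSIDS is a starting list to extend with your vendors' defaults.

```python
"""Triage a wireless site survey for APs left in a factory-default state."""

# Constructed sample survey in the spirit of the drive described in the
# post: every AP beacons its SSID and only a minority run WEP.
SURVEY = [
    {"ssid": "linksys",     "bssid": "00:00:00:00:00:01", "encryption": "none"},
    {"ssid": "VoidsSecret", "bssid": "00:00:00:00:00:02", "encryption": "wep"},
    {"ssid": "default",     "bssid": "00:00:00:00:00:03", "encryption": "none"},
    {"ssid": "homenet",     "bssid": "00:00:00:00:00:04", "encryption": "none"},
    {"ssid": "coffee",      "bssid": "00:00:00:00:00:05", "encryption": "wep"},
]

# Illustrative starting list; "linksys" is the default named in the post.
DEFAULT_SSIDS = {"linksys", "default"}


def assess(ap):
    """Score one AP: higher means more likely untouched since it left the box.

    Returns (score, reasons).  No link-layer encryption weighs more than a
    default SSID because it exposes traffic, not just the vendor.
    """
    score, reasons = 0, []
    if ap["encryption"] == "none":
        score += 2
        reasons.append("no link-layer encryption")
    if ap["ssid"].lower() in DEFAULT_SSIDS:
        score += 1
        reasons.append("vendor default SSID")
    return score, reasons


def summarise(survey):
    """Headline numbers of the kind quoted in the post (total / WEP / open)."""
    total = len(survey)
    encrypted = sum(1 for ap in survey if ap["encryption"] != "none")
    return {"total": total, "encrypted": encrypted, "open": total - encrypted}


def remediation_list(survey):
    """APs worth a note, worst first, as (bssid, ssid, reasons) tuples."""
    scored = []
    for ap in survey:
        score, reasons = assess(ap)
        if score > 0:
            scored.append((score, ap, reasons))
    # Highest score first; tie-break on BSSID so the order is stable.
    scored.sort(key=lambda t: (-t[0], t[1]["bssid"]))
    return [(ap["bssid"], ap["ssid"], reasons) for _, ap, reasons in scored]


if __name__ == "__main__":
    print(summarise(SURVEY))
    for bssid, ssid, reasons in remediation_list(SURVEY):
        print(f"{bssid} {ssid!r}: {', '.join(reasons)}")
```

Feed it the SSID, BSSID and encryption columns from whatever your survey tool exports; the "encryption" field only needs to distinguish none from anything else for the headline count, while the ranking is what decides whose door you knock on first.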

Post by Tux » Mon Nov 24, 2003 5:27 am

Void Main wrote:Another thing is I am not currently using the wireless router as a router (although I did test it as such and it worked fine). I am currently just using it as a bridge. It has 5 ports, 4 are just a 4 port switch on the private side and the other is the public interface that you are supposed to plug into your cable/dsl router. I use my 3 interface Linux box for my firewall/gateway so I just wanted a bridge. I figured I could use the wireless router as a bridge just by plugging one of the regular switch ports into my existing network and leaving the cable/dsl interface empty. Sure enough, it works like a champ. My laptop gets its DHCP assigned address from my regular DHCP server. It even works in promiscuous mode with Ethereal or other sniffer type utilities (snort etc).
So if I can find the WRT54G for cheaper than the WAP54G it would be a better buy?

Which is more pricey?

Post by Void Main » Mon Nov 24, 2003 10:41 am

On this page it says:
What are the hardware specs for the WAP54G?

Are they similar or the same as the WRT54G?

Chris McDonald?

Chris it's the same unit as the WRT54G, it doesn't have a 4 port switch built in, it just has a single ethernet port. The linksys software is different too, with the WAP54G, linking to other WAP54g's in bridge mode/wds can be done, this feature has been removed on the WRT54G :-(((....You don't have Nat either, but as they both run linux, so hopefully the clever guys working on hacking this can make both of these units with better open source software. Having vpn functions, ospf routing, snort ids and NoCat auth, on both of these would be a damn fine thing, something that cisco and the others want you to pay extra monies for..... remember, cisco have share holders to feed/greed

the only thing that lets these units down is the output power and receive sensitivity, but with the correct hack you can increase the output power ... as for the price, you can't go wrong, these things are cheap for what they are!

with new open source firmware, these units will be hot stuff, if only linksys/cisco would help out with the open source
And on this link where I bought mine it has this comparison:

[Image: Amazon's side-by-side comparison of the WRT54G and WAP54G]

The WRT54G is $79 and the WAP54G is $89 from Amazon. To me it looks like you get more box for less money with the WRT54G although there may be a little less of the bridging specific capabilities (linking multiple bridged networks together). On the other hand, since you can modify the firmware, anything is possible. The WAP54G only has one Ethernet port where the WPC54G has 5 ports. I believe they both run Linux and I am only certain that the WAP54G can be customized although I would be willing to bet that the WAP54G can be also. If you are a geek like me you will get thorough enjoyment out of reading these two links (long but very interesting):

http://www.seattlewireless.net/index.cgi/LinksysWrt54g
http://www.seattlewireless.net/index.cgi/WAP54G

It's funny, I'm not currently using the internet interface port (routing) on my WRT54G and am using it more like what you would use the WAP54G for, but the routing capability is there if I want it later. I guess my old P100 running Linux and acting as my current firewall/router could die at any time so the WRT54G is a nice and quick backup/replacement if it does die.

Post by agent007 » Mon Nov 24, 2003 12:24 pm

Void Main wrote: I plan on adding to the firmware either snort or kismet (probably kismet) so I'll have a wireless IDS. It will be cool being able to tell if someone is war driving by my house like I did earlier today. :)
Does this mean that u will get the output from the IDS on the server?
Void Main wrote:I drove around town today for about 10 minutes and picked up on 20 access points. All of them were broadcasting their SSIDs and only 4 of them were running WEP. I am certain that if I had wanted to I could have connected to their networks
Knoppix has a tool which can sniff out the wireless traffic.....Suppose one uses such a tool on these non WEP connections could it be really possible to read the data from the packets? Obviously one would be able to get usernames/passwords without much trouble

Post by Void Main » Mon Nov 24, 2003 12:51 pm

agent007 wrote:
Void Main wrote: I plan on adding to the firmware either snort or kismet (probably kismet) so I'll have a wireless IDS. It will be cool being able to tell if someone is war driving by my house like I did earlier today. :)
Does this mean that u will get the output from the IDS on the server?
The person that mentioned he already had Snort running on the AP said he was logging the alerts to a file on the AP. Of course this is very limiting as you are limited by the amount of memory you have on the AP so what I would like to do is also compile in the MySQL support (if it can be done in a small amount of space) so I can log to a remote MySQL database which is how I normally run Snort. Another option is to just mount an NFS share and log alerts to it. That might be the least consuming.
Void Main wrote:I drove around town today for about 10 minutes and picked up on 20 access points. All of them were broadcasting their SSIDs and only 4 of them were running WEP. I am certain that if I had wanted to I could have connected to their networks
Knoppix has a tool which can sniff out the wireless traffic.....Suppose one uses such a tool on these non WEP connections could it be really possible to read the data from the packets? Obviously one would be able to get usernames/passwords without much trouble
I am assuming you are asking because you are concerned about others doing this to you and not because you want to know how to do it to others. It's certainly easier to know how to defend yourself if you know how your attackers operate. Kismet saves any packets it sees in a format that can be read by Ethereal. You can also run Ethereal directly just like if you were connected to a wired network. Ethereal will also give you the lower level (layer 2) wireless packets that you will not normally get with a regular Ethereal sniff. If the network is running encryption then you would not be able to sniff passwords (at least not without breaking the encryption). That encryption can be at any level of course, whether it be the lowest level of WEP or higher levels like SSH or HTTPS, etc. Of course if there is no encryption anywhere in the chain then it would certainly be easy to grab a password if you wanted to sit in front of someone's house long enough. It wouldn't be something I would be terribly interested in doing. I am more interested in helping people get secure than taking their brand new lawn mower out of their garage because they left the garage door open when they went on vacation. There are many other tools other than the ones I mention but none that are any better.

X11
guru
Posts: 676
Joined: Sun Jan 19, 2003 11:09 pm
Location: Australia

Post by X11 » Sun Dec 14, 2003 9:46 am

Void Main wrote:Well, I did a little war driving on the way to dirt bikin' yesterday and I was still gettin 54Mbps in my car in my driveway so it seems to be plenty for what I need. From what I hear the devices I got were rated at or near the top of the signal strength category. It's funny, I didn't get a quarter mile down the road and picked up on another Linksys running with a default config (no WEP, default SSID of "linksys", and the default IP 192.168.1.1). I should probably leave a note in the mailbox of anyone I find like that on how they can configure their stuff more securely.
Leave them a note on how you can abuse it, and a number and how much it will cost for you to fix it ;-)

Money, my friend.

It's all about money.
