
Yeah, so I'm Ryan Wilson. I was trying to do a fancy tech thing here with my slides; it didn't work out, so we're going to do the fallback here. I wanted to demo the cool technology I'm about to talk to you about, but it didn't work quite right. I work for Spotlight Cybersecurity, a security firm, part-time here locally in Augusta, and I've been playing with these OpenWrt-based routers for a long time, and I wanted to share with you some cool things you can do to help, as sort of a training platform, as a customized security sensor.

My plan is to walk you through why you should care about this, why this is important, and give you a little history and background about how we ended up with OpenWrt today. I'm going to walk you through how you would go about installing it if you wanted to try it out at home. We'll do a really quick tour around OpenWrt, because it's its own Linux distribution, so it's a little different from other distributions you may have played with. That's probably about the first half of the talk. In the second half I just want to run through all of the different use cases that I've tried, to sort of inspire you as to how you could use this yourself.

So why should you care about this? Well, my father-in-law cut out an article from the Augusta Chronicle a couple of weeks ago for me that said experience is vital in the cyber job hunt. Augusta University apparently did a survey here in the Augusta area, and the firms that they interviewed said that experience was way more important than your college degrees and certifications, if you can read the little fine print there. Well, that's really good to know, that that's what's going to be so important, but the question is, where am I going to get that experience? If I'm a college student, or even in an entry-level position, how am I going to get better at this? I just attended the talk with Don Murdock and he said you can't buy skill. So if we can't buy it, where are we going to get it from? Essentially we need these enterprise skills that typically cost beaucoup bucks, except if you're in that position you're on a beer budget. Am I going to be able to buy that? How am I going to get to do this?

So enter these SOHO embedded-system routers. The Linksys WRT54G was probably one of the early popular ones, released in December 2002, and what the hardware hacking community discovered is, hey, this thing runs Linux under the hood, and that means the source code is covered by the GPL. So they pressured Linksys to release the source code, and they did, and the hardware hackers were like, okay, cool, now we can do some really neat stuff with this hardware. I don't remember exactly what date I bought my WRT54G, but I got it sometime in that year or two after that, flashed it with the custom firmware, and have used it for a really long time. The firmware is open source, and this hardware actually has some really interesting capabilities: it's got this built-in Ethernet switch, and it's based on flash memory, which is actually really handy because that means there are no moving parts in here, no fans, no hard drives, very little that could break along the way. So it's a handy little embedded-system box that we can fully customize, and you can still get them really cheap. I bought a couple of these Linksys EA4500s for the talk, and you'll see them show up here, but they are $40 for a refurbished unit on Amazon right now. These have the same programmable Ethernet switch, and they've got a pretty good chipset that supports Wi-Fi well, which is important for a couple of the use cases I'll share in just a minute. My go-to OpenWrt box was this TP-Link edition, because it was only $20. This was dirt cheap, and every now and then on Amazon it would drop to ten dollars, so this was a really great thing. However, the hardware is kind of limited: the memory is pretty low on it. I wouldn't recommend it for starting today, but this was what you used to spend, just 20 bucks, to get one of these boxes. Contrast that with the Raspberry Pi, a very capable, customizable platform, but typically you're going to be spending at least fifty-five dollars to get a whole kit, and that doesn't include the memory card to get started. This doesn't have an Ethernet switch; you just have a single Ethernet port, so you've got to supplement that. And at least the Raspberry Pi units I've played with used Broadcom chipsets, which, for some of the wireless use cases I'm going to talk about, don't work quite as well. I just haven't had as good support with the Broadcom stuff.

So after the WRT54G came out, a couple of custom firmwares popped up. DD-WRT was probably one of the most popular ones; another very similar one was Tomato. And while you could customize them pretty extensively, you were relatively limited to using their web interface and some of the options that they put under the hood. OpenWrt came around a little bit later and introduced the ability to put a whole flash file system on the flash memory, so that you could completely customize it and use it more or less like you use a Linux box of any other distribution: you have a full file system, you can put files on it, and it actually just saves them off into flash memory along the way. Just because it's relevant if you go looking for documentation, you'll also see this other one, LEDE. Unfortunately the OpenWrt developers had a little bit of a dispute a few years ago about some practices in the way they handled the project and accepted new code, and there was a fork; they forked off to this LEDE project for a little while. Fortunately they finally resolved their differences and reunited under the OpenWrt name, but you will still see a number of blog posts, even if you go to my website, you'll see even one of the pieces of code I put out still references LEDE, because that was where active development happened for a while. And just as a side reference, this icon over here comes from Asus Merlin. The Asus routers are not typically very well supported with OpenWrt; there is another custom firmware called Asus Merlin that you can download if you have one of those devices instead.

I got started with this, like I mentioned, back a while. I still have my WRT54GL, and the 54G that I had, I ran it literally until the capacitors burst on it. It was sitting on my desk and I heard this little buzzing sound, I saw the light starting to flicker, and over a period of weeks that got worse, and then finally it just wouldn't turn on anymore. So these things work really well, and they've been workhorses for the kinds of purposes I use them for, and this one still works for me at home as a wireless bridge when I need it periodically.

So this is a really cool set of opportunities, but there are some trade-offs, and one of the things I want to warn you about if you want to start out with this is you really have to pay attention to the manufacturer's model numbers and version numbers. Unfortunately, I assume it's because on Amazon once a model number gets popular and gets good reviews the company doesn't want to lose that, so they'll introduce a new version, hopefully to save them money or hit a new price point, and they will completely change the underlying hardware but keep the model number exactly the same, and sometimes even the outside of the case is the same. So if you look on the underside of these (this is a picture from the underside of mine) you'll see that there's this place where it's got the model number, and there's a little version number there. You really have to pay attention to that, so that you don't go to Amazon, order the router you think is supported, and then end up with the newest and latest and greatest one, which actually is not yet supported. OpenWrt depends on the chipsets that are underlying these devices, not the actual model number, so pay attention as you look up which one you want to try. I chose the Linksys EA4500 because they haven't updated it in a while and both of the versions that are out on the market are very well supported right now, but there are a number of others that are like that as well.

Another challenge is you get no support. The companies don't expect you to do this; they want you to use the stock firmware, and while I think some of them are happy for you to play with it, you are voiding your warranty, and as the man page says, if it breaks you get to keep both pieces. Another thing, because of that: you can break them relatively easily, so you've got to be careful. It's very easy to brick these devices, either while flashing if you make a mistake, or if you configure it incorrectly; sometimes there are a few weird configuration settings that could make it inaccessible. I've been really careful because I didn't want to lose any of my boxes, and so I actually haven't bricked a device yet. Hope is not lost if you do that: there are a couple of failsafe modes, and also hardware hackers have discovered that if you open them up you can solder serial ports onto the board and flash it that way. I don't have time for that, but if you're interested in that, all this stuff is within the realm of the possible. Newer devices like the EA4500 that I mentioned actually keep two firmwares on at all times, and if one of them fails it'll fall back to a known good one, so it's a little safer with some of these more recent devices.

But the big trade-off that I want you to walk away with is this is about your time. You could prepay for enterprise convenience and get enterprise equipment, but if you're choosing to go this route it's essentially because you have more time than money, and so you're going to end up spending some more time hacking with it and trying to work through some problems. That's great for skills building, but just know, if you want to get to the end quickly, this can usually run into some glitches along the way. I wish I had time to tell you about all the challenges, but just be aware, as I said, it's really a time-money trade-off.
As I said, you can play with this and do really cool things, but it's going to take you some time to set it up. Just a few other quick notes, a run-through. I've heard people complain about some of these devices running at high temperature because they don't have fans; I've not personally had this problem, but just be on the lookout. I've had a few hardware weirdness things: you've got enterprise features in these things like 802.1Q VLANs, but there's sometimes little weirdness, like I was setting up a VLAN once and it just was not working the way that the configuration said it would, and I finally just had to give up on that and say okay, it's not going to go. They have pretty small CPUs, very limited memory, both flash and RAM, so you're not going to run Bro on one of these things in most cases, but you can use them for a number of useful collection points and then offload to another system, which is some of the use cases I'll share with you in just a moment.

All right, so I'm going to talk about how you get started with this. I purchased one of these from Amazon just so I could take some pictures for this talk, a nice box here. You can see the front here, and then the backside here is a relatively standard router back: we've got four LAN ports, an internet port, we've got a USB port that we'll use for some additional storage, and then a power port and a couple of buttons. Once you get it set up, I had to load up into the stock firmware, and I was pretty amused when Cisco was pointing out, when I was trying to click through to get to the firmware update screen, it was making sure I had a legal banner: yes, I confirm that I understand that my router is completely open and unprotected, before I could go through. Once you get through to the stock firmware, what comes built in from Linksys, you just have to navigate some of the menus and find the firmware update page. Now I went off to OpenWrt, downloaded their firmware, and you can see I have it: choose file, loaded it up, and all you have to do at this point is hit start to get it updating, and then the system will reboot into OpenWrt. At that point you'll start to see this screen. This is OpenWrt's LuCI web interface; it's got many of the same features that the stock firmware would have, all in here in a nice interface. It's letting me know I might need to set a password. But one of the great things about OpenWrt is you've got a very powerful command line. I love working at the command line, so you can just pop open SSH and be working on this side, or you can use the web interface for a little easier setup.

Now I make this sound really easy. One of the boxes I got (I ordered two at the exact same time for testing for this talk) worked great, was that easy, and the second one, despite being ordered at the same time, came with a different version of Linksys firmware on it and required some stepping through. So I have put a QR code on the last page; I posted further instructions on our website, spotlightcybersecurity.com, and I've sprinkled a few QR codes in, because I don't have time to go through all the detail of these steps, but you can see the extra steps I had to take to get that other device up and working.

All right, we're in, we've got OpenWrt ready to go. What's next? So just a quick tour around the operating system. One of the reasons I like OpenWrt is for its package management capabilities. It uses a tool called opkg, so it's a little different than if you've used rpm or apt-get, but it's very similar concepts. There are just two commands you need to know: `opkg update`, which says go grab the latest package feeds, the listings; it keeps that in a RAM disk, so every time you reboot you lose it, so you're going to end up running that command a lot. And then `opkg install` and the name of the package you care about. If you want to install tcpdump you just drop in tcpdump; it'll take care of all the dependencies, it'll figure out it needs libpcap and get it installed for you. So installing packages is real easy. And then the configuration: OpenWrt has prided itself on a sort of centralized configuration system called UCI, and pretty much all of that is in /etc/config, all the files in one place. It's pretty easy just to edit the text files and then reboot, and they have a command that'll help you through it. You can hit `uci show` and it'll show you all the current configuration; once you've seen what's in there you can set individual settings; you can see what changes are in memory but haven't been saved; and then commit them to the disk. So those are the four, if you want to do it on the command line, those are the four most important commands that you need to be aware of along the way. So that's the quick tour around OpenWrt. Before I go into use cases, are there any quick questions? All right, yeah, spotlightcybersecurity.com. Yeah, I've got a couple of other links in here I'll kind of point to along the way, but I've got some instructions on there.

So we're in, we know our way around OpenWrt; what can we do with this system now? There are a lot of different things to do, and one of the primary ones is, hey, I can use this to help secure my network. You want to defend your home or business network, you want to set up a firewall, you want to learn Wireshark and get some real data from your network to pick it up, try out using a security sensor like Security Onion, or maybe even do some content filtering. I've got kids at home; I'm worried about what they might stumble across. What can I do to use this position to help me get there? So we've got a pretty standard network setup that looks a little bit like this: you've got some client devices that are connected by wires or wireless to a router, which is connected to your ISP modem, a cable modem or DSL or something, going out to the Internet. One of the things, when I used to work here at Augusta University for a little while, I used to challenge my students: where are the single points of failure in this network map? Show of hands. Yeah, the high-speed modem is one of them. All right, what else? Yeah, we've got the router. So we've got a couple of single points of failure here that we need to deal with, and we can take that to our advantage: these are the choke points on the network, perfect places for us to instrument and pull off data. And since we control this router really well now that we've put OpenWrt on it, let's use it to get at some data.

One of the first cases was to use the firewall. This is Linux; we have a full iptables firewall. I'm not going to go into detail about iptables now. There are some really awesome modules out there that can do some complex things; some of them are not built into OpenWrt, but there are a lot of packages you can install to get at them. There's a great guide in the docs. OpenWrt has a custom wrapper around iptables; the documentation is there if you want to check it out. But one of the great things is, if you like using just straight iptables, you can write your own; you just stick it in this particular shell script, but instead of using the standard chains use these ones instead: input_rule, output_rule and forwarding_rule. But you've got the full power of that iptables firewall at your disposal with this device.

But remember we said, because we're at the choke point, if something's going wrong on our network and we want to investigate, this is also the best place for us to get a tap on it, and so tcpdump is one of my go-to tools: a quick, easy command line to be able to take a look at what's there. Just two quick commands to install it. If you try out tcpdump on the router, just be aware there are two packages: there's tcpdump and tcpdump-mini. The full tcpdump has a whole lot of extra protocol parsers and it's kind of large; remember, this is an embedded system, it doesn't have a lot of space. So there's a second package, tcpdump-mini, that has a lot of that pared down. You still get really useful information, but it doesn't clog up as much of your limited storage space on the device. And then you can just see, I fired it up to check it out, and I actually was a little surprised: I didn't realize my Chrome browser was using Google's new QUIC protocol over UDP port 443 to talk back to Google instead of using HTTP over TCP. But real quick, to see what kind of traffic is happening on your network, with tcpdump, right from this device.

Sometimes we want to be able to save off some of those pcap files, and they don't have a whole lot of space built in. I picked the EA4500 because a lot of the newer routers actually have these USB ports, so pick up an extra flash drive off Amazon, format it as a Linux-compatible filesystem, pop it in the device here, and then, with installing a couple of extra modules (you see there are a few packages you've got to install to make this work), you can mount it just as you would any other file system, and then it's a handy way for you to be able to use tcpdump or any other utility and save off that data onto the flash drive. Then you can either pull the flash drive out and move it to your desktop, or just use secure copy, SCP over SSH, to be able to move them over, so you could use Wireshark on your more powerful desktop system and process it after the fact.

But we also, again, have this choke point. Maybe we want to do some better analysis, like run Bro or Snort on this data, that we can't get working on the OpenWrt router. What if we could tap that off? Typically we've used network taps for this, and you can pick up an active network tap pretty easily on Amazon; the problem is they're a little pricey, $220.
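Editor's added example, not the speaker's code and not the scripts on the Spotlight Cybersecurity site: the first-session setup the talk walks through, done with the opkg and uci commands it names. It installs tcpdump-mini and the USB storage packages, locks SSH (dropbear) down to key-only access on the LAN side before anything else, mounts the stick persistently, and captures to it with a rotating ring of files. Assumptions that are not in the talk: the stick is ext4 on /dev/sda1, the LAN bridge is br-lan, and an SSH public key sits at /root/admin.pub. The dropbear, fstab and opkg names are the real OpenWrt ones; DRY_RUN=1 prints each command instead of running it so the steps can be read before they touch flash.

```shell
#!/bin/sh
# Added example (editor's, not from the talk).  First-session setup of a
# freshly flashed OpenWrt router.  Assumptions: ext4 USB stick on /dev/sda1,
# LAN bridge br-lan, admin public key at /root/admin.pub.
# DRY_RUN=1 prints the commands instead of executing them.

DRY_RUN="${DRY_RUN:-}"
USB_DEV="${USB_DEV:-/dev/sda1}"
USB_MNT="${USB_MNT:-/mnt/usb}"
CAP_IF="${CAP_IF:-br-lan}"

run() {
    if [ -n "$DRY_RUN" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# 1. Packages.  opkg keeps its package lists in RAM, so 'update' has to be
#    run again after every reboot before 'install' can find anything.
install_packages() {
    run opkg update
    # tcpdump-mini: fewer protocol decoders, much less flash than full tcpdump
    run opkg install tcpdump-mini
    # USB storage driver, ext4 support, and the block-mount helper
    run opkg install kmod-usb-storage kmod-fs-ext4 block-mount
}

# 2. Lock SSH down before the box does anything else: key-only logins and no
#    listener on the WAN side.  Paths in /etc/dropbear are the defaults.
harden_ssh() {
    run uci show dropbear                # look before you change anything
    run mkdir -p /etc/dropbear
    run cp /root/admin.pub /etc/dropbear/authorized_keys   # assumed key path
    run chmod 600 /etc/dropbear/authorized_keys
    run uci set 'dropbear.@dropbear[0].PasswordAuth=off'
    run uci set 'dropbear.@dropbear[0].RootPasswordAuth=off'
    run uci set 'dropbear.@dropbear[0].Interface=lan'
    run uci changes dropbear             # pending edits, still only in memory
    run uci commit dropbear              # now written to flash
    run /etc/init.d/dropbear restart
}

# 3. Mount the stick persistently.  'block detect' writes a fstab template
#    for the attached drives (disabled); enable the first entry and set target.
mount_usb() {
    run sh -c 'block detect > /etc/config/fstab'
    run uci set 'fstab.@mount[0].enabled=1'
    run uci set "fstab.@mount[0].target=$USB_MNT"
    run uci commit fstab
    run mkdir -p "$USB_MNT"
    run mount "$USB_DEV" "$USB_MNT"
}

# 4. Capture to the stick as a ring so it never fills: -C rotates every 50 MB,
#    -W keeps ten files and overwrites the oldest, -s 0 keeps whole packets.
capture_to_usb() {
    run tcpdump -i "$CAP_IF" -s 0 -C 50 -W 10 -w "$USB_MNT/cap.pcap"
}

case "${1:-}" in
    apply)   install_packages; harden_ssh; mount_usb ;;
    capture) capture_to_usb ;;
esac
```

Run it as `DRY_RUN=1 sh setup.sh apply` first and read the output; then without DRY_RUN. Pull the pcaps off afterwards with `scp root@router:/mnt/usb/cap.pcap* .` and open them in Wireshark on the desktop, as the talk suggests.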
It's not a lot of money, but you're on that beer budget. What if we could do something cheaper? Can we use our OpenWrt device for it? And you can. There are a lot of different ways that you can set this up. It is not going to give you a pristine copy of your data or be as easy as if you were to buy an active tap like the Dualcomm one I just showed. So there are sort of three methods that I have discovered for doing this; as I said, I have the links on the blog for more instructions if you want step-by-step on how to do it. The iptables TEE module is the easiest one that works on all hardware, built into the firewall. The downside of this is that it only works for IP traffic, so you won't pick up ARP packets going across your network or any other non-IP traffic. The other downside is that the way the TEE module works is it messes with the MAC addresses, so you won't get the original MAC addresses. For most situations that's okay, but just be aware that it's not a perfect tap. To get a perfect tap you've got to buy certain hardware. These EA4500s that I have running over here don't support this, but another model that I've used, the TP-Link 3600 here, the chipset that's on the Ethernet switch has essentially a port-mirroring capability built in that you can trigger. As I said, certain chipsets have this; you've got to hunt around if you really want that particular feature, but that gives you pristine packets copied through the switch. The third option is you can use this daemonlogger tool from Cisco, which we'll talk about more in a minute, but again another caveat: it's hardware dependent. For it to work you have to be using a destination mirrored port that's not a switched port. So again, it's not easy, but you can accomplish this with these cheap devices if you want to wrestle through. Again, that time-money trade-off.

Also, because we're at that choke point, these are great for other network security monitoring things. We can do full packet capture on them, we can grab session data and export it as NetFlow, we can grab both the firewall logs and the DNS logs and see what kind of activity is happening on our network. daemonlogger is a great tool to do this: it captures all the packets, and it'll even rotate the pcap files for you once you fill up your filesystem. So I have this set up here to capture on my LAN port, to name it, and then to rotate the file every 600 seconds, every 10 minutes or so, and it'll age off some of the older files for you if you would like it to do that. You can save it off on that USB drive, and, as I do, I'll have it rotating on there and I'll just pull the pcap files off the USB when I need them, if I want to do some analysis at a later time. NetFlow is very similar: there's the softflowd package, which has support for exporting NetFlow version 5 and NetFlow version 9, so all you need to do is essentially an easy configuration to just point it at your NetFlow collector. Well, I didn't have a NetFlow collector running at home all the time, and so I actually just set it up to point to localhost and then used daemonlogger to capture all those packets, and then a couple of utilities strung together to replay it. Now, unfortunately, my analysis side, I didn't get that documented in time for this talk. If you're really interested in that, send me a direct message on Twitter (I'll have my note here at the end) and I can let you know as soon as I've got that written up later.

You can also, since the box has a DNS server on it and all of our traffic's going through it, this is a great place to capture what everybody is looking up on the network. So just a couple of simple commands to turn on DNS logging, you've got to bounce the DNS server, and then you'll start seeing entries like this show up in all your logs. You can see one of my hosts on my network was querying play.google.com, and then you can see it tells you who queried it, which forwarding server we sent it to, and what was the response that came back from the server that we relayed to the client. You just get a lot of log data, and it sends it all into the system log that we can then pull off. A quick question: so the way that it is stored, built in (I'm going to talk in a moment about how to save it), it is stored only in memory, and it'll be lost on a reboot. The same thing with the firewall logs: there are a couple of settings you just turn on in the built-in firewall stuff, and it'll start outputting (this is using the iptables built-in logging utilities), and you start to see packets, or entries, in the log here. So any time something gets dropped on your firewall you can see an entry that lets you know, hey, somebody's scanning me, what's going on in my network. We can save that off here real quick, real easy. Now, if you want to be able to save it off and keep it persistent, there are a couple of utilities you can use. OpenWrt supports, built in, just sending all this data to a remote syslog source, so if you've got a log infrastructure already you can do it that way. How I do it: I have a script shared at that bit.ly link where I just have a script I run that captures and saves the logs onto my USB disk and just keeps a rotating file, and then I pull them off manually when I want to do analysis on them. Yeah, yeah, that one is a setting that's saved, so that it's persistent, but you have to choose that; it's not that way by default, so you've got to add that into your OpenWrt setup if you'd like that.

So, content filtering. To be honest, I've got kids at home. The most important thing I want to tell you is there is no technology silver bullet for protecting your kids online. You cannot rely on technology alone, but technology is a useful part of the puzzle if you combine it with active parenting, having some rules about how your kids use it, and having some education with them about potential bad stuff, and this helps with sort of a defense-in-depth strategy. A couple of tools that I've found useful to use with my OpenWrt router: pointing it at OpenDNS's FamilyShield service. They block malicious and phishing traffic for us, and then they also block instantly all known adult content domains. Again, it's not going to get everything, but my goal is to prevent accidents on my network, so I want to keep them away from that. The great thing about this is it's free, and it's an easy configuration change to be able to support that. And by the way, I just would say, I use the bit.ly links; this is your way of feedback to me. I want to know, after the fact, I get to track who went to those QR codes; it gives me some feedback about what topics you guys were interested in after the fact, so I'd appreciate it if you could use those. Another way to do this: Google and Bing and YouTube all have various safe search modes, and through a little DNS trick you can actually enforce them, require them. So you could turn them on, you can opt in to them, but you can disable them too, but using this DNS trick you can force it for all the devices on your network. And so this is again just a simple edit of the DNS configuration, and essentially what I'm doing is forcing google.com to resolve to this IP address, which is something that Google has published, saying that yes, if you go to this IP address you will only get safe search mode every time. YouTube has something similar, Bing has something similar. It's a pretty easy setup, just to again make sure that we're preventing accidents on the network.

Another great use case I've found for this is with OpenVPN, to be able to use it for a VPN. We can do all sorts of cool things like site-to-site VPN: if I've got two routers at two different locations, I can have one call the other one and establish a VPN and connect the networks over a secure tunnel. That's an easy setup. Another one is sort of the remote access: maybe you're away from home and you want to dial into your house. If I've got my smartphone out here, I download the OpenVPN app, I can call home and get connected to my network, easy peasy, and be able to access any of the resources there.

There's also some really neat wireless stuff that you can do with this. A typical wireless scenario I have at my house, I mentioned, is that I've got a couple of older computers that I can't get close to where my router is, so I use a second OpenWrt and just turn it into a wireless bridge. You can see that server right up there is connected via wire to that OpenWrt device, and then it acts as a wireless client instead of an access point down to my main router, and from there it can get out to the internet and access whatever resources it needs. So I can extend my network pretty easily this way. Another scenario I use at home: my house is long, and so the wireless coverage doesn't work across the whole house, so I actually had an Ethernet cable I ran sort of as a trunk line, and since I have to broadcast two different wireless networks (I have a guest network and a home, sort of main, network) I actually can turn on the VLAN trunking capabilities in these routers and push both of those networks across the trunk so they can both be broadcasting. This doesn't use any of the mesh technologies that are more commonly used for this type of setup right now. And one that I was able to do here at Augusta University that I wanted to share, with permission: we set up a WEP cracking lab using these devices. We configured a router here with WEP, and then we set up a client that would just keep pinging it and generating data, and then we were able to use some wireless capture devices to capture that and then do a WEP cracking attack in the classroom with some students here. It was great because all we have to do whenever we run it is just grab those devices, put them out in the classroom, plug them in, and the lab just works, so it's really, really handy. I have since, unfortunately, had to stop working here due to scheduling reasons, but I've since developed something similar for WPA2, to be able to look at how you crack it when you can grab the handshake and be able to crack that offline.

I have to skip a couple of these scenarios due to time, but the gist is there are a lot of other useful cases: for disaster recovery you can run PXE boot on these to be able to push boot images out to your devices; I use one of them as a travel router when I go to a hotel, similar to what the Armadillo guys shared this morning in the other hall, so I can VPN to home or at least have secure Wi-Fi in my room; if you're into hardware hacking we've got GPIO ports and audio types of things that you can control if you really want to open up the box and get in it. I've not done that, but there are some really cool things that you can do. So what I want you guys to take away from this is that this is a really versatile platform to be able to do some neat security sensing stuff and training. If you want to play with some of this enterprise stuff at home, this is a quick and easy way to get started with it. And so I have time to take a couple of quick questions; I think we have a minute for that. Yes?
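Editor's added example, not the speaker's code and not from the blog the talk links to: the router as a software tap and collection point, covering the iptables TEE method and the daemonlogger/softflowd collection the talk describes. mirror_rules() is written to be called from the fw3 custom-rules script (/etc/firewall.user) so it is re-applied on every firewall reload; the comment in it spells out the TEE caveats the talk mentions (IP only, MACs rewritten) plus two the talk does not: the gateway must be on the same L2 segment, and LAN-to-LAN traffic the switch forwards without touching the CPU is never mirrored. Assumptions that are not in the talk: the sensor is 192.168.1.50 on the LAN bridge br-lan, pcaps go to a USB stick under /mnt/usb/pcap, the NetFlow collector is localhost:2055, and the package names are iptables-mod-tee, daemonlogger and softflowd (check with `opkg list`). daemonlogger flags are as in its usage text; confirm with `daemonlogger -h` on your build. Setting IPTABLES, DAEMONLOGGER or SOFTFLOWD to `echo` prints the command lines instead of running them.

```shell
#!/bin/sh
# Added example (editor's, not from the talk).  Software tap with iptables
# TEE plus on-router capture and flow export.  Assumed: sensor 192.168.1.50
# on br-lan, pcap dir /mnt/usb/pcap (must exist), collector 127.0.0.1:2055.
# Assumed packages:  opkg update && opkg install iptables-mod-tee daemonlogger softflowd
# IPTABLES=echo (etc.) prints the commands instead of running them.

IPTABLES="${IPTABLES:-iptables}"
DAEMONLOGGER="${DAEMONLOGGER:-daemonlogger}"
SOFTFLOWD="${SOFTFLOWD:-softflowd}"
LAN_IF="${LAN_IF:-br-lan}"
SENSOR="${SENSOR:-192.168.1.50}"
PCAP_DIR="${PCAP_DIR:-/mnt/usb/pcap}"
FLOW_COLLECTOR="${FLOW_COLLECTOR:-127.0.0.1:2055}"

# Clone every IPv4 packet the router sees on its LAN side to the sensor.
# Inherent TEE caveats: only IP packets (ARP and other non-IP frames are never
# cloned); the clone keeps the original IP header but leaves with the router's
# source MAC and the sensor's destination MAC, so original MACs are lost; the
# --gateway host must be directly reachable on the egress interface (same L2
# segment); and LAN-to-LAN traffic forwarded inside the hardware switch never
# reaches the CPU, so it is never seen.  The ! -s / ! -d exclusions keep the
# sensor's own traffic from being reflected straight back at it.
# Call this from /etc/firewall.user so fw3 re-adds the rules on reload.
mirror_rules() {
    "$IPTABLES" -t mangle -A PREROUTING  -i "$LAN_IF" ! -s "$SENSOR" -j TEE --gateway "$SENSOR"
    "$IPTABLES" -t mangle -A POSTROUTING -o "$LAN_IF" ! -d "$SENSOR" -j TEE --gateway "$SENSOR"
}

# Full packet capture on the router itself, the way the talk runs it:
# -n lan  file prefix;  -t 600  roll the file every ten minutes;
# -r -M 80  ring-buffer mode, keep total usage under 80% of the volume so old
# files age off before the stick fills;  -d  daemonise.
capture_pcap() {
    "$DAEMONLOGGER" -i "$LAN_IF" -l "$PCAP_DIR" -n lan -t 600 -r -M 80 -d
}

# Session data as NetFlow v9 (-v 9).  Pointing -n at localhost and capturing
# UDP/2055 with daemonlogger is the "no collector at home" trick from the talk.
export_netflow() {
    "$SOFTFLOWD" -i "$LAN_IF" -n "$FLOW_COLLECTOR" -v 9
}

case "${1:-}" in
    mirror)  mirror_rules ;;
    collect) capture_pcap; export_netflow ;;
esac
```

Check the rules landed with `iptables -t mangle -vnL PREROUTING` and watch the packet counters climb; on the sensor, `tcpdump -n -i eth0 'not host 192.168.1.50'` should show the cloned traffic with the router's MAC as source. The OpenWrt softflowd package also reads these same settings from /etc/config/softflowd if you prefer to manage it through UCI.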
Do you mean, like, using 802.11g? No, you can; I don't know about DD-WRT, I used it briefly and then switched over to OpenWrt, so I can't speak to that one. OpenWrt supports all of the recent standards, though sometimes it's not always the default, and you'll have to flip the switch to turn on the higher-performance speeds. Yeah, it's just being persistent. There are just weird things; this is all unsupported, though, so you'll run into weird little glitches. Like for me, the other day I was trying to install OpenWrt and it kept failing, and it wasn't until I realized I needed to upgrade the stock firmware to the latest stock firmware and then install OpenWrt. So there are weird sort of undocumented things like that. So if you're willing to be persistent with it, as I said, that's the way to go, and, as I said, that's the time-money trade-off a little bit. This is sort of unsupported space; you can do some cool things, but you're a little bit on your own. Yeah, one more real quick, and then I'll stick around afterwards if you've got a question. Yeah, is there a slowdown on the network to do the port mirroring? When you do it in hardware, in theory it shouldn't. I didn't do any extensive performance testing, so I can't speak to that. Yeah, yeah, I didn't have any problems, but I wasn't trying to extensively run a lot of stuff on them.

Now I have a couple more prizes to give away, and since we're going into a break I wanted to give you guys a little bit of a challenge for this. You can hit my blog if you want to pick up a few more links about how to get started, but I have one of these OpenWrt devices up here running an access point. If you would like to try to get into it and try to pull a little flag off of it, you've got about five minutes to do this if you want to try to pull it off, and just come down here and tell me the code. As I said, there are two more things here, but this is a device that's up here running OpenWrt; it's got OpenVPN on it; there's a config there that you can download, and if you want to try connecting into it to get a little hands-on and see what this is like, please feel free to jump in and try it out. Anything else? All right, thank you very much.
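Editor's added example, not the speaker's code and not the script behind the bit.ly link in the talk: the UCI settings behind the logging the talk turns on (dnsmasq query logging, firewall drop/reject logging, shipping the in-memory log to a remote syslog host so it survives a reboot), the OpenDNS FamilyShield and forced-SafeSearch DNS tricks, and a small awk pass over the kind of log lines the talk shows, summarising who looked up what and which outside source is walking ports. The dnsmasq, firewall, network and system option names are the real OpenWrt ones. Assumptions that are not in the talk: the syslog collector is 192.168.1.20:514; `wan` is the second firewall zone, as in the default config; 216.239.38.120 is the address Google publishes for forcesafesearch.google.com and restrict.youtube.com (verify the current value before relying on it; Bing's equivalent, strict.bing.com, is left out here). The sample log is constructed, not captured. DRY_RUN=1 prints each command instead of running it.

```shell
#!/bin/sh
# Added example (editor's, not from the talk).  Logging, filtering and a
# first look at the logs.  Assumed: syslog collector 192.168.1.20:514,
# 'wan' is firewall zone index 1, SafeSearch address per Google's published
# value (verify).  DRY_RUN=1 prints the commands instead of running them.

DRY_RUN="${DRY_RUN:-}"
SYSLOG_HOST="${SYSLOG_HOST:-192.168.1.20}"
SAFESEARCH_IP="${SAFESEARCH_IP:-216.239.38.120}"

run() { if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi; }

enable_logging() {
    # dnsmasq: log every query, forward and reply to syslog
    run uci set 'dhcp.@dnsmasq[0].logqueries=1'
    run uci commit dhcp
    run /etc/init.d/dnsmasq restart
    # firewall: log what the wan zone rejects/drops, rate-limited so a
    # port scan cannot flood the ring buffer
    run uci set 'firewall.@zone[1].log=1'
    run uci set 'firewall.@zone[1].log_limit=10/minute'
    run uci commit firewall
    run /etc/init.d/firewall restart
    # logd keeps the log in RAM only; ship it off the box to keep it
    run uci set "system.@system[0].log_ip=$SYSLOG_HOST"
    run uci set 'system.@system[0].log_port=514'
    run uci set 'system.@system[0].log_proto=udp'
    run uci commit system
    run /etc/init.d/log restart
}

# Resolve through OpenDNS FamilyShield instead of the ISP's resolvers.
family_shield() {
    run uci set 'network.wan.peerdns=0'
    run uci -q delete network.wan.dns || true
    run uci add_list 'network.wan.dns=208.67.222.123'
    run uci add_list 'network.wan.dns=208.67.220.123'
    run uci commit network
    run /etc/init.d/network reload
}

# Force SafeSearch: dnsmasq answers these names with the SafeSearch address
# no matter what the client asked, so the setting cannot be switched off.
force_safesearch() {
    for name in www.google.com www.youtube.com m.youtube.com; do
        run uci add_list "dhcp.@dnsmasq[0].address=/$name/$SAFESEARCH_IP"
    done
    run uci commit dhcp
    run /etc/init.d/dnsmasq restart
}

# Constructed sample of what logread shows afterwards (not real traffic).
SAMPLE_LOG='Tue Jan  1 12:00:01 2019 daemon.info dnsmasq[1234]: query[A] play.google.com from 192.168.1.23
Tue Jan  1 12:00:01 2019 daemon.info dnsmasq[1234]: forwarded play.google.com to 208.67.222.123
Tue Jan  1 12:00:01 2019 daemon.info dnsmasq[1234]: reply play.google.com is 172.217.4.174
Tue Jan  1 12:00:05 2019 daemon.info dnsmasq[1234]: query[A] play.google.com from 192.168.1.23
Tue Jan  1 12:00:09 2019 daemon.info dnsmasq[1234]: query[AAAA] www.example.com from 192.168.1.40
Tue Jan  1 12:00:12 2019 kern.warn kernel: [120.1] REJECT wan in: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.2 PROTO=TCP SPT=40001 DPT=22
Tue Jan  1 12:00:12 2019 kern.warn kernel: [120.2] REJECT wan in: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.2 PROTO=TCP SPT=40002 DPT=23
Tue Jan  1 12:00:13 2019 kern.warn kernel: [120.3] REJECT wan in: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.2 PROTO=TCP SPT=40003 DPT=3389
Tue Jan  1 12:00:14 2019 kern.warn kernel: [120.4] REJECT wan in: IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.2 PROTO=UDP SPT=5000 DPT=5060'

# "<count> <client> <name>" per dnsmasq query line, busiest first.
dns_summary() {
    awk '/dnsmasq\[[0-9]+\]: query\[/ { n[$NF " " $(NF-2)]++ }
         END { for (k in n) print n[k], k }' | sort -rn
}

# Distinct destination ports per source across wan reject/drop lines; one
# source touching many ports in a short window is what a scan looks like.
scan_summary() {
    awk '/(REJECT|DROP) wan in:/ {
             src = ""; dpt = ""
             for (i = 1; i <= NF; i++) {
                 if ($i ~ /^SRC=/) src = substr($i, 5)
                 if ($i ~ /^DPT=/) dpt = substr($i, 5)
             }
             if (src != "" && dpt != "" && !seen[src, dpt]++) ports[src]++
         }
         END { for (s in ports) print ports[s], s }' | sort -rn
}

case "${1:-}" in
    apply)   enable_logging; family_shield; force_safesearch ;;
    summary) logread | dns_summary; logread | scan_summary ;;
esac
```

On the router, `sh logging.sh summary` runs both summaries over the live ring buffer; against the constructed sample they report `2 192.168.1.23 play.google.com` as the busiest query and `3 203.0.113.9` as the source that hit the most distinct ports. The same awk works unchanged on the files your remote syslog host writes, which is where the data should live anyway, since logd forgets everything on reboot.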