2009-07-27

Evil WiFi Part 1: Jasager/Fonera Setup

Introduction
This is a multi-part series on getting Jasager to play nicely with Metasploit, Hamster & Ferret to create an evil wifi tar-pit of sorts. The end result will be a wireless network that can gather and replay session cookies for web applications and log passwords for a number of different protocols.

In part 1, I will discuss how to set up a La Fonera router with Jasager, and then do some post-installation configuration that will turn this little $30 WiFi router into a stand-alone, automated Karma installation to trap wireless clients without any interaction from you aside from hooking up a power source and network cable.

Things you will need:

  • A computer with an Ethernet port, TFTP server software (Mac, Windows, Linux) and telnet/SSH clients (I stuck to Mac OS X for this but you can do it from Linux or Windows)
  • A Fon 2100 router from Fon.com
  • An ethernet cable for the La Fonera router
  • (maybe) a hub, switch or crossover ethernet cable

What's the point?
A rig like this can be used to quickly, cheaply deny wireless service (for example, if your office does not allow wireless by policy). It also allows you to gather information about people who are trying to connect to wireless networks when/where they should not be. Likewise, it can be used in vulnerability assessments. Like any security tool, there are black-hat uses for Jasager. Used alone, Jasager is mostly harmless. Note: we will be combining Jasager with some other powerful tools.

Hi. Meet Der Jasager, the "yes man"

If you're not familiar with Jasager, check out this video that Darren from hak5 put together. While kicking it with Darren in Springfield, MO last year, he was talking about the concept of a stand-alone Karma implementation on a router. It was an idea that he'd been kicking around with Mubix, and it didn't even have a name yet. Later on, he released this video and that sparked my interest even more. You can ignore the install instructions -- they are old and we can install Jasager in fewer steps now thanks to Digininja. It's still entertaining to watch.



Install Digininja's Jasager firmware
First things first, we have to flash the La Fonera router. I'm going to assume that you have a fresh FON 2100 from Fon.com and that you haven't plugged it in to the Internet (allowing it to upgrade itself... VERY BAD!) or can otherwise get your Fon router to a state where it can be flashed with the custom OpenWrt-based Jasager firmware. If you already have RedBoot enabled, you can keep reading. Otherwise, get RedBoot enabled first! If you aren't sure whether RedBoot is enabled, it almost assuredly is not. It is not enabled by default.

Once you get RedBoot enabled, download digininja's Jasager firmware. Unpack that archive into your TFTP Server's directory. Note that the filenames are slightly different for the Jasager firmware files, so if you're using our howto, keep this in mind. You might as well use Digininja's own installation walk-through though.

Once you get a fresh install on the Fonera, Jasager should be installed. Try hitting it at http://192.168.1.1:1471



Go ahead and create the wireless interface and bring it online using the Jasager control panel if it asks (as shown above). You don't need to enable Karma mode just yet.

If the La Fonera doesn't come back up after 5 minutes, try telnetting to 192.168.1.254:9000 again and run fconfig in RedBoot. I had to fuss around with those options, but it might be due to the fact that I was re-flashing my Fonera for the 50th time instead of using a fresh one from Fon.com.

Tinker Time!

Now, it's time to screw with the innards of Jasager to make it play the way we want it to. First, we have to assign a password. This will (as the banner says) disable telnet and enable ssh. We also need to enable wireless.
Chimera$ telnet -lroot 192.168.1.1

Trying 192.168.1.1...
Connected to 192.168.1.1.
Escape character is '^]'.

=== IMPORTANT ============================
Use 'passwd' to set your login password
this will disable telnet and enable SSH
------------------------------------------


BusyBox v1.11.2 (2009-03-28 00:20:52 GMT) built-in shell (ash)
Enter 'help' for a list of built-in commands.

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 KAMIKAZE (8.09, unknown) ----------------------------
  * 10 oz Vodka       Shake well with ice and strain
  * 10 oz Triple sec  mixture into 10 shot glasses.
  * 10 oz lime juice  Salute!
 ---------------------------------------------------
root@OpenWrt:/#
root@OpenWrt:/# passwd
Changing password for root
New password: [typed my password]
Retype password: [typed my password again]
Password for root changed by root
root@OpenWrt:/# uci set wireless.wifi0.disabled=0
root@OpenWrt:/# uci commit wireless && wifi

This username (root) and your password will be required to hit the Jasager web UI from now on, so remember it.

Next, change the "option ssid" line in the /etc/config/wireless file to something innocuous. "OpenWrt" is either boring (to geeks) or strange (to the mundane). Make it clever if not downright inviting! I chose "Guest" since that seems friendly enough.
option ssid    Guest

Since we'll be integrating Jasager with tools running on another system later, it's important to make sure that this system (preferably a laptop) is the default gateway and the DNS server for all clients who associate to the network. I decided to use 192.168.1.2 for the ethernet interface on my laptop.

The DHCP server configuration is in /etc/dnsmasq.conf, so add these dhcp options to the end of the file in order to set the default route and dns server to 192.168.1.2.
dhcp-option=3,192.168.1.2
dhcp-option=6,192.168.1.2


I also wanted Karma mode to be enabled by default. I dug through the Jasager cgi scripts and they just call iwpriv commands. I added these lines to /etc/init.d/jasager under the start() function:
wlanconfig ath0 create wlandev wifi0 wlanmode master
iwpriv ath0 karma 1 #enable karma mode

iwpriv ath0 addkarmassid "H-i-R.Net" #Don't trample on my own wifi!

You may wish to add a few addkarmassid lines for nearby legitimate wireless networks.

Give your Fon a quick reboot. It should come back up just fine. It should also answer to pretty much any random SSID you throw at it. Once your client connects, try to reach the Jasager Web interface again at http://192.168.1.1:1471/

It should load just fine and it should show that Karma is currently ON. You may wish to test Karma mode out a bit by trying to associate to some randomly-typed SSIDs. If that works, Karma is enabled and working properly. GAME ON.
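Seen from the defender's side, the behaviour tested above (one radio saying yes to whatever SSID it is asked for) is also the detection signal. The sketch below is an added example, not part of the original post or the Jasager project: it flags BSSIDs that answer for a canary SSID or for an implausible number of distinct SSIDs. The (BSSID, SSID) pairs, the canary name and the threshold are constructed assumptions; a real deployment would feed it from a monitor-mode capture.

```python
from collections import defaultdict

# Constructed sample: (BSSID, SSID) pairs as parsed from probe-response
# frames by a monitor-mode sniffer. Addresses and names are made up.
SAMPLE_RESPONSES = [
    ("02:00:00:00:00:01", "Guest"),
    ("02:00:00:00:00:01", "linksys"),
    ("02:00:00:00:00:01", "HomeNet-5521"),
    ("02:00:00:00:00:01", "canary-x7Qp2LmZ"),
    ("02:00:00:00:00:02", "CorpWiFi"),
    ("02:00:00:00:00:02", "CorpWiFi"),
    ("02:00:00:00:00:03", "CorpWiFi"),
    ("02:00:00:00:00:03", "CorpGuest"),
]


def ssids_by_bssid(responses):
    """Group the distinct non-empty SSIDs each BSSID has answered for."""
    seen = defaultdict(set)
    for bssid, ssid in responses:
        if ssid:
            seen[bssid.lower()].add(ssid)
    return seen


def find_karma_suspects(responses, canaries=(), max_ssids=2):
    """Return {bssid: [reasons]} for radios that answer like a Karma AP.

    canaries: random SSIDs the defender probes for; no honest AP serves them.
    max_ssids: assumed ceiling on SSIDs a legitimate BSSID answers for.
    """
    canaries = set(canaries)
    suspects = {}
    for bssid, ssids in ssids_by_bssid(responses).items():
        reasons = []
        hits = sorted(ssids & canaries)
        if hits:
            reasons.append("answered canary SSID: " + ", ".join(hits))
        if len(ssids) > max_ssids:
            reasons.append("answered for %d distinct SSIDs" % len(ssids))
        if reasons:
            suspects[bssid] = reasons
    return suspects


if __name__ == "__main__":
    found = find_karma_suspects(SAMPLE_RESPONSES, canaries={"canary-x7Qp2LmZ"})
    for bssid, reasons in found.items():
        print(bssid, "->", "; ".join(reasons))
```

The canary check is the stronger of the two signals: a probe for a freshly generated random SSID should go unanswered on an honest network.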

Battery Power

For a truly mobile set-up, I recommend attaching a battery pack to the La Fonera router. From Radio Shack, Digi-Key or Mouser, you can buy a style "M" male coaxial barrel pigtail, battery clip(s), assorted wires, shrink tubing and connectors to hack it all together.

The Fonera is supposed to run on 5VDC with the center pin positive. I've found that I can safely use as many as six 1.2V NiMH cells in a battery clip to run my Fonera router without any problems. This is 7.2 Volts, well above the rated power supply voltage. I obviously can't guarantee that you won't damage your Fonera using any of the tricks (hardware or software) outlined here, but I can say mine has been working fine with an apparent 7.2 Volts.

Not to push product on you (okay, maybe just a little) but Duracell 2650mAh NiMH cells (shown left) are the most awesome rechargeables I've ever used. With them, this battery pack will surprise the hell out of you. It powers the Fonera for several hours. Of course, actual run-time varies with how much use it gets. I've noticed that leaving the Web UI up decreases run-time.

This fits nicely in the hackpack.


Congratulations, you're done messing with the Fon for now. You can simply power it on and chuckle while watching the Web UI as unsuspecting saps get roped into your clever trap, but the real fun hasn't even started yet...

Gr33tz, y0!!1!
Major props to the contributors to the Jasager project. Together, they took some loosely organized pieces and created a simple, inexpensive tool that is as fun and interesting as it is versatile.
  • Dino A. Dai Zovi and Shane "K2" Macaulay for the initial KARMA concept
  • Mubix for coming up with the idea of combining this all in a small package. Of all the hackers I know, he's probably the most passionate about brainstorming, tinkering and helping others learn.
  • Robin Wood a.k.a. DigiNinja for designing the UI and pulling all the pieces together to run on the Fon.
  • Darren at hak5, who introduced me (and I suspect many others) to Jasager. I can't tell if he's a salesman with tech skills or an uber-nerd with people skills. Either way, he's a very well balanced and charismatic show host and a great guy to know in person.

Related Content:
La Fonera Lab: un-bricking howto
CCCKC Grand Opening: Fon Presentation & Notes
Defense: Sidejacking, Subversive Wireless
