[BBLISA] Might need help debugging a new wireless set-up

Dean Anderson dean at av8.com
Wed Nov 3 22:02:08 EST 2004


On Fri, 29 Oct 2004, Adam S. Moskowitz wrote:

> I'm putting together a new wireless set-up (to meet security
> requirements for my new job), and I have a feeling I'm going to need
> some help getting it to work: I'm using an untested Compact Flash
> 802.11b card in a proprietary H/W VPN box, there's no way to load
> drivers, and no way to get at the O/S to see what's happening.
> 
>     Before anyone goes off on a rant about open source:
>     The VPN box runs Linux, but you can't get to it. In
>     a security device this is A Good Thing.

It may not be that hard to get in. Many of the Linux-based wireless
boxes have 'firmware upgrade' procedures if you have physical access, and
some are pathetically open. See the installation procedure for OpenWRT,
which uses an exploit:

=========== from http://www.openwrt.org/userguide.html 
First, check the status page and make sure that the device has an internet
IP - it really doesn't matter if the internet is even connected, just as
long as the internet IP is set. Next, load the web administration and
locate the Ping.asp page (found under Administration >> Diagnostics) and
perform a series of pings using the following "addresses":

;cp${IFS}*/*/nvram${IFS}/tmp/n 
;*/n${IFS}set${IFS}boot_wait=on
;*/n${IFS}commit 
;*/n${IFS}show>tmp/ping.log 
=========== 

In case you didn't recognize this, it's a root exploit that allows you to
run commands as root.  This is basically all Linksys wireless products.
The only half-saving grace is that to get to the Ping.asp page, you have
to be HTTP authorized. But the administration uses unencrypted HTTP and basic
authorization. Not too hard to snoop... Sigh.  The nice thing, of course,
is that it's open source, and so this can all be changed. :-)  And I've
done just that on our hotspots.  And if that weren't enough, it's still a
90-dollar Linux box(!) Think about that a bit.

> To make the job more difficult, I don't have wireless at home, and the
> company I work for is located in New Jersey. Oh, and did I mention I
> have just over one week to get this working?
> 
> So, is there anyone out there that:
> 
>     1. has the ability to sniff both wired and wireless packets;

This isn't as hard as you might think.  There are a bunch of WEP crackers.
These can be used to sniff the wireless segment.  If you don't want
to/need to crack the net, but just listen to it, as a normal user, then
Linux wireless and tcpdump should work.

>     2. has a network where we can test all this;

Yep. Av8 has some wireless access points.

>     3. has the time to help me?

Sure, I can probably work it in tomorrow.  You have my numbers...

> If so, please contact me. My schedule is pretty flexible and I'll buy
> lunch or beer, your choice. Day (preferred) or evening, your home or
> office.
> 
> Thanks,
> AdamM
> 
> _______________________________________________
> bblisa mailing list
> bblisa at bblisa.org
> http://www.bblisa.org/mailman/listinfo/bblisa
> 
> 

-- 
Av8 Internet   Prepared to pay a premium for better service?
www.av8.net         faster, more reliable, better service
617 344 9000   
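The Ping.asp trick quoted above works because the web form hands the "address" field to a shell, so `;` and `${IFS}` turn it into extra commands. The following is an added example (not code from the thread, from Linksys or from OpenWRT) showing how a diagnostic-ping handler can be written so those inputs are rejected: validate the target as an IP address or hostname, and run ping with an argument list rather than a shell string. The sample inputs are the four strings from the quoted procedure plus constructed legitimate targets.

```python
import ipaddress
import re
import subprocess
from typing import Dict, List, Optional

# Constructed sample inputs: the four "addresses" from the quoted OpenWRT
# procedure (command injection) and three ordinary ping targets.
INJECTION_SAMPLES = [
    ";cp${IFS}*/*/nvram${IFS}/tmp/n",
    ";*/n${IFS}set${IFS}boot_wait=on",
    ";*/n${IFS}commit",
    ";*/n${IFS}show>tmp/ping.log",
]
LEGIT_SAMPLES = ["192.0.2.10", "2001:db8::1", "www.example.com"]

# RFC 1123 style hostname: labels of letters, digits and inner hyphens,
# separated by dots, at most 253 characters overall.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$",
    re.IGNORECASE,
)


def validate_ping_target(value: str) -> Optional[str]:
    """Return the target if it is a syntactically valid IP or hostname, else None."""
    value = value.strip()
    try:
        return str(ipaddress.ip_address(value))  # accepts IPv4 and IPv6 literals
    except ValueError:
        pass
    return value if HOSTNAME_RE.match(value) else None


def safe_ping_args(target: str) -> Optional[List[str]]:
    """Build the argv for ping, or None if the target did not validate.
    No shell is involved, so ';', '${IFS}', '>' and '*' are never interpreted."""
    checked = validate_ping_target(target)
    return None if checked is None else ["ping", "-c", "3", checked]


def run_ping(target: str) -> Optional[str]:
    """Run ping for a validated target (hypothetical handler body; not called here)."""
    args = safe_ping_args(target)
    if args is None:
        return None
    return subprocess.run(args, capture_output=True, text=True).stdout


def check_all() -> Dict[str, int]:
    """Count how many sample inputs the validator rejects and accepts."""
    rejected = sum(validate_ping_target(s) is None for s in INJECTION_SAMPLES)
    accepted = sum(validate_ping_target(s) is not None for s in LEGIT_SAMPLES)
    return {"injections_rejected": rejected, "legit_accepted": accepted}
```

The same allow-list check applied to the admin form on the router would have stopped the quoted procedure before it reached `/bin/sh`, independently of whether HTTP basic auth was snooped.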
