Tuesday, February 9, 2016

How to build a MiniPwner with a TP-LINK TL-MR3040

A MiniPwner is a penetration testing drop box which can provide some interesting capabilities if you're able to insert one into a target's network. It is a small device, and the MR3040 in particular contains a battery, which means you don't have to worry about power for at least a few hours. Because it runs OpenWRT there are a variety of infosec-friendly packages available which facilitate things such as reverse SSH or VPN tunneling and port scanning with nmap, and while it may not have the horsepower to run Metasploit, you can certainly use a MiniPwner as a conduit to forward traffic from a Metasploit install elsewhere. The tutorial that follows is more or less what is described on their website, but some steps are glossed over there, which I cover here; hopefully this fills in the gaps for people who may not be comfortable fiddling with embedded devices.

First take a USB drive (the tutorial suggests a 16 GB USB stick, but I'm using 8 GB in this tutorial) and format it so that the first partition is a 500 MB swap and the remaining partition is ext4. I did this in Kali with the gparted utility. Here is a screenshot of what gparted looked like.


Next, download the OpenWRT firmware that is appropriate for the MR3040 here.

Using the Ethernet cable, plug the MR3040 into a computer. Authenticate to the router by navigating to 192.168.0.1 and using admin/admin as the credentials.

Navigate to the Firmware Upgrade page by clicking System Tools on the left-hand side to expand those options, then click Firmware Upgrade.

Click on the Choose File button and select the openwrt-ar71xx-generic-tl-mr3040-v2-squashfs-factory.bin file you downloaded earlier.

Click Upgrade. A confirmation dialog will appear and the MR3040 will then be flashed with OpenWRT.


After the flashing process finishes, the MR3040 will reboot. Once flashed, its default IP address is 192.168.1.1 instead of 192.168.0.1, so access the newly flashed MR3040 by pointing your browser to 192.168.1.1. You may have to disconnect your host computer from your home Internet connection while you do this, since 192.168.1.0/24 is a common network for home routers.

After pointing your browser to 192.168.1.1 you can authenticate to the MR3040 with a username of root and a blank password.



The next task is to install the packages that will enable the MR3040 to interface with the USB drive. In order to do that we need Internet access for the MR3040. In this case, I used the MR3040 to connect to my home wifi network: I clicked Network and then Wifi, then clicked Scan to have the MR3040 identify my home wifi network.


After the scan identified my home wifi network, I clicked Join Network. The next screen asks for the passphrase and allows you to set a network name and configure firewall rules. I left the network name as the default, wwan, and the firewall rules as wan, which was empty for me. Another screen follows which confirms all of the details, and I clicked Save & Apply.

Next, open a terminal and telnet into the MR3040. You should not have to supply credentials at this point.


Confirm that you have Internet access by pinging 8.8.8.8. DNS is not working properly at this point, though, so we need to update the network configuration for the br-lan interface. Edit /etc/config/network and add the line option dns '8.8.8.8' to the entry for the lan interface. It should look like this:


Reboot the MR3040 by typing reboot -f, and when it comes back up, telnet back in and try to ping a domain name. It should work this time. Now we can update the MR3040's package lists. From your telnet session, type opkg update to refresh the list of packages that can be installed. Then install all of the packages needed for USB storage by typing: opkg install kmod-scsi-core kmod-usb-storage block-mount kmod-lib-crc16 kmod-crypto-hash kmod-fs-ext4


Insert the USB stick into the 3G port and reboot by typing reboot -f from the telnet session. Telnet back into the MR3040. Our next task is to get the MR3040 to recognize the USB drive. We'll do this by modifying the /etc/config/fstab file. First make a backup of the file, then edit fstab until it resembles this:


Then copy the contents of the MR3040's flash memory onto the USB drive with the following commands:
mkdir -p /tmp/cproot
mount --bind / /tmp/cproot
mkdir /mnt/sda2
mount /dev/sda2 /mnt/sda2/
tar -C /tmp/cproot -cvf - . | tar -C /mnt/sda2 -xf -
umount /tmp/cproot

Then update /etc/config/fstab again so that the MR3040 uses the USB drive as its root filesystem; it should resemble this:


Reboot the MR3040 by typing reboot -f again. Now verify that the MR3040 is using the USB drive correctly by typing df -h to look at the disk space usage. You should see /dev/sda2 listed with gigabytes of space available.
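The two fstab edits above are only shown as screenshots in the original post, so here is an added example (mine, not the post's own file or MiniPwner project code) that writes both stages and then checks that the extroot actually took effect. It assumes the OpenWrt block-mount syntax for /etc/config/fstab (config global / config swap / config mount stanzas) and the partition layout from the post, /dev/sda1 as swap and /dev/sda2 as ext4; the /proc/mounts sample at the bottom is constructed, not captured from a device.

```shell
#!/bin/sh
# Added example; this is not the post's own fstab nor MiniPwner project code.
# It assumes the OpenWrt block-mount syntax for /etc/config/fstab and the
# partition layout from the post: /dev/sda1 = swap, /dev/sda2 = ext4.
# Paths are parameters so the functions can be exercised on a workstation
# before touching the device.

# Write a complete fstab whose ext4 partition is mounted at $2.
write_fstab() {
    path="$1"; target="$2"
    cat > "$path" <<EOF
config global
    option anon_swap '0'
    option anon_mount '0'
    option auto_swap '1'
    option auto_mount '1'
    option delay_root '5'
    option check_fs '0'

config swap
    option device '/dev/sda1'
    option enabled '1'

config mount
    option target '$target'
    option device '/dev/sda2'
    option fstype 'ext4'
    option options 'rw,sync'
    option enabled '1'
EOF
}

# Stage 1 (before copying flash): USB partition visible at /mnt/sda2.
write_fstab_stage1() { write_fstab "$1" '/mnt/sda2'; }

# Stage 2 (after the tar copy): the same partition becomes the root filesystem.
write_fstab_extroot() { write_fstab "$1" '/'; }

# Print the device mounted on mount point $1, reading a /proc/mounts-style
# file ($2, default /proc/mounts). If several entries claim the same mount
# point, the last one (the one currently visible) wins.
mounted_device() {
    awk -v m="$1" '$2 == m { dev = $1 } END { print dev }' "${2:-/proc/mounts}"
}

# Succeed only if / really lives on /dev/sda2, i.e. the extroot took effect.
extroot_active() {
    [ "$(mounted_device / "${1:-/proc/mounts}")" = "/dev/sda2" ]
}

# Constructed /proc/mounts sample (not captured from a device) showing a
# successful extroot, so the script demonstrates itself off the router.
SAMPLE_MOUNTS=$(mktemp)
printf '%s\n' \
    'rootfs / rootfs rw 0 0' \
    '/dev/root /rom squashfs ro 0 0' \
    '/dev/sda2 / ext4 rw,sync 0 0' \
    'tmpfs /tmp tmpfs rw 0 0' > "$SAMPLE_MOUNTS"

if extroot_active "$SAMPLE_MOUNTS"; then
    echo "sample: root is on $(mounted_device / "$SAMPLE_MOUNTS"), extroot active"
fi
```

On the device, `write_fstab_stage1 /etc/config/fstab` replaces the first manual edit and `write_fstab_extroot /etc/config/fstab` the second; after the final reboot, `extroot_active` with no argument reads the real /proc/mounts and is a stricter check than eyeballing df -h, because it confirms that / itself, not just some mount point, is backed by the USB partition.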


Now we will install the MiniPwner overlay. Change directory to /tmp and download the overlay with this command: wget http://minipwner.com/images/Overlay/minipwner-overlay_2.0.0.tar


Extract it with this command: tar -xvf minipwner-overlay_2.0.0.tar. It appears that the setup.sh archived in this tar was saved with Windows-style line endings. Edit setup.sh and manually delete the DOS line-ending ^M characters at the end of each line. I attempted to set the file format to unix using :set ff=unix, but was unsuccessful. Save setup.sh and execute it with sh setup.sh. Flip the 3-way switch to WISP and reboot.
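Deleting the ^M characters by hand works but is easy to get wrong on a long script, so here is an added example (mine, not from the post or the MiniPwner overlay) that does the same thing with tr, which BusyBox on OpenWrt provides. It also counts the CRLF lines first, which is the quick way to tell whether a "command not found" or "bad interpreter" error is really a line-ending problem. The sample file is constructed here to stand in for setup.sh.

```shell
#!/bin/sh
# Added example, not from the post or the MiniPwner overlay. It does with tr
# what the post does by hand in vi: strip the CR of DOS line endings so
# BusyBox sh doesn't choke on "#!/bin/sh^M" or "command^M: not found".

# Count CR bytes in a file (0 means the file already has Unix line endings).
crlf_count() {
    tr -cd '\r' < "$1" | wc -c | tr -d ' '
}

# Rewrite a file in place with all CRs removed, keeping the original as .bak.
strip_crlf() {
    cp "$1" "$1.bak"
    tr -d '\r' < "$1.bak" > "$1"
}

# Constructed stand-in for the overlay's setup.sh, written with CRLF endings.
demo() {
    f=$(mktemp)
    printf '#!/bin/sh\r\necho hello from setup.sh\r\n' > "$f"
    echo "before: $(crlf_count "$f") CR bytes"
    strip_crlf "$f"
    echo "after:  $(crlf_count "$f") CR bytes"
    sh "$f"
    rm -f "$f" "$f.bak"
}
demo
```

On the device, `crlf_count /tmp/setup.sh` followed by `strip_crlf /tmp/setup.sh` replaces the manual vi session; the .bak copy lets you diff the two if the script later misbehaves.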

Telnet back in and you should be welcomed with a MiniPwner banner instead.


Now we will go through the process of installing security-related packages. Type opkg update to refresh the list of packages the MR3040 is aware of. Next, install the packages with the following commands (I ran into a character limit on the terminal, so I had to split it into two commands):
opkg install libpcap libstdcpp libpthread zlib libopenssl libbz2 bzip2 terminfo libnet1 libpcre libltdl libncurses librt libruby wireless-tools hostapd-common-old kmod-madwifi ruby uclibcxx libnl libcap libreadline libdnet libdaq libuuid libffi python-mini openssl-util kmod-tun liblzo libevent2-core libevent2-extra libevent2-openssl libevent2-pthreads libevent2 aircrack-ng elinks ettercap karma kismet-client kismet-drone kismet-server netcat nmap openvpn-easy-rsa openvpn-openssl perl samba36-client

opkg install samba36-server snort tar tcpdump tmux yafc wget python vim unzip

If you want to install any other packages at a later date, be sure to run opkg update before attempting to opkg install your desired package.

Finally, don't forget to run the passwd command to set a password, disable telnet, and enable SSH. The next time you remote into your device you will have to use SSH to access it.
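Since a drop box with an open, unauthenticated telnet port is a liability to whoever owns it, here is an added example (mine, not from the post) that verifies the last step took: it reads the output of BusyBox `netstat -ltn` and passes only when SSH (22) is listening and telnet (23) is not. The two netstat dumps embedded below are constructed to show the before and after states, not captured from a real MR3040.

```shell
#!/bin/sh
# Added example, not from the post or the MiniPwner overlay. After setting the
# root password, confirm the device answers on SSH (22) and no longer on
# telnet (23). Input is the text of BusyBox `netstat -ltn` saved to a file;
# on the device: netstat -ltn > /tmp/ports.txt; check_remote_access /tmp/ports.txt

# Print the distinct TCP ports in LISTEN state, one per line, ascending.
# The port is whatever follows the last ':' in the local address column,
# which handles both 0.0.0.0:22 and :::22.
listening_ports() {
    awk '$1 ~ /^tcp/ && $NF == "LISTEN" { n = split($4, a, ":"); print a[n] }' "$1" | sort -n -u
}

# Return 0 only when SSH is listening and telnet is not; explain otherwise.
check_remote_access() {
    ports=$(listening_ports "$1")
    if ! printf '%s\n' "$ports" | grep -qx 22; then
        echo "FAIL: nothing listening on 22 (dropbear not running?)"
        return 1
    fi
    if printf '%s\n' "$ports" | grep -qx 23; then
        echo "FAIL: telnetd still listening on 23"
        return 2
    fi
    echo "OK: ssh up, telnet closed"
    return 0
}

# Constructed netstat dumps (not captured from a real MR3040) for both states.
sample_before() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN
tcp        0      0 :::22                   :::*                    LISTEN
tcp        0      0 :::23                   :::*                    LISTEN
EOF
}
sample_after() {
    sample_before | grep -v ':23 '
}

for s in sample_before sample_after; do
    f=$(mktemp)
    $s > "$f"
    echo "$s: $(check_remote_access "$f")"
    rm -f "$f"
done
```

The check is deliberately local: it tells you what the box itself is listening on, which is what matters once it is plugged into a network you do not control.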

20 comments:

  1. Great guide, thanks...
    but I'm stuck when rebooting after the second time editing the fstab file. When my mr3040 reboots I can't connect to it via telnet, ssh or the web gui.

    Thanks again and any advice on where I'm stuck?
  2. Thank you for your guide, it was epic and filled in the gaps that the main guide on the minipwner website left out. An IMPORTANT NOTE for noobs using gparted for the first time, MAKE SURE YOU ACTUALLY PARTITION YOUR USB prior to going ahead with anything. I had set the partitions, but forgot to actually write them to the usb, so was getting Storage errors and could not install anything. This took me 2 days to figure out lol.
  3. Great post! I am actually getting ready to across this information, It's very helpful for this blog. Also great with all of the valuable information you have. Keep up the good work you are doing well.

    ccna training in chennai velachery
  4. Wow amazing, I saw the article with execution models you had posted. It was such informative. Really it's a wonderful article. Thank you for sharing and please keep update like this type of article because I want to learn more relevant to this topic.

    Digital Marketing Company in Chennnai
  5. Thank you for taking time to provide us some of the useful and exclusive information with us.
    ccna Training in Chennai | ccna course in Chennai | ccna Training institute in Chennai
  6. I had problems with the ext4 partition in the USB drive. To solve this I used ext3 and it works without problem.
  7. I'm stuck trying to pivot root to the usb, once I create the /mnt/sda2 I cannot mount it because it says it is not there, and then when I create it again it says it already exists. I have tried reflashing my router and nothing has helped. Can anyone help? :(
    Replies
    1. I'm having this issue as well, was there ever a fix found?
    2. I also have this issue, I've been at it for a few days and could not get it to work. Did you?
    3. Install kmod-lib-crc32c and kmod-crypto-crc32c, then try again.
  8. Thank you for sharing in this webpage, I can learn a lot and could also be a reference, I hope to read the next your article updates.
    Regards,
    ccna Training in Chennai | ccna institutes in Velachery | ccna Training institutes in Velachery
  9. I have been trying to get this set up for the past 2 days, when I came across your article and wanted to know if others have been able to get it to work. Glad to hear from anyone with updated info blancomichael0@gmail.com...
  10. The screenshots help with the tutorial.
  11. There was very wonderful information and that's great one. I really appreciate the kind words, thanks for sharing that valuable information.
    Digital marketing course in chennai
  12. You are doing a great job. You inspire me to write for others. Thank you very much. I would like to appreciate your work for good accuracy and got informative knowledge from here.

    iOS App Development Company
  13. I have completely read your post and the content is crisp and clear. Thank you for posting such an informative article, I have decided to follow your blog so that I can keep myself updated. Java Training in Chennai
  14. 192.168.0.1 is the address of an array of D-Link and Netgear model routers, similar to 192.168.1.1